VirtualBox

source: vbox/trunk/src/libs/openssl-3.0.3/test/sslapitest.c@ 95219

Last change on this file since 95219 was 95219, checked in by vboxsync, 3 years ago

libs/openssl: Switched to v3.0.3, bugref:10128
File size: 334.6 KB
Line 
1/*
2 * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10/*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14#ifndef OPENSSL_NO_DEPRECATED_3_0
15# define OPENSSL_SUPPRESS_DEPRECATED
16#endif
17
18#include <stdio.h>
19#include <string.h>
20
21#include <openssl/opensslconf.h>
22#include <openssl/bio.h>
23#include <openssl/crypto.h>
24#include <openssl/ssl.h>
25#include <openssl/ocsp.h>
26#include <openssl/srp.h>
27#include <openssl/txt_db.h>
28#include <openssl/aes.h>
29#include <openssl/rand.h>
30#include <openssl/core_names.h>
31#include <openssl/core_dispatch.h>
32#include <openssl/provider.h>
33#include <openssl/param_build.h>
34#include <openssl/x509v3.h>
35#include <openssl/dh.h>
36
37#include "helpers/ssltestlib.h"
38#include "testutil.h"
39#include "testutil/output.h"
40#include "internal/nelem.h"
41#include "internal/ktls.h"
42#include "../ssl/ssl_local.h"
43#include "filterprov.h"
44
45#undef OSSL_NO_USABLE_TLS1_3
46#if defined(OPENSSL_NO_TLS1_3) \
47 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
48/*
49 * If we don't have ec or dh then there are no built-in groups that are usable
50 * with TLSv1.3
51 */
52# define OSSL_NO_USABLE_TLS1_3
53#endif
54
55/* Defined in tls-provider.c */
56int tls_provider_init(const OSSL_CORE_HANDLE *handle,
57 const OSSL_DISPATCH *in,
58 const OSSL_DISPATCH **out,
59 void **provctx);
60
61static OSSL_LIB_CTX *libctx = NULL;
62static OSSL_PROVIDER *defctxnull = NULL;
63
64#ifndef OSSL_NO_USABLE_TLS1_3
65
66static SSL_SESSION *clientpsk = NULL;
67static SSL_SESSION *serverpsk = NULL;
68static const char *pskid = "Identity";
69static const char *srvid;
70
71static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
72 size_t *idlen, SSL_SESSION **sess);
73static int find_session_cb(SSL *ssl, const unsigned char *identity,
74 size_t identity_len, SSL_SESSION **sess);
75
76static int use_session_cb_cnt = 0;
77static int find_session_cb_cnt = 0;
78
79static SSL_SESSION *create_a_psk(SSL *ssl);
80#endif
81
82static char *certsdir = NULL;
83static char *cert = NULL;
84static char *privkey = NULL;
85static char *cert2 = NULL;
86static char *privkey2 = NULL;
87static char *cert1024 = NULL;
88static char *privkey1024 = NULL;
89static char *cert3072 = NULL;
90static char *privkey3072 = NULL;
91static char *cert4096 = NULL;
92static char *privkey4096 = NULL;
93static char *cert8192 = NULL;
94static char *privkey8192 = NULL;
95static char *srpvfile = NULL;
96static char *tmpfilename = NULL;
97static char *dhfile = NULL;
98
99static int is_fips = 0;
100
101#define LOG_BUFFER_SIZE 2048
102static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
103static size_t server_log_buffer_index = 0;
104static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
105static size_t client_log_buffer_index = 0;
106static int error_writing_log = 0;
107
108#ifndef OPENSSL_NO_OCSP
109static const unsigned char orespder[] = "Dummy OCSP Response";
110static int ocsp_server_called = 0;
111static int ocsp_client_called = 0;
112
113static int cdummyarg = 1;
114static X509 *ocspcert = NULL;
115#endif
116
117#define NUM_EXTRA_CERTS 40
118#define CLIENT_VERSION_LEN 2
119
120/*
121 * This structure is used to validate that the correct number of log messages
122 * of various types are emitted when emitting secret logs.
123 */
124struct sslapitest_log_counts {
125 unsigned int rsa_key_exchange_count;
126 unsigned int master_secret_count;
127 unsigned int client_early_secret_count;
128 unsigned int client_handshake_secret_count;
129 unsigned int server_handshake_secret_count;
130 unsigned int client_application_secret_count;
131 unsigned int server_application_secret_count;
132 unsigned int early_exporter_secret_count;
133 unsigned int exporter_secret_count;
134};
135
136
137static unsigned char serverinfov1[] = {
138 0xff, 0xff, /* Dummy extension type */
139 0x00, 0x01, /* Extension length is 1 byte */
140 0xff /* Dummy extension data */
141};
142
143static unsigned char serverinfov2[] = {
144 0x00, 0x00, 0x00,
145 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
146 0xff, 0xff, /* Dummy extension type */
147 0x00, 0x01, /* Extension length is 1 byte */
148 0xff /* Dummy extension data */
149};
150
151static int hostname_cb(SSL *s, int *al, void *arg)
152{
153 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
154
155 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
156 || strcmp(hostname, "altgoodhost") == 0))
157 return SSL_TLSEXT_ERR_OK;
158
159 return SSL_TLSEXT_ERR_NOACK;
160}
161
162static void client_keylog_callback(const SSL *ssl, const char *line)
163{
164 int line_length = strlen(line);
165
166 /* If the log doesn't fit, error out. */
167 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
168 TEST_info("Client log too full");
169 error_writing_log = 1;
170 return;
171 }
172
173 strcat(client_log_buffer, line);
174 client_log_buffer_index += line_length;
175 client_log_buffer[client_log_buffer_index++] = '\n';
176}
177
178static void server_keylog_callback(const SSL *ssl, const char *line)
179{
180 int line_length = strlen(line);
181
182 /* If the log doesn't fit, error out. */
183 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
184 TEST_info("Server log too full");
185 error_writing_log = 1;
186 return;
187 }
188
189 strcat(server_log_buffer, line);
190 server_log_buffer_index += line_length;
191 server_log_buffer[server_log_buffer_index++] = '\n';
192}
193
194static int compare_hex_encoded_buffer(const char *hex_encoded,
195 size_t hex_length,
196 const uint8_t *raw,
197 size_t raw_length)
198{
199 size_t i, j;
200 char hexed[3];
201
202 if (!TEST_size_t_eq(raw_length * 2, hex_length))
203 return 1;
204
205 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
206 sprintf(hexed, "%02x", raw[i]);
207 if (!TEST_int_eq(hexed[0], hex_encoded[j])
208 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
209 return 1;
210 }
211
212 return 0;
213}
214
215static int test_keylog_output(char *buffer, const SSL *ssl,
216 const SSL_SESSION *session,
217 struct sslapitest_log_counts *expected)
218{
219 char *token = NULL;
220 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
221 size_t client_random_size = SSL3_RANDOM_SIZE;
222 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
223 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
224 unsigned int rsa_key_exchange_count = 0;
225 unsigned int master_secret_count = 0;
226 unsigned int client_early_secret_count = 0;
227 unsigned int client_handshake_secret_count = 0;
228 unsigned int server_handshake_secret_count = 0;
229 unsigned int client_application_secret_count = 0;
230 unsigned int server_application_secret_count = 0;
231 unsigned int early_exporter_secret_count = 0;
232 unsigned int exporter_secret_count = 0;
233
234 for (token = strtok(buffer, " \n"); token != NULL;
235 token = strtok(NULL, " \n")) {
236 if (strcmp(token, "RSA") == 0) {
237 /*
238 * Premaster secret. Tokens should be: 16 ASCII bytes of
239 * hex-encoded encrypted secret, then the hex-encoded pre-master
240 * secret.
241 */
242 if (!TEST_ptr(token = strtok(NULL, " \n")))
243 return 0;
244 if (!TEST_size_t_eq(strlen(token), 16))
245 return 0;
246 if (!TEST_ptr(token = strtok(NULL, " \n")))
247 return 0;
248 /*
249 * We can't sensibly check the log because the premaster secret is
250 * transient, and OpenSSL doesn't keep hold of it once the master
251 * secret is generated.
252 */
253 rsa_key_exchange_count++;
254 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
255 /*
256 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
257 * client random, then the hex-encoded master secret.
258 */
259 client_random_size = SSL_get_client_random(ssl,
260 actual_client_random,
261 SSL3_RANDOM_SIZE);
262 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
263 return 0;
264
265 if (!TEST_ptr(token = strtok(NULL, " \n")))
266 return 0;
267 if (!TEST_size_t_eq(strlen(token), 64))
268 return 0;
269 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
270 actual_client_random,
271 client_random_size)))
272 return 0;
273
274 if (!TEST_ptr(token = strtok(NULL, " \n")))
275 return 0;
276 master_key_size = SSL_SESSION_get_master_key(session,
277 actual_master_key,
278 master_key_size);
279 if (!TEST_size_t_ne(master_key_size, 0))
280 return 0;
281 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
282 actual_master_key,
283 master_key_size)))
284 return 0;
285 master_secret_count++;
286 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
287 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
288 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
289 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
290 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
291 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
292 || strcmp(token, "EXPORTER_SECRET") == 0) {
293 /*
294 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
295 * client random, and then the hex-encoded secret. In this case,
296 * we treat all of these secrets identically and then just
297 * distinguish between them when counting what we saw.
298 */
299 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
300 client_early_secret_count++;
301 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
302 client_handshake_secret_count++;
303 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
304 server_handshake_secret_count++;
305 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
306 client_application_secret_count++;
307 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
308 server_application_secret_count++;
309 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
310 early_exporter_secret_count++;
311 else if (strcmp(token, "EXPORTER_SECRET") == 0)
312 exporter_secret_count++;
313
314 client_random_size = SSL_get_client_random(ssl,
315 actual_client_random,
316 SSL3_RANDOM_SIZE);
317 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
318 return 0;
319
320 if (!TEST_ptr(token = strtok(NULL, " \n")))
321 return 0;
322 if (!TEST_size_t_eq(strlen(token), 64))
323 return 0;
324 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
325 actual_client_random,
326 client_random_size)))
327 return 0;
328
329 if (!TEST_ptr(token = strtok(NULL, " \n")))
330 return 0;
331 } else {
332 TEST_info("Unexpected token %s\n", token);
333 return 0;
334 }
335 }
336
337 /* Got what we expected? */
338 if (!TEST_size_t_eq(rsa_key_exchange_count,
339 expected->rsa_key_exchange_count)
340 || !TEST_size_t_eq(master_secret_count,
341 expected->master_secret_count)
342 || !TEST_size_t_eq(client_early_secret_count,
343 expected->client_early_secret_count)
344 || !TEST_size_t_eq(client_handshake_secret_count,
345 expected->client_handshake_secret_count)
346 || !TEST_size_t_eq(server_handshake_secret_count,
347 expected->server_handshake_secret_count)
348 || !TEST_size_t_eq(client_application_secret_count,
349 expected->client_application_secret_count)
350 || !TEST_size_t_eq(server_application_secret_count,
351 expected->server_application_secret_count)
352 || !TEST_size_t_eq(early_exporter_secret_count,
353 expected->early_exporter_secret_count)
354 || !TEST_size_t_eq(exporter_secret_count,
355 expected->exporter_secret_count))
356 return 0;
357 return 1;
358}
359
360#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
361static int test_keylog(void)
362{
363 SSL_CTX *cctx = NULL, *sctx = NULL;
364 SSL *clientssl = NULL, *serverssl = NULL;
365 int testresult = 0;
366 struct sslapitest_log_counts expected;
367
368 /* Clean up logging space */
369 memset(&expected, 0, sizeof(expected));
370 memset(client_log_buffer, 0, sizeof(client_log_buffer));
371 memset(server_log_buffer, 0, sizeof(server_log_buffer));
372 client_log_buffer_index = 0;
373 server_log_buffer_index = 0;
374 error_writing_log = 0;
375
376 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
377 TLS_client_method(),
378 TLS1_VERSION, 0,
379 &sctx, &cctx, cert, privkey)))
380 return 0;
381
382 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
383 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
384 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
385
386 /* We also want to ensure that we use RSA-based key exchange. */
387 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
388 goto end;
389
390 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
391 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
392 goto end;
393 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
394 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
395 == client_keylog_callback))
396 goto end;
397 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
398 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
399 == server_keylog_callback))
400 goto end;
401
402 /* Now do a handshake and check that the logs have been written to. */
403 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
404 &clientssl, NULL, NULL))
405 || !TEST_true(create_ssl_connection(serverssl, clientssl,
406 SSL_ERROR_NONE))
407 || !TEST_false(error_writing_log)
408 || !TEST_int_gt(client_log_buffer_index, 0)
409 || !TEST_int_gt(server_log_buffer_index, 0))
410 goto end;
411
412 /*
413 * Now we want to test that our output data was vaguely sensible. We
414 * do that by using strtok and confirming that we have more or less the
415 * data we expect. For both client and server, we expect to see one master
416 * secret. The client should also see a RSA key exchange.
417 */
418 expected.rsa_key_exchange_count = 1;
419 expected.master_secret_count = 1;
420 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
421 SSL_get_session(clientssl), &expected)))
422 goto end;
423
424 expected.rsa_key_exchange_count = 0;
425 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
426 SSL_get_session(serverssl), &expected)))
427 goto end;
428
429 testresult = 1;
430
431end:
432 SSL_free(serverssl);
433 SSL_free(clientssl);
434 SSL_CTX_free(sctx);
435 SSL_CTX_free(cctx);
436
437 return testresult;
438}
439#endif
440
441#ifndef OSSL_NO_USABLE_TLS1_3
442static int test_keylog_no_master_key(void)
443{
444 SSL_CTX *cctx = NULL, *sctx = NULL;
445 SSL *clientssl = NULL, *serverssl = NULL;
446 SSL_SESSION *sess = NULL;
447 int testresult = 0;
448 struct sslapitest_log_counts expected;
449 unsigned char buf[1];
450 size_t readbytes, written;
451
452 /* Clean up logging space */
453 memset(&expected, 0, sizeof(expected));
454 memset(client_log_buffer, 0, sizeof(client_log_buffer));
455 memset(server_log_buffer, 0, sizeof(server_log_buffer));
456 client_log_buffer_index = 0;
457 server_log_buffer_index = 0;
458 error_writing_log = 0;
459
460 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
461 TLS_client_method(), TLS1_VERSION, 0,
462 &sctx, &cctx, cert, privkey))
463 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
464 SSL3_RT_MAX_PLAIN_LENGTH)))
465 return 0;
466
467 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
468 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
469 goto end;
470
471 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
472 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
473 == client_keylog_callback))
474 goto end;
475
476 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
477 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
478 == server_keylog_callback))
479 goto end;
480
481 /* Now do a handshake and check that the logs have been written to. */
482 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
483 &clientssl, NULL, NULL))
484 || !TEST_true(create_ssl_connection(serverssl, clientssl,
485 SSL_ERROR_NONE))
486 || !TEST_false(error_writing_log))
487 goto end;
488
489 /*
490 * Now we want to test that our output data was vaguely sensible. For this
491 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
492 * TLSv1.3, but we do expect both client and server to emit keys.
493 */
494 expected.client_handshake_secret_count = 1;
495 expected.server_handshake_secret_count = 1;
496 expected.client_application_secret_count = 1;
497 expected.server_application_secret_count = 1;
498 expected.exporter_secret_count = 1;
499 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
500 SSL_get_session(clientssl), &expected))
501 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
502 SSL_get_session(serverssl),
503 &expected)))
504 goto end;
505
506 /* Terminate old session and resume with early data. */
507 sess = SSL_get1_session(clientssl);
508 SSL_shutdown(clientssl);
509 SSL_shutdown(serverssl);
510 SSL_free(serverssl);
511 SSL_free(clientssl);
512 serverssl = clientssl = NULL;
513
514 /* Reset key log */
515 memset(client_log_buffer, 0, sizeof(client_log_buffer));
516 memset(server_log_buffer, 0, sizeof(server_log_buffer));
517 client_log_buffer_index = 0;
518 server_log_buffer_index = 0;
519
520 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
521 &clientssl, NULL, NULL))
522 || !TEST_true(SSL_set_session(clientssl, sess))
523 /* Here writing 0 length early data is enough. */
524 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
525 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
526 &readbytes),
527 SSL_READ_EARLY_DATA_ERROR)
528 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
529 SSL_EARLY_DATA_ACCEPTED)
530 || !TEST_true(create_ssl_connection(serverssl, clientssl,
531 SSL_ERROR_NONE))
532 || !TEST_true(SSL_session_reused(clientssl)))
533 goto end;
534
535 /* In addition to the previous entries, expect early secrets. */
536 expected.client_early_secret_count = 1;
537 expected.early_exporter_secret_count = 1;
538 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
539 SSL_get_session(clientssl), &expected))
540 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
541 SSL_get_session(serverssl),
542 &expected)))
543 goto end;
544
545 testresult = 1;
546
547end:
548 SSL_SESSION_free(sess);
549 SSL_free(serverssl);
550 SSL_free(clientssl);
551 SSL_CTX_free(sctx);
552 SSL_CTX_free(cctx);
553
554 return testresult;
555}
556#endif
557
558static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
559{
560 int res = X509_verify_cert(ctx);
561 int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
562 SSL *ssl;
563
564 /* this should not happen but check anyway */
565 if (idx < 0
566 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL)
567 return 0;
568
569 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
570 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
571 /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
572 return SSL_set_retry_verify(ssl);
573
574 return res;
575}
576
577static int test_client_cert_verify_cb(void)
578{
579 /* server key, cert, chain, and root */
580 char *skey = test_mk_file_path(certsdir, "leaf.key");
581 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
582 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
583 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
584 char *root = test_mk_file_path(certsdir, "rootCA.pem");
585 X509 *crt1 = NULL, *crt2 = NULL;
586 STACK_OF(X509) *server_chain;
587 SSL_CTX *cctx = NULL, *sctx = NULL;
588 SSL *clientssl = NULL, *serverssl = NULL;
589 int testresult = 0;
590
591 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
592 TLS_client_method(), TLS1_VERSION, 0,
593 &sctx, &cctx, NULL, NULL)))
594 goto end;
595 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
596 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
597 SSL_FILETYPE_PEM), 1)
598 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
599 goto end;
600 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
601 goto end;
602 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
603 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
604 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
605 &clientssl, NULL, NULL)))
606 goto end;
607
608 /* attempt SSL_connect() with incomplete server chain */
609 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
610 SSL_ERROR_WANT_RETRY_VERIFY)))
611 goto end;
612
613 /* application provides intermediate certs needed to verify server cert */
614 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
615 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
616 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
617 goto end;
618 /* add certs in reverse order to demonstrate real chain building */
619 if (!TEST_true(sk_X509_push(server_chain, crt1)))
620 goto end;
621 crt1 = NULL;
622 if (!TEST_true(sk_X509_push(server_chain, crt2)))
623 goto end;
624 crt2 = NULL;
625
626 /* continue SSL_connect(), must now succeed with completed server chain */
627 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
628 SSL_ERROR_NONE)))
629 goto end;
630
631 testresult = 1;
632
633end:
634 X509_free(crt1);
635 X509_free(crt2);
636 if (clientssl != NULL) {
637 SSL_shutdown(clientssl);
638 SSL_free(clientssl);
639 }
640 if (serverssl != NULL) {
641 SSL_shutdown(serverssl);
642 SSL_free(serverssl);
643 }
644 SSL_CTX_free(sctx);
645 SSL_CTX_free(cctx);
646
647 OPENSSL_free(skey);
648 OPENSSL_free(leaf);
649 OPENSSL_free(int2);
650 OPENSSL_free(int1);
651 OPENSSL_free(root);
652
653 return testresult;
654}
655
656static int test_ssl_build_cert_chain(void)
657{
658 int ret = 0;
659 SSL_CTX *ssl_ctx = NULL;
660 SSL *ssl = NULL;
661 char *skey = test_mk_file_path(certsdir, "leaf.key");
662 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
663
664 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
665 goto end;
666 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
667 goto end;
668 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
669 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
670 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
671 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
672 goto end;
673 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
674 | SSL_BUILD_CHAIN_FLAG_CHECK)))
675 goto end;
676 ret = 1;
677end:
678 SSL_free(ssl);
679 SSL_CTX_free(ssl_ctx);
680 OPENSSL_free(leaf_chain);
681 OPENSSL_free(skey);
682 return ret;
683}
684
685static int get_password_cb(char *buf, int size, int rw_flag, void *userdata)
686{
687 static const char pass[] = "testpass";
688
689 if (!TEST_int_eq(size, PEM_BUFSIZE))
690 return -1;
691
692 memcpy(buf, pass, sizeof(pass) - 1);
693 return sizeof(pass) - 1;
694}
695
696static int test_ssl_ctx_build_cert_chain(void)
697{
698 int ret = 0;
699 SSL_CTX *ctx = NULL;
700 char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key");
701 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
702
703 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
704 goto end;
705 SSL_CTX_set_default_passwd_cb(ctx, get_password_cb);
706 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
707 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
708 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
709 SSL_FILETYPE_PEM), 1)
710 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
711 goto end;
712 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
713 | SSL_BUILD_CHAIN_FLAG_CHECK)))
714 goto end;
715 ret = 1;
716end:
717 SSL_CTX_free(ctx);
718 OPENSSL_free(leaf_chain);
719 OPENSSL_free(skey);
720 return ret;
721}
722
723#ifndef OPENSSL_NO_TLS1_2
724static int full_client_hello_callback(SSL *s, int *al, void *arg)
725{
726 int *ctr = arg;
727 const unsigned char *p;
728 int *exts;
729 /* We only configure two ciphers, but the SCSV is added automatically. */
730#ifdef OPENSSL_NO_EC
731 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
732#else
733 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
734 0x2c, 0x00, 0xff};
735#endif
736 const int expected_extensions[] = {
737#ifndef OPENSSL_NO_EC
738 11, 10,
739#endif
740 35, 22, 23, 13};
741 size_t len;
742
743 /* Make sure we can defer processing and get called back. */
744 if ((*ctr)++ == 0)
745 return SSL_CLIENT_HELLO_RETRY;
746
747 len = SSL_client_hello_get0_ciphers(s, &p);
748 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
749 || !TEST_size_t_eq(
750 SSL_client_hello_get0_compression_methods(s, &p), 1)
751 || !TEST_int_eq(*p, 0))
752 return SSL_CLIENT_HELLO_ERROR;
753 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
754 return SSL_CLIENT_HELLO_ERROR;
755 if (len != OSSL_NELEM(expected_extensions) ||
756 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
757 printf("ClientHello callback expected extensions mismatch\n");
758 OPENSSL_free(exts);
759 return SSL_CLIENT_HELLO_ERROR;
760 }
761 OPENSSL_free(exts);
762 return SSL_CLIENT_HELLO_SUCCESS;
763}
764
765static int test_client_hello_cb(void)
766{
767 SSL_CTX *cctx = NULL, *sctx = NULL;
768 SSL *clientssl = NULL, *serverssl = NULL;
769 int testctr = 0, testresult = 0;
770
771 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
772 TLS_client_method(), TLS1_VERSION, 0,
773 &sctx, &cctx, cert, privkey)))
774 goto end;
775 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
776
777 /* The gimpy cipher list we configure can't do TLS 1.3. */
778 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
779
780 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
781 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
782 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
783 &clientssl, NULL, NULL))
784 || !TEST_false(create_ssl_connection(serverssl, clientssl,
785 SSL_ERROR_WANT_CLIENT_HELLO_CB))
786 /*
787 * Passing a -1 literal is a hack since
788 * the real value was lost.
789 * */
790 || !TEST_int_eq(SSL_get_error(serverssl, -1),
791 SSL_ERROR_WANT_CLIENT_HELLO_CB)
792 || !TEST_true(create_ssl_connection(serverssl, clientssl,
793 SSL_ERROR_NONE)))
794 goto end;
795
796 testresult = 1;
797
798end:
799 SSL_free(serverssl);
800 SSL_free(clientssl);
801 SSL_CTX_free(sctx);
802 SSL_CTX_free(cctx);
803
804 return testresult;
805}
806
807static int test_no_ems(void)
808{
809 SSL_CTX *cctx = NULL, *sctx = NULL;
810 SSL *clientssl = NULL, *serverssl = NULL;
811 int testresult = 0;
812
813 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
814 TLS1_VERSION, TLS1_2_VERSION,
815 &sctx, &cctx, cert, privkey)) {
816 printf("Unable to create SSL_CTX pair\n");
817 goto end;
818 }
819
820 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
821
822 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
823 printf("Unable to create SSL objects\n");
824 goto end;
825 }
826
827 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
828 printf("Creating SSL connection failed\n");
829 goto end;
830 }
831
832 if (SSL_get_extms_support(serverssl)) {
833 printf("Server reports Extended Master Secret support\n");
834 goto end;
835 }
836
837 if (SSL_get_extms_support(clientssl)) {
838 printf("Client reports Extended Master Secret support\n");
839 goto end;
840 }
841 testresult = 1;
842
843end:
844 SSL_free(serverssl);
845 SSL_free(clientssl);
846 SSL_CTX_free(sctx);
847 SSL_CTX_free(cctx);
848
849 return testresult;
850}
851
852/*
853 * Very focused test to exercise a single case in the server-side state
854 * machine, when the ChangeCipherState message needs to actually change
855 * from one cipher to a different cipher (i.e., not changing from null
856 * encryption to real encryption).
857 */
858static int test_ccs_change_cipher(void)
859{
860 SSL_CTX *cctx = NULL, *sctx = NULL;
861 SSL *clientssl = NULL, *serverssl = NULL;
862 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
863 int testresult = 0;
864 int i;
865 unsigned char buf;
866 size_t readbytes;
867
868 /*
869 * Create a conection so we can resume and potentially (but not) use
870 * a different cipher in the second connection.
871 */
872 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
873 TLS_client_method(),
874 TLS1_VERSION, TLS1_2_VERSION,
875 &sctx, &cctx, cert, privkey))
876 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
877 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
878 NULL, NULL))
879 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
880 || !TEST_true(create_ssl_connection(serverssl, clientssl,
881 SSL_ERROR_NONE))
882 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
883 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
884 goto end;
885
886 shutdown_ssl_connection(serverssl, clientssl);
887 serverssl = clientssl = NULL;
888
889 /* Resume, preferring a different cipher. Our server will force the
890 * same cipher to be used as the initial handshake. */
891 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
892 NULL, NULL))
893 || !TEST_true(SSL_set_session(clientssl, sess))
894 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
895 || !TEST_true(create_ssl_connection(serverssl, clientssl,
896 SSL_ERROR_NONE))
897 || !TEST_true(SSL_session_reused(clientssl))
898 || !TEST_true(SSL_session_reused(serverssl))
899 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
900 || !TEST_ptr_eq(sesspre, sesspost)
901 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
902 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
903 goto end;
904 shutdown_ssl_connection(serverssl, clientssl);
905 serverssl = clientssl = NULL;
906
907 /*
908 * Now create a fresh connection and try to renegotiate a different
909 * cipher on it.
910 */
911 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
912 NULL, NULL))
913 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
914 || !TEST_true(create_ssl_connection(serverssl, clientssl,
915 SSL_ERROR_NONE))
916 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
917 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
918 || !TEST_true(SSL_renegotiate(clientssl))
919 || !TEST_true(SSL_renegotiate_pending(clientssl)))
920 goto end;
921 /* Actually drive the renegotiation. */
922 for (i = 0; i < 3; i++) {
923 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
924 if (!TEST_ulong_eq(readbytes, 0))
925 goto end;
926 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
927 SSL_ERROR_WANT_READ)) {
928 goto end;
929 }
930 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
931 if (!TEST_ulong_eq(readbytes, 0))
932 goto end;
933 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
934 SSL_ERROR_WANT_READ)) {
935 goto end;
936 }
937 }
938 /* sesspre and sesspost should be different since the cipher changed. */
939 if (!TEST_false(SSL_renegotiate_pending(clientssl))
940 || !TEST_false(SSL_session_reused(clientssl))
941 || !TEST_false(SSL_session_reused(serverssl))
942 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
943 || !TEST_ptr_ne(sesspre, sesspost)
944 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
945 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
946 goto end;
947
948 shutdown_ssl_connection(serverssl, clientssl);
949 serverssl = clientssl = NULL;
950
951 testresult = 1;
952
953end:
954 SSL_free(serverssl);
955 SSL_free(clientssl);
956 SSL_CTX_free(sctx);
957 SSL_CTX_free(cctx);
958 SSL_SESSION_free(sess);
959
960 return testresult;
961}
962#endif
963
964static int execute_test_large_message(const SSL_METHOD *smeth,
965 const SSL_METHOD *cmeth,
966 int min_version, int max_version,
967 int read_ahead)
968{
969 SSL_CTX *cctx = NULL, *sctx = NULL;
970 SSL *clientssl = NULL, *serverssl = NULL;
971 int testresult = 0;
972 int i;
973 BIO *certbio = NULL;
974 X509 *chaincert = NULL;
975 int certlen;
976
977 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
978 goto end;
979
980 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
981 goto end;
982
983 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
984 goto end;
985 BIO_free(certbio);
986 certbio = NULL;
987
988 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
989 max_version, &sctx, &cctx, cert,
990 privkey)))
991 goto end;
992
993#ifdef OPENSSL_NO_DTLS1_2
994 if (smeth == DTLS_server_method()) {
995 /*
996 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
997 * level 0
998 */
999 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1000 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1001 "DEFAULT:@SECLEVEL=0")))
1002 goto end;
1003 }
1004#endif
1005
1006 if (read_ahead) {
1007 /*
1008 * Test that read_ahead works correctly when dealing with large
1009 * records
1010 */
1011 SSL_CTX_set_read_ahead(cctx, 1);
1012 }
1013
1014 /*
1015 * We assume the supplied certificate is big enough so that if we add
1016 * NUM_EXTRA_CERTS it will make the overall message large enough. The
1017 * default buffer size is requested to be 16k, but due to the way BUF_MEM
1018 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
1019 * test we need to have a message larger than that.
1020 */
1021 certlen = i2d_X509(chaincert, NULL);
1022 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
1023 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
1024 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
1025 if (!X509_up_ref(chaincert))
1026 goto end;
1027 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
1028 X509_free(chaincert);
1029 goto end;
1030 }
1031 }
1032
1033 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1034 NULL, NULL))
1035 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1036 SSL_ERROR_NONE)))
1037 goto end;
1038
1039 /*
1040 * Calling SSL_clear() first is not required but this tests that SSL_clear()
1041 * doesn't leak.
1042 */
1043 if (!TEST_true(SSL_clear(serverssl)))
1044 goto end;
1045
1046 testresult = 1;
1047 end:
1048 BIO_free(certbio);
1049 X509_free(chaincert);
1050 SSL_free(serverssl);
1051 SSL_free(clientssl);
1052 SSL_CTX_free(sctx);
1053 SSL_CTX_free(cctx);
1054
1055 return testresult;
1056}
1057
1058#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
1059 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
1060/* sock must be connected */
1061static int ktls_chk_platform(int sock)
1062{
1063 if (!ktls_enable(sock))
1064 return 0;
1065 return 1;
1066}
1067
1068static int ping_pong_query(SSL *clientssl, SSL *serverssl)
1069{
1070 static char count = 1;
1071 unsigned char cbuf[16000] = {0};
1072 unsigned char sbuf[16000];
1073 size_t err = 0;
1074 char crec_wseq_before[SEQ_NUM_SIZE];
1075 char crec_wseq_after[SEQ_NUM_SIZE];
1076 char crec_rseq_before[SEQ_NUM_SIZE];
1077 char crec_rseq_after[SEQ_NUM_SIZE];
1078 char srec_wseq_before[SEQ_NUM_SIZE];
1079 char srec_wseq_after[SEQ_NUM_SIZE];
1080 char srec_rseq_before[SEQ_NUM_SIZE];
1081 char srec_rseq_after[SEQ_NUM_SIZE];
1082
1083 cbuf[0] = count++;
1084 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1085 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1086 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1087 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1088
1089 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1090 goto end;
1091
1092 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1093 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1094 goto end;
1095 }
1096 }
1097
1098 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1099 goto end;
1100
1101 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1102 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1103 goto end;
1104 }
1105 }
1106
1107 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1108 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1109 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1110 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1111
1112 /* verify the payload */
1113 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1114 goto end;
1115
1116 /*
1117 * If ktls is used then kernel sequences are used instead of
1118 * OpenSSL sequences
1119 */
1120 if (!BIO_get_ktls_send(clientssl->wbio)) {
1121 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1122 crec_wseq_after, SEQ_NUM_SIZE))
1123 goto end;
1124 } else {
1125 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1126 crec_wseq_after, SEQ_NUM_SIZE))
1127 goto end;
1128 }
1129
1130 if (!BIO_get_ktls_send(serverssl->wbio)) {
1131 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1132 srec_wseq_after, SEQ_NUM_SIZE))
1133 goto end;
1134 } else {
1135 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1136 srec_wseq_after, SEQ_NUM_SIZE))
1137 goto end;
1138 }
1139
1140 if (!BIO_get_ktls_recv(clientssl->wbio)) {
1141 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1142 crec_rseq_after, SEQ_NUM_SIZE))
1143 goto end;
1144 } else {
1145 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1146 crec_rseq_after, SEQ_NUM_SIZE))
1147 goto end;
1148 }
1149
1150 if (!BIO_get_ktls_recv(serverssl->wbio)) {
1151 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1152 srec_rseq_after, SEQ_NUM_SIZE))
1153 goto end;
1154 } else {
1155 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1156 srec_rseq_after, SEQ_NUM_SIZE))
1157 goto end;
1158 }
1159
1160 return 1;
1161end:
1162 return 0;
1163}
1164
1165static int execute_test_ktls(int cis_ktls, int sis_ktls,
1166 int tls_version, const char *cipher)
1167{
1168 SSL_CTX *cctx = NULL, *sctx = NULL;
1169 SSL *clientssl = NULL, *serverssl = NULL;
1170 int ktls_used = 0, testresult = 0;
1171 int cfd = -1, sfd = -1;
1172 int rx_supported;
1173
1174 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
1175 goto end;
1176
1177 /* Skip this test if the platform does not support ktls */
1178 if (!ktls_chk_platform(cfd)) {
1179 testresult = TEST_skip("Kernel does not support KTLS");
1180 goto end;
1181 }
1182
1183 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1184 testresult = TEST_skip("CHACHA is not supported in FIPS");
1185 goto end;
1186 }
1187
1188 /* Create a session based on SHA-256 */
1189 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1190 TLS_client_method(),
1191 tls_version, tls_version,
1192 &sctx, &cctx, cert, privkey)))
1193 goto end;
1194
1195 if (tls_version == TLS1_3_VERSION) {
1196 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1197 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1198 goto end;
1199 } else {
1200 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1201 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1202 goto end;
1203 }
1204
1205 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1206 &clientssl, sfd, cfd)))
1207 goto end;
1208
1209 if (cis_ktls) {
1210 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
1211 goto end;
1212 }
1213
1214 if (sis_ktls) {
1215 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1216 goto end;
1217 }
1218
1219 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1220 goto end;
1221
1222 /*
1223 * The running kernel may not support a given cipher suite
1224 * or direction, so just check that KTLS isn't used when it
1225 * isn't enabled.
1226 */
1227 if (!cis_ktls) {
1228 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1229 goto end;
1230 } else {
1231 if (BIO_get_ktls_send(clientssl->wbio))
1232 ktls_used = 1;
1233 }
1234
1235 if (!sis_ktls) {
1236 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1237 goto end;
1238 } else {
1239 if (BIO_get_ktls_send(serverssl->wbio))
1240 ktls_used = 1;
1241 }
1242
1243#if defined(OPENSSL_NO_KTLS_RX)
1244 rx_supported = 0;
1245#else
1246 rx_supported = (tls_version != TLS1_3_VERSION);
1247#endif
1248 if (!cis_ktls || !rx_supported) {
1249 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1250 goto end;
1251 } else {
1252 if (BIO_get_ktls_send(clientssl->rbio))
1253 ktls_used = 1;
1254 }
1255
1256 if (!sis_ktls || !rx_supported) {
1257 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1258 goto end;
1259 } else {
1260 if (BIO_get_ktls_send(serverssl->rbio))
1261 ktls_used = 1;
1262 }
1263
1264 if ((cis_ktls || sis_ktls) && !ktls_used) {
1265 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1266 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1267 "TLS 1.2", cipher);
1268 goto end;
1269 }
1270
1271 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
1272 goto end;
1273
1274 testresult = 1;
1275end:
1276 if (clientssl) {
1277 SSL_shutdown(clientssl);
1278 SSL_free(clientssl);
1279 }
1280 if (serverssl) {
1281 SSL_shutdown(serverssl);
1282 SSL_free(serverssl);
1283 }
1284 SSL_CTX_free(sctx);
1285 SSL_CTX_free(cctx);
1286 serverssl = clientssl = NULL;
1287 if (cfd != -1)
1288 close(cfd);
1289 if (sfd != -1)
1290 close(sfd);
1291 return testresult;
1292}
1293
1294#define SENDFILE_SZ (16 * 4096)
1295#define SENDFILE_CHUNK (4 * 4096)
1296#define min(a,b) ((a) > (b) ? (b) : (a))
1297
1298static int execute_test_ktls_sendfile(int tls_version, const char *cipher)
1299{
1300 SSL_CTX *cctx = NULL, *sctx = NULL;
1301 SSL *clientssl = NULL, *serverssl = NULL;
1302 unsigned char *buf, *buf_dst;
1303 BIO *out = NULL, *in = NULL;
1304 int cfd = -1, sfd = -1, ffd, err;
1305 ssize_t chunk_size = 0;
1306 off_t chunk_off = 0;
1307 int testresult = 0;
1308 FILE *ffdp;
1309
1310 buf = OPENSSL_zalloc(SENDFILE_SZ);
1311 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1312 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1313 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1314 goto end;
1315
1316 /* Skip this test if the platform does not support ktls */
1317 if (!ktls_chk_platform(sfd)) {
1318 testresult = TEST_skip("Kernel does not support KTLS");
1319 goto end;
1320 }
1321
1322 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1323 testresult = TEST_skip("CHACHA is not supported in FIPS");
1324 goto end;
1325 }
1326
1327 /* Create a session based on SHA-256 */
1328 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1329 TLS_client_method(),
1330 tls_version, tls_version,
1331 &sctx, &cctx, cert, privkey)))
1332 goto end;
1333
1334 if (tls_version == TLS1_3_VERSION) {
1335 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1336 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1337 goto end;
1338 } else {
1339 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1340 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1341 goto end;
1342 }
1343
1344 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1345 &clientssl, sfd, cfd)))
1346 goto end;
1347
1348 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1349 goto end;
1350
1351 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1352 SSL_ERROR_NONE)))
1353 goto end;
1354
1355 if (!BIO_get_ktls_send(serverssl->wbio)) {
1356 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1357 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1358 "TLS 1.2", cipher);
1359 goto end;
1360 }
1361
1362 if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
1363 goto end;
1364
1365 out = BIO_new_file(tmpfilename, "wb");
1366 if (!TEST_ptr(out))
1367 goto end;
1368
1369 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1370 goto end;
1371
1372 BIO_free(out);
1373 out = NULL;
1374 in = BIO_new_file(tmpfilename, "rb");
1375 BIO_get_fp(in, &ffdp);
1376 ffd = fileno(ffdp);
1377
1378 while (chunk_off < SENDFILE_SZ) {
1379 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1380 while ((err = SSL_sendfile(serverssl,
1381 ffd,
1382 chunk_off,
1383 chunk_size,
1384 0)) != chunk_size) {
1385 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1386 goto end;
1387 }
1388 while ((err = SSL_read(clientssl,
1389 buf_dst + chunk_off,
1390 chunk_size)) != chunk_size) {
1391 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1392 goto end;
1393 }
1394
1395 /* verify the payload */
1396 if (!TEST_mem_eq(buf_dst + chunk_off,
1397 chunk_size,
1398 buf + chunk_off,
1399 chunk_size))
1400 goto end;
1401
1402 chunk_off += chunk_size;
1403 }
1404
1405 testresult = 1;
1406end:
1407 if (clientssl) {
1408 SSL_shutdown(clientssl);
1409 SSL_free(clientssl);
1410 }
1411 if (serverssl) {
1412 SSL_shutdown(serverssl);
1413 SSL_free(serverssl);
1414 }
1415 SSL_CTX_free(sctx);
1416 SSL_CTX_free(cctx);
1417 serverssl = clientssl = NULL;
1418 BIO_free(out);
1419 BIO_free(in);
1420 if (cfd != -1)
1421 close(cfd);
1422 if (sfd != -1)
1423 close(sfd);
1424 OPENSSL_free(buf);
1425 OPENSSL_free(buf_dst);
1426 return testresult;
1427}
1428
1429static struct ktls_test_cipher {
1430 int tls_version;
1431 const char *cipher;
1432} ktls_test_ciphers[] = {
1433# if !defined(OPENSSL_NO_TLS1_2)
1434# ifdef OPENSSL_KTLS_AES_GCM_128
1435 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1436# endif
1437# ifdef OPENSSL_KTLS_AES_CCM_128
1438 { TLS1_2_VERSION, "AES128-CCM"},
1439# endif
1440# ifdef OPENSSL_KTLS_AES_GCM_256
1441 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1442# endif
1443# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1444 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
1445# endif
1446# endif
1447# if !defined(OSSL_NO_USABLE_TLS1_3)
1448# ifdef OPENSSL_KTLS_AES_GCM_128
1449 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1450# endif
1451# ifdef OPENSSL_KTLS_AES_CCM_128
1452 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1453# endif
1454# ifdef OPENSSL_KTLS_AES_GCM_256
1455 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1456# endif
1457# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1458 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1459# endif
1460# endif
1461};
1462
1463#define NUM_KTLS_TEST_CIPHERS \
1464 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1465
1466static int test_ktls(int test)
1467{
1468 struct ktls_test_cipher *cipher;
1469 int cis_ktls, sis_ktls;
1470
1471 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
1472 cipher = &ktls_test_ciphers[test / 4];
1473
1474 cis_ktls = (test & 1) != 0;
1475 sis_ktls = (test & 2) != 0;
1476
1477 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1478 cipher->cipher);
1479}
1480
1481static int test_ktls_sendfile(int tst)
1482{
1483 struct ktls_test_cipher *cipher;
1484
1485 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
1486 cipher = &ktls_test_ciphers[tst];
1487
1488 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher);
1489}
1490#endif
1491
1492static int test_large_message_tls(void)
1493{
1494 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1495 TLS1_VERSION, 0, 0);
1496}
1497
1498static int test_large_message_tls_read_ahead(void)
1499{
1500 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1501 TLS1_VERSION, 0, 1);
1502}
1503
1504#ifndef OPENSSL_NO_DTLS
1505static int test_large_message_dtls(void)
1506{
1507# ifdef OPENSSL_NO_DTLS1_2
1508 /* Not supported in the FIPS provider */
1509 if (is_fips)
1510 return 1;
1511# endif
1512 /*
1513 * read_ahead is not relevant to DTLS because DTLS always acts as if
1514 * read_ahead is set.
1515 */
1516 return execute_test_large_message(DTLS_server_method(),
1517 DTLS_client_method(),
1518 DTLS1_VERSION, 0, 0);
1519}
1520#endif
1521
1522static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1523 const SSL_METHOD *cmeth,
1524 int min_version, int max_version)
1525{
1526 size_t i;
1527 SSL_CTX *cctx = NULL, *sctx = NULL;
1528 SSL *clientssl = NULL, *serverssl = NULL;
1529 int testresult = 0;
1530 SSL3_RECORD *rr;
1531 void *zbuf;
1532
1533 static unsigned char cbuf[16000];
1534 static unsigned char sbuf[16000];
1535
1536 if (!TEST_true(create_ssl_ctx_pair(libctx,
1537 smeth, cmeth,
1538 min_version, max_version,
1539 &sctx, &cctx, cert,
1540 privkey)))
1541 goto end;
1542
1543#ifdef OPENSSL_NO_DTLS1_2
1544 if (smeth == DTLS_server_method()) {
1545# ifdef OPENSSL_NO_DTLS1_2
1546 /* Not supported in the FIPS provider */
1547 if (is_fips) {
1548 testresult = 1;
1549 goto end;
1550 };
1551# endif
1552 /*
1553 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1554 * level 0
1555 */
1556 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1557 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1558 "DEFAULT:@SECLEVEL=0")))
1559 goto end;
1560 }
1561#endif
1562
1563 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1564 NULL, NULL)))
1565 goto end;
1566
1567 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1568 goto end;
1569
1570 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1571 SSL_ERROR_NONE)))
1572 goto end;
1573
1574 for (i = 0; i < sizeof(cbuf); i++) {
1575 cbuf[i] = i & 0xff;
1576 }
1577
1578 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1579 goto end;
1580
1581 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1582 goto end;
1583
1584 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1585 goto end;
1586
1587 /*
1588 * Since we called SSL_peek(), we know the data in the record
1589 * layer is a plaintext record. We can gather the pointer to check
1590 * for zeroization after SSL_read().
1591 */
1592 rr = serverssl->rlayer.rrec;
1593 zbuf = &rr->data[rr->off];
1594 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1595 goto end;
1596
1597 /*
1598 * After SSL_peek() the plaintext must still be stored in the
1599 * record.
1600 */
1601 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1602 goto end;
1603
1604 memset(sbuf, 0, sizeof(sbuf));
1605 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1606 goto end;
1607
1608 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1609 goto end;
1610
1611 /* Check if rbuf is cleansed */
1612 memset(cbuf, 0, sizeof(cbuf));
1613 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1614 goto end;
1615
1616 testresult = 1;
1617 end:
1618 SSL_free(serverssl);
1619 SSL_free(clientssl);
1620 SSL_CTX_free(sctx);
1621 SSL_CTX_free(cctx);
1622
1623 return testresult;
1624}
1625
1626static int test_cleanse_plaintext(void)
1627{
1628#if !defined(OPENSSL_NO_TLS1_2)
1629 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1630 TLS_client_method(),
1631 TLS1_2_VERSION,
1632 TLS1_2_VERSION)))
1633 return 0;
1634
1635#endif
1636
1637#if !defined(OSSL_NO_USABLE_TLS1_3)
1638 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1639 TLS_client_method(),
1640 TLS1_3_VERSION,
1641 TLS1_3_VERSION)))
1642 return 0;
1643#endif
1644
1645#if !defined(OPENSSL_NO_DTLS)
1646
1647 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1648 DTLS_client_method(),
1649 DTLS1_VERSION,
1650 0)))
1651 return 0;
1652#endif
1653 return 1;
1654}
1655
1656#ifndef OPENSSL_NO_OCSP
1657static int ocsp_server_cb(SSL *s, void *arg)
1658{
1659 int *argi = (int *)arg;
1660 unsigned char *copy = NULL;
1661 STACK_OF(OCSP_RESPID) *ids = NULL;
1662 OCSP_RESPID *id = NULL;
1663
1664 if (*argi == 2) {
1665 /* In this test we are expecting exactly 1 OCSP_RESPID */
1666 SSL_get_tlsext_status_ids(s, &ids);
1667 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1668 return SSL_TLSEXT_ERR_ALERT_FATAL;
1669
1670 id = sk_OCSP_RESPID_value(ids, 0);
1671 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1672 return SSL_TLSEXT_ERR_ALERT_FATAL;
1673 } else if (*argi != 1) {
1674 return SSL_TLSEXT_ERR_ALERT_FATAL;
1675 }
1676
1677 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1678 return SSL_TLSEXT_ERR_ALERT_FATAL;
1679
1680 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1681 sizeof(orespder)))) {
1682 OPENSSL_free(copy);
1683 return SSL_TLSEXT_ERR_ALERT_FATAL;
1684 }
1685 ocsp_server_called = 1;
1686 return SSL_TLSEXT_ERR_OK;
1687}
1688
1689static int ocsp_client_cb(SSL *s, void *arg)
1690{
1691 int *argi = (int *)arg;
1692 const unsigned char *respderin;
1693 size_t len;
1694
1695 if (*argi != 1 && *argi != 2)
1696 return 0;
1697
1698 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1699 if (!TEST_mem_eq(orespder, len, respderin, len))
1700 return 0;
1701
1702 ocsp_client_called = 1;
1703 return 1;
1704}
1705
1706static int test_tlsext_status_type(void)
1707{
1708 SSL_CTX *cctx = NULL, *sctx = NULL;
1709 SSL *clientssl = NULL, *serverssl = NULL;
1710 int testresult = 0;
1711 STACK_OF(OCSP_RESPID) *ids = NULL;
1712 OCSP_RESPID *id = NULL;
1713 BIO *certbio = NULL;
1714
1715 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1716 TLS1_VERSION, 0,
1717 &sctx, &cctx, cert, privkey))
1718 return 0;
1719
1720 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1721 goto end;
1722
1723 /* First just do various checks getting and setting tlsext_status_type */
1724
1725 clientssl = SSL_new(cctx);
1726 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1727 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1728 TLSEXT_STATUSTYPE_ocsp))
1729 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1730 TLSEXT_STATUSTYPE_ocsp))
1731 goto end;
1732
1733 SSL_free(clientssl);
1734 clientssl = NULL;
1735
1736 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1737 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1738 goto end;
1739
1740 clientssl = SSL_new(cctx);
1741 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1742 goto end;
1743 SSL_free(clientssl);
1744 clientssl = NULL;
1745
1746 /*
1747 * Now actually do a handshake and check OCSP information is exchanged and
1748 * the callbacks get called
1749 */
1750 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1751 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1752 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1753 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1754 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1755 &clientssl, NULL, NULL))
1756 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1757 SSL_ERROR_NONE))
1758 || !TEST_true(ocsp_client_called)
1759 || !TEST_true(ocsp_server_called))
1760 goto end;
1761 SSL_free(serverssl);
1762 SSL_free(clientssl);
1763 serverssl = NULL;
1764 clientssl = NULL;
1765
1766 /* Try again but this time force the server side callback to fail */
1767 ocsp_client_called = 0;
1768 ocsp_server_called = 0;
1769 cdummyarg = 0;
1770 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1771 &clientssl, NULL, NULL))
1772 /* This should fail because the callback will fail */
1773 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1774 SSL_ERROR_NONE))
1775 || !TEST_false(ocsp_client_called)
1776 || !TEST_false(ocsp_server_called))
1777 goto end;
1778 SSL_free(serverssl);
1779 SSL_free(clientssl);
1780 serverssl = NULL;
1781 clientssl = NULL;
1782
1783 /*
1784 * This time we'll get the client to send an OCSP_RESPID that it will
1785 * accept.
1786 */
1787 ocsp_client_called = 0;
1788 ocsp_server_called = 0;
1789 cdummyarg = 2;
1790 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1791 &clientssl, NULL, NULL)))
1792 goto end;
1793
1794 /*
1795 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1796 * specific one. We'll use the server cert.
1797 */
1798 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1799 || !TEST_ptr(id = OCSP_RESPID_new())
1800 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1801 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
1802 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
1803 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1804 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1805 goto end;
1806 id = NULL;
1807 SSL_set_tlsext_status_ids(clientssl, ids);
1808 /* Control has been transferred */
1809 ids = NULL;
1810
1811 BIO_free(certbio);
1812 certbio = NULL;
1813
1814 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1815 SSL_ERROR_NONE))
1816 || !TEST_true(ocsp_client_called)
1817 || !TEST_true(ocsp_server_called))
1818 goto end;
1819
1820 testresult = 1;
1821
1822 end:
1823 SSL_free(serverssl);
1824 SSL_free(clientssl);
1825 SSL_CTX_free(sctx);
1826 SSL_CTX_free(cctx);
1827 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1828 OCSP_RESPID_free(id);
1829 BIO_free(certbio);
1830 X509_free(ocspcert);
1831 ocspcert = NULL;
1832
1833 return testresult;
1834}
1835#endif
1836
1837#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1838static int new_called, remove_called, get_called;
1839
1840static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1841{
1842 new_called++;
1843 /*
1844 * sess has been up-refed for us, but we don't actually need it so free it
1845 * immediately.
1846 */
1847 SSL_SESSION_free(sess);
1848 return 1;
1849}
1850
1851static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1852{
1853 remove_called++;
1854}
1855
1856static SSL_SESSION *get_sess_val = NULL;
1857
1858static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1859 int *copy)
1860{
1861 get_called++;
1862 *copy = 1;
1863 return get_sess_val;
1864}
1865
1866static int execute_test_session(int maxprot, int use_int_cache,
1867 int use_ext_cache, long s_options)
1868{
1869 SSL_CTX *sctx = NULL, *cctx = NULL;
1870 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1871 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1872# ifndef OPENSSL_NO_TLS1_1
1873 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1874# endif
1875 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1876 int testresult = 0, numnewsesstick = 1;
1877
1878 new_called = remove_called = 0;
1879
1880 /* TLSv1.3 sends 2 NewSessionTickets */
1881 if (maxprot == TLS1_3_VERSION)
1882 numnewsesstick = 2;
1883
1884 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1885 TLS_client_method(), TLS1_VERSION, 0,
1886 &sctx, &cctx, cert, privkey)))
1887 return 0;
1888
1889 /*
1890 * Only allow the max protocol version so we can force a connection failure
1891 * later
1892 */
1893 SSL_CTX_set_min_proto_version(cctx, maxprot);
1894 SSL_CTX_set_max_proto_version(cctx, maxprot);
1895
1896 /* Set up session cache */
1897 if (use_ext_cache) {
1898 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1899 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1900 }
1901 if (use_int_cache) {
1902 /* Also covers instance where both are set */
1903 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1904 } else {
1905 SSL_CTX_set_session_cache_mode(cctx,
1906 SSL_SESS_CACHE_CLIENT
1907 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1908 }
1909
1910 if (s_options) {
1911 SSL_CTX_set_options(sctx, s_options);
1912 }
1913
1914 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1915 NULL, NULL))
1916 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1917 SSL_ERROR_NONE))
1918 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1919 goto end;
1920
1921 /* Should fail because it should already be in the cache */
1922 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1923 goto end;
1924 if (use_ext_cache
1925 && (!TEST_int_eq(new_called, numnewsesstick)
1926
1927 || !TEST_int_eq(remove_called, 0)))
1928 goto end;
1929
1930 new_called = remove_called = 0;
1931 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1932 &clientssl2, NULL, NULL))
1933 || !TEST_true(SSL_set_session(clientssl2, sess1))
1934 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1935 SSL_ERROR_NONE))
1936 || !TEST_true(SSL_session_reused(clientssl2)))
1937 goto end;
1938
1939 if (maxprot == TLS1_3_VERSION) {
1940 /*
1941 * In TLSv1.3 we should have created a new session even though we have
1942 * resumed. Since we attempted a resume we should also have removed the
1943 * old ticket from the cache so that we try to only use tickets once.
1944 */
1945 if (use_ext_cache
1946 && (!TEST_int_eq(new_called, 1)
1947 || !TEST_int_eq(remove_called, 1)))
1948 goto end;
1949 } else {
1950 /*
1951 * In TLSv1.2 we expect to have resumed so no sessions added or
1952 * removed.
1953 */
1954 if (use_ext_cache
1955 && (!TEST_int_eq(new_called, 0)
1956 || !TEST_int_eq(remove_called, 0)))
1957 goto end;
1958 }
1959
1960 SSL_SESSION_free(sess1);
1961 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1962 goto end;
1963 shutdown_ssl_connection(serverssl2, clientssl2);
1964 serverssl2 = clientssl2 = NULL;
1965
1966 new_called = remove_called = 0;
1967 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1968 &clientssl2, NULL, NULL))
1969 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1970 SSL_ERROR_NONE)))
1971 goto end;
1972
1973 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1974 goto end;
1975
1976 if (use_ext_cache
1977 && (!TEST_int_eq(new_called, numnewsesstick)
1978 || !TEST_int_eq(remove_called, 0)))
1979 goto end;
1980
1981 new_called = remove_called = 0;
1982 /*
1983 * This should clear sess2 from the cache because it is a "bad" session.
1984 * See SSL_set_session() documentation.
1985 */
1986 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1987 goto end;
1988 if (use_ext_cache
1989 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1990 goto end;
1991 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1992 goto end;
1993
1994 if (use_int_cache) {
1995 /* Should succeeded because it should not already be in the cache */
1996 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1997 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1998 goto end;
1999 }
2000
2001 new_called = remove_called = 0;
2002 /* This shouldn't be in the cache so should fail */
2003 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2004 goto end;
2005
2006 if (use_ext_cache
2007 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2008 goto end;
2009
2010# if !defined(OPENSSL_NO_TLS1_1)
2011 new_called = remove_called = 0;
2012 /* Force a connection failure */
2013 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
2014 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
2015 &clientssl3, NULL, NULL))
2016 || !TEST_true(SSL_set_session(clientssl3, sess1))
2017 /* This should fail because of the mismatched protocol versions */
2018 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
2019 SSL_ERROR_NONE)))
2020 goto end;
2021
2022 /* We should have automatically removed the session from the cache */
2023 if (use_ext_cache
2024 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2025 goto end;
2026
2027 /* Should succeed because it should not already be in the cache */
2028 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
2029 goto end;
2030# endif
2031
2032 /* Now do some tests for server side caching */
2033 if (use_ext_cache) {
2034 SSL_CTX_sess_set_new_cb(cctx, NULL);
2035 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2036 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2037 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2038 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2039 get_sess_val = NULL;
2040 }
2041
2042 SSL_CTX_set_session_cache_mode(cctx, 0);
2043 /* Internal caching is the default on the server side */
2044 if (!use_int_cache)
2045 SSL_CTX_set_session_cache_mode(sctx,
2046 SSL_SESS_CACHE_SERVER
2047 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2048
2049 SSL_free(serverssl1);
2050 SSL_free(clientssl1);
2051 serverssl1 = clientssl1 = NULL;
2052 SSL_free(serverssl2);
2053 SSL_free(clientssl2);
2054 serverssl2 = clientssl2 = NULL;
2055 SSL_SESSION_free(sess1);
2056 sess1 = NULL;
2057 SSL_SESSION_free(sess2);
2058 sess2 = NULL;
2059
2060 SSL_CTX_set_max_proto_version(sctx, maxprot);
2061 if (maxprot == TLS1_2_VERSION)
2062 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
2063 new_called = remove_called = get_called = 0;
2064 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2065 NULL, NULL))
2066 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2067 SSL_ERROR_NONE))
2068 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2069 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2070 goto end;
2071
2072 if (use_int_cache) {
2073 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2074 /*
2075 * In TLSv1.3 it should not have been added to the internal cache,
2076 * except in the case where we also have an external cache (in that
2077 * case it gets added to the cache in order to generate remove
2078 * events after timeout).
2079 */
2080 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2081 goto end;
2082 } else {
2083 /* Should fail because it should already be in the cache */
2084 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2085 goto end;
2086 }
2087 }
2088
2089 if (use_ext_cache) {
2090 SSL_SESSION *tmp = sess2;
2091
2092 if (!TEST_int_eq(new_called, numnewsesstick)
2093 || !TEST_int_eq(remove_called, 0)
2094 || !TEST_int_eq(get_called, 0))
2095 goto end;
2096 /*
2097 * Delete the session from the internal cache to force a lookup from
2098 * the external cache. We take a copy first because
2099 * SSL_CTX_remove_session() also marks the session as non-resumable.
2100 */
2101 if (use_int_cache && maxprot != TLS1_3_VERSION) {
2102 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2103 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2104 goto end;
2105 SSL_SESSION_free(sess2);
2106 }
2107 sess2 = tmp;
2108 }
2109
2110 new_called = remove_called = get_called = 0;
2111 get_sess_val = sess2;
2112 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2113 &clientssl2, NULL, NULL))
2114 || !TEST_true(SSL_set_session(clientssl2, sess1))
2115 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2116 SSL_ERROR_NONE))
2117 || !TEST_true(SSL_session_reused(clientssl2)))
2118 goto end;
2119
2120 if (use_ext_cache) {
2121 if (!TEST_int_eq(remove_called, 0))
2122 goto end;
2123
2124 if (maxprot == TLS1_3_VERSION) {
2125 if (!TEST_int_eq(new_called, 1)
2126 || !TEST_int_eq(get_called, 0))
2127 goto end;
2128 } else {
2129 if (!TEST_int_eq(new_called, 0)
2130 || !TEST_int_eq(get_called, 1))
2131 goto end;
2132 }
2133 }
2134
2135 testresult = 1;
2136
2137 end:
2138 SSL_free(serverssl1);
2139 SSL_free(clientssl1);
2140 SSL_free(serverssl2);
2141 SSL_free(clientssl2);
2142# ifndef OPENSSL_NO_TLS1_1
2143 SSL_free(serverssl3);
2144 SSL_free(clientssl3);
2145# endif
2146 SSL_SESSION_free(sess1);
2147 SSL_SESSION_free(sess2);
2148 SSL_CTX_free(sctx);
2149 SSL_CTX_free(cctx);
2150
2151 return testresult;
2152}
2153#endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2154
2155static int test_session_with_only_int_cache(void)
2156{
2157#ifndef OSSL_NO_USABLE_TLS1_3
2158 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
2159 return 0;
2160#endif
2161
2162#ifndef OPENSSL_NO_TLS1_2
2163 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
2164#else
2165 return 1;
2166#endif
2167}
2168
2169static int test_session_with_only_ext_cache(void)
2170{
2171#ifndef OSSL_NO_USABLE_TLS1_3
2172 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
2173 return 0;
2174#endif
2175
2176#ifndef OPENSSL_NO_TLS1_2
2177 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
2178#else
2179 return 1;
2180#endif
2181}
2182
2183static int test_session_with_both_cache(void)
2184{
2185#ifndef OSSL_NO_USABLE_TLS1_3
2186 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2187 return 0;
2188#endif
2189
2190#ifndef OPENSSL_NO_TLS1_2
2191 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2192#else
2193 return 1;
2194#endif
2195}
2196
2197static int test_session_wo_ca_names(void)
2198{
2199#ifndef OSSL_NO_USABLE_TLS1_3
2200 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
2201 return 0;
2202#endif
2203
2204#ifndef OPENSSL_NO_TLS1_2
2205 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
2206#else
2207 return 1;
2208#endif
2209}
2210
2211
2212#ifndef OSSL_NO_USABLE_TLS1_3
2213static SSL_SESSION *sesscache[6];
2214static int do_cache;
2215
2216static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2217{
2218 if (do_cache) {
2219 sesscache[new_called] = sess;
2220 } else {
2221 /* We don't need the reference to the session, so free it */
2222 SSL_SESSION_free(sess);
2223 }
2224 new_called++;
2225
2226 return 1;
2227}
2228
2229static int post_handshake_verify(SSL *sssl, SSL *cssl)
2230{
2231 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2232 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2233 return 0;
2234
2235 /* Start handshake on the server and client */
2236 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2237 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2238 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2239 || !TEST_true(create_ssl_connection(sssl, cssl,
2240 SSL_ERROR_NONE)))
2241 return 0;
2242
2243 return 1;
2244}
2245
2246static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
2247 SSL_CTX **cctx)
2248{
2249 int sess_id_ctx = 1;
2250
2251 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2252 TLS_client_method(), TLS1_VERSION, 0,
2253 sctx, cctx, cert, privkey))
2254 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2255 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2256 (void *)&sess_id_ctx,
2257 sizeof(sess_id_ctx))))
2258 return 0;
2259
2260 if (stateful)
2261 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2262
2263 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2264 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2265 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2266
2267 return 1;
2268}
2269
2270static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2271{
2272 SSL *serverssl = NULL, *clientssl = NULL;
2273 int i;
2274
2275 /* Test that we can resume with all the tickets we got given */
2276 for (i = 0; i < idx * 2; i++) {
2277 new_called = 0;
2278 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2279 &clientssl, NULL, NULL))
2280 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2281 goto end;
2282
2283 SSL_set_post_handshake_auth(clientssl, 1);
2284
2285 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2286 SSL_ERROR_NONE)))
2287 goto end;
2288
2289 /*
2290 * Following a successful resumption we only get 1 ticket. After a
2291 * failed one we should get idx tickets.
2292 */
2293 if (succ) {
2294 if (!TEST_true(SSL_session_reused(clientssl))
2295 || !TEST_int_eq(new_called, 1))
2296 goto end;
2297 } else {
2298 if (!TEST_false(SSL_session_reused(clientssl))
2299 || !TEST_int_eq(new_called, idx))
2300 goto end;
2301 }
2302
2303 new_called = 0;
2304 /* After a post-handshake authentication we should get 1 new ticket */
2305 if (succ
2306 && (!post_handshake_verify(serverssl, clientssl)
2307 || !TEST_int_eq(new_called, 1)))
2308 goto end;
2309
2310 SSL_shutdown(clientssl);
2311 SSL_shutdown(serverssl);
2312 SSL_free(serverssl);
2313 SSL_free(clientssl);
2314 serverssl = clientssl = NULL;
2315 SSL_SESSION_free(sesscache[i]);
2316 sesscache[i] = NULL;
2317 }
2318
2319 return 1;
2320
2321 end:
2322 SSL_free(clientssl);
2323 SSL_free(serverssl);
2324 return 0;
2325}
2326
2327static int test_tickets(int stateful, int idx)
2328{
2329 SSL_CTX *sctx = NULL, *cctx = NULL;
2330 SSL *serverssl = NULL, *clientssl = NULL;
2331 int testresult = 0;
2332 size_t j;
2333
2334 /* idx is the test number, but also the number of tickets we want */
2335
2336 new_called = 0;
2337 do_cache = 1;
2338
2339 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2340 goto end;
2341
2342 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2343 &clientssl, NULL, NULL)))
2344 goto end;
2345
2346 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2347 SSL_ERROR_NONE))
2348 /* Check we got the number of tickets we were expecting */
2349 || !TEST_int_eq(idx, new_called))
2350 goto end;
2351
2352 SSL_shutdown(clientssl);
2353 SSL_shutdown(serverssl);
2354 SSL_free(serverssl);
2355 SSL_free(clientssl);
2356 SSL_CTX_free(sctx);
2357 SSL_CTX_free(cctx);
2358 clientssl = serverssl = NULL;
2359 sctx = cctx = NULL;
2360
2361 /*
2362 * Now we try to resume with the tickets we previously created. The
2363 * resumption attempt is expected to fail (because we're now using a new
2364 * SSL_CTX). We should see idx number of tickets issued again.
2365 */
2366
2367 /* Stop caching sessions - just count them */
2368 do_cache = 0;
2369
2370 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2371 goto end;
2372
2373 if (!check_resumption(idx, sctx, cctx, 0))
2374 goto end;
2375
2376 /* Start again with caching sessions */
2377 new_called = 0;
2378 do_cache = 1;
2379 SSL_CTX_free(sctx);
2380 SSL_CTX_free(cctx);
2381 sctx = cctx = NULL;
2382
2383 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2384 goto end;
2385
2386 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2387 &clientssl, NULL, NULL)))
2388 goto end;
2389
2390 SSL_set_post_handshake_auth(clientssl, 1);
2391
2392 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2393 SSL_ERROR_NONE))
2394 /* Check we got the number of tickets we were expecting */
2395 || !TEST_int_eq(idx, new_called))
2396 goto end;
2397
2398 /* After a post-handshake authentication we should get new tickets issued */
2399 if (!post_handshake_verify(serverssl, clientssl)
2400 || !TEST_int_eq(idx * 2, new_called))
2401 goto end;
2402
2403 SSL_shutdown(clientssl);
2404 SSL_shutdown(serverssl);
2405 SSL_free(serverssl);
2406 SSL_free(clientssl);
2407 serverssl = clientssl = NULL;
2408
2409 /* Stop caching sessions - just count them */
2410 do_cache = 0;
2411
2412 /*
2413 * Check we can resume with all the tickets we created. This time around the
2414 * resumptions should all be successful.
2415 */
2416 if (!check_resumption(idx, sctx, cctx, 1))
2417 goto end;
2418
2419 testresult = 1;
2420
2421 end:
2422 SSL_free(serverssl);
2423 SSL_free(clientssl);
2424 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2425 SSL_SESSION_free(sesscache[j]);
2426 sesscache[j] = NULL;
2427 }
2428 SSL_CTX_free(sctx);
2429 SSL_CTX_free(cctx);
2430
2431 return testresult;
2432}
2433
2434static int test_stateless_tickets(int idx)
2435{
2436 return test_tickets(0, idx);
2437}
2438
2439static int test_stateful_tickets(int idx)
2440{
2441 return test_tickets(1, idx);
2442}
2443
2444static int test_psk_tickets(void)
2445{
2446 SSL_CTX *sctx = NULL, *cctx = NULL;
2447 SSL *serverssl = NULL, *clientssl = NULL;
2448 int testresult = 0;
2449 int sess_id_ctx = 1;
2450
2451 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2452 TLS_client_method(), TLS1_VERSION, 0,
2453 &sctx, &cctx, NULL, NULL))
2454 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2455 (void *)&sess_id_ctx,
2456 sizeof(sess_id_ctx))))
2457 goto end;
2458
2459 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2460 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2461 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2462 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2463 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2464 use_session_cb_cnt = 0;
2465 find_session_cb_cnt = 0;
2466 srvid = pskid;
2467 new_called = 0;
2468
2469 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2470 NULL, NULL)))
2471 goto end;
2472 clientpsk = serverpsk = create_a_psk(clientssl);
2473 if (!TEST_ptr(clientpsk))
2474 goto end;
2475 SSL_SESSION_up_ref(clientpsk);
2476
2477 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2478 SSL_ERROR_NONE))
2479 || !TEST_int_eq(1, find_session_cb_cnt)
2480 || !TEST_int_eq(1, use_session_cb_cnt)
2481 /* We should always get 1 ticket when using external PSK */
2482 || !TEST_int_eq(1, new_called))
2483 goto end;
2484
2485 testresult = 1;
2486
2487 end:
2488 SSL_free(serverssl);
2489 SSL_free(clientssl);
2490 SSL_CTX_free(sctx);
2491 SSL_CTX_free(cctx);
2492 SSL_SESSION_free(clientpsk);
2493 SSL_SESSION_free(serverpsk);
2494 clientpsk = serverpsk = NULL;
2495
2496 return testresult;
2497}
2498
2499static int test_extra_tickets(int idx)
2500{
2501 SSL_CTX *sctx = NULL, *cctx = NULL;
2502 SSL *serverssl = NULL, *clientssl = NULL;
2503 BIO *bretry = BIO_new(bio_s_always_retry());
2504 BIO *tmp = NULL;
2505 int testresult = 0;
2506 int stateful = 0;
2507 size_t nbytes;
2508 unsigned char c, buf[1];
2509
2510 new_called = 0;
2511 do_cache = 1;
2512
2513 if (idx >= 3) {
2514 idx -= 3;
2515 stateful = 1;
2516 }
2517
2518 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2519 goto end;
2520 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2521 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2522 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2523
2524 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2525 &clientssl, NULL, NULL)))
2526 goto end;
2527
2528 /*
2529 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2530 * incremented by both client and server.
2531 */
2532 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2533 SSL_ERROR_NONE))
2534 /* Check we got the number of tickets we were expecting */
2535 || !TEST_int_eq(idx * 2, new_called)
2536 || !TEST_true(SSL_new_session_ticket(serverssl))
2537 || !TEST_true(SSL_new_session_ticket(serverssl))
2538 || !TEST_int_eq(idx * 2, new_called))
2539 goto end;
2540
2541 /* Now try a (real) write to actually send the tickets */
2542 c = '1';
2543 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2544 || !TEST_size_t_eq(1, nbytes)
2545 || !TEST_int_eq(idx * 2 + 2, new_called)
2546 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2547 || !TEST_int_eq(idx * 2 + 4, new_called)
2548 || !TEST_int_eq(sizeof(buf), nbytes)
2549 || !TEST_int_eq(c, buf[0])
2550 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2551 goto end;
2552
2553 /* Try with only requesting one new ticket, too */
2554 c = '2';
2555 new_called = 0;
2556 if (!TEST_true(SSL_new_session_ticket(serverssl))
2557 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2558 || !TEST_size_t_eq(sizeof(c), nbytes)
2559 || !TEST_int_eq(1, new_called)
2560 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2561 || !TEST_int_eq(2, new_called)
2562 || !TEST_size_t_eq(sizeof(buf), nbytes)
2563 || !TEST_int_eq(c, buf[0]))
2564 goto end;
2565
2566 /* Do it again but use dummy writes to drive the ticket generation */
2567 c = '3';
2568 new_called = 0;
2569 if (!TEST_true(SSL_new_session_ticket(serverssl))
2570 || !TEST_true(SSL_new_session_ticket(serverssl))
2571 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2572 || !TEST_size_t_eq(0, nbytes)
2573 || !TEST_int_eq(2, new_called)
2574 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2575 || !TEST_int_eq(4, new_called))
2576 goto end;
2577
2578 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2579 c = '4';
2580 new_called = 0;
2581 if (!TEST_true(SSL_new_session_ticket(serverssl))
2582 || !TEST_true(SSL_new_session_ticket(serverssl))
2583 || !TEST_true(SSL_do_handshake(serverssl))
2584 || !TEST_int_eq(2, new_called)
2585 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2586 || !TEST_int_eq(4, new_called))
2587 goto end;
2588
2589 /*
2590 * Use the always-retry BIO to exercise the logic that forces ticket
2591 * generation to wait until a record boundary.
2592 */
2593 c = '5';
2594 new_called = 0;
2595 tmp = SSL_get_wbio(serverssl);
2596 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2597 tmp = NULL;
2598 goto end;
2599 }
2600 SSL_set0_wbio(serverssl, bretry);
2601 bretry = NULL;
2602 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2603 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2604 || !TEST_size_t_eq(nbytes, 0))
2605 goto end;
2606 /* Restore a BIO that will let the write succeed */
2607 SSL_set0_wbio(serverssl, tmp);
2608 tmp = NULL;
2609 /*
2610 * These calls should just queue the request and not send anything
2611 * even if we explicitly try to hit the state machine.
2612 */
2613 if (!TEST_true(SSL_new_session_ticket(serverssl))
2614 || !TEST_true(SSL_new_session_ticket(serverssl))
2615 || !TEST_int_eq(0, new_called)
2616 || !TEST_true(SSL_do_handshake(serverssl))
2617 || !TEST_int_eq(0, new_called))
2618 goto end;
2619 /* Re-do the write; still no tickets sent */
2620 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2621 || !TEST_size_t_eq(1, nbytes)
2622 || !TEST_int_eq(0, new_called)
2623 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2624 || !TEST_int_eq(0, new_called)
2625 || !TEST_int_eq(sizeof(buf), nbytes)
2626 || !TEST_int_eq(c, buf[0])
2627 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2628 goto end;
2629 /* Even trying to hit the state machine now will still not send tickets */
2630 if (!TEST_true(SSL_do_handshake(serverssl))
2631 || !TEST_int_eq(0, new_called))
2632 goto end;
2633 /* Now the *next* write should send the tickets */
2634 c = '6';
2635 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2636 || !TEST_size_t_eq(1, nbytes)
2637 || !TEST_int_eq(2, new_called)
2638 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2639 || !TEST_int_eq(4, new_called)
2640 || !TEST_int_eq(sizeof(buf), nbytes)
2641 || !TEST_int_eq(c, buf[0])
2642 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2643 goto end;
2644
2645 SSL_shutdown(clientssl);
2646 SSL_shutdown(serverssl);
2647 testresult = 1;
2648
2649 end:
2650 BIO_free(bretry);
2651 BIO_free(tmp);
2652 SSL_free(serverssl);
2653 SSL_free(clientssl);
2654 SSL_CTX_free(sctx);
2655 SSL_CTX_free(cctx);
2656 clientssl = serverssl = NULL;
2657 sctx = cctx = NULL;
2658 return testresult;
2659}
2660#endif
2661
2662#define USE_NULL 0
2663#define USE_BIO_1 1
2664#define USE_BIO_2 2
2665#define USE_DEFAULT 3
2666
2667#define CONNTYPE_CONNECTION_SUCCESS 0
2668#define CONNTYPE_CONNECTION_FAIL 1
2669#define CONNTYPE_NO_CONNECTION 2
2670
2671#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2672#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2673#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2674# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2675#else
2676# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2677#endif
2678
2679#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2680 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2681 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2682
2683static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2684{
2685 switch (type) {
2686 case USE_NULL:
2687 *res = NULL;
2688 break;
2689 case USE_BIO_1:
2690 *res = bio1;
2691 break;
2692 case USE_BIO_2:
2693 *res = bio2;
2694 break;
2695 }
2696}
2697
2698
2699/*
2700 * Tests calls to SSL_set_bio() under various conditions.
2701 *
2702 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2703 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2704 * then do more tests where we create a successful connection first using our
2705 * standard connection setup functions, and then call SSL_set_bio() with
2706 * various combinations of valid BIOs or NULL. We then repeat these tests
2707 * following a failed connection. In this last case we are looking to check that
2708 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2709 */
2710static int test_ssl_set_bio(int idx)
2711{
2712 SSL_CTX *sctx = NULL, *cctx = NULL;
2713 BIO *bio1 = NULL;
2714 BIO *bio2 = NULL;
2715 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2716 SSL *serverssl = NULL, *clientssl = NULL;
2717 int initrbio, initwbio, newrbio, newwbio, conntype;
2718 int testresult = 0;
2719
2720 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2721 initrbio = idx % 3;
2722 idx /= 3;
2723 initwbio = idx % 3;
2724 idx /= 3;
2725 newrbio = idx % 3;
2726 idx /= 3;
2727 newwbio = idx % 3;
2728 conntype = CONNTYPE_NO_CONNECTION;
2729 } else {
2730 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2731 initrbio = initwbio = USE_DEFAULT;
2732 newrbio = idx % 2;
2733 idx /= 2;
2734 newwbio = idx % 2;
2735 idx /= 2;
2736 conntype = idx % 2;
2737 }
2738
2739 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2740 TLS_client_method(), TLS1_VERSION, 0,
2741 &sctx, &cctx, cert, privkey)))
2742 goto end;
2743
2744 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2745 /*
2746 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2747 * because we reduced the number of tests in the definition of
2748 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2749 * mismatched protocol versions we will force a connection failure.
2750 */
2751 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2752 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2753 }
2754
2755 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2756 NULL, NULL)))
2757 goto end;
2758
2759 if (initrbio == USE_BIO_1
2760 || initwbio == USE_BIO_1
2761 || newrbio == USE_BIO_1
2762 || newwbio == USE_BIO_1) {
2763 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2764 goto end;
2765 }
2766
2767 if (initrbio == USE_BIO_2
2768 || initwbio == USE_BIO_2
2769 || newrbio == USE_BIO_2
2770 || newwbio == USE_BIO_2) {
2771 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2772 goto end;
2773 }
2774
2775 if (initrbio != USE_DEFAULT) {
2776 setupbio(&irbio, bio1, bio2, initrbio);
2777 setupbio(&iwbio, bio1, bio2, initwbio);
2778 SSL_set_bio(clientssl, irbio, iwbio);
2779
2780 /*
2781 * We want to maintain our own refs to these BIO, so do an up ref for
2782 * each BIO that will have ownership transferred in the SSL_set_bio()
2783 * call
2784 */
2785 if (irbio != NULL)
2786 BIO_up_ref(irbio);
2787 if (iwbio != NULL && iwbio != irbio)
2788 BIO_up_ref(iwbio);
2789 }
2790
2791 if (conntype != CONNTYPE_NO_CONNECTION
2792 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2793 SSL_ERROR_NONE)
2794 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2795 goto end;
2796
2797 setupbio(&nrbio, bio1, bio2, newrbio);
2798 setupbio(&nwbio, bio1, bio2, newwbio);
2799
2800 /*
2801 * We will (maybe) transfer ownership again so do more up refs.
2802 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2803 * already been set!
2804 */
2805 if (nrbio != NULL
2806 && nrbio != irbio
2807 && (nwbio != iwbio || nrbio != nwbio))
2808 BIO_up_ref(nrbio);
2809 if (nwbio != NULL
2810 && nwbio != nrbio
2811 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2812 BIO_up_ref(nwbio);
2813
2814 SSL_set_bio(clientssl, nrbio, nwbio);
2815
2816 testresult = 1;
2817
2818 end:
2819 BIO_free(bio1);
2820 BIO_free(bio2);
2821
2822 /*
2823 * This test is checking that the ref counting for SSL_set_bio is correct.
2824 * If we get here and we did too many frees then we will fail in the above
2825 * functions.
2826 */
2827 SSL_free(serverssl);
2828 SSL_free(clientssl);
2829 SSL_CTX_free(sctx);
2830 SSL_CTX_free(cctx);
2831 return testresult;
2832}
2833
2834typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
2835
2836static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
2837{
2838 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
2839 SSL_CTX *ctx;
2840 SSL *ssl = NULL;
2841 int testresult = 0;
2842
2843 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
2844 || !TEST_ptr(ssl = SSL_new(ctx))
2845 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2846 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
2847 goto end;
2848
2849 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2850
2851 /*
2852 * If anything goes wrong here then we could leak memory.
2853 */
2854 BIO_push(sslbio, membio1);
2855
2856 /* Verify changing the rbio/wbio directly does not cause leaks */
2857 if (change_bio != NO_BIO_CHANGE) {
2858 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
2859 ssl = NULL;
2860 goto end;
2861 }
2862 if (change_bio == CHANGE_RBIO)
2863 SSL_set0_rbio(ssl, membio2);
2864 else
2865 SSL_set0_wbio(ssl, membio2);
2866 }
2867 ssl = NULL;
2868
2869 if (pop_ssl)
2870 BIO_pop(sslbio);
2871 else
2872 BIO_pop(membio1);
2873
2874 testresult = 1;
2875 end:
2876 BIO_free(membio1);
2877 BIO_free(sslbio);
2878 SSL_free(ssl);
2879 SSL_CTX_free(ctx);
2880
2881 return testresult;
2882}
2883
2884static int test_ssl_bio_pop_next_bio(void)
2885{
2886 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
2887}
2888
2889static int test_ssl_bio_pop_ssl_bio(void)
2890{
2891 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
2892}
2893
2894static int test_ssl_bio_change_rbio(void)
2895{
2896 return execute_test_ssl_bio(0, CHANGE_RBIO);
2897}
2898
2899static int test_ssl_bio_change_wbio(void)
2900{
2901 return execute_test_ssl_bio(0, CHANGE_WBIO);
2902}
2903
2904#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
2905typedef struct {
2906 /* The list of sig algs */
2907 const int *list;
2908 /* The length of the list */
2909 size_t listlen;
2910 /* A sigalgs list in string format */
2911 const char *liststr;
2912 /* Whether setting the list should succeed */
2913 int valid;
2914 /* Whether creating a connection with the list should succeed */
2915 int connsuccess;
2916} sigalgs_list;
2917
2918static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
2919# ifndef OPENSSL_NO_EC
2920static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2921static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
2922# endif
2923static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2924static const int invalidlist2[] = {NID_sha256, NID_undef};
2925static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2926static const int invalidlist4[] = {NID_sha256};
2927static const sigalgs_list testsigalgs[] = {
2928 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2929# ifndef OPENSSL_NO_EC
2930 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2931 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2932# endif
2933 {NULL, 0, "RSA+SHA256", 1, 1},
2934# ifndef OPENSSL_NO_EC
2935 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2936 {NULL, 0, "ECDSA+SHA512", 1, 0},
2937# endif
2938 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2939 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2940 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2941 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2942 {NULL, 0, "RSA", 0, 0},
2943 {NULL, 0, "SHA256", 0, 0},
2944 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2945 {NULL, 0, "Invalid", 0, 0}
2946};
2947
2948static int test_set_sigalgs(int idx)
2949{
2950 SSL_CTX *cctx = NULL, *sctx = NULL;
2951 SSL *clientssl = NULL, *serverssl = NULL;
2952 int testresult = 0;
2953 const sigalgs_list *curr;
2954 int testctx;
2955
2956 /* Should never happen */
2957 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
2958 return 0;
2959
2960 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2961 curr = testctx ? &testsigalgs[idx]
2962 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2963
2964 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2965 TLS_client_method(), TLS1_VERSION, 0,
2966 &sctx, &cctx, cert, privkey)))
2967 return 0;
2968
2969 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2970
2971 if (testctx) {
2972 int ret;
2973
2974 if (curr->list != NULL)
2975 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2976 else
2977 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2978
2979 if (!ret) {
2980 if (curr->valid)
2981 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2982 else
2983 testresult = 1;
2984 goto end;
2985 }
2986 if (!curr->valid) {
2987 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2988 goto end;
2989 }
2990 }
2991
2992 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2993 &clientssl, NULL, NULL)))
2994 goto end;
2995
2996 if (!testctx) {
2997 int ret;
2998
2999 if (curr->list != NULL)
3000 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
3001 else
3002 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
3003 if (!ret) {
3004 if (curr->valid)
3005 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
3006 else
3007 testresult = 1;
3008 goto end;
3009 }
3010 if (!curr->valid)
3011 goto end;
3012 }
3013
3014 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
3015 SSL_ERROR_NONE),
3016 curr->connsuccess))
3017 goto end;
3018
3019 testresult = 1;
3020
3021 end:
3022 SSL_free(serverssl);
3023 SSL_free(clientssl);
3024 SSL_CTX_free(sctx);
3025 SSL_CTX_free(cctx);
3026
3027 return testresult;
3028}
3029#endif
3030
3031#ifndef OSSL_NO_USABLE_TLS1_3
3032static int psk_client_cb_cnt = 0;
3033static int psk_server_cb_cnt = 0;
3034
3035static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3036 size_t *idlen, SSL_SESSION **sess)
3037{
3038 switch (++use_session_cb_cnt) {
3039 case 1:
3040 /* The first call should always have a NULL md */
3041 if (md != NULL)
3042 return 0;
3043 break;
3044
3045 case 2:
3046 /* The second call should always have an md */
3047 if (md == NULL)
3048 return 0;
3049 break;
3050
3051 default:
3052 /* We should only be called a maximum of twice */
3053 return 0;
3054 }
3055
3056 if (clientpsk != NULL)
3057 SSL_SESSION_up_ref(clientpsk);
3058
3059 *sess = clientpsk;
3060 *id = (const unsigned char *)pskid;
3061 *idlen = strlen(pskid);
3062
3063 return 1;
3064}
3065
3066#ifndef OPENSSL_NO_PSK
3067static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3068 unsigned int max_id_len,
3069 unsigned char *psk,
3070 unsigned int max_psk_len)
3071{
3072 unsigned int psklen = 0;
3073
3074 psk_client_cb_cnt++;
3075
3076 if (strlen(pskid) + 1 > max_id_len)
3077 return 0;
3078
3079 /* We should only ever be called a maximum of twice per connection */
3080 if (psk_client_cb_cnt > 2)
3081 return 0;
3082
3083 if (clientpsk == NULL)
3084 return 0;
3085
3086 /* We'll reuse the PSK we set up for TLSv1.3 */
3087 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3088 return 0;
3089 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3090 strncpy(id, pskid, max_id_len);
3091
3092 return psklen;
3093}
3094#endif /* OPENSSL_NO_PSK */
3095
3096static int find_session_cb(SSL *ssl, const unsigned char *identity,
3097 size_t identity_len, SSL_SESSION **sess)
3098{
3099 find_session_cb_cnt++;
3100
3101 /* We should only ever be called a maximum of twice per connection */
3102 if (find_session_cb_cnt > 2)
3103 return 0;
3104
3105 if (serverpsk == NULL)
3106 return 0;
3107
3108 /* Identity should match that set by the client */
3109 if (strlen(srvid) != identity_len
3110 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3111 /* No PSK found, continue but without a PSK */
3112 *sess = NULL;
3113 return 1;
3114 }
3115
3116 SSL_SESSION_up_ref(serverpsk);
3117 *sess = serverpsk;
3118
3119 return 1;
3120}
3121
3122#ifndef OPENSSL_NO_PSK
3123static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3124 unsigned char *psk, unsigned int max_psk_len)
3125{
3126 unsigned int psklen = 0;
3127
3128 psk_server_cb_cnt++;
3129
3130 /* We should only ever be called a maximum of twice per connection */
3131 if (find_session_cb_cnt > 2)
3132 return 0;
3133
3134 if (serverpsk == NULL)
3135 return 0;
3136
3137 /* Identity should match that set by the client */
3138 if (strcmp(srvid, identity) != 0) {
3139 return 0;
3140 }
3141
3142 /* We'll reuse the PSK we set up for TLSv1.3 */
3143 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3144 return 0;
3145 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3146
3147 return psklen;
3148}
3149#endif /* OPENSSL_NO_PSK */
3150
3151#define MSG1 "Hello"
3152#define MSG2 "World."
3153#define MSG3 "This"
3154#define MSG4 "is"
3155#define MSG5 "a"
3156#define MSG6 "test"
3157#define MSG7 "message."
3158
3159#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
3160#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3161#define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3162#define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3163#define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
3164
3165
3166static SSL_SESSION *create_a_psk(SSL *ssl)
3167{
3168 const SSL_CIPHER *cipher = NULL;
3169 const unsigned char key[] = {
3170 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3171 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3172 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3173 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3174 0x2c, 0x2d, 0x2e, 0x2f
3175 };
3176 SSL_SESSION *sess = NULL;
3177
3178 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3179 sess = SSL_SESSION_new();
3180 if (!TEST_ptr(sess)
3181 || !TEST_ptr(cipher)
3182 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
3183 sizeof(key)))
3184 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3185 || !TEST_true(
3186 SSL_SESSION_set_protocol_version(sess,
3187 TLS1_3_VERSION))) {
3188 SSL_SESSION_free(sess);
3189 return NULL;
3190 }
3191 return sess;
3192}
3193
3194/*
3195 * Helper method to setup objects for early data test. Caller frees objects on
3196 * error.
3197 */
3198static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3199 SSL **serverssl, SSL_SESSION **sess, int idx)
3200{
3201 if (*sctx == NULL
3202 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3203 TLS_client_method(),
3204 TLS1_VERSION, 0,
3205 sctx, cctx, cert, privkey)))
3206 return 0;
3207
3208 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
3209 return 0;
3210
3211 if (idx == 1) {
3212 /* When idx == 1 we repeat the tests with read_ahead set */
3213 SSL_CTX_set_read_ahead(*cctx, 1);
3214 SSL_CTX_set_read_ahead(*sctx, 1);
3215 } else if (idx == 2) {
3216 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3217 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3218 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3219 use_session_cb_cnt = 0;
3220 find_session_cb_cnt = 0;
3221 srvid = pskid;
3222 }
3223
3224 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
3225 NULL, NULL)))
3226 return 0;
3227
3228 /*
3229 * For one of the run throughs (doesn't matter which one), we'll try sending
3230 * some SNI data in the initial ClientHello. This will be ignored (because
3231 * there is no SNI cb set up by the server), so it should not impact
3232 * early_data.
3233 */
3234 if (idx == 1
3235 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3236 return 0;
3237
3238 if (idx == 2) {
3239 clientpsk = create_a_psk(*clientssl);
3240 if (!TEST_ptr(clientpsk)
3241 /*
3242 * We just choose an arbitrary value for max_early_data which
3243 * should be big enough for testing purposes.
3244 */
3245 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3246 0x100))
3247 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3248 SSL_SESSION_free(clientpsk);
3249 clientpsk = NULL;
3250 return 0;
3251 }
3252 serverpsk = clientpsk;
3253
3254 if (sess != NULL) {
3255 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3256 SSL_SESSION_free(clientpsk);
3257 SSL_SESSION_free(serverpsk);
3258 clientpsk = serverpsk = NULL;
3259 return 0;
3260 }
3261 *sess = clientpsk;
3262 }
3263 return 1;
3264 }
3265
3266 if (sess == NULL)
3267 return 1;
3268
3269 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3270 SSL_ERROR_NONE)))
3271 return 0;
3272
3273 *sess = SSL_get1_session(*clientssl);
3274 SSL_shutdown(*clientssl);
3275 SSL_shutdown(*serverssl);
3276 SSL_free(*serverssl);
3277 SSL_free(*clientssl);
3278 *serverssl = *clientssl = NULL;
3279
3280 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3281 clientssl, NULL, NULL))
3282 || !TEST_true(SSL_set_session(*clientssl, *sess)))
3283 return 0;
3284
3285 return 1;
3286}
3287
3288static int test_early_data_read_write(int idx)
3289{
3290 SSL_CTX *cctx = NULL, *sctx = NULL;
3291 SSL *clientssl = NULL, *serverssl = NULL;
3292 int testresult = 0;
3293 SSL_SESSION *sess = NULL;
3294 unsigned char buf[20], data[1024];
3295 size_t readbytes, written, eoedlen, rawread, rawwritten;
3296 BIO *rbio;
3297
3298 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3299 &serverssl, &sess, idx)))
3300 goto end;
3301
3302 /* Write and read some early data */
3303 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3304 &written))
3305 || !TEST_size_t_eq(written, strlen(MSG1))
3306 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3307 sizeof(buf), &readbytes),
3308 SSL_READ_EARLY_DATA_SUCCESS)
3309 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3310 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3311 SSL_EARLY_DATA_ACCEPTED))
3312 goto end;
3313
3314 /*
3315 * Server should be able to write data, and client should be able to
3316 * read it.
3317 */
3318 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3319 &written))
3320 || !TEST_size_t_eq(written, strlen(MSG2))
3321 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3322 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3323 goto end;
3324
3325 /* Even after reading normal data, client should be able write early data */
3326 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3327 &written))
3328 || !TEST_size_t_eq(written, strlen(MSG3)))
3329 goto end;
3330
3331 /* Server should still be able read early data after writing data */
3332 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3333 &readbytes),
3334 SSL_READ_EARLY_DATA_SUCCESS)
3335 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3336 goto end;
3337
3338 /* Write more data from server and read it from client */
3339 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3340 &written))
3341 || !TEST_size_t_eq(written, strlen(MSG4))
3342 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3343 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3344 goto end;
3345
3346 /*
3347 * If client writes normal data it should mean writing early data is no
3348 * longer possible.
3349 */
3350 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3351 || !TEST_size_t_eq(written, strlen(MSG5))
3352 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3353 SSL_EARLY_DATA_ACCEPTED))
3354 goto end;
3355
3356 /*
3357 * At this point the client has written EndOfEarlyData, ClientFinished and
3358 * normal (fully protected) data. We are going to cause a delay between the
3359 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3360 * in the read BIO, and then just put back the EndOfEarlyData message.
3361 */
3362 rbio = SSL_get_rbio(serverssl);
3363 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3364 || !TEST_size_t_lt(rawread, sizeof(data))
3365 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3366 goto end;
3367
3368 /* Record length is in the 4th and 5th bytes of the record header */
3369 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3370 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3371 || !TEST_size_t_eq(rawwritten, eoedlen))
3372 goto end;
3373
3374 /* Server should be told that there is no more early data */
3375 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3376 &readbytes),
3377 SSL_READ_EARLY_DATA_FINISH)
3378 || !TEST_size_t_eq(readbytes, 0))
3379 goto end;
3380
3381 /*
3382 * Server has not finished init yet, so should still be able to write early
3383 * data.
3384 */
3385 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3386 &written))
3387 || !TEST_size_t_eq(written, strlen(MSG6)))
3388 goto end;
3389
3390 /* Push the ClientFinished and the normal data back into the server rbio */
3391 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3392 &rawwritten))
3393 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3394 goto end;
3395
3396 /* Server should be able to read normal data */
3397 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3398 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3399 goto end;
3400
3401 /* Client and server should not be able to write/read early data now */
3402 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3403 &written)))
3404 goto end;
3405 ERR_clear_error();
3406 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3407 &readbytes),
3408 SSL_READ_EARLY_DATA_ERROR))
3409 goto end;
3410 ERR_clear_error();
3411
3412 /* Client should be able to read the data sent by the server */
3413 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3414 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3415 goto end;
3416
3417 /*
3418 * Make sure we process the two NewSessionTickets. These arrive
3419 * post-handshake. We attempt reads which we do not expect to return any
3420 * data.
3421 */
3422 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3423 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3424 &readbytes)))
3425 goto end;
3426
3427 /* Server should be able to write normal data */
3428 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3429 || !TEST_size_t_eq(written, strlen(MSG7))
3430 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3431 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3432 goto end;
3433
3434 SSL_SESSION_free(sess);
3435 sess = SSL_get1_session(clientssl);
3436 use_session_cb_cnt = 0;
3437 find_session_cb_cnt = 0;
3438
3439 SSL_shutdown(clientssl);
3440 SSL_shutdown(serverssl);
3441 SSL_free(serverssl);
3442 SSL_free(clientssl);
3443 serverssl = clientssl = NULL;
3444 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3445 &clientssl, NULL, NULL))
3446 || !TEST_true(SSL_set_session(clientssl, sess)))
3447 goto end;
3448
3449 /* Write and read some early data */
3450 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3451 &written))
3452 || !TEST_size_t_eq(written, strlen(MSG1))
3453 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3454 &readbytes),
3455 SSL_READ_EARLY_DATA_SUCCESS)
3456 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3457 goto end;
3458
3459 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3460 || !TEST_int_gt(SSL_accept(serverssl), 0))
3461 goto end;
3462
3463 /* Client and server should not be able to write/read early data now */
3464 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3465 &written)))
3466 goto end;
3467 ERR_clear_error();
3468 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3469 &readbytes),
3470 SSL_READ_EARLY_DATA_ERROR))
3471 goto end;
3472 ERR_clear_error();
3473
3474 /* Client and server should be able to write/read normal data */
3475 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3476 || !TEST_size_t_eq(written, strlen(MSG5))
3477 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3478 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3479 goto end;
3480
3481 testresult = 1;
3482
3483 end:
3484 SSL_SESSION_free(sess);
3485 SSL_SESSION_free(clientpsk);
3486 SSL_SESSION_free(serverpsk);
3487 clientpsk = serverpsk = NULL;
3488 SSL_free(serverssl);
3489 SSL_free(clientssl);
3490 SSL_CTX_free(sctx);
3491 SSL_CTX_free(cctx);
3492 return testresult;
3493}
3494
3495static int allow_ed_cb_called = 0;
3496
3497static int allow_early_data_cb(SSL *s, void *arg)
3498{
3499 int *usecb = (int *)arg;
3500
3501 allow_ed_cb_called++;
3502
3503 if (*usecb == 1)
3504 return 0;
3505
3506 return 1;
3507}
3508
3509/*
3510 * idx == 0: Standard early_data setup
3511 * idx == 1: early_data setup using read_ahead
3512 * usecb == 0: Don't use a custom early data callback
3513 * usecb == 1: Use a custom early data callback and reject the early data
3514 * usecb == 2: Use a custom early data callback and accept the early data
3515 * confopt == 0: Configure anti-replay directly
3516 * confopt == 1: Configure anti-replay using SSL_CONF
3517 */
3518static int test_early_data_replay_int(int idx, int usecb, int confopt)
3519{
3520 SSL_CTX *cctx = NULL, *sctx = NULL;
3521 SSL *clientssl = NULL, *serverssl = NULL;
3522 int testresult = 0;
3523 SSL_SESSION *sess = NULL;
3524 size_t readbytes, written;
3525 unsigned char buf[20];
3526
3527 allow_ed_cb_called = 0;
3528
3529 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3530 TLS_client_method(), TLS1_VERSION, 0,
3531 &sctx, &cctx, cert, privkey)))
3532 return 0;
3533
3534 if (usecb > 0) {
3535 if (confopt == 0) {
3536 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3537 } else {
3538 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3539
3540 if (!TEST_ptr(confctx))
3541 goto end;
3542 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3543 | SSL_CONF_FLAG_SERVER);
3544 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3545 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3546 2)) {
3547 SSL_CONF_CTX_free(confctx);
3548 goto end;
3549 }
3550 SSL_CONF_CTX_free(confctx);
3551 }
3552 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3553 }
3554
3555 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3556 &serverssl, &sess, idx)))
3557 goto end;
3558
3559 /*
3560 * The server is configured to accept early data. Create a connection to
3561 * "use up" the ticket
3562 */
3563 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3564 || !TEST_true(SSL_session_reused(clientssl)))
3565 goto end;
3566
3567 SSL_shutdown(clientssl);
3568 SSL_shutdown(serverssl);
3569 SSL_free(serverssl);
3570 SSL_free(clientssl);
3571 serverssl = clientssl = NULL;
3572
3573 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3574 &clientssl, NULL, NULL))
3575 || !TEST_true(SSL_set_session(clientssl, sess)))
3576 goto end;
3577
3578 /* Write and read some early data */
3579 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3580 &written))
3581 || !TEST_size_t_eq(written, strlen(MSG1)))
3582 goto end;
3583
3584 if (usecb <= 1) {
3585 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3586 &readbytes),
3587 SSL_READ_EARLY_DATA_FINISH)
3588 /*
3589 * The ticket was reused, so the we should have rejected the
3590 * early data
3591 */
3592 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3593 SSL_EARLY_DATA_REJECTED))
3594 goto end;
3595 } else {
3596 /* In this case the callback decides to accept the early data */
3597 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3598 &readbytes),
3599 SSL_READ_EARLY_DATA_SUCCESS)
3600 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3601 /*
3602 * Server will have sent its flight so client can now send
3603 * end of early data and complete its half of the handshake
3604 */
3605 || !TEST_int_gt(SSL_connect(clientssl), 0)
3606 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3607 &readbytes),
3608 SSL_READ_EARLY_DATA_FINISH)
3609 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3610 SSL_EARLY_DATA_ACCEPTED))
3611 goto end;
3612 }
3613
3614 /* Complete the connection */
3615 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3616 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3617 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3618 goto end;
3619
3620 testresult = 1;
3621
3622 end:
3623 SSL_SESSION_free(sess);
3624 SSL_SESSION_free(clientpsk);
3625 SSL_SESSION_free(serverpsk);
3626 clientpsk = serverpsk = NULL;
3627 SSL_free(serverssl);
3628 SSL_free(clientssl);
3629 SSL_CTX_free(sctx);
3630 SSL_CTX_free(cctx);
3631 return testresult;
3632}
3633
3634static int test_early_data_replay(int idx)
3635{
3636 int ret = 1, usecb, confopt;
3637
3638 for (usecb = 0; usecb < 3; usecb++) {
3639 for (confopt = 0; confopt < 2; confopt++)
3640 ret &= test_early_data_replay_int(idx, usecb, confopt);
3641 }
3642
3643 return ret;
3644}
3645
3646/*
3647 * Helper function to test that a server attempting to read early data can
3648 * handle a connection from a client where the early data should be skipped.
3649 * testtype: 0 == No HRR
3650 * testtype: 1 == HRR
3651 * testtype: 2 == HRR, invalid early_data sent after HRR
3652 * testtype: 3 == recv_max_early_data set to 0
3653 */
3654static int early_data_skip_helper(int testtype, int idx)
3655{
3656 SSL_CTX *cctx = NULL, *sctx = NULL;
3657 SSL *clientssl = NULL, *serverssl = NULL;
3658 int testresult = 0;
3659 SSL_SESSION *sess = NULL;
3660 unsigned char buf[20];
3661 size_t readbytes, written;
3662
3663 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3664 &serverssl, &sess, idx)))
3665 goto end;
3666
3667 if (testtype == 1 || testtype == 2) {
3668 /* Force an HRR to occur */
3669#if defined(OPENSSL_NO_EC)
3670 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3671 goto end;
3672#else
3673 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3674 goto end;
3675#endif
3676 } else if (idx == 2) {
3677 /*
3678 * We force early_data rejection by ensuring the PSK identity is
3679 * unrecognised
3680 */
3681 srvid = "Dummy Identity";
3682 } else {
3683 /*
3684 * Deliberately corrupt the creation time. We take 20 seconds off the
3685 * time. It could be any value as long as it is not within tolerance.
3686 * This should mean the ticket is rejected.
3687 */
3688 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3689 goto end;
3690 }
3691
3692 if (testtype == 3
3693 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3694 goto end;
3695
3696 /* Write some early data */
3697 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3698 &written))
3699 || !TEST_size_t_eq(written, strlen(MSG1)))
3700 goto end;
3701
3702 /* Server should reject the early data */
3703 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3704 &readbytes),
3705 SSL_READ_EARLY_DATA_FINISH)
3706 || !TEST_size_t_eq(readbytes, 0)
3707 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3708 SSL_EARLY_DATA_REJECTED))
3709 goto end;
3710
3711 switch (testtype) {
3712 case 0:
3713 /* Nothing to do */
3714 break;
3715
3716 case 1:
3717 /*
3718 * Finish off the handshake. We perform the same writes and reads as
3719 * further down but we expect them to fail due to the incomplete
3720 * handshake.
3721 */
3722 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3723 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3724 &readbytes)))
3725 goto end;
3726 break;
3727
3728 case 2:
3729 {
3730 BIO *wbio = SSL_get_wbio(clientssl);
3731 /* A record that will appear as bad early_data */
3732 const unsigned char bad_early_data[] = {
3733 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3734 };
3735
3736 /*
3737 * We force the client to attempt a write. This will fail because
3738 * we're still in the handshake. It will cause the second
3739 * ClientHello to be sent.
3740 */
3741 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3742 &written)))
3743 goto end;
3744
3745 /*
3746 * Inject some early_data after the second ClientHello. This should
3747 * cause the server to fail
3748 */
3749 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3750 sizeof(bad_early_data), &written)))
3751 goto end;
3752 }
3753 /* fallthrough */
3754
3755 case 3:
3756 /*
3757 * This client has sent more early_data than we are willing to skip
3758 * (case 3) or sent invalid early_data (case 2) so the connection should
3759 * abort.
3760 */
3761 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3762 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3763 goto end;
3764
3765 /* Connection has failed - nothing more to do */
3766 testresult = 1;
3767 goto end;
3768
3769 default:
3770 TEST_error("Invalid test type");
3771 goto end;
3772 }
3773
3774 /*
3775 * Should be able to send normal data despite rejection of early data. The
3776 * early_data should be skipped.
3777 */
3778 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3779 || !TEST_size_t_eq(written, strlen(MSG2))
3780 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3781 SSL_EARLY_DATA_REJECTED)
3782 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3783 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3784 goto end;
3785
3786 testresult = 1;
3787
3788 end:
3789 SSL_SESSION_free(clientpsk);
3790 SSL_SESSION_free(serverpsk);
3791 clientpsk = serverpsk = NULL;
3792 SSL_SESSION_free(sess);
3793 SSL_free(serverssl);
3794 SSL_free(clientssl);
3795 SSL_CTX_free(sctx);
3796 SSL_CTX_free(cctx);
3797 return testresult;
3798}
3799
3800/*
3801 * Test that a server attempting to read early data can handle a connection
3802 * from a client where the early data is not acceptable.
3803 */
3804static int test_early_data_skip(int idx)
3805{
3806 return early_data_skip_helper(0, idx);
3807}
3808
3809/*
3810 * Test that a server attempting to read early data can handle a connection
3811 * from a client where an HRR occurs.
3812 */
3813static int test_early_data_skip_hrr(int idx)
3814{
3815 return early_data_skip_helper(1, idx);
3816}
3817
3818/*
3819 * Test that a server attempting to read early data can handle a connection
3820 * from a client where an HRR occurs and correctly fails if early_data is sent
3821 * after the HRR
3822 */
3823static int test_early_data_skip_hrr_fail(int idx)
3824{
3825 return early_data_skip_helper(2, idx);
3826}
3827
3828/*
3829 * Test that a server attempting to read early data will abort if it tries to
3830 * skip over too much.
3831 */
3832static int test_early_data_skip_abort(int idx)
3833{
3834 return early_data_skip_helper(3, idx);
3835}
3836
3837/*
3838 * Test that a server attempting to read early data can handle a connection
3839 * from a client that doesn't send any.
3840 */
3841static int test_early_data_not_sent(int idx)
3842{
3843 SSL_CTX *cctx = NULL, *sctx = NULL;
3844 SSL *clientssl = NULL, *serverssl = NULL;
3845 int testresult = 0;
3846 SSL_SESSION *sess = NULL;
3847 unsigned char buf[20];
3848 size_t readbytes, written;
3849
3850 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3851 &serverssl, &sess, idx)))
3852 goto end;
3853
3854 /* Write some data - should block due to handshake with server */
3855 SSL_set_connect_state(clientssl);
3856 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3857 goto end;
3858
3859 /* Server should detect that early data has not been sent */
3860 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3861 &readbytes),
3862 SSL_READ_EARLY_DATA_FINISH)
3863 || !TEST_size_t_eq(readbytes, 0)
3864 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3865 SSL_EARLY_DATA_NOT_SENT)
3866 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3867 SSL_EARLY_DATA_NOT_SENT))
3868 goto end;
3869
3870 /* Continue writing the message we started earlier */
3871 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3872 || !TEST_size_t_eq(written, strlen(MSG1))
3873 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3874 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3875 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3876 || !TEST_size_t_eq(written, strlen(MSG2)))
3877 goto end;
3878
3879 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3880 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3881 goto end;
3882
3883 testresult = 1;
3884
3885 end:
3886 SSL_SESSION_free(sess);
3887 SSL_SESSION_free(clientpsk);
3888 SSL_SESSION_free(serverpsk);
3889 clientpsk = serverpsk = NULL;
3890 SSL_free(serverssl);
3891 SSL_free(clientssl);
3892 SSL_CTX_free(sctx);
3893 SSL_CTX_free(cctx);
3894 return testresult;
3895}
3896
3897static const char *servalpn;
3898
3899static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3900 unsigned char *outlen, const unsigned char *in,
3901 unsigned int inlen, void *arg)
3902{
3903 unsigned int protlen = 0;
3904 const unsigned char *prot;
3905
3906 for (prot = in; prot < in + inlen; prot += protlen) {
3907 protlen = *prot++;
3908 if (in + inlen < prot + protlen)
3909 return SSL_TLSEXT_ERR_NOACK;
3910
3911 if (protlen == strlen(servalpn)
3912 && memcmp(prot, servalpn, protlen) == 0) {
3913 *out = prot;
3914 *outlen = protlen;
3915 return SSL_TLSEXT_ERR_OK;
3916 }
3917 }
3918
3919 return SSL_TLSEXT_ERR_NOACK;
3920}
3921
3922/* Test that a PSK can be used to send early_data */
3923static int test_early_data_psk(int idx)
3924{
3925 SSL_CTX *cctx = NULL, *sctx = NULL;
3926 SSL *clientssl = NULL, *serverssl = NULL;
3927 int testresult = 0;
3928 SSL_SESSION *sess = NULL;
3929 unsigned char alpnlist[] = {
3930 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3931 'l', 'p', 'n'
3932 };
3933#define GOODALPNLEN 9
3934#define BADALPNLEN 8
3935#define GOODALPN (alpnlist)
3936#define BADALPN (alpnlist + GOODALPNLEN)
3937 int err = 0;
3938 unsigned char buf[20];
3939 size_t readbytes, written;
3940 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3941 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3942
3943 /* We always set this up with a final parameter of "2" for PSK */
3944 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3945 &serverssl, &sess, 2)))
3946 goto end;
3947
3948 servalpn = "goodalpn";
3949
3950 /*
3951 * Note: There is no test for inconsistent SNI with late client detection.
3952 * This is because servers do not acknowledge SNI even if they are using
3953 * it in a resumption handshake - so it is not actually possible for a
3954 * client to detect a problem.
3955 */
3956 switch (idx) {
3957 case 0:
3958 /* Set inconsistent SNI (early client detection) */
3959 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3960 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3961 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3962 goto end;
3963 break;
3964
3965 case 1:
3966 /* Set inconsistent ALPN (early client detection) */
3967 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3968 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3969 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3970 GOODALPNLEN))
3971 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3972 BADALPNLEN)))
3973 goto end;
3974 break;
3975
3976 case 2:
3977 /*
3978 * Set invalid protocol version. Technically this affects PSKs without
3979 * early_data too, but we test it here because it is similar to the
3980 * SNI/ALPN consistency tests.
3981 */
3982 err = SSL_R_BAD_PSK;
3983 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3984 goto end;
3985 break;
3986
3987 case 3:
3988 /*
3989 * Set inconsistent SNI (server side). In this case the connection
3990 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3991 * is associated with each handshake - not the session. Therefore it
3992 * should not matter that we used a different server name last time.
3993 */
3994 SSL_SESSION_free(serverpsk);
3995 serverpsk = SSL_SESSION_dup(clientpsk);
3996 if (!TEST_ptr(serverpsk)
3997 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3998 goto end;
3999 /* Fall through */
4000 case 4:
4001 /* Set consistent SNI */
4002 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4003 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
4004 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
4005 hostname_cb)))
4006 goto end;
4007 break;
4008
4009 case 5:
4010 /*
4011 * Set inconsistent ALPN (server detected). In this case the connection
4012 * will succeed but reject early_data.
4013 */
4014 servalpn = "badalpn";
4015 edstatus = SSL_EARLY_DATA_REJECTED;
4016 readearlyres = SSL_READ_EARLY_DATA_FINISH;
4017 /* Fall through */
4018 case 6:
4019 /*
4020 * Set consistent ALPN.
4021 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4022 * accepts a list of protos (each one length prefixed).
4023 * SSL_set1_alpn_selected accepts a single protocol (not length
4024 * prefixed)
4025 */
4026 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4027 GOODALPNLEN - 1))
4028 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4029 GOODALPNLEN)))
4030 goto end;
4031
4032 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4033 break;
4034
4035 case 7:
4036 /* Set inconsistent ALPN (late client detection) */
4037 SSL_SESSION_free(serverpsk);
4038 serverpsk = SSL_SESSION_dup(clientpsk);
4039 if (!TEST_ptr(serverpsk)
4040 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4041 BADALPN + 1,
4042 BADALPNLEN - 1))
4043 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4044 GOODALPN + 1,
4045 GOODALPNLEN - 1))
4046 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4047 sizeof(alpnlist))))
4048 goto end;
4049 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4050 edstatus = SSL_EARLY_DATA_ACCEPTED;
4051 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4052 /* SSL_connect() call should fail */
4053 connectres = -1;
4054 break;
4055
4056 default:
4057 TEST_error("Bad test index");
4058 goto end;
4059 }
4060
4061 SSL_set_connect_state(clientssl);
4062 if (err != 0) {
4063 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4064 &written))
4065 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4066 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4067 goto end;
4068 } else {
4069 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4070 &written)))
4071 goto end;
4072
4073 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4074 &readbytes), readearlyres)
4075 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4076 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
4077 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4078 || !TEST_int_eq(SSL_connect(clientssl), connectres))
4079 goto end;
4080 }
4081
4082 testresult = 1;
4083
4084 end:
4085 SSL_SESSION_free(sess);
4086 SSL_SESSION_free(clientpsk);
4087 SSL_SESSION_free(serverpsk);
4088 clientpsk = serverpsk = NULL;
4089 SSL_free(serverssl);
4090 SSL_free(clientssl);
4091 SSL_CTX_free(sctx);
4092 SSL_CTX_free(cctx);
4093 return testresult;
4094}
4095
4096/*
4097 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4098 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4099 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4100 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4101 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4102 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4103 */
4104static int test_early_data_psk_with_all_ciphers(int idx)
4105{
4106 SSL_CTX *cctx = NULL, *sctx = NULL;
4107 SSL *clientssl = NULL, *serverssl = NULL;
4108 int testresult = 0;
4109 SSL_SESSION *sess = NULL;
4110 unsigned char buf[20];
4111 size_t readbytes, written;
4112 const SSL_CIPHER *cipher;
4113 const char *cipher_str[] = {
4114 TLS1_3_RFC_AES_128_GCM_SHA256,
4115 TLS1_3_RFC_AES_256_GCM_SHA384,
4116# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4117 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4118# else
4119 NULL,
4120# endif
4121 TLS1_3_RFC_AES_128_CCM_SHA256,
4122 TLS1_3_RFC_AES_128_CCM_8_SHA256
4123 };
4124 const unsigned char *cipher_bytes[] = {
4125 TLS13_AES_128_GCM_SHA256_BYTES,
4126 TLS13_AES_256_GCM_SHA384_BYTES,
4127# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4128 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4129# else
4130 NULL,
4131# endif
4132 TLS13_AES_128_CCM_SHA256_BYTES,
4133 TLS13_AES_128_CCM_8_SHA256_BYTES
4134 };
4135
4136 if (cipher_str[idx] == NULL)
4137 return 1;
4138 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4139 if (idx == 2 && is_fips == 1)
4140 return 1;
4141
4142 /* We always set this up with a final parameter of "2" for PSK */
4143 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4144 &serverssl, &sess, 2)))
4145 goto end;
4146
4147 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4148 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4149 goto end;
4150
4151 /*
4152 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4153 * and assigns to both client and server with incremented reference
4154 * and the same instance is updated in 'sess'.
4155 * So updating ciphersuite in 'sess' which will get reflected in
4156 * PSK handshake using psk use sess and find sess cb.
4157 */
4158 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4159 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4160 goto end;
4161
4162 SSL_set_connect_state(clientssl);
4163 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4164 &written)))
4165 goto end;
4166
4167 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4168 &readbytes),
4169 SSL_READ_EARLY_DATA_SUCCESS)
4170 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4171 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4172 SSL_EARLY_DATA_ACCEPTED)
4173 || !TEST_int_eq(SSL_connect(clientssl), 1)
4174 || !TEST_int_eq(SSL_accept(serverssl), 1))
4175 goto end;
4176
4177 /* Send some normal data from client to server */
4178 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4179 || !TEST_size_t_eq(written, strlen(MSG2)))
4180 goto end;
4181
4182 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4183 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4184 goto end;
4185
4186 testresult = 1;
4187 end:
4188 SSL_SESSION_free(sess);
4189 SSL_SESSION_free(clientpsk);
4190 SSL_SESSION_free(serverpsk);
4191 clientpsk = serverpsk = NULL;
4192 if (clientssl != NULL)
4193 SSL_shutdown(clientssl);
4194 if (serverssl != NULL)
4195 SSL_shutdown(serverssl);
4196 SSL_free(serverssl);
4197 SSL_free(clientssl);
4198 SSL_CTX_free(sctx);
4199 SSL_CTX_free(cctx);
4200 return testresult;
4201}
4202
4203/*
4204 * Test that a server that doesn't try to read early data can handle a
4205 * client sending some.
4206 */
4207static int test_early_data_not_expected(int idx)
4208{
4209 SSL_CTX *cctx = NULL, *sctx = NULL;
4210 SSL *clientssl = NULL, *serverssl = NULL;
4211 int testresult = 0;
4212 SSL_SESSION *sess = NULL;
4213 unsigned char buf[20];
4214 size_t readbytes, written;
4215
4216 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4217 &serverssl, &sess, idx)))
4218 goto end;
4219
4220 /* Write some early data */
4221 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4222 &written)))
4223 goto end;
4224
4225 /*
4226 * Server should skip over early data and then block waiting for client to
4227 * continue handshake
4228 */
4229 if (!TEST_int_le(SSL_accept(serverssl), 0)
4230 || !TEST_int_gt(SSL_connect(clientssl), 0)
4231 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4232 SSL_EARLY_DATA_REJECTED)
4233 || !TEST_int_gt(SSL_accept(serverssl), 0)
4234 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4235 SSL_EARLY_DATA_REJECTED))
4236 goto end;
4237
4238 /* Send some normal data from client to server */
4239 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4240 || !TEST_size_t_eq(written, strlen(MSG2)))
4241 goto end;
4242
4243 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4244 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4245 goto end;
4246
4247 testresult = 1;
4248
4249 end:
4250 SSL_SESSION_free(sess);
4251 SSL_SESSION_free(clientpsk);
4252 SSL_SESSION_free(serverpsk);
4253 clientpsk = serverpsk = NULL;
4254 SSL_free(serverssl);
4255 SSL_free(clientssl);
4256 SSL_CTX_free(sctx);
4257 SSL_CTX_free(cctx);
4258 return testresult;
4259}
4260
4261
4262# ifndef OPENSSL_NO_TLS1_2
4263/*
4264 * Test that a server attempting to read early data can handle a connection
4265 * from a TLSv1.2 client.
4266 */
4267static int test_early_data_tls1_2(int idx)
4268{
4269 SSL_CTX *cctx = NULL, *sctx = NULL;
4270 SSL *clientssl = NULL, *serverssl = NULL;
4271 int testresult = 0;
4272 unsigned char buf[20];
4273 size_t readbytes, written;
4274
4275 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4276 &serverssl, NULL, idx)))
4277 goto end;
4278
4279 /* Write some data - should block due to handshake with server */
4280 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4281 SSL_set_connect_state(clientssl);
4282 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4283 goto end;
4284
4285 /*
4286 * Server should do TLSv1.2 handshake. First it will block waiting for more
4287 * messages from client after ServerDone. Then SSL_read_early_data should
4288 * finish and detect that early data has not been sent
4289 */
4290 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4291 &readbytes),
4292 SSL_READ_EARLY_DATA_ERROR))
4293 goto end;
4294
4295 /*
4296 * Continue writing the message we started earlier. Will still block waiting
4297 * for the CCS/Finished from server
4298 */
4299 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4300 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4301 &readbytes),
4302 SSL_READ_EARLY_DATA_FINISH)
4303 || !TEST_size_t_eq(readbytes, 0)
4304 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4305 SSL_EARLY_DATA_NOT_SENT))
4306 goto end;
4307
4308 /* Continue writing the message we started earlier */
4309 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4310 || !TEST_size_t_eq(written, strlen(MSG1))
4311 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4312 SSL_EARLY_DATA_NOT_SENT)
4313 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4314 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4315 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4316 || !TEST_size_t_eq(written, strlen(MSG2))
4317 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4318 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4319 goto end;
4320
4321 testresult = 1;
4322
4323 end:
4324 SSL_SESSION_free(clientpsk);
4325 SSL_SESSION_free(serverpsk);
4326 clientpsk = serverpsk = NULL;
4327 SSL_free(serverssl);
4328 SSL_free(clientssl);
4329 SSL_CTX_free(sctx);
4330 SSL_CTX_free(cctx);
4331
4332 return testresult;
4333}
4334# endif /* OPENSSL_NO_TLS1_2 */
4335
4336/*
4337 * Test configuring the TLSv1.3 ciphersuites
4338 *
4339 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4340 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4341 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4342 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4343 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4344 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4345 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4346 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4347 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4348 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4349 */
4350static int test_set_ciphersuite(int idx)
4351{
4352 SSL_CTX *cctx = NULL, *sctx = NULL;
4353 SSL *clientssl = NULL, *serverssl = NULL;
4354 int testresult = 0;
4355
4356 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4357 TLS_client_method(), TLS1_VERSION, 0,
4358 &sctx, &cctx, cert, privkey))
4359 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4360 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4361 goto end;
4362
4363 if (idx >=4 && idx <= 7) {
4364 /* SSL_CTX explicit cipher list */
4365 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4366 goto end;
4367 }
4368
4369 if (idx == 0 || idx == 4) {
4370 /* Default ciphersuite */
4371 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4372 "TLS_AES_128_GCM_SHA256")))
4373 goto end;
4374 } else if (idx == 1 || idx == 5) {
4375 /* Non default ciphersuite */
4376 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4377 "TLS_AES_128_CCM_SHA256")))
4378 goto end;
4379 }
4380
4381 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4382 &clientssl, NULL, NULL)))
4383 goto end;
4384
4385 if (idx == 8 || idx == 9) {
4386 /* SSL explicit cipher list */
4387 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4388 goto end;
4389 }
4390
4391 if (idx == 2 || idx == 6 || idx == 8) {
4392 /* Default ciphersuite */
4393 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4394 "TLS_AES_128_GCM_SHA256")))
4395 goto end;
4396 } else if (idx == 3 || idx == 7 || idx == 9) {
4397 /* Non default ciphersuite */
4398 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4399 "TLS_AES_128_CCM_SHA256")))
4400 goto end;
4401 }
4402
4403 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4404 goto end;
4405
4406 testresult = 1;
4407
4408 end:
4409 SSL_free(serverssl);
4410 SSL_free(clientssl);
4411 SSL_CTX_free(sctx);
4412 SSL_CTX_free(cctx);
4413
4414 return testresult;
4415}
4416
4417static int test_ciphersuite_change(void)
4418{
4419 SSL_CTX *cctx = NULL, *sctx = NULL;
4420 SSL *clientssl = NULL, *serverssl = NULL;
4421 SSL_SESSION *clntsess = NULL;
4422 int testresult = 0;
4423 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4424
4425 /* Create a session based on SHA-256 */
4426 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4427 TLS_client_method(), TLS1_VERSION, 0,
4428 &sctx, &cctx, cert, privkey))
4429 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4430 "TLS_AES_128_GCM_SHA256:"
4431 "TLS_AES_256_GCM_SHA384:"
4432 "TLS_AES_128_CCM_SHA256"))
4433 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4434 "TLS_AES_128_GCM_SHA256"))
4435 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4436 &clientssl, NULL, NULL))
4437 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4438 SSL_ERROR_NONE)))
4439 goto end;
4440
4441 clntsess = SSL_get1_session(clientssl);
4442 /* Save for later */
4443 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4444 SSL_shutdown(clientssl);
4445 SSL_shutdown(serverssl);
4446 SSL_free(serverssl);
4447 SSL_free(clientssl);
4448 serverssl = clientssl = NULL;
4449
4450 /* Check we can resume a session with a different SHA-256 ciphersuite */
4451 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4452 "TLS_AES_128_CCM_SHA256"))
4453 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4454 &clientssl, NULL, NULL))
4455 || !TEST_true(SSL_set_session(clientssl, clntsess))
4456 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4457 SSL_ERROR_NONE))
4458 || !TEST_true(SSL_session_reused(clientssl)))
4459 goto end;
4460
4461 SSL_SESSION_free(clntsess);
4462 clntsess = SSL_get1_session(clientssl);
4463 SSL_shutdown(clientssl);
4464 SSL_shutdown(serverssl);
4465 SSL_free(serverssl);
4466 SSL_free(clientssl);
4467 serverssl = clientssl = NULL;
4468
4469 /*
4470 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4471 * succeeds but does not resume.
4472 */
4473 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4474 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4475 NULL, NULL))
4476 || !TEST_true(SSL_set_session(clientssl, clntsess))
4477 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4478 SSL_ERROR_SSL))
4479 || !TEST_false(SSL_session_reused(clientssl)))
4480 goto end;
4481
4482 SSL_SESSION_free(clntsess);
4483 clntsess = NULL;
4484 SSL_shutdown(clientssl);
4485 SSL_shutdown(serverssl);
4486 SSL_free(serverssl);
4487 SSL_free(clientssl);
4488 serverssl = clientssl = NULL;
4489
4490 /* Create a session based on SHA384 */
4491 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4492 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4493 &clientssl, NULL, NULL))
4494 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4495 SSL_ERROR_NONE)))
4496 goto end;
4497
4498 clntsess = SSL_get1_session(clientssl);
4499 SSL_shutdown(clientssl);
4500 SSL_shutdown(serverssl);
4501 SSL_free(serverssl);
4502 SSL_free(clientssl);
4503 serverssl = clientssl = NULL;
4504
4505 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4506 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4507 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4508 "TLS_AES_256_GCM_SHA384"))
4509 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4510 NULL, NULL))
4511 || !TEST_true(SSL_set_session(clientssl, clntsess))
4512 /*
4513 * We use SSL_ERROR_WANT_READ below so that we can pause the
4514 * connection after the initial ClientHello has been sent to
4515 * enable us to make some session changes.
4516 */
4517 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4518 SSL_ERROR_WANT_READ)))
4519 goto end;
4520
4521 /* Trick the client into thinking this session is for a different digest */
4522 clntsess->cipher = aes_128_gcm_sha256;
4523 clntsess->cipher_id = clntsess->cipher->id;
4524
4525 /*
4526 * Continue the previously started connection. Server has selected a SHA-384
4527 * ciphersuite, but client thinks the session is for SHA-256, so it should
4528 * bail out.
4529 */
4530 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4531 SSL_ERROR_SSL))
4532 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4533 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4534 goto end;
4535
4536 testresult = 1;
4537
4538 end:
4539 SSL_SESSION_free(clntsess);
4540 SSL_free(serverssl);
4541 SSL_free(clientssl);
4542 SSL_CTX_free(sctx);
4543 SSL_CTX_free(cctx);
4544
4545 return testresult;
4546}
4547
4548/*
4549 * Test TLSv1.3 Key exchange
4550 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4551 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4552 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4553 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4554 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4555 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4556 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4557 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4558 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4559 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4560 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4561 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4562 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4563 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4564 */
4565# ifndef OPENSSL_NO_EC
4566static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4567 NID_secp521r1, NID_X25519, NID_X448};
4568# endif
4569# ifndef OPENSSL_NO_DH
4570static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4571 NID_ffdhe6144, NID_ffdhe8192};
4572# endif
4573static int test_key_exchange(int idx)
4574{
4575 SSL_CTX *sctx = NULL, *cctx = NULL;
4576 SSL *serverssl = NULL, *clientssl = NULL;
4577 int testresult = 0;
4578 int kexch_alg;
4579 int *kexch_groups = &kexch_alg;
4580 int kexch_groups_size = 1;
4581 int max_version = TLS1_3_VERSION;
4582 char *kexch_name0 = NULL;
4583
4584 switch (idx) {
4585# ifndef OPENSSL_NO_EC
4586# ifndef OPENSSL_NO_TLS1_2
4587 case 12:
4588 max_version = TLS1_2_VERSION;
4589# endif
4590 /* Fall through */
4591 case 0:
4592 kexch_groups = ecdhe_kexch_groups;
4593 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4594 kexch_name0 = "secp256r1";
4595 break;
4596 case 1:
4597 kexch_alg = NID_X9_62_prime256v1;
4598 kexch_name0 = "secp256r1";
4599 break;
4600 case 2:
4601 kexch_alg = NID_secp384r1;
4602 kexch_name0 = "secp384r1";
4603 break;
4604 case 3:
4605 kexch_alg = NID_secp521r1;
4606 kexch_name0 = "secp521r1";
4607 break;
4608 case 4:
4609 kexch_alg = NID_X25519;
4610 kexch_name0 = "x25519";
4611 break;
4612 case 5:
4613 kexch_alg = NID_X448;
4614 kexch_name0 = "x448";
4615 break;
4616# endif
4617# ifndef OPENSSL_NO_DH
4618# ifndef OPENSSL_NO_TLS1_2
4619 case 13:
4620 max_version = TLS1_2_VERSION;
4621 kexch_name0 = "ffdhe2048";
4622# endif
4623 /* Fall through */
4624 case 6:
4625 kexch_groups = ffdhe_kexch_groups;
4626 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4627 kexch_name0 = "ffdhe2048";
4628 break;
4629 case 7:
4630 kexch_alg = NID_ffdhe2048;
4631 kexch_name0 = "ffdhe2048";
4632 break;
4633 case 8:
4634 kexch_alg = NID_ffdhe3072;
4635 kexch_name0 = "ffdhe3072";
4636 break;
4637 case 9:
4638 kexch_alg = NID_ffdhe4096;
4639 kexch_name0 = "ffdhe4096";
4640 break;
4641 case 10:
4642 kexch_alg = NID_ffdhe6144;
4643 kexch_name0 = "ffdhe6144";
4644 break;
4645 case 11:
4646 kexch_alg = NID_ffdhe8192;
4647 kexch_name0 = "ffdhe8192";
4648 break;
4649# endif
4650 default:
4651 /* We're skipping this test */
4652 return 1;
4653 }
4654
4655 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4656 TLS_client_method(), TLS1_VERSION,
4657 max_version, &sctx, &cctx, cert,
4658 privkey)))
4659 goto end;
4660
4661 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4662 TLS1_3_RFC_AES_128_GCM_SHA256)))
4663 goto end;
4664
4665 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4666 TLS1_3_RFC_AES_128_GCM_SHA256)))
4667 goto end;
4668
4669 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4670 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4671 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4672 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4673 goto end;
4674
4675 /*
4676 * Must include an EC ciphersuite so that we send supported groups in
4677 * TLSv1.2
4678 */
4679# ifndef OPENSSL_NO_TLS1_2
4680 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4681 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4682 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4683 goto end;
4684# endif
4685
4686 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4687 NULL, NULL)))
4688 goto end;
4689
4690 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4691 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4692 goto end;
4693
4694 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4695 goto end;
4696
4697 /*
4698 * If Handshake succeeds the negotiated kexch alg should be the first one in
4699 * configured, except in the case of FFDHE groups (idx 13), which are
4700 * TLSv1.3 only so we expect no shared group to exist.
4701 */
4702 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
4703 idx == 13 ? 0 : kexch_groups[0]))
4704 goto end;
4705
4706 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
4707 kexch_name0))
4708 goto end;
4709
4710 /* We don't implement RFC 7919 named groups for TLS 1.2. */
4711 if (idx != 13) {
4712 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4713 goto end;
4714 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4715 goto end;
4716 }
4717
4718 testresult = 1;
4719 end:
4720 SSL_free(serverssl);
4721 SSL_free(clientssl);
4722 SSL_CTX_free(sctx);
4723 SSL_CTX_free(cctx);
4724 return testresult;
4725}
4726
4727# if !defined(OPENSSL_NO_TLS1_2) \
4728 && !defined(OPENSSL_NO_EC) \
4729 && !defined(OPENSSL_NO_DH)
4730static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
4731 int isecdhe, int idx)
4732{
4733 int kexch_alg;
4734 int *kexch_groups = &kexch_alg;
4735 int numec, numff;
4736
4737 numec = OSSL_NELEM(ecdhe_kexch_groups);
4738 numff = OSSL_NELEM(ffdhe_kexch_groups);
4739 if (isecdhe)
4740 kexch_alg = ecdhe_kexch_groups[idx];
4741 else
4742 kexch_alg = ffdhe_kexch_groups[idx];
4743
4744 if (clientmulti) {
4745 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
4746 return 0;
4747 if (isecdhe) {
4748 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
4749 numec)))
4750 return 0;
4751 } else {
4752 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
4753 numff)))
4754 return 0;
4755 }
4756 } else {
4757 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
4758 return 0;
4759 if (isecdhe) {
4760 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
4761 numec)))
4762 return 0;
4763 } else {
4764 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
4765 numff)))
4766 return 0;
4767 }
4768 }
4769 return 1;
4770}
4771
4772/*-
4773 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
4774 * Run through both the ECDHE and FFDHE group lists used in the previous
4775 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
4776 * confirming the expected result; then perform a resumption handshake
4777 * while offering the same group list, and another resumption handshake
4778 * offering a different group list. The returned value should be the
4779 * negotiated group for the initial handshake; for TLS 1.3 resumption
4780 * handshakes the returned value will be negotiated on the resumption
4781 * handshake itself, but for TLS 1.2 resumption handshakes the value will
4782 * be cached in the session from the original handshake, regardless of what
4783 * was offered in the resumption ClientHello.
4784 *
4785 * Using E for the number of EC groups and F for the number of FF groups:
4786 * E tests of ECDHE with TLS 1.3, server only has one group
4787 * F tests of FFDHE with TLS 1.3, server only has one group
4788 * E tests of ECDHE with TLS 1.2, server only has one group
4789 * F tests of FFDHE with TLS 1.2, server only has one group
4790 * E tests of ECDHE with TLS 1.3, client sends only one group
4791 * F tests of FFDHE with TLS 1.3, client sends only one group
4792 * E tests of ECDHE with TLS 1.2, client sends only one group
4793 * F tests of FFDHE with TLS 1.2, client sends only one group
4794 */
4795static int test_negotiated_group(int idx)
4796{
4797 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
4798 int expectednid;
4799 SSL_CTX *sctx = NULL, *cctx = NULL;
4800 SSL *serverssl = NULL, *clientssl = NULL;
4801 SSL_SESSION *origsess = NULL;
4802 int testresult = 0;
4803 int kexch_alg;
4804 int max_version = TLS1_3_VERSION;
4805
4806 numec = OSSL_NELEM(ecdhe_kexch_groups);
4807 numff = OSSL_NELEM(ffdhe_kexch_groups);
4808 numgroups = numec + numff;
4809 clientmulti = (idx < 2 * numgroups);
4810 idx = idx % (2 * numgroups);
4811 istls13 = (idx < numgroups);
4812 idx = idx % numgroups;
4813 isecdhe = (idx < numec);
4814 if (!isecdhe)
4815 idx -= numec;
4816 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
4817 if (isecdhe)
4818 kexch_alg = ecdhe_kexch_groups[idx];
4819 else
4820 kexch_alg = ffdhe_kexch_groups[idx];
4821 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
4822 if (!istls13 && !isecdhe)
4823 expectednid = NID_undef;
4824 else
4825 expectednid = kexch_alg;
4826
4827 if (!istls13)
4828 max_version = TLS1_2_VERSION;
4829
4830 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4831 TLS_client_method(), TLS1_VERSION,
4832 max_version, &sctx, &cctx, cert,
4833 privkey)))
4834 goto end;
4835
4836 /*
4837 * Force (EC)DHE ciphers for TLS 1.2.
4838 * Be sure to enable auto tmp DH so that FFDHE can succeed.
4839 */
4840 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4841 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4842 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4843 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4844 goto end;
4845 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4846 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4847 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4848 goto end;
4849
4850 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4851 NULL, NULL)))
4852 goto end;
4853
4854 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
4855 idx)))
4856 goto end;
4857
4858 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4859 goto end;
4860
4861 /* Initial handshake; always the configured one */
4862 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4863 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4864 goto end;
4865
4866 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
4867 goto end;
4868
4869 SSL_shutdown(clientssl);
4870 SSL_shutdown(serverssl);
4871 SSL_free(serverssl);
4872 SSL_free(clientssl);
4873 serverssl = clientssl = NULL;
4874
4875 /* First resumption attempt; use the same config as initial handshake */
4876 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4877 NULL, NULL))
4878 || !TEST_true(SSL_set_session(clientssl, origsess))
4879 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
4880 isecdhe, idx)))
4881 goto end;
4882
4883 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4884 || !TEST_true(SSL_session_reused(clientssl)))
4885 goto end;
4886
4887 /* Still had better agree, since nothing changed... */
4888 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4889 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4890 goto end;
4891
4892 SSL_shutdown(clientssl);
4893 SSL_shutdown(serverssl);
4894 SSL_free(serverssl);
4895 SSL_free(clientssl);
4896 serverssl = clientssl = NULL;
4897
4898 /*-
4899 * Second resumption attempt
4900 * The party that picks one group changes it, which we effectuate by
4901 * changing 'idx' and updating what we expect.
4902 */
4903 if (idx == 0)
4904 idx = 1;
4905 else
4906 idx--;
4907 if (istls13) {
4908 if (isecdhe)
4909 expectednid = ecdhe_kexch_groups[idx];
4910 else
4911 expectednid = ffdhe_kexch_groups[idx];
4912 /* Verify that we are changing what we expect. */
4913 if (!TEST_int_ne(expectednid, kexch_alg))
4914 goto end;
4915 } else {
4916 /* TLS 1.2 only supports named groups for ECDHE. */
4917 if (isecdhe)
4918 expectednid = kexch_alg;
4919 else
4920 expectednid = 0;
4921 }
4922 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4923 NULL, NULL))
4924 || !TEST_true(SSL_set_session(clientssl, origsess))
4925 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
4926 isecdhe, idx)))
4927 goto end;
4928
4929 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4930 || !TEST_true(SSL_session_reused(clientssl)))
4931 goto end;
4932
4933 /* Check that we get what we expected */
4934 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4935 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4936 goto end;
4937
4938 testresult = 1;
4939 end:
4940 SSL_free(serverssl);
4941 SSL_free(clientssl);
4942 SSL_CTX_free(sctx);
4943 SSL_CTX_free(cctx);
4944 SSL_SESSION_free(origsess);
4945 return testresult;
4946}
4947# endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
4948
4949/*
4950 * Test TLSv1.3 Cipher Suite
4951 * Test 0 = Set TLS1.3 cipher on context
4952 * Test 1 = Set TLS1.3 cipher on SSL
4953 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4954 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4955 */
4956static int test_tls13_ciphersuite(int idx)
4957{
4958 SSL_CTX *sctx = NULL, *cctx = NULL;
4959 SSL *serverssl = NULL, *clientssl = NULL;
4960 static const struct {
4961 const char *ciphername;
4962 int fipscapable;
4963 } t13_ciphers[] = {
4964 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
4965 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
4966 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
4967# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4968 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4969 { TLS1_3_RFC_AES_256_GCM_SHA384
4970 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4971# endif
4972 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
4973 };
4974 const char *t13_cipher = NULL;
4975 const char *t12_cipher = NULL;
4976 const char *negotiated_scipher;
4977 const char *negotiated_ccipher;
4978 int set_at_ctx = 0;
4979 int set_at_ssl = 0;
4980 int testresult = 0;
4981 int max_ver;
4982 size_t i;
4983
4984 switch (idx) {
4985 case 0:
4986 set_at_ctx = 1;
4987 break;
4988 case 1:
4989 set_at_ssl = 1;
4990 break;
4991 case 2:
4992 set_at_ctx = 1;
4993 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4994 break;
4995 case 3:
4996 set_at_ssl = 1;
4997 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4998 break;
4999 }
5000
5001 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
5002# ifdef OPENSSL_NO_TLS1_2
5003 if (max_ver == TLS1_2_VERSION)
5004 continue;
5005# endif
5006 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
5007 if (is_fips && !t13_ciphers[i].fipscapable)
5008 continue;
5009 t13_cipher = t13_ciphers[i].ciphername;
5010 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5011 TLS_client_method(),
5012 TLS1_VERSION, max_ver,
5013 &sctx, &cctx, cert, privkey)))
5014 goto end;
5015
5016 if (set_at_ctx) {
5017 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
5018 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
5019 goto end;
5020 if (t12_cipher != NULL) {
5021 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
5022 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
5023 t12_cipher)))
5024 goto end;
5025 }
5026 }
5027
5028 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5029 &clientssl, NULL, NULL)))
5030 goto end;
5031
5032 if (set_at_ssl) {
5033 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5034 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5035 goto end;
5036 if (t12_cipher != NULL) {
5037 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5038 || !TEST_true(SSL_set_cipher_list(clientssl,
5039 t12_cipher)))
5040 goto end;
5041 }
5042 }
5043
5044 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5045 SSL_ERROR_NONE)))
5046 goto end;
5047
5048 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5049 serverssl));
5050 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5051 clientssl));
5052 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5053 goto end;
5054
5055 /*
5056 * TEST_strn_eq is used below because t13_cipher can contain
5057 * multiple ciphersuites
5058 */
5059 if (max_ver == TLS1_3_VERSION
5060 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5061 strlen(negotiated_scipher)))
5062 goto end;
5063
5064# ifndef OPENSSL_NO_TLS1_2
5065 /* Below validation is not done when t12_cipher is NULL */
5066 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5067 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5068 goto end;
5069# endif
5070
5071 SSL_free(serverssl);
5072 serverssl = NULL;
5073 SSL_free(clientssl);
5074 clientssl = NULL;
5075 SSL_CTX_free(sctx);
5076 sctx = NULL;
5077 SSL_CTX_free(cctx);
5078 cctx = NULL;
5079 }
5080 }
5081
5082 testresult = 1;
5083 end:
5084 SSL_free(serverssl);
5085 SSL_free(clientssl);
5086 SSL_CTX_free(sctx);
5087 SSL_CTX_free(cctx);
5088 return testresult;
5089}
5090
5091/*
5092 * Test TLSv1.3 PSKs
5093 * Test 0 = Test new style callbacks
5094 * Test 1 = Test both new and old style callbacks
5095 * Test 2 = Test old style callbacks
5096 * Test 3 = Test old style callbacks with no certificate
5097 */
5098static int test_tls13_psk(int idx)
5099{
5100 SSL_CTX *sctx = NULL, *cctx = NULL;
5101 SSL *serverssl = NULL, *clientssl = NULL;
5102 const SSL_CIPHER *cipher = NULL;
5103 const unsigned char key[] = {
5104 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5105 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
5106 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5107 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
5108 };
5109 int testresult = 0;
5110
5111 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5112 TLS_client_method(), TLS1_VERSION, 0,
5113 &sctx, &cctx, idx == 3 ? NULL : cert,
5114 idx == 3 ? NULL : privkey)))
5115 goto end;
5116
5117 if (idx != 3) {
5118 /*
5119 * We use a ciphersuite with SHA256 to ease testing old style PSK
5120 * callbacks which will always default to SHA256. This should not be
5121 * necessary if we have no cert/priv key. In that case the server should
5122 * prefer SHA256 automatically.
5123 */
5124 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5125 "TLS_AES_128_GCM_SHA256")))
5126 goto end;
5127 } else {
5128 /*
5129 * As noted above the server should prefer SHA256 automatically. However
5130 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5131 * code works even if we are testing with only the FIPS provider loaded.
5132 */
5133 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5134 "TLS_AES_256_GCM_SHA384:"
5135 "TLS_AES_128_GCM_SHA256")))
5136 goto end;
5137 }
5138
5139 /*
5140 * Test 0: New style callbacks only
5141 * Test 1: New and old style callbacks (only the new ones should be used)
5142 * Test 2: Old style callbacks only
5143 */
5144 if (idx == 0 || idx == 1) {
5145 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5146 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5147 }
5148#ifndef OPENSSL_NO_PSK
5149 if (idx >= 1) {
5150 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5151 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5152 }
5153#endif
5154 srvid = pskid;
5155 use_session_cb_cnt = 0;
5156 find_session_cb_cnt = 0;
5157 psk_client_cb_cnt = 0;
5158 psk_server_cb_cnt = 0;
5159
5160 if (idx != 3) {
5161 /*
5162 * Check we can create a connection if callback decides not to send a
5163 * PSK
5164 */
5165 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5166 NULL, NULL))
5167 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5168 SSL_ERROR_NONE))
5169 || !TEST_false(SSL_session_reused(clientssl))
5170 || !TEST_false(SSL_session_reused(serverssl)))
5171 goto end;
5172
5173 if (idx == 0 || idx == 1) {
5174 if (!TEST_true(use_session_cb_cnt == 1)
5175 || !TEST_true(find_session_cb_cnt == 0)
5176 /*
5177 * If no old style callback then below should be 0
5178 * otherwise 1
5179 */
5180 || !TEST_true(psk_client_cb_cnt == idx)
5181 || !TEST_true(psk_server_cb_cnt == 0))
5182 goto end;
5183 } else {
5184 if (!TEST_true(use_session_cb_cnt == 0)
5185 || !TEST_true(find_session_cb_cnt == 0)
5186 || !TEST_true(psk_client_cb_cnt == 1)
5187 || !TEST_true(psk_server_cb_cnt == 0))
5188 goto end;
5189 }
5190
5191 shutdown_ssl_connection(serverssl, clientssl);
5192 serverssl = clientssl = NULL;
5193 use_session_cb_cnt = psk_client_cb_cnt = 0;
5194 }
5195
5196 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5197 NULL, NULL)))
5198 goto end;
5199
5200 /* Create the PSK */
5201 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
5202 clientpsk = SSL_SESSION_new();
5203 if (!TEST_ptr(clientpsk)
5204 || !TEST_ptr(cipher)
5205 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5206 sizeof(key)))
5207 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5208 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5209 TLS1_3_VERSION))
5210 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
5211 goto end;
5212 serverpsk = clientpsk;
5213
5214 /* Check we can create a connection and the PSK is used */
5215 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5216 || !TEST_true(SSL_session_reused(clientssl))
5217 || !TEST_true(SSL_session_reused(serverssl)))
5218 goto end;
5219
5220 if (idx == 0 || idx == 1) {
5221 if (!TEST_true(use_session_cb_cnt == 1)
5222 || !TEST_true(find_session_cb_cnt == 1)
5223 || !TEST_true(psk_client_cb_cnt == 0)
5224 || !TEST_true(psk_server_cb_cnt == 0))
5225 goto end;
5226 } else {
5227 if (!TEST_true(use_session_cb_cnt == 0)
5228 || !TEST_true(find_session_cb_cnt == 0)
5229 || !TEST_true(psk_client_cb_cnt == 1)
5230 || !TEST_true(psk_server_cb_cnt == 1))
5231 goto end;
5232 }
5233
5234 shutdown_ssl_connection(serverssl, clientssl);
5235 serverssl = clientssl = NULL;
5236 use_session_cb_cnt = find_session_cb_cnt = 0;
5237 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5238
5239 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5240 NULL, NULL)))
5241 goto end;
5242
5243 /* Force an HRR */
5244#if defined(OPENSSL_NO_EC)
5245 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5246 goto end;
5247#else
5248 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
5249 goto end;
5250#endif
5251
5252 /*
5253 * Check we can create a connection, the PSK is used and the callbacks are
5254 * called twice.
5255 */
5256 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5257 || !TEST_true(SSL_session_reused(clientssl))
5258 || !TEST_true(SSL_session_reused(serverssl)))
5259 goto end;
5260
5261 if (idx == 0 || idx == 1) {
5262 if (!TEST_true(use_session_cb_cnt == 2)
5263 || !TEST_true(find_session_cb_cnt == 2)
5264 || !TEST_true(psk_client_cb_cnt == 0)
5265 || !TEST_true(psk_server_cb_cnt == 0))
5266 goto end;
5267 } else {
5268 if (!TEST_true(use_session_cb_cnt == 0)
5269 || !TEST_true(find_session_cb_cnt == 0)
5270 || !TEST_true(psk_client_cb_cnt == 2)
5271 || !TEST_true(psk_server_cb_cnt == 2))
5272 goto end;
5273 }
5274
5275 shutdown_ssl_connection(serverssl, clientssl);
5276 serverssl = clientssl = NULL;
5277 use_session_cb_cnt = find_session_cb_cnt = 0;
5278 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5279
5280 if (idx != 3) {
5281 /*
5282 * Check that if the server rejects the PSK we can still connect, but with
5283 * a full handshake
5284 */
5285 srvid = "Dummy Identity";
5286 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5287 NULL, NULL))
5288 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5289 SSL_ERROR_NONE))
5290 || !TEST_false(SSL_session_reused(clientssl))
5291 || !TEST_false(SSL_session_reused(serverssl)))
5292 goto end;
5293
5294 if (idx == 0 || idx == 1) {
5295 if (!TEST_true(use_session_cb_cnt == 1)
5296 || !TEST_true(find_session_cb_cnt == 1)
5297 || !TEST_true(psk_client_cb_cnt == 0)
5298 /*
5299 * If no old style callback then below should be 0
5300 * otherwise 1
5301 */
5302 || !TEST_true(psk_server_cb_cnt == idx))
5303 goto end;
5304 } else {
5305 if (!TEST_true(use_session_cb_cnt == 0)
5306 || !TEST_true(find_session_cb_cnt == 0)
5307 || !TEST_true(psk_client_cb_cnt == 1)
5308 || !TEST_true(psk_server_cb_cnt == 1))
5309 goto end;
5310 }
5311
5312 shutdown_ssl_connection(serverssl, clientssl);
5313 serverssl = clientssl = NULL;
5314 }
5315 testresult = 1;
5316
5317 end:
5318 SSL_SESSION_free(clientpsk);
5319 SSL_SESSION_free(serverpsk);
5320 clientpsk = serverpsk = NULL;
5321 SSL_free(serverssl);
5322 SSL_free(clientssl);
5323 SSL_CTX_free(sctx);
5324 SSL_CTX_free(cctx);
5325 return testresult;
5326}
5327
5328static unsigned char cookie_magic_value[] = "cookie magic";
5329
5330static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5331 unsigned int *cookie_len)
5332{
5333 /*
5334 * Not suitable as a real cookie generation function but good enough for
5335 * testing!
5336 */
5337 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5338 *cookie_len = sizeof(cookie_magic_value) - 1;
5339
5340 return 1;
5341}
5342
5343static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5344 unsigned int cookie_len)
5345{
5346 if (cookie_len == sizeof(cookie_magic_value) - 1
5347 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5348 return 1;
5349
5350 return 0;
5351}
5352
5353static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5354 size_t *cookie_len)
5355{
5356 unsigned int temp;
5357 int res = generate_cookie_callback(ssl, cookie, &temp);
5358 *cookie_len = temp;
5359 return res;
5360}
5361
5362static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5363 size_t cookie_len)
5364{
5365 return verify_cookie_callback(ssl, cookie, cookie_len);
5366}
5367
5368static int test_stateless(void)
5369{
5370 SSL_CTX *sctx = NULL, *cctx = NULL;
5371 SSL *serverssl = NULL, *clientssl = NULL;
5372 int testresult = 0;
5373
5374 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5375 TLS_client_method(), TLS1_VERSION, 0,
5376 &sctx, &cctx, cert, privkey)))
5377 goto end;
5378
5379 /* The arrival of CCS messages can confuse the test */
5380 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5381
5382 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5383 NULL, NULL))
5384 /* Send the first ClientHello */
5385 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5386 SSL_ERROR_WANT_READ))
5387 /*
5388 * This should fail with a -1 return because we have no callbacks
5389 * set up
5390 */
5391 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5392 goto end;
5393
5394 /* Fatal error so abandon the connection from this client */
5395 SSL_free(clientssl);
5396 clientssl = NULL;
5397
5398 /* Set up the cookie generation and verification callbacks */
5399 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5400 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
5401
5402 /*
5403 * Create a new connection from the client (we can reuse the server SSL
5404 * object).
5405 */
5406 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5407 NULL, NULL))
5408 /* Send the first ClientHello */
5409 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5410 SSL_ERROR_WANT_READ))
5411 /* This should fail because there is no cookie */
5412 || !TEST_int_eq(SSL_stateless(serverssl), 0))
5413 goto end;
5414
5415 /* Abandon the connection from this client */
5416 SSL_free(clientssl);
5417 clientssl = NULL;
5418
5419 /*
5420 * Now create a connection from a new client but with the same server SSL
5421 * object
5422 */
5423 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5424 NULL, NULL))
5425 /* Send the first ClientHello */
5426 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5427 SSL_ERROR_WANT_READ))
5428 /* This should fail because there is no cookie */
5429 || !TEST_int_eq(SSL_stateless(serverssl), 0)
5430 /* Send the second ClientHello */
5431 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5432 SSL_ERROR_WANT_READ))
5433 /* This should succeed because a cookie is now present */
5434 || !TEST_int_eq(SSL_stateless(serverssl), 1)
5435 /* Complete the connection */
5436 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5437 SSL_ERROR_NONE)))
5438 goto end;
5439
5440 shutdown_ssl_connection(serverssl, clientssl);
5441 serverssl = clientssl = NULL;
5442 testresult = 1;
5443
5444 end:
5445 SSL_free(serverssl);
5446 SSL_free(clientssl);
5447 SSL_CTX_free(sctx);
5448 SSL_CTX_free(cctx);
5449 return testresult;
5450
5451}
5452#endif /* OSSL_NO_USABLE_TLS1_3 */
5453
5454static int clntaddoldcb = 0;
5455static int clntparseoldcb = 0;
5456static int srvaddoldcb = 0;
5457static int srvparseoldcb = 0;
5458static int clntaddnewcb = 0;
5459static int clntparsenewcb = 0;
5460static int srvaddnewcb = 0;
5461static int srvparsenewcb = 0;
5462static int snicb = 0;
5463
5464#define TEST_EXT_TYPE1 0xff00
5465
5466static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5467 size_t *outlen, int *al, void *add_arg)
5468{
5469 int *server = (int *)add_arg;
5470 unsigned char *data;
5471
5472 if (SSL_is_server(s))
5473 srvaddoldcb++;
5474 else
5475 clntaddoldcb++;
5476
5477 if (*server != SSL_is_server(s)
5478 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5479 return -1;
5480
5481 *data = 1;
5482 *out = data;
5483 *outlen = sizeof(char);
5484 return 1;
5485}
5486
5487static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5488 void *add_arg)
5489{
5490 OPENSSL_free((unsigned char *)out);
5491}
5492
5493static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5494 size_t inlen, int *al, void *parse_arg)
5495{
5496 int *server = (int *)parse_arg;
5497
5498 if (SSL_is_server(s))
5499 srvparseoldcb++;
5500 else
5501 clntparseoldcb++;
5502
5503 if (*server != SSL_is_server(s)
5504 || inlen != sizeof(char)
5505 || *in != 1)
5506 return -1;
5507
5508 return 1;
5509}
5510
5511static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5512 const unsigned char **out, size_t *outlen, X509 *x,
5513 size_t chainidx, int *al, void *add_arg)
5514{
5515 int *server = (int *)add_arg;
5516 unsigned char *data;
5517
5518 if (SSL_is_server(s))
5519 srvaddnewcb++;
5520 else
5521 clntaddnewcb++;
5522
5523 if (*server != SSL_is_server(s)
5524 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5525 return -1;
5526
5527 *data = 1;
5528 *out = data;
5529 *outlen = sizeof(*data);
5530 return 1;
5531}
5532
5533static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5534 const unsigned char *out, void *add_arg)
5535{
5536 OPENSSL_free((unsigned char *)out);
5537}
5538
5539static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5540 const unsigned char *in, size_t inlen, X509 *x,
5541 size_t chainidx, int *al, void *parse_arg)
5542{
5543 int *server = (int *)parse_arg;
5544
5545 if (SSL_is_server(s))
5546 srvparsenewcb++;
5547 else
5548 clntparsenewcb++;
5549
5550 if (*server != SSL_is_server(s)
5551 || inlen != sizeof(char) || *in != 1)
5552 return -1;
5553
5554 return 1;
5555}
5556
5557static int sni_cb(SSL *s, int *al, void *arg)
5558{
5559 SSL_CTX *ctx = (SSL_CTX *)arg;
5560
5561 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5562 *al = SSL_AD_INTERNAL_ERROR;
5563 return SSL_TLSEXT_ERR_ALERT_FATAL;
5564 }
5565 snicb++;
5566 return SSL_TLSEXT_ERR_OK;
5567}
5568
5569static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
5570{
5571 return 1;
5572}
5573
5574/*
5575 * Custom call back tests.
5576 * Test 0: Old style callbacks in TLSv1.2
5577 * Test 1: New style callbacks in TLSv1.2
5578 * Test 2: New style callbacks in TLSv1.2 with SNI
5579 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5580 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
5581 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
5582 */
5583static int test_custom_exts(int tst)
5584{
5585 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5586 SSL *clientssl = NULL, *serverssl = NULL;
5587 int testresult = 0;
5588 static int server = 1;
5589 static int client = 0;
5590 SSL_SESSION *sess = NULL;
5591 unsigned int context;
5592
5593#if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
5594 /* Skip tests for TLSv1.2 and below in this case */
5595 if (tst < 3)
5596 return 1;
5597#endif
5598
5599 /* Reset callback counters */
5600 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5601 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
5602 snicb = 0;
5603
5604 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5605 TLS_client_method(), TLS1_VERSION, 0,
5606 &sctx, &cctx, cert, privkey)))
5607 goto end;
5608
5609 if (tst == 2
5610 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5611 TLS1_VERSION, 0,
5612 &sctx2, NULL, cert, privkey)))
5613 goto end;
5614
5615
5616 if (tst < 3) {
5617 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5618 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
5619 if (sctx2 != NULL)
5620 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
5621 }
5622
5623 if (tst == 5) {
5624 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
5625 | SSL_EXT_TLS1_3_CERTIFICATE;
5626 SSL_CTX_set_verify(sctx,
5627 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
5628 verify_cb);
5629 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
5630 SSL_FILETYPE_PEM), 1)
5631 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
5632 SSL_FILETYPE_PEM), 1)
5633 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
5634 goto end;
5635 } else if (tst == 4) {
5636 context = SSL_EXT_CLIENT_HELLO
5637 | SSL_EXT_TLS1_2_SERVER_HELLO
5638 | SSL_EXT_TLS1_3_SERVER_HELLO
5639 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5640 | SSL_EXT_TLS1_3_CERTIFICATE
5641 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5642 } else {
5643 context = SSL_EXT_CLIENT_HELLO
5644 | SSL_EXT_TLS1_2_SERVER_HELLO
5645 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5646 }
5647
5648 /* Create a client side custom extension */
5649 if (tst == 0) {
5650 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5651 old_add_cb, old_free_cb,
5652 &client, old_parse_cb,
5653 &client)))
5654 goto end;
5655 } else {
5656 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5657 new_add_cb, new_free_cb,
5658 &client, new_parse_cb, &client)))
5659 goto end;
5660 }
5661
5662 /* Should not be able to add duplicates */
5663 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5664 old_add_cb, old_free_cb,
5665 &client, old_parse_cb,
5666 &client))
5667 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5668 context, new_add_cb,
5669 new_free_cb, &client,
5670 new_parse_cb, &client)))
5671 goto end;
5672
5673 /* Create a server side custom extension */
5674 if (tst == 0) {
5675 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5676 old_add_cb, old_free_cb,
5677 &server, old_parse_cb,
5678 &server)))
5679 goto end;
5680 } else {
5681 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5682 new_add_cb, new_free_cb,
5683 &server, new_parse_cb, &server)))
5684 goto end;
5685 if (sctx2 != NULL
5686 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5687 context, new_add_cb,
5688 new_free_cb, &server,
5689 new_parse_cb, &server)))
5690 goto end;
5691 }
5692
5693 /* Should not be able to add duplicates */
5694 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5695 old_add_cb, old_free_cb,
5696 &server, old_parse_cb,
5697 &server))
5698 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5699 context, new_add_cb,
5700 new_free_cb, &server,
5701 new_parse_cb, &server)))
5702 goto end;
5703
5704 if (tst == 2) {
5705 /* Set up SNI */
5706 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5707 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5708 goto end;
5709 }
5710
5711 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5712 &clientssl, NULL, NULL))
5713 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5714 SSL_ERROR_NONE)))
5715 goto end;
5716
5717 if (tst == 0) {
5718 if (clntaddoldcb != 1
5719 || clntparseoldcb != 1
5720 || srvaddoldcb != 1
5721 || srvparseoldcb != 1)
5722 goto end;
5723 } else if (tst == 1 || tst == 2 || tst == 3) {
5724 if (clntaddnewcb != 1
5725 || clntparsenewcb != 1
5726 || srvaddnewcb != 1
5727 || srvparsenewcb != 1
5728 || (tst != 2 && snicb != 0)
5729 || (tst == 2 && snicb != 1))
5730 goto end;
5731 } else if (tst == 5) {
5732 if (clntaddnewcb != 1
5733 || clntparsenewcb != 1
5734 || srvaddnewcb != 1
5735 || srvparsenewcb != 1)
5736 goto end;
5737 } else {
5738 /* In this case there 2 NewSessionTicket messages created */
5739 if (clntaddnewcb != 1
5740 || clntparsenewcb != 5
5741 || srvaddnewcb != 5
5742 || srvparsenewcb != 1)
5743 goto end;
5744 }
5745
5746 sess = SSL_get1_session(clientssl);
5747 SSL_shutdown(clientssl);
5748 SSL_shutdown(serverssl);
5749 SSL_free(serverssl);
5750 SSL_free(clientssl);
5751 serverssl = clientssl = NULL;
5752
5753 if (tst == 3 || tst == 5) {
5754 /* We don't bother with the resumption aspects for these tests */
5755 testresult = 1;
5756 goto end;
5757 }
5758
5759 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5760 NULL, NULL))
5761 || !TEST_true(SSL_set_session(clientssl, sess))
5762 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5763 SSL_ERROR_NONE)))
5764 goto end;
5765
5766 /*
5767 * For a resumed session we expect to add the ClientHello extension. For the
5768 * old style callbacks we ignore it on the server side because they set
5769 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5770 * them.
5771 */
5772 if (tst == 0) {
5773 if (clntaddoldcb != 2
5774 || clntparseoldcb != 1
5775 || srvaddoldcb != 1
5776 || srvparseoldcb != 1)
5777 goto end;
5778 } else if (tst == 1 || tst == 2 || tst == 3) {
5779 if (clntaddnewcb != 2
5780 || clntparsenewcb != 2
5781 || srvaddnewcb != 2
5782 || srvparsenewcb != 2)
5783 goto end;
5784 } else {
5785 /*
5786 * No Certificate message extensions in the resumption handshake,
5787 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5788 */
5789 if (clntaddnewcb != 2
5790 || clntparsenewcb != 8
5791 || srvaddnewcb != 8
5792 || srvparsenewcb != 2)
5793 goto end;
5794 }
5795
5796 testresult = 1;
5797
5798end:
5799 SSL_SESSION_free(sess);
5800 SSL_free(serverssl);
5801 SSL_free(clientssl);
5802 SSL_CTX_free(sctx2);
5803 SSL_CTX_free(sctx);
5804 SSL_CTX_free(cctx);
5805 return testresult;
5806}
5807
5808/*
5809 * Test loading of serverinfo data in various formats. test_sslmessages actually
5810 * tests to make sure the extensions appear in the handshake
5811 */
5812static int test_serverinfo(int tst)
5813{
5814 unsigned int version;
5815 unsigned char *sibuf;
5816 size_t sibuflen;
5817 int ret, expected, testresult = 0;
5818 SSL_CTX *ctx;
5819
5820 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method());
5821 if (!TEST_ptr(ctx))
5822 goto end;
5823
5824 if ((tst & 0x01) == 0x01)
5825 version = SSL_SERVERINFOV2;
5826 else
5827 version = SSL_SERVERINFOV1;
5828
5829 if ((tst & 0x02) == 0x02) {
5830 sibuf = serverinfov2;
5831 sibuflen = sizeof(serverinfov2);
5832 expected = (version == SSL_SERVERINFOV2);
5833 } else {
5834 sibuf = serverinfov1;
5835 sibuflen = sizeof(serverinfov1);
5836 expected = (version == SSL_SERVERINFOV1);
5837 }
5838
5839 if ((tst & 0x04) == 0x04) {
5840 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
5841 } else {
5842 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
5843
5844 /*
5845 * The version variable is irrelevant in this case - it's what is in the
5846 * buffer that matters
5847 */
5848 if ((tst & 0x02) == 0x02)
5849 expected = 0;
5850 else
5851 expected = 1;
5852 }
5853
5854 if (!TEST_true(ret == expected))
5855 goto end;
5856
5857 testresult = 1;
5858
5859 end:
5860 SSL_CTX_free(ctx);
5861
5862 return testresult;
5863}
5864
5865/*
5866 * Test that SSL_export_keying_material() produces expected results. There are
5867 * no test vectors so all we do is test that both sides of the communication
5868 * produce the same results for different protocol versions.
5869 */
5870#define SMALL_LABEL_LEN 10
5871#define LONG_LABEL_LEN 249
5872static int test_export_key_mat(int tst)
5873{
5874 int testresult = 0;
5875 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5876 SSL *clientssl = NULL, *serverssl = NULL;
5877 const char label[LONG_LABEL_LEN + 1] = "test label";
5878 const unsigned char context[] = "context";
5879 const unsigned char *emptycontext = NULL;
5880 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
5881 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
5882 size_t labellen;
5883 const int protocols[] = {
5884 TLS1_VERSION,
5885 TLS1_1_VERSION,
5886 TLS1_2_VERSION,
5887 TLS1_3_VERSION,
5888 TLS1_3_VERSION,
5889 TLS1_3_VERSION
5890 };
5891
5892#ifdef OPENSSL_NO_TLS1
5893 if (tst == 0)
5894 return 1;
5895#endif
5896#ifdef OPENSSL_NO_TLS1_1
5897 if (tst == 1)
5898 return 1;
5899#endif
5900 if (is_fips && (tst == 0 || tst == 1))
5901 return 1;
5902#ifdef OPENSSL_NO_TLS1_2
5903 if (tst == 2)
5904 return 1;
5905#endif
5906#ifdef OSSL_NO_USABLE_TLS1_3
5907 if (tst >= 3)
5908 return 1;
5909#endif
5910 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5911 TLS_client_method(), TLS1_VERSION, 0,
5912 &sctx, &cctx, cert, privkey)))
5913 goto end;
5914
5915 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
5916 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
5917 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
5918 if ((protocols[tst] < TLS1_2_VERSION) &&
5919 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
5920 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
5921 goto end;
5922
5923 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5924 NULL)))
5925 goto end;
5926
5927 /*
5928 * Premature call of SSL_export_keying_material should just fail.
5929 */
5930 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5931 sizeof(ckeymat1), label,
5932 SMALL_LABEL_LEN + 1, context,
5933 sizeof(context) - 1, 1), 0))
5934 goto end;
5935
5936 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5937 SSL_ERROR_NONE)))
5938 goto end;
5939
5940 if (tst == 5) {
5941 /*
5942 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
5943 * go over that.
5944 */
5945 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5946 sizeof(ckeymat1), label,
5947 LONG_LABEL_LEN + 1, context,
5948 sizeof(context) - 1, 1), 0))
5949 goto end;
5950
5951 testresult = 1;
5952 goto end;
5953 } else if (tst == 4) {
5954 labellen = LONG_LABEL_LEN;
5955 } else {
5956 labellen = SMALL_LABEL_LEN;
5957 }
5958
5959 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
5960 sizeof(ckeymat1), label,
5961 labellen, context,
5962 sizeof(context) - 1, 1), 1)
5963 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
5964 sizeof(ckeymat2), label,
5965 labellen,
5966 emptycontext,
5967 0, 1), 1)
5968 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
5969 sizeof(ckeymat3), label,
5970 labellen,
5971 NULL, 0, 0), 1)
5972 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
5973 sizeof(skeymat1), label,
5974 labellen,
5975 context,
5976 sizeof(context) -1, 1),
5977 1)
5978 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
5979 sizeof(skeymat2), label,
5980 labellen,
5981 emptycontext,
5982 0, 1), 1)
5983 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
5984 sizeof(skeymat3), label,
5985 labellen,
5986 NULL, 0, 0), 1)
5987 /*
5988 * Check that both sides created the same key material with the
5989 * same context.
5990 */
5991 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5992 sizeof(skeymat1))
5993 /*
5994 * Check that both sides created the same key material with an
5995 * empty context.
5996 */
5997 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5998 sizeof(skeymat2))
5999 /*
6000 * Check that both sides created the same key material without a
6001 * context.
6002 */
6003 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
6004 sizeof(skeymat3))
6005 /* Different contexts should produce different results */
6006 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6007 sizeof(ckeymat2)))
6008 goto end;
6009
6010 /*
6011 * Check that an empty context and no context produce different results in
6012 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6013 */
6014 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
6015 sizeof(ckeymat3)))
6016 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
6017 sizeof(ckeymat3))))
6018 goto end;
6019
6020 testresult = 1;
6021
6022 end:
6023 SSL_free(serverssl);
6024 SSL_free(clientssl);
6025 SSL_CTX_free(sctx2);
6026 SSL_CTX_free(sctx);
6027 SSL_CTX_free(cctx);
6028
6029 return testresult;
6030}
6031
6032#ifndef OSSL_NO_USABLE_TLS1_3
6033/*
6034 * Test that SSL_export_keying_material_early() produces expected
6035 * results. There are no test vectors so all we do is test that both
6036 * sides of the communication produce the same results for different
6037 * protocol versions.
6038 */
6039static int test_export_key_mat_early(int idx)
6040{
6041 static const char label[] = "test label";
6042 static const unsigned char context[] = "context";
6043 int testresult = 0;
6044 SSL_CTX *cctx = NULL, *sctx = NULL;
6045 SSL *clientssl = NULL, *serverssl = NULL;
6046 SSL_SESSION *sess = NULL;
6047 const unsigned char *emptycontext = NULL;
6048 unsigned char ckeymat1[80], ckeymat2[80];
6049 unsigned char skeymat1[80], skeymat2[80];
6050 unsigned char buf[1];
6051 size_t readbytes, written;
6052
6053 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
6054 &sess, idx)))
6055 goto end;
6056
6057 /* Here writing 0 length early data is enough. */
6058 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6059 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6060 &readbytes),
6061 SSL_READ_EARLY_DATA_ERROR)
6062 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6063 SSL_EARLY_DATA_ACCEPTED))
6064 goto end;
6065
6066 if (!TEST_int_eq(SSL_export_keying_material_early(
6067 clientssl, ckeymat1, sizeof(ckeymat1), label,
6068 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6069 || !TEST_int_eq(SSL_export_keying_material_early(
6070 clientssl, ckeymat2, sizeof(ckeymat2), label,
6071 sizeof(label) - 1, emptycontext, 0), 1)
6072 || !TEST_int_eq(SSL_export_keying_material_early(
6073 serverssl, skeymat1, sizeof(skeymat1), label,
6074 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6075 || !TEST_int_eq(SSL_export_keying_material_early(
6076 serverssl, skeymat2, sizeof(skeymat2), label,
6077 sizeof(label) - 1, emptycontext, 0), 1)
6078 /*
6079 * Check that both sides created the same key material with the
6080 * same context.
6081 */
6082 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6083 sizeof(skeymat1))
6084 /*
6085 * Check that both sides created the same key material with an
6086 * empty context.
6087 */
6088 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6089 sizeof(skeymat2))
6090 /* Different contexts should produce different results */
6091 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6092 sizeof(ckeymat2)))
6093 goto end;
6094
6095 testresult = 1;
6096
6097 end:
6098 SSL_SESSION_free(sess);
6099 SSL_SESSION_free(clientpsk);
6100 SSL_SESSION_free(serverpsk);
6101 clientpsk = serverpsk = NULL;
6102 SSL_free(serverssl);
6103 SSL_free(clientssl);
6104 SSL_CTX_free(sctx);
6105 SSL_CTX_free(cctx);
6106
6107 return testresult;
6108}
6109
6110#define NUM_KEY_UPDATE_MESSAGES 40
6111/*
6112 * Test KeyUpdate.
6113 */
6114static int test_key_update(void)
6115{
6116 SSL_CTX *cctx = NULL, *sctx = NULL;
6117 SSL *clientssl = NULL, *serverssl = NULL;
6118 int testresult = 0, i, j;
6119 char buf[20];
6120 static char *mess = "A test message";
6121
6122 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6123 TLS_client_method(),
6124 TLS1_3_VERSION,
6125 0,
6126 &sctx, &cctx, cert, privkey))
6127 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6128 NULL, NULL))
6129 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6130 SSL_ERROR_NONE)))
6131 goto end;
6132
6133 for (j = 0; j < 2; j++) {
6134 /* Send lots of KeyUpdate messages */
6135 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6136 if (!TEST_true(SSL_key_update(clientssl,
6137 (j == 0)
6138 ? SSL_KEY_UPDATE_NOT_REQUESTED
6139 : SSL_KEY_UPDATE_REQUESTED))
6140 || !TEST_true(SSL_do_handshake(clientssl)))
6141 goto end;
6142 }
6143
6144 /* Check that sending and receiving app data is ok */
6145 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6146 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6147 strlen(mess)))
6148 goto end;
6149
6150 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6151 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6152 strlen(mess)))
6153 goto end;
6154 }
6155
6156 testresult = 1;
6157
6158 end:
6159 SSL_free(serverssl);
6160 SSL_free(clientssl);
6161 SSL_CTX_free(sctx);
6162 SSL_CTX_free(cctx);
6163
6164 return testresult;
6165}
6166
6167/*
6168 * Test we can handle a KeyUpdate (update requested) message while
6169 * write data is pending in peer.
6170 * Test 0: Client sends KeyUpdate while Server is writing
6171 * Test 1: Server sends KeyUpdate while Client is writing
6172 */
6173static int test_key_update_peer_in_write(int tst)
6174{
6175 SSL_CTX *cctx = NULL, *sctx = NULL;
6176 SSL *clientssl = NULL, *serverssl = NULL;
6177 int testresult = 0;
6178 char buf[20];
6179 static char *mess = "A test message";
6180 BIO *bretry = BIO_new(bio_s_always_retry());
6181 BIO *tmp = NULL;
6182 SSL *peerupdate = NULL, *peerwrite = NULL;
6183
6184 if (!TEST_ptr(bretry)
6185 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6186 TLS_client_method(),
6187 TLS1_3_VERSION,
6188 0,
6189 &sctx, &cctx, cert, privkey))
6190 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6191 NULL, NULL))
6192 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6193 SSL_ERROR_NONE)))
6194 goto end;
6195
6196 peerupdate = tst == 0 ? clientssl : serverssl;
6197 peerwrite = tst == 0 ? serverssl : clientssl;
6198
6199 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
6200 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
6201 goto end;
6202
6203 /* Swap the writing endpoint's write BIO to force a retry */
6204 tmp = SSL_get_wbio(peerwrite);
6205 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6206 tmp = NULL;
6207 goto end;
6208 }
6209 SSL_set0_wbio(peerwrite, bretry);
6210 bretry = NULL;
6211
6212 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6213 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6214 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
6215 goto end;
6216
6217 /* Reinstate the original writing endpoint's write BIO */
6218 SSL_set0_wbio(peerwrite, tmp);
6219 tmp = NULL;
6220
6221 /* Now read some data - we will read the key update */
6222 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6223 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
6224 goto end;
6225
6226 /*
6227 * Complete the write we started previously and read it from the other
6228 * endpoint
6229 */
6230 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6231 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6232 goto end;
6233
6234 /* Write more data to ensure we send the KeyUpdate message back */
6235 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6236 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6237 goto end;
6238
6239 testresult = 1;
6240
6241 end:
6242 SSL_free(serverssl);
6243 SSL_free(clientssl);
6244 SSL_CTX_free(sctx);
6245 SSL_CTX_free(cctx);
6246 BIO_free(bretry);
6247 BIO_free(tmp);
6248
6249 return testresult;
6250}
6251
6252/*
6253 * Test we can handle a KeyUpdate (update requested) message while
6254 * peer read data is pending after peer accepted keyupdate(the msg header
6255 * had been read 5 bytes).
6256 * Test 0: Client sends KeyUpdate while Server is reading
6257 * Test 1: Server sends KeyUpdate while Client is reading
6258 */
6259static int test_key_update_peer_in_read(int tst)
6260{
6261 SSL_CTX *cctx = NULL, *sctx = NULL;
6262 SSL *clientssl = NULL, *serverssl = NULL;
6263 int testresult = 0;
6264 char prbuf[515], lwbuf[515] = {0};
6265 static char *mess = "A test message";
6266 BIO *lbio = NULL, *pbio = NULL;
6267 SSL *local = NULL, *peer = NULL;
6268
6269 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6270 TLS_client_method(),
6271 TLS1_3_VERSION,
6272 0,
6273 &sctx, &cctx, cert, privkey))
6274 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6275 NULL, NULL))
6276 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6277 SSL_ERROR_NONE)))
6278 goto end;
6279
6280 local = tst == 0 ? clientssl : serverssl;
6281 peer = tst == 0 ? serverssl : clientssl;
6282
6283 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6284 goto end;
6285
6286 SSL_set_bio(local, lbio, lbio);
6287 SSL_set_bio(peer, pbio, pbio);
6288
6289 /*
6290 * we first write keyupdate msg then appdata in local
6291 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6292 * lwbuf app data msg size + key updata msg size > 512(the size of
6293 * the bio pair buffer)
6294 */
6295 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6296 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
6297 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6298 goto end;
6299
6300 /*
6301 * first read keyupdate msg in peer in peer
6302 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6303 */
6304 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
6305 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
6306 goto end;
6307
6308 /* Now write some data in peer - we will write the key update */
6309 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
6310 goto end;
6311
6312 /*
6313 * write data in local previously that we will complete
6314 * read data in peer previously that we will complete
6315 */
6316 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
6317 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
6318 goto end;
6319
6320 /* check that sending and receiving appdata ok */
6321 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6322 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6323 goto end;
6324
6325 testresult = 1;
6326
6327 end:
6328 SSL_free(serverssl);
6329 SSL_free(clientssl);
6330 SSL_CTX_free(sctx);
6331 SSL_CTX_free(cctx);
6332
6333 return testresult;
6334}
6335
6336/*
6337 * Test we can't send a KeyUpdate (update requested) message while
6338 * local write data is pending.
6339 * Test 0: Client sends KeyUpdate while Client is writing
6340 * Test 1: Server sends KeyUpdate while Server is writing
6341 */
6342static int test_key_update_local_in_write(int tst)
6343{
6344 SSL_CTX *cctx = NULL, *sctx = NULL;
6345 SSL *clientssl = NULL, *serverssl = NULL;
6346 int testresult = 0;
6347 char buf[20];
6348 static char *mess = "A test message";
6349 BIO *bretry = BIO_new(bio_s_always_retry());
6350 BIO *tmp = NULL;
6351 SSL *local = NULL, *peer = NULL;
6352
6353 if (!TEST_ptr(bretry)
6354 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6355 TLS_client_method(),
6356 TLS1_3_VERSION,
6357 0,
6358 &sctx, &cctx, cert, privkey))
6359 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6360 NULL, NULL))
6361 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6362 SSL_ERROR_NONE)))
6363 goto end;
6364
6365 local = tst == 0 ? clientssl : serverssl;
6366 peer = tst == 0 ? serverssl : clientssl;
6367
6368 /* Swap the writing endpoint's write BIO to force a retry */
6369 tmp = SSL_get_wbio(local);
6370 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6371 tmp = NULL;
6372 goto end;
6373 }
6374 SSL_set0_wbio(local, bretry);
6375 bretry = NULL;
6376
6377 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
6378 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
6379 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6380 goto end;
6381
6382 /* Reinstate the original writing endpoint's write BIO */
6383 SSL_set0_wbio(local, tmp);
6384 tmp = NULL;
6385
6386 /* SSL_key_update will fail, because writing in local*/
6387 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6388 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
6389 goto end;
6390
6391 ERR_clear_error();
6392 /* write data in local previously that we will complete */
6393 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
6394 goto end;
6395
6396 /* SSL_key_update will succeed because there is no pending write data */
6397 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6398 || !TEST_int_eq(SSL_do_handshake(local), 1))
6399 goto end;
6400
6401 /*
6402 * we write some appdata in local
6403 * read data in peer - we will read the keyupdate msg
6404 */
6405 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6406 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
6407 goto end;
6408
6409 /* Write more peer more data to ensure we send the keyupdate message back */
6410 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6411 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
6412 goto end;
6413
6414 testresult = 1;
6415
6416 end:
6417 SSL_free(serverssl);
6418 SSL_free(clientssl);
6419 SSL_CTX_free(sctx);
6420 SSL_CTX_free(cctx);
6421 BIO_free(bretry);
6422 BIO_free(tmp);
6423
6424 return testresult;
6425}
6426
6427/*
6428 * Test we can handle a KeyUpdate (update requested) message while
6429 * local read data is pending(the msg header had been read 5 bytes).
6430 * Test 0: Client sends KeyUpdate while Client is reading
6431 * Test 1: Server sends KeyUpdate while Server is reading
6432 */
6433static int test_key_update_local_in_read(int tst)
6434{
6435 SSL_CTX *cctx = NULL, *sctx = NULL;
6436 SSL *clientssl = NULL, *serverssl = NULL;
6437 int testresult = 0;
6438 char lrbuf[515], pwbuf[515] = {0}, prbuf[20];
6439 static char *mess = "A test message";
6440 BIO *lbio = NULL, *pbio = NULL;
6441 SSL *local = NULL, *peer = NULL;
6442
6443 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6444 TLS_client_method(),
6445 TLS1_3_VERSION,
6446 0,
6447 &sctx, &cctx, cert, privkey))
6448 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6449 NULL, NULL))
6450 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6451 SSL_ERROR_NONE)))
6452 goto end;
6453
6454 local = tst == 0 ? clientssl : serverssl;
6455 peer = tst == 0 ? serverssl : clientssl;
6456
6457 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6458 goto end;
6459
6460 SSL_set_bio(local, lbio, lbio);
6461 SSL_set_bio(peer, pbio, pbio);
6462
6463 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
6464 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
6465 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
6466 goto end;
6467
6468 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
6469 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
6470 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
6471 goto end;
6472
6473 /* SSL_do_handshake will send keyupdate msg */
6474 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6475 || !TEST_int_eq(SSL_do_handshake(local), 1))
6476 goto end;
6477
6478 /*
6479 * write data in peer previously that we will complete
6480 * read data in local previously that we will complete
6481 */
6482 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
6483 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
6484 goto end;
6485
6486 /*
6487 * write data in local
6488 * read data in peer - we will read the key update
6489 */
6490 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6491 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6492 goto end;
6493
6494 /* Write more peer data to ensure we send the keyupdate message back */
6495 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6496 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
6497 goto end;
6498
6499 testresult = 1;
6500
6501 end:
6502 SSL_free(serverssl);
6503 SSL_free(clientssl);
6504 SSL_CTX_free(sctx);
6505 SSL_CTX_free(cctx);
6506
6507 return testresult;
6508}
6509#endif /* OSSL_NO_USABLE_TLS1_3 */
6510
6511static int test_ssl_clear(int idx)
6512{
6513 SSL_CTX *cctx = NULL, *sctx = NULL;
6514 SSL *clientssl = NULL, *serverssl = NULL;
6515 int testresult = 0;
6516
6517#ifdef OPENSSL_NO_TLS1_2
6518 if (idx == 1)
6519 return 1;
6520#endif
6521
6522 /* Create an initial connection */
6523 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6524 TLS_client_method(), TLS1_VERSION, 0,
6525 &sctx, &cctx, cert, privkey))
6526 || (idx == 1
6527 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
6528 TLS1_2_VERSION)))
6529 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6530 &clientssl, NULL, NULL))
6531 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6532 SSL_ERROR_NONE)))
6533 goto end;
6534
6535 SSL_shutdown(clientssl);
6536 SSL_shutdown(serverssl);
6537 SSL_free(serverssl);
6538 serverssl = NULL;
6539
6540 /* Clear clientssl - we're going to reuse the object */
6541 if (!TEST_true(SSL_clear(clientssl)))
6542 goto end;
6543
6544 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6545 NULL, NULL))
6546 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6547 SSL_ERROR_NONE))
6548 || !TEST_true(SSL_session_reused(clientssl)))
6549 goto end;
6550
6551 SSL_shutdown(clientssl);
6552 SSL_shutdown(serverssl);
6553
6554 testresult = 1;
6555
6556 end:
6557 SSL_free(serverssl);
6558 SSL_free(clientssl);
6559 SSL_CTX_free(sctx);
6560 SSL_CTX_free(cctx);
6561
6562 return testresult;
6563}
6564
6565/* Parse CH and retrieve any MFL extension value if present */
6566static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
6567{
6568 long len;
6569 unsigned char *data;
6570 PACKET pkt, pkt2, pkt3;
6571 unsigned int MFL_code = 0, type = 0;
6572
6573 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
6574 goto end;
6575
6576 memset(&pkt, 0, sizeof(pkt));
6577 memset(&pkt2, 0, sizeof(pkt2));
6578 memset(&pkt3, 0, sizeof(pkt3));
6579
6580 if (!TEST_long_gt(len, 0)
6581 || !TEST_true( PACKET_buf_init( &pkt, data, len ) )
6582 /* Skip the record header */
6583 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
6584 /* Skip the handshake message header */
6585 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
6586 /* Skip client version and random */
6587 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
6588 + SSL3_RANDOM_SIZE))
6589 /* Skip session id */
6590 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6591 /* Skip ciphers */
6592 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
6593 /* Skip compression */
6594 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6595 /* Extensions len */
6596 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
6597 goto end;
6598
6599 /* Loop through all extensions */
6600 while (PACKET_remaining(&pkt2)) {
6601 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
6602 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
6603 goto end;
6604
6605 if (type == TLSEXT_TYPE_max_fragment_length) {
6606 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
6607 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
6608 goto end;
6609
6610 *mfl_codemfl_code = MFL_code;
6611 return 1;
6612 }
6613 }
6614
6615 end:
6616 return 0;
6617}
6618
6619/* Maximum-Fragment-Length TLS extension mode to test */
6620static const unsigned char max_fragment_len_test[] = {
6621 TLSEXT_max_fragment_length_512,
6622 TLSEXT_max_fragment_length_1024,
6623 TLSEXT_max_fragment_length_2048,
6624 TLSEXT_max_fragment_length_4096
6625};
6626
6627static int test_max_fragment_len_ext(int idx_tst)
6628{
6629 SSL_CTX *ctx = NULL;
6630 SSL *con = NULL;
6631 int testresult = 0, MFL_mode = 0;
6632 BIO *rbio, *wbio;
6633
6634 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
6635 TLS1_VERSION, 0, NULL, &ctx, NULL,
6636 NULL)))
6637 return 0;
6638
6639 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
6640 ctx, max_fragment_len_test[idx_tst])))
6641 goto end;
6642
6643 con = SSL_new(ctx);
6644 if (!TEST_ptr(con))
6645 goto end;
6646
6647 rbio = BIO_new(BIO_s_mem());
6648 wbio = BIO_new(BIO_s_mem());
6649 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
6650 BIO_free(rbio);
6651 BIO_free(wbio);
6652 goto end;
6653 }
6654
6655 SSL_set_bio(con, rbio, wbio);
6656
6657 if (!TEST_int_le(SSL_connect(con), 0)) {
6658 /* This shouldn't succeed because we don't have a server! */
6659 goto end;
6660 }
6661
6662 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
6663 /* no MFL in client hello */
6664 goto end;
6665 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
6666 goto end;
6667
6668 testresult = 1;
6669
6670end:
6671 SSL_free(con);
6672 SSL_CTX_free(ctx);
6673
6674 return testresult;
6675}
6676
6677#ifndef OSSL_NO_USABLE_TLS1_3
6678static int test_pha_key_update(void)
6679{
6680 SSL_CTX *cctx = NULL, *sctx = NULL;
6681 SSL *clientssl = NULL, *serverssl = NULL;
6682 int testresult = 0;
6683
6684 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6685 TLS_client_method(), TLS1_VERSION, 0,
6686 &sctx, &cctx, cert, privkey)))
6687 return 0;
6688
6689 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
6690 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
6691 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
6692 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
6693 goto end;
6694
6695 SSL_CTX_set_post_handshake_auth(cctx, 1);
6696
6697 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6698 NULL, NULL)))
6699 goto end;
6700
6701 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6702 SSL_ERROR_NONE)))
6703 goto end;
6704
6705 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6706 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6707 goto end;
6708
6709 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
6710 goto end;
6711
6712 /* Start handshake on the server */
6713 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
6714 goto end;
6715
6716 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
6717 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6718 SSL_ERROR_NONE)))
6719 goto end;
6720
6721 SSL_shutdown(clientssl);
6722 SSL_shutdown(serverssl);
6723
6724 testresult = 1;
6725
6726 end:
6727 SSL_free(serverssl);
6728 SSL_free(clientssl);
6729 SSL_CTX_free(sctx);
6730 SSL_CTX_free(cctx);
6731 return testresult;
6732}
6733#endif
6734
6735#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6736
6737static SRP_VBASE *vbase = NULL;
6738
6739static int ssl_srp_cb(SSL *s, int *ad, void *arg)
6740{
6741 int ret = SSL3_AL_FATAL;
6742 char *username;
6743 SRP_user_pwd *user = NULL;
6744
6745 username = SSL_get_srp_username(s);
6746 if (username == NULL) {
6747 *ad = SSL_AD_INTERNAL_ERROR;
6748 goto err;
6749 }
6750
6751 user = SRP_VBASE_get1_by_user(vbase, username);
6752 if (user == NULL) {
6753 *ad = SSL_AD_INTERNAL_ERROR;
6754 goto err;
6755 }
6756
6757 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
6758 user->info) <= 0) {
6759 *ad = SSL_AD_INTERNAL_ERROR;
6760 goto err;
6761 }
6762
6763 ret = 0;
6764
6765 err:
6766 SRP_user_pwd_free(user);
6767 return ret;
6768}
6769
6770static int create_new_vfile(char *userid, char *password, const char *filename)
6771{
6772 char *gNid = NULL;
6773 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
6774 TXT_DB *db = NULL;
6775 int ret = 0;
6776 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
6777 size_t i;
6778
6779 if (!TEST_ptr(dummy) || !TEST_ptr(row))
6780 goto end;
6781
6782 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
6783 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
6784 if (!TEST_ptr(gNid))
6785 goto end;
6786
6787 /*
6788 * The only way to create an empty TXT_DB is to provide a BIO with no data
6789 * in it!
6790 */
6791 db = TXT_DB_read(dummy, DB_NUMBER);
6792 if (!TEST_ptr(db))
6793 goto end;
6794
6795 out = BIO_new_file(filename, "w");
6796 if (!TEST_ptr(out))
6797 goto end;
6798
6799 row[DB_srpid] = OPENSSL_strdup(userid);
6800 row[DB_srptype] = OPENSSL_strdup("V");
6801 row[DB_srpgN] = OPENSSL_strdup(gNid);
6802
6803 if (!TEST_ptr(row[DB_srpid])
6804 || !TEST_ptr(row[DB_srptype])
6805 || !TEST_ptr(row[DB_srpgN])
6806 || !TEST_true(TXT_DB_insert(db, row)))
6807 goto end;
6808
6809 row = NULL;
6810
6811 if (TXT_DB_write(out, db) <= 0)
6812 goto end;
6813
6814 ret = 1;
6815 end:
6816 if (row != NULL) {
6817 for (i = 0; i < DB_NUMBER; i++)
6818 OPENSSL_free(row[i]);
6819 }
6820 OPENSSL_free(row);
6821 BIO_free(dummy);
6822 BIO_free(out);
6823 TXT_DB_free(db);
6824
6825 return ret;
6826}
6827
6828static int create_new_vbase(char *userid, char *password)
6829{
6830 BIGNUM *verifier = NULL, *salt = NULL;
6831 const SRP_gN *lgN = NULL;
6832 SRP_user_pwd *user_pwd = NULL;
6833 int ret = 0;
6834
6835 lgN = SRP_get_default_gN(NULL);
6836 if (!TEST_ptr(lgN))
6837 goto end;
6838
6839 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
6840 lgN->N, lgN->g, libctx, NULL)))
6841 goto end;
6842
6843 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
6844 if (!TEST_ptr(user_pwd))
6845 goto end;
6846
6847 user_pwd->N = lgN->N;
6848 user_pwd->g = lgN->g;
6849 user_pwd->id = OPENSSL_strdup(userid);
6850 if (!TEST_ptr(user_pwd->id))
6851 goto end;
6852
6853 user_pwd->v = verifier;
6854 user_pwd->s = salt;
6855 verifier = salt = NULL;
6856
6857 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
6858 goto end;
6859 user_pwd = NULL;
6860
6861 ret = 1;
6862end:
6863 SRP_user_pwd_free(user_pwd);
6864 BN_free(salt);
6865 BN_free(verifier);
6866
6867 return ret;
6868}
6869
6870/*
6871 * SRP tests
6872 *
6873 * Test 0: Simple successful SRP connection, new vbase
6874 * Test 1: Connection failure due to bad password, new vbase
6875 * Test 2: Simple successful SRP connection, vbase loaded from existing file
6876 * Test 3: Connection failure due to bad password, vbase loaded from existing
6877 * file
6878 * Test 4: Simple successful SRP connection, vbase loaded from new file
6879 * Test 5: Connection failure due to bad password, vbase loaded from new file
6880 */
6881static int test_srp(int tst)
6882{
6883 char *userid = "test", *password = "password", *tstsrpfile;
6884 SSL_CTX *cctx = NULL, *sctx = NULL;
6885 SSL *clientssl = NULL, *serverssl = NULL;
6886 int ret, testresult = 0;
6887
6888 vbase = SRP_VBASE_new(NULL);
6889 if (!TEST_ptr(vbase))
6890 goto end;
6891
6892 if (tst == 0 || tst == 1) {
6893 if (!TEST_true(create_new_vbase(userid, password)))
6894 goto end;
6895 } else {
6896 if (tst == 4 || tst == 5) {
6897 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
6898 goto end;
6899 tstsrpfile = tmpfilename;
6900 } else {
6901 tstsrpfile = srpvfile;
6902 }
6903 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
6904 goto end;
6905 }
6906
6907 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6908 TLS_client_method(), TLS1_VERSION, 0,
6909 &sctx, &cctx, cert, privkey)))
6910 goto end;
6911
6912 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
6913 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
6914 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
6915 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
6916 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
6917 goto end;
6918
6919 if (tst % 2 == 1) {
6920 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
6921 goto end;
6922 } else {
6923 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
6924 goto end;
6925 }
6926
6927 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6928 NULL, NULL)))
6929 goto end;
6930
6931 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6932 if (ret) {
6933 if (!TEST_true(tst % 2 == 0))
6934 goto end;
6935 } else {
6936 if (!TEST_true(tst % 2 == 1))
6937 goto end;
6938 }
6939
6940 testresult = 1;
6941
6942 end:
6943 SRP_VBASE_free(vbase);
6944 vbase = NULL;
6945 SSL_free(serverssl);
6946 SSL_free(clientssl);
6947 SSL_CTX_free(sctx);
6948 SSL_CTX_free(cctx);
6949
6950 return testresult;
6951}
6952#endif
6953
6954static int info_cb_failed = 0;
6955static int info_cb_offset = 0;
6956static int info_cb_this_state = -1;
6957
6958static struct info_cb_states_st {
6959 int where;
6960 const char *statestr;
6961} info_cb_states[][60] = {
6962 {
6963 /* TLSv1.2 server followed by resumption */
6964 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
6965 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6966 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
6967 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
6968 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
6969 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6970 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6971 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6972 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"},
6973 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6974 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
6975 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6976 {SSL_CB_EXIT, NULL}, {0, NULL},
6977 }, {
6978 /* TLSv1.2 client followed by resumption */
6979 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
6980 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6981 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
6982 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
6983 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
6984 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6985 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6986 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
6987 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6988 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6989 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6990 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
6991 }, {
6992 /* TLSv1.3 server followed by resumption */
6993 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
6994 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6995 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
6996 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
6997 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
6998 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6999 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7000 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7001 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7002 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7003 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7004 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7005 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7006 }, {
7007 /* TLSv1.3 client followed by resumption */
7008 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7009 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7010 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
7011 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7012 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7013 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7014 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7015 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7016 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7017 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7018 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7019 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7020 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7021 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7022 {SSL_CB_EXIT, NULL}, {0, NULL},
7023 }, {
7024 /* TLSv1.3 server, early_data */
7025 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7026 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7027 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7028 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7029 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7030 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
7031 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7032 {SSL_CB_EXIT, NULL}, {0, NULL},
7033 }, {
7034 /* TLSv1.3 client, early_data */
7035 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7036 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
7037 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7038 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7039 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7040 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
7041 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7042 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7043 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7044 }, {
7045 {0, NULL},
7046 }
7047};
7048
7049static void sslapi_info_callback(const SSL *s, int where, int ret)
7050{
7051 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
7052
7053 /* We do not ever expect a connection to fail in this test */
7054 if (!TEST_false(ret == 0)) {
7055 info_cb_failed = 1;
7056 return;
7057 }
7058
7059 /*
7060 * Do some sanity checks. We never expect these things to happen in this
7061 * test
7062 */
7063 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
7064 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
7065 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
7066 info_cb_failed = 1;
7067 return;
7068 }
7069
7070 /* Now check we're in the right state */
7071 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
7072 info_cb_failed = 1;
7073 return;
7074 }
7075 if ((where & SSL_CB_LOOP) != 0
7076 && !TEST_int_eq(strcmp(SSL_state_string(s),
7077 state[info_cb_this_state].statestr), 0)) {
7078 info_cb_failed = 1;
7079 return;
7080 }
7081
7082 /*
7083 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7084 */
7085 if ((where & SSL_CB_HANDSHAKE_DONE)
7086 && SSL_in_init((SSL *)s) != 0) {
7087 info_cb_failed = 1;
7088 return;
7089 }
7090}
7091
7092/*
7093 * Test the info callback gets called when we expect it to.
7094 *
7095 * Test 0: TLSv1.2, server
7096 * Test 1: TLSv1.2, client
7097 * Test 2: TLSv1.3, server
7098 * Test 3: TLSv1.3, client
7099 * Test 4: TLSv1.3, server, early_data
7100 * Test 5: TLSv1.3, client, early_data
7101 */
7102static int test_info_callback(int tst)
7103{
7104 SSL_CTX *cctx = NULL, *sctx = NULL;
7105 SSL *clientssl = NULL, *serverssl = NULL;
7106 SSL_SESSION *clntsess = NULL;
7107 int testresult = 0;
7108 int tlsvers;
7109
7110 if (tst < 2) {
7111/* We need either ECDHE or DHE for the TLSv1.2 test to work */
7112#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7113 || !defined(OPENSSL_NO_DH))
7114 tlsvers = TLS1_2_VERSION;
7115#else
7116 return 1;
7117#endif
7118 } else {
7119#ifndef OSSL_NO_USABLE_TLS1_3
7120 tlsvers = TLS1_3_VERSION;
7121#else
7122 return 1;
7123#endif
7124 }
7125
7126 /* Reset globals */
7127 info_cb_failed = 0;
7128 info_cb_this_state = -1;
7129 info_cb_offset = tst;
7130
7131#ifndef OSSL_NO_USABLE_TLS1_3
7132 if (tst >= 4) {
7133 SSL_SESSION *sess = NULL;
7134 size_t written, readbytes;
7135 unsigned char buf[80];
7136
7137 /* early_data tests */
7138 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
7139 &serverssl, &sess, 0)))
7140 goto end;
7141
7142 /* We don't actually need this reference */
7143 SSL_SESSION_free(sess);
7144
7145 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
7146 sslapi_info_callback);
7147
7148 /* Write and read some early data and then complete the connection */
7149 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
7150 &written))
7151 || !TEST_size_t_eq(written, strlen(MSG1))
7152 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
7153 sizeof(buf), &readbytes),
7154 SSL_READ_EARLY_DATA_SUCCESS)
7155 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
7156 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
7157 SSL_EARLY_DATA_ACCEPTED)
7158 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7159 SSL_ERROR_NONE))
7160 || !TEST_false(info_cb_failed))
7161 goto end;
7162
7163 testresult = 1;
7164 goto end;
7165 }
7166#endif
7167
7168 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7169 TLS_client_method(),
7170 tlsvers, tlsvers, &sctx, &cctx, cert,
7171 privkey)))
7172 goto end;
7173
7174 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
7175 goto end;
7176
7177 /*
7178 * For even numbered tests we check the server callbacks. For odd numbers we
7179 * check the client.
7180 */
7181 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
7182 sslapi_info_callback);
7183
7184 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7185 &clientssl, NULL, NULL))
7186 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7187 SSL_ERROR_NONE))
7188 || !TEST_false(info_cb_failed))
7189 goto end;
7190
7191
7192
7193 clntsess = SSL_get1_session(clientssl);
7194 SSL_shutdown(clientssl);
7195 SSL_shutdown(serverssl);
7196 SSL_free(serverssl);
7197 SSL_free(clientssl);
7198 serverssl = clientssl = NULL;
7199
7200 /* Now do a resumption */
7201 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7202 NULL))
7203 || !TEST_true(SSL_set_session(clientssl, clntsess))
7204 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7205 SSL_ERROR_NONE))
7206 || !TEST_true(SSL_session_reused(clientssl))
7207 || !TEST_false(info_cb_failed))
7208 goto end;
7209
7210 testresult = 1;
7211
7212 end:
7213 SSL_free(serverssl);
7214 SSL_free(clientssl);
7215 SSL_SESSION_free(clntsess);
7216 SSL_CTX_free(sctx);
7217 SSL_CTX_free(cctx);
7218 return testresult;
7219}
7220
7221static int test_ssl_pending(int tst)
7222{
7223 SSL_CTX *cctx = NULL, *sctx = NULL;
7224 SSL *clientssl = NULL, *serverssl = NULL;
7225 int testresult = 0;
7226 char msg[] = "A test message";
7227 char buf[5];
7228 size_t written, readbytes;
7229
7230 if (tst == 0) {
7231 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7232 TLS_client_method(),
7233 TLS1_VERSION, 0,
7234 &sctx, &cctx, cert, privkey)))
7235 goto end;
7236 } else {
7237#ifndef OPENSSL_NO_DTLS
7238 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
7239 DTLS_client_method(),
7240 DTLS1_VERSION, 0,
7241 &sctx, &cctx, cert, privkey)))
7242 goto end;
7243
7244# ifdef OPENSSL_NO_DTLS1_2
7245 /* Not supported in the FIPS provider */
7246 if (is_fips) {
7247 testresult = 1;
7248 goto end;
7249 };
7250 /*
7251 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7252 * level 0
7253 */
7254 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
7255 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
7256 "DEFAULT:@SECLEVEL=0")))
7257 goto end;
7258# endif
7259#else
7260 return 1;
7261#endif
7262 }
7263
7264 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7265 NULL, NULL))
7266 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7267 SSL_ERROR_NONE)))
7268 goto end;
7269
7270 if (!TEST_int_eq(SSL_pending(clientssl), 0)
7271 || !TEST_false(SSL_has_pending(clientssl))
7272 || !TEST_int_eq(SSL_pending(serverssl), 0)
7273 || !TEST_false(SSL_has_pending(serverssl))
7274 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7275 || !TEST_size_t_eq(written, sizeof(msg))
7276 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
7277 || !TEST_size_t_eq(readbytes, sizeof(buf))
7278 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
7279 || !TEST_true(SSL_has_pending(clientssl)))
7280 goto end;
7281
7282 testresult = 1;
7283
7284 end:
7285 SSL_free(serverssl);
7286 SSL_free(clientssl);
7287 SSL_CTX_free(sctx);
7288 SSL_CTX_free(cctx);
7289
7290 return testresult;
7291}
7292
7293static struct {
7294 unsigned int maxprot;
7295 const char *clntciphers;
7296 const char *clnttls13ciphers;
7297 const char *srvrciphers;
7298 const char *srvrtls13ciphers;
7299 const char *shared;
7300 const char *fipsshared;
7301} shared_ciphers_data[] = {
7302/*
7303 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
7304 * TLSv1.3 is enabled but TLSv1.2 is disabled.
7305 */
7306#if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
7307 {
7308 TLS1_2_VERSION,
7309 "AES128-SHA:AES256-SHA",
7310 NULL,
7311 "AES256-SHA:DHE-RSA-AES128-SHA",
7312 NULL,
7313 "AES256-SHA",
7314 "AES256-SHA"
7315 },
7316# if !defined(OPENSSL_NO_CHACHA) \
7317 && !defined(OPENSSL_NO_POLY1305) \
7318 && !defined(OPENSSL_NO_EC)
7319 {
7320 TLS1_2_VERSION,
7321 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7322 NULL,
7323 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7324 NULL,
7325 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7326 "AES128-SHA"
7327 },
7328# endif
7329 {
7330 TLS1_2_VERSION,
7331 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
7332 NULL,
7333 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
7334 NULL,
7335 "AES128-SHA:AES256-SHA",
7336 "AES128-SHA:AES256-SHA"
7337 },
7338 {
7339 TLS1_2_VERSION,
7340 "AES128-SHA:AES256-SHA",
7341 NULL,
7342 "AES128-SHA:DHE-RSA-AES128-SHA",
7343 NULL,
7344 "AES128-SHA",
7345 "AES128-SHA"
7346 },
7347#endif
7348/*
7349 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7350 * enabled.
7351 */
7352#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
7353 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
7354 {
7355 TLS1_3_VERSION,
7356 "AES128-SHA:AES256-SHA",
7357 NULL,
7358 "AES256-SHA:AES128-SHA256",
7359 NULL,
7360 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
7361 "TLS_AES_128_GCM_SHA256:AES256-SHA",
7362 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
7363 },
7364#endif
7365#ifndef OSSL_NO_USABLE_TLS1_3
7366 {
7367 TLS1_3_VERSION,
7368 "AES128-SHA",
7369 "TLS_AES_256_GCM_SHA384",
7370 "AES256-SHA",
7371 "TLS_AES_256_GCM_SHA384",
7372 "TLS_AES_256_GCM_SHA384",
7373 "TLS_AES_256_GCM_SHA384"
7374 },
7375#endif
7376};
7377
7378static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
7379{
7380 SSL_CTX *cctx = NULL, *sctx = NULL;
7381 SSL *clientssl = NULL, *serverssl = NULL;
7382 int testresult = 0;
7383 char buf[1024];
7384 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
7385
7386 if (!TEST_ptr(tmplibctx))
7387 goto end;
7388
7389 /*
7390 * Regardless of whether we're testing with the FIPS provider loaded into
7391 * libctx, we want one peer to always use the full set of ciphersuites
7392 * available. Therefore we use a separate libctx with the default provider
7393 * loaded into it. We run the same tests twice - once with the client side
7394 * having the full set of ciphersuites and once with the server side.
7395 */
7396 if (clnt) {
7397 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
7398 if (!TEST_ptr(cctx))
7399 goto end;
7400 } else {
7401 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
7402 if (!TEST_ptr(sctx))
7403 goto end;
7404 }
7405
7406 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7407 TLS_client_method(),
7408 TLS1_VERSION,
7409 shared_ciphers_data[tst].maxprot,
7410 &sctx, &cctx, cert, privkey)))
7411 goto end;
7412
7413 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
7414 shared_ciphers_data[tst].clntciphers))
7415 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
7416 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
7417 shared_ciphers_data[tst].clnttls13ciphers)))
7418 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
7419 shared_ciphers_data[tst].srvrciphers))
7420 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
7421 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
7422 shared_ciphers_data[tst].srvrtls13ciphers))))
7423 goto end;
7424
7425
7426 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7427 NULL, NULL))
7428 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7429 SSL_ERROR_NONE)))
7430 goto end;
7431
7432 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
7433 || !TEST_int_eq(strcmp(buf,
7434 is_fips
7435 ? shared_ciphers_data[tst].fipsshared
7436 : shared_ciphers_data[tst].shared),
7437 0)) {
7438 TEST_info("Shared ciphers are: %s\n", buf);
7439 goto end;
7440 }
7441
7442 testresult = 1;
7443
7444 end:
7445 SSL_free(serverssl);
7446 SSL_free(clientssl);
7447 SSL_CTX_free(sctx);
7448 SSL_CTX_free(cctx);
7449 OSSL_LIB_CTX_free(tmplibctx);
7450
7451 return testresult;
7452}
7453
7454static int test_ssl_get_shared_ciphers(int tst)
7455{
7456 return int_test_ssl_get_shared_ciphers(tst, 0)
7457 && int_test_ssl_get_shared_ciphers(tst, 1);
7458}
7459
7460
7461static const char *appdata = "Hello World";
7462static int gen_tick_called, dec_tick_called, tick_key_cb_called;
7463static int tick_key_renew = 0;
7464static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7465
7466static int gen_tick_cb(SSL *s, void *arg)
7467{
7468 gen_tick_called = 1;
7469
7470 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
7471 strlen(appdata));
7472}
7473
7474static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
7475 const unsigned char *keyname,
7476 size_t keyname_length,
7477 SSL_TICKET_STATUS status,
7478 void *arg)
7479{
7480 void *tickdata;
7481 size_t tickdlen;
7482
7483 dec_tick_called = 1;
7484
7485 if (status == SSL_TICKET_EMPTY)
7486 return SSL_TICKET_RETURN_IGNORE_RENEW;
7487
7488 if (!TEST_true(status == SSL_TICKET_SUCCESS
7489 || status == SSL_TICKET_SUCCESS_RENEW))
7490 return SSL_TICKET_RETURN_ABORT;
7491
7492 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
7493 &tickdlen))
7494 || !TEST_size_t_eq(tickdlen, strlen(appdata))
7495 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
7496 return SSL_TICKET_RETURN_ABORT;
7497
7498 if (tick_key_cb_called) {
7499 /* Don't change what the ticket key callback wanted to do */
7500 switch (status) {
7501 case SSL_TICKET_NO_DECRYPT:
7502 return SSL_TICKET_RETURN_IGNORE_RENEW;
7503
7504 case SSL_TICKET_SUCCESS:
7505 return SSL_TICKET_RETURN_USE;
7506
7507 case SSL_TICKET_SUCCESS_RENEW:
7508 return SSL_TICKET_RETURN_USE_RENEW;
7509
7510 default:
7511 return SSL_TICKET_RETURN_ABORT;
7512 }
7513 }
7514 return tick_dec_ret;
7515
7516}
7517
7518#ifndef OPENSSL_NO_DEPRECATED_3_0
7519static int tick_key_cb(SSL *s, unsigned char key_name[16],
7520 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
7521 HMAC_CTX *hctx, int enc)
7522{
7523 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7524 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
7525 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7526 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
7527 int ret;
7528
7529 tick_key_cb_called = 1;
7530 memset(iv, 0, AES_BLOCK_SIZE);
7531 memset(key_name, 0, 16);
7532 if (aes128cbc == NULL
7533 || sha256 == NULL
7534 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7535 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
7536 NULL))
7537 ret = -1;
7538 else
7539 ret = tick_key_renew ? 2 : 1;
7540
7541 EVP_CIPHER_free(aes128cbc);
7542 EVP_MD_free(sha256);
7543
7544 return ret;
7545}
7546#endif
7547
7548static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
7549 unsigned char iv[EVP_MAX_IV_LENGTH],
7550 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
7551{
7552 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7553 unsigned char tick_hmac_key[16] = "0123456789abcdef";
7554 OSSL_PARAM params[2];
7555 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7556 int ret;
7557
7558 tick_key_cb_called = 1;
7559 memset(iv, 0, AES_BLOCK_SIZE);
7560 memset(key_name, 0, 16);
7561 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
7562 "SHA256", 0);
7563 params[1] = OSSL_PARAM_construct_end();
7564 if (aes128cbc == NULL
7565 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7566 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
7567 params))
7568 ret = -1;
7569 else
7570 ret = tick_key_renew ? 2 : 1;
7571
7572 EVP_CIPHER_free(aes128cbc);
7573
7574 return ret;
7575}
7576
7577/*
7578 * Test the various ticket callbacks
7579 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
7580 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
7581 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
7582 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
7583 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
7584 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
7585 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
7586 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
7587 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
7588 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
7589 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
7590 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
7591 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
7592 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
7593 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
7594 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
7595 */
7596static int test_ticket_callbacks(int tst)
7597{
7598 SSL_CTX *cctx = NULL, *sctx = NULL;
7599 SSL *clientssl = NULL, *serverssl = NULL;
7600 SSL_SESSION *clntsess = NULL;
7601 int testresult = 0;
7602
7603#ifdef OPENSSL_NO_TLS1_2
7604 if (tst % 2 == 0)
7605 return 1;
7606#endif
7607#ifdef OSSL_NO_USABLE_TLS1_3
7608 if (tst % 2 == 1)
7609 return 1;
7610#endif
7611#ifdef OPENSSL_NO_DEPRECATED_3_0
7612 if (tst >= 8 && tst <= 11)
7613 return 1;
7614#endif
7615
7616 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
7617
7618 /* Which tests the ticket key callback should request renewal for */
7619 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
7620 tick_key_renew = 1;
7621 else
7622 tick_key_renew = 0;
7623
7624 /* Which tests the decrypt ticket callback should request renewal for */
7625 switch (tst) {
7626 case 0:
7627 case 1:
7628 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
7629 break;
7630
7631 case 2:
7632 case 3:
7633 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
7634 break;
7635
7636 case 4:
7637 case 5:
7638 tick_dec_ret = SSL_TICKET_RETURN_USE;
7639 break;
7640
7641 case 6:
7642 case 7:
7643 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
7644 break;
7645
7646 default:
7647 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7648 }
7649
7650 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7651 TLS_client_method(),
7652 TLS1_VERSION,
7653 ((tst % 2) == 0) ? TLS1_2_VERSION
7654 : TLS1_3_VERSION,
7655 &sctx, &cctx, cert, privkey)))
7656 goto end;
7657
7658 /*
7659 * We only want sessions to resume from tickets - not the session cache. So
7660 * switch the cache off.
7661 */
7662 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
7663 goto end;
7664
7665 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
7666 NULL)))
7667 goto end;
7668
7669 if (tst >= 12) {
7670 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
7671 goto end;
7672#ifndef OPENSSL_NO_DEPRECATED_3_0
7673 } else if (tst >= 8) {
7674 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
7675 goto end;
7676#endif
7677 }
7678
7679 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7680 NULL, NULL))
7681 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7682 SSL_ERROR_NONE)))
7683 goto end;
7684
7685 /*
7686 * The decrypt ticket key callback in TLSv1.2 should be called even though
7687 * we have no ticket yet, because it gets called with a status of
7688 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
7689 * actually send any ticket data). This does not happen in TLSv1.3 because
7690 * it is not valid to send empty ticket data in TLSv1.3.
7691 */
7692 if (!TEST_int_eq(gen_tick_called, 1)
7693 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
7694 goto end;
7695
7696 gen_tick_called = dec_tick_called = 0;
7697
7698 clntsess = SSL_get1_session(clientssl);
7699 SSL_shutdown(clientssl);
7700 SSL_shutdown(serverssl);
7701 SSL_free(serverssl);
7702 SSL_free(clientssl);
7703 serverssl = clientssl = NULL;
7704
7705 /* Now do a resumption */
7706 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7707 NULL))
7708 || !TEST_true(SSL_set_session(clientssl, clntsess))
7709 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7710 SSL_ERROR_NONE)))
7711 goto end;
7712
7713 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
7714 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
7715 if (!TEST_false(SSL_session_reused(clientssl)))
7716 goto end;
7717 } else {
7718 if (!TEST_true(SSL_session_reused(clientssl)))
7719 goto end;
7720 }
7721
7722 if (!TEST_int_eq(gen_tick_called,
7723 (tick_key_renew
7724 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
7725 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
7726 ? 1 : 0)
7727 || !TEST_int_eq(dec_tick_called, 1))
7728 goto end;
7729
7730 testresult = 1;
7731
7732 end:
7733 SSL_SESSION_free(clntsess);
7734 SSL_free(serverssl);
7735 SSL_free(clientssl);
7736 SSL_CTX_free(sctx);
7737 SSL_CTX_free(cctx);
7738
7739 return testresult;
7740}
7741
7742/*
7743 * Test incorrect shutdown.
7744 * Test 0: client does not shutdown properly,
7745 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
7746 * server should get SSL_ERROR_SSL
7747 * Test 1: client does not shutdown properly,
7748 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
7749 * server should get SSL_ERROR_ZERO_RETURN
7750 */
7751static int test_incorrect_shutdown(int tst)
7752{
7753 SSL_CTX *cctx = NULL, *sctx = NULL;
7754 SSL *clientssl = NULL, *serverssl = NULL;
7755 int testresult = 0;
7756 char buf[80];
7757 BIO *c2s;
7758
7759 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7760 TLS_client_method(), 0, 0,
7761 &sctx, &cctx, cert, privkey)))
7762 goto end;
7763
7764 if (tst == 1)
7765 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
7766
7767 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7768 NULL, NULL)))
7769 goto end;
7770
7771 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7772 SSL_ERROR_NONE)))
7773 goto end;
7774
7775 c2s = SSL_get_rbio(serverssl);
7776 BIO_set_mem_eof_return(c2s, 0);
7777
7778 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
7779 goto end;
7780
7781 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
7782 goto end;
7783 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
7784 goto end;
7785
7786 testresult = 1;
7787
7788 end:
7789 SSL_free(serverssl);
7790 SSL_free(clientssl);
7791 SSL_CTX_free(sctx);
7792 SSL_CTX_free(cctx);
7793
7794 return testresult;
7795}
7796
7797/*
7798 * Test bi-directional shutdown.
7799 * Test 0: TLSv1.2
7800 * Test 1: TLSv1.2, server continues to read/write after client shutdown
7801 * Test 2: TLSv1.3, no pending NewSessionTicket messages
7802 * Test 3: TLSv1.3, pending NewSessionTicket messages
7803 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
7804 * sends key update, client reads it
7805 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
7806 * sends CertificateRequest, client reads and ignores it
7807 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
7808 * doesn't read it
7809 */
7810static int test_shutdown(int tst)
7811{
7812 SSL_CTX *cctx = NULL, *sctx = NULL;
7813 SSL *clientssl = NULL, *serverssl = NULL;
7814 int testresult = 0;
7815 char msg[] = "A test message";
7816 char buf[80];
7817 size_t written, readbytes;
7818 SSL_SESSION *sess;
7819
7820#ifdef OPENSSL_NO_TLS1_2
7821 if (tst <= 1)
7822 return 1;
7823#endif
7824#ifdef OSSL_NO_USABLE_TLS1_3
7825 if (tst >= 2)
7826 return 1;
7827#endif
7828
7829 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7830 TLS_client_method(),
7831 TLS1_VERSION,
7832 (tst <= 1) ? TLS1_2_VERSION
7833 : TLS1_3_VERSION,
7834 &sctx, &cctx, cert, privkey)))
7835 goto end;
7836
7837 if (tst == 5)
7838 SSL_CTX_set_post_handshake_auth(cctx, 1);
7839
7840 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7841 NULL, NULL)))
7842 goto end;
7843
7844 if (tst == 3) {
7845 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
7846 SSL_ERROR_NONE, 1))
7847 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7848 || !TEST_false(SSL_SESSION_is_resumable(sess)))
7849 goto end;
7850 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7851 SSL_ERROR_NONE))
7852 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7853 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
7854 goto end;
7855 }
7856
7857 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
7858 goto end;
7859
7860 if (tst >= 4) {
7861 /*
7862 * Reading on the server after the client has sent close_notify should
7863 * fail and provide SSL_ERROR_ZERO_RETURN
7864 */
7865 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
7866 || !TEST_int_eq(SSL_get_error(serverssl, 0),
7867 SSL_ERROR_ZERO_RETURN)
7868 || !TEST_int_eq(SSL_get_shutdown(serverssl),
7869 SSL_RECEIVED_SHUTDOWN)
7870 /*
7871 * Even though we're shutdown on receive we should still be
7872 * able to write.
7873 */
7874 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7875 goto end;
7876 if (tst == 4
7877 && !TEST_true(SSL_key_update(serverssl,
7878 SSL_KEY_UPDATE_REQUESTED)))
7879 goto end;
7880 if (tst == 5) {
7881 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7882 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7883 goto end;
7884 }
7885 if ((tst == 4 || tst == 5)
7886 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7887 goto end;
7888 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
7889 goto end;
7890 if (tst == 4 || tst == 5) {
7891 /* Should still be able to read data from server */
7892 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7893 &readbytes))
7894 || !TEST_size_t_eq(readbytes, sizeof(msg))
7895 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
7896 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7897 &readbytes))
7898 || !TEST_size_t_eq(readbytes, sizeof(msg))
7899 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
7900 goto end;
7901 }
7902 }
7903
7904 /* Writing on the client after sending close_notify shouldn't be possible */
7905 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
7906 goto end;
7907
7908 if (tst < 4) {
7909 /*
7910 * For these tests the client has sent close_notify but it has not yet
7911 * been received by the server. The server has not sent close_notify
7912 * yet.
7913 */
7914 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
7915 /*
7916 * Writing on the server after sending close_notify shouldn't
7917 * be possible.
7918 */
7919 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7920 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
7921 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7922 || !TEST_true(SSL_SESSION_is_resumable(sess))
7923 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
7924 goto end;
7925 } else if (tst == 4 || tst == 5) {
7926 /*
7927 * In this test the client has sent close_notify and it has been
7928 * received by the server which has responded with a close_notify. The
7929 * client needs to read the close_notify sent by the server.
7930 */
7931 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
7932 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7933 || !TEST_true(SSL_SESSION_is_resumable(sess)))
7934 goto end;
7935 } else {
7936 /*
7937 * tst == 6
7938 *
7939 * The client has sent close_notify and is expecting a close_notify
7940 * back, but instead there is application data first. The shutdown
7941 * should fail with a fatal error.
7942 */
7943 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
7944 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
7945 goto end;
7946 }
7947
7948 testresult = 1;
7949
7950 end:
7951 SSL_free(serverssl);
7952 SSL_free(clientssl);
7953 SSL_CTX_free(sctx);
7954 SSL_CTX_free(cctx);
7955
7956 return testresult;
7957}
7958
7959#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
7960static int cert_cb_cnt;
7961
7962static int cert_cb(SSL *s, void *arg)
7963{
7964 SSL_CTX *ctx = (SSL_CTX *)arg;
7965 BIO *in = NULL;
7966 EVP_PKEY *pkey = NULL;
7967 X509 *x509 = NULL, *rootx = NULL;
7968 STACK_OF(X509) *chain = NULL;
7969 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
7970 int ret = 0;
7971
7972 if (cert_cb_cnt == 0) {
7973 /* Suspend the handshake */
7974 cert_cb_cnt++;
7975 return -1;
7976 } else if (cert_cb_cnt == 1) {
7977 /*
7978 * Update the SSL_CTX, set the certificate and private key and then
7979 * continue the handshake normally.
7980 */
7981 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
7982 return 0;
7983
7984 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
7985 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
7986 SSL_FILETYPE_PEM))
7987 || !TEST_true(SSL_check_private_key(s)))
7988 return 0;
7989 cert_cb_cnt++;
7990 return 1;
7991 } else if (cert_cb_cnt == 3) {
7992 int rv;
7993
7994 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
7995 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
7996 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
7997 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
7998 goto out;
7999 chain = sk_X509_new_null();
8000 if (!TEST_ptr(chain))
8001 goto out;
8002 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8003 || !TEST_int_gt(BIO_read_filename(in, rootfile), 0)
8004 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
8005 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
8006 || !TEST_true(sk_X509_push(chain, rootx)))
8007 goto out;
8008 rootx = NULL;
8009 BIO_free(in);
8010 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8011 || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0)
8012 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
8013 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
8014 goto out;
8015 BIO_free(in);
8016 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8017 || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0)
8018 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
8019 NULL, NULL,
8020 libctx, NULL)))
8021 goto out;
8022 rv = SSL_check_chain(s, x509, pkey, chain);
8023 /*
8024 * If the cert doesn't show as valid here (e.g., because we don't
8025 * have any shared sigalgs), then we will not set it, and there will
8026 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8027 * will cause tls_choose_sigalgs() to fail the connection.
8028 */
8029 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
8030 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
8031 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
8032 goto out;
8033 }
8034
8035 ret = 1;
8036 }
8037
8038 /* Abort the handshake */
8039 out:
8040 OPENSSL_free(ecdsacert);
8041 OPENSSL_free(ecdsakey);
8042 OPENSSL_free(rootfile);
8043 BIO_free(in);
8044 EVP_PKEY_free(pkey);
8045 X509_free(x509);
8046 X509_free(rootx);
8047 sk_X509_pop_free(chain, X509_free);
8048 return ret;
8049}
8050
8051/*
8052 * Test the certificate callback.
8053 * Test 0: Callback fails
8054 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8055 * Test 2: Success - SSL_set_SSL_CTX() in the callback
8056 * Test 3: Success - Call SSL_check_chain from the callback
8057 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8058 * chain
8059 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
8060 */
8061static int test_cert_cb_int(int prot, int tst)
8062{
8063 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
8064 SSL *clientssl = NULL, *serverssl = NULL;
8065 int testresult = 0, ret;
8066
8067#ifdef OPENSSL_NO_EC
8068 /* We use an EC cert in these tests, so we skip in a no-ec build */
8069 if (tst >= 3)
8070 return 1;
8071#endif
8072
8073 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8074 TLS_client_method(),
8075 TLS1_VERSION,
8076 prot,
8077 &sctx, &cctx, NULL, NULL)))
8078 goto end;
8079
8080 if (tst == 0)
8081 cert_cb_cnt = -1;
8082 else if (tst >= 3)
8083 cert_cb_cnt = 3;
8084 else
8085 cert_cb_cnt = 0;
8086
8087 if (tst == 2) {
8088 snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
8089 if (!TEST_ptr(snictx))
8090 goto end;
8091 }
8092
8093 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
8094
8095 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8096 NULL, NULL)))
8097 goto end;
8098
8099 if (tst == 4) {
8100 /*
8101 * We cause SSL_check_chain() to fail by specifying sig_algs that
8102 * the chain doesn't meet (the root uses an RSA cert)
8103 */
8104 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8105 "ecdsa_secp256r1_sha256")))
8106 goto end;
8107 } else if (tst == 5) {
8108 /*
8109 * We cause SSL_check_chain() to fail by specifying sig_algs that
8110 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8111 */
8112 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8113 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8114 goto end;
8115 }
8116
8117 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
8118 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
8119 || (tst > 0
8120 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
8121 goto end;
8122 }
8123
8124 testresult = 1;
8125
8126 end:
8127 SSL_free(serverssl);
8128 SSL_free(clientssl);
8129 SSL_CTX_free(sctx);
8130 SSL_CTX_free(cctx);
8131 SSL_CTX_free(snictx);
8132
8133 return testresult;
8134}
8135#endif
8136
8137static int test_cert_cb(int tst)
8138{
8139 int testresult = 1;
8140
8141#ifndef OPENSSL_NO_TLS1_2
8142 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
8143#endif
8144#ifndef OSSL_NO_USABLE_TLS1_3
8145 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
8146#endif
8147
8148 return testresult;
8149}
8150
8151static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
8152{
8153 X509 *xcert;
8154 EVP_PKEY *privpkey;
8155 BIO *in = NULL;
8156 BIO *priv_in = NULL;
8157
8158 /* Check that SSL_get0_peer_certificate() returns something sensible */
8159 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
8160 return 0;
8161
8162 in = BIO_new_file(cert, "r");
8163 if (!TEST_ptr(in))
8164 return 0;
8165
8166 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
8167 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
8168 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
8169 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
8170 NULL, NULL,
8171 libctx, NULL)))
8172 goto err;
8173
8174 *x509 = xcert;
8175 *pkey = privpkey;
8176
8177 BIO_free(in);
8178 BIO_free(priv_in);
8179 return 1;
8180err:
8181 X509_free(xcert);
8182 BIO_free(in);
8183 BIO_free(priv_in);
8184 return 0;
8185}
8186
8187static int test_client_cert_cb(int tst)
8188{
8189 SSL_CTX *cctx = NULL, *sctx = NULL;
8190 SSL *clientssl = NULL, *serverssl = NULL;
8191 int testresult = 0;
8192
8193#ifdef OPENSSL_NO_TLS1_2
8194 if (tst == 0)
8195 return 1;
8196#endif
8197#ifdef OSSL_NO_USABLE_TLS1_3
8198 if (tst == 1)
8199 return 1;
8200#endif
8201
8202 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8203 TLS_client_method(),
8204 TLS1_VERSION,
8205 tst == 0 ? TLS1_2_VERSION
8206 : TLS1_3_VERSION,
8207 &sctx, &cctx, cert, privkey)))
8208 goto end;
8209
8210 /*
8211 * Test that setting a client_cert_cb results in a client certificate being
8212 * sent.
8213 */
8214 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
8215 SSL_CTX_set_verify(sctx,
8216 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
8217 verify_cb);
8218
8219 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8220 NULL, NULL))
8221 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8222 SSL_ERROR_NONE)))
8223 goto end;
8224
8225 testresult = 1;
8226
8227 end:
8228 SSL_free(serverssl);
8229 SSL_free(clientssl);
8230 SSL_CTX_free(sctx);
8231 SSL_CTX_free(cctx);
8232
8233 return testresult;
8234}
8235
8236#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8237/*
8238 * Test setting certificate authorities on both client and server.
8239 *
8240 * Test 0: SSL_CTX_set0_CA_list() only
8241 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
8242 * Test 2: Only SSL_CTX_set_client_CA_list()
8243 */
8244static int test_ca_names_int(int prot, int tst)
8245{
8246 SSL_CTX *cctx = NULL, *sctx = NULL;
8247 SSL *clientssl = NULL, *serverssl = NULL;
8248 int testresult = 0;
8249 size_t i;
8250 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
8251 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
8252 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
8253 const STACK_OF(X509_NAME) *sktmp = NULL;
8254
8255 for (i = 0; i < OSSL_NELEM(name); i++) {
8256 name[i] = X509_NAME_new();
8257 if (!TEST_ptr(name[i])
8258 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
8259 MBSTRING_ASC,
8260 (unsigned char *)
8261 strnames[i],
8262 -1, -1, 0)))
8263 goto end;
8264 }
8265
8266 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8267 TLS_client_method(),
8268 TLS1_VERSION,
8269 prot,
8270 &sctx, &cctx, cert, privkey)))
8271 goto end;
8272
8273 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
8274
8275 if (tst == 0 || tst == 1) {
8276 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8277 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
8278 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
8279 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8280 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
8281 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
8282 goto end;
8283
8284 SSL_CTX_set0_CA_list(sctx, sk1);
8285 SSL_CTX_set0_CA_list(cctx, sk2);
8286 sk1 = sk2 = NULL;
8287 }
8288 if (tst == 1 || tst == 2) {
8289 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8290 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
8291 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
8292 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8293 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
8294 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
8295 goto end;
8296
8297 SSL_CTX_set_client_CA_list(sctx, sk1);
8298 SSL_CTX_set_client_CA_list(cctx, sk2);
8299 sk1 = sk2 = NULL;
8300 }
8301
8302 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8303 NULL, NULL))
8304 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8305 SSL_ERROR_NONE)))
8306 goto end;
8307
8308 /*
8309 * We only expect certificate authorities to have been sent to the server
8310 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
8311 */
8312 sktmp = SSL_get0_peer_CA_list(serverssl);
8313 if (prot == TLS1_3_VERSION
8314 && (tst == 0 || tst == 1)) {
8315 if (!TEST_ptr(sktmp)
8316 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8317 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8318 name[0]), 0)
8319 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8320 name[1]), 0))
8321 goto end;
8322 } else if (!TEST_ptr_null(sktmp)) {
8323 goto end;
8324 }
8325
8326 /*
8327 * In all tests we expect certificate authorities to have been sent to the
8328 * client. However, SSL_set_client_CA_list() should override
8329 * SSL_set0_CA_list()
8330 */
8331 sktmp = SSL_get0_peer_CA_list(clientssl);
8332 if (!TEST_ptr(sktmp)
8333 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8334 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8335 name[tst == 0 ? 0 : 2]), 0)
8336 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8337 name[tst == 0 ? 1 : 3]), 0))
8338 goto end;
8339
8340 testresult = 1;
8341
8342 end:
8343 SSL_free(serverssl);
8344 SSL_free(clientssl);
8345 SSL_CTX_free(sctx);
8346 SSL_CTX_free(cctx);
8347 for (i = 0; i < OSSL_NELEM(name); i++)
8348 X509_NAME_free(name[i]);
8349 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
8350 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
8351
8352 return testresult;
8353}
8354#endif
8355
8356static int test_ca_names(int tst)
8357{
8358 int testresult = 1;
8359
8360#ifndef OPENSSL_NO_TLS1_2
8361 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
8362#endif
8363#ifndef OSSL_NO_USABLE_TLS1_3
8364 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
8365#endif
8366
8367 return testresult;
8368}
8369
8370#ifndef OPENSSL_NO_TLS1_2
8371static const char *multiblock_cipherlist_data[]=
8372{
8373 "AES128-SHA",
8374 "AES128-SHA256",
8375 "AES256-SHA",
8376 "AES256-SHA256",
8377};
8378
8379/* Reduce the fragment size - so the multiblock test buffer can be small */
8380# define MULTIBLOCK_FRAGSIZE 512
8381
8382static int test_multiblock_write(int test_index)
8383{
8384 static const char *fetchable_ciphers[]=
8385 {
8386 "AES-128-CBC-HMAC-SHA1",
8387 "AES-128-CBC-HMAC-SHA256",
8388 "AES-256-CBC-HMAC-SHA1",
8389 "AES-256-CBC-HMAC-SHA256"
8390 };
8391 const char *cipherlist = multiblock_cipherlist_data[test_index];
8392 const SSL_METHOD *smeth = TLS_server_method();
8393 const SSL_METHOD *cmeth = TLS_client_method();
8394 int min_version = TLS1_VERSION;
8395 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
8396 SSL_CTX *cctx = NULL, *sctx = NULL;
8397 SSL *clientssl = NULL, *serverssl = NULL;
8398 int testresult = 0;
8399
8400 /*
8401 * Choose a buffer large enough to perform a multi-block operation
8402 * i.e: write_len >= 4 * frag_size
8403 * 9 * is chosen so that multiple multiblocks are used + some leftover.
8404 */
8405 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
8406 unsigned char buf[sizeof(msg)], *p = buf;
8407 size_t readbytes, written, len;
8408 EVP_CIPHER *ciph = NULL;
8409
8410 /*
8411 * Check if the cipher exists before attempting to use it since it only has
8412 * a hardware specific implementation.
8413 */
8414 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
8415 if (ciph == NULL) {
8416 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
8417 return 1;
8418 }
8419 EVP_CIPHER_free(ciph);
8420
8421 /* Set up a buffer with some data that will be sent to the client */
8422 RAND_bytes(msg, sizeof(msg));
8423
8424 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
8425 max_version, &sctx, &cctx, cert,
8426 privkey)))
8427 goto end;
8428
8429 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
8430 goto end;
8431
8432 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8433 NULL, NULL)))
8434 goto end;
8435
8436 /* settings to force it to use AES-CBC-HMAC_SHA */
8437 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
8438 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
8439 goto end;
8440
8441 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8442 goto end;
8443
8444 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8445 || !TEST_size_t_eq(written, sizeof(msg)))
8446 goto end;
8447
8448 len = written;
8449 while (len > 0) {
8450 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
8451 goto end;
8452 p += readbytes;
8453 len -= readbytes;
8454 }
8455 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
8456 goto end;
8457
8458 testresult = 1;
8459end:
8460 SSL_free(serverssl);
8461 SSL_free(clientssl);
8462 SSL_CTX_free(sctx);
8463 SSL_CTX_free(cctx);
8464
8465 return testresult;
8466}
8467#endif /* OPENSSL_NO_TLS1_2 */
8468
8469static int test_session_timeout(int test)
8470{
8471 /*
8472 * Test session ordering and timeout
8473 * Can't explicitly test performance of the new code,
8474 * but can test to see if the ordering of the sessions
8475 * are correct, and they they are removed as expected
8476 */
8477 SSL_SESSION *early = NULL;
8478 SSL_SESSION *middle = NULL;
8479 SSL_SESSION *late = NULL;
8480 SSL_CTX *ctx;
8481 int testresult = 0;
8482 long now = (long)time(NULL);
8483#define TIMEOUT 10
8484
8485 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
8486 || !TEST_ptr(early = SSL_SESSION_new())
8487 || !TEST_ptr(middle = SSL_SESSION_new())
8488 || !TEST_ptr(late = SSL_SESSION_new()))
8489 goto end;
8490
8491 /* assign unique session ids */
8492 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8493 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
8494 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8495 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
8496 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8497 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
8498
8499 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8500 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8501 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8502 goto end;
8503
8504 /* Make sure they are all added */
8505 if (!TEST_ptr(early->prev)
8506 || !TEST_ptr(middle->prev)
8507 || !TEST_ptr(late->prev))
8508 goto end;
8509
8510 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
8511 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
8512 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
8513 goto end;
8514
8515 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
8516 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
8517 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
8518 goto end;
8519
8520 /* Make sure they are all still there */
8521 if (!TEST_ptr(early->prev)
8522 || !TEST_ptr(middle->prev)
8523 || !TEST_ptr(late->prev))
8524 goto end;
8525
8526 /* Make sure they are in the expected order */
8527 if (!TEST_ptr_eq(late->next, middle)
8528 || !TEST_ptr_eq(middle->next, early)
8529 || !TEST_ptr_eq(early->prev, middle)
8530 || !TEST_ptr_eq(middle->prev, late))
8531 goto end;
8532
8533 /* This should remove "early" */
8534 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1);
8535 if (!TEST_ptr_null(early->prev)
8536 || !TEST_ptr(middle->prev)
8537 || !TEST_ptr(late->prev))
8538 goto end;
8539
8540 /* This should remove "middle" */
8541 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1);
8542 if (!TEST_ptr_null(early->prev)
8543 || !TEST_ptr_null(middle->prev)
8544 || !TEST_ptr(late->prev))
8545 goto end;
8546
8547 /* This should remove "late" */
8548 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11);
8549 if (!TEST_ptr_null(early->prev)
8550 || !TEST_ptr_null(middle->prev)
8551 || !TEST_ptr_null(late->prev))
8552 goto end;
8553
8554 /* Add them back in again */
8555 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8556 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8557 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8558 goto end;
8559
8560 /* Make sure they are all added */
8561 if (!TEST_ptr(early->prev)
8562 || !TEST_ptr(middle->prev)
8563 || !TEST_ptr(late->prev))
8564 goto end;
8565
8566 /* This should remove all of them */
8567 SSL_CTX_flush_sessions(ctx, 0);
8568 if (!TEST_ptr_null(early->prev)
8569 || !TEST_ptr_null(middle->prev)
8570 || !TEST_ptr_null(late->prev))
8571 goto end;
8572
8573 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
8574 | SSL_CTX_get_session_cache_mode(ctx));
8575
8576 /* make sure |now| is NOT equal to the current time */
8577 now -= 10;
8578 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
8579 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8580 || !TEST_long_ne(SSL_SESSION_get_time(early), now))
8581 goto end;
8582
8583 testresult = 1;
8584 end:
8585 SSL_CTX_free(ctx);
8586 SSL_SESSION_free(early);
8587 SSL_SESSION_free(middle);
8588 SSL_SESSION_free(late);
8589 return testresult;
8590}
8591
8592/*
8593 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
8594 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
8595 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
8596 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
8597 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
8598 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
8599 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
8600 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
8601 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
8602 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
8603 */
8604static int test_servername(int tst)
8605{
8606 SSL_CTX *cctx = NULL, *sctx = NULL;
8607 SSL *clientssl = NULL, *serverssl = NULL;
8608 int testresult = 0;
8609 SSL_SESSION *sess = NULL;
8610 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
8611
8612#ifdef OPENSSL_NO_TLS1_2
8613 if (tst <= 4)
8614 return 1;
8615#endif
8616#ifdef OSSL_NO_USABLE_TLS1_3
8617 if (tst >= 5)
8618 return 1;
8619#endif
8620
8621 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8622 TLS_client_method(),
8623 TLS1_VERSION,
8624 (tst <= 4) ? TLS1_2_VERSION
8625 : TLS1_3_VERSION,
8626 &sctx, &cctx, cert, privkey))
8627 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8628 NULL, NULL)))
8629 goto end;
8630
8631 if (tst != 1 && tst != 6) {
8632 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
8633 hostname_cb)))
8634 goto end;
8635 }
8636
8637 if (tst != 3 && tst != 8) {
8638 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
8639 goto end;
8640 sexpectedhost = cexpectedhost = "goodhost";
8641 }
8642
8643 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8644 goto end;
8645
8646 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
8647 cexpectedhost)
8648 || !TEST_str_eq(SSL_get_servername(serverssl,
8649 TLSEXT_NAMETYPE_host_name),
8650 sexpectedhost))
8651 goto end;
8652
8653 /* Now repeat with a resumption handshake */
8654
8655 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
8656 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
8657 || !TEST_true(SSL_SESSION_is_resumable(sess))
8658 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
8659 goto end;
8660
8661 SSL_free(clientssl);
8662 SSL_free(serverssl);
8663 clientssl = serverssl = NULL;
8664
8665 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8666 NULL)))
8667 goto end;
8668
8669 if (!TEST_true(SSL_set_session(clientssl, sess)))
8670 goto end;
8671
8672 sexpectedhost = cexpectedhost = "goodhost";
8673 if (tst == 2 || tst == 7) {
8674 /* Set an inconsistent hostname */
8675 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
8676 goto end;
8677 /*
8678 * In TLSv1.2 we expect the hostname from the original handshake, in
8679 * TLSv1.3 we expect the hostname from this handshake
8680 */
8681 if (tst == 7)
8682 sexpectedhost = cexpectedhost = "altgoodhost";
8683
8684 if (!TEST_str_eq(SSL_get_servername(clientssl,
8685 TLSEXT_NAMETYPE_host_name),
8686 "altgoodhost"))
8687 goto end;
8688 } else if (tst == 4 || tst == 9) {
8689 /*
8690 * A TLSv1.3 session does not associate a session with a servername,
8691 * but a TLSv1.2 session does.
8692 */
8693 if (tst == 9)
8694 sexpectedhost = cexpectedhost = NULL;
8695
8696 if (!TEST_str_eq(SSL_get_servername(clientssl,
8697 TLSEXT_NAMETYPE_host_name),
8698 cexpectedhost))
8699 goto end;
8700 } else {
8701 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
8702 goto end;
8703 /*
8704 * In a TLSv1.2 resumption where the hostname was not acknowledged
8705 * we expect the hostname on the server to be empty. On the client we
8706 * return what was requested in this case.
8707 *
8708 * Similarly if the client didn't set a hostname on an original TLSv1.2
8709 * session but is now, the server hostname will be empty, but the client
8710 * is as we set it.
8711 */
8712 if (tst == 1 || tst == 3)
8713 sexpectedhost = NULL;
8714
8715 if (!TEST_str_eq(SSL_get_servername(clientssl,
8716 TLSEXT_NAMETYPE_host_name),
8717 "goodhost"))
8718 goto end;
8719 }
8720
8721 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8722 goto end;
8723
8724 if (!TEST_true(SSL_session_reused(clientssl))
8725 || !TEST_true(SSL_session_reused(serverssl))
8726 || !TEST_str_eq(SSL_get_servername(clientssl,
8727 TLSEXT_NAMETYPE_host_name),
8728 cexpectedhost)
8729 || !TEST_str_eq(SSL_get_servername(serverssl,
8730 TLSEXT_NAMETYPE_host_name),
8731 sexpectedhost))
8732 goto end;
8733
8734 testresult = 1;
8735
8736 end:
8737 SSL_SESSION_free(sess);
8738 SSL_free(serverssl);
8739 SSL_free(clientssl);
8740 SSL_CTX_free(sctx);
8741 SSL_CTX_free(cctx);
8742
8743 return testresult;
8744}
8745
8746#if !defined(OPENSSL_NO_EC) \
8747 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
8748/*
8749 * Test that if signature algorithms are not available, then we do not offer or
8750 * accept them.
8751 * Test 0: Two RSA sig algs available: both RSA sig algs shared
8752 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
8753 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
8754 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
8755 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
8756 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
8757 */
8758static int test_sigalgs_available(int idx)
8759{
8760 SSL_CTX *cctx = NULL, *sctx = NULL;
8761 SSL *clientssl = NULL, *serverssl = NULL;
8762 int testresult = 0;
8763 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
8764 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
8765 OSSL_PROVIDER *filterprov = NULL;
8766 int sig, hash;
8767
8768 if (!TEST_ptr(tmpctx))
8769 goto end;
8770
8771 if (idx != 0 && idx != 3) {
8772 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
8773 filter_provider_init)))
8774 goto end;
8775
8776 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
8777 if (!TEST_ptr(filterprov))
8778 goto end;
8779
8780 if (idx < 3) {
8781 /*
8782 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
8783 * or accepted for the peer that uses this libctx. Note that libssl
8784 * *requires* SHA2-256 to be available so we cannot disable that. We
8785 * also need SHA1 for our certificate.
8786 */
8787 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
8788 "SHA2-256:SHA1")))
8789 goto end;
8790 } else {
8791 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
8792 "ECDSA"))
8793 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
8794 "EC:X25519:X448")))
8795 goto end;
8796 }
8797
8798 if (idx == 1 || idx == 4)
8799 clientctx = tmpctx;
8800 else
8801 serverctx = tmpctx;
8802 }
8803
8804 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
8805 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
8806 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
8807 goto end;
8808
8809 if (idx != 5) {
8810 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8811 TLS_client_method(),
8812 TLS1_VERSION,
8813 0,
8814 &sctx, &cctx, cert, privkey)))
8815 goto end;
8816 } else {
8817 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8818 TLS_client_method(),
8819 TLS1_VERSION,
8820 0,
8821 &sctx, &cctx, cert2, privkey2)))
8822 goto end;
8823 }
8824
8825 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
8826 if (idx < 4) {
8827 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8828 "ECDHE-RSA-AES128-GCM-SHA256")))
8829 goto end;
8830 } else {
8831 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8832 "ECDHE-ECDSA-AES128-GCM-SHA256")))
8833 goto end;
8834 }
8835
8836 if (idx < 3) {
8837 if (!SSL_CTX_set1_sigalgs_list(cctx,
8838 "rsa_pss_rsae_sha384"
8839 ":rsa_pss_rsae_sha256")
8840 || !SSL_CTX_set1_sigalgs_list(sctx,
8841 "rsa_pss_rsae_sha384"
8842 ":rsa_pss_rsae_sha256"))
8843 goto end;
8844 } else {
8845 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
8846 || !SSL_CTX_set1_sigalgs_list(sctx,
8847 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
8848 goto end;
8849 }
8850
8851 if (idx != 5
8852 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
8853 SSL_FILETYPE_PEM), 1)
8854 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
8855 privkey2,
8856 SSL_FILETYPE_PEM), 1)
8857 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
8858 goto end;
8859
8860 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8861 NULL, NULL)))
8862 goto end;
8863
8864 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8865 goto end;
8866
8867 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
8868 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
8869 NULL, NULL),
8870 (idx == 0 || idx == 3) ? 2 : 1))
8871 goto end;
8872
8873 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
8874 goto end;
8875
8876 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
8877 : NID_rsassaPss))
8878 goto end;
8879
8880 testresult = filter_provider_check_clean_finish();
8881
8882 end:
8883 SSL_free(serverssl);
8884 SSL_free(clientssl);
8885 SSL_CTX_free(sctx);
8886 SSL_CTX_free(cctx);
8887 OSSL_PROVIDER_unload(filterprov);
8888 OSSL_LIB_CTX_free(tmpctx);
8889
8890 return testresult;
8891}
8892#endif /*
8893 * !defined(OPENSSL_NO_EC) \
8894 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
8895 */
8896
8897#ifndef OPENSSL_NO_TLS1_3
8898/* This test can run in TLSv1.3 even if ec and dh are disabled */
8899static int test_pluggable_group(int idx)
8900{
8901 SSL_CTX *cctx = NULL, *sctx = NULL;
8902 SSL *clientssl = NULL, *serverssl = NULL;
8903 int testresult = 0;
8904 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
8905 /* Check that we are not impacted by a provider without any groups */
8906 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
8907 const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
8908
8909 if (!TEST_ptr(tlsprov))
8910 goto end;
8911
8912 if (legacyprov == NULL) {
8913 /*
8914 * In this case we assume we've been built with "no-legacy" and skip
8915 * this test (there is no OPENSSL_NO_LEGACY)
8916 */
8917 testresult = 1;
8918 goto end;
8919 }
8920
8921 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8922 TLS_client_method(),
8923 TLS1_3_VERSION,
8924 TLS1_3_VERSION,
8925 &sctx, &cctx, cert, privkey))
8926 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8927 NULL, NULL)))
8928 goto end;
8929
8930 if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
8931 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
8932 goto end;
8933
8934 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8935 goto end;
8936
8937 if (!TEST_str_eq(group_name,
8938 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
8939 goto end;
8940
8941 testresult = 1;
8942
8943 end:
8944 SSL_free(serverssl);
8945 SSL_free(clientssl);
8946 SSL_CTX_free(sctx);
8947 SSL_CTX_free(cctx);
8948 OSSL_PROVIDER_unload(tlsprov);
8949 OSSL_PROVIDER_unload(legacyprov);
8950
8951 return testresult;
8952}
8953#endif
8954
8955#ifndef OPENSSL_NO_TLS1_2
8956static int test_ssl_dup(void)
8957{
8958 SSL_CTX *cctx = NULL, *sctx = NULL;
8959 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
8960 int testresult = 0;
8961 BIO *rbio = NULL, *wbio = NULL;
8962
8963 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8964 TLS_client_method(),
8965 0,
8966 0,
8967 &sctx, &cctx, cert, privkey)))
8968 goto end;
8969
8970 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8971 NULL, NULL)))
8972 goto end;
8973
8974 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
8975 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
8976 goto end;
8977
8978 client2ssl = SSL_dup(clientssl);
8979 rbio = SSL_get_rbio(clientssl);
8980 if (!TEST_ptr(rbio)
8981 || !TEST_true(BIO_up_ref(rbio)))
8982 goto end;
8983 SSL_set0_rbio(client2ssl, rbio);
8984 rbio = NULL;
8985
8986 wbio = SSL_get_wbio(clientssl);
8987 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
8988 goto end;
8989 SSL_set0_wbio(client2ssl, wbio);
8990 rbio = NULL;
8991
8992 if (!TEST_ptr(client2ssl)
8993 /* Handshake not started so pointers should be different */
8994 || !TEST_ptr_ne(clientssl, client2ssl))
8995 goto end;
8996
8997 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
8998 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
8999 goto end;
9000
9001 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
9002 goto end;
9003
9004 SSL_free(clientssl);
9005 clientssl = SSL_dup(client2ssl);
9006 if (!TEST_ptr(clientssl)
9007 /* Handshake has finished so pointers should be the same */
9008 || !TEST_ptr_eq(clientssl, client2ssl))
9009 goto end;
9010
9011 testresult = 1;
9012
9013 end:
9014 SSL_free(serverssl);
9015 SSL_free(clientssl);
9016 SSL_free(client2ssl);
9017 SSL_CTX_free(sctx);
9018 SSL_CTX_free(cctx);
9019
9020 return testresult;
9021}
9022
9023# ifndef OPENSSL_NO_DH
9024
9025static EVP_PKEY *tmp_dh_params = NULL;
9026
9027/* Helper function for the test_set_tmp_dh() tests */
9028static EVP_PKEY *get_tmp_dh_params(void)
9029{
9030 if (tmp_dh_params == NULL) {
9031 BIGNUM *p = NULL;
9032 OSSL_PARAM_BLD *tmpl = NULL;
9033 EVP_PKEY_CTX *pctx = NULL;
9034 OSSL_PARAM *params = NULL;
9035 EVP_PKEY *dhpkey = NULL;
9036
9037 p = BN_get_rfc3526_prime_2048(NULL);
9038 if (!TEST_ptr(p))
9039 goto end;
9040
9041 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
9042 if (!TEST_ptr(pctx)
9043 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
9044 goto end;
9045
9046 tmpl = OSSL_PARAM_BLD_new();
9047 if (!TEST_ptr(tmpl)
9048 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
9049 OSSL_PKEY_PARAM_FFC_P,
9050 p))
9051 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
9052 OSSL_PKEY_PARAM_FFC_G,
9053 2)))
9054 goto end;
9055
9056 params = OSSL_PARAM_BLD_to_param(tmpl);
9057 if (!TEST_ptr(params)
9058 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
9059 EVP_PKEY_KEY_PARAMETERS,
9060 params), 1))
9061 goto end;
9062
9063 tmp_dh_params = dhpkey;
9064 end:
9065 BN_free(p);
9066 EVP_PKEY_CTX_free(pctx);
9067 OSSL_PARAM_BLD_free(tmpl);
9068 OSSL_PARAM_free(params);
9069 }
9070
9071 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
9072 return NULL;
9073
9074 return tmp_dh_params;
9075}
9076
9077# ifndef OPENSSL_NO_DEPRECATED_3_0
9078/* Callback used by test_set_tmp_dh() */
9079static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
9080{
9081 EVP_PKEY *dhpkey = get_tmp_dh_params();
9082 DH *ret = NULL;
9083
9084 if (!TEST_ptr(dhpkey))
9085 return NULL;
9086
9087 /*
9088 * libssl does not free the returned DH, so we free it now knowing that even
9089 * after we free dhpkey, there will still be a reference to the owning
9090 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
9091 * of time we need it for.
9092 */
9093 ret = EVP_PKEY_get1_DH(dhpkey);
9094 DH_free(ret);
9095
9096 EVP_PKEY_free(dhpkey);
9097
9098 return ret;
9099}
9100# endif
9101
9102/*
9103 * Test the various methods for setting temporary DH parameters
9104 *
9105 * Test 0: Default (no auto) setting
9106 * Test 1: Explicit SSL_CTX auto off
9107 * Test 2: Explicit SSL auto off
9108 * Test 3: Explicit SSL_CTX auto on
9109 * Test 4: Explicit SSL auto on
9110 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
9111 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
9112 *
9113 * The following are testing deprecated APIs, so we only run them if available
9114 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
9115 * Test 8: Explicit SSL auto off, custom DH params via DH
9116 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
9117 * Test 10: Explicit SSL auto off, custom DH params via callback
9118 */
9119static int test_set_tmp_dh(int idx)
9120{
9121 SSL_CTX *cctx = NULL, *sctx = NULL;
9122 SSL *clientssl = NULL, *serverssl = NULL;
9123 int testresult = 0;
9124 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
9125 int expected = (idx <= 2) ? 0 : 1;
9126 EVP_PKEY *dhpkey = NULL;
9127# ifndef OPENSSL_NO_DEPRECATED_3_0
9128 DH *dh = NULL;
9129# else
9130
9131 if (idx >= 7)
9132 return 1;
9133# endif
9134
9135 if (idx >= 5 && idx <= 8) {
9136 dhpkey = get_tmp_dh_params();
9137 if (!TEST_ptr(dhpkey))
9138 goto end;
9139 }
9140# ifndef OPENSSL_NO_DEPRECATED_3_0
9141 if (idx == 7 || idx == 8) {
9142 dh = EVP_PKEY_get1_DH(dhpkey);
9143 if (!TEST_ptr(dh))
9144 goto end;
9145 }
9146# endif
9147
9148 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9149 TLS_client_method(),
9150 0,
9151 0,
9152 &sctx, &cctx, cert, privkey)))
9153 goto end;
9154
9155 if ((idx & 1) == 1) {
9156 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
9157 goto end;
9158 }
9159
9160 if (idx == 5) {
9161 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
9162 goto end;
9163 dhpkey = NULL;
9164 }
9165# ifndef OPENSSL_NO_DEPRECATED_3_0
9166 else if (idx == 7) {
9167 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
9168 goto end;
9169 } else if (idx == 9) {
9170 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
9171 }
9172# endif
9173
9174 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9175 NULL, NULL)))
9176 goto end;
9177
9178 if ((idx & 1) == 0 && idx != 0) {
9179 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
9180 goto end;
9181 }
9182 if (idx == 6) {
9183 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
9184 goto end;
9185 dhpkey = NULL;
9186 }
9187# ifndef OPENSSL_NO_DEPRECATED_3_0
9188 else if (idx == 8) {
9189 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
9190 goto end;
9191 } else if (idx == 10) {
9192 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
9193 }
9194# endif
9195
9196 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9197 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9198 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
9199 goto end;
9200
9201 /*
9202 * If autoon then we should succeed. Otherwise we expect failure because
9203 * there are no parameters
9204 */
9205 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
9206 SSL_ERROR_NONE), expected))
9207 goto end;
9208
9209 testresult = 1;
9210
9211 end:
9212# ifndef OPENSSL_NO_DEPRECATED_3_0
9213 DH_free(dh);
9214# endif
9215 SSL_free(serverssl);
9216 SSL_free(clientssl);
9217 SSL_CTX_free(sctx);
9218 SSL_CTX_free(cctx);
9219 EVP_PKEY_free(dhpkey);
9220
9221 return testresult;
9222}
9223
9224/*
9225 * Test the auto DH keys are appropriately sized
9226 */
9227static int test_dh_auto(int idx)
9228{
9229 SSL_CTX *cctx = NULL, *sctx = NULL;
9230 SSL *clientssl = NULL, *serverssl = NULL;
9231 int testresult = 0;
9232 EVP_PKEY *tmpkey = NULL;
9233 char *thiscert = NULL, *thiskey = NULL;
9234 size_t expdhsize = 0;
9235 const char *ciphersuite = "DHE-RSA-AES128-SHA";
9236
9237 switch (idx) {
9238 case 0:
9239 /* The FIPS provider doesn't support this DH size - so we ignore it */
9240 if (is_fips)
9241 return 1;
9242 thiscert = cert1024;
9243 thiskey = privkey1024;
9244 expdhsize = 1024;
9245 break;
9246 case 1:
9247 /* 2048 bit prime */
9248 thiscert = cert;
9249 thiskey = privkey;
9250 expdhsize = 2048;
9251 break;
9252 case 2:
9253 thiscert = cert3072;
9254 thiskey = privkey3072;
9255 expdhsize = 3072;
9256 break;
9257 case 3:
9258 thiscert = cert4096;
9259 thiskey = privkey4096;
9260 expdhsize = 4096;
9261 break;
9262 case 4:
9263 thiscert = cert8192;
9264 thiskey = privkey8192;
9265 expdhsize = 8192;
9266 break;
9267 /* No certificate cases */
9268 case 5:
9269 /* The FIPS provider doesn't support this DH size - so we ignore it */
9270 if (is_fips)
9271 return 1;
9272 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
9273 expdhsize = 1024;
9274 break;
9275 case 6:
9276 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
9277 expdhsize = 3072;
9278 break;
9279 default:
9280 TEST_error("Invalid text index");
9281 goto end;
9282 }
9283
9284 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9285 TLS_client_method(),
9286 0,
9287 0,
9288 &sctx, &cctx, thiscert, thiskey)))
9289 goto end;
9290
9291 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9292 NULL, NULL)))
9293 goto end;
9294
9295 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
9296 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9297 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9298 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
9299 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
9300 goto end;
9301
9302 /*
9303 * Send the server's first flight. At this point the server has created the
9304 * temporary DH key but hasn't finished using it yet. Once used it is
9305 * removed, so we cannot test it.
9306 */
9307 if (!TEST_int_le(SSL_connect(clientssl), 0)
9308 || !TEST_int_le(SSL_accept(serverssl), 0))
9309 goto end;
9310
9311 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
9312 goto end;
9313 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
9314 goto end;
9315
9316 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9317 goto end;
9318
9319 testresult = 1;
9320
9321 end:
9322 SSL_free(serverssl);
9323 SSL_free(clientssl);
9324 SSL_CTX_free(sctx);
9325 SSL_CTX_free(cctx);
9326 EVP_PKEY_free(tmpkey);
9327
9328 return testresult;
9329
9330}
9331# endif /* OPENSSL_NO_DH */
9332#endif /* OPENSSL_NO_TLS1_2 */
9333
9334#ifndef OSSL_NO_USABLE_TLS1_3
9335/*
9336 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
9337 * that it works even without a certificate configured for the original
9338 * SSL_CTX
9339 */
9340static int test_sni_tls13(void)
9341{
9342 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
9343 SSL *clientssl = NULL, *serverssl = NULL;
9344 int testresult = 0;
9345
9346 /* Reset callback counter */
9347 snicb = 0;
9348
9349 /* Create an initial SSL_CTX with no certificate configured */
9350 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9351 if (!TEST_ptr(sctx))
9352 goto end;
9353 /* Require TLSv1.3 as a minimum */
9354 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9355 TLS_client_method(), TLS1_3_VERSION, 0,
9356 &sctx2, &cctx, cert, privkey)))
9357 goto end;
9358
9359 /* Set up SNI */
9360 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
9361 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
9362 goto end;
9363
9364 /*
9365 * Connection should still succeed because the final SSL_CTX has the right
9366 * certificates configured.
9367 */
9368 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9369 &clientssl, NULL, NULL))
9370 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9371 SSL_ERROR_NONE)))
9372 goto end;
9373
9374 /* We should have had the SNI callback called exactly once */
9375 if (!TEST_int_eq(snicb, 1))
9376 goto end;
9377
9378 testresult = 1;
9379
9380end:
9381 SSL_free(serverssl);
9382 SSL_free(clientssl);
9383 SSL_CTX_free(sctx2);
9384 SSL_CTX_free(sctx);
9385 SSL_CTX_free(cctx);
9386 return testresult;
9387}
9388
9389/*
9390 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
9391 * 0 = TLSv1.2
9392 * 1 = TLSv1.3
9393 */
9394static int test_ticket_lifetime(int idx)
9395{
9396 SSL_CTX *cctx = NULL, *sctx = NULL;
9397 SSL *clientssl = NULL, *serverssl = NULL;
9398 int testresult = 0;
9399 int version = TLS1_3_VERSION;
9400
9401#define ONE_WEEK_SEC (7 * 24 * 60 * 60)
9402#define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
9403
9404 if (idx == 0) {
9405#ifdef OPENSSL_NO_TLS1_2
9406 return TEST_skip("TLS 1.2 is disabled.");
9407#else
9408 version = TLS1_2_VERSION;
9409#endif
9410 }
9411
9412 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9413 TLS_client_method(), version, version,
9414 &sctx, &cctx, cert, privkey)))
9415 goto end;
9416
9417 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9418 &clientssl, NULL, NULL)))
9419 goto end;
9420
9421 /*
9422 * Set the timeout to be more than 1 week
9423 * make sure the returned value is the default
9424 */
9425 if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
9426 SSL_get_default_timeout(serverssl)))
9427 goto end;
9428
9429 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9430 goto end;
9431
9432 if (idx == 0) {
9433 /* TLSv1.2 uses the set value */
9434 if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC))
9435 goto end;
9436 } else {
9437 /* TLSv1.3 uses the limited value */
9438 if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC))
9439 goto end;
9440 }
9441 testresult = 1;
9442
9443end:
9444 SSL_free(serverssl);
9445 SSL_free(clientssl);
9446 SSL_CTX_free(sctx);
9447 SSL_CTX_free(cctx);
9448 return testresult;
9449}
9450#endif
9451/*
9452 * Test that setting an ALPN does not violate RFC
9453 */
9454static int test_set_alpn(void)
9455{
9456 SSL_CTX *ctx = NULL;
9457 SSL *ssl = NULL;
9458 int testresult = 0;
9459
9460 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
9461 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
9462 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
9463 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
9464 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
9465 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
9466
9467 /* Create an initial SSL_CTX with no certificate configured */
9468 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9469 if (!TEST_ptr(ctx))
9470 goto end;
9471
9472 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
9473 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
9474 goto end;
9475 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
9476 goto end;
9477 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
9478 goto end;
9479 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
9480 goto end;
9481 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
9482 goto end;
9483 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
9484 goto end;
9485 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
9486 goto end;
9487 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
9488 goto end;
9489 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
9490 goto end;
9491
9492 ssl = SSL_new(ctx);
9493 if (!TEST_ptr(ssl))
9494 goto end;
9495
9496 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
9497 goto end;
9498 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
9499 goto end;
9500 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
9501 goto end;
9502 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
9503 goto end;
9504 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
9505 goto end;
9506 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
9507 goto end;
9508 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
9509 goto end;
9510 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
9511 goto end;
9512 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
9513 goto end;
9514
9515 testresult = 1;
9516
9517end:
9518 SSL_free(ssl);
9519 SSL_CTX_free(ctx);
9520 return testresult;
9521}
9522
9523/*
9524 * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
9525 */
9526static int test_set_verify_cert_store_ssl_ctx(void)
9527{
9528 SSL_CTX *ctx = NULL;
9529 int testresult = 0;
9530 X509_STORE *store = NULL, *new_store = NULL,
9531 *cstore = NULL, *new_cstore = NULL;
9532
9533 /* Create an initial SSL_CTX. */
9534 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9535 if (!TEST_ptr(ctx))
9536 goto end;
9537
9538 /* Retrieve verify store pointer. */
9539 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
9540 goto end;
9541
9542 /* Retrieve chain store pointer. */
9543 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
9544 goto end;
9545
9546 /* We haven't set any yet, so this should be NULL. */
9547 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9548 goto end;
9549
9550 /* Create stores. We use separate stores so pointers are different. */
9551 new_store = X509_STORE_new();
9552 if (!TEST_ptr(new_store))
9553 goto end;
9554
9555 new_cstore = X509_STORE_new();
9556 if (!TEST_ptr(new_cstore))
9557 goto end;
9558
9559 /* Set stores. */
9560 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store)))
9561 goto end;
9562
9563 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore)))
9564 goto end;
9565
9566 /* Should be able to retrieve the same pointer. */
9567 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
9568 goto end;
9569
9570 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
9571 goto end;
9572
9573 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
9574 goto end;
9575
9576 /* Should be able to unset again. */
9577 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL)))
9578 goto end;
9579
9580 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL)))
9581 goto end;
9582
9583 /* Should now be NULL. */
9584 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
9585 goto end;
9586
9587 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
9588 goto end;
9589
9590 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9591 goto end;
9592
9593 testresult = 1;
9594
9595end:
9596 X509_STORE_free(new_store);
9597 X509_STORE_free(new_cstore);
9598 SSL_CTX_free(ctx);
9599 return testresult;
9600}
9601
9602/*
9603 * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store.
9604 */
9605static int test_set_verify_cert_store_ssl(void)
9606{
9607 SSL_CTX *ctx = NULL;
9608 SSL *ssl = NULL;
9609 int testresult = 0;
9610 X509_STORE *store = NULL, *new_store = NULL,
9611 *cstore = NULL, *new_cstore = NULL;
9612
9613 /* Create an initial SSL_CTX. */
9614 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9615 if (!TEST_ptr(ctx))
9616 goto end;
9617
9618 /* Create an SSL object. */
9619 ssl = SSL_new(ctx);
9620 if (!TEST_ptr(ssl))
9621 goto end;
9622
9623 /* Retrieve verify store pointer. */
9624 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
9625 goto end;
9626
9627 /* Retrieve chain store pointer. */
9628 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
9629 goto end;
9630
9631 /* We haven't set any yet, so this should be NULL. */
9632 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9633 goto end;
9634
9635 /* Create stores. We use separate stores so pointers are different. */
9636 new_store = X509_STORE_new();
9637 if (!TEST_ptr(new_store))
9638 goto end;
9639
9640 new_cstore = X509_STORE_new();
9641 if (!TEST_ptr(new_cstore))
9642 goto end;
9643
9644 /* Set stores. */
9645 if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store)))
9646 goto end;
9647
9648 if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore)))
9649 goto end;
9650
9651 /* Should be able to retrieve the same pointer. */
9652 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
9653 goto end;
9654
9655 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
9656 goto end;
9657
9658 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
9659 goto end;
9660
9661 /* Should be able to unset again. */
9662 if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL)))
9663 goto end;
9664
9665 if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL)))
9666 goto end;
9667
9668 /* Should now be NULL. */
9669 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
9670 goto end;
9671
9672 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
9673 goto end;
9674
9675 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9676 goto end;
9677
9678 testresult = 1;
9679
9680end:
9681 X509_STORE_free(new_store);
9682 X509_STORE_free(new_cstore);
9683 SSL_free(ssl);
9684 SSL_CTX_free(ctx);
9685 return testresult;
9686}
9687
9688
9689static int test_inherit_verify_param(void)
9690{
9691 int testresult = 0;
9692
9693 SSL_CTX *ctx = NULL;
9694 X509_VERIFY_PARAM *cp = NULL;
9695 SSL *ssl = NULL;
9696 X509_VERIFY_PARAM *sp = NULL;
9697 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
9698
9699 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9700 if (!TEST_ptr(ctx))
9701 goto end;
9702
9703 cp = SSL_CTX_get0_param(ctx);
9704 if (!TEST_ptr(cp))
9705 goto end;
9706 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
9707 goto end;
9708
9709 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
9710
9711 ssl = SSL_new(ctx);
9712 if (!TEST_ptr(ssl))
9713 goto end;
9714
9715 sp = SSL_get0_param(ssl);
9716 if (!TEST_ptr(sp))
9717 goto end;
9718 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
9719 goto end;
9720
9721 testresult = 1;
9722
9723 end:
9724 SSL_free(ssl);
9725 SSL_CTX_free(ctx);
9726
9727 return testresult;
9728}
9729
9730static int test_load_dhfile(void)
9731{
9732#ifndef OPENSSL_NO_DH
9733 int testresult = 0;
9734
9735 SSL_CTX *ctx = NULL;
9736 SSL_CONF_CTX *cctx = NULL;
9737
9738 if (dhfile == NULL)
9739 return 1;
9740
9741 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()))
9742 || !TEST_ptr(cctx = SSL_CONF_CTX_new()))
9743 goto end;
9744
9745 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
9746 SSL_CONF_CTX_set_flags(cctx,
9747 SSL_CONF_FLAG_CERTIFICATE
9748 | SSL_CONF_FLAG_SERVER
9749 | SSL_CONF_FLAG_FILE);
9750
9751 if (!TEST_int_eq(SSL_CONF_cmd(cctx, "DHParameters", dhfile), 2))
9752 goto end;
9753
9754 testresult = 1;
9755end:
9756 SSL_CONF_CTX_free(cctx);
9757 SSL_CTX_free(ctx);
9758
9759 return testresult;
9760#else
9761 return TEST_skip("DH not supported by this build");
9762#endif
9763}
9764
9765OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
9766
9767int setup_tests(void)
9768{
9769 char *modulename;
9770 char *configfile;
9771
9772 libctx = OSSL_LIB_CTX_new();
9773 if (!TEST_ptr(libctx))
9774 return 0;
9775
9776 defctxnull = OSSL_PROVIDER_load(NULL, "null");
9777
9778 /*
9779 * Verify that the default and fips providers in the default libctx are not
9780 * available
9781 */
9782 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
9783 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
9784 return 0;
9785
9786 if (!test_skip_common_options()) {
9787 TEST_error("Error parsing test options\n");
9788 return 0;
9789 }
9790
9791 if (!TEST_ptr(certsdir = test_get_argument(0))
9792 || !TEST_ptr(srpvfile = test_get_argument(1))
9793 || !TEST_ptr(tmpfilename = test_get_argument(2))
9794 || !TEST_ptr(modulename = test_get_argument(3))
9795 || !TEST_ptr(configfile = test_get_argument(4))
9796 || !TEST_ptr(dhfile = test_get_argument(5)))
9797 return 0;
9798
9799 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
9800 return 0;
9801
9802 /* Check we have the expected provider available */
9803 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
9804 return 0;
9805
9806 /* Check the default provider is not available */
9807 if (strcmp(modulename, "default") != 0
9808 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
9809 return 0;
9810
9811 if (strcmp(modulename, "fips") == 0)
9812 is_fips = 1;
9813
9814 /*
9815 * We add, but don't load the test "tls-provider". We'll load it when we
9816 * need it.
9817 */
9818 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
9819 tls_provider_init)))
9820 return 0;
9821
9822
9823 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
9824#ifdef OPENSSL_NO_CRYPTO_MDEBUG
9825 TEST_error("not supported in this build");
9826 return 0;
9827#else
9828 int i, mcount, rcount, fcount;
9829
9830 for (i = 0; i < 4; i++)
9831 test_export_key_mat(i);
9832 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
9833 test_printf_stdout("malloc %d realloc %d free %d\n",
9834 mcount, rcount, fcount);
9835 return 1;
9836#endif
9837 }
9838
9839 cert = test_mk_file_path(certsdir, "servercert.pem");
9840 if (cert == NULL)
9841 goto err;
9842
9843 privkey = test_mk_file_path(certsdir, "serverkey.pem");
9844 if (privkey == NULL)
9845 goto err;
9846
9847 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
9848 if (cert2 == NULL)
9849 goto err;
9850
9851 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
9852 if (privkey2 == NULL)
9853 goto err;
9854
9855 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
9856 if (cert1024 == NULL)
9857 goto err;
9858
9859 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
9860 if (privkey1024 == NULL)
9861 goto err;
9862
9863 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
9864 if (cert3072 == NULL)
9865 goto err;
9866
9867 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
9868 if (privkey3072 == NULL)
9869 goto err;
9870
9871 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
9872 if (cert4096 == NULL)
9873 goto err;
9874
9875 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
9876 if (privkey4096 == NULL)
9877 goto err;
9878
9879 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
9880 if (cert8192 == NULL)
9881 goto err;
9882
9883 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
9884 if (privkey8192 == NULL)
9885 goto err;
9886
9887#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
9888# if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
9889 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
9890 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS);
9891# endif
9892#endif
9893 ADD_TEST(test_large_message_tls);
9894 ADD_TEST(test_large_message_tls_read_ahead);
9895#ifndef OPENSSL_NO_DTLS
9896 ADD_TEST(test_large_message_dtls);
9897#endif
9898 ADD_TEST(test_cleanse_plaintext);
9899#ifndef OPENSSL_NO_OCSP
9900 ADD_TEST(test_tlsext_status_type);
9901#endif
9902 ADD_TEST(test_session_with_only_int_cache);
9903 ADD_TEST(test_session_with_only_ext_cache);
9904 ADD_TEST(test_session_with_both_cache);
9905 ADD_TEST(test_session_wo_ca_names);
9906#ifndef OSSL_NO_USABLE_TLS1_3
9907 ADD_ALL_TESTS(test_stateful_tickets, 3);
9908 ADD_ALL_TESTS(test_stateless_tickets, 3);
9909 ADD_TEST(test_psk_tickets);
9910 ADD_ALL_TESTS(test_extra_tickets, 6);
9911#endif
9912 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9913 ADD_TEST(test_ssl_bio_pop_next_bio);
9914 ADD_TEST(test_ssl_bio_pop_ssl_bio);
9915 ADD_TEST(test_ssl_bio_change_rbio);
9916 ADD_TEST(test_ssl_bio_change_wbio);
9917#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
9918 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
9919 ADD_TEST(test_keylog);
9920#endif
9921#ifndef OSSL_NO_USABLE_TLS1_3
9922 ADD_TEST(test_keylog_no_master_key);
9923#endif
9924 ADD_TEST(test_client_cert_verify_cb);
9925 ADD_TEST(test_ssl_build_cert_chain);
9926 ADD_TEST(test_ssl_ctx_build_cert_chain);
9927#ifndef OPENSSL_NO_TLS1_2
9928 ADD_TEST(test_client_hello_cb);
9929 ADD_TEST(test_no_ems);
9930 ADD_TEST(test_ccs_change_cipher);
9931#endif
9932#ifndef OSSL_NO_USABLE_TLS1_3
9933 ADD_ALL_TESTS(test_early_data_read_write, 3);
9934 /*
9935 * We don't do replay tests for external PSK. Replay protection isn't used
9936 * in that scenario.
9937 */
9938 ADD_ALL_TESTS(test_early_data_replay, 2);
9939 ADD_ALL_TESTS(test_early_data_skip, 3);
9940 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
9941 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
9942 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
9943 ADD_ALL_TESTS(test_early_data_not_sent, 3);
9944 ADD_ALL_TESTS(test_early_data_psk, 8);
9945 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
9946 ADD_ALL_TESTS(test_early_data_not_expected, 3);
9947# ifndef OPENSSL_NO_TLS1_2
9948 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
9949# endif
9950#endif
9951#ifndef OSSL_NO_USABLE_TLS1_3
9952 ADD_ALL_TESTS(test_set_ciphersuite, 10);
9953 ADD_TEST(test_ciphersuite_change);
9954 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
9955# ifdef OPENSSL_NO_PSK
9956 ADD_ALL_TESTS(test_tls13_psk, 1);
9957# else
9958 ADD_ALL_TESTS(test_tls13_psk, 4);
9959# endif /* OPENSSL_NO_PSK */
9960# ifndef OPENSSL_NO_TLS1_2
9961 /* Test with both TLSv1.3 and 1.2 versions */
9962 ADD_ALL_TESTS(test_key_exchange, 14);
9963# if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
9964 ADD_ALL_TESTS(test_negotiated_group,
9965 4 * (OSSL_NELEM(ecdhe_kexch_groups)
9966 + OSSL_NELEM(ffdhe_kexch_groups)));
9967# endif
9968# else
9969 /* Test with only TLSv1.3 versions */
9970 ADD_ALL_TESTS(test_key_exchange, 12);
9971# endif
9972 ADD_ALL_TESTS(test_custom_exts, 6);
9973 ADD_TEST(test_stateless);
9974 ADD_TEST(test_pha_key_update);
9975#else
9976 ADD_ALL_TESTS(test_custom_exts, 3);
9977#endif
9978 ADD_ALL_TESTS(test_serverinfo, 8);
9979 ADD_ALL_TESTS(test_export_key_mat, 6);
9980#ifndef OSSL_NO_USABLE_TLS1_3
9981 ADD_ALL_TESTS(test_export_key_mat_early, 3);
9982 ADD_TEST(test_key_update);
9983 ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
9984 ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
9985 ADD_ALL_TESTS(test_key_update_local_in_write, 2);
9986 ADD_ALL_TESTS(test_key_update_local_in_read, 2);
9987#endif
9988 ADD_ALL_TESTS(test_ssl_clear, 2);
9989 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
9990#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
9991 ADD_ALL_TESTS(test_srp, 6);
9992#endif
9993 ADD_ALL_TESTS(test_info_callback, 6);
9994 ADD_ALL_TESTS(test_ssl_pending, 2);
9995 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
9996 ADD_ALL_TESTS(test_ticket_callbacks, 16);
9997 ADD_ALL_TESTS(test_shutdown, 7);
9998 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
9999 ADD_ALL_TESTS(test_cert_cb, 6);
10000 ADD_ALL_TESTS(test_client_cert_cb, 2);
10001 ADD_ALL_TESTS(test_ca_names, 3);
10002#ifndef OPENSSL_NO_TLS1_2
10003 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
10004#endif
10005 ADD_ALL_TESTS(test_servername, 10);
10006#if !defined(OPENSSL_NO_EC) \
10007 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
10008 ADD_ALL_TESTS(test_sigalgs_available, 6);
10009#endif
10010#ifndef OPENSSL_NO_TLS1_3
10011 ADD_ALL_TESTS(test_pluggable_group, 2);
10012#endif
10013#ifndef OPENSSL_NO_TLS1_2
10014 ADD_TEST(test_ssl_dup);
10015# ifndef OPENSSL_NO_DH
10016 ADD_ALL_TESTS(test_set_tmp_dh, 11);
10017 ADD_ALL_TESTS(test_dh_auto, 7);
10018# endif
10019#endif
10020#ifndef OSSL_NO_USABLE_TLS1_3
10021 ADD_TEST(test_sni_tls13);
10022 ADD_ALL_TESTS(test_ticket_lifetime, 2);
10023#endif
10024 ADD_TEST(test_inherit_verify_param);
10025 ADD_TEST(test_set_alpn);
10026 ADD_TEST(test_set_verify_cert_store_ssl_ctx);
10027 ADD_TEST(test_set_verify_cert_store_ssl);
10028 ADD_ALL_TESTS(test_session_timeout, 1);
10029 ADD_TEST(test_load_dhfile);
10030 return 1;
10031
10032 err:
10033 OPENSSL_free(cert);
10034 OPENSSL_free(privkey);
10035 OPENSSL_free(cert2);
10036 OPENSSL_free(privkey2);
10037 return 0;
10038}
10039
10040void cleanup_tests(void)
10041{
10042# if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
10043 EVP_PKEY_free(tmp_dh_params);
10044#endif
10045 OPENSSL_free(cert);
10046 OPENSSL_free(privkey);
10047 OPENSSL_free(cert2);
10048 OPENSSL_free(privkey2);
10049 OPENSSL_free(cert1024);
10050 OPENSSL_free(privkey1024);
10051 OPENSSL_free(cert3072);
10052 OPENSSL_free(privkey3072);
10053 OPENSSL_free(cert4096);
10054 OPENSSL_free(privkey4096);
10055 OPENSSL_free(cert8192);
10056 OPENSSL_free(privkey8192);
10057 bio_s_mempacket_test_free();
10058 bio_s_always_retry_free();
10059 OSSL_PROVIDER_unload(defctxnull);
10060 OSSL_LIB_CTX_free(libctx);
10061}
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette