1/* 2 * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10/* 11 * We need access to the deprecated low level HMAC APIs for legacy purposes 12 * when the deprecated calls are not hidden 13 */ 14#ifndef OPENSSL_NO_DEPRECATED_3_0 15# define OPENSSL_SUPPRESS_DEPRECATED 16#endif 17 18#include <stdio.h> 19#include <string.h> 20 21#include <openssl/opensslconf.h> 22#include <openssl/bio.h> 23#include <openssl/crypto.h> 24#include <openssl/ssl.h> 25#include <openssl/ocsp.h> 26#include <openssl/srp.h> 27#include <openssl/txt_db.h> 28#include <openssl/aes.h> 29#include <openssl/rand.h> 30#include <openssl/core_names.h> 31#include <openssl/core_dispatch.h> 32#include <openssl/provider.h> 33#include <openssl/param_build.h> 34#include <openssl/x509v3.h> 35#include <openssl/dh.h> 36#include <openssl/engine.h> 37 38#include "helpers/ssltestlib.h" 39#include "testutil.h" 40#include "testutil/output.h" 41#include "internal/nelem.h" 42#include "internal/ktls.h" 43#include "../ssl/ssl_local.h" 44#include "filterprov.h" 45 46#undef OSSL_NO_USABLE_TLS1_3 47#if defined(OPENSSL_NO_TLS1_3) \ 48 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH)) 49/* 50 * If we don't have ec or dh then there are no built-in groups that are usable 51 * with TLSv1.3 52 */ 53# define OSSL_NO_USABLE_TLS1_3 54#endif 55 56/* Defined in tls-provider.c */ 57int tls_provider_init(const OSSL_CORE_HANDLE *handle, 58 const OSSL_DISPATCH *in, 59 const OSSL_DISPATCH **out, 60 void **provctx); 61 62static OSSL_LIB_CTX *libctx = NULL; 63static OSSL_PROVIDER *defctxnull = NULL; 64 65#ifndef OSSL_NO_USABLE_TLS1_3 66 67static SSL_SESSION *clientpsk = NULL; 68static SSL_SESSION *serverpsk = NULL; 69static const char *pskid = "Identity"; 70static const char *srvid; 71 72static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id, 73 size_t *idlen, SSL_SESSION **sess); 74static int find_session_cb(SSL *ssl, const unsigned char *identity, 75 size_t identity_len, SSL_SESSION **sess); 76 77static int use_session_cb_cnt = 0; 78static int find_session_cb_cnt = 0; 79 80static SSL_SESSION *create_a_psk(SSL *ssl, size_t mdsize); 81#endif 82 83static char *certsdir = NULL; 84static char *cert = NULL; 85static char *privkey = NULL; 86static char *cert2 = NULL; 87static char *privkey2 = NULL; 88static char *cert1024 = NULL; 89static char *privkey1024 = NULL; 90static char *cert3072 = NULL; 91static char *privkey3072 = NULL; 92static char *cert4096 = NULL; 93static char *privkey4096 = NULL; 94static char *cert8192 = NULL; 95static char *privkey8192 = NULL; 96static char *srpvfile = NULL; 97static char *tmpfilename = NULL; 98static char *dhfile = NULL; 99 100static int is_fips = 0; 101 102#define LOG_BUFFER_SIZE 2048 103static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0}; 104static size_t server_log_buffer_index = 0; 105static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0}; 106static size_t client_log_buffer_index = 0; 107static int error_writing_log = 0; 108 109#ifndef OPENSSL_NO_OCSP 110static const unsigned char orespder[] = "Dummy OCSP Response"; 111static int ocsp_server_called = 0; 112static int ocsp_client_called = 0; 113 114static int cdummyarg = 1; 115static X509 *ocspcert = NULL; 116#endif 117 118#define NUM_EXTRA_CERTS 40 119#define CLIENT_VERSION_LEN 2 120 121/* 122 * This structure is used to validate that the correct number of log messages 123 * of various types are emitted when emitting secret logs. 124 */ 125struct sslapitest_log_counts { 126 unsigned int rsa_key_exchange_count; 127 unsigned int master_secret_count; 128 unsigned int client_early_secret_count; 129 unsigned int client_handshake_secret_count; 130 unsigned int server_handshake_secret_count; 131 unsigned int client_application_secret_count; 132 unsigned int server_application_secret_count; 133 unsigned int early_exporter_secret_count; 134 unsigned int exporter_secret_count; 135}; 136 137 138static int hostname_cb(SSL *s, int *al, void *arg) 139{ 140 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name); 141 142 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0 143 || strcmp(hostname, "altgoodhost") == 0)) 144 return SSL_TLSEXT_ERR_OK; 145 146 return SSL_TLSEXT_ERR_NOACK; 147} 148 149static void client_keylog_callback(const SSL *ssl, const char *line) 150{ 151 int line_length = strlen(line); 152 153 /* If the log doesn't fit, error out. */ 154 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) { 155 TEST_info("Client log too full"); 156 error_writing_log = 1; 157 return; 158 } 159 160 strcat(client_log_buffer, line); 161 client_log_buffer_index += line_length; 162 client_log_buffer[client_log_buffer_index++] = '\n'; 163} 164 165static void server_keylog_callback(const SSL *ssl, const char *line) 166{ 167 int line_length = strlen(line); 168 169 /* If the log doesn't fit, error out. */ 170 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) { 171 TEST_info("Server log too full"); 172 error_writing_log = 1; 173 return; 174 } 175 176 strcat(server_log_buffer, line); 177 server_log_buffer_index += line_length; 178 server_log_buffer[server_log_buffer_index++] = '\n'; 179} 180 181static int compare_hex_encoded_buffer(const char *hex_encoded, 182 size_t hex_length, 183 const uint8_t *raw, 184 size_t raw_length) 185{ 186 size_t i, j; 187 char hexed[3]; 188 189 if (!TEST_size_t_eq(raw_length * 2, hex_length)) 190 return 1; 191 192 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) { 193 sprintf(hexed, "%02x", raw[i]); 194 if (!TEST_int_eq(hexed[0], hex_encoded[j]) 195 || !TEST_int_eq(hexed[1], hex_encoded[j + 1])) 196 return 1; 197 } 198 199 return 0; 200} 201 202static int test_keylog_output(char *buffer, const SSL *ssl, 203 const SSL_SESSION *session, 204 struct sslapitest_log_counts *expected) 205{ 206 char *token = NULL; 207 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0}; 208 size_t client_random_size = SSL3_RANDOM_SIZE; 209 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0}; 210 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH; 211 unsigned int rsa_key_exchange_count = 0; 212 unsigned int master_secret_count = 0; 213 unsigned int client_early_secret_count = 0; 214 unsigned int client_handshake_secret_count = 0; 215 unsigned int server_handshake_secret_count = 0; 216 unsigned int client_application_secret_count = 0; 217 unsigned int server_application_secret_count = 0; 218 unsigned int early_exporter_secret_count = 0; 219 unsigned int exporter_secret_count = 0; 220 221 for (token = strtok(buffer, " \n"); token != NULL; 222 token = strtok(NULL, " \n")) { 223 if (strcmp(token, "RSA") == 0) { 224 /* 225 * Premaster secret. Tokens should be: 16 ASCII bytes of 226 * hex-encoded encrypted secret, then the hex-encoded pre-master 227 * secret. 228 */ 229 if (!TEST_ptr(token = strtok(NULL, " \n"))) 230 return 0; 231 if (!TEST_size_t_eq(strlen(token), 16)) 232 return 0; 233 if (!TEST_ptr(token = strtok(NULL, " \n"))) 234 return 0; 235 /* 236 * We can't sensibly check the log because the premaster secret is 237 * transient, and OpenSSL doesn't keep hold of it once the master 238 * secret is generated. 239 */ 240 rsa_key_exchange_count++; 241 } else if (strcmp(token, "CLIENT_RANDOM") == 0) { 242 /* 243 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded 244 * client random, then the hex-encoded master secret. 245 */ 246 client_random_size = SSL_get_client_random(ssl, 247 actual_client_random, 248 SSL3_RANDOM_SIZE); 249 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE)) 250 return 0; 251 252 if (!TEST_ptr(token = strtok(NULL, " \n"))) 253 return 0; 254 if (!TEST_size_t_eq(strlen(token), 64)) 255 return 0; 256 if (!TEST_false(compare_hex_encoded_buffer(token, 64, 257 actual_client_random, 258 client_random_size))) 259 return 0; 260 261 if (!TEST_ptr(token = strtok(NULL, " \n"))) 262 return 0; 263 master_key_size = SSL_SESSION_get_master_key(session, 264 actual_master_key, 265 master_key_size); 266 if (!TEST_size_t_ne(master_key_size, 0)) 267 return 0; 268 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token), 269 actual_master_key, 270 master_key_size))) 271 return 0; 272 master_secret_count++; 273 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0 274 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0 275 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0 276 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0 277 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0 278 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0 279 || strcmp(token, "EXPORTER_SECRET") == 0) { 280 /* 281 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded 282 * client random, and then the hex-encoded secret. In this case, 283 * we treat all of these secrets identically and then just 284 * distinguish between them when counting what we saw. 285 */ 286 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0) 287 client_early_secret_count++; 288 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0) 289 client_handshake_secret_count++; 290 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0) 291 server_handshake_secret_count++; 292 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0) 293 client_application_secret_count++; 294 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0) 295 server_application_secret_count++; 296 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0) 297 early_exporter_secret_count++; 298 else if (strcmp(token, "EXPORTER_SECRET") == 0) 299 exporter_secret_count++; 300 301 client_random_size = SSL_get_client_random(ssl, 302 actual_client_random, 303 SSL3_RANDOM_SIZE); 304 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE)) 305 return 0; 306 307 if (!TEST_ptr(token = strtok(NULL, " \n"))) 308 return 0; 309 if (!TEST_size_t_eq(strlen(token), 64)) 310 return 0; 311 if (!TEST_false(compare_hex_encoded_buffer(token, 64, 312 actual_client_random, 313 client_random_size))) 314 return 0; 315 316 if (!TEST_ptr(token = strtok(NULL, " \n"))) 317 return 0; 318 } else { 319 TEST_info("Unexpected token %s\n", token); 320 return 0; 321 } 322 } 323 324 /* Got what we expected? */ 325 if (!TEST_size_t_eq(rsa_key_exchange_count, 326 expected->rsa_key_exchange_count) 327 || !TEST_size_t_eq(master_secret_count, 328 expected->master_secret_count) 329 || !TEST_size_t_eq(client_early_secret_count, 330 expected->client_early_secret_count) 331 || !TEST_size_t_eq(client_handshake_secret_count, 332 expected->client_handshake_secret_count) 333 || !TEST_size_t_eq(server_handshake_secret_count, 334 expected->server_handshake_secret_count) 335 || !TEST_size_t_eq(client_application_secret_count, 336 expected->client_application_secret_count) 337 || !TEST_size_t_eq(server_application_secret_count, 338 expected->server_application_secret_count) 339 || !TEST_size_t_eq(early_exporter_secret_count, 340 expected->early_exporter_secret_count) 341 || !TEST_size_t_eq(exporter_secret_count, 342 expected->exporter_secret_count)) 343 return 0; 344 return 1; 345} 346 347#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3) 348static int test_keylog(void) 349{ 350 SSL_CTX *cctx = NULL, *sctx = NULL; 351 SSL *clientssl = NULL, *serverssl = NULL; 352 int testresult = 0; 353 struct sslapitest_log_counts expected; 354 355 /* Clean up logging space */ 356 memset(&expected, 0, sizeof(expected)); 357 memset(client_log_buffer, 0, sizeof(client_log_buffer)); 358 memset(server_log_buffer, 0, sizeof(server_log_buffer)); 359 client_log_buffer_index = 0; 360 server_log_buffer_index = 0; 361 error_writing_log = 0; 362 363 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 364 TLS_client_method(), 365 TLS1_VERSION, 0, 366 &sctx, &cctx, cert, privkey))) 367 return 0; 368 369 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */ 370 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3); 371 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3); 372 373 /* We also want to ensure that we use RSA-based key exchange. */ 374 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA"))) 375 goto end; 376 377 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL) 378 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL)) 379 goto end; 380 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback); 381 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) 382 == client_keylog_callback)) 383 goto end; 384 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback); 385 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx) 386 == server_keylog_callback)) 387 goto end; 388 389 /* Now do a handshake and check that the logs have been written to. */ 390 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 391 &clientssl, NULL, NULL)) 392 || !TEST_true(create_ssl_connection(serverssl, clientssl, 393 SSL_ERROR_NONE)) 394 || !TEST_false(error_writing_log) 395 || !TEST_int_gt(client_log_buffer_index, 0) 396 || !TEST_int_gt(server_log_buffer_index, 0)) 397 goto end; 398 399 /* 400 * Now we want to test that our output data was vaguely sensible. We 401 * do that by using strtok and confirming that we have more or less the 402 * data we expect. For both client and server, we expect to see one master 403 * secret. The client should also see an RSA key exchange. 404 */ 405 expected.rsa_key_exchange_count = 1; 406 expected.master_secret_count = 1; 407 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl, 408 SSL_get_session(clientssl), &expected))) 409 goto end; 410 411 expected.rsa_key_exchange_count = 0; 412 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl, 413 SSL_get_session(serverssl), &expected))) 414 goto end; 415 416 testresult = 1; 417 418end: 419 SSL_free(serverssl); 420 SSL_free(clientssl); 421 SSL_CTX_free(sctx); 422 SSL_CTX_free(cctx); 423 424 return testresult; 425} 426#endif 427 428#ifndef OSSL_NO_USABLE_TLS1_3 429static int test_keylog_no_master_key(void) 430{ 431 SSL_CTX *cctx = NULL, *sctx = NULL; 432 SSL *clientssl = NULL, *serverssl = NULL; 433 SSL_SESSION *sess = NULL; 434 int testresult = 0; 435 struct sslapitest_log_counts expected; 436 unsigned char buf[1]; 437 size_t readbytes, written; 438 439 /* Clean up logging space */ 440 memset(&expected, 0, sizeof(expected)); 441 memset(client_log_buffer, 0, sizeof(client_log_buffer)); 442 memset(server_log_buffer, 0, sizeof(server_log_buffer)); 443 client_log_buffer_index = 0; 444 server_log_buffer_index = 0; 445 error_writing_log = 0; 446 447 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 448 TLS_client_method(), TLS1_VERSION, 0, 449 &sctx, &cctx, cert, privkey)) 450 || !TEST_true(SSL_CTX_set_max_early_data(sctx, 451 SSL3_RT_MAX_PLAIN_LENGTH))) 452 return 0; 453 454 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL) 455 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL)) 456 goto end; 457 458 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback); 459 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) 460 == client_keylog_callback)) 461 goto end; 462 463 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback); 464 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx) 465 == server_keylog_callback)) 466 goto end; 467 468 /* Now do a handshake and check that the logs have been written to. */ 469 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 470 &clientssl, NULL, NULL)) 471 || !TEST_true(create_ssl_connection(serverssl, clientssl, 472 SSL_ERROR_NONE)) 473 || !TEST_false(error_writing_log)) 474 goto end; 475 476 /* 477 * Now we want to test that our output data was vaguely sensible. For this 478 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for 479 * TLSv1.3, but we do expect both client and server to emit keys. 480 */ 481 expected.client_handshake_secret_count = 1; 482 expected.server_handshake_secret_count = 1; 483 expected.client_application_secret_count = 1; 484 expected.server_application_secret_count = 1; 485 expected.exporter_secret_count = 1; 486 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl, 487 SSL_get_session(clientssl), &expected)) 488 || !TEST_true(test_keylog_output(server_log_buffer, serverssl, 489 SSL_get_session(serverssl), 490 &expected))) 491 goto end; 492 493 /* Terminate old session and resume with early data. */ 494 sess = SSL_get1_session(clientssl); 495 SSL_shutdown(clientssl); 496 SSL_shutdown(serverssl); 497 SSL_free(serverssl); 498 SSL_free(clientssl); 499 serverssl = clientssl = NULL; 500 501 /* Reset key log */ 502 memset(client_log_buffer, 0, sizeof(client_log_buffer)); 503 memset(server_log_buffer, 0, sizeof(server_log_buffer)); 504 client_log_buffer_index = 0; 505 server_log_buffer_index = 0; 506 507 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 508 &clientssl, NULL, NULL)) 509 || !TEST_true(SSL_set_session(clientssl, sess)) 510 /* Here writing 0 length early data is enough. */ 511 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written)) 512 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 513 &readbytes), 514 SSL_READ_EARLY_DATA_ERROR) 515 || !TEST_int_eq(SSL_get_early_data_status(serverssl), 516 SSL_EARLY_DATA_ACCEPTED) 517 || !TEST_true(create_ssl_connection(serverssl, clientssl, 518 SSL_ERROR_NONE)) 519 || !TEST_true(SSL_session_reused(clientssl))) 520 goto end; 521 522 /* In addition to the previous entries, expect early secrets. */ 523 expected.client_early_secret_count = 1; 524 expected.early_exporter_secret_count = 1; 525 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl, 526 SSL_get_session(clientssl), &expected)) 527 || !TEST_true(test_keylog_output(server_log_buffer, serverssl, 528 SSL_get_session(serverssl), 529 &expected))) 530 goto end; 531 532 testresult = 1; 533 534end: 535 SSL_SESSION_free(sess); 536 SSL_free(serverssl); 537 SSL_free(clientssl); 538 SSL_CTX_free(sctx); 539 SSL_CTX_free(cctx); 540 541 return testresult; 542} 543#endif 544 545static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg) 546{ 547 int res = X509_verify_cert(ctx); 548 int idx = SSL_get_ex_data_X509_STORE_CTX_idx(); 549 SSL *ssl; 550 551 /* this should not happen but check anyway */ 552 if (idx < 0 553 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL) 554 return 0; 555 556 if (res == 0 && X509_STORE_CTX_get_error(ctx) == 557 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) 558 /* indicate SSL_ERROR_WANT_RETRY_VERIFY */ 559 return SSL_set_retry_verify(ssl); 560 561 return res; 562} 563 564static int test_client_cert_verify_cb(void) 565{ 566 /* server key, cert, chain, and root */ 567 char *skey = test_mk_file_path(certsdir, "leaf.key"); 568 char *leaf = test_mk_file_path(certsdir, "leaf.pem"); 569 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem"); 570 char *int1 = test_mk_file_path(certsdir, "interCA.pem"); 571 char *root = test_mk_file_path(certsdir, "rootCA.pem"); 572 X509 *crt1 = NULL, *crt2 = NULL; 573 STACK_OF(X509) *server_chain; 574 SSL_CTX *cctx = NULL, *sctx = NULL; 575 SSL *clientssl = NULL, *serverssl = NULL; 576 int testresult = 0; 577 578 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 579 TLS_client_method(), TLS1_VERSION, 0, 580 &sctx, &cctx, NULL, NULL))) 581 goto end; 582 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1) 583 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey, 584 SSL_FILETYPE_PEM), 1) 585 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)) 586 goto end; 587 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL))) 588 goto end; 589 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL); 590 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL); 591 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 592 &clientssl, NULL, NULL))) 593 goto end; 594 595 /* attempt SSL_connect() with incomplete server chain */ 596 if (!TEST_false(create_ssl_connection(serverssl, clientssl, 597 SSL_ERROR_WANT_RETRY_VERIFY))) 598 goto end; 599 600 /* application provides intermediate certs needed to verify server cert */ 601 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx))) 602 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx))) 603 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl)))) 604 goto end; 605 /* add certs in reverse order to demonstrate real chain building */ 606 if (!TEST_true(sk_X509_push(server_chain, crt1))) 607 goto end; 608 crt1 = NULL; 609 if (!TEST_true(sk_X509_push(server_chain, crt2))) 610 goto end; 611 crt2 = NULL; 612 613 /* continue SSL_connect(), must now succeed with completed server chain */ 614 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 615 SSL_ERROR_NONE))) 616 goto end; 617 618 testresult = 1; 619 620end: 621 X509_free(crt1); 622 X509_free(crt2); 623 if (clientssl != NULL) { 624 SSL_shutdown(clientssl); 625 SSL_free(clientssl); 626 } 627 if (serverssl != NULL) { 628 SSL_shutdown(serverssl); 629 SSL_free(serverssl); 630 } 631 SSL_CTX_free(sctx); 632 SSL_CTX_free(cctx); 633 634 OPENSSL_free(skey); 635 OPENSSL_free(leaf); 636 OPENSSL_free(int2); 637 OPENSSL_free(int1); 638 OPENSSL_free(root); 639 640 return testresult; 641} 642 643static int test_ssl_build_cert_chain(void) 644{ 645 int ret = 0; 646 SSL_CTX *ssl_ctx = NULL; 647 SSL *ssl = NULL; 648 char *skey = test_mk_file_path(certsdir, "leaf.key"); 649 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem"); 650 651 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()))) 652 goto end; 653 if (!TEST_ptr(ssl = SSL_new(ssl_ctx))) 654 goto end; 655 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */ 656 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1) 657 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1) 658 || !TEST_int_eq(SSL_check_private_key(ssl), 1)) 659 goto end; 660 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT 661 | SSL_BUILD_CHAIN_FLAG_CHECK))) 662 goto end; 663 ret = 1; 664end: 665 SSL_free(ssl); 666 SSL_CTX_free(ssl_ctx); 667 OPENSSL_free(leaf_chain); 668 OPENSSL_free(skey); 669 return ret; 670} 671 672static int get_password_cb(char *buf, int size, int rw_flag, void *userdata) 673{ 674 static const char pass[] = "testpass"; 675 676 if (!TEST_int_eq(size, PEM_BUFSIZE)) 677 return -1; 678 679 memcpy(buf, pass, sizeof(pass) - 1); 680 return sizeof(pass) - 1; 681} 682 683static int test_ssl_ctx_build_cert_chain(void) 684{ 685 int ret = 0; 686 SSL_CTX *ctx = NULL; 687 char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key"); 688 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem"); 689 690 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()))) 691 goto end; 692 SSL_CTX_set_default_passwd_cb(ctx, get_password_cb); 693 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */ 694 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1) 695 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey, 696 SSL_FILETYPE_PEM), 1) 697 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1)) 698 goto end; 699 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT 700 | SSL_BUILD_CHAIN_FLAG_CHECK))) 701 goto end; 702 ret = 1; 703end: 704 SSL_CTX_free(ctx); 705 OPENSSL_free(leaf_chain); 706 OPENSSL_free(skey); 707 return ret; 708} 709 710#ifndef OPENSSL_NO_TLS1_2 711static int full_client_hello_callback(SSL *s, int *al, void *arg) 712{ 713 int *ctr = arg; 714 const unsigned char *p; 715 int *exts; 716 /* We only configure two ciphers, but the SCSV is added automatically. */ 717#ifdef OPENSSL_NO_EC 718 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff}; 719#else 720 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0, 721 0x2c, 0x00, 0xff}; 722#endif 723 const int expected_extensions[] = { 724#ifndef OPENSSL_NO_EC 725 11, 10, 726#endif 727 35, 22, 23, 13}; 728 size_t len; 729 730 /* Make sure we can defer processing and get called back. */ 731 if ((*ctr)++ == 0) 732 return SSL_CLIENT_HELLO_RETRY; 733 734 len = SSL_client_hello_get0_ciphers(s, &p); 735 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers)) 736 || !TEST_size_t_eq( 737 SSL_client_hello_get0_compression_methods(s, &p), 1) 738 || !TEST_int_eq(*p, 0)) 739 return SSL_CLIENT_HELLO_ERROR; 740 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len)) 741 return SSL_CLIENT_HELLO_ERROR; 742 if (len != OSSL_NELEM(expected_extensions) || 743 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) { 744 printf("ClientHello callback expected extensions mismatch\n"); 745 OPENSSL_free(exts); 746 return SSL_CLIENT_HELLO_ERROR; 747 } 748 OPENSSL_free(exts); 749 return SSL_CLIENT_HELLO_SUCCESS; 750} 751 752static int test_client_hello_cb(void) 753{ 754 SSL_CTX *cctx = NULL, *sctx = NULL; 755 SSL *clientssl = NULL, *serverssl = NULL; 756 int testctr = 0, testresult = 0; 757 758 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 759 TLS_client_method(), TLS1_VERSION, 0, 760 &sctx, &cctx, cert, privkey))) 761 goto end; 762 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr); 763 764 /* The gimpy cipher list we configure can't do TLS 1.3. */ 765 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION); 766 767 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, 768 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384")) 769 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 770 &clientssl, NULL, NULL)) 771 || !TEST_false(create_ssl_connection(serverssl, clientssl, 772 SSL_ERROR_WANT_CLIENT_HELLO_CB)) 773 /* 774 * Passing a -1 literal is a hack since 775 * the real value was lost. 776 * */ 777 || !TEST_int_eq(SSL_get_error(serverssl, -1), 778 SSL_ERROR_WANT_CLIENT_HELLO_CB) 779 || !TEST_true(create_ssl_connection(serverssl, clientssl, 780 SSL_ERROR_NONE))) 781 goto end; 782 783 testresult = 1; 784 785end: 786 SSL_free(serverssl); 787 SSL_free(clientssl); 788 SSL_CTX_free(sctx); 789 SSL_CTX_free(cctx); 790 791 return testresult; 792} 793 794static int test_no_ems(void) 795{ 796 SSL_CTX *cctx = NULL, *sctx = NULL; 797 SSL *clientssl = NULL, *serverssl = NULL; 798 int testresult = 0; 799 800 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), 801 TLS1_VERSION, TLS1_2_VERSION, 802 &sctx, &cctx, cert, privkey)) { 803 printf("Unable to create SSL_CTX pair\n"); 804 goto end; 805 } 806 807 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET); 808 809 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) { 810 printf("Unable to create SSL objects\n"); 811 goto end; 812 } 813 814 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) { 815 printf("Creating SSL connection failed\n"); 816 goto end; 817 } 818 819 if (SSL_get_extms_support(serverssl)) { 820 printf("Server reports Extended Master Secret support\n"); 821 goto end; 822 } 823 824 if (SSL_get_extms_support(clientssl)) { 825 printf("Client reports Extended Master Secret support\n"); 826 goto end; 827 } 828 testresult = 1; 829 830end: 831 SSL_free(serverssl); 832 SSL_free(clientssl); 833 SSL_CTX_free(sctx); 834 SSL_CTX_free(cctx); 835 836 return testresult; 837} 838 839/* 840 * Very focused test to exercise a single case in the server-side state 841 * machine, when the ChangeCipherState message needs to actually change 842 * from one cipher to a different cipher (i.e., not changing from null 843 * encryption to real encryption). 844 */ 845static int test_ccs_change_cipher(void) 846{ 847 SSL_CTX *cctx = NULL, *sctx = NULL; 848 SSL *clientssl = NULL, *serverssl = NULL; 849 SSL_SESSION *sess = NULL, *sesspre, *sesspost; 850 int testresult = 0; 851 int i; 852 unsigned char buf; 853 size_t readbytes; 854 855 /* 856 * Create a conection so we can resume and potentially (but not) use 857 * a different cipher in the second connection. 858 */ 859 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 860 TLS_client_method(), 861 TLS1_VERSION, TLS1_2_VERSION, 862 &sctx, &cctx, cert, privkey)) 863 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET)) 864 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 865 NULL, NULL)) 866 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256")) 867 || !TEST_true(create_ssl_connection(serverssl, clientssl, 868 SSL_ERROR_NONE)) 869 || !TEST_ptr(sesspre = SSL_get0_session(serverssl)) 870 || !TEST_ptr(sess = SSL_get1_session(clientssl))) 871 goto end; 872 873 shutdown_ssl_connection(serverssl, clientssl); 874 serverssl = clientssl = NULL; 875 876 /* Resume, preferring a different cipher. Our server will force the 877 * same cipher to be used as the initial handshake. */ 878 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 879 NULL, NULL)) 880 || !TEST_true(SSL_set_session(clientssl, sess)) 881 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256")) 882 || !TEST_true(create_ssl_connection(serverssl, clientssl, 883 SSL_ERROR_NONE)) 884 || !TEST_true(SSL_session_reused(clientssl)) 885 || !TEST_true(SSL_session_reused(serverssl)) 886 || !TEST_ptr(sesspost = SSL_get0_session(serverssl)) 887 || !TEST_ptr_eq(sesspre, sesspost) 888 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 889 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl)))) 890 goto end; 891 shutdown_ssl_connection(serverssl, clientssl); 892 serverssl = clientssl = NULL; 893 894 /* 895 * Now create a fresh connection and try to renegotiate a different 896 * cipher on it. 897 */ 898 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 899 NULL, NULL)) 900 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256")) 901 || !TEST_true(create_ssl_connection(serverssl, clientssl, 902 SSL_ERROR_NONE)) 903 || !TEST_ptr(sesspre = SSL_get0_session(serverssl)) 904 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")) 905 || !TEST_true(SSL_renegotiate(clientssl)) 906 || !TEST_true(SSL_renegotiate_pending(clientssl))) 907 goto end; 908 /* Actually drive the renegotiation. */ 909 for (i = 0; i < 3; i++) { 910 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) { 911 if (!TEST_ulong_eq(readbytes, 0)) 912 goto end; 913 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0), 914 SSL_ERROR_WANT_READ)) { 915 goto end; 916 } 917 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) { 918 if (!TEST_ulong_eq(readbytes, 0)) 919 goto end; 920 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0), 921 SSL_ERROR_WANT_READ)) { 922 goto end; 923 } 924 } 925 /* sesspre and sesspost should be different since the cipher changed. */ 926 if (!TEST_false(SSL_renegotiate_pending(clientssl)) 927 || !TEST_false(SSL_session_reused(clientssl)) 928 || !TEST_false(SSL_session_reused(serverssl)) 929 || !TEST_ptr(sesspost = SSL_get0_session(serverssl)) 930 || !TEST_ptr_ne(sesspre, sesspost) 931 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384, 932 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl)))) 933 goto end; 934 935 shutdown_ssl_connection(serverssl, clientssl); 936 serverssl = clientssl = NULL; 937 938 testresult = 1; 939 940end: 941 SSL_free(serverssl); 942 SSL_free(clientssl); 943 SSL_CTX_free(sctx); 944 SSL_CTX_free(cctx); 945 SSL_SESSION_free(sess); 946 947 return testresult; 948} 949#endif 950 951static int execute_test_large_message(const SSL_METHOD *smeth, 952 const SSL_METHOD *cmeth, 953 int min_version, int max_version, 954 int read_ahead) 955{ 956 SSL_CTX *cctx = NULL, *sctx = NULL; 957 SSL *clientssl = NULL, *serverssl = NULL; 958 int testresult = 0; 959 int i; 960 BIO *certbio = NULL; 961 X509 *chaincert = NULL; 962 int certlen; 963 964 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))) 965 goto end; 966 967 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL))) 968 goto end; 969 970 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL) 971 goto end; 972 BIO_free(certbio); 973 certbio = NULL; 974 975 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version, 976 max_version, &sctx, &cctx, cert, 977 privkey))) 978 goto end; 979 980#ifdef OPENSSL_NO_DTLS1_2 981 if (smeth == DTLS_server_method()) { 982 /* 983 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security 984 * level 0 985 */ 986 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")) 987 || !TEST_true(SSL_CTX_set_cipher_list(cctx, 988 "DEFAULT:@SECLEVEL=0"))) 989 goto end; 990 } 991#endif 992 993 if (read_ahead) { 994 /* 995 * Test that read_ahead works correctly when dealing with large 996 * records 997 */ 998 SSL_CTX_set_read_ahead(cctx, 1); 999 } 1000 1001 /* 1002 * We assume the supplied certificate is big enough so that if we add 1003 * NUM_EXTRA_CERTS it will make the overall message large enough. The 1004 * default buffer size is requested to be 16k, but due to the way BUF_MEM 1005 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this 1006 * test we need to have a message larger than that. 1007 */ 1008 certlen = i2d_X509(chaincert, NULL); 1009 OPENSSL_assert(certlen * NUM_EXTRA_CERTS > 1010 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3); 1011 for (i = 0; i < NUM_EXTRA_CERTS; i++) { 1012 if (!X509_up_ref(chaincert)) 1013 goto end; 1014 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) { 1015 X509_free(chaincert); 1016 goto end; 1017 } 1018 } 1019 1020 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 1021 NULL, NULL)) 1022 || !TEST_true(create_ssl_connection(serverssl, clientssl, 1023 SSL_ERROR_NONE))) 1024 goto end; 1025 1026 /* 1027 * Calling SSL_clear() first is not required but this tests that SSL_clear() 1028 * doesn't leak. 1029 */ 1030 if (!TEST_true(SSL_clear(serverssl))) 1031 goto end; 1032 1033 testresult = 1; 1034 end: 1035 BIO_free(certbio); 1036 X509_free(chaincert); 1037 SSL_free(serverssl); 1038 SSL_free(clientssl); 1039 SSL_CTX_free(sctx); 1040 SSL_CTX_free(cctx); 1041 1042 return testresult; 1043} 1044 1045#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \ 1046 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2)) 1047/* sock must be connected */ 1048static int ktls_chk_platform(int sock) 1049{ 1050 if (!ktls_enable(sock)) 1051 return 0; 1052 return 1; 1053} 1054 1055static int ping_pong_query(SSL *clientssl, SSL *serverssl) 1056{ 1057 static char count = 1; 1058 unsigned char cbuf[16000] = {0}; 1059 unsigned char sbuf[16000]; 1060 size_t err = 0; 1061 char crec_wseq_before[SEQ_NUM_SIZE]; 1062 char crec_wseq_after[SEQ_NUM_SIZE]; 1063 char crec_rseq_before[SEQ_NUM_SIZE]; 1064 char crec_rseq_after[SEQ_NUM_SIZE]; 1065 char srec_wseq_before[SEQ_NUM_SIZE]; 1066 char srec_wseq_after[SEQ_NUM_SIZE]; 1067 char srec_rseq_before[SEQ_NUM_SIZE]; 1068 char srec_rseq_after[SEQ_NUM_SIZE]; 1069 1070 cbuf[0] = count++; 1071 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE); 1072 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE); 1073 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE); 1074 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE); 1075 1076 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf))) 1077 goto end; 1078 1079 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) { 1080 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) { 1081 goto end; 1082 } 1083 } 1084 1085 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf))) 1086 goto end; 1087 1088 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) { 1089 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) { 1090 goto end; 1091 } 1092 } 1093 1094 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE); 1095 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE); 1096 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE); 1097 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE); 1098 1099 /* verify the payload */ 1100 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf))) 1101 goto end; 1102 1103 /* 1104 * If ktls is used then kernel sequences are used instead of 1105 * OpenSSL sequences 1106 */ 1107 if (!BIO_get_ktls_send(clientssl->wbio)) { 1108 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE, 1109 crec_wseq_after, SEQ_NUM_SIZE)) 1110 goto end; 1111 } else { 1112 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE, 1113 crec_wseq_after, SEQ_NUM_SIZE)) 1114 goto end; 1115 } 1116 1117 if (!BIO_get_ktls_send(serverssl->wbio)) { 1118 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE, 1119 srec_wseq_after, SEQ_NUM_SIZE)) 1120 goto end; 1121 } else { 1122 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE, 1123 srec_wseq_after, SEQ_NUM_SIZE)) 1124 goto end; 1125 } 1126 1127 if (!BIO_get_ktls_recv(clientssl->wbio)) { 1128 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE, 1129 crec_rseq_after, SEQ_NUM_SIZE)) 1130 goto end; 1131 } else { 1132 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE, 1133 crec_rseq_after, SEQ_NUM_SIZE)) 1134 goto end; 1135 } 1136 1137 if (!BIO_get_ktls_recv(serverssl->wbio)) { 1138 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE, 1139 srec_rseq_after, SEQ_NUM_SIZE)) 1140 goto end; 1141 } else { 1142 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE, 1143 srec_rseq_after, SEQ_NUM_SIZE)) 1144 goto end; 1145 } 1146 1147 return 1; 1148end: 1149 return 0; 1150} 1151 1152static int execute_test_ktls(int cis_ktls, int sis_ktls, 1153 int tls_version, const char *cipher) 1154{ 1155 SSL_CTX *cctx = NULL, *sctx = NULL; 1156 SSL *clientssl = NULL, *serverssl = NULL; 1157 int ktls_used = 0, testresult = 0; 1158 int cfd = -1, sfd = -1; 1159 int rx_supported; 1160 1161 if (!TEST_true(create_test_sockets(&cfd, &sfd))) 1162 goto end; 1163 1164 /* Skip this test if the platform does not support ktls */ 1165 if (!ktls_chk_platform(cfd)) { 1166 testresult = TEST_skip("Kernel does not support KTLS"); 1167 goto end; 1168 } 1169 1170 if (is_fips && strstr(cipher, "CHACHA") != NULL) { 1171 testresult = TEST_skip("CHACHA is not supported in FIPS"); 1172 goto end; 1173 } 1174 1175 /* Create a session based on SHA-256 */ 1176 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 1177 TLS_client_method(), 1178 tls_version, tls_version, 1179 &sctx, &cctx, cert, privkey))) 1180 goto end; 1181 1182 if (tls_version == TLS1_3_VERSION) { 1183 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher)) 1184 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher))) 1185 goto end; 1186 } else { 1187 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher)) 1188 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher))) 1189 goto end; 1190 } 1191 1192 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl, 1193 &clientssl, sfd, cfd))) 1194 goto end; 1195 1196 if (cis_ktls) { 1197 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS))) 1198 goto end; 1199 } 1200 1201 if (sis_ktls) { 1202 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS))) 1203 goto end; 1204 } 1205 1206 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 1207 goto end; 1208 1209 /* 1210 * The running kernel may not support a given cipher suite 1211 * or direction, so just check that KTLS isn't used when it 1212 * isn't enabled. 1213 */ 1214 if (!cis_ktls) { 1215 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio))) 1216 goto end; 1217 } else { 1218 if (BIO_get_ktls_send(clientssl->wbio)) 1219 ktls_used = 1; 1220 } 1221 1222 if (!sis_ktls) { 1223 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio))) 1224 goto end; 1225 } else { 1226 if (BIO_get_ktls_send(serverssl->wbio)) 1227 ktls_used = 1; 1228 } 1229 1230#if defined(OPENSSL_NO_KTLS_RX) 1231 rx_supported = 0; 1232#else 1233 rx_supported = (tls_version != TLS1_3_VERSION); 1234#endif 1235 if (!cis_ktls || !rx_supported) { 1236 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio))) 1237 goto end; 1238 } else { 1239 if (BIO_get_ktls_send(clientssl->rbio)) 1240 ktls_used = 1; 1241 } 1242 1243 if (!sis_ktls || !rx_supported) { 1244 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio))) 1245 goto end; 1246 } else { 1247 if (BIO_get_ktls_send(serverssl->rbio)) 1248 ktls_used = 1; 1249 } 1250 1251 if ((cis_ktls || sis_ktls) && !ktls_used) { 1252 testresult = TEST_skip("KTLS not supported for %s cipher %s", 1253 tls_version == TLS1_3_VERSION ? "TLS 1.3" : 1254 "TLS 1.2", cipher); 1255 goto end; 1256 } 1257 1258 if (!TEST_true(ping_pong_query(clientssl, serverssl))) 1259 goto end; 1260 1261 testresult = 1; 1262end: 1263 if (clientssl) { 1264 SSL_shutdown(clientssl); 1265 SSL_free(clientssl); 1266 } 1267 if (serverssl) { 1268 SSL_shutdown(serverssl); 1269 SSL_free(serverssl); 1270 } 1271 SSL_CTX_free(sctx); 1272 SSL_CTX_free(cctx); 1273 serverssl = clientssl = NULL; 1274 if (cfd != -1) 1275 close(cfd); 1276 if (sfd != -1) 1277 close(sfd); 1278 return testresult; 1279} 1280 1281#define SENDFILE_SZ (16 * 4096) 1282#define SENDFILE_CHUNK (4 * 4096) 1283#define min(a,b) ((a) > (b) ? (b) : (a)) 1284 1285static int execute_test_ktls_sendfile(int tls_version, const char *cipher) 1286{ 1287 SSL_CTX *cctx = NULL, *sctx = NULL; 1288 SSL *clientssl = NULL, *serverssl = NULL; 1289 unsigned char *buf, *buf_dst; 1290 BIO *out = NULL, *in = NULL; 1291 int cfd = -1, sfd = -1, ffd, err; 1292 ssize_t chunk_size = 0; 1293 off_t chunk_off = 0; 1294 int testresult = 0; 1295 FILE *ffdp; 1296 1297 buf = OPENSSL_zalloc(SENDFILE_SZ); 1298 buf_dst = OPENSSL_zalloc(SENDFILE_SZ); 1299 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst) 1300 || !TEST_true(create_test_sockets(&cfd, &sfd))) 1301 goto end; 1302 1303 /* Skip this test if the platform does not support ktls */ 1304 if (!ktls_chk_platform(sfd)) { 1305 testresult = TEST_skip("Kernel does not support KTLS"); 1306 goto end; 1307 } 1308 1309 if (is_fips && strstr(cipher, "CHACHA") != NULL) { 1310 testresult = TEST_skip("CHACHA is not supported in FIPS"); 1311 goto end; 1312 } 1313 1314 /* Create a session based on SHA-256 */ 1315 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 1316 TLS_client_method(), 1317 tls_version, tls_version, 1318 &sctx, &cctx, cert, privkey))) 1319 goto end; 1320 1321 if (tls_version == TLS1_3_VERSION) { 1322 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher)) 1323 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher))) 1324 goto end; 1325 } else { 1326 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher)) 1327 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher))) 1328 goto end; 1329 } 1330 1331 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl, 1332 &clientssl, sfd, cfd))) 1333 goto end; 1334 1335 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS))) 1336 goto end; 1337 1338 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 1339 SSL_ERROR_NONE))) 1340 goto end; 1341 1342 if (!BIO_get_ktls_send(serverssl->wbio)) { 1343 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s", 1344 tls_version == TLS1_3_VERSION ? "TLS 1.3" : 1345 "TLS 1.2", cipher); 1346 goto end; 1347 } 1348 1349 if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0)) 1350 goto end; 1351 1352 out = BIO_new_file(tmpfilename, "wb"); 1353 if (!TEST_ptr(out)) 1354 goto end; 1355 1356 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ) 1357 goto end; 1358 1359 BIO_free(out); 1360 out = NULL; 1361 in = BIO_new_file(tmpfilename, "rb"); 1362 BIO_get_fp(in, &ffdp); 1363 ffd = fileno(ffdp); 1364 1365 while (chunk_off < SENDFILE_SZ) { 1366 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off); 1367 while ((err = SSL_sendfile(serverssl, 1368 ffd, 1369 chunk_off, 1370 chunk_size, 1371 0)) != chunk_size) { 1372 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE) 1373 goto end; 1374 } 1375 while ((err = SSL_read(clientssl, 1376 buf_dst + chunk_off, 1377 chunk_size)) != chunk_size) { 1378 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) 1379 goto end; 1380 } 1381 1382 /* verify the payload */ 1383 if (!TEST_mem_eq(buf_dst + chunk_off, 1384 chunk_size, 1385 buf + chunk_off, 1386 chunk_size)) 1387 goto end; 1388 1389 chunk_off += chunk_size; 1390 } 1391 1392 testresult = 1; 1393end: 1394 if (clientssl) { 1395 SSL_shutdown(clientssl); 1396 SSL_free(clientssl); 1397 } 1398 if (serverssl) { 1399 SSL_shutdown(serverssl); 1400 SSL_free(serverssl); 1401 } 1402 SSL_CTX_free(sctx); 1403 SSL_CTX_free(cctx); 1404 serverssl = clientssl = NULL; 1405 BIO_free(out); 1406 BIO_free(in); 1407 if (cfd != -1) 1408 close(cfd); 1409 if (sfd != -1) 1410 close(sfd); 1411 OPENSSL_free(buf); 1412 OPENSSL_free(buf_dst); 1413 return testresult; 1414} 1415 1416static struct ktls_test_cipher { 1417 int tls_version; 1418 const char *cipher; 1419} ktls_test_ciphers[] = { 1420# if !defined(OPENSSL_NO_TLS1_2) 1421# ifdef OPENSSL_KTLS_AES_GCM_128 1422 { TLS1_2_VERSION, "AES128-GCM-SHA256" }, 1423# endif 1424# ifdef OPENSSL_KTLS_AES_CCM_128 1425 { TLS1_2_VERSION, "AES128-CCM"}, 1426# endif 1427# ifdef OPENSSL_KTLS_AES_GCM_256 1428 { TLS1_2_VERSION, "AES256-GCM-SHA384"}, 1429# endif 1430# ifdef OPENSSL_KTLS_CHACHA20_POLY1305 1431# ifndef OPENSSL_NO_EC 1432 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"}, 1433# endif 1434# endif 1435# endif 1436# if !defined(OSSL_NO_USABLE_TLS1_3) 1437# ifdef OPENSSL_KTLS_AES_GCM_128 1438 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" }, 1439# endif 1440# ifdef OPENSSL_KTLS_AES_CCM_128 1441 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" }, 1442# endif 1443# ifdef OPENSSL_KTLS_AES_GCM_256 1444 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" }, 1445# endif 1446# ifdef OPENSSL_KTLS_CHACHA20_POLY1305 1447 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" }, 1448# endif 1449# endif 1450}; 1451 1452#define NUM_KTLS_TEST_CIPHERS \ 1453 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0])) 1454 1455static int test_ktls(int test) 1456{ 1457 struct ktls_test_cipher *cipher; 1458 int cis_ktls, sis_ktls; 1459 1460 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS); 1461 cipher = &ktls_test_ciphers[test / 4]; 1462 1463 cis_ktls = (test & 1) != 0; 1464 sis_ktls = (test & 2) != 0; 1465 1466 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version, 1467 cipher->cipher); 1468} 1469 1470static int test_ktls_sendfile(int tst) 1471{ 1472 struct ktls_test_cipher *cipher; 1473 1474 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS); 1475 cipher = &ktls_test_ciphers[tst]; 1476 1477 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher); 1478} 1479#endif 1480 1481static int test_large_message_tls(void) 1482{ 1483 return execute_test_large_message(TLS_server_method(), TLS_client_method(), 1484 TLS1_VERSION, 0, 0); 1485} 1486 1487static int test_large_message_tls_read_ahead(void) 1488{ 1489 return execute_test_large_message(TLS_server_method(), TLS_client_method(), 1490 TLS1_VERSION, 0, 1); 1491} 1492 1493#ifndef OPENSSL_NO_DTLS 1494static int test_large_message_dtls(void) 1495{ 1496# ifdef OPENSSL_NO_DTLS1_2 1497 /* Not supported in the FIPS provider */ 1498 if (is_fips) 1499 return 1; 1500# endif 1501 /* 1502 * read_ahead is not relevant to DTLS because DTLS always acts as if 1503 * read_ahead is set. 1504 */ 1505 return execute_test_large_message(DTLS_server_method(), 1506 DTLS_client_method(), 1507 DTLS1_VERSION, 0, 0); 1508} 1509#endif 1510 1511/* 1512 * Test we can successfully send the maximum amount of application data. We 1513 * test each protocol version individually, each with and without EtM enabled. 1514 * TLSv1.3 doesn't use EtM so technically it is redundant to test both but it is 1515 * simpler this way. We also test all combinations with and without the 1516 * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option which affects the size of the 1517 * underlying buffer. 1518 */ 1519static int test_large_app_data(int tst) 1520{ 1521 SSL_CTX *cctx = NULL, *sctx = NULL; 1522 SSL *clientssl = NULL, *serverssl = NULL; 1523 int testresult = 0, prot; 1524 unsigned char *msg, *buf = NULL; 1525 size_t written, readbytes; 1526 const SSL_METHOD *smeth = TLS_server_method(); 1527 const SSL_METHOD *cmeth = TLS_client_method(); 1528 1529 switch (tst >> 2) { 1530 case 0: 1531#ifndef OSSL_NO_USABLE_TLS1_3 1532 prot = TLS1_3_VERSION; 1533 break; 1534#else 1535 return 1; 1536#endif 1537 1538 case 1: 1539#ifndef OPENSSL_NO_TLS1_2 1540 prot = TLS1_2_VERSION; 1541 break; 1542#else 1543 return 1; 1544#endif 1545 1546 case 2: 1547#ifndef OPENSSL_NO_TLS1_1 1548 prot = TLS1_1_VERSION; 1549 break; 1550#else 1551 return 1; 1552#endif 1553 1554 case 3: 1555#ifndef OPENSSL_NO_TLS1 1556 prot = TLS1_VERSION; 1557 break; 1558#else 1559 return 1; 1560#endif 1561 1562 case 4: 1563#ifndef OPENSSL_NO_SSL3 1564 prot = SSL3_VERSION; 1565 break; 1566#else 1567 return 1; 1568#endif 1569 1570 case 5: 1571#ifndef OPENSSL_NO_DTLS1_2 1572 prot = DTLS1_2_VERSION; 1573 smeth = DTLS_server_method(); 1574 cmeth = DTLS_client_method(); 1575 break; 1576#else 1577 return 1; 1578#endif 1579 1580 case 6: 1581#ifndef OPENSSL_NO_DTLS1 1582 prot = DTLS1_VERSION; 1583 smeth = DTLS_server_method(); 1584 cmeth = DTLS_client_method(); 1585 break; 1586#else 1587 return 1; 1588#endif 1589 1590 default: 1591 /* Shouldn't happen */ 1592 return 0; 1593 } 1594 1595 if ((prot < TLS1_2_VERSION || prot == DTLS1_VERSION) && is_fips) 1596 return 1; 1597 1598 /* Maximal sized message of zeros */ 1599 msg = OPENSSL_zalloc(SSL3_RT_MAX_PLAIN_LENGTH); 1600 if (!TEST_ptr(msg)) 1601 goto end; 1602 1603 buf = OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH + 1); 1604 if (!TEST_ptr(buf)) 1605 goto end; 1606 /* Set whole buffer to all bits set */ 1607 memset(buf, 0xff, SSL3_RT_MAX_PLAIN_LENGTH + 1); 1608 1609 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, prot, prot, 1610 &sctx, &cctx, cert, privkey))) 1611 goto end; 1612 1613 if (prot < TLS1_2_VERSION || prot == DTLS1_VERSION) { 1614 /* Older protocol versions need SECLEVEL=0 due to SHA1 usage */ 1615 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")) 1616 || !TEST_true(SSL_CTX_set_cipher_list(sctx, 1617 "DEFAULT:@SECLEVEL=0"))) 1618 goto end; 1619 } 1620 1621 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 1622 &clientssl, NULL, NULL))) 1623 goto end; 1624 1625 if ((tst & 1) != 0) { 1626 /* Setting this option gives us a minimally sized underlying buffer */ 1627 if (!TEST_true(SSL_set_options(serverssl, 1628 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) 1629 || !TEST_true(SSL_set_options(clientssl, 1630 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))) 1631 goto end; 1632 } 1633 1634 if ((tst & 2) != 0) { 1635 /* 1636 * Setting this option means the MAC is added before encryption 1637 * giving us a larger record for the encryption process 1638 */ 1639 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC)) 1640 || !TEST_true(SSL_set_options(clientssl, 1641 SSL_OP_NO_ENCRYPT_THEN_MAC))) 1642 goto end; 1643 } 1644 1645 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 1646 goto end; 1647 1648 if (!TEST_true(SSL_write_ex(clientssl, msg, SSL3_RT_MAX_PLAIN_LENGTH, 1649 &written)) 1650 || !TEST_size_t_eq(written, SSL3_RT_MAX_PLAIN_LENGTH)) 1651 goto end; 1652 1653 /* We provide a buffer slightly larger than what we are actually expecting */ 1654 if (!TEST_true(SSL_read_ex(serverssl, buf, SSL3_RT_MAX_PLAIN_LENGTH + 1, 1655 &readbytes))) 1656 goto end; 1657 1658 if (!TEST_mem_eq(msg, written, buf, readbytes)) 1659 goto end; 1660 1661 testresult = 1; 1662end: 1663 OPENSSL_free(msg); 1664 OPENSSL_free(buf); 1665 SSL_free(serverssl); 1666 SSL_free(clientssl); 1667 SSL_CTX_free(sctx); 1668 SSL_CTX_free(cctx); 1669 return testresult; 1670} 1671 1672static int execute_cleanse_plaintext(const SSL_METHOD *smeth, 1673 const SSL_METHOD *cmeth, 1674 int min_version, int max_version) 1675{ 1676 size_t i; 1677 SSL_CTX *cctx = NULL, *sctx = NULL; 1678 SSL *clientssl = NULL, *serverssl = NULL; 1679 int testresult = 0; 1680 SSL3_RECORD *rr; 1681 void *zbuf; 1682 1683 static unsigned char cbuf[16000]; 1684 static unsigned char sbuf[16000]; 1685 1686 if (!TEST_true(create_ssl_ctx_pair(libctx, 1687 smeth, cmeth, 1688 min_version, max_version, 1689 &sctx, &cctx, cert, 1690 privkey))) 1691 goto end; 1692 1693#ifdef OPENSSL_NO_DTLS1_2 1694 if (smeth == DTLS_server_method()) { 1695# ifdef OPENSSL_NO_DTLS1_2 1696 /* Not supported in the FIPS provider */ 1697 if (is_fips) { 1698 testresult = 1; 1699 goto end; 1700 }; 1701# endif 1702 /* 1703 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security 1704 * level 0 1705 */ 1706 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")) 1707 || !TEST_true(SSL_CTX_set_cipher_list(cctx, 1708 "DEFAULT:@SECLEVEL=0"))) 1709 goto end; 1710 } 1711#endif 1712 1713 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 1714 NULL, NULL))) 1715 goto end; 1716 1717 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT))) 1718 goto end; 1719 1720 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 1721 SSL_ERROR_NONE))) 1722 goto end; 1723 1724 for (i = 0; i < sizeof(cbuf); i++) { 1725 cbuf[i] = i & 0xff; 1726 } 1727 1728 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf))) 1729 goto end; 1730 1731 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf))) 1732 goto end; 1733 1734 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf))) 1735 goto end; 1736 1737 /* 1738 * Since we called SSL_peek(), we know the data in the record 1739 * layer is a plaintext record. We can gather the pointer to check 1740 * for zeroization after SSL_read(). 1741 */ 1742 rr = serverssl->rlayer.rrec; 1743 zbuf = &rr->data[rr->off]; 1744 if (!TEST_int_eq(rr->length, sizeof(cbuf))) 1745 goto end; 1746 1747 /* 1748 * After SSL_peek() the plaintext must still be stored in the 1749 * record. 1750 */ 1751 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf))) 1752 goto end; 1753 1754 memset(sbuf, 0, sizeof(sbuf)); 1755 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf))) 1756 goto end; 1757 1758 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf))) 1759 goto end; 1760 1761 /* Check if rbuf is cleansed */ 1762 memset(cbuf, 0, sizeof(cbuf)); 1763 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf))) 1764 goto end; 1765 1766 testresult = 1; 1767 end: 1768 SSL_free(serverssl); 1769 SSL_free(clientssl); 1770 SSL_CTX_free(sctx); 1771 SSL_CTX_free(cctx); 1772 1773 return testresult; 1774} 1775 1776static int test_cleanse_plaintext(void) 1777{ 1778#if !defined(OPENSSL_NO_TLS1_2) 1779 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(), 1780 TLS_client_method(), 1781 TLS1_2_VERSION, 1782 TLS1_2_VERSION))) 1783 return 0; 1784 1785#endif 1786 1787#if !defined(OSSL_NO_USABLE_TLS1_3) 1788 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(), 1789 TLS_client_method(), 1790 TLS1_3_VERSION, 1791 TLS1_3_VERSION))) 1792 return 0; 1793#endif 1794 1795#if !defined(OPENSSL_NO_DTLS) 1796 1797 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(), 1798 DTLS_client_method(), 1799 DTLS1_VERSION, 1800 0))) 1801 return 0; 1802#endif 1803 return 1; 1804} 1805 1806#ifndef OPENSSL_NO_OCSP 1807static int ocsp_server_cb(SSL *s, void *arg) 1808{ 1809 int *argi = (int *)arg; 1810 unsigned char *copy = NULL; 1811 STACK_OF(OCSP_RESPID) *ids = NULL; 1812 OCSP_RESPID *id = NULL; 1813 1814 if (*argi == 2) { 1815 /* In this test we are expecting exactly 1 OCSP_RESPID */ 1816 SSL_get_tlsext_status_ids(s, &ids); 1817 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1) 1818 return SSL_TLSEXT_ERR_ALERT_FATAL; 1819 1820 id = sk_OCSP_RESPID_value(ids, 0); 1821 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL)) 1822 return SSL_TLSEXT_ERR_ALERT_FATAL; 1823 } else if (*argi != 1) { 1824 return SSL_TLSEXT_ERR_ALERT_FATAL; 1825 } 1826 1827 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder)))) 1828 return SSL_TLSEXT_ERR_ALERT_FATAL; 1829 1830 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy, 1831 sizeof(orespder)))) { 1832 OPENSSL_free(copy); 1833 return SSL_TLSEXT_ERR_ALERT_FATAL; 1834 } 1835 ocsp_server_called = 1; 1836 return SSL_TLSEXT_ERR_OK; 1837} 1838 1839static int ocsp_client_cb(SSL *s, void *arg) 1840{ 1841 int *argi = (int *)arg; 1842 const unsigned char *respderin; 1843 size_t len; 1844 1845 if (*argi != 1 && *argi != 2) 1846 return 0; 1847 1848 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin); 1849 if (!TEST_mem_eq(orespder, len, respderin, len)) 1850 return 0; 1851 1852 ocsp_client_called = 1; 1853 return 1; 1854} 1855 1856static int test_tlsext_status_type(void) 1857{ 1858 SSL_CTX *cctx = NULL, *sctx = NULL; 1859 SSL *clientssl = NULL, *serverssl = NULL; 1860 int testresult = 0; 1861 STACK_OF(OCSP_RESPID) *ids = NULL; 1862 OCSP_RESPID *id = NULL; 1863 BIO *certbio = NULL; 1864 1865 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), 1866 TLS1_VERSION, 0, 1867 &sctx, &cctx, cert, privkey)) 1868 return 0; 1869 1870 if (SSL_CTX_get_tlsext_status_type(cctx) != -1) 1871 goto end; 1872 1873 /* First just do various checks getting and setting tlsext_status_type */ 1874 1875 clientssl = SSL_new(cctx); 1876 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1) 1877 || !TEST_true(SSL_set_tlsext_status_type(clientssl, 1878 TLSEXT_STATUSTYPE_ocsp)) 1879 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl), 1880 TLSEXT_STATUSTYPE_ocsp)) 1881 goto end; 1882 1883 SSL_free(clientssl); 1884 clientssl = NULL; 1885 1886 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp) 1887 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp) 1888 goto end; 1889 1890 clientssl = SSL_new(cctx); 1891 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp) 1892 goto end; 1893 SSL_free(clientssl); 1894 clientssl = NULL; 1895 1896 /* 1897 * Now actually do a handshake and check OCSP information is exchanged and 1898 * the callbacks get called 1899 */ 1900 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb); 1901 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg); 1902 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb); 1903 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg); 1904 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 1905 &clientssl, NULL, NULL)) 1906 || !TEST_true(create_ssl_connection(serverssl, clientssl, 1907 SSL_ERROR_NONE)) 1908 || !TEST_true(ocsp_client_called) 1909 || !TEST_true(ocsp_server_called)) 1910 goto end; 1911 SSL_free(serverssl); 1912 SSL_free(clientssl); 1913 serverssl = NULL; 1914 clientssl = NULL; 1915 1916 /* Try again but this time force the server side callback to fail */ 1917 ocsp_client_called = 0; 1918 ocsp_server_called = 0; 1919 cdummyarg = 0; 1920 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 1921 &clientssl, NULL, NULL)) 1922 /* This should fail because the callback will fail */ 1923 || !TEST_false(create_ssl_connection(serverssl, clientssl, 1924 SSL_ERROR_NONE)) 1925 || !TEST_false(ocsp_client_called) 1926 || !TEST_false(ocsp_server_called)) 1927 goto end; 1928 SSL_free(serverssl); 1929 SSL_free(clientssl); 1930 serverssl = NULL; 1931 clientssl = NULL; 1932 1933 /* 1934 * This time we'll get the client to send an OCSP_RESPID that it will 1935 * accept. 1936 */ 1937 ocsp_client_called = 0; 1938 ocsp_server_called = 0; 1939 cdummyarg = 2; 1940 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 1941 &clientssl, NULL, NULL))) 1942 goto end; 1943 1944 /* 1945 * We'll just use any old cert for this test - it doesn't have to be an OCSP 1946 * specific one. We'll use the server cert. 1947 */ 1948 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")) 1949 || !TEST_ptr(id = OCSP_RESPID_new()) 1950 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null()) 1951 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL)) 1952 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL)) 1953 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL)) 1954 || !TEST_true(sk_OCSP_RESPID_push(ids, id))) 1955 goto end; 1956 id = NULL; 1957 SSL_set_tlsext_status_ids(clientssl, ids); 1958 /* Control has been transferred */ 1959 ids = NULL; 1960 1961 BIO_free(certbio); 1962 certbio = NULL; 1963 1964 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 1965 SSL_ERROR_NONE)) 1966 || !TEST_true(ocsp_client_called) 1967 || !TEST_true(ocsp_server_called)) 1968 goto end; 1969 1970 testresult = 1; 1971 1972 end: 1973 SSL_free(serverssl); 1974 SSL_free(clientssl); 1975 SSL_CTX_free(sctx); 1976 SSL_CTX_free(cctx); 1977 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free); 1978 OCSP_RESPID_free(id); 1979 BIO_free(certbio); 1980 X509_free(ocspcert); 1981 ocspcert = NULL; 1982 1983 return testresult; 1984} 1985#endif 1986 1987#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) 1988static int new_called, remove_called, get_called; 1989 1990static int new_session_cb(SSL *ssl, SSL_SESSION *sess) 1991{ 1992 new_called++; 1993 /* 1994 * sess has been up-refed for us, but we don't actually need it so free it 1995 * immediately. 1996 */ 1997 SSL_SESSION_free(sess); 1998 return 1; 1999} 2000 2001static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess) 2002{ 2003 remove_called++; 2004} 2005 2006static SSL_SESSION *get_sess_val = NULL; 2007 2008static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len, 2009 int *copy) 2010{ 2011 get_called++; 2012 *copy = 1; 2013 return get_sess_val; 2014} 2015 2016static int execute_test_session(int maxprot, int use_int_cache, 2017 int use_ext_cache, long s_options) 2018{ 2019 SSL_CTX *sctx = NULL, *cctx = NULL; 2020 SSL *serverssl1 = NULL, *clientssl1 = NULL; 2021 SSL *serverssl2 = NULL, *clientssl2 = NULL; 2022# ifndef OPENSSL_NO_TLS1_1 2023 SSL *serverssl3 = NULL, *clientssl3 = NULL; 2024# endif 2025 SSL_SESSION *sess1 = NULL, *sess2 = NULL; 2026 int testresult = 0, numnewsesstick = 1; 2027 2028 new_called = remove_called = 0; 2029 2030 /* TLSv1.3 sends 2 NewSessionTickets */ 2031 if (maxprot == TLS1_3_VERSION) 2032 numnewsesstick = 2; 2033 2034 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 2035 TLS_client_method(), TLS1_VERSION, 0, 2036 &sctx, &cctx, cert, privkey))) 2037 return 0; 2038 2039 /* 2040 * Only allow the max protocol version so we can force a connection failure 2041 * later 2042 */ 2043 SSL_CTX_set_min_proto_version(cctx, maxprot); 2044 SSL_CTX_set_max_proto_version(cctx, maxprot); 2045 2046 /* Set up session cache */ 2047 if (use_ext_cache) { 2048 SSL_CTX_sess_set_new_cb(cctx, new_session_cb); 2049 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb); 2050 } 2051 if (use_int_cache) { 2052 /* Also covers instance where both are set */ 2053 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT); 2054 } else { 2055 SSL_CTX_set_session_cache_mode(cctx, 2056 SSL_SESS_CACHE_CLIENT 2057 | SSL_SESS_CACHE_NO_INTERNAL_STORE); 2058 } 2059 2060 if (s_options) { 2061 SSL_CTX_set_options(sctx, s_options); 2062 } 2063 2064 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1, 2065 NULL, NULL)) 2066 || !TEST_true(create_ssl_connection(serverssl1, clientssl1, 2067 SSL_ERROR_NONE)) 2068 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))) 2069 goto end; 2070 2071 /* Should fail because it should already be in the cache */ 2072 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1))) 2073 goto end; 2074 if (use_ext_cache 2075 && (!TEST_int_eq(new_called, numnewsesstick) 2076 2077 || !TEST_int_eq(remove_called, 0))) 2078 goto end; 2079 2080 new_called = remove_called = 0; 2081 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2, 2082 &clientssl2, NULL, NULL)) 2083 || !TEST_true(SSL_set_session(clientssl2, sess1)) 2084 || !TEST_true(create_ssl_connection(serverssl2, clientssl2, 2085 SSL_ERROR_NONE)) 2086 || !TEST_true(SSL_session_reused(clientssl2))) 2087 goto end; 2088 2089 if (maxprot == TLS1_3_VERSION) { 2090 /* 2091 * In TLSv1.3 we should have created a new session even though we have 2092 * resumed. Since we attempted a resume we should also have removed the 2093 * old ticket from the cache so that we try to only use tickets once. 2094 */ 2095 if (use_ext_cache 2096 && (!TEST_int_eq(new_called, 1) 2097 || !TEST_int_eq(remove_called, 1))) 2098 goto end; 2099 } else { 2100 /* 2101 * In TLSv1.2 we expect to have resumed so no sessions added or 2102 * removed. 2103 */ 2104 if (use_ext_cache 2105 && (!TEST_int_eq(new_called, 0) 2106 || !TEST_int_eq(remove_called, 0))) 2107 goto end; 2108 } 2109 2110 SSL_SESSION_free(sess1); 2111 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2))) 2112 goto end; 2113 shutdown_ssl_connection(serverssl2, clientssl2); 2114 serverssl2 = clientssl2 = NULL; 2115 2116 new_called = remove_called = 0; 2117 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2, 2118 &clientssl2, NULL, NULL)) 2119 || !TEST_true(create_ssl_connection(serverssl2, clientssl2, 2120 SSL_ERROR_NONE))) 2121 goto end; 2122 2123 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2))) 2124 goto end; 2125 2126 if (use_ext_cache 2127 && (!TEST_int_eq(new_called, numnewsesstick) 2128 || !TEST_int_eq(remove_called, 0))) 2129 goto end; 2130 2131 new_called = remove_called = 0; 2132 /* 2133 * This should clear sess2 from the cache because it is a "bad" session. 2134 * See SSL_set_session() documentation. 2135 */ 2136 if (!TEST_true(SSL_set_session(clientssl2, sess1))) 2137 goto end; 2138 if (use_ext_cache 2139 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1))) 2140 goto end; 2141 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1)) 2142 goto end; 2143 2144 if (use_int_cache) { 2145 /* Should succeeded because it should not already be in the cache */ 2146 if (!TEST_true(SSL_CTX_add_session(cctx, sess2)) 2147 || !TEST_true(SSL_CTX_remove_session(cctx, sess2))) 2148 goto end; 2149 } 2150 2151 new_called = remove_called = 0; 2152 /* This shouldn't be in the cache so should fail */ 2153 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2))) 2154 goto end; 2155 2156 if (use_ext_cache 2157 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1))) 2158 goto end; 2159 2160# if !defined(OPENSSL_NO_TLS1_1) 2161 new_called = remove_called = 0; 2162 /* Force a connection failure */ 2163 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION); 2164 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3, 2165 &clientssl3, NULL, NULL)) 2166 || !TEST_true(SSL_set_session(clientssl3, sess1)) 2167 /* This should fail because of the mismatched protocol versions */ 2168 || !TEST_false(create_ssl_connection(serverssl3, clientssl3, 2169 SSL_ERROR_NONE))) 2170 goto end; 2171 2172 /* We should have automatically removed the session from the cache */ 2173 if (use_ext_cache 2174 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1))) 2175 goto end; 2176 2177 /* Should succeed because it should not already be in the cache */ 2178 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2))) 2179 goto end; 2180# endif 2181 2182 /* Now do some tests for server side caching */ 2183 if (use_ext_cache) { 2184 SSL_CTX_sess_set_new_cb(cctx, NULL); 2185 SSL_CTX_sess_set_remove_cb(cctx, NULL); 2186 SSL_CTX_sess_set_new_cb(sctx, new_session_cb); 2187 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb); 2188 SSL_CTX_sess_set_get_cb(sctx, get_session_cb); 2189 get_sess_val = NULL; 2190 } 2191 2192 SSL_CTX_set_session_cache_mode(cctx, 0); 2193 /* Internal caching is the default on the server side */ 2194 if (!use_int_cache) 2195 SSL_CTX_set_session_cache_mode(sctx, 2196 SSL_SESS_CACHE_SERVER 2197 | SSL_SESS_CACHE_NO_INTERNAL_STORE); 2198 2199 SSL_free(serverssl1); 2200 SSL_free(clientssl1); 2201 serverssl1 = clientssl1 = NULL; 2202 SSL_free(serverssl2); 2203 SSL_free(clientssl2); 2204 serverssl2 = clientssl2 = NULL; 2205 SSL_SESSION_free(sess1); 2206 sess1 = NULL; 2207 SSL_SESSION_free(sess2); 2208 sess2 = NULL; 2209 2210 SSL_CTX_set_max_proto_version(sctx, maxprot); 2211 if (maxprot == TLS1_2_VERSION) 2212 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET); 2213 new_called = remove_called = get_called = 0; 2214 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1, 2215 NULL, NULL)) 2216 || !TEST_true(create_ssl_connection(serverssl1, clientssl1, 2217 SSL_ERROR_NONE)) 2218 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)) 2219 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1))) 2220 goto end; 2221 2222 if (use_int_cache) { 2223 if (maxprot == TLS1_3_VERSION && !use_ext_cache) { 2224 /* 2225 * In TLSv1.3 it should not have been added to the internal cache, 2226 * except in the case where we also have an external cache (in that 2227 * case it gets added to the cache in order to generate remove 2228 * events after timeout). 2229 */ 2230 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2))) 2231 goto end; 2232 } else { 2233 /* Should fail because it should already be in the cache */ 2234 if (!TEST_false(SSL_CTX_add_session(sctx, sess2))) 2235 goto end; 2236 } 2237 } 2238 2239 if (use_ext_cache) { 2240 SSL_SESSION *tmp = sess2; 2241 2242 if (!TEST_int_eq(new_called, numnewsesstick) 2243 || !TEST_int_eq(remove_called, 0) 2244 || !TEST_int_eq(get_called, 0)) 2245 goto end; 2246 /* 2247 * Delete the session from the internal cache to force a lookup from 2248 * the external cache. We take a copy first because 2249 * SSL_CTX_remove_session() also marks the session as non-resumable. 2250 */ 2251 if (use_int_cache && maxprot != TLS1_3_VERSION) { 2252 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2)) 2253 || !TEST_true(sess2->owner != NULL) 2254 || !TEST_true(tmp->owner == NULL) 2255 || !TEST_true(SSL_CTX_remove_session(sctx, sess2))) 2256 goto end; 2257 SSL_SESSION_free(sess2); 2258 } 2259 sess2 = tmp; 2260 } 2261 2262 new_called = remove_called = get_called = 0; 2263 get_sess_val = sess2; 2264 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2, 2265 &clientssl2, NULL, NULL)) 2266 || !TEST_true(SSL_set_session(clientssl2, sess1)) 2267 || !TEST_true(create_ssl_connection(serverssl2, clientssl2, 2268 SSL_ERROR_NONE)) 2269 || !TEST_true(SSL_session_reused(clientssl2))) 2270 goto end; 2271 2272 if (use_ext_cache) { 2273 if (!TEST_int_eq(remove_called, 0)) 2274 goto end; 2275 2276 if (maxprot == TLS1_3_VERSION) { 2277 if (!TEST_int_eq(new_called, 1) 2278 || !TEST_int_eq(get_called, 0)) 2279 goto end; 2280 } else { 2281 if (!TEST_int_eq(new_called, 0) 2282 || !TEST_int_eq(get_called, 1)) 2283 goto end; 2284 } 2285 } 2286 /* 2287 * Make a small cache, force out all other sessions but 2288 * sess2, try to add sess1, which should succeed. Then 2289 * make sure it's there by checking the owners. Despite 2290 * the timeouts, sess1 should have kicked out sess2 2291 */ 2292 2293 /* Make sess1 expire before sess2 */ 2294 if (!TEST_long_gt(SSL_SESSION_set_time(sess1, 1000), 0) 2295 || !TEST_long_gt(SSL_SESSION_set_timeout(sess1, 1000), 0) 2296 || !TEST_long_gt(SSL_SESSION_set_time(sess2, 2000), 0) 2297 || !TEST_long_gt(SSL_SESSION_set_timeout(sess2, 2000), 0)) 2298 goto end; 2299 2300 if (!TEST_long_ne(SSL_CTX_sess_set_cache_size(sctx, 1), 0)) 2301 goto end; 2302 2303 /* Don't care about results - cache should only be sess2 at end */ 2304 SSL_CTX_add_session(sctx, sess1); 2305 SSL_CTX_add_session(sctx, sess2); 2306 2307 /* Now add sess1, and make sure it remains, despite timeout */ 2308 if (!TEST_true(SSL_CTX_add_session(sctx, sess1)) 2309 || !TEST_ptr(sess1->owner) 2310 || !TEST_ptr_null(sess2->owner)) 2311 goto end; 2312 2313 testresult = 1; 2314 2315 end: 2316 SSL_free(serverssl1); 2317 SSL_free(clientssl1); 2318 SSL_free(serverssl2); 2319 SSL_free(clientssl2); 2320# ifndef OPENSSL_NO_TLS1_1 2321 SSL_free(serverssl3); 2322 SSL_free(clientssl3); 2323# endif 2324 SSL_SESSION_free(sess1); 2325 SSL_SESSION_free(sess2); 2326 SSL_CTX_free(sctx); 2327 SSL_CTX_free(cctx); 2328 2329 return testresult; 2330} 2331#endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */ 2332 2333static int test_session_with_only_int_cache(void) 2334{ 2335#ifndef OSSL_NO_USABLE_TLS1_3 2336 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0)) 2337 return 0; 2338#endif 2339 2340#ifndef OPENSSL_NO_TLS1_2 2341 return execute_test_session(TLS1_2_VERSION, 1, 0, 0); 2342#else 2343 return 1; 2344#endif 2345} 2346 2347static int test_session_with_only_ext_cache(void) 2348{ 2349#ifndef OSSL_NO_USABLE_TLS1_3 2350 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0)) 2351 return 0; 2352#endif 2353 2354#ifndef OPENSSL_NO_TLS1_2 2355 return execute_test_session(TLS1_2_VERSION, 0, 1, 0); 2356#else 2357 return 1; 2358#endif 2359} 2360 2361static int test_session_with_both_cache(void) 2362{ 2363#ifndef OSSL_NO_USABLE_TLS1_3 2364 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0)) 2365 return 0; 2366#endif 2367 2368#ifndef OPENSSL_NO_TLS1_2 2369 return execute_test_session(TLS1_2_VERSION, 1, 1, 0); 2370#else 2371 return 1; 2372#endif 2373} 2374 2375static int test_session_wo_ca_names(void) 2376{ 2377#ifndef OSSL_NO_USABLE_TLS1_3 2378 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES)) 2379 return 0; 2380#endif 2381 2382#ifndef OPENSSL_NO_TLS1_2 2383 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES); 2384#else 2385 return 1; 2386#endif 2387} 2388 2389#ifndef OSSL_NO_USABLE_TLS1_3 2390static SSL_SESSION *sesscache[6]; 2391static int do_cache; 2392 2393static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess) 2394{ 2395 if (do_cache) { 2396 sesscache[new_called] = sess; 2397 } else { 2398 /* We don't need the reference to the session, so free it */ 2399 SSL_SESSION_free(sess); 2400 } 2401 new_called++; 2402 2403 return 1; 2404} 2405 2406static int post_handshake_verify(SSL *sssl, SSL *cssl) 2407{ 2408 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL); 2409 if (!TEST_true(SSL_verify_client_post_handshake(sssl))) 2410 return 0; 2411 2412 /* Start handshake on the server and client */ 2413 if (!TEST_int_eq(SSL_do_handshake(sssl), 1) 2414 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0) 2415 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0) 2416 || !TEST_true(create_ssl_connection(sssl, cssl, 2417 SSL_ERROR_NONE))) 2418 return 0; 2419 2420 return 1; 2421} 2422 2423static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx, 2424 SSL_CTX **cctx) 2425{ 2426 int sess_id_ctx = 1; 2427 2428 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 2429 TLS_client_method(), TLS1_VERSION, 0, 2430 sctx, cctx, cert, privkey)) 2431 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx)) 2432 || !TEST_true(SSL_CTX_set_session_id_context(*sctx, 2433 (void *)&sess_id_ctx, 2434 sizeof(sess_id_ctx)))) 2435 return 0; 2436 2437 if (stateful) 2438 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET); 2439 2440 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT 2441 | SSL_SESS_CACHE_NO_INTERNAL_STORE); 2442 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb); 2443 2444 return 1; 2445} 2446 2447static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ) 2448{ 2449 SSL *serverssl = NULL, *clientssl = NULL; 2450 int i; 2451 2452 /* Test that we can resume with all the tickets we got given */ 2453 for (i = 0; i < idx * 2; i++) { 2454 new_called = 0; 2455 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 2456 &clientssl, NULL, NULL)) 2457 || !TEST_true(SSL_set_session(clientssl, sesscache[i]))) 2458 goto end; 2459 2460 SSL_set_post_handshake_auth(clientssl, 1); 2461 2462 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 2463 SSL_ERROR_NONE))) 2464 goto end; 2465 2466 /* 2467 * Following a successful resumption we only get 1 ticket. After a 2468 * failed one we should get idx tickets. 2469 */ 2470 if (succ) { 2471 if (!TEST_true(SSL_session_reused(clientssl)) 2472 || !TEST_int_eq(new_called, 1)) 2473 goto end; 2474 } else { 2475 if (!TEST_false(SSL_session_reused(clientssl)) 2476 || !TEST_int_eq(new_called, idx)) 2477 goto end; 2478 } 2479 2480 new_called = 0; 2481 /* After a post-handshake authentication we should get 1 new ticket */ 2482 if (succ 2483 && (!post_handshake_verify(serverssl, clientssl) 2484 || !TEST_int_eq(new_called, 1))) 2485 goto end; 2486 2487 SSL_shutdown(clientssl); 2488 SSL_shutdown(serverssl); 2489 SSL_free(serverssl); 2490 SSL_free(clientssl); 2491 serverssl = clientssl = NULL; 2492 SSL_SESSION_free(sesscache[i]); 2493 sesscache[i] = NULL; 2494 } 2495 2496 return 1; 2497 2498 end: 2499 SSL_free(clientssl); 2500 SSL_free(serverssl); 2501 return 0; 2502} 2503 2504static int test_tickets(int stateful, int idx) 2505{ 2506 SSL_CTX *sctx = NULL, *cctx = NULL; 2507 SSL *serverssl = NULL, *clientssl = NULL; 2508 int testresult = 0; 2509 size_t j; 2510 2511 /* idx is the test number, but also the number of tickets we want */ 2512 2513 new_called = 0; 2514 do_cache = 1; 2515 2516 if (!setup_ticket_test(stateful, idx, &sctx, &cctx)) 2517 goto end; 2518 2519 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 2520 &clientssl, NULL, NULL))) 2521 goto end; 2522 2523 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 2524 SSL_ERROR_NONE)) 2525 /* Check we got the number of tickets we were expecting */ 2526 || !TEST_int_eq(idx, new_called)) 2527 goto end; 2528 2529 SSL_shutdown(clientssl); 2530 SSL_shutdown(serverssl); 2531 SSL_free(serverssl); 2532 SSL_free(clientssl); 2533 SSL_CTX_free(sctx); 2534 SSL_CTX_free(cctx); 2535 clientssl = serverssl = NULL; 2536 sctx = cctx = NULL; 2537 2538 /* 2539 * Now we try to resume with the tickets we previously created. The 2540 * resumption attempt is expected to fail (because we're now using a new 2541 * SSL_CTX). We should see idx number of tickets issued again. 2542 */ 2543 2544 /* Stop caching sessions - just count them */ 2545 do_cache = 0; 2546 2547 if (!setup_ticket_test(stateful, idx, &sctx, &cctx)) 2548 goto end; 2549 2550 if (!check_resumption(idx, sctx, cctx, 0)) 2551 goto end; 2552 2553 /* Start again with caching sessions */ 2554 new_called = 0; 2555 do_cache = 1; 2556 SSL_CTX_free(sctx); 2557 SSL_CTX_free(cctx); 2558 sctx = cctx = NULL; 2559 2560 if (!setup_ticket_test(stateful, idx, &sctx, &cctx)) 2561 goto end; 2562 2563 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 2564 &clientssl, NULL, NULL))) 2565 goto end; 2566 2567 SSL_set_post_handshake_auth(clientssl, 1); 2568 2569 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 2570 SSL_ERROR_NONE)) 2571 /* Check we got the number of tickets we were expecting */ 2572 || !TEST_int_eq(idx, new_called)) 2573 goto end; 2574 2575 /* After a post-handshake authentication we should get new tickets issued */ 2576 if (!post_handshake_verify(serverssl, clientssl) 2577 || !TEST_int_eq(idx * 2, new_called)) 2578 goto end; 2579 2580 SSL_shutdown(clientssl); 2581 SSL_shutdown(serverssl); 2582 SSL_free(serverssl); 2583 SSL_free(clientssl); 2584 serverssl = clientssl = NULL; 2585 2586 /* Stop caching sessions - just count them */ 2587 do_cache = 0; 2588 2589 /* 2590 * Check we can resume with all the tickets we created. This time around the 2591 * resumptions should all be successful. 2592 */ 2593 if (!check_resumption(idx, sctx, cctx, 1)) 2594 goto end; 2595 2596 testresult = 1; 2597 2598 end: 2599 SSL_free(serverssl); 2600 SSL_free(clientssl); 2601 for (j = 0; j < OSSL_NELEM(sesscache); j++) { 2602 SSL_SESSION_free(sesscache[j]); 2603 sesscache[j] = NULL; 2604 } 2605 SSL_CTX_free(sctx); 2606 SSL_CTX_free(cctx); 2607 2608 return testresult; 2609} 2610 2611static int test_stateless_tickets(int idx) 2612{ 2613 return test_tickets(0, idx); 2614} 2615 2616static int test_stateful_tickets(int idx) 2617{ 2618 return test_tickets(1, idx); 2619} 2620 2621static int test_psk_tickets(void) 2622{ 2623 SSL_CTX *sctx = NULL, *cctx = NULL; 2624 SSL *serverssl = NULL, *clientssl = NULL; 2625 int testresult = 0; 2626 int sess_id_ctx = 1; 2627 2628 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 2629 TLS_client_method(), TLS1_VERSION, 0, 2630 &sctx, &cctx, NULL, NULL)) 2631 || !TEST_true(SSL_CTX_set_session_id_context(sctx, 2632 (void *)&sess_id_ctx, 2633 sizeof(sess_id_ctx)))) 2634 goto end; 2635 2636 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT 2637 | SSL_SESS_CACHE_NO_INTERNAL_STORE); 2638 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb); 2639 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb); 2640 SSL_CTX_sess_set_new_cb(cctx, new_session_cb); 2641 use_session_cb_cnt = 0; 2642 find_session_cb_cnt = 0; 2643 srvid = pskid; 2644 new_called = 0; 2645 2646 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 2647 NULL, NULL))) 2648 goto end; 2649 clientpsk = serverpsk = create_a_psk(clientssl, SHA384_DIGEST_LENGTH); 2650 if (!TEST_ptr(clientpsk)) 2651 goto end; 2652 SSL_SESSION_up_ref(clientpsk); 2653 2654 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 2655 SSL_ERROR_NONE)) 2656 || !TEST_int_eq(1, find_session_cb_cnt) 2657 || !TEST_int_eq(1, use_session_cb_cnt) 2658 /* We should always get 1 ticket when using external PSK */ 2659 || !TEST_int_eq(1, new_called)) 2660 goto end; 2661 2662 testresult = 1; 2663 2664 end: 2665 SSL_free(serverssl); 2666 SSL_free(clientssl); 2667 SSL_CTX_free(sctx); 2668 SSL_CTX_free(cctx); 2669 SSL_SESSION_free(clientpsk); 2670 SSL_SESSION_free(serverpsk); 2671 clientpsk = serverpsk = NULL; 2672 2673 return testresult; 2674} 2675 2676static int test_extra_tickets(int idx) 2677{ 2678 SSL_CTX *sctx = NULL, *cctx = NULL; 2679 SSL *serverssl = NULL, *clientssl = NULL; 2680 BIO *bretry = BIO_new(bio_s_always_retry()); 2681 BIO *tmp = NULL; 2682 int testresult = 0; 2683 int stateful = 0; 2684 size_t nbytes; 2685 unsigned char c, buf[1]; 2686 2687 new_called = 0; 2688 do_cache = 1; 2689 2690 if (idx >= 3) { 2691 idx -= 3; 2692 stateful = 1; 2693 } 2694 2695 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx)) 2696 goto end; 2697 SSL_CTX_sess_set_new_cb(sctx, new_session_cb); 2698 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */ 2699 SSL_CTX_sess_set_new_cb(cctx, new_session_cb); 2700 2701 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 2702 &clientssl, NULL, NULL))) 2703 goto end; 2704 2705 /* 2706 * Note that we have new_session_cb on both sctx and cctx, so new_called is 2707 * incremented by both client and server. 2708 */ 2709 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 2710 SSL_ERROR_NONE)) 2711 /* Check we got the number of tickets we were expecting */ 2712 || !TEST_int_eq(idx * 2, new_called) 2713 || !TEST_true(SSL_new_session_ticket(serverssl)) 2714 || !TEST_true(SSL_new_session_ticket(serverssl)) 2715 || !TEST_int_eq(idx * 2, new_called)) 2716 goto end; 2717 2718 /* Now try a (real) write to actually send the tickets */ 2719 c = '1'; 2720 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes)) 2721 || !TEST_size_t_eq(1, nbytes) 2722 || !TEST_int_eq(idx * 2 + 2, new_called) 2723 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)) 2724 || !TEST_int_eq(idx * 2 + 4, new_called) 2725 || !TEST_int_eq(sizeof(buf), nbytes) 2726 || !TEST_int_eq(c, buf[0]) 2727 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))) 2728 goto end; 2729 2730 /* Try with only requesting one new ticket, too */ 2731 c = '2'; 2732 new_called = 0; 2733 if (!TEST_true(SSL_new_session_ticket(serverssl)) 2734 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes)) 2735 || !TEST_size_t_eq(sizeof(c), nbytes) 2736 || !TEST_int_eq(1, new_called) 2737 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)) 2738 || !TEST_int_eq(2, new_called) 2739 || !TEST_size_t_eq(sizeof(buf), nbytes) 2740 || !TEST_int_eq(c, buf[0])) 2741 goto end; 2742 2743 /* Do it again but use dummy writes to drive the ticket generation */ 2744 c = '3'; 2745 new_called = 0; 2746 if (!TEST_true(SSL_new_session_ticket(serverssl)) 2747 || !TEST_true(SSL_new_session_ticket(serverssl)) 2748 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes)) 2749 || !TEST_size_t_eq(0, nbytes) 2750 || !TEST_int_eq(2, new_called) 2751 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)) 2752 || !TEST_int_eq(4, new_called)) 2753 goto end; 2754 2755 /* Once more, but with SSL_do_handshake() to drive the ticket generation */ 2756 c = '4'; 2757 new_called = 0; 2758 if (!TEST_true(SSL_new_session_ticket(serverssl)) 2759 || !TEST_true(SSL_new_session_ticket(serverssl)) 2760 || !TEST_true(SSL_do_handshake(serverssl)) 2761 || !TEST_int_eq(2, new_called) 2762 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)) 2763 || !TEST_int_eq(4, new_called)) 2764 goto end; 2765 2766 /* 2767 * Use the always-retry BIO to exercise the logic that forces ticket 2768 * generation to wait until a record boundary. 2769 */ 2770 c = '5'; 2771 new_called = 0; 2772 tmp = SSL_get_wbio(serverssl); 2773 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) { 2774 tmp = NULL; 2775 goto end; 2776 } 2777 SSL_set0_wbio(serverssl, bretry); 2778 bretry = NULL; 2779 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes)) 2780 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE) 2781 || !TEST_size_t_eq(nbytes, 0)) 2782 goto end; 2783 /* Restore a BIO that will let the write succeed */ 2784 SSL_set0_wbio(serverssl, tmp); 2785 tmp = NULL; 2786 /* 2787 * These calls should just queue the request and not send anything 2788 * even if we explicitly try to hit the state machine. 2789 */ 2790 if (!TEST_true(SSL_new_session_ticket(serverssl)) 2791 || !TEST_true(SSL_new_session_ticket(serverssl)) 2792 || !TEST_int_eq(0, new_called) 2793 || !TEST_true(SSL_do_handshake(serverssl)) 2794 || !TEST_int_eq(0, new_called)) 2795 goto end; 2796 /* Re-do the write; still no tickets sent */ 2797 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes)) 2798 || !TEST_size_t_eq(1, nbytes) 2799 || !TEST_int_eq(0, new_called) 2800 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)) 2801 || !TEST_int_eq(0, new_called) 2802 || !TEST_int_eq(sizeof(buf), nbytes) 2803 || !TEST_int_eq(c, buf[0]) 2804 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))) 2805 goto end; 2806 /* Even trying to hit the state machine now will still not send tickets */ 2807 if (!TEST_true(SSL_do_handshake(serverssl)) 2808 || !TEST_int_eq(0, new_called)) 2809 goto end; 2810 /* Now the *next* write should send the tickets */ 2811 c = '6'; 2812 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes)) 2813 || !TEST_size_t_eq(1, nbytes) 2814 || !TEST_int_eq(2, new_called) 2815 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)) 2816 || !TEST_int_eq(4, new_called) 2817 || !TEST_int_eq(sizeof(buf), nbytes) 2818 || !TEST_int_eq(c, buf[0]) 2819 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))) 2820 goto end; 2821 2822 SSL_shutdown(clientssl); 2823 SSL_shutdown(serverssl); 2824 testresult = 1; 2825 2826 end: 2827 BIO_free(bretry); 2828 BIO_free(tmp); 2829 SSL_free(serverssl); 2830 SSL_free(clientssl); 2831 SSL_CTX_free(sctx); 2832 SSL_CTX_free(cctx); 2833 clientssl = serverssl = NULL; 2834 sctx = cctx = NULL; 2835 return testresult; 2836} 2837#endif 2838 2839#define USE_NULL 0 2840#define USE_BIO_1 1 2841#define USE_BIO_2 2 2842#define USE_DEFAULT 3 2843 2844#define CONNTYPE_CONNECTION_SUCCESS 0 2845#define CONNTYPE_CONNECTION_FAIL 1 2846#define CONNTYPE_NO_CONNECTION 2 2847 2848#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3) 2849#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2) 2850#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) 2851# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2) 2852#else 2853# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0 2854#endif 2855 2856#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \ 2857 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \ 2858 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 2859 2860static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type) 2861{ 2862 switch (type) { 2863 case USE_NULL: 2864 *res = NULL; 2865 break; 2866 case USE_BIO_1: 2867 *res = bio1; 2868 break; 2869 case USE_BIO_2: 2870 *res = bio2; 2871 break; 2872 } 2873} 2874 2875 2876/* 2877 * Tests calls to SSL_set_bio() under various conditions. 2878 * 2879 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with 2880 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We 2881 * then do more tests where we create a successful connection first using our 2882 * standard connection setup functions, and then call SSL_set_bio() with 2883 * various combinations of valid BIOs or NULL. We then repeat these tests 2884 * following a failed connection. In this last case we are looking to check that 2885 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL. 2886 */ 2887static int test_ssl_set_bio(int idx) 2888{ 2889 SSL_CTX *sctx = NULL, *cctx = NULL; 2890 BIO *bio1 = NULL; 2891 BIO *bio2 = NULL; 2892 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL; 2893 SSL *serverssl = NULL, *clientssl = NULL; 2894 int initrbio, initwbio, newrbio, newwbio, conntype; 2895 int testresult = 0; 2896 2897 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) { 2898 initrbio = idx % 3; 2899 idx /= 3; 2900 initwbio = idx % 3; 2901 idx /= 3; 2902 newrbio = idx % 3; 2903 idx /= 3; 2904 newwbio = idx % 3; 2905 conntype = CONNTYPE_NO_CONNECTION; 2906 } else { 2907 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS; 2908 initrbio = initwbio = USE_DEFAULT; 2909 newrbio = idx % 2; 2910 idx /= 2; 2911 newwbio = idx % 2; 2912 idx /= 2; 2913 conntype = idx % 2; 2914 } 2915 2916 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 2917 TLS_client_method(), TLS1_VERSION, 0, 2918 &sctx, &cctx, cert, privkey))) 2919 goto end; 2920 2921 if (conntype == CONNTYPE_CONNECTION_FAIL) { 2922 /* 2923 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled 2924 * because we reduced the number of tests in the definition of 2925 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting 2926 * mismatched protocol versions we will force a connection failure. 2927 */ 2928 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION); 2929 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION); 2930 } 2931 2932 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 2933 NULL, NULL))) 2934 goto end; 2935 2936 if (initrbio == USE_BIO_1 2937 || initwbio == USE_BIO_1 2938 || newrbio == USE_BIO_1 2939 || newwbio == USE_BIO_1) { 2940 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem()))) 2941 goto end; 2942 } 2943 2944 if (initrbio == USE_BIO_2 2945 || initwbio == USE_BIO_2 2946 || newrbio == USE_BIO_2 2947 || newwbio == USE_BIO_2) { 2948 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem()))) 2949 goto end; 2950 } 2951 2952 if (initrbio != USE_DEFAULT) { 2953 setupbio(&irbio, bio1, bio2, initrbio); 2954 setupbio(&iwbio, bio1, bio2, initwbio); 2955 SSL_set_bio(clientssl, irbio, iwbio); 2956 2957 /* 2958 * We want to maintain our own refs to these BIO, so do an up ref for 2959 * each BIO that will have ownership transferred in the SSL_set_bio() 2960 * call 2961 */ 2962 if (irbio != NULL) 2963 BIO_up_ref(irbio); 2964 if (iwbio != NULL && iwbio != irbio) 2965 BIO_up_ref(iwbio); 2966 } 2967 2968 if (conntype != CONNTYPE_NO_CONNECTION 2969 && !TEST_true(create_ssl_connection(serverssl, clientssl, 2970 SSL_ERROR_NONE) 2971 == (conntype == CONNTYPE_CONNECTION_SUCCESS))) 2972 goto end; 2973 2974 setupbio(&nrbio, bio1, bio2, newrbio); 2975 setupbio(&nwbio, bio1, bio2, newwbio); 2976 2977 /* 2978 * We will (maybe) transfer ownership again so do more up refs. 2979 * SSL_set_bio() has some really complicated ownership rules where BIOs have 2980 * already been set! 2981 */ 2982 if (nrbio != NULL 2983 && nrbio != irbio 2984 && (nwbio != iwbio || nrbio != nwbio)) 2985 BIO_up_ref(nrbio); 2986 if (nwbio != NULL 2987 && nwbio != nrbio 2988 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio))) 2989 BIO_up_ref(nwbio); 2990 2991 SSL_set_bio(clientssl, nrbio, nwbio); 2992 2993 testresult = 1; 2994 2995 end: 2996 BIO_free(bio1); 2997 BIO_free(bio2); 2998 2999 /* 3000 * This test is checking that the ref counting for SSL_set_bio is correct. 3001 * If we get here and we did too many frees then we will fail in the above 3002 * functions. 3003 */ 3004 SSL_free(serverssl); 3005 SSL_free(clientssl); 3006 SSL_CTX_free(sctx); 3007 SSL_CTX_free(cctx); 3008 return testresult; 3009} 3010 3011typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t; 3012 3013static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio) 3014{ 3015 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL; 3016 SSL_CTX *ctx; 3017 SSL *ssl = NULL; 3018 int testresult = 0; 3019 3020 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method())) 3021 || !TEST_ptr(ssl = SSL_new(ctx)) 3022 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl())) 3023 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem()))) 3024 goto end; 3025 3026 BIO_set_ssl(sslbio, ssl, BIO_CLOSE); 3027 3028 /* 3029 * If anything goes wrong here then we could leak memory. 3030 */ 3031 BIO_push(sslbio, membio1); 3032 3033 /* Verify changing the rbio/wbio directly does not cause leaks */ 3034 if (change_bio != NO_BIO_CHANGE) { 3035 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) { 3036 ssl = NULL; 3037 goto end; 3038 } 3039 if (change_bio == CHANGE_RBIO) 3040 SSL_set0_rbio(ssl, membio2); 3041 else 3042 SSL_set0_wbio(ssl, membio2); 3043 } 3044 ssl = NULL; 3045 3046 if (pop_ssl) 3047 BIO_pop(sslbio); 3048 else 3049 BIO_pop(membio1); 3050 3051 testresult = 1; 3052 end: 3053 BIO_free(membio1); 3054 BIO_free(sslbio); 3055 SSL_free(ssl); 3056 SSL_CTX_free(ctx); 3057 3058 return testresult; 3059} 3060 3061static int test_ssl_bio_pop_next_bio(void) 3062{ 3063 return execute_test_ssl_bio(0, NO_BIO_CHANGE); 3064} 3065 3066static int test_ssl_bio_pop_ssl_bio(void) 3067{ 3068 return execute_test_ssl_bio(1, NO_BIO_CHANGE); 3069} 3070 3071static int test_ssl_bio_change_rbio(void) 3072{ 3073 return execute_test_ssl_bio(0, CHANGE_RBIO); 3074} 3075 3076static int test_ssl_bio_change_wbio(void) 3077{ 3078 return execute_test_ssl_bio(0, CHANGE_WBIO); 3079} 3080 3081#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3) 3082typedef struct { 3083 /* The list of sig algs */ 3084 const int *list; 3085 /* The length of the list */ 3086 size_t listlen; 3087 /* A sigalgs list in string format */ 3088 const char *liststr; 3089 /* Whether setting the list should succeed */ 3090 int valid; 3091 /* Whether creating a connection with the list should succeed */ 3092 int connsuccess; 3093} sigalgs_list; 3094 3095static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA}; 3096# ifndef OPENSSL_NO_EC 3097static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC}; 3098static const int validlist3[] = {NID_sha512, EVP_PKEY_EC}; 3099# endif 3100static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA}; 3101static const int invalidlist2[] = {NID_sha256, NID_undef}; 3102static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256}; 3103static const int invalidlist4[] = {NID_sha256}; 3104static const sigalgs_list testsigalgs[] = { 3105 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1}, 3106# ifndef OPENSSL_NO_EC 3107 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1}, 3108 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0}, 3109# endif 3110 {NULL, 0, "RSA+SHA256", 1, 1}, 3111# ifndef OPENSSL_NO_EC 3112 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1}, 3113 {NULL, 0, "ECDSA+SHA512", 1, 0}, 3114# endif 3115 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0}, 3116 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0}, 3117 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0}, 3118 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0}, 3119 {NULL, 0, "RSA", 0, 0}, 3120 {NULL, 0, "SHA256", 0, 0}, 3121 {NULL, 0, "RSA+SHA256:SHA256", 0, 0}, 3122 {NULL, 0, "Invalid", 0, 0} 3123}; 3124 3125static int test_set_sigalgs(int idx) 3126{ 3127 SSL_CTX *cctx = NULL, *sctx = NULL; 3128 SSL *clientssl = NULL, *serverssl = NULL; 3129 int testresult = 0; 3130 const sigalgs_list *curr; 3131 int testctx; 3132 3133 /* Should never happen */ 3134 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2)) 3135 return 0; 3136 3137 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs)); 3138 curr = testctx ? &testsigalgs[idx] 3139 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)]; 3140 3141 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 3142 TLS_client_method(), TLS1_VERSION, 0, 3143 &sctx, &cctx, cert, privkey))) 3144 return 0; 3145 3146 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION); 3147 3148 if (testctx) { 3149 int ret; 3150 3151 if (curr->list != NULL) 3152 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen); 3153 else 3154 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr); 3155 3156 if (!ret) { 3157 if (curr->valid) 3158 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx); 3159 else 3160 testresult = 1; 3161 goto end; 3162 } 3163 if (!curr->valid) { 3164 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx); 3165 goto end; 3166 } 3167 } 3168 3169 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 3170 &clientssl, NULL, NULL))) 3171 goto end; 3172 3173 if (!testctx) { 3174 int ret; 3175 3176 if (curr->list != NULL) 3177 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen); 3178 else 3179 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr); 3180 if (!ret) { 3181 if (curr->valid) 3182 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx); 3183 else 3184 testresult = 1; 3185 goto end; 3186 } 3187 if (!curr->valid) 3188 goto end; 3189 } 3190 3191 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl, 3192 SSL_ERROR_NONE), 3193 curr->connsuccess)) 3194 goto end; 3195 3196 testresult = 1; 3197 3198 end: 3199 SSL_free(serverssl); 3200 SSL_free(clientssl); 3201 SSL_CTX_free(sctx); 3202 SSL_CTX_free(cctx); 3203 3204 return testresult; 3205} 3206#endif 3207 3208#ifndef OSSL_NO_USABLE_TLS1_3 3209static int psk_client_cb_cnt = 0; 3210static int psk_server_cb_cnt = 0; 3211 3212static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id, 3213 size_t *idlen, SSL_SESSION **sess) 3214{ 3215 switch (++use_session_cb_cnt) { 3216 case 1: 3217 /* The first call should always have a NULL md */ 3218 if (md != NULL) 3219 return 0; 3220 break; 3221 3222 case 2: 3223 /* The second call should always have an md */ 3224 if (md == NULL) 3225 return 0; 3226 break; 3227 3228 default: 3229 /* We should only be called a maximum of twice */ 3230 return 0; 3231 } 3232 3233 if (clientpsk != NULL) 3234 SSL_SESSION_up_ref(clientpsk); 3235 3236 *sess = clientpsk; 3237 *id = (const unsigned char *)pskid; 3238 *idlen = strlen(pskid); 3239 3240 return 1; 3241} 3242 3243#ifndef OPENSSL_NO_PSK 3244static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id, 3245 unsigned int max_id_len, 3246 unsigned char *psk, 3247 unsigned int max_psk_len) 3248{ 3249 unsigned int psklen = 0; 3250 3251 psk_client_cb_cnt++; 3252 3253 if (strlen(pskid) + 1 > max_id_len) 3254 return 0; 3255 3256 /* We should only ever be called a maximum of twice per connection */ 3257 if (psk_client_cb_cnt > 2) 3258 return 0; 3259 3260 if (clientpsk == NULL) 3261 return 0; 3262 3263 /* We'll reuse the PSK we set up for TLSv1.3 */ 3264 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len) 3265 return 0; 3266 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len); 3267 strncpy(id, pskid, max_id_len); 3268 3269 return psklen; 3270} 3271#endif /* OPENSSL_NO_PSK */ 3272 3273static int find_session_cb(SSL *ssl, const unsigned char *identity, 3274 size_t identity_len, SSL_SESSION **sess) 3275{ 3276 find_session_cb_cnt++; 3277 3278 /* We should only ever be called a maximum of twice per connection */ 3279 if (find_session_cb_cnt > 2) 3280 return 0; 3281 3282 if (serverpsk == NULL) 3283 return 0; 3284 3285 /* Identity should match that set by the client */ 3286 if (strlen(srvid) != identity_len 3287 || strncmp(srvid, (const char *)identity, identity_len) != 0) { 3288 /* No PSK found, continue but without a PSK */ 3289 *sess = NULL; 3290 return 1; 3291 } 3292 3293 SSL_SESSION_up_ref(serverpsk); 3294 *sess = serverpsk; 3295 3296 return 1; 3297} 3298 3299#ifndef OPENSSL_NO_PSK 3300static unsigned int psk_server_cb(SSL *ssl, const char *identity, 3301 unsigned char *psk, unsigned int max_psk_len) 3302{ 3303 unsigned int psklen = 0; 3304 3305 psk_server_cb_cnt++; 3306 3307 /* We should only ever be called a maximum of twice per connection */ 3308 if (find_session_cb_cnt > 2) 3309 return 0; 3310 3311 if (serverpsk == NULL) 3312 return 0; 3313 3314 /* Identity should match that set by the client */ 3315 if (strcmp(srvid, identity) != 0) { 3316 return 0; 3317 } 3318 3319 /* We'll reuse the PSK we set up for TLSv1.3 */ 3320 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len) 3321 return 0; 3322 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len); 3323 3324 return psklen; 3325} 3326#endif /* OPENSSL_NO_PSK */ 3327 3328#define MSG1 "Hello" 3329#define MSG2 "World." 3330#define MSG3 "This" 3331#define MSG4 "is" 3332#define MSG5 "a" 3333#define MSG6 "test" 3334#define MSG7 "message." 3335 3336#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01") 3337#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02") 3338#define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03") 3339#define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04") 3340#define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05") 3341 3342 3343static SSL_SESSION *create_a_psk(SSL *ssl, size_t mdsize) 3344{ 3345 const SSL_CIPHER *cipher = NULL; 3346 const unsigned char key[] = { 3347 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 3348 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 3349 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 3350 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 3351 0x2c, 0x2d, 0x2e, 0x2f /* SHA384_DIGEST_LENGTH bytes */ 3352 }; 3353 SSL_SESSION *sess = NULL; 3354 3355 if (mdsize == SHA384_DIGEST_LENGTH) { 3356 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES); 3357 } else if (mdsize == SHA256_DIGEST_LENGTH) { 3358 /* 3359 * Any ciphersuite using SHA256 will do - it will be compatible with 3360 * the actual ciphersuite selected as long as it too is based on SHA256 3361 */ 3362 cipher = SSL_CIPHER_find(ssl, TLS13_AES_128_GCM_SHA256_BYTES); 3363 } else { 3364 /* Should not happen */ 3365 return NULL; 3366 } 3367 sess = SSL_SESSION_new(); 3368 if (!TEST_ptr(sess) 3369 || !TEST_ptr(cipher) 3370 || !TEST_true(SSL_SESSION_set1_master_key(sess, key, mdsize)) 3371 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)) 3372 || !TEST_true( 3373 SSL_SESSION_set_protocol_version(sess, 3374 TLS1_3_VERSION))) { 3375 SSL_SESSION_free(sess); 3376 return NULL; 3377 } 3378 return sess; 3379} 3380 3381/* 3382 * Helper method to setup objects for early data test. Caller frees objects on 3383 * error. 3384 */ 3385static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl, 3386 SSL **serverssl, SSL_SESSION **sess, int idx, 3387 size_t mdsize) 3388{ 3389 if (*sctx == NULL 3390 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 3391 TLS_client_method(), 3392 TLS1_VERSION, 0, 3393 sctx, cctx, cert, privkey))) 3394 return 0; 3395 3396 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH))) 3397 return 0; 3398 3399 if (idx == 1) { 3400 /* When idx == 1 we repeat the tests with read_ahead set */ 3401 SSL_CTX_set_read_ahead(*cctx, 1); 3402 SSL_CTX_set_read_ahead(*sctx, 1); 3403 } else if (idx == 2) { 3404 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */ 3405 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb); 3406 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb); 3407 use_session_cb_cnt = 0; 3408 find_session_cb_cnt = 0; 3409 srvid = pskid; 3410 } 3411 3412 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl, 3413 NULL, NULL))) 3414 return 0; 3415 3416 /* 3417 * For one of the run throughs (doesn't matter which one), we'll try sending 3418 * some SNI data in the initial ClientHello. This will be ignored (because 3419 * there is no SNI cb set up by the server), so it should not impact 3420 * early_data. 3421 */ 3422 if (idx == 1 3423 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost"))) 3424 return 0; 3425 3426 if (idx == 2) { 3427 clientpsk = create_a_psk(*clientssl, mdsize); 3428 if (!TEST_ptr(clientpsk) 3429 /* 3430 * We just choose an arbitrary value for max_early_data which 3431 * should be big enough for testing purposes. 3432 */ 3433 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk, 3434 0x100)) 3435 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) { 3436 SSL_SESSION_free(clientpsk); 3437 clientpsk = NULL; 3438 return 0; 3439 } 3440 serverpsk = clientpsk; 3441 3442 if (sess != NULL) { 3443 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) { 3444 SSL_SESSION_free(clientpsk); 3445 SSL_SESSION_free(serverpsk); 3446 clientpsk = serverpsk = NULL; 3447 return 0; 3448 } 3449 *sess = clientpsk; 3450 } 3451 return 1; 3452 } 3453 3454 if (sess == NULL) 3455 return 1; 3456 3457 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl, 3458 SSL_ERROR_NONE))) 3459 return 0; 3460 3461 *sess = SSL_get1_session(*clientssl); 3462 SSL_shutdown(*clientssl); 3463 SSL_shutdown(*serverssl); 3464 SSL_free(*serverssl); 3465 SSL_free(*clientssl); 3466 *serverssl = *clientssl = NULL; 3467 3468 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, 3469 clientssl, NULL, NULL)) 3470 || !TEST_true(SSL_set_session(*clientssl, *sess))) 3471 return 0; 3472 3473 return 1; 3474} 3475 3476static int test_early_data_read_write(int idx) 3477{ 3478 SSL_CTX *cctx = NULL, *sctx = NULL; 3479 SSL *clientssl = NULL, *serverssl = NULL; 3480 int testresult = 0; 3481 SSL_SESSION *sess = NULL; 3482 unsigned char buf[20], data[1024]; 3483 size_t readbytes, written, eoedlen, rawread, rawwritten; 3484 BIO *rbio; 3485 3486 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, 3487 &serverssl, &sess, idx, 3488 SHA384_DIGEST_LENGTH))) 3489 goto end; 3490 3491 /* Write and read some early data */ 3492 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), 3493 &written)) 3494 || !TEST_size_t_eq(written, strlen(MSG1)) 3495 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, 3496 sizeof(buf), &readbytes), 3497 SSL_READ_EARLY_DATA_SUCCESS) 3498 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1)) 3499 || !TEST_int_eq(SSL_get_early_data_status(serverssl), 3500 SSL_EARLY_DATA_ACCEPTED)) 3501 goto end; 3502 3503 /* 3504 * Server should be able to write data, and client should be able to 3505 * read it. 3506 */ 3507 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2), 3508 &written)) 3509 || !TEST_size_t_eq(written, strlen(MSG2)) 3510 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)) 3511 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2))) 3512 goto end; 3513 3514 /* Even after reading normal data, client should be able write early data */ 3515 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3), 3516 &written)) 3517 || !TEST_size_t_eq(written, strlen(MSG3))) 3518 goto end; 3519 3520 /* Server should still be able read early data after writing data */ 3521 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 3522 &readbytes), 3523 SSL_READ_EARLY_DATA_SUCCESS) 3524 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3))) 3525 goto end; 3526 3527 /* Write more data from server and read it from client */ 3528 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4), 3529 &written)) 3530 || !TEST_size_t_eq(written, strlen(MSG4)) 3531 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)) 3532 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4))) 3533 goto end; 3534 3535 /* 3536 * If client writes normal data it should mean writing early data is no 3537 * longer possible. 3538 */ 3539 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written)) 3540 || !TEST_size_t_eq(written, strlen(MSG5)) 3541 || !TEST_int_eq(SSL_get_early_data_status(clientssl), 3542 SSL_EARLY_DATA_ACCEPTED)) 3543 goto end; 3544 3545 /* 3546 * At this point the client has written EndOfEarlyData, ClientFinished and 3547 * normal (fully protected) data. We are going to cause a delay between the 3548 * arrival of EndOfEarlyData and ClientFinished. We read out all the data 3549 * in the read BIO, and then just put back the EndOfEarlyData message. 3550 */ 3551 rbio = SSL_get_rbio(serverssl); 3552 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread)) 3553 || !TEST_size_t_lt(rawread, sizeof(data)) 3554 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH)) 3555 goto end; 3556 3557 /* Record length is in the 4th and 5th bytes of the record header */ 3558 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]); 3559 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten)) 3560 || !TEST_size_t_eq(rawwritten, eoedlen)) 3561 goto end; 3562 3563 /* Server should be told that there is no more early data */ 3564 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 3565 &readbytes), 3566 SSL_READ_EARLY_DATA_FINISH) 3567 || !TEST_size_t_eq(readbytes, 0)) 3568 goto end; 3569 3570 /* 3571 * Server has not finished init yet, so should still be able to write early 3572 * data. 3573 */ 3574 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6), 3575 &written)) 3576 || !TEST_size_t_eq(written, strlen(MSG6))) 3577 goto end; 3578 3579 /* Push the ClientFinished and the normal data back into the server rbio */ 3580 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen, 3581 &rawwritten)) 3582 || !TEST_size_t_eq(rawwritten, rawread - eoedlen)) 3583 goto end; 3584 3585 /* Server should be able to read normal data */ 3586 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)) 3587 || !TEST_size_t_eq(readbytes, strlen(MSG5))) 3588 goto end; 3589 3590 /* Client and server should not be able to write/read early data now */ 3591 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6), 3592 &written))) 3593 goto end; 3594 ERR_clear_error(); 3595 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 3596 &readbytes), 3597 SSL_READ_EARLY_DATA_ERROR)) 3598 goto end; 3599 ERR_clear_error(); 3600 3601 /* Client should be able to read the data sent by the server */ 3602 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)) 3603 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6))) 3604 goto end; 3605 3606 /* 3607 * Make sure we process the two NewSessionTickets. These arrive 3608 * post-handshake. We attempt reads which we do not expect to return any 3609 * data. 3610 */ 3611 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)) 3612 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), 3613 &readbytes))) 3614 goto end; 3615 3616 /* Server should be able to write normal data */ 3617 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written)) 3618 || !TEST_size_t_eq(written, strlen(MSG7)) 3619 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)) 3620 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7))) 3621 goto end; 3622 3623 SSL_SESSION_free(sess); 3624 sess = SSL_get1_session(clientssl); 3625 use_session_cb_cnt = 0; 3626 find_session_cb_cnt = 0; 3627 3628 SSL_shutdown(clientssl); 3629 SSL_shutdown(serverssl); 3630 SSL_free(serverssl); 3631 SSL_free(clientssl); 3632 serverssl = clientssl = NULL; 3633 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 3634 &clientssl, NULL, NULL)) 3635 || !TEST_true(SSL_set_session(clientssl, sess))) 3636 goto end; 3637 3638 /* Write and read some early data */ 3639 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), 3640 &written)) 3641 || !TEST_size_t_eq(written, strlen(MSG1)) 3642 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 3643 &readbytes), 3644 SSL_READ_EARLY_DATA_SUCCESS) 3645 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))) 3646 goto end; 3647 3648 if (!TEST_int_gt(SSL_connect(clientssl), 0) 3649 || !TEST_int_gt(SSL_accept(serverssl), 0)) 3650 goto end; 3651 3652 /* Client and server should not be able to write/read early data now */ 3653 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6), 3654 &written))) 3655 goto end; 3656 ERR_clear_error(); 3657 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 3658 &readbytes), 3659 SSL_READ_EARLY_DATA_ERROR)) 3660 goto end; 3661 ERR_clear_error(); 3662 3663 /* Client and server should be able to write/read normal data */ 3664 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written)) 3665 || !TEST_size_t_eq(written, strlen(MSG5)) 3666 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)) 3667 || !TEST_size_t_eq(readbytes, strlen(MSG5))) 3668 goto end; 3669 3670 testresult = 1; 3671 3672 end: 3673 SSL_SESSION_free(sess); 3674 SSL_SESSION_free(clientpsk); 3675 SSL_SESSION_free(serverpsk); 3676 clientpsk = serverpsk = NULL; 3677 SSL_free(serverssl); 3678 SSL_free(clientssl); 3679 SSL_CTX_free(sctx); 3680 SSL_CTX_free(cctx); 3681 return testresult; 3682} 3683 3684static int allow_ed_cb_called = 0; 3685 3686static int allow_early_data_cb(SSL *s, void *arg) 3687{ 3688 int *usecb = (int *)arg; 3689 3690 allow_ed_cb_called++; 3691 3692 if (*usecb == 1) 3693 return 0; 3694 3695 return 1; 3696} 3697 3698/* 3699 * idx == 0: Standard early_data setup 3700 * idx == 1: early_data setup using read_ahead 3701 * usecb == 0: Don't use a custom early data callback 3702 * usecb == 1: Use a custom early data callback and reject the early data 3703 * usecb == 2: Use a custom early data callback and accept the early data 3704 * confopt == 0: Configure anti-replay directly 3705 * confopt == 1: Configure anti-replay using SSL_CONF 3706 */ 3707static int test_early_data_replay_int(int idx, int usecb, int confopt) 3708{ 3709 SSL_CTX *cctx = NULL, *sctx = NULL; 3710 SSL *clientssl = NULL, *serverssl = NULL; 3711 int testresult = 0; 3712 SSL_SESSION *sess = NULL; 3713 size_t readbytes, written; 3714 unsigned char buf[20]; 3715 3716 allow_ed_cb_called = 0; 3717 3718 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 3719 TLS_client_method(), TLS1_VERSION, 0, 3720 &sctx, &cctx, cert, privkey))) 3721 return 0; 3722 3723 if (usecb > 0) { 3724 if (confopt == 0) { 3725 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY); 3726 } else { 3727 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new(); 3728 3729 if (!TEST_ptr(confctx)) 3730 goto end; 3731 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE 3732 | SSL_CONF_FLAG_SERVER); 3733 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx); 3734 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"), 3735 2)) { 3736 SSL_CONF_CTX_free(confctx); 3737 goto end; 3738 } 3739 SSL_CONF_CTX_free(confctx); 3740 } 3741 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb); 3742 } 3743 3744 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, 3745 &serverssl, &sess, idx, 3746 SHA384_DIGEST_LENGTH))) 3747 goto end; 3748 3749 /* 3750 * The server is configured to accept early data. Create a connection to 3751 * "use up" the ticket 3752 */ 3753 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) 3754 || !TEST_true(SSL_session_reused(clientssl))) 3755 goto end; 3756 3757 SSL_shutdown(clientssl); 3758 SSL_shutdown(serverssl); 3759 SSL_free(serverssl); 3760 SSL_free(clientssl); 3761 serverssl = clientssl = NULL; 3762 3763 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 3764 &clientssl, NULL, NULL)) 3765 || !TEST_true(SSL_set_session(clientssl, sess))) 3766 goto end; 3767 3768 /* Write and read some early data */ 3769 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), 3770 &written)) 3771 || !TEST_size_t_eq(written, strlen(MSG1))) 3772 goto end; 3773 3774 if (usecb <= 1) { 3775 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 3776 &readbytes), 3777 SSL_READ_EARLY_DATA_FINISH) 3778 /* 3779 * The ticket was reused, so the we should have rejected the 3780 * early data 3781 */ 3782 || !TEST_int_eq(SSL_get_early_data_status(serverssl), 3783 SSL_EARLY_DATA_REJECTED)) 3784 goto end; 3785 } else { 3786 /* In this case the callback decides to accept the early data */ 3787 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 3788 &readbytes), 3789 SSL_READ_EARLY_DATA_SUCCESS) 3790 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes) 3791 /* 3792 * Server will have sent its flight so client can now send 3793 * end of early data and complete its half of the handshake 3794 */ 3795 || !TEST_int_gt(SSL_connect(clientssl), 0) 3796 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 3797 &readbytes), 3798 SSL_READ_EARLY_DATA_FINISH) 3799 || !TEST_int_eq(SSL_get_early_data_status(serverssl), 3800 SSL_EARLY_DATA_ACCEPTED)) 3801 goto end; 3802 } 3803 3804 /* Complete the connection */ 3805 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) 3806 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0) 3807 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0)) 3808 goto end; 3809 3810 testresult = 1; 3811 3812 end: 3813 SSL_SESSION_free(sess); 3814 SSL_SESSION_free(clientpsk); 3815 SSL_SESSION_free(serverpsk); 3816 clientpsk = serverpsk = NULL; 3817 SSL_free(serverssl); 3818 SSL_free(clientssl); 3819 SSL_CTX_free(sctx); 3820 SSL_CTX_free(cctx); 3821 return testresult; 3822} 3823 3824static int test_early_data_replay(int idx) 3825{ 3826 int ret = 1, usecb, confopt; 3827 3828 for (usecb = 0; usecb < 3; usecb++) { 3829 for (confopt = 0; confopt < 2; confopt++) 3830 ret &= test_early_data_replay_int(idx, usecb, confopt); 3831 } 3832 3833 return ret; 3834} 3835 3836static const char *ciphersuites[] = { 3837 "TLS_AES_128_CCM_8_SHA256", 3838 "TLS_AES_128_GCM_SHA256", 3839 "TLS_AES_256_GCM_SHA384", 3840 "TLS_AES_128_CCM_SHA256", 3841#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) 3842 "TLS_CHACHA20_POLY1305_SHA256" 3843#endif 3844}; 3845 3846/* 3847 * Helper function to test that a server attempting to read early data can 3848 * handle a connection from a client where the early data should be skipped. 3849 * testtype: 0 == No HRR 3850 * testtype: 1 == HRR 3851 * testtype: 2 == HRR, invalid early_data sent after HRR 3852 * testtype: 3 == recv_max_early_data set to 0 3853 */ 3854static int early_data_skip_helper(int testtype, int cipher, int idx) 3855{ 3856 SSL_CTX *cctx = NULL, *sctx = NULL; 3857 SSL *clientssl = NULL, *serverssl = NULL; 3858 int testresult = 0; 3859 SSL_SESSION *sess = NULL; 3860 unsigned char buf[20]; 3861 size_t readbytes, written; 3862 3863 if (is_fips && cipher == 4) 3864 return 1; 3865 3866 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 3867 TLS_client_method(), 3868 TLS1_VERSION, 0, 3869 &sctx, &cctx, cert, privkey))) 3870 goto end; 3871 3872 if (cipher == 0) { 3873 SSL_CTX_set_security_level(sctx, 0); 3874 SSL_CTX_set_security_level(cctx, 0); 3875 } 3876 3877 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, ciphersuites[cipher])) 3878 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, ciphersuites[cipher]))) 3879 goto end; 3880 3881 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, 3882 &serverssl, &sess, idx, 3883 cipher == 2 ? SHA384_DIGEST_LENGTH 3884 : SHA256_DIGEST_LENGTH))) 3885 goto end; 3886 3887 if (testtype == 1 || testtype == 2) { 3888 /* Force an HRR to occur */ 3889#if defined(OPENSSL_NO_EC) 3890 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072"))) 3891 goto end; 3892#else 3893 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256"))) 3894 goto end; 3895#endif 3896 } else if (idx == 2) { 3897 /* 3898 * We force early_data rejection by ensuring the PSK identity is 3899 * unrecognised 3900 */ 3901 srvid = "Dummy Identity"; 3902 } else { 3903 /* 3904 * Deliberately corrupt the creation time. We take 20 seconds off the 3905 * time. It could be any value as long as it is not within tolerance. 3906 * This should mean the ticket is rejected. 3907 */ 3908 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20)))) 3909 goto end; 3910 } 3911 3912 if (testtype == 3 3913 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0))) 3914 goto end; 3915 3916 /* Write some early data */ 3917 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), 3918 &written)) 3919 || !TEST_size_t_eq(written, strlen(MSG1))) 3920 goto end; 3921 3922 /* Server should reject the early data */ 3923 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 3924 &readbytes), 3925 SSL_READ_EARLY_DATA_FINISH) 3926 || !TEST_size_t_eq(readbytes, 0) 3927 || !TEST_int_eq(SSL_get_early_data_status(serverssl), 3928 SSL_EARLY_DATA_REJECTED)) 3929 goto end; 3930 3931 switch (testtype) { 3932 case 0: 3933 /* Nothing to do */ 3934 break; 3935 3936 case 1: 3937 /* 3938 * Finish off the handshake. We perform the same writes and reads as 3939 * further down but we expect them to fail due to the incomplete 3940 * handshake. 3941 */ 3942 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written)) 3943 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), 3944 &readbytes))) 3945 goto end; 3946 break; 3947 3948 case 2: 3949 { 3950 BIO *wbio = SSL_get_wbio(clientssl); 3951 /* A record that will appear as bad early_data */ 3952 const unsigned char bad_early_data[] = { 3953 0x17, 0x03, 0x03, 0x00, 0x01, 0x00 3954 }; 3955 3956 /* 3957 * We force the client to attempt a write. This will fail because 3958 * we're still in the handshake. It will cause the second 3959 * ClientHello to be sent. 3960 */ 3961 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), 3962 &written))) 3963 goto end; 3964 3965 /* 3966 * Inject some early_data after the second ClientHello. This should 3967 * cause the server to fail 3968 */ 3969 if (!TEST_true(BIO_write_ex(wbio, bad_early_data, 3970 sizeof(bad_early_data), &written))) 3971 goto end; 3972 } 3973 /* fallthrough */ 3974 3975 case 3: 3976 /* 3977 * This client has sent more early_data than we are willing to skip 3978 * (case 3) or sent invalid early_data (case 2) so the connection should 3979 * abort. 3980 */ 3981 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)) 3982 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL)) 3983 goto end; 3984 3985 /* Connection has failed - nothing more to do */ 3986 testresult = 1; 3987 goto end; 3988 3989 default: 3990 TEST_error("Invalid test type"); 3991 goto end; 3992 } 3993 3994 ERR_clear_error(); 3995 /* 3996 * Should be able to send normal data despite rejection of early data. The 3997 * early_data should be skipped. 3998 */ 3999 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written)) 4000 || !TEST_size_t_eq(written, strlen(MSG2)) 4001 || !TEST_int_eq(SSL_get_early_data_status(clientssl), 4002 SSL_EARLY_DATA_REJECTED) 4003 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)) 4004 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2))) 4005 goto end; 4006 4007 /* 4008 * Failure to decrypt early data records should not leave spurious errors 4009 * on the error stack 4010 */ 4011 if (!TEST_long_eq(ERR_peek_error(), 0)) 4012 goto end; 4013 4014 testresult = 1; 4015 4016 end: 4017 SSL_SESSION_free(clientpsk); 4018 SSL_SESSION_free(serverpsk); 4019 clientpsk = serverpsk = NULL; 4020 SSL_SESSION_free(sess); 4021 SSL_free(serverssl); 4022 SSL_free(clientssl); 4023 SSL_CTX_free(sctx); 4024 SSL_CTX_free(cctx); 4025 return testresult; 4026} 4027 4028/* 4029 * Test that a server attempting to read early data can handle a connection 4030 * from a client where the early data is not acceptable. 4031 */ 4032static int test_early_data_skip(int idx) 4033{ 4034 return early_data_skip_helper(0, 4035 idx % OSSL_NELEM(ciphersuites), 4036 idx / OSSL_NELEM(ciphersuites)); 4037} 4038 4039/* 4040 * Test that a server attempting to read early data can handle a connection 4041 * from a client where an HRR occurs. 4042 */ 4043static int test_early_data_skip_hrr(int idx) 4044{ 4045 return early_data_skip_helper(1, 4046 idx % OSSL_NELEM(ciphersuites), 4047 idx / OSSL_NELEM(ciphersuites)); 4048} 4049 4050/* 4051 * Test that a server attempting to read early data can handle a connection 4052 * from a client where an HRR occurs and correctly fails if early_data is sent 4053 * after the HRR 4054 */ 4055static int test_early_data_skip_hrr_fail(int idx) 4056{ 4057 return early_data_skip_helper(2, 4058 idx % OSSL_NELEM(ciphersuites), 4059 idx / OSSL_NELEM(ciphersuites)); 4060} 4061 4062/* 4063 * Test that a server attempting to read early data will abort if it tries to 4064 * skip over too much. 4065 */ 4066static int test_early_data_skip_abort(int idx) 4067{ 4068 return early_data_skip_helper(3, 4069 idx % OSSL_NELEM(ciphersuites), 4070 idx / OSSL_NELEM(ciphersuites)); 4071} 4072 4073/* 4074 * Test that a server attempting to read early data can handle a connection 4075 * from a client that doesn't send any. 4076 */ 4077static int test_early_data_not_sent(int idx) 4078{ 4079 SSL_CTX *cctx = NULL, *sctx = NULL; 4080 SSL *clientssl = NULL, *serverssl = NULL; 4081 int testresult = 0; 4082 SSL_SESSION *sess = NULL; 4083 unsigned char buf[20]; 4084 size_t readbytes, written; 4085 4086 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, 4087 &serverssl, &sess, idx, 4088 SHA384_DIGEST_LENGTH))) 4089 goto end; 4090 4091 /* Write some data - should block due to handshake with server */ 4092 SSL_set_connect_state(clientssl); 4093 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))) 4094 goto end; 4095 4096 /* Server should detect that early data has not been sent */ 4097 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 4098 &readbytes), 4099 SSL_READ_EARLY_DATA_FINISH) 4100 || !TEST_size_t_eq(readbytes, 0) 4101 || !TEST_int_eq(SSL_get_early_data_status(serverssl), 4102 SSL_EARLY_DATA_NOT_SENT) 4103 || !TEST_int_eq(SSL_get_early_data_status(clientssl), 4104 SSL_EARLY_DATA_NOT_SENT)) 4105 goto end; 4106 4107 /* Continue writing the message we started earlier */ 4108 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)) 4109 || !TEST_size_t_eq(written, strlen(MSG1)) 4110 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)) 4111 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)) 4112 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written) 4113 || !TEST_size_t_eq(written, strlen(MSG2))) 4114 goto end; 4115 4116 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)) 4117 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2))) 4118 goto end; 4119 4120 testresult = 1; 4121 4122 end: 4123 SSL_SESSION_free(sess); 4124 SSL_SESSION_free(clientpsk); 4125 SSL_SESSION_free(serverpsk); 4126 clientpsk = serverpsk = NULL; 4127 SSL_free(serverssl); 4128 SSL_free(clientssl); 4129 SSL_CTX_free(sctx); 4130 SSL_CTX_free(cctx); 4131 return testresult; 4132} 4133 4134static const char *servalpn; 4135 4136static int alpn_select_cb(SSL *ssl, const unsigned char **out, 4137 unsigned char *outlen, const unsigned char *in, 4138 unsigned int inlen, void *arg) 4139{ 4140 unsigned int protlen = 0; 4141 const unsigned char *prot; 4142 4143 for (prot = in; prot < in + inlen; prot += protlen) { 4144 protlen = *prot++; 4145 if (in + inlen < prot + protlen) 4146 return SSL_TLSEXT_ERR_NOACK; 4147 4148 if (protlen == strlen(servalpn) 4149 && memcmp(prot, servalpn, protlen) == 0) { 4150 *out = prot; 4151 *outlen = protlen; 4152 return SSL_TLSEXT_ERR_OK; 4153 } 4154 } 4155 4156 return SSL_TLSEXT_ERR_NOACK; 4157} 4158 4159/* Test that a PSK can be used to send early_data */ 4160static int test_early_data_psk(int idx) 4161{ 4162 SSL_CTX *cctx = NULL, *sctx = NULL; 4163 SSL *clientssl = NULL, *serverssl = NULL; 4164 int testresult = 0; 4165 SSL_SESSION *sess = NULL; 4166 unsigned char alpnlist[] = { 4167 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a', 4168 'l', 'p', 'n' 4169 }; 4170#define GOODALPNLEN 9 4171#define BADALPNLEN 8 4172#define GOODALPN (alpnlist) 4173#define BADALPN (alpnlist + GOODALPNLEN) 4174 int err = 0; 4175 unsigned char buf[20]; 4176 size_t readbytes, written; 4177 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1; 4178 int edstatus = SSL_EARLY_DATA_ACCEPTED; 4179 4180 /* We always set this up with a final parameter of "2" for PSK */ 4181 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, 4182 &serverssl, &sess, 2, 4183 SHA384_DIGEST_LENGTH))) 4184 goto end; 4185 4186 servalpn = "goodalpn"; 4187 4188 /* 4189 * Note: There is no test for inconsistent SNI with late client detection. 4190 * This is because servers do not acknowledge SNI even if they are using 4191 * it in a resumption handshake - so it is not actually possible for a 4192 * client to detect a problem. 4193 */ 4194 switch (idx) { 4195 case 0: 4196 /* Set inconsistent SNI (early client detection) */ 4197 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI; 4198 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost")) 4199 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost"))) 4200 goto end; 4201 break; 4202 4203 case 1: 4204 /* Set inconsistent ALPN (early client detection) */ 4205 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN; 4206 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */ 4207 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN, 4208 GOODALPNLEN)) 4209 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN, 4210 BADALPNLEN))) 4211 goto end; 4212 break; 4213 4214 case 2: 4215 /* 4216 * Set invalid protocol version. Technically this affects PSKs without 4217 * early_data too, but we test it here because it is similar to the 4218 * SNI/ALPN consistency tests. 4219 */ 4220 err = SSL_R_BAD_PSK; 4221 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION))) 4222 goto end; 4223 break; 4224 4225 case 3: 4226 /* 4227 * Set inconsistent SNI (server side). In this case the connection 4228 * will succeed and accept early_data. In TLSv1.3 on the server side SNI 4229 * is associated with each handshake - not the session. Therefore it 4230 * should not matter that we used a different server name last time. 4231 */ 4232 SSL_SESSION_free(serverpsk); 4233 serverpsk = SSL_SESSION_dup(clientpsk); 4234 if (!TEST_ptr(serverpsk) 4235 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost"))) 4236 goto end; 4237 /* Fall through */ 4238 case 4: 4239 /* Set consistent SNI */ 4240 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost")) 4241 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")) 4242 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, 4243 hostname_cb))) 4244 goto end; 4245 break; 4246 4247 case 5: 4248 /* 4249 * Set inconsistent ALPN (server detected). In this case the connection 4250 * will succeed but reject early_data. 4251 */ 4252 servalpn = "badalpn"; 4253 edstatus = SSL_EARLY_DATA_REJECTED; 4254 readearlyres = SSL_READ_EARLY_DATA_FINISH; 4255 /* Fall through */ 4256 case 6: 4257 /* 4258 * Set consistent ALPN. 4259 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It 4260 * accepts a list of protos (each one length prefixed). 4261 * SSL_set1_alpn_selected accepts a single protocol (not length 4262 * prefixed) 4263 */ 4264 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1, 4265 GOODALPNLEN - 1)) 4266 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN, 4267 GOODALPNLEN))) 4268 goto end; 4269 4270 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL); 4271 break; 4272 4273 case 7: 4274 /* Set inconsistent ALPN (late client detection) */ 4275 SSL_SESSION_free(serverpsk); 4276 serverpsk = SSL_SESSION_dup(clientpsk); 4277 if (!TEST_ptr(serverpsk) 4278 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk, 4279 BADALPN + 1, 4280 BADALPNLEN - 1)) 4281 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk, 4282 GOODALPN + 1, 4283 GOODALPNLEN - 1)) 4284 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist, 4285 sizeof(alpnlist)))) 4286 goto end; 4287 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL); 4288 edstatus = SSL_EARLY_DATA_ACCEPTED; 4289 readearlyres = SSL_READ_EARLY_DATA_SUCCESS; 4290 /* SSL_connect() call should fail */ 4291 connectres = -1; 4292 break; 4293 4294 default: 4295 TEST_error("Bad test index"); 4296 goto end; 4297 } 4298 4299 SSL_set_connect_state(clientssl); 4300 if (err != 0) { 4301 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), 4302 &written)) 4303 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL) 4304 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err)) 4305 goto end; 4306 } else { 4307 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), 4308 &written))) 4309 goto end; 4310 4311 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 4312 &readbytes), readearlyres) 4313 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS 4314 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))) 4315 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus) 4316 || !TEST_int_eq(SSL_connect(clientssl), connectres)) 4317 goto end; 4318 } 4319 4320 testresult = 1; 4321 4322 end: 4323 SSL_SESSION_free(sess); 4324 SSL_SESSION_free(clientpsk); 4325 SSL_SESSION_free(serverpsk); 4326 clientpsk = serverpsk = NULL; 4327 SSL_free(serverssl); 4328 SSL_free(clientssl); 4329 SSL_CTX_free(sctx); 4330 SSL_CTX_free(cctx); 4331 return testresult; 4332} 4333 4334/* 4335 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites 4336 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256 4337 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384 4338 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 4339 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256 4340 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256 4341 */ 4342static int test_early_data_psk_with_all_ciphers(int idx) 4343{ 4344 SSL_CTX *cctx = NULL, *sctx = NULL; 4345 SSL *clientssl = NULL, *serverssl = NULL; 4346 int testresult = 0; 4347 SSL_SESSION *sess = NULL; 4348 unsigned char buf[20]; 4349 size_t readbytes, written; 4350 const SSL_CIPHER *cipher; 4351 const char *cipher_str[] = { 4352 TLS1_3_RFC_AES_128_GCM_SHA256, 4353 TLS1_3_RFC_AES_256_GCM_SHA384, 4354# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) 4355 TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 4356# else 4357 NULL, 4358# endif 4359 TLS1_3_RFC_AES_128_CCM_SHA256, 4360 TLS1_3_RFC_AES_128_CCM_8_SHA256 4361 }; 4362 const unsigned char *cipher_bytes[] = { 4363 TLS13_AES_128_GCM_SHA256_BYTES, 4364 TLS13_AES_256_GCM_SHA384_BYTES, 4365# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) 4366 TLS13_CHACHA20_POLY1305_SHA256_BYTES, 4367# else 4368 NULL, 4369# endif 4370 TLS13_AES_128_CCM_SHA256_BYTES, 4371 TLS13_AES_128_CCM_8_SHA256_BYTES 4372 }; 4373 4374 if (cipher_str[idx] == NULL) 4375 return 1; 4376 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */ 4377 if (idx == 2 && is_fips == 1) 4378 return 1; 4379 4380 /* We always set this up with a final parameter of "2" for PSK */ 4381 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, 4382 &serverssl, &sess, 2, 4383 SHA384_DIGEST_LENGTH))) 4384 goto end; 4385 4386 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx])) 4387 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx]))) 4388 goto end; 4389 4390 /* 4391 * 'setupearly_data_test' creates only one instance of SSL_SESSION 4392 * and assigns to both client and server with incremented reference 4393 * and the same instance is updated in 'sess'. 4394 * So updating ciphersuite in 'sess' which will get reflected in 4395 * PSK handshake using psk use sess and find sess cb. 4396 */ 4397 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]); 4398 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))) 4399 goto end; 4400 4401 SSL_set_connect_state(clientssl); 4402 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), 4403 &written))) 4404 goto end; 4405 4406 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 4407 &readbytes), 4408 SSL_READ_EARLY_DATA_SUCCESS) 4409 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)) 4410 || !TEST_int_eq(SSL_get_early_data_status(serverssl), 4411 SSL_EARLY_DATA_ACCEPTED) 4412 || !TEST_int_eq(SSL_connect(clientssl), 1) 4413 || !TEST_int_eq(SSL_accept(serverssl), 1)) 4414 goto end; 4415 4416 /* Send some normal data from client to server */ 4417 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written)) 4418 || !TEST_size_t_eq(written, strlen(MSG2))) 4419 goto end; 4420 4421 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)) 4422 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2))) 4423 goto end; 4424 4425 testresult = 1; 4426 end: 4427 SSL_SESSION_free(sess); 4428 SSL_SESSION_free(clientpsk); 4429 SSL_SESSION_free(serverpsk); 4430 clientpsk = serverpsk = NULL; 4431 if (clientssl != NULL) 4432 SSL_shutdown(clientssl); 4433 if (serverssl != NULL) 4434 SSL_shutdown(serverssl); 4435 SSL_free(serverssl); 4436 SSL_free(clientssl); 4437 SSL_CTX_free(sctx); 4438 SSL_CTX_free(cctx); 4439 return testresult; 4440} 4441 4442/* 4443 * Test that a server that doesn't try to read early data can handle a 4444 * client sending some. 4445 */ 4446static int test_early_data_not_expected(int idx) 4447{ 4448 SSL_CTX *cctx = NULL, *sctx = NULL; 4449 SSL *clientssl = NULL, *serverssl = NULL; 4450 int testresult = 0; 4451 SSL_SESSION *sess = NULL; 4452 unsigned char buf[20]; 4453 size_t readbytes, written; 4454 4455 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, 4456 &serverssl, &sess, idx, 4457 SHA384_DIGEST_LENGTH))) 4458 goto end; 4459 4460 /* Write some early data */ 4461 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), 4462 &written))) 4463 goto end; 4464 4465 /* 4466 * Server should skip over early data and then block waiting for client to 4467 * continue handshake 4468 */ 4469 if (!TEST_int_le(SSL_accept(serverssl), 0) 4470 || !TEST_int_gt(SSL_connect(clientssl), 0) 4471 || !TEST_int_eq(SSL_get_early_data_status(serverssl), 4472 SSL_EARLY_DATA_REJECTED) 4473 || !TEST_int_gt(SSL_accept(serverssl), 0) 4474 || !TEST_int_eq(SSL_get_early_data_status(clientssl), 4475 SSL_EARLY_DATA_REJECTED)) 4476 goto end; 4477 4478 /* Send some normal data from client to server */ 4479 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written)) 4480 || !TEST_size_t_eq(written, strlen(MSG2))) 4481 goto end; 4482 4483 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)) 4484 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2))) 4485 goto end; 4486 4487 testresult = 1; 4488 4489 end: 4490 SSL_SESSION_free(sess); 4491 SSL_SESSION_free(clientpsk); 4492 SSL_SESSION_free(serverpsk); 4493 clientpsk = serverpsk = NULL; 4494 SSL_free(serverssl); 4495 SSL_free(clientssl); 4496 SSL_CTX_free(sctx); 4497 SSL_CTX_free(cctx); 4498 return testresult; 4499} 4500 4501 4502# ifndef OPENSSL_NO_TLS1_2 4503/* 4504 * Test that a server attempting to read early data can handle a connection 4505 * from a TLSv1.2 client. 4506 */ 4507static int test_early_data_tls1_2(int idx) 4508{ 4509 SSL_CTX *cctx = NULL, *sctx = NULL; 4510 SSL *clientssl = NULL, *serverssl = NULL; 4511 int testresult = 0; 4512 unsigned char buf[20]; 4513 size_t readbytes, written; 4514 4515 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, 4516 &serverssl, NULL, idx, 4517 SHA384_DIGEST_LENGTH))) 4518 goto end; 4519 4520 /* Write some data - should block due to handshake with server */ 4521 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION); 4522 SSL_set_connect_state(clientssl); 4523 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))) 4524 goto end; 4525 4526 /* 4527 * Server should do TLSv1.2 handshake. First it will block waiting for more 4528 * messages from client after ServerDone. Then SSL_read_early_data should 4529 * finish and detect that early data has not been sent 4530 */ 4531 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 4532 &readbytes), 4533 SSL_READ_EARLY_DATA_ERROR)) 4534 goto end; 4535 4536 /* 4537 * Continue writing the message we started earlier. Will still block waiting 4538 * for the CCS/Finished from server 4539 */ 4540 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)) 4541 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 4542 &readbytes), 4543 SSL_READ_EARLY_DATA_FINISH) 4544 || !TEST_size_t_eq(readbytes, 0) 4545 || !TEST_int_eq(SSL_get_early_data_status(serverssl), 4546 SSL_EARLY_DATA_NOT_SENT)) 4547 goto end; 4548 4549 /* Continue writing the message we started earlier */ 4550 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)) 4551 || !TEST_size_t_eq(written, strlen(MSG1)) 4552 || !TEST_int_eq(SSL_get_early_data_status(clientssl), 4553 SSL_EARLY_DATA_NOT_SENT) 4554 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)) 4555 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)) 4556 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)) 4557 || !TEST_size_t_eq(written, strlen(MSG2)) 4558 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes) 4559 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2))) 4560 goto end; 4561 4562 testresult = 1; 4563 4564 end: 4565 SSL_SESSION_free(clientpsk); 4566 SSL_SESSION_free(serverpsk); 4567 clientpsk = serverpsk = NULL; 4568 SSL_free(serverssl); 4569 SSL_free(clientssl); 4570 SSL_CTX_free(sctx); 4571 SSL_CTX_free(cctx); 4572 4573 return testresult; 4574} 4575# endif /* OPENSSL_NO_TLS1_2 */ 4576 4577/* 4578 * Test configuring the TLSv1.3 ciphersuites 4579 * 4580 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list) 4581 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list) 4582 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list) 4583 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list) 4584 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list) 4585 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list) 4586 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list) 4587 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list) 4588 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list) 4589 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list) 4590 */ 4591static int test_set_ciphersuite(int idx) 4592{ 4593 SSL_CTX *cctx = NULL, *sctx = NULL; 4594 SSL *clientssl = NULL, *serverssl = NULL; 4595 int testresult = 0; 4596 4597 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 4598 TLS_client_method(), TLS1_VERSION, 0, 4599 &sctx, &cctx, cert, privkey)) 4600 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, 4601 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256"))) 4602 goto end; 4603 4604 if (idx >=4 && idx <= 7) { 4605 /* SSL_CTX explicit cipher list */ 4606 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384"))) 4607 goto end; 4608 } 4609 4610 if (idx == 0 || idx == 4) { 4611 /* Default ciphersuite */ 4612 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, 4613 "TLS_AES_128_GCM_SHA256"))) 4614 goto end; 4615 } else if (idx == 1 || idx == 5) { 4616 /* Non default ciphersuite */ 4617 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, 4618 "TLS_AES_128_CCM_SHA256"))) 4619 goto end; 4620 } 4621 4622 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 4623 &clientssl, NULL, NULL))) 4624 goto end; 4625 4626 if (idx == 8 || idx == 9) { 4627 /* SSL explicit cipher list */ 4628 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))) 4629 goto end; 4630 } 4631 4632 if (idx == 2 || idx == 6 || idx == 8) { 4633 /* Default ciphersuite */ 4634 if (!TEST_true(SSL_set_ciphersuites(clientssl, 4635 "TLS_AES_128_GCM_SHA256"))) 4636 goto end; 4637 } else if (idx == 3 || idx == 7 || idx == 9) { 4638 /* Non default ciphersuite */ 4639 if (!TEST_true(SSL_set_ciphersuites(clientssl, 4640 "TLS_AES_128_CCM_SHA256"))) 4641 goto end; 4642 } 4643 4644 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 4645 goto end; 4646 4647 testresult = 1; 4648 4649 end: 4650 SSL_free(serverssl); 4651 SSL_free(clientssl); 4652 SSL_CTX_free(sctx); 4653 SSL_CTX_free(cctx); 4654 4655 return testresult; 4656} 4657 4658static int test_ciphersuite_change(void) 4659{ 4660 SSL_CTX *cctx = NULL, *sctx = NULL; 4661 SSL *clientssl = NULL, *serverssl = NULL; 4662 SSL_SESSION *clntsess = NULL; 4663 int testresult = 0; 4664 const SSL_CIPHER *aes_128_gcm_sha256 = NULL; 4665 4666 /* Create a session based on SHA-256 */ 4667 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 4668 TLS_client_method(), TLS1_VERSION, 0, 4669 &sctx, &cctx, cert, privkey)) 4670 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, 4671 "TLS_AES_128_GCM_SHA256:" 4672 "TLS_AES_256_GCM_SHA384:" 4673 "TLS_AES_128_CCM_SHA256")) 4674 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, 4675 "TLS_AES_128_GCM_SHA256")) 4676 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 4677 &clientssl, NULL, NULL)) 4678 || !TEST_true(create_ssl_connection(serverssl, clientssl, 4679 SSL_ERROR_NONE))) 4680 goto end; 4681 4682 clntsess = SSL_get1_session(clientssl); 4683 /* Save for later */ 4684 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess); 4685 SSL_shutdown(clientssl); 4686 SSL_shutdown(serverssl); 4687 SSL_free(serverssl); 4688 SSL_free(clientssl); 4689 serverssl = clientssl = NULL; 4690 4691 /* Check we can resume a session with a different SHA-256 ciphersuite */ 4692 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, 4693 "TLS_AES_128_CCM_SHA256")) 4694 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 4695 &clientssl, NULL, NULL)) 4696 || !TEST_true(SSL_set_session(clientssl, clntsess)) 4697 || !TEST_true(create_ssl_connection(serverssl, clientssl, 4698 SSL_ERROR_NONE)) 4699 || !TEST_true(SSL_session_reused(clientssl))) 4700 goto end; 4701 4702 SSL_SESSION_free(clntsess); 4703 clntsess = SSL_get1_session(clientssl); 4704 SSL_shutdown(clientssl); 4705 SSL_shutdown(serverssl); 4706 SSL_free(serverssl); 4707 SSL_free(clientssl); 4708 serverssl = clientssl = NULL; 4709 4710 /* 4711 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites 4712 * succeeds but does not resume. 4713 */ 4714 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384")) 4715 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 4716 NULL, NULL)) 4717 || !TEST_true(SSL_set_session(clientssl, clntsess)) 4718 || !TEST_true(create_ssl_connection(serverssl, clientssl, 4719 SSL_ERROR_SSL)) 4720 || !TEST_false(SSL_session_reused(clientssl))) 4721 goto end; 4722 4723 SSL_SESSION_free(clntsess); 4724 clntsess = NULL; 4725 SSL_shutdown(clientssl); 4726 SSL_shutdown(serverssl); 4727 SSL_free(serverssl); 4728 SSL_free(clientssl); 4729 serverssl = clientssl = NULL; 4730 4731 /* Create a session based on SHA384 */ 4732 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384")) 4733 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 4734 &clientssl, NULL, NULL)) 4735 || !TEST_true(create_ssl_connection(serverssl, clientssl, 4736 SSL_ERROR_NONE))) 4737 goto end; 4738 4739 clntsess = SSL_get1_session(clientssl); 4740 SSL_shutdown(clientssl); 4741 SSL_shutdown(serverssl); 4742 SSL_free(serverssl); 4743 SSL_free(clientssl); 4744 serverssl = clientssl = NULL; 4745 4746 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, 4747 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384")) 4748 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, 4749 "TLS_AES_256_GCM_SHA384")) 4750 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 4751 NULL, NULL)) 4752 || !TEST_true(SSL_set_session(clientssl, clntsess)) 4753 /* 4754 * We use SSL_ERROR_WANT_READ below so that we can pause the 4755 * connection after the initial ClientHello has been sent to 4756 * enable us to make some session changes. 4757 */ 4758 || !TEST_false(create_ssl_connection(serverssl, clientssl, 4759 SSL_ERROR_WANT_READ))) 4760 goto end; 4761 4762 /* Trick the client into thinking this session is for a different digest */ 4763 clntsess->cipher = aes_128_gcm_sha256; 4764 clntsess->cipher_id = clntsess->cipher->id; 4765 4766 /* 4767 * Continue the previously started connection. Server has selected a SHA-384 4768 * ciphersuite, but client thinks the session is for SHA-256, so it should 4769 * bail out. 4770 */ 4771 if (!TEST_false(create_ssl_connection(serverssl, clientssl, 4772 SSL_ERROR_SSL)) 4773 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), 4774 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED)) 4775 goto end; 4776 4777 testresult = 1; 4778 4779 end: 4780 SSL_SESSION_free(clntsess); 4781 SSL_free(serverssl); 4782 SSL_free(clientssl); 4783 SSL_CTX_free(sctx); 4784 SSL_CTX_free(cctx); 4785 4786 return testresult; 4787} 4788 4789/* 4790 * Test TLSv1.3 Key exchange 4791 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server 4792 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server 4793 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server 4794 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server 4795 * Test 4 = Test NID_X25519 with TLSv1.3 client and server 4796 * Test 5 = Test NID_X448 with TLSv1.3 client and server 4797 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server 4798 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server 4799 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server 4800 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server 4801 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server 4802 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server 4803 * Test 12 = Test all ECDHE with TLSv1.2 client and server 4804 * Test 13 = Test all FFDHE with TLSv1.2 client and server 4805 */ 4806# ifndef OPENSSL_NO_EC 4807static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1, 4808 NID_secp521r1, NID_X25519, NID_X448}; 4809# endif 4810# ifndef OPENSSL_NO_DH 4811static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096, 4812 NID_ffdhe6144, NID_ffdhe8192}; 4813# endif 4814static int test_key_exchange(int idx) 4815{ 4816 SSL_CTX *sctx = NULL, *cctx = NULL; 4817 SSL *serverssl = NULL, *clientssl = NULL; 4818 int testresult = 0; 4819 int kexch_alg; 4820 int *kexch_groups = &kexch_alg; 4821 int kexch_groups_size = 1; 4822 int max_version = TLS1_3_VERSION; 4823 char *kexch_name0 = NULL; 4824 4825 switch (idx) { 4826# ifndef OPENSSL_NO_EC 4827# ifndef OPENSSL_NO_TLS1_2 4828 case 12: 4829 max_version = TLS1_2_VERSION; 4830# endif 4831 /* Fall through */ 4832 case 0: 4833 kexch_groups = ecdhe_kexch_groups; 4834 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups); 4835 kexch_name0 = "secp256r1"; 4836 break; 4837 case 1: 4838 kexch_alg = NID_X9_62_prime256v1; 4839 kexch_name0 = "secp256r1"; 4840 break; 4841 case 2: 4842 kexch_alg = NID_secp384r1; 4843 kexch_name0 = "secp384r1"; 4844 break; 4845 case 3: 4846 kexch_alg = NID_secp521r1; 4847 kexch_name0 = "secp521r1"; 4848 break; 4849 case 4: 4850 kexch_alg = NID_X25519; 4851 kexch_name0 = "x25519"; 4852 break; 4853 case 5: 4854 kexch_alg = NID_X448; 4855 kexch_name0 = "x448"; 4856 break; 4857# endif 4858# ifndef OPENSSL_NO_DH 4859# ifndef OPENSSL_NO_TLS1_2 4860 case 13: 4861 max_version = TLS1_2_VERSION; 4862 kexch_name0 = "ffdhe2048"; 4863# endif 4864 /* Fall through */ 4865 case 6: 4866 kexch_groups = ffdhe_kexch_groups; 4867 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups); 4868 kexch_name0 = "ffdhe2048"; 4869 break; 4870 case 7: 4871 kexch_alg = NID_ffdhe2048; 4872 kexch_name0 = "ffdhe2048"; 4873 break; 4874 case 8: 4875 kexch_alg = NID_ffdhe3072; 4876 kexch_name0 = "ffdhe3072"; 4877 break; 4878 case 9: 4879 kexch_alg = NID_ffdhe4096; 4880 kexch_name0 = "ffdhe4096"; 4881 break; 4882 case 10: 4883 kexch_alg = NID_ffdhe6144; 4884 kexch_name0 = "ffdhe6144"; 4885 break; 4886 case 11: 4887 kexch_alg = NID_ffdhe8192; 4888 kexch_name0 = "ffdhe8192"; 4889 break; 4890# endif 4891 default: 4892 /* We're skipping this test */ 4893 return 1; 4894 } 4895 4896 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 4897 TLS_client_method(), TLS1_VERSION, 4898 max_version, &sctx, &cctx, cert, 4899 privkey))) 4900 goto end; 4901 4902 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, 4903 TLS1_3_RFC_AES_128_GCM_SHA256))) 4904 goto end; 4905 4906 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, 4907 TLS1_3_RFC_AES_128_GCM_SHA256))) 4908 goto end; 4909 4910 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, 4911 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":" 4912 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)) 4913 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1))) 4914 goto end; 4915 4916 /* 4917 * Must include an EC ciphersuite so that we send supported groups in 4918 * TLSv1.2 4919 */ 4920# ifndef OPENSSL_NO_TLS1_2 4921 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, 4922 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":" 4923 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))) 4924 goto end; 4925# endif 4926 4927 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 4928 NULL, NULL))) 4929 goto end; 4930 4931 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size)) 4932 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size))) 4933 goto end; 4934 4935 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 4936 goto end; 4937 4938 /* 4939 * If Handshake succeeds the negotiated kexch alg should be the first one in 4940 * configured, except in the case of FFDHE groups (idx 13), which are 4941 * TLSv1.3 only so we expect no shared group to exist. 4942 */ 4943 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0), 4944 idx == 13 ? 0 : kexch_groups[0])) 4945 goto end; 4946 4947 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]), 4948 kexch_name0)) 4949 goto end; 4950 4951 /* We don't implement RFC 7919 named groups for TLS 1.2. */ 4952 if (idx != 13) { 4953 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0])) 4954 goto end; 4955 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0])) 4956 goto end; 4957 } 4958 4959 testresult = 1; 4960 end: 4961 SSL_free(serverssl); 4962 SSL_free(clientssl); 4963 SSL_CTX_free(sctx); 4964 SSL_CTX_free(cctx); 4965 return testresult; 4966} 4967 4968# if !defined(OPENSSL_NO_TLS1_2) \ 4969 && !defined(OPENSSL_NO_EC) \ 4970 && !defined(OPENSSL_NO_DH) 4971static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti, 4972 int isecdhe, int idx) 4973{ 4974 int kexch_alg; 4975 int *kexch_groups = &kexch_alg; 4976 int numec, numff; 4977 4978 numec = OSSL_NELEM(ecdhe_kexch_groups); 4979 numff = OSSL_NELEM(ffdhe_kexch_groups); 4980 if (isecdhe) 4981 kexch_alg = ecdhe_kexch_groups[idx]; 4982 else 4983 kexch_alg = ffdhe_kexch_groups[idx]; 4984 4985 if (clientmulti) { 4986 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1))) 4987 return 0; 4988 if (isecdhe) { 4989 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups, 4990 numec))) 4991 return 0; 4992 } else { 4993 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups, 4994 numff))) 4995 return 0; 4996 } 4997 } else { 4998 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1))) 4999 return 0; 5000 if (isecdhe) { 5001 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups, 5002 numec))) 5003 return 0; 5004 } else { 5005 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups, 5006 numff))) 5007 return 0; 5008 } 5009 } 5010 return 1; 5011} 5012 5013/*- 5014 * Test the SSL_get_negotiated_group() API across a battery of scenarios. 5015 * Run through both the ECDHE and FFDHE group lists used in the previous 5016 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn, 5017 * confirming the expected result; then perform a resumption handshake 5018 * while offering the same group list, and another resumption handshake 5019 * offering a different group list. The returned value should be the 5020 * negotiated group for the initial handshake; for TLS 1.3 resumption 5021 * handshakes the returned value will be negotiated on the resumption 5022 * handshake itself, but for TLS 1.2 resumption handshakes the value will 5023 * be cached in the session from the original handshake, regardless of what 5024 * was offered in the resumption ClientHello. 5025 * 5026 * Using E for the number of EC groups and F for the number of FF groups: 5027 * E tests of ECDHE with TLS 1.3, server only has one group 5028 * F tests of FFDHE with TLS 1.3, server only has one group 5029 * E tests of ECDHE with TLS 1.2, server only has one group 5030 * F tests of FFDHE with TLS 1.2, server only has one group 5031 * E tests of ECDHE with TLS 1.3, client sends only one group 5032 * F tests of FFDHE with TLS 1.3, client sends only one group 5033 * E tests of ECDHE with TLS 1.2, client sends only one group 5034 * F tests of FFDHE with TLS 1.2, client sends only one group 5035 */ 5036static int test_negotiated_group(int idx) 5037{ 5038 int clientmulti, istls13, isecdhe, numec, numff, numgroups; 5039 int expectednid; 5040 SSL_CTX *sctx = NULL, *cctx = NULL; 5041 SSL *serverssl = NULL, *clientssl = NULL; 5042 SSL_SESSION *origsess = NULL; 5043 int testresult = 0; 5044 int kexch_alg; 5045 int max_version = TLS1_3_VERSION; 5046 5047 numec = OSSL_NELEM(ecdhe_kexch_groups); 5048 numff = OSSL_NELEM(ffdhe_kexch_groups); 5049 numgroups = numec + numff; 5050 clientmulti = (idx < 2 * numgroups); 5051 idx = idx % (2 * numgroups); 5052 istls13 = (idx < numgroups); 5053 idx = idx % numgroups; 5054 isecdhe = (idx < numec); 5055 if (!isecdhe) 5056 idx -= numec; 5057 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */ 5058 if (isecdhe) 5059 kexch_alg = ecdhe_kexch_groups[idx]; 5060 else 5061 kexch_alg = ffdhe_kexch_groups[idx]; 5062 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */ 5063 if (!istls13 && !isecdhe) 5064 expectednid = NID_undef; 5065 else 5066 expectednid = kexch_alg; 5067 5068 if (!istls13) 5069 max_version = TLS1_2_VERSION; 5070 5071 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 5072 TLS_client_method(), TLS1_VERSION, 5073 max_version, &sctx, &cctx, cert, 5074 privkey))) 5075 goto end; 5076 5077 /* 5078 * Force (EC)DHE ciphers for TLS 1.2. 5079 * Be sure to enable auto tmp DH so that FFDHE can succeed. 5080 */ 5081 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, 5082 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":" 5083 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)) 5084 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1))) 5085 goto end; 5086 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, 5087 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":" 5088 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))) 5089 goto end; 5090 5091 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 5092 NULL, NULL))) 5093 goto end; 5094 5095 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe, 5096 idx))) 5097 goto end; 5098 5099 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 5100 goto end; 5101 5102 /* Initial handshake; always the configured one */ 5103 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid) 5104 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid)) 5105 goto end; 5106 5107 if (!TEST_ptr((origsess = SSL_get1_session(clientssl)))) 5108 goto end; 5109 5110 SSL_shutdown(clientssl); 5111 SSL_shutdown(serverssl); 5112 SSL_free(serverssl); 5113 SSL_free(clientssl); 5114 serverssl = clientssl = NULL; 5115 5116 /* First resumption attempt; use the same config as initial handshake */ 5117 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 5118 NULL, NULL)) 5119 || !TEST_true(SSL_set_session(clientssl, origsess)) 5120 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, 5121 isecdhe, idx))) 5122 goto end; 5123 5124 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) 5125 || !TEST_true(SSL_session_reused(clientssl))) 5126 goto end; 5127 5128 /* Still had better agree, since nothing changed... */ 5129 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid) 5130 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid)) 5131 goto end; 5132 5133 SSL_shutdown(clientssl); 5134 SSL_shutdown(serverssl); 5135 SSL_free(serverssl); 5136 SSL_free(clientssl); 5137 serverssl = clientssl = NULL; 5138 5139 /*- 5140 * Second resumption attempt 5141 * The party that picks one group changes it, which we effectuate by 5142 * changing 'idx' and updating what we expect. 5143 */ 5144 if (idx == 0) 5145 idx = 1; 5146 else 5147 idx--; 5148 if (istls13) { 5149 if (isecdhe) 5150 expectednid = ecdhe_kexch_groups[idx]; 5151 else 5152 expectednid = ffdhe_kexch_groups[idx]; 5153 /* Verify that we are changing what we expect. */ 5154 if (!TEST_int_ne(expectednid, kexch_alg)) 5155 goto end; 5156 } else { 5157 /* TLS 1.2 only supports named groups for ECDHE. */ 5158 if (isecdhe) 5159 expectednid = kexch_alg; 5160 else 5161 expectednid = 0; 5162 } 5163 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 5164 NULL, NULL)) 5165 || !TEST_true(SSL_set_session(clientssl, origsess)) 5166 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, 5167 isecdhe, idx))) 5168 goto end; 5169 5170 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) 5171 || !TEST_true(SSL_session_reused(clientssl))) 5172 goto end; 5173 5174 /* Check that we get what we expected */ 5175 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid) 5176 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid)) 5177 goto end; 5178 5179 testresult = 1; 5180 end: 5181 SSL_free(serverssl); 5182 SSL_free(clientssl); 5183 SSL_CTX_free(sctx); 5184 SSL_CTX_free(cctx); 5185 SSL_SESSION_free(origsess); 5186 return testresult; 5187} 5188# endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */ 5189 5190/* 5191 * Test TLSv1.3 Cipher Suite 5192 * Test 0 = Set TLS1.3 cipher on context 5193 * Test 1 = Set TLS1.3 cipher on SSL 5194 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context 5195 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL 5196 */ 5197static int test_tls13_ciphersuite(int idx) 5198{ 5199 SSL_CTX *sctx = NULL, *cctx = NULL; 5200 SSL *serverssl = NULL, *clientssl = NULL; 5201 static const struct { 5202 const char *ciphername; 5203 int fipscapable; 5204 } t13_ciphers[] = { 5205 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 }, 5206 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 }, 5207 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 }, 5208# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) 5209 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 }, 5210 { TLS1_3_RFC_AES_256_GCM_SHA384 5211 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 }, 5212# endif 5213 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 } 5214 }; 5215 const char *t13_cipher = NULL; 5216 const char *t12_cipher = NULL; 5217 const char *negotiated_scipher; 5218 const char *negotiated_ccipher; 5219 int set_at_ctx = 0; 5220 int set_at_ssl = 0; 5221 int testresult = 0; 5222 int max_ver; 5223 size_t i; 5224 5225 switch (idx) { 5226 case 0: 5227 set_at_ctx = 1; 5228 break; 5229 case 1: 5230 set_at_ssl = 1; 5231 break; 5232 case 2: 5233 set_at_ctx = 1; 5234 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256; 5235 break; 5236 case 3: 5237 set_at_ssl = 1; 5238 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256; 5239 break; 5240 } 5241 5242 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) { 5243# ifdef OPENSSL_NO_TLS1_2 5244 if (max_ver == TLS1_2_VERSION) 5245 continue; 5246# endif 5247 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) { 5248 if (is_fips && !t13_ciphers[i].fipscapable) 5249 continue; 5250 t13_cipher = t13_ciphers[i].ciphername; 5251 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 5252 TLS_client_method(), 5253 TLS1_VERSION, max_ver, 5254 &sctx, &cctx, cert, privkey))) 5255 goto end; 5256 5257 if (set_at_ctx) { 5258 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher)) 5259 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher))) 5260 goto end; 5261 if (t12_cipher != NULL) { 5262 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher)) 5263 || !TEST_true(SSL_CTX_set_cipher_list(cctx, 5264 t12_cipher))) 5265 goto end; 5266 } 5267 } 5268 5269 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 5270 &clientssl, NULL, NULL))) 5271 goto end; 5272 5273 if (set_at_ssl) { 5274 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher)) 5275 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher))) 5276 goto end; 5277 if (t12_cipher != NULL) { 5278 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher)) 5279 || !TEST_true(SSL_set_cipher_list(clientssl, 5280 t12_cipher))) 5281 goto end; 5282 } 5283 } 5284 5285 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 5286 SSL_ERROR_NONE))) 5287 goto end; 5288 5289 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher( 5290 serverssl)); 5291 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher( 5292 clientssl)); 5293 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher)) 5294 goto end; 5295 5296 /* 5297 * TEST_strn_eq is used below because t13_cipher can contain 5298 * multiple ciphersuites 5299 */ 5300 if (max_ver == TLS1_3_VERSION 5301 && !TEST_strn_eq(t13_cipher, negotiated_scipher, 5302 strlen(negotiated_scipher))) 5303 goto end; 5304 5305# ifndef OPENSSL_NO_TLS1_2 5306 /* Below validation is not done when t12_cipher is NULL */ 5307 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL 5308 && !TEST_str_eq(t12_cipher, negotiated_scipher)) 5309 goto end; 5310# endif 5311 5312 SSL_free(serverssl); 5313 serverssl = NULL; 5314 SSL_free(clientssl); 5315 clientssl = NULL; 5316 SSL_CTX_free(sctx); 5317 sctx = NULL; 5318 SSL_CTX_free(cctx); 5319 cctx = NULL; 5320 } 5321 } 5322 5323 testresult = 1; 5324 end: 5325 SSL_free(serverssl); 5326 SSL_free(clientssl); 5327 SSL_CTX_free(sctx); 5328 SSL_CTX_free(cctx); 5329 return testresult; 5330} 5331 5332/* 5333 * Test TLSv1.3 PSKs 5334 * Test 0 = Test new style callbacks 5335 * Test 1 = Test both new and old style callbacks 5336 * Test 2 = Test old style callbacks 5337 * Test 3 = Test old style callbacks with no certificate 5338 */ 5339static int test_tls13_psk(int idx) 5340{ 5341 SSL_CTX *sctx = NULL, *cctx = NULL; 5342 SSL *serverssl = NULL, *clientssl = NULL; 5343 const SSL_CIPHER *cipher = NULL; 5344 const unsigned char key[] = { 5345 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 5346 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 5347 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23, 5348 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f 5349 }; 5350 int testresult = 0; 5351 5352 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 5353 TLS_client_method(), TLS1_VERSION, 0, 5354 &sctx, &cctx, idx == 3 ? NULL : cert, 5355 idx == 3 ? NULL : privkey))) 5356 goto end; 5357 5358 if (idx != 3) { 5359 /* 5360 * We use a ciphersuite with SHA256 to ease testing old style PSK 5361 * callbacks which will always default to SHA256. This should not be 5362 * necessary if we have no cert/priv key. In that case the server should 5363 * prefer SHA256 automatically. 5364 */ 5365 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, 5366 "TLS_AES_128_GCM_SHA256"))) 5367 goto end; 5368 } else { 5369 /* 5370 * As noted above the server should prefer SHA256 automatically. However 5371 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same 5372 * code works even if we are testing with only the FIPS provider loaded. 5373 */ 5374 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, 5375 "TLS_AES_256_GCM_SHA384:" 5376 "TLS_AES_128_GCM_SHA256"))) 5377 goto end; 5378 } 5379 5380 /* 5381 * Test 0: New style callbacks only 5382 * Test 1: New and old style callbacks (only the new ones should be used) 5383 * Test 2: Old style callbacks only 5384 */ 5385 if (idx == 0 || idx == 1) { 5386 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb); 5387 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb); 5388 } 5389#ifndef OPENSSL_NO_PSK 5390 if (idx >= 1) { 5391 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb); 5392 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb); 5393 } 5394#endif 5395 srvid = pskid; 5396 use_session_cb_cnt = 0; 5397 find_session_cb_cnt = 0; 5398 psk_client_cb_cnt = 0; 5399 psk_server_cb_cnt = 0; 5400 5401 if (idx != 3) { 5402 /* 5403 * Check we can create a connection if callback decides not to send a 5404 * PSK 5405 */ 5406 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 5407 NULL, NULL)) 5408 || !TEST_true(create_ssl_connection(serverssl, clientssl, 5409 SSL_ERROR_NONE)) 5410 || !TEST_false(SSL_session_reused(clientssl)) 5411 || !TEST_false(SSL_session_reused(serverssl))) 5412 goto end; 5413 5414 if (idx == 0 || idx == 1) { 5415 if (!TEST_true(use_session_cb_cnt == 1) 5416 || !TEST_true(find_session_cb_cnt == 0) 5417 /* 5418 * If no old style callback then below should be 0 5419 * otherwise 1 5420 */ 5421 || !TEST_true(psk_client_cb_cnt == idx) 5422 || !TEST_true(psk_server_cb_cnt == 0)) 5423 goto end; 5424 } else { 5425 if (!TEST_true(use_session_cb_cnt == 0) 5426 || !TEST_true(find_session_cb_cnt == 0) 5427 || !TEST_true(psk_client_cb_cnt == 1) 5428 || !TEST_true(psk_server_cb_cnt == 0)) 5429 goto end; 5430 } 5431 5432 shutdown_ssl_connection(serverssl, clientssl); 5433 serverssl = clientssl = NULL; 5434 use_session_cb_cnt = psk_client_cb_cnt = 0; 5435 } 5436 5437 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 5438 NULL, NULL))) 5439 goto end; 5440 5441 /* Create the PSK */ 5442 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES); 5443 clientpsk = SSL_SESSION_new(); 5444 if (!TEST_ptr(clientpsk) 5445 || !TEST_ptr(cipher) 5446 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key, 5447 sizeof(key))) 5448 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher)) 5449 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk, 5450 TLS1_3_VERSION)) 5451 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) 5452 goto end; 5453 serverpsk = clientpsk; 5454 5455 /* Check we can create a connection and the PSK is used */ 5456 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) 5457 || !TEST_true(SSL_session_reused(clientssl)) 5458 || !TEST_true(SSL_session_reused(serverssl))) 5459 goto end; 5460 5461 if (idx == 0 || idx == 1) { 5462 if (!TEST_true(use_session_cb_cnt == 1) 5463 || !TEST_true(find_session_cb_cnt == 1) 5464 || !TEST_true(psk_client_cb_cnt == 0) 5465 || !TEST_true(psk_server_cb_cnt == 0)) 5466 goto end; 5467 } else { 5468 if (!TEST_true(use_session_cb_cnt == 0) 5469 || !TEST_true(find_session_cb_cnt == 0) 5470 || !TEST_true(psk_client_cb_cnt == 1) 5471 || !TEST_true(psk_server_cb_cnt == 1)) 5472 goto end; 5473 } 5474 5475 shutdown_ssl_connection(serverssl, clientssl); 5476 serverssl = clientssl = NULL; 5477 use_session_cb_cnt = find_session_cb_cnt = 0; 5478 psk_client_cb_cnt = psk_server_cb_cnt = 0; 5479 5480 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 5481 NULL, NULL))) 5482 goto end; 5483 5484 /* Force an HRR */ 5485#if defined(OPENSSL_NO_EC) 5486 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072"))) 5487 goto end; 5488#else 5489 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256"))) 5490 goto end; 5491#endif 5492 5493 /* 5494 * Check we can create a connection, the PSK is used and the callbacks are 5495 * called twice. 5496 */ 5497 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) 5498 || !TEST_true(SSL_session_reused(clientssl)) 5499 || !TEST_true(SSL_session_reused(serverssl))) 5500 goto end; 5501 5502 if (idx == 0 || idx == 1) { 5503 if (!TEST_true(use_session_cb_cnt == 2) 5504 || !TEST_true(find_session_cb_cnt == 2) 5505 || !TEST_true(psk_client_cb_cnt == 0) 5506 || !TEST_true(psk_server_cb_cnt == 0)) 5507 goto end; 5508 } else { 5509 if (!TEST_true(use_session_cb_cnt == 0) 5510 || !TEST_true(find_session_cb_cnt == 0) 5511 || !TEST_true(psk_client_cb_cnt == 2) 5512 || !TEST_true(psk_server_cb_cnt == 2)) 5513 goto end; 5514 } 5515 5516 shutdown_ssl_connection(serverssl, clientssl); 5517 serverssl = clientssl = NULL; 5518 use_session_cb_cnt = find_session_cb_cnt = 0; 5519 psk_client_cb_cnt = psk_server_cb_cnt = 0; 5520 5521 if (idx != 3) { 5522 /* 5523 * Check that if the server rejects the PSK we can still connect, but with 5524 * a full handshake 5525 */ 5526 srvid = "Dummy Identity"; 5527 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 5528 NULL, NULL)) 5529 || !TEST_true(create_ssl_connection(serverssl, clientssl, 5530 SSL_ERROR_NONE)) 5531 || !TEST_false(SSL_session_reused(clientssl)) 5532 || !TEST_false(SSL_session_reused(serverssl))) 5533 goto end; 5534 5535 if (idx == 0 || idx == 1) { 5536 if (!TEST_true(use_session_cb_cnt == 1) 5537 || !TEST_true(find_session_cb_cnt == 1) 5538 || !TEST_true(psk_client_cb_cnt == 0) 5539 /* 5540 * If no old style callback then below should be 0 5541 * otherwise 1 5542 */ 5543 || !TEST_true(psk_server_cb_cnt == idx)) 5544 goto end; 5545 } else { 5546 if (!TEST_true(use_session_cb_cnt == 0) 5547 || !TEST_true(find_session_cb_cnt == 0) 5548 || !TEST_true(psk_client_cb_cnt == 1) 5549 || !TEST_true(psk_server_cb_cnt == 1)) 5550 goto end; 5551 } 5552 5553 shutdown_ssl_connection(serverssl, clientssl); 5554 serverssl = clientssl = NULL; 5555 } 5556 testresult = 1; 5557 5558 end: 5559 SSL_SESSION_free(clientpsk); 5560 SSL_SESSION_free(serverpsk); 5561 clientpsk = serverpsk = NULL; 5562 SSL_free(serverssl); 5563 SSL_free(clientssl); 5564 SSL_CTX_free(sctx); 5565 SSL_CTX_free(cctx); 5566 return testresult; 5567} 5568 5569static unsigned char cookie_magic_value[] = "cookie magic"; 5570 5571static int generate_cookie_callback(SSL *ssl, unsigned char *cookie, 5572 unsigned int *cookie_len) 5573{ 5574 /* 5575 * Not suitable as a real cookie generation function but good enough for 5576 * testing! 5577 */ 5578 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1); 5579 *cookie_len = sizeof(cookie_magic_value) - 1; 5580 5581 return 1; 5582} 5583 5584static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie, 5585 unsigned int cookie_len) 5586{ 5587 if (cookie_len == sizeof(cookie_magic_value) - 1 5588 && memcmp(cookie, cookie_magic_value, cookie_len) == 0) 5589 return 1; 5590 5591 return 0; 5592} 5593 5594static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie, 5595 size_t *cookie_len) 5596{ 5597 unsigned int temp; 5598 int res = generate_cookie_callback(ssl, cookie, &temp); 5599 *cookie_len = temp; 5600 return res; 5601} 5602 5603static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie, 5604 size_t cookie_len) 5605{ 5606 return verify_cookie_callback(ssl, cookie, cookie_len); 5607} 5608 5609static int test_stateless(void) 5610{ 5611 SSL_CTX *sctx = NULL, *cctx = NULL; 5612 SSL *serverssl = NULL, *clientssl = NULL; 5613 int testresult = 0; 5614 5615 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 5616 TLS_client_method(), TLS1_VERSION, 0, 5617 &sctx, &cctx, cert, privkey))) 5618 goto end; 5619 5620 /* The arrival of CCS messages can confuse the test */ 5621 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT); 5622 5623 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 5624 NULL, NULL)) 5625 /* Send the first ClientHello */ 5626 || !TEST_false(create_ssl_connection(serverssl, clientssl, 5627 SSL_ERROR_WANT_READ)) 5628 /* 5629 * This should fail with a -1 return because we have no callbacks 5630 * set up 5631 */ 5632 || !TEST_int_eq(SSL_stateless(serverssl), -1)) 5633 goto end; 5634 5635 /* Fatal error so abandon the connection from this client */ 5636 SSL_free(clientssl); 5637 clientssl = NULL; 5638 5639 /* Set up the cookie generation and verification callbacks */ 5640 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback); 5641 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback); 5642 5643 /* 5644 * Create a new connection from the client (we can reuse the server SSL 5645 * object). 5646 */ 5647 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 5648 NULL, NULL)) 5649 /* Send the first ClientHello */ 5650 || !TEST_false(create_ssl_connection(serverssl, clientssl, 5651 SSL_ERROR_WANT_READ)) 5652 /* This should fail because there is no cookie */ 5653 || !TEST_int_eq(SSL_stateless(serverssl), 0)) 5654 goto end; 5655 5656 /* Abandon the connection from this client */ 5657 SSL_free(clientssl); 5658 clientssl = NULL; 5659 5660 /* 5661 * Now create a connection from a new client but with the same server SSL 5662 * object 5663 */ 5664 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 5665 NULL, NULL)) 5666 /* Send the first ClientHello */ 5667 || !TEST_false(create_ssl_connection(serverssl, clientssl, 5668 SSL_ERROR_WANT_READ)) 5669 /* This should fail because there is no cookie */ 5670 || !TEST_int_eq(SSL_stateless(serverssl), 0) 5671 /* Send the second ClientHello */ 5672 || !TEST_false(create_ssl_connection(serverssl, clientssl, 5673 SSL_ERROR_WANT_READ)) 5674 /* This should succeed because a cookie is now present */ 5675 || !TEST_int_eq(SSL_stateless(serverssl), 1) 5676 /* Complete the connection */ 5677 || !TEST_true(create_ssl_connection(serverssl, clientssl, 5678 SSL_ERROR_NONE))) 5679 goto end; 5680 5681 shutdown_ssl_connection(serverssl, clientssl); 5682 serverssl = clientssl = NULL; 5683 testresult = 1; 5684 5685 end: 5686 SSL_free(serverssl); 5687 SSL_free(clientssl); 5688 SSL_CTX_free(sctx); 5689 SSL_CTX_free(cctx); 5690 return testresult; 5691 5692} 5693#endif /* OSSL_NO_USABLE_TLS1_3 */ 5694 5695static int clntaddoldcb = 0; 5696static int clntparseoldcb = 0; 5697static int srvaddoldcb = 0; 5698static int srvparseoldcb = 0; 5699static int clntaddnewcb = 0; 5700static int clntparsenewcb = 0; 5701static int srvaddnewcb = 0; 5702static int srvparsenewcb = 0; 5703static int snicb = 0; 5704 5705#define TEST_EXT_TYPE1 0xff00 5706 5707static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out, 5708 size_t *outlen, int *al, void *add_arg) 5709{ 5710 int *server = (int *)add_arg; 5711 unsigned char *data; 5712 5713 if (SSL_is_server(s)) 5714 srvaddoldcb++; 5715 else 5716 clntaddoldcb++; 5717 5718 if (*server != SSL_is_server(s) 5719 || (data = OPENSSL_malloc(sizeof(*data))) == NULL) 5720 return -1; 5721 5722 *data = 1; 5723 *out = data; 5724 *outlen = sizeof(char); 5725 return 1; 5726} 5727 5728static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out, 5729 void *add_arg) 5730{ 5731 OPENSSL_free((unsigned char *)out); 5732} 5733 5734static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in, 5735 size_t inlen, int *al, void *parse_arg) 5736{ 5737 int *server = (int *)parse_arg; 5738 5739 if (SSL_is_server(s)) 5740 srvparseoldcb++; 5741 else 5742 clntparseoldcb++; 5743 5744 if (*server != SSL_is_server(s) 5745 || inlen != sizeof(char) 5746 || *in != 1) 5747 return -1; 5748 5749 return 1; 5750} 5751 5752static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context, 5753 const unsigned char **out, size_t *outlen, X509 *x, 5754 size_t chainidx, int *al, void *add_arg) 5755{ 5756 int *server = (int *)add_arg; 5757 unsigned char *data; 5758 5759 if (SSL_is_server(s)) 5760 srvaddnewcb++; 5761 else 5762 clntaddnewcb++; 5763 5764 if (*server != SSL_is_server(s) 5765 || (data = OPENSSL_malloc(sizeof(*data))) == NULL) 5766 return -1; 5767 5768 *data = 1; 5769 *out = data; 5770 *outlen = sizeof(*data); 5771 return 1; 5772} 5773 5774static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context, 5775 const unsigned char *out, void *add_arg) 5776{ 5777 OPENSSL_free((unsigned char *)out); 5778} 5779 5780static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context, 5781 const unsigned char *in, size_t inlen, X509 *x, 5782 size_t chainidx, int *al, void *parse_arg) 5783{ 5784 int *server = (int *)parse_arg; 5785 5786 if (SSL_is_server(s)) 5787 srvparsenewcb++; 5788 else 5789 clntparsenewcb++; 5790 5791 if (*server != SSL_is_server(s) 5792 || inlen != sizeof(char) || *in != 1) 5793 return -1; 5794 5795 return 1; 5796} 5797 5798static int sni_cb(SSL *s, int *al, void *arg) 5799{ 5800 SSL_CTX *ctx = (SSL_CTX *)arg; 5801 5802 if (SSL_set_SSL_CTX(s, ctx) == NULL) { 5803 *al = SSL_AD_INTERNAL_ERROR; 5804 return SSL_TLSEXT_ERR_ALERT_FATAL; 5805 } 5806 snicb++; 5807 return SSL_TLSEXT_ERR_OK; 5808} 5809 5810static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx) 5811{ 5812 return 1; 5813} 5814 5815/* 5816 * Custom call back tests. 5817 * Test 0: Old style callbacks in TLSv1.2 5818 * Test 1: New style callbacks in TLSv1.2 5819 * Test 2: New style callbacks in TLSv1.2 with SNI 5820 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE 5821 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST 5822 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert 5823 */ 5824static int test_custom_exts(int tst) 5825{ 5826 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL; 5827 SSL *clientssl = NULL, *serverssl = NULL; 5828 int testresult = 0; 5829 static int server = 1; 5830 static int client = 0; 5831 SSL_SESSION *sess = NULL; 5832 unsigned int context; 5833 5834#if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3) 5835 /* Skip tests for TLSv1.2 and below in this case */ 5836 if (tst < 3) 5837 return 1; 5838#endif 5839 5840 /* Reset callback counters */ 5841 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0; 5842 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0; 5843 snicb = 0; 5844 5845 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 5846 TLS_client_method(), TLS1_VERSION, 0, 5847 &sctx, &cctx, cert, privkey))) 5848 goto end; 5849 5850 if (tst == 2 5851 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL, 5852 TLS1_VERSION, 0, 5853 &sctx2, NULL, cert, privkey))) 5854 goto end; 5855 5856 5857 if (tst < 3) { 5858 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3); 5859 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3); 5860 if (sctx2 != NULL) 5861 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3); 5862 } 5863 5864 if (tst == 5) { 5865 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST 5866 | SSL_EXT_TLS1_3_CERTIFICATE; 5867 SSL_CTX_set_verify(sctx, 5868 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 5869 verify_cb); 5870 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert, 5871 SSL_FILETYPE_PEM), 1) 5872 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey, 5873 SSL_FILETYPE_PEM), 1) 5874 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1)) 5875 goto end; 5876 } else if (tst == 4) { 5877 context = SSL_EXT_CLIENT_HELLO 5878 | SSL_EXT_TLS1_2_SERVER_HELLO 5879 | SSL_EXT_TLS1_3_SERVER_HELLO 5880 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS 5881 | SSL_EXT_TLS1_3_CERTIFICATE 5882 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET; 5883 } else { 5884 context = SSL_EXT_CLIENT_HELLO 5885 | SSL_EXT_TLS1_2_SERVER_HELLO 5886 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS; 5887 } 5888 5889 /* Create a client side custom extension */ 5890 if (tst == 0) { 5891 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1, 5892 old_add_cb, old_free_cb, 5893 &client, old_parse_cb, 5894 &client))) 5895 goto end; 5896 } else { 5897 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context, 5898 new_add_cb, new_free_cb, 5899 &client, new_parse_cb, &client))) 5900 goto end; 5901 } 5902 5903 /* Should not be able to add duplicates */ 5904 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1, 5905 old_add_cb, old_free_cb, 5906 &client, old_parse_cb, 5907 &client)) 5908 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, 5909 context, new_add_cb, 5910 new_free_cb, &client, 5911 new_parse_cb, &client))) 5912 goto end; 5913 5914 /* Create a server side custom extension */ 5915 if (tst == 0) { 5916 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1, 5917 old_add_cb, old_free_cb, 5918 &server, old_parse_cb, 5919 &server))) 5920 goto end; 5921 } else { 5922 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context, 5923 new_add_cb, new_free_cb, 5924 &server, new_parse_cb, &server))) 5925 goto end; 5926 if (sctx2 != NULL 5927 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1, 5928 context, new_add_cb, 5929 new_free_cb, &server, 5930 new_parse_cb, &server))) 5931 goto end; 5932 } 5933 5934 /* Should not be able to add duplicates */ 5935 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1, 5936 old_add_cb, old_free_cb, 5937 &server, old_parse_cb, 5938 &server)) 5939 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, 5940 context, new_add_cb, 5941 new_free_cb, &server, 5942 new_parse_cb, &server))) 5943 goto end; 5944 5945 if (tst == 2) { 5946 /* Set up SNI */ 5947 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb)) 5948 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2))) 5949 goto end; 5950 } 5951 5952 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 5953 &clientssl, NULL, NULL)) 5954 || !TEST_true(create_ssl_connection(serverssl, clientssl, 5955 SSL_ERROR_NONE))) 5956 goto end; 5957 5958 if (tst == 0) { 5959 if (clntaddoldcb != 1 5960 || clntparseoldcb != 1 5961 || srvaddoldcb != 1 5962 || srvparseoldcb != 1) 5963 goto end; 5964 } else if (tst == 1 || tst == 2 || tst == 3) { 5965 if (clntaddnewcb != 1 5966 || clntparsenewcb != 1 5967 || srvaddnewcb != 1 5968 || srvparsenewcb != 1 5969 || (tst != 2 && snicb != 0) 5970 || (tst == 2 && snicb != 1)) 5971 goto end; 5972 } else if (tst == 5) { 5973 if (clntaddnewcb != 1 5974 || clntparsenewcb != 1 5975 || srvaddnewcb != 1 5976 || srvparsenewcb != 1) 5977 goto end; 5978 } else { 5979 /* In this case there 2 NewSessionTicket messages created */ 5980 if (clntaddnewcb != 1 5981 || clntparsenewcb != 5 5982 || srvaddnewcb != 5 5983 || srvparsenewcb != 1) 5984 goto end; 5985 } 5986 5987 sess = SSL_get1_session(clientssl); 5988 SSL_shutdown(clientssl); 5989 SSL_shutdown(serverssl); 5990 SSL_free(serverssl); 5991 SSL_free(clientssl); 5992 serverssl = clientssl = NULL; 5993 5994 if (tst == 3 || tst == 5) { 5995 /* We don't bother with the resumption aspects for these tests */ 5996 testresult = 1; 5997 goto end; 5998 } 5999 6000 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 6001 NULL, NULL)) 6002 || !TEST_true(SSL_set_session(clientssl, sess)) 6003 || !TEST_true(create_ssl_connection(serverssl, clientssl, 6004 SSL_ERROR_NONE))) 6005 goto end; 6006 6007 /* 6008 * For a resumed session we expect to add the ClientHello extension. For the 6009 * old style callbacks we ignore it on the server side because they set 6010 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore 6011 * them. 6012 */ 6013 if (tst == 0) { 6014 if (clntaddoldcb != 2 6015 || clntparseoldcb != 1 6016 || srvaddoldcb != 1 6017 || srvparseoldcb != 1) 6018 goto end; 6019 } else if (tst == 1 || tst == 2 || tst == 3) { 6020 if (clntaddnewcb != 2 6021 || clntparsenewcb != 2 6022 || srvaddnewcb != 2 6023 || srvparsenewcb != 2) 6024 goto end; 6025 } else { 6026 /* 6027 * No Certificate message extensions in the resumption handshake, 6028 * 2 NewSessionTickets in the initial handshake, 1 in the resumption 6029 */ 6030 if (clntaddnewcb != 2 6031 || clntparsenewcb != 8 6032 || srvaddnewcb != 8 6033 || srvparsenewcb != 2) 6034 goto end; 6035 } 6036 6037 testresult = 1; 6038 6039end: 6040 SSL_SESSION_free(sess); 6041 SSL_free(serverssl); 6042 SSL_free(clientssl); 6043 SSL_CTX_free(sctx2); 6044 SSL_CTX_free(sctx); 6045 SSL_CTX_free(cctx); 6046 return testresult; 6047} 6048 6049#if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3) 6050 6051#define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \ 6052 | SSL_EXT_CLIENT_HELLO \ 6053 | SSL_EXT_TLS1_2_SERVER_HELLO \ 6054 | SSL_EXT_IGNORE_ON_RESUMPTION) 6055 6056#define TLS13CONTEXT (SSL_EXT_TLS1_3_CERTIFICATE \ 6057 | SSL_EXT_TLS1_2_SERVER_HELLO \ 6058 | SSL_EXT_CLIENT_HELLO) 6059 6060#define SERVERINFO_CUSTOM \ 6061 0x00, (char)TLSEXT_TYPE_signed_certificate_timestamp, \ 6062 0x00, 0x03, \ 6063 0x04, 0x05, 0x06 \ 6064 6065static const unsigned char serverinfo_custom_tls13[] = { 6066 0x00, 0x00, (TLS13CONTEXT >> 8) & 0xff, TLS13CONTEXT & 0xff, 6067 SERVERINFO_CUSTOM 6068}; 6069static const unsigned char serverinfo_custom_v2[] = { 6070 0x00, 0x00, (SYNTHV1CONTEXT >> 8) & 0xff, SYNTHV1CONTEXT & 0xff, 6071 SERVERINFO_CUSTOM 6072}; 6073static const unsigned char serverinfo_custom_v1[] = { 6074 SERVERINFO_CUSTOM 6075}; 6076static const size_t serverinfo_custom_tls13_len = sizeof(serverinfo_custom_tls13); 6077static const size_t serverinfo_custom_v2_len = sizeof(serverinfo_custom_v2); 6078static const size_t serverinfo_custom_v1_len = sizeof(serverinfo_custom_v1); 6079 6080static int serverinfo_custom_parse_cb(SSL *s, unsigned int ext_type, 6081 unsigned int context, 6082 const unsigned char *in, 6083 size_t inlen, X509 *x, 6084 size_t chainidx, int *al, 6085 void *parse_arg) 6086{ 6087 const size_t len = serverinfo_custom_v1_len; 6088 const unsigned char *si = &serverinfo_custom_v1[len - 3]; 6089 int *p_cb_result = (int*)parse_arg; 6090 *p_cb_result = TEST_mem_eq(in, inlen, si, 3); 6091 return 1; 6092} 6093 6094static int test_serverinfo_custom(const int idx) 6095{ 6096 SSL_CTX *sctx = NULL, *cctx = NULL; 6097 SSL *clientssl = NULL, *serverssl = NULL; 6098 int testresult = 0; 6099 int cb_result = 0; 6100 6101 /* 6102 * Following variables are set in the switch statement 6103 * according to the test iteration. 6104 * Default values do not make much sense: test would fail with them. 6105 */ 6106 int serverinfo_version = 0; 6107 int protocol_version = 0; 6108 unsigned int extension_context = 0; 6109 const unsigned char *si = NULL; 6110 size_t si_len = 0; 6111 6112 const int call_use_serverinfo_ex = idx > 0; 6113 switch (idx) { 6114 case 0: /* FALLTHROUGH */ 6115 case 1: 6116 serverinfo_version = SSL_SERVERINFOV1; 6117 protocol_version = TLS1_2_VERSION; 6118 extension_context = SYNTHV1CONTEXT; 6119 si = serverinfo_custom_v1; 6120 si_len = serverinfo_custom_v1_len; 6121 break; 6122 case 2: 6123 serverinfo_version = SSL_SERVERINFOV2; 6124 protocol_version = TLS1_2_VERSION; 6125 extension_context = SYNTHV1CONTEXT; 6126 si = serverinfo_custom_v2; 6127 si_len = serverinfo_custom_v2_len; 6128 break; 6129 case 3: 6130 serverinfo_version = SSL_SERVERINFOV2; 6131 protocol_version = TLS1_3_VERSION; 6132 extension_context = TLS13CONTEXT; 6133 si = serverinfo_custom_tls13; 6134 si_len = serverinfo_custom_tls13_len; 6135 break; 6136 } 6137 6138 if (!TEST_true(create_ssl_ctx_pair(libctx, 6139 TLS_method(), 6140 TLS_method(), 6141 protocol_version, 6142 protocol_version, 6143 &sctx, &cctx, cert, privkey))) 6144 goto end; 6145 6146 if (call_use_serverinfo_ex) { 6147 if (!TEST_true(SSL_CTX_use_serverinfo_ex(sctx, serverinfo_version, 6148 si, si_len))) 6149 goto end; 6150 } else { 6151 if (!TEST_true(SSL_CTX_use_serverinfo(sctx, si, si_len))) 6152 goto end; 6153 } 6154 6155 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TLSEXT_TYPE_signed_certificate_timestamp, 6156 extension_context, 6157 NULL, NULL, NULL, 6158 serverinfo_custom_parse_cb, 6159 &cb_result)) 6160 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 6161 NULL, NULL)) 6162 || !TEST_true(create_ssl_connection(serverssl, clientssl, 6163 SSL_ERROR_NONE)) 6164 || !TEST_int_eq(SSL_do_handshake(clientssl), 1)) 6165 goto end; 6166 6167 if (!TEST_true(cb_result)) 6168 goto end; 6169 6170 testresult = 1; 6171 6172 end: 6173 SSL_free(serverssl); 6174 SSL_free(clientssl); 6175 SSL_CTX_free(sctx); 6176 SSL_CTX_free(cctx); 6177 6178 return testresult; 6179} 6180#endif 6181 6182/* 6183 * Test that SSL_export_keying_material() produces expected results. There are 6184 * no test vectors so all we do is test that both sides of the communication 6185 * produce the same results for different protocol versions. 6186 */ 6187#define SMALL_LABEL_LEN 10 6188#define LONG_LABEL_LEN 249 6189static int test_export_key_mat(int tst) 6190{ 6191 int testresult = 0; 6192 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL; 6193 SSL *clientssl = NULL, *serverssl = NULL; 6194 const char label[LONG_LABEL_LEN + 1] = "test label"; 6195 const unsigned char context[] = "context"; 6196 const unsigned char *emptycontext = NULL; 6197 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80]; 6198 unsigned char skeymat1[80], skeymat2[80], skeymat3[80]; 6199 size_t labellen; 6200 const int protocols[] = { 6201 TLS1_VERSION, 6202 TLS1_1_VERSION, 6203 TLS1_2_VERSION, 6204 TLS1_3_VERSION, 6205 TLS1_3_VERSION, 6206 TLS1_3_VERSION 6207 }; 6208 6209#ifdef OPENSSL_NO_TLS1 6210 if (tst == 0) 6211 return 1; 6212#endif 6213#ifdef OPENSSL_NO_TLS1_1 6214 if (tst == 1) 6215 return 1; 6216#endif 6217 if (is_fips && (tst == 0 || tst == 1)) 6218 return 1; 6219#ifdef OPENSSL_NO_TLS1_2 6220 if (tst == 2) 6221 return 1; 6222#endif 6223#ifdef OSSL_NO_USABLE_TLS1_3 6224 if (tst >= 3) 6225 return 1; 6226#endif 6227 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 6228 TLS_client_method(), TLS1_VERSION, 0, 6229 &sctx, &cctx, cert, privkey))) 6230 goto end; 6231 6232 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols)); 6233 SSL_CTX_set_max_proto_version(cctx, protocols[tst]); 6234 SSL_CTX_set_min_proto_version(cctx, protocols[tst]); 6235 if ((protocols[tst] < TLS1_2_VERSION) && 6236 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0") 6237 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))) 6238 goto end; 6239 6240 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, 6241 NULL))) 6242 goto end; 6243 6244 /* 6245 * Premature call of SSL_export_keying_material should just fail. 6246 */ 6247 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1, 6248 sizeof(ckeymat1), label, 6249 SMALL_LABEL_LEN + 1, context, 6250 sizeof(context) - 1, 1), 0)) 6251 goto end; 6252 6253 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 6254 SSL_ERROR_NONE))) 6255 goto end; 6256 6257 if (tst == 5) { 6258 /* 6259 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we 6260 * go over that. 6261 */ 6262 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1, 6263 sizeof(ckeymat1), label, 6264 LONG_LABEL_LEN + 1, context, 6265 sizeof(context) - 1, 1), 0)) 6266 goto end; 6267 6268 testresult = 1; 6269 goto end; 6270 } else if (tst == 4) { 6271 labellen = LONG_LABEL_LEN; 6272 } else { 6273 labellen = SMALL_LABEL_LEN; 6274 } 6275 6276 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1, 6277 sizeof(ckeymat1), label, 6278 labellen, context, 6279 sizeof(context) - 1, 1), 1) 6280 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2, 6281 sizeof(ckeymat2), label, 6282 labellen, 6283 emptycontext, 6284 0, 1), 1) 6285 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3, 6286 sizeof(ckeymat3), label, 6287 labellen, 6288 NULL, 0, 0), 1) 6289 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1, 6290 sizeof(skeymat1), label, 6291 labellen, 6292 context, 6293 sizeof(context) -1, 1), 6294 1) 6295 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2, 6296 sizeof(skeymat2), label, 6297 labellen, 6298 emptycontext, 6299 0, 1), 1) 6300 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3, 6301 sizeof(skeymat3), label, 6302 labellen, 6303 NULL, 0, 0), 1) 6304 /* 6305 * Check that both sides created the same key material with the 6306 * same context. 6307 */ 6308 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1, 6309 sizeof(skeymat1)) 6310 /* 6311 * Check that both sides created the same key material with an 6312 * empty context. 6313 */ 6314 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2, 6315 sizeof(skeymat2)) 6316 /* 6317 * Check that both sides created the same key material without a 6318 * context. 6319 */ 6320 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3, 6321 sizeof(skeymat3)) 6322 /* Different contexts should produce different results */ 6323 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2, 6324 sizeof(ckeymat2))) 6325 goto end; 6326 6327 /* 6328 * Check that an empty context and no context produce different results in 6329 * protocols less than TLSv1.3. In TLSv1.3 they should be the same. 6330 */ 6331 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3, 6332 sizeof(ckeymat3))) 6333 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3, 6334 sizeof(ckeymat3)))) 6335 goto end; 6336 6337 testresult = 1; 6338 6339 end: 6340 SSL_free(serverssl); 6341 SSL_free(clientssl); 6342 SSL_CTX_free(sctx2); 6343 SSL_CTX_free(sctx); 6344 SSL_CTX_free(cctx); 6345 6346 return testresult; 6347} 6348 6349#ifndef OSSL_NO_USABLE_TLS1_3 6350/* 6351 * Test that SSL_export_keying_material_early() produces expected 6352 * results. There are no test vectors so all we do is test that both 6353 * sides of the communication produce the same results for different 6354 * protocol versions. 6355 */ 6356static int test_export_key_mat_early(int idx) 6357{ 6358 static const char label[] = "test label"; 6359 static const unsigned char context[] = "context"; 6360 int testresult = 0; 6361 SSL_CTX *cctx = NULL, *sctx = NULL; 6362 SSL *clientssl = NULL, *serverssl = NULL; 6363 SSL_SESSION *sess = NULL; 6364 const unsigned char *emptycontext = NULL; 6365 unsigned char ckeymat1[80], ckeymat2[80]; 6366 unsigned char skeymat1[80], skeymat2[80]; 6367 unsigned char buf[1]; 6368 size_t readbytes, written; 6369 6370 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl, 6371 &sess, idx, SHA384_DIGEST_LENGTH))) 6372 goto end; 6373 6374 /* Here writing 0 length early data is enough. */ 6375 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written)) 6376 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 6377 &readbytes), 6378 SSL_READ_EARLY_DATA_ERROR) 6379 || !TEST_int_eq(SSL_get_early_data_status(serverssl), 6380 SSL_EARLY_DATA_ACCEPTED)) 6381 goto end; 6382 6383 if (!TEST_int_eq(SSL_export_keying_material_early( 6384 clientssl, ckeymat1, sizeof(ckeymat1), label, 6385 sizeof(label) - 1, context, sizeof(context) - 1), 1) 6386 || !TEST_int_eq(SSL_export_keying_material_early( 6387 clientssl, ckeymat2, sizeof(ckeymat2), label, 6388 sizeof(label) - 1, emptycontext, 0), 1) 6389 || !TEST_int_eq(SSL_export_keying_material_early( 6390 serverssl, skeymat1, sizeof(skeymat1), label, 6391 sizeof(label) - 1, context, sizeof(context) - 1), 1) 6392 || !TEST_int_eq(SSL_export_keying_material_early( 6393 serverssl, skeymat2, sizeof(skeymat2), label, 6394 sizeof(label) - 1, emptycontext, 0), 1) 6395 /* 6396 * Check that both sides created the same key material with the 6397 * same context. 6398 */ 6399 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1, 6400 sizeof(skeymat1)) 6401 /* 6402 * Check that both sides created the same key material with an 6403 * empty context. 6404 */ 6405 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2, 6406 sizeof(skeymat2)) 6407 /* Different contexts should produce different results */ 6408 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2, 6409 sizeof(ckeymat2))) 6410 goto end; 6411 6412 testresult = 1; 6413 6414 end: 6415 SSL_SESSION_free(sess); 6416 SSL_SESSION_free(clientpsk); 6417 SSL_SESSION_free(serverpsk); 6418 clientpsk = serverpsk = NULL; 6419 SSL_free(serverssl); 6420 SSL_free(clientssl); 6421 SSL_CTX_free(sctx); 6422 SSL_CTX_free(cctx); 6423 6424 return testresult; 6425} 6426 6427#define NUM_KEY_UPDATE_MESSAGES 40 6428/* 6429 * Test KeyUpdate. 6430 */ 6431static int test_key_update(void) 6432{ 6433 SSL_CTX *cctx = NULL, *sctx = NULL; 6434 SSL *clientssl = NULL, *serverssl = NULL; 6435 int testresult = 0, i, j; 6436 char buf[20]; 6437 static char *mess = "A test message"; 6438 6439 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 6440 TLS_client_method(), 6441 TLS1_3_VERSION, 6442 0, 6443 &sctx, &cctx, cert, privkey)) 6444 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 6445 NULL, NULL)) 6446 || !TEST_true(create_ssl_connection(serverssl, clientssl, 6447 SSL_ERROR_NONE))) 6448 goto end; 6449 6450 for (j = 0; j < 2; j++) { 6451 /* Send lots of KeyUpdate messages */ 6452 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) { 6453 if (!TEST_true(SSL_key_update(clientssl, 6454 (j == 0) 6455 ? SSL_KEY_UPDATE_NOT_REQUESTED 6456 : SSL_KEY_UPDATE_REQUESTED)) 6457 || !TEST_true(SSL_do_handshake(clientssl))) 6458 goto end; 6459 } 6460 6461 /* Check that sending and receiving app data is ok */ 6462 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess)) 6463 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)), 6464 strlen(mess))) 6465 goto end; 6466 6467 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess)) 6468 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)), 6469 strlen(mess))) 6470 goto end; 6471 } 6472 6473 testresult = 1; 6474 6475 end: 6476 SSL_free(serverssl); 6477 SSL_free(clientssl); 6478 SSL_CTX_free(sctx); 6479 SSL_CTX_free(cctx); 6480 6481 return testresult; 6482} 6483 6484/* 6485 * Test we can handle a KeyUpdate (update requested) message while 6486 * write data is pending in peer. 6487 * Test 0: Client sends KeyUpdate while Server is writing 6488 * Test 1: Server sends KeyUpdate while Client is writing 6489 */ 6490static int test_key_update_peer_in_write(int tst) 6491{ 6492 SSL_CTX *cctx = NULL, *sctx = NULL; 6493 SSL *clientssl = NULL, *serverssl = NULL; 6494 int testresult = 0; 6495 char buf[20]; 6496 static char *mess = "A test message"; 6497 BIO *bretry = BIO_new(bio_s_always_retry()); 6498 BIO *tmp = NULL; 6499 SSL *peerupdate = NULL, *peerwrite = NULL; 6500 6501 if (!TEST_ptr(bretry) 6502 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 6503 TLS_client_method(), 6504 TLS1_3_VERSION, 6505 0, 6506 &sctx, &cctx, cert, privkey)) 6507 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 6508 NULL, NULL)) 6509 || !TEST_true(create_ssl_connection(serverssl, clientssl, 6510 SSL_ERROR_NONE))) 6511 goto end; 6512 6513 peerupdate = tst == 0 ? clientssl : serverssl; 6514 peerwrite = tst == 0 ? serverssl : clientssl; 6515 6516 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED)) 6517 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1)) 6518 goto end; 6519 6520 /* Swap the writing endpoint's write BIO to force a retry */ 6521 tmp = SSL_get_wbio(peerwrite); 6522 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) { 6523 tmp = NULL; 6524 goto end; 6525 } 6526 SSL_set0_wbio(peerwrite, bretry); 6527 bretry = NULL; 6528 6529 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */ 6530 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1) 6531 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE)) 6532 goto end; 6533 6534 /* Reinstate the original writing endpoint's write BIO */ 6535 SSL_set0_wbio(peerwrite, tmp); 6536 tmp = NULL; 6537 6538 /* Now read some data - we will read the key update */ 6539 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1) 6540 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ)) 6541 goto end; 6542 6543 /* 6544 * Complete the write we started previously and read it from the other 6545 * endpoint 6546 */ 6547 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess)) 6548 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess))) 6549 goto end; 6550 6551 /* Write more data to ensure we send the KeyUpdate message back */ 6552 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess)) 6553 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess))) 6554 goto end; 6555 6556 testresult = 1; 6557 6558 end: 6559 SSL_free(serverssl); 6560 SSL_free(clientssl); 6561 SSL_CTX_free(sctx); 6562 SSL_CTX_free(cctx); 6563 BIO_free(bretry); 6564 BIO_free(tmp); 6565 6566 return testresult; 6567} 6568 6569/* 6570 * Test we can handle a KeyUpdate (update requested) message while 6571 * peer read data is pending after peer accepted keyupdate(the msg header 6572 * had been read 5 bytes). 6573 * Test 0: Client sends KeyUpdate while Server is reading 6574 * Test 1: Server sends KeyUpdate while Client is reading 6575 */ 6576static int test_key_update_peer_in_read(int tst) 6577{ 6578 SSL_CTX *cctx = NULL, *sctx = NULL; 6579 SSL *clientssl = NULL, *serverssl = NULL; 6580 int testresult = 0; 6581 char prbuf[515], lwbuf[515] = {0}; 6582 static char *mess = "A test message"; 6583 BIO *lbio = NULL, *pbio = NULL; 6584 SSL *local = NULL, *peer = NULL; 6585 6586 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 6587 TLS_client_method(), 6588 TLS1_3_VERSION, 6589 0, 6590 &sctx, &cctx, cert, privkey)) 6591 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 6592 NULL, NULL)) 6593 || !TEST_true(create_ssl_connection(serverssl, clientssl, 6594 SSL_ERROR_NONE))) 6595 goto end; 6596 6597 local = tst == 0 ? clientssl : serverssl; 6598 peer = tst == 0 ? serverssl : clientssl; 6599 6600 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1)) 6601 goto end; 6602 6603 SSL_set_bio(local, lbio, lbio); 6604 SSL_set_bio(peer, pbio, pbio); 6605 6606 /* 6607 * we first write keyupdate msg then appdata in local 6608 * write data in local will fail with SSL_ERROR_WANT_WRITE,because 6609 * lwbuf app data msg size + key updata msg size > 512(the size of 6610 * the bio pair buffer) 6611 */ 6612 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED)) 6613 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1) 6614 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE)) 6615 goto end; 6616 6617 /* 6618 * first read keyupdate msg in peer in peer 6619 * then read appdata that we know will fail with SSL_ERROR_WANT_READ 6620 */ 6621 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1) 6622 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ)) 6623 goto end; 6624 6625 /* Now write some data in peer - we will write the key update */ 6626 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))) 6627 goto end; 6628 6629 /* 6630 * write data in local previously that we will complete 6631 * read data in peer previously that we will complete 6632 */ 6633 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf)) 6634 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf))) 6635 goto end; 6636 6637 /* check that sending and receiving appdata ok */ 6638 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)) 6639 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess))) 6640 goto end; 6641 6642 testresult = 1; 6643 6644 end: 6645 SSL_free(serverssl); 6646 SSL_free(clientssl); 6647 SSL_CTX_free(sctx); 6648 SSL_CTX_free(cctx); 6649 6650 return testresult; 6651} 6652 6653/* 6654 * Test we can't send a KeyUpdate (update requested) message while 6655 * local write data is pending. 6656 * Test 0: Client sends KeyUpdate while Client is writing 6657 * Test 1: Server sends KeyUpdate while Server is writing 6658 */ 6659static int test_key_update_local_in_write(int tst) 6660{ 6661 SSL_CTX *cctx = NULL, *sctx = NULL; 6662 SSL *clientssl = NULL, *serverssl = NULL; 6663 int testresult = 0; 6664 char buf[20]; 6665 static char *mess = "A test message"; 6666 BIO *bretry = BIO_new(bio_s_always_retry()); 6667 BIO *tmp = NULL; 6668 SSL *local = NULL, *peer = NULL; 6669 6670 if (!TEST_ptr(bretry) 6671 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 6672 TLS_client_method(), 6673 TLS1_3_VERSION, 6674 0, 6675 &sctx, &cctx, cert, privkey)) 6676 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 6677 NULL, NULL)) 6678 || !TEST_true(create_ssl_connection(serverssl, clientssl, 6679 SSL_ERROR_NONE))) 6680 goto end; 6681 6682 local = tst == 0 ? clientssl : serverssl; 6683 peer = tst == 0 ? serverssl : clientssl; 6684 6685 /* Swap the writing endpoint's write BIO to force a retry */ 6686 tmp = SSL_get_wbio(local); 6687 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) { 6688 tmp = NULL; 6689 goto end; 6690 } 6691 SSL_set0_wbio(local, bretry); 6692 bretry = NULL; 6693 6694 /* write data in local will fail with SSL_ERROR_WANT_WRITE */ 6695 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1) 6696 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE)) 6697 goto end; 6698 6699 /* Reinstate the original writing endpoint's write BIO */ 6700 SSL_set0_wbio(local, tmp); 6701 tmp = NULL; 6702 6703 /* SSL_key_update will fail, because writing in local*/ 6704 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED)) 6705 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY)) 6706 goto end; 6707 6708 ERR_clear_error(); 6709 /* write data in local previously that we will complete */ 6710 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))) 6711 goto end; 6712 6713 /* SSL_key_update will succeed because there is no pending write data */ 6714 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED)) 6715 || !TEST_int_eq(SSL_do_handshake(local), 1)) 6716 goto end; 6717 6718 /* 6719 * we write some appdata in local 6720 * read data in peer - we will read the keyupdate msg 6721 */ 6722 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)) 6723 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess))) 6724 goto end; 6725 6726 /* Write more peer more data to ensure we send the keyupdate message back */ 6727 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)) 6728 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess))) 6729 goto end; 6730 6731 testresult = 1; 6732 6733 end: 6734 SSL_free(serverssl); 6735 SSL_free(clientssl); 6736 SSL_CTX_free(sctx); 6737 SSL_CTX_free(cctx); 6738 BIO_free(bretry); 6739 BIO_free(tmp); 6740 6741 return testresult; 6742} 6743 6744/* 6745 * Test we can handle a KeyUpdate (update requested) message while 6746 * local read data is pending(the msg header had been read 5 bytes). 6747 * Test 0: Client sends KeyUpdate while Client is reading 6748 * Test 1: Server sends KeyUpdate while Server is reading 6749 */ 6750static int test_key_update_local_in_read(int tst) 6751{ 6752 SSL_CTX *cctx = NULL, *sctx = NULL; 6753 SSL *clientssl = NULL, *serverssl = NULL; 6754 int testresult = 0; 6755 char lrbuf[515], pwbuf[515] = {0}, prbuf[20]; 6756 static char *mess = "A test message"; 6757 BIO *lbio = NULL, *pbio = NULL; 6758 SSL *local = NULL, *peer = NULL; 6759 6760 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 6761 TLS_client_method(), 6762 TLS1_3_VERSION, 6763 0, 6764 &sctx, &cctx, cert, privkey)) 6765 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 6766 NULL, NULL)) 6767 || !TEST_true(create_ssl_connection(serverssl, clientssl, 6768 SSL_ERROR_NONE))) 6769 goto end; 6770 6771 local = tst == 0 ? clientssl : serverssl; 6772 peer = tst == 0 ? serverssl : clientssl; 6773 6774 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1)) 6775 goto end; 6776 6777 SSL_set_bio(local, lbio, lbio); 6778 SSL_set_bio(peer, pbio, pbio); 6779 6780 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */ 6781 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1) 6782 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE)) 6783 goto end; 6784 6785 /* read appdata in local will fail with SSL_ERROR_WANT_READ */ 6786 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1) 6787 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ)) 6788 goto end; 6789 6790 /* SSL_do_handshake will send keyupdate msg */ 6791 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED)) 6792 || !TEST_int_eq(SSL_do_handshake(local), 1)) 6793 goto end; 6794 6795 /* 6796 * write data in peer previously that we will complete 6797 * read data in local previously that we will complete 6798 */ 6799 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf)) 6800 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf))) 6801 goto end; 6802 6803 /* 6804 * write data in local 6805 * read data in peer - we will read the key update 6806 */ 6807 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)) 6808 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess))) 6809 goto end; 6810 6811 /* Write more peer data to ensure we send the keyupdate message back */ 6812 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)) 6813 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess))) 6814 goto end; 6815 6816 testresult = 1; 6817 6818 end: 6819 SSL_free(serverssl); 6820 SSL_free(clientssl); 6821 SSL_CTX_free(sctx); 6822 SSL_CTX_free(cctx); 6823 6824 return testresult; 6825} 6826#endif /* OSSL_NO_USABLE_TLS1_3 */ 6827 6828static int test_ssl_clear(int idx) 6829{ 6830 SSL_CTX *cctx = NULL, *sctx = NULL; 6831 SSL *clientssl = NULL, *serverssl = NULL; 6832 int testresult = 0; 6833 6834#ifdef OPENSSL_NO_TLS1_2 6835 if (idx == 1) 6836 return 1; 6837#endif 6838 6839 /* Create an initial connection */ 6840 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 6841 TLS_client_method(), TLS1_VERSION, 0, 6842 &sctx, &cctx, cert, privkey)) 6843 || (idx == 1 6844 && !TEST_true(SSL_CTX_set_max_proto_version(cctx, 6845 TLS1_2_VERSION))) 6846 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 6847 &clientssl, NULL, NULL)) 6848 || !TEST_true(create_ssl_connection(serverssl, clientssl, 6849 SSL_ERROR_NONE))) 6850 goto end; 6851 6852 SSL_shutdown(clientssl); 6853 SSL_shutdown(serverssl); 6854 SSL_free(serverssl); 6855 serverssl = NULL; 6856 6857 /* Clear clientssl - we're going to reuse the object */ 6858 if (!TEST_true(SSL_clear(clientssl))) 6859 goto end; 6860 6861 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 6862 NULL, NULL)) 6863 || !TEST_true(create_ssl_connection(serverssl, clientssl, 6864 SSL_ERROR_NONE)) 6865 || !TEST_true(SSL_session_reused(clientssl))) 6866 goto end; 6867 6868 SSL_shutdown(clientssl); 6869 SSL_shutdown(serverssl); 6870 6871 testresult = 1; 6872 6873 end: 6874 SSL_free(serverssl); 6875 SSL_free(clientssl); 6876 SSL_CTX_free(sctx); 6877 SSL_CTX_free(cctx); 6878 6879 return testresult; 6880} 6881 6882/* Parse CH and retrieve any MFL extension value if present */ 6883static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code) 6884{ 6885 long len; 6886 unsigned char *data; 6887 PACKET pkt, pkt2, pkt3; 6888 unsigned int MFL_code = 0, type = 0; 6889 6890 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) ) 6891 goto end; 6892 6893 memset(&pkt, 0, sizeof(pkt)); 6894 memset(&pkt2, 0, sizeof(pkt2)); 6895 memset(&pkt3, 0, sizeof(pkt3)); 6896 6897 if (!TEST_long_gt(len, 0) 6898 || !TEST_true( PACKET_buf_init( &pkt, data, len ) ) 6899 /* Skip the record header */ 6900 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH) 6901 /* Skip the handshake message header */ 6902 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH)) 6903 /* Skip client version and random */ 6904 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN 6905 + SSL3_RANDOM_SIZE)) 6906 /* Skip session id */ 6907 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2)) 6908 /* Skip ciphers */ 6909 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2)) 6910 /* Skip compression */ 6911 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2)) 6912 /* Extensions len */ 6913 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2))) 6914 goto end; 6915 6916 /* Loop through all extensions */ 6917 while (PACKET_remaining(&pkt2)) { 6918 if (!TEST_true(PACKET_get_net_2(&pkt2, &type)) 6919 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3))) 6920 goto end; 6921 6922 if (type == TLSEXT_TYPE_max_fragment_length) { 6923 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0) 6924 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code))) 6925 goto end; 6926 6927 *mfl_codemfl_code = MFL_code; 6928 return 1; 6929 } 6930 } 6931 6932 end: 6933 return 0; 6934} 6935 6936/* Maximum-Fragment-Length TLS extension mode to test */ 6937static const unsigned char max_fragment_len_test[] = { 6938 TLSEXT_max_fragment_length_512, 6939 TLSEXT_max_fragment_length_1024, 6940 TLSEXT_max_fragment_length_2048, 6941 TLSEXT_max_fragment_length_4096 6942}; 6943 6944static int test_max_fragment_len_ext(int idx_tst) 6945{ 6946 SSL_CTX *ctx = NULL; 6947 SSL *con = NULL; 6948 int testresult = 0, MFL_mode = 0; 6949 BIO *rbio, *wbio; 6950 6951 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(), 6952 TLS1_VERSION, 0, NULL, &ctx, NULL, 6953 NULL))) 6954 return 0; 6955 6956 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length( 6957 ctx, max_fragment_len_test[idx_tst]))) 6958 goto end; 6959 6960 con = SSL_new(ctx); 6961 if (!TEST_ptr(con)) 6962 goto end; 6963 6964 rbio = BIO_new(BIO_s_mem()); 6965 wbio = BIO_new(BIO_s_mem()); 6966 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) { 6967 BIO_free(rbio); 6968 BIO_free(wbio); 6969 goto end; 6970 } 6971 6972 SSL_set_bio(con, rbio, wbio); 6973 6974 if (!TEST_int_le(SSL_connect(con), 0)) { 6975 /* This shouldn't succeed because we don't have a server! */ 6976 goto end; 6977 } 6978 6979 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode))) 6980 /* no MFL in client hello */ 6981 goto end; 6982 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode)) 6983 goto end; 6984 6985 testresult = 1; 6986 6987end: 6988 SSL_free(con); 6989 SSL_CTX_free(ctx); 6990 6991 return testresult; 6992} 6993 6994#ifndef OSSL_NO_USABLE_TLS1_3 6995static int test_pha_key_update(void) 6996{ 6997 SSL_CTX *cctx = NULL, *sctx = NULL; 6998 SSL *clientssl = NULL, *serverssl = NULL; 6999 int testresult = 0; 7000 7001 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 7002 TLS_client_method(), TLS1_VERSION, 0, 7003 &sctx, &cctx, cert, privkey))) 7004 return 0; 7005 7006 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION)) 7007 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION)) 7008 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION)) 7009 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION))) 7010 goto end; 7011 7012 SSL_CTX_set_post_handshake_auth(cctx, 1); 7013 7014 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 7015 NULL, NULL))) 7016 goto end; 7017 7018 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 7019 SSL_ERROR_NONE))) 7020 goto end; 7021 7022 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL); 7023 if (!TEST_true(SSL_verify_client_post_handshake(serverssl))) 7024 goto end; 7025 7026 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED))) 7027 goto end; 7028 7029 /* Start handshake on the server */ 7030 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1)) 7031 goto end; 7032 7033 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */ 7034 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 7035 SSL_ERROR_NONE))) 7036 goto end; 7037 7038 SSL_shutdown(clientssl); 7039 SSL_shutdown(serverssl); 7040 7041 testresult = 1; 7042 7043 end: 7044 SSL_free(serverssl); 7045 SSL_free(clientssl); 7046 SSL_CTX_free(sctx); 7047 SSL_CTX_free(cctx); 7048 return testresult; 7049} 7050#endif 7051 7052#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2) 7053 7054static SRP_VBASE *vbase = NULL; 7055 7056static int ssl_srp_cb(SSL *s, int *ad, void *arg) 7057{ 7058 int ret = SSL3_AL_FATAL; 7059 char *username; 7060 SRP_user_pwd *user = NULL; 7061 7062 username = SSL_get_srp_username(s); 7063 if (username == NULL) { 7064 *ad = SSL_AD_INTERNAL_ERROR; 7065 goto err; 7066 } 7067 7068 user = SRP_VBASE_get1_by_user(vbase, username); 7069 if (user == NULL) { 7070 *ad = SSL_AD_INTERNAL_ERROR; 7071 goto err; 7072 } 7073 7074 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v, 7075 user->info) <= 0) { 7076 *ad = SSL_AD_INTERNAL_ERROR; 7077 goto err; 7078 } 7079 7080 ret = 0; 7081 7082 err: 7083 SRP_user_pwd_free(user); 7084 return ret; 7085} 7086 7087static int create_new_vfile(char *userid, char *password, const char *filename) 7088{ 7089 char *gNid = NULL; 7090 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1)); 7091 TXT_DB *db = NULL; 7092 int ret = 0; 7093 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0); 7094 size_t i; 7095 7096 if (!TEST_ptr(dummy) || !TEST_ptr(row)) 7097 goto end; 7098 7099 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt], 7100 &row[DB_srpverifier], NULL, NULL, libctx, NULL); 7101 if (!TEST_ptr(gNid)) 7102 goto end; 7103 7104 /* 7105 * The only way to create an empty TXT_DB is to provide a BIO with no data 7106 * in it! 7107 */ 7108 db = TXT_DB_read(dummy, DB_NUMBER); 7109 if (!TEST_ptr(db)) 7110 goto end; 7111 7112 out = BIO_new_file(filename, "w"); 7113 if (!TEST_ptr(out)) 7114 goto end; 7115 7116 row[DB_srpid] = OPENSSL_strdup(userid); 7117 row[DB_srptype] = OPENSSL_strdup("V"); 7118 row[DB_srpgN] = OPENSSL_strdup(gNid); 7119 7120 if (!TEST_ptr(row[DB_srpid]) 7121 || !TEST_ptr(row[DB_srptype]) 7122 || !TEST_ptr(row[DB_srpgN]) 7123 || !TEST_true(TXT_DB_insert(db, row))) 7124 goto end; 7125 7126 row = NULL; 7127 7128 if (TXT_DB_write(out, db) <= 0) 7129 goto end; 7130 7131 ret = 1; 7132 end: 7133 if (row != NULL) { 7134 for (i = 0; i < DB_NUMBER; i++) 7135 OPENSSL_free(row[i]); 7136 } 7137 OPENSSL_free(row); 7138 BIO_free(dummy); 7139 BIO_free(out); 7140 TXT_DB_free(db); 7141 7142 return ret; 7143} 7144 7145static int create_new_vbase(char *userid, char *password) 7146{ 7147 BIGNUM *verifier = NULL, *salt = NULL; 7148 const SRP_gN *lgN = NULL; 7149 SRP_user_pwd *user_pwd = NULL; 7150 int ret = 0; 7151 7152 lgN = SRP_get_default_gN(NULL); 7153 if (!TEST_ptr(lgN)) 7154 goto end; 7155 7156 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier, 7157 lgN->N, lgN->g, libctx, NULL))) 7158 goto end; 7159 7160 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd)); 7161 if (!TEST_ptr(user_pwd)) 7162 goto end; 7163 7164 user_pwd->N = lgN->N; 7165 user_pwd->g = lgN->g; 7166 user_pwd->id = OPENSSL_strdup(userid); 7167 if (!TEST_ptr(user_pwd->id)) 7168 goto end; 7169 7170 user_pwd->v = verifier; 7171 user_pwd->s = salt; 7172 verifier = salt = NULL; 7173 7174 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0) 7175 goto end; 7176 user_pwd = NULL; 7177 7178 ret = 1; 7179end: 7180 SRP_user_pwd_free(user_pwd); 7181 BN_free(salt); 7182 BN_free(verifier); 7183 7184 return ret; 7185} 7186 7187/* 7188 * SRP tests 7189 * 7190 * Test 0: Simple successful SRP connection, new vbase 7191 * Test 1: Connection failure due to bad password, new vbase 7192 * Test 2: Simple successful SRP connection, vbase loaded from existing file 7193 * Test 3: Connection failure due to bad password, vbase loaded from existing 7194 * file 7195 * Test 4: Simple successful SRP connection, vbase loaded from new file 7196 * Test 5: Connection failure due to bad password, vbase loaded from new file 7197 */ 7198static int test_srp(int tst) 7199{ 7200 char *userid = "test", *password = "password", *tstsrpfile; 7201 SSL_CTX *cctx = NULL, *sctx = NULL; 7202 SSL *clientssl = NULL, *serverssl = NULL; 7203 int ret, testresult = 0; 7204 7205 vbase = SRP_VBASE_new(NULL); 7206 if (!TEST_ptr(vbase)) 7207 goto end; 7208 7209 if (tst == 0 || tst == 1) { 7210 if (!TEST_true(create_new_vbase(userid, password))) 7211 goto end; 7212 } else { 7213 if (tst == 4 || tst == 5) { 7214 if (!TEST_true(create_new_vfile(userid, password, tmpfilename))) 7215 goto end; 7216 tstsrpfile = tmpfilename; 7217 } else { 7218 tstsrpfile = srpvfile; 7219 } 7220 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR)) 7221 goto end; 7222 } 7223 7224 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 7225 TLS_client_method(), TLS1_VERSION, 0, 7226 &sctx, &cctx, cert, privkey))) 7227 goto end; 7228 7229 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0) 7230 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA")) 7231 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION)) 7232 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION)) 7233 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0)) 7234 goto end; 7235 7236 if (tst % 2 == 1) { 7237 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0)) 7238 goto end; 7239 } else { 7240 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0)) 7241 goto end; 7242 } 7243 7244 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 7245 NULL, NULL))) 7246 goto end; 7247 7248 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE); 7249 if (ret) { 7250 if (!TEST_true(tst % 2 == 0)) 7251 goto end; 7252 } else { 7253 if (!TEST_true(tst % 2 == 1)) 7254 goto end; 7255 } 7256 7257 testresult = 1; 7258 7259 end: 7260 SRP_VBASE_free(vbase); 7261 vbase = NULL; 7262 SSL_free(serverssl); 7263 SSL_free(clientssl); 7264 SSL_CTX_free(sctx); 7265 SSL_CTX_free(cctx); 7266 7267 return testresult; 7268} 7269#endif 7270 7271static int info_cb_failed = 0; 7272static int info_cb_offset = 0; 7273static int info_cb_this_state = -1; 7274 7275static struct info_cb_states_st { 7276 int where; 7277 const char *statestr; 7278} info_cb_states[][60] = { 7279 { 7280 /* TLSv1.2 server followed by resumption */ 7281 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"}, 7282 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"}, 7283 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"}, 7284 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"}, 7285 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"}, 7286 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"}, 7287 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, 7288 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL}, 7289 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, 7290 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"}, 7291 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"}, 7292 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL}, 7293 {SSL_CB_EXIT, NULL}, {0, NULL}, 7294 }, { 7295 /* TLSv1.2 client followed by resumption */ 7296 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"}, 7297 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"}, 7298 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"}, 7299 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"}, 7300 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, 7301 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, 7302 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL}, 7303 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"}, 7304 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"}, 7305 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, 7306 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"}, 7307 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL}, 7308 }, { 7309 /* TLSv1.3 server followed by resumption */ 7310 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"}, 7311 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"}, 7312 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"}, 7313 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"}, 7314 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"}, 7315 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"}, 7316 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL}, 7317 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"}, 7318 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"}, 7319 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"}, 7320 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, 7321 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL}, 7322 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL}, 7323 }, { 7324 /* TLSv1.3 client followed by resumption */ 7325 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"}, 7326 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"}, 7327 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"}, 7328 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, 7329 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL}, 7330 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, 7331 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, 7332 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, 7333 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL}, 7334 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, 7335 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, 7336 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"}, 7337 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, 7338 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, 7339 {SSL_CB_EXIT, NULL}, {0, NULL}, 7340 }, { 7341 /* TLSv1.3 server, early_data */ 7342 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"}, 7343 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"}, 7344 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"}, 7345 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, 7346 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"}, 7347 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"}, 7348 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"}, 7349 {SSL_CB_EXIT, NULL}, {0, NULL}, 7350 }, { 7351 /* TLSv1.3 client, early_data */ 7352 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"}, 7353 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"}, 7354 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, 7355 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"}, 7356 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, 7357 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"}, 7358 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL}, 7359 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, 7360 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL}, 7361 }, { 7362 {0, NULL}, 7363 } 7364}; 7365 7366static void sslapi_info_callback(const SSL *s, int where, int ret) 7367{ 7368 struct info_cb_states_st *state = info_cb_states[info_cb_offset]; 7369 7370 /* We do not ever expect a connection to fail in this test */ 7371 if (!TEST_false(ret == 0)) { 7372 info_cb_failed = 1; 7373 return; 7374 } 7375 7376 /* 7377 * Do some sanity checks. We never expect these things to happen in this 7378 * test 7379 */ 7380 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0)) 7381 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0) 7382 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) { 7383 info_cb_failed = 1; 7384 return; 7385 } 7386 7387 /* Now check we're in the right state */ 7388 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) { 7389 info_cb_failed = 1; 7390 return; 7391 } 7392 if ((where & SSL_CB_LOOP) != 0 7393 && !TEST_int_eq(strcmp(SSL_state_string(s), 7394 state[info_cb_this_state].statestr), 0)) { 7395 info_cb_failed = 1; 7396 return; 7397 } 7398 7399 /* 7400 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init 7401 */ 7402 if ((where & SSL_CB_HANDSHAKE_DONE) 7403 && SSL_in_init((SSL *)s) != 0) { 7404 info_cb_failed = 1; 7405 return; 7406 } 7407} 7408 7409/* 7410 * Test the info callback gets called when we expect it to. 7411 * 7412 * Test 0: TLSv1.2, server 7413 * Test 1: TLSv1.2, client 7414 * Test 2: TLSv1.3, server 7415 * Test 3: TLSv1.3, client 7416 * Test 4: TLSv1.3, server, early_data 7417 * Test 5: TLSv1.3, client, early_data 7418 */ 7419static int test_info_callback(int tst) 7420{ 7421 SSL_CTX *cctx = NULL, *sctx = NULL; 7422 SSL *clientssl = NULL, *serverssl = NULL; 7423 SSL_SESSION *clntsess = NULL; 7424 int testresult = 0; 7425 int tlsvers; 7426 7427 if (tst < 2) { 7428/* We need either ECDHE or DHE for the TLSv1.2 test to work */ 7429#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \ 7430 || !defined(OPENSSL_NO_DH)) 7431 tlsvers = TLS1_2_VERSION; 7432#else 7433 return 1; 7434#endif 7435 } else { 7436#ifndef OSSL_NO_USABLE_TLS1_3 7437 tlsvers = TLS1_3_VERSION; 7438#else 7439 return 1; 7440#endif 7441 } 7442 7443 /* Reset globals */ 7444 info_cb_failed = 0; 7445 info_cb_this_state = -1; 7446 info_cb_offset = tst; 7447 7448#ifndef OSSL_NO_USABLE_TLS1_3 7449 if (tst >= 4) { 7450 SSL_SESSION *sess = NULL; 7451 size_t written, readbytes; 7452 unsigned char buf[80]; 7453 7454 /* early_data tests */ 7455 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, 7456 &serverssl, &sess, 0, 7457 SHA384_DIGEST_LENGTH))) 7458 goto end; 7459 7460 /* We don't actually need this reference */ 7461 SSL_SESSION_free(sess); 7462 7463 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl, 7464 sslapi_info_callback); 7465 7466 /* Write and read some early data and then complete the connection */ 7467 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), 7468 &written)) 7469 || !TEST_size_t_eq(written, strlen(MSG1)) 7470 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, 7471 sizeof(buf), &readbytes), 7472 SSL_READ_EARLY_DATA_SUCCESS) 7473 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1)) 7474 || !TEST_int_eq(SSL_get_early_data_status(serverssl), 7475 SSL_EARLY_DATA_ACCEPTED) 7476 || !TEST_true(create_ssl_connection(serverssl, clientssl, 7477 SSL_ERROR_NONE)) 7478 || !TEST_false(info_cb_failed)) 7479 goto end; 7480 7481 testresult = 1; 7482 goto end; 7483 } 7484#endif 7485 7486 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 7487 TLS_client_method(), 7488 tlsvers, tlsvers, &sctx, &cctx, cert, 7489 privkey))) 7490 goto end; 7491 7492 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1))) 7493 goto end; 7494 7495 /* 7496 * For even numbered tests we check the server callbacks. For odd numbers we 7497 * check the client. 7498 */ 7499 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx, 7500 sslapi_info_callback); 7501 7502 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 7503 &clientssl, NULL, NULL)) 7504 || !TEST_true(create_ssl_connection(serverssl, clientssl, 7505 SSL_ERROR_NONE)) 7506 || !TEST_false(info_cb_failed)) 7507 goto end; 7508 7509 7510 7511 clntsess = SSL_get1_session(clientssl); 7512 SSL_shutdown(clientssl); 7513 SSL_shutdown(serverssl); 7514 SSL_free(serverssl); 7515 SSL_free(clientssl); 7516 serverssl = clientssl = NULL; 7517 7518 /* Now do a resumption */ 7519 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, 7520 NULL)) 7521 || !TEST_true(SSL_set_session(clientssl, clntsess)) 7522 || !TEST_true(create_ssl_connection(serverssl, clientssl, 7523 SSL_ERROR_NONE)) 7524 || !TEST_true(SSL_session_reused(clientssl)) 7525 || !TEST_false(info_cb_failed)) 7526 goto end; 7527 7528 testresult = 1; 7529 7530 end: 7531 SSL_free(serverssl); 7532 SSL_free(clientssl); 7533 SSL_SESSION_free(clntsess); 7534 SSL_CTX_free(sctx); 7535 SSL_CTX_free(cctx); 7536 return testresult; 7537} 7538 7539static int test_ssl_pending(int tst) 7540{ 7541 SSL_CTX *cctx = NULL, *sctx = NULL; 7542 SSL *clientssl = NULL, *serverssl = NULL; 7543 int testresult = 0; 7544 char msg[] = "A test message"; 7545 char buf[5]; 7546 size_t written, readbytes; 7547 7548 if (tst == 0) { 7549 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 7550 TLS_client_method(), 7551 TLS1_VERSION, 0, 7552 &sctx, &cctx, cert, privkey))) 7553 goto end; 7554 } else { 7555#ifndef OPENSSL_NO_DTLS 7556 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(), 7557 DTLS_client_method(), 7558 DTLS1_VERSION, 0, 7559 &sctx, &cctx, cert, privkey))) 7560 goto end; 7561 7562# ifdef OPENSSL_NO_DTLS1_2 7563 /* Not supported in the FIPS provider */ 7564 if (is_fips) { 7565 testresult = 1; 7566 goto end; 7567 }; 7568 /* 7569 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security 7570 * level 0 7571 */ 7572 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")) 7573 || !TEST_true(SSL_CTX_set_cipher_list(cctx, 7574 "DEFAULT:@SECLEVEL=0"))) 7575 goto end; 7576# endif 7577#else 7578 return 1; 7579#endif 7580 } 7581 7582 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 7583 NULL, NULL)) 7584 || !TEST_true(create_ssl_connection(serverssl, clientssl, 7585 SSL_ERROR_NONE))) 7586 goto end; 7587 7588 if (!TEST_int_eq(SSL_pending(clientssl), 0) 7589 || !TEST_false(SSL_has_pending(clientssl)) 7590 || !TEST_int_eq(SSL_pending(serverssl), 0) 7591 || !TEST_false(SSL_has_pending(serverssl)) 7592 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written)) 7593 || !TEST_size_t_eq(written, sizeof(msg)) 7594 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)) 7595 || !TEST_size_t_eq(readbytes, sizeof(buf)) 7596 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes)) 7597 || !TEST_true(SSL_has_pending(clientssl))) 7598 goto end; 7599 7600 testresult = 1; 7601 7602 end: 7603 SSL_free(serverssl); 7604 SSL_free(clientssl); 7605 SSL_CTX_free(sctx); 7606 SSL_CTX_free(cctx); 7607 7608 return testresult; 7609} 7610 7611static struct { 7612 unsigned int maxprot; 7613 const char *clntciphers; 7614 const char *clnttls13ciphers; 7615 const char *srvrciphers; 7616 const char *srvrtls13ciphers; 7617 const char *shared; 7618 const char *fipsshared; 7619} shared_ciphers_data[] = { 7620/* 7621 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if 7622 * TLSv1.3 is enabled but TLSv1.2 is disabled. 7623 */ 7624#if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) 7625 { 7626 TLS1_2_VERSION, 7627 "AES128-SHA:AES256-SHA", 7628 NULL, 7629 "AES256-SHA:DHE-RSA-AES128-SHA", 7630 NULL, 7631 "AES256-SHA", 7632 "AES256-SHA" 7633 }, 7634# if !defined(OPENSSL_NO_CHACHA) \ 7635 && !defined(OPENSSL_NO_POLY1305) \ 7636 && !defined(OPENSSL_NO_EC) 7637 { 7638 TLS1_2_VERSION, 7639 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305", 7640 NULL, 7641 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305", 7642 NULL, 7643 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305", 7644 "AES128-SHA" 7645 }, 7646# endif 7647 { 7648 TLS1_2_VERSION, 7649 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA", 7650 NULL, 7651 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA", 7652 NULL, 7653 "AES128-SHA:AES256-SHA", 7654 "AES128-SHA:AES256-SHA" 7655 }, 7656 { 7657 TLS1_2_VERSION, 7658 "AES128-SHA:AES256-SHA", 7659 NULL, 7660 "AES128-SHA:DHE-RSA-AES128-SHA", 7661 NULL, 7662 "AES128-SHA", 7663 "AES128-SHA" 7664 }, 7665#endif 7666/* 7667 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be 7668 * enabled. 7669 */ 7670#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \ 7671 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) 7672 { 7673 TLS1_3_VERSION, 7674 "AES128-SHA:AES256-SHA", 7675 NULL, 7676 "AES256-SHA:AES128-SHA256", 7677 NULL, 7678 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:" 7679 "TLS_AES_128_GCM_SHA256:AES256-SHA", 7680 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA" 7681 }, 7682#endif 7683#ifndef OSSL_NO_USABLE_TLS1_3 7684 { 7685 TLS1_3_VERSION, 7686 "AES128-SHA", 7687 "TLS_AES_256_GCM_SHA384", 7688 "AES256-SHA", 7689 "TLS_AES_256_GCM_SHA384", 7690 "TLS_AES_256_GCM_SHA384", 7691 "TLS_AES_256_GCM_SHA384" 7692 }, 7693#endif 7694}; 7695 7696static int int_test_ssl_get_shared_ciphers(int tst, int clnt) 7697{ 7698 SSL_CTX *cctx = NULL, *sctx = NULL; 7699 SSL *clientssl = NULL, *serverssl = NULL; 7700 int testresult = 0; 7701 char buf[1024]; 7702 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new(); 7703 7704 if (!TEST_ptr(tmplibctx)) 7705 goto end; 7706 7707 /* 7708 * Regardless of whether we're testing with the FIPS provider loaded into 7709 * libctx, we want one peer to always use the full set of ciphersuites 7710 * available. Therefore we use a separate libctx with the default provider 7711 * loaded into it. We run the same tests twice - once with the client side 7712 * having the full set of ciphersuites and once with the server side. 7713 */ 7714 if (clnt) { 7715 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method()); 7716 if (!TEST_ptr(cctx)) 7717 goto end; 7718 } else { 7719 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method()); 7720 if (!TEST_ptr(sctx)) 7721 goto end; 7722 } 7723 7724 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 7725 TLS_client_method(), 7726 TLS1_VERSION, 7727 shared_ciphers_data[tst].maxprot, 7728 &sctx, &cctx, cert, privkey))) 7729 goto end; 7730 7731 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, 7732 shared_ciphers_data[tst].clntciphers)) 7733 || (shared_ciphers_data[tst].clnttls13ciphers != NULL 7734 && !TEST_true(SSL_CTX_set_ciphersuites(cctx, 7735 shared_ciphers_data[tst].clnttls13ciphers))) 7736 || !TEST_true(SSL_CTX_set_cipher_list(sctx, 7737 shared_ciphers_data[tst].srvrciphers)) 7738 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL 7739 && !TEST_true(SSL_CTX_set_ciphersuites(sctx, 7740 shared_ciphers_data[tst].srvrtls13ciphers)))) 7741 goto end; 7742 7743 7744 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 7745 NULL, NULL)) 7746 || !TEST_true(create_ssl_connection(serverssl, clientssl, 7747 SSL_ERROR_NONE))) 7748 goto end; 7749 7750 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf))) 7751 || !TEST_int_eq(strcmp(buf, 7752 is_fips 7753 ? shared_ciphers_data[tst].fipsshared 7754 : shared_ciphers_data[tst].shared), 7755 0)) { 7756 TEST_info("Shared ciphers are: %s\n", buf); 7757 goto end; 7758 } 7759 7760 testresult = 1; 7761 7762 end: 7763 SSL_free(serverssl); 7764 SSL_free(clientssl); 7765 SSL_CTX_free(sctx); 7766 SSL_CTX_free(cctx); 7767 OSSL_LIB_CTX_free(tmplibctx); 7768 7769 return testresult; 7770} 7771 7772static int test_ssl_get_shared_ciphers(int tst) 7773{ 7774 return int_test_ssl_get_shared_ciphers(tst, 0) 7775 && int_test_ssl_get_shared_ciphers(tst, 1); 7776} 7777 7778 7779static const char *appdata = "Hello World"; 7780static int gen_tick_called, dec_tick_called, tick_key_cb_called; 7781static int tick_key_renew = 0; 7782static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT; 7783 7784static int gen_tick_cb(SSL *s, void *arg) 7785{ 7786 gen_tick_called = 1; 7787 7788 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata, 7789 strlen(appdata)); 7790} 7791 7792static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss, 7793 const unsigned char *keyname, 7794 size_t keyname_length, 7795 SSL_TICKET_STATUS status, 7796 void *arg) 7797{ 7798 void *tickdata; 7799 size_t tickdlen; 7800 7801 dec_tick_called = 1; 7802 7803 if (status == SSL_TICKET_EMPTY) 7804 return SSL_TICKET_RETURN_IGNORE_RENEW; 7805 7806 if (!TEST_true(status == SSL_TICKET_SUCCESS 7807 || status == SSL_TICKET_SUCCESS_RENEW)) 7808 return SSL_TICKET_RETURN_ABORT; 7809 7810 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata, 7811 &tickdlen)) 7812 || !TEST_size_t_eq(tickdlen, strlen(appdata)) 7813 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0)) 7814 return SSL_TICKET_RETURN_ABORT; 7815 7816 if (tick_key_cb_called) { 7817 /* Don't change what the ticket key callback wanted to do */ 7818 switch (status) { 7819 case SSL_TICKET_NO_DECRYPT: 7820 return SSL_TICKET_RETURN_IGNORE_RENEW; 7821 7822 case SSL_TICKET_SUCCESS: 7823 return SSL_TICKET_RETURN_USE; 7824 7825 case SSL_TICKET_SUCCESS_RENEW: 7826 return SSL_TICKET_RETURN_USE_RENEW; 7827 7828 default: 7829 return SSL_TICKET_RETURN_ABORT; 7830 } 7831 } 7832 return tick_dec_ret; 7833 7834} 7835 7836#ifndef OPENSSL_NO_DEPRECATED_3_0 7837static int tick_key_cb(SSL *s, unsigned char key_name[16], 7838 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx, 7839 HMAC_CTX *hctx, int enc) 7840{ 7841 const unsigned char tick_aes_key[16] = "0123456789abcdef"; 7842 const unsigned char tick_hmac_key[16] = "0123456789abcdef"; 7843 EVP_CIPHER *aes128cbc; 7844 EVP_MD *sha256; 7845 int ret; 7846 7847 tick_key_cb_called = 1; 7848 7849 if (tick_key_renew == -1) 7850 return 0; 7851 7852 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL); 7853 if (!TEST_ptr(aes128cbc)) 7854 return 0; 7855 sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL); 7856 if (!TEST_ptr(sha256)) { 7857 EVP_CIPHER_free(aes128cbc); 7858 return 0; 7859 } 7860 7861 memset(iv, 0, AES_BLOCK_SIZE); 7862 memset(key_name, 0, 16); 7863 if (aes128cbc == NULL 7864 || sha256 == NULL 7865 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc) 7866 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256, 7867 NULL)) 7868 ret = -1; 7869 else 7870 ret = tick_key_renew ? 2 : 1; 7871 7872 EVP_CIPHER_free(aes128cbc); 7873 EVP_MD_free(sha256); 7874 7875 return ret; 7876} 7877#endif 7878 7879static int tick_key_evp_cb(SSL *s, unsigned char key_name[16], 7880 unsigned char iv[EVP_MAX_IV_LENGTH], 7881 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc) 7882{ 7883 const unsigned char tick_aes_key[16] = "0123456789abcdef"; 7884 unsigned char tick_hmac_key[16] = "0123456789abcdef"; 7885 OSSL_PARAM params[2]; 7886 EVP_CIPHER *aes128cbc; 7887 int ret; 7888 7889 tick_key_cb_called = 1; 7890 7891 if (tick_key_renew == -1) 7892 return 0; 7893 7894 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL); 7895 if (!TEST_ptr(aes128cbc)) 7896 return 0; 7897 7898 memset(iv, 0, AES_BLOCK_SIZE); 7899 memset(key_name, 0, 16); 7900 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, 7901 "SHA256", 0); 7902 params[1] = OSSL_PARAM_construct_end(); 7903 if (aes128cbc == NULL 7904 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc) 7905 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key), 7906 params)) 7907 ret = -1; 7908 else 7909 ret = tick_key_renew ? 2 : 1; 7910 7911 EVP_CIPHER_free(aes128cbc); 7912 7913 return ret; 7914} 7915 7916/* 7917 * Test the various ticket callbacks 7918 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal 7919 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal 7920 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal 7921 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal 7922 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal 7923 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal 7924 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal 7925 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal 7926 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal 7927 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal 7928 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal 7929 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal 7930 * Test 12: TLSv1.2, old ticket key callback, no ticket 7931 * Test 13: TLSv1.3, old ticket key callback, no ticket 7932 * Test 14: TLSv1.2, ticket key callback, ticket, no renewal 7933 * Test 15: TLSv1.3, ticket key callback, ticket, no renewal 7934 * Test 16: TLSv1.2, ticket key callback, ticket, renewal 7935 * Test 17: TLSv1.3, ticket key callback, ticket, renewal 7936 * Test 18: TLSv1.2, ticket key callback, no ticket 7937 * Test 19: TLSv1.3, ticket key callback, no ticket 7938 */ 7939static int test_ticket_callbacks(int tst) 7940{ 7941 SSL_CTX *cctx = NULL, *sctx = NULL; 7942 SSL *clientssl = NULL, *serverssl = NULL; 7943 SSL_SESSION *clntsess = NULL; 7944 int testresult = 0; 7945 7946#ifdef OPENSSL_NO_TLS1_2 7947 if (tst % 2 == 0) 7948 return 1; 7949#endif 7950#ifdef OSSL_NO_USABLE_TLS1_3 7951 if (tst % 2 == 1) 7952 return 1; 7953#endif 7954#ifdef OPENSSL_NO_DEPRECATED_3_0 7955 if (tst >= 8 && tst <= 13) 7956 return 1; 7957#endif 7958 7959 gen_tick_called = dec_tick_called = tick_key_cb_called = 0; 7960 7961 /* Which tests the ticket key callback should request renewal for */ 7962 7963 if (tst == 10 || tst == 11 || tst == 16 || tst == 17) 7964 tick_key_renew = 1; 7965 else if (tst == 12 || tst == 13 || tst == 18 || tst == 19) 7966 tick_key_renew = -1; /* abort sending the ticket/0-length ticket */ 7967 else 7968 tick_key_renew = 0; 7969 7970 /* Which tests the decrypt ticket callback should request renewal for */ 7971 switch (tst) { 7972 case 0: 7973 case 1: 7974 tick_dec_ret = SSL_TICKET_RETURN_IGNORE; 7975 break; 7976 7977 case 2: 7978 case 3: 7979 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW; 7980 break; 7981 7982 case 4: 7983 case 5: 7984 tick_dec_ret = SSL_TICKET_RETURN_USE; 7985 break; 7986 7987 case 6: 7988 case 7: 7989 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW; 7990 break; 7991 7992 default: 7993 tick_dec_ret = SSL_TICKET_RETURN_ABORT; 7994 } 7995 7996 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 7997 TLS_client_method(), 7998 TLS1_VERSION, 7999 ((tst % 2) == 0) ? TLS1_2_VERSION 8000 : TLS1_3_VERSION, 8001 &sctx, &cctx, cert, privkey))) 8002 goto end; 8003 8004 /* 8005 * We only want sessions to resume from tickets - not the session cache. So 8006 * switch the cache off. 8007 */ 8008 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF))) 8009 goto end; 8010 8011 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb, 8012 NULL))) 8013 goto end; 8014 8015 if (tst >= 14) { 8016 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb))) 8017 goto end; 8018#ifndef OPENSSL_NO_DEPRECATED_3_0 8019 } else if (tst >= 8) { 8020 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb))) 8021 goto end; 8022#endif 8023 } 8024 8025 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 8026 NULL, NULL)) 8027 || !TEST_true(create_ssl_connection(serverssl, clientssl, 8028 SSL_ERROR_NONE))) 8029 goto end; 8030 8031 /* 8032 * The decrypt ticket key callback in TLSv1.2 should be called even though 8033 * we have no ticket yet, because it gets called with a status of 8034 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not 8035 * actually send any ticket data). This does not happen in TLSv1.3 because 8036 * it is not valid to send empty ticket data in TLSv1.3. 8037 */ 8038 if (!TEST_int_eq(gen_tick_called, 1) 8039 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0)) 8040 goto end; 8041 8042 gen_tick_called = dec_tick_called = 0; 8043 8044 clntsess = SSL_get1_session(clientssl); 8045 SSL_shutdown(clientssl); 8046 SSL_shutdown(serverssl); 8047 SSL_free(serverssl); 8048 SSL_free(clientssl); 8049 serverssl = clientssl = NULL; 8050 8051 /* Now do a resumption */ 8052 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, 8053 NULL)) 8054 || !TEST_true(SSL_set_session(clientssl, clntsess)) 8055 || !TEST_true(create_ssl_connection(serverssl, clientssl, 8056 SSL_ERROR_NONE))) 8057 goto end; 8058 8059 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE 8060 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW 8061 || tick_key_renew == -1) { 8062 if (!TEST_false(SSL_session_reused(clientssl))) 8063 goto end; 8064 } else { 8065 if (!TEST_true(SSL_session_reused(clientssl))) 8066 goto end; 8067 } 8068 8069 if (!TEST_int_eq(gen_tick_called, 8070 (tick_key_renew 8071 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW 8072 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW) 8073 ? 1 : 0) 8074 /* There is no ticket to decrypt in tests 13 and 19 */ 8075 || !TEST_int_eq(dec_tick_called, (tst == 13 || tst == 19) ? 0 : 1)) 8076 goto end; 8077 8078 testresult = 1; 8079 8080 end: 8081 SSL_SESSION_free(clntsess); 8082 SSL_free(serverssl); 8083 SSL_free(clientssl); 8084 SSL_CTX_free(sctx); 8085 SSL_CTX_free(cctx); 8086 8087 return testresult; 8088} 8089 8090/* 8091 * Test incorrect shutdown. 8092 * Test 0: client does not shutdown properly, 8093 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF, 8094 * server should get SSL_ERROR_SSL 8095 * Test 1: client does not shutdown properly, 8096 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF, 8097 * server should get SSL_ERROR_ZERO_RETURN 8098 */ 8099static int test_incorrect_shutdown(int tst) 8100{ 8101 SSL_CTX *cctx = NULL, *sctx = NULL; 8102 SSL *clientssl = NULL, *serverssl = NULL; 8103 int testresult = 0; 8104 char buf[80]; 8105 BIO *c2s; 8106 8107 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 8108 TLS_client_method(), 0, 0, 8109 &sctx, &cctx, cert, privkey))) 8110 goto end; 8111 8112 if (tst == 1) 8113 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF); 8114 8115 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 8116 NULL, NULL))) 8117 goto end; 8118 8119 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 8120 SSL_ERROR_NONE))) 8121 goto end; 8122 8123 c2s = SSL_get_rbio(serverssl); 8124 BIO_set_mem_eof_return(c2s, 0); 8125 8126 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf)))) 8127 goto end; 8128 8129 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) ) 8130 goto end; 8131 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) ) 8132 goto end; 8133 8134 testresult = 1; 8135 8136 end: 8137 SSL_free(serverssl); 8138 SSL_free(clientssl); 8139 SSL_CTX_free(sctx); 8140 SSL_CTX_free(cctx); 8141 8142 return testresult; 8143} 8144 8145/* 8146 * Test bi-directional shutdown. 8147 * Test 0: TLSv1.2 8148 * Test 1: TLSv1.2, server continues to read/write after client shutdown 8149 * Test 2: TLSv1.3, no pending NewSessionTicket messages 8150 * Test 3: TLSv1.3, pending NewSessionTicket messages 8151 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server 8152 * sends key update, client reads it 8153 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server 8154 * sends CertificateRequest, client reads and ignores it 8155 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client 8156 * doesn't read it 8157 */ 8158static int test_shutdown(int tst) 8159{ 8160 SSL_CTX *cctx = NULL, *sctx = NULL; 8161 SSL *clientssl = NULL, *serverssl = NULL; 8162 int testresult = 0; 8163 char msg[] = "A test message"; 8164 char buf[80]; 8165 size_t written, readbytes; 8166 SSL_SESSION *sess; 8167 8168#ifdef OPENSSL_NO_TLS1_2 8169 if (tst <= 1) 8170 return 1; 8171#endif 8172#ifdef OSSL_NO_USABLE_TLS1_3 8173 if (tst >= 2) 8174 return 1; 8175#endif 8176 8177 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 8178 TLS_client_method(), 8179 TLS1_VERSION, 8180 (tst <= 1) ? TLS1_2_VERSION 8181 : TLS1_3_VERSION, 8182 &sctx, &cctx, cert, privkey))) 8183 goto end; 8184 8185 if (tst == 5) 8186 SSL_CTX_set_post_handshake_auth(cctx, 1); 8187 8188 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 8189 NULL, NULL))) 8190 goto end; 8191 8192 if (tst == 3) { 8193 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl, 8194 SSL_ERROR_NONE, 1)) 8195 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL) 8196 || !TEST_false(SSL_SESSION_is_resumable(sess))) 8197 goto end; 8198 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl, 8199 SSL_ERROR_NONE)) 8200 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL) 8201 || !TEST_true(SSL_SESSION_is_resumable(sess))) { 8202 goto end; 8203 } 8204 8205 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)) 8206 goto end; 8207 8208 if (tst >= 4) { 8209 /* 8210 * Reading on the server after the client has sent close_notify should 8211 * fail and provide SSL_ERROR_ZERO_RETURN 8212 */ 8213 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)) 8214 || !TEST_int_eq(SSL_get_error(serverssl, 0), 8215 SSL_ERROR_ZERO_RETURN) 8216 || !TEST_int_eq(SSL_get_shutdown(serverssl), 8217 SSL_RECEIVED_SHUTDOWN) 8218 /* 8219 * Even though we're shutdown on receive we should still be 8220 * able to write. 8221 */ 8222 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg)))) 8223 goto end; 8224 if (tst == 4 8225 && !TEST_true(SSL_key_update(serverssl, 8226 SSL_KEY_UPDATE_REQUESTED))) 8227 goto end; 8228 if (tst == 5) { 8229 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL); 8230 if (!TEST_true(SSL_verify_client_post_handshake(serverssl))) 8231 goto end; 8232 } 8233 if ((tst == 4 || tst == 5) 8234 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg)))) 8235 goto end; 8236 if (!TEST_int_eq(SSL_shutdown(serverssl), 1)) 8237 goto end; 8238 if (tst == 4 || tst == 5) { 8239 /* Should still be able to read data from server */ 8240 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), 8241 &readbytes)) 8242 || !TEST_size_t_eq(readbytes, sizeof(msg)) 8243 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0) 8244 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), 8245 &readbytes)) 8246 || !TEST_size_t_eq(readbytes, sizeof(msg)) 8247 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)) 8248 goto end; 8249 } 8250 } 8251 8252 /* Writing on the client after sending close_notify shouldn't be possible */ 8253 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written))) 8254 goto end; 8255 8256 if (tst < 4) { 8257 /* 8258 * For these tests the client has sent close_notify but it has not yet 8259 * been received by the server. The server has not sent close_notify 8260 * yet. 8261 */ 8262 if (!TEST_int_eq(SSL_shutdown(serverssl), 0) 8263 /* 8264 * Writing on the server after sending close_notify shouldn't 8265 * be possible. 8266 */ 8267 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written)) 8268 || !TEST_int_eq(SSL_shutdown(clientssl), 1) 8269 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL) 8270 || !TEST_true(SSL_SESSION_is_resumable(sess)) 8271 || !TEST_int_eq(SSL_shutdown(serverssl), 1)) 8272 goto end; 8273 } else if (tst == 4 || tst == 5) { 8274 /* 8275 * In this test the client has sent close_notify and it has been 8276 * received by the server which has responded with a close_notify. The 8277 * client needs to read the close_notify sent by the server. 8278 */ 8279 if (!TEST_int_eq(SSL_shutdown(clientssl), 1) 8280 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL) 8281 || !TEST_true(SSL_SESSION_is_resumable(sess))) 8282 goto end; 8283 } else { 8284 /* 8285 * tst == 6 8286 * 8287 * The client has sent close_notify and is expecting a close_notify 8288 * back, but instead there is application data first. The shutdown 8289 * should fail with a fatal error. 8290 */ 8291 if (!TEST_int_eq(SSL_shutdown(clientssl), -1) 8292 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL)) 8293 goto end; 8294 } 8295 8296 testresult = 1; 8297 8298 end: 8299 SSL_free(serverssl); 8300 SSL_free(clientssl); 8301 SSL_CTX_free(sctx); 8302 SSL_CTX_free(cctx); 8303 8304 return testresult; 8305} 8306 8307#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) 8308static int cert_cb_cnt; 8309 8310static int cert_cb(SSL *s, void *arg) 8311{ 8312 SSL_CTX *ctx = (SSL_CTX *)arg; 8313 BIO *in = NULL; 8314 EVP_PKEY *pkey = NULL; 8315 X509 *x509 = NULL, *rootx = NULL; 8316 STACK_OF(X509) *chain = NULL; 8317 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL; 8318 int ret = 0; 8319 8320 if (cert_cb_cnt == 0) { 8321 /* Suspend the handshake */ 8322 cert_cb_cnt++; 8323 return -1; 8324 } else if (cert_cb_cnt == 1) { 8325 /* 8326 * Update the SSL_CTX, set the certificate and private key and then 8327 * continue the handshake normally. 8328 */ 8329 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx))) 8330 return 0; 8331 8332 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM)) 8333 || !TEST_true(SSL_use_PrivateKey_file(s, privkey, 8334 SSL_FILETYPE_PEM)) 8335 || !TEST_true(SSL_check_private_key(s))) 8336 return 0; 8337 cert_cb_cnt++; 8338 return 1; 8339 } else if (cert_cb_cnt == 3) { 8340 int rv; 8341 8342 rootfile = test_mk_file_path(certsdir, "rootcert.pem"); 8343 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem"); 8344 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem"); 8345 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey)) 8346 goto out; 8347 chain = sk_X509_new_null(); 8348 if (!TEST_ptr(chain)) 8349 goto out; 8350 if (!TEST_ptr(in = BIO_new(BIO_s_file())) 8351 || !TEST_int_gt(BIO_read_filename(in, rootfile), 0) 8352 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL)) 8353 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL)) 8354 || !TEST_true(sk_X509_push(chain, rootx))) 8355 goto out; 8356 rootx = NULL; 8357 BIO_free(in); 8358 if (!TEST_ptr(in = BIO_new(BIO_s_file())) 8359 || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0) 8360 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL)) 8361 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL))) 8362 goto out; 8363 BIO_free(in); 8364 if (!TEST_ptr(in = BIO_new(BIO_s_file())) 8365 || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0) 8366 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL, 8367 NULL, NULL, 8368 libctx, NULL))) 8369 goto out; 8370 rv = SSL_check_chain(s, x509, pkey, chain); 8371 /* 8372 * If the cert doesn't show as valid here (e.g., because we don't 8373 * have any shared sigalgs), then we will not set it, and there will 8374 * be no certificate at all on the SSL or SSL_CTX. This, in turn, 8375 * will cause tls_choose_sigalgs() to fail the connection. 8376 */ 8377 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) 8378 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) { 8379 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1)) 8380 goto out; 8381 } 8382 8383 ret = 1; 8384 } 8385 8386 /* Abort the handshake */ 8387 out: 8388 OPENSSL_free(ecdsacert); 8389 OPENSSL_free(ecdsakey); 8390 OPENSSL_free(rootfile); 8391 BIO_free(in); 8392 EVP_PKEY_free(pkey); 8393 X509_free(x509); 8394 X509_free(rootx); 8395 sk_X509_pop_free(chain, X509_free); 8396 return ret; 8397} 8398 8399/* 8400 * Test the certificate callback. 8401 * Test 0: Callback fails 8402 * Test 1: Success - no SSL_set_SSL_CTX() in the callback 8403 * Test 2: Success - SSL_set_SSL_CTX() in the callback 8404 * Test 3: Success - Call SSL_check_chain from the callback 8405 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the 8406 * chain 8407 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert 8408 */ 8409static int test_cert_cb_int(int prot, int tst) 8410{ 8411 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL; 8412 SSL *clientssl = NULL, *serverssl = NULL; 8413 int testresult = 0, ret; 8414 8415#ifdef OPENSSL_NO_EC 8416 /* We use an EC cert in these tests, so we skip in a no-ec build */ 8417 if (tst >= 3) 8418 return 1; 8419#endif 8420 8421 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 8422 TLS_client_method(), 8423 TLS1_VERSION, 8424 prot, 8425 &sctx, &cctx, NULL, NULL))) 8426 goto end; 8427 8428 if (tst == 0) 8429 cert_cb_cnt = -1; 8430 else if (tst >= 3) 8431 cert_cb_cnt = 3; 8432 else 8433 cert_cb_cnt = 0; 8434 8435 if (tst == 2) { 8436 snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()); 8437 if (!TEST_ptr(snictx)) 8438 goto end; 8439 } 8440 8441 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx); 8442 8443 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 8444 NULL, NULL))) 8445 goto end; 8446 8447 if (tst == 4) { 8448 /* 8449 * We cause SSL_check_chain() to fail by specifying sig_algs that 8450 * the chain doesn't meet (the root uses an RSA cert) 8451 */ 8452 if (!TEST_true(SSL_set1_sigalgs_list(clientssl, 8453 "ecdsa_secp256r1_sha256"))) 8454 goto end; 8455 } else if (tst == 5) { 8456 /* 8457 * We cause SSL_check_chain() to fail by specifying sig_algs that 8458 * the ee cert doesn't meet (the ee uses an ECDSA cert) 8459 */ 8460 if (!TEST_true(SSL_set1_sigalgs_list(clientssl, 8461 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256"))) 8462 goto end; 8463 } 8464 8465 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE); 8466 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret) 8467 || (tst > 0 8468 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) { 8469 goto end; 8470 } 8471 8472 testresult = 1; 8473 8474 end: 8475 SSL_free(serverssl); 8476 SSL_free(clientssl); 8477 SSL_CTX_free(sctx); 8478 SSL_CTX_free(cctx); 8479 SSL_CTX_free(snictx); 8480 8481 return testresult; 8482} 8483#endif 8484 8485static int test_cert_cb(int tst) 8486{ 8487 int testresult = 1; 8488 8489#ifndef OPENSSL_NO_TLS1_2 8490 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst); 8491#endif 8492#ifndef OSSL_NO_USABLE_TLS1_3 8493 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst); 8494#endif 8495 8496 return testresult; 8497} 8498 8499static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey) 8500{ 8501 X509 *xcert; 8502 EVP_PKEY *privpkey; 8503 BIO *in = NULL; 8504 BIO *priv_in = NULL; 8505 8506 /* Check that SSL_get0_peer_certificate() returns something sensible */ 8507 if (!TEST_ptr(SSL_get0_peer_certificate(ssl))) 8508 return 0; 8509 8510 in = BIO_new_file(cert, "r"); 8511 if (!TEST_ptr(in)) 8512 return 0; 8513 8514 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL)) 8515 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL)) 8516 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r")) 8517 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL, 8518 NULL, NULL, 8519 libctx, NULL))) 8520 goto err; 8521 8522 *x509 = xcert; 8523 *pkey = privpkey; 8524 8525 BIO_free(in); 8526 BIO_free(priv_in); 8527 return 1; 8528err: 8529 X509_free(xcert); 8530 BIO_free(in); 8531 BIO_free(priv_in); 8532 return 0; 8533} 8534 8535static int test_client_cert_cb(int tst) 8536{ 8537 SSL_CTX *cctx = NULL, *sctx = NULL; 8538 SSL *clientssl = NULL, *serverssl = NULL; 8539 int testresult = 0; 8540 8541#ifdef OPENSSL_NO_TLS1_2 8542 if (tst == 0) 8543 return 1; 8544#endif 8545#ifdef OSSL_NO_USABLE_TLS1_3 8546 if (tst == 1) 8547 return 1; 8548#endif 8549 8550 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 8551 TLS_client_method(), 8552 TLS1_VERSION, 8553 tst == 0 ? TLS1_2_VERSION 8554 : TLS1_3_VERSION, 8555 &sctx, &cctx, cert, privkey))) 8556 goto end; 8557 8558 /* 8559 * Test that setting a client_cert_cb results in a client certificate being 8560 * sent. 8561 */ 8562 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb); 8563 SSL_CTX_set_verify(sctx, 8564 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 8565 verify_cb); 8566 8567 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 8568 NULL, NULL)) 8569 || !TEST_true(create_ssl_connection(serverssl, clientssl, 8570 SSL_ERROR_NONE))) 8571 goto end; 8572 8573 testresult = 1; 8574 8575 end: 8576 SSL_free(serverssl); 8577 SSL_free(clientssl); 8578 SSL_CTX_free(sctx); 8579 SSL_CTX_free(cctx); 8580 8581 return testresult; 8582} 8583 8584#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) 8585/* 8586 * Test setting certificate authorities on both client and server. 8587 * 8588 * Test 0: SSL_CTX_set0_CA_list() only 8589 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list() 8590 * Test 2: Only SSL_CTX_set_client_CA_list() 8591 */ 8592static int test_ca_names_int(int prot, int tst) 8593{ 8594 SSL_CTX *cctx = NULL, *sctx = NULL; 8595 SSL *clientssl = NULL, *serverssl = NULL; 8596 int testresult = 0; 8597 size_t i; 8598 X509_NAME *name[] = { NULL, NULL, NULL, NULL }; 8599 char *strnames[] = { "Jack", "Jill", "John", "Joanne" }; 8600 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL; 8601 const STACK_OF(X509_NAME) *sktmp = NULL; 8602 8603 for (i = 0; i < OSSL_NELEM(name); i++) { 8604 name[i] = X509_NAME_new(); 8605 if (!TEST_ptr(name[i]) 8606 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN", 8607 MBSTRING_ASC, 8608 (unsigned char *) 8609 strnames[i], 8610 -1, -1, 0))) 8611 goto end; 8612 } 8613 8614 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 8615 TLS_client_method(), 8616 TLS1_VERSION, 8617 prot, 8618 &sctx, &cctx, cert, privkey))) 8619 goto end; 8620 8621 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL); 8622 8623 if (tst == 0 || tst == 1) { 8624 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null()) 8625 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0]))) 8626 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1]))) 8627 || !TEST_ptr(sk2 = sk_X509_NAME_new_null()) 8628 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0]))) 8629 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1])))) 8630 goto end; 8631 8632 SSL_CTX_set0_CA_list(sctx, sk1); 8633 SSL_CTX_set0_CA_list(cctx, sk2); 8634 sk1 = sk2 = NULL; 8635 } 8636 if (tst == 1 || tst == 2) { 8637 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null()) 8638 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2]))) 8639 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3]))) 8640 || !TEST_ptr(sk2 = sk_X509_NAME_new_null()) 8641 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2]))) 8642 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3])))) 8643 goto end; 8644 8645 SSL_CTX_set_client_CA_list(sctx, sk1); 8646 SSL_CTX_set_client_CA_list(cctx, sk2); 8647 sk1 = sk2 = NULL; 8648 } 8649 8650 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 8651 NULL, NULL)) 8652 || !TEST_true(create_ssl_connection(serverssl, clientssl, 8653 SSL_ERROR_NONE))) 8654 goto end; 8655 8656 /* 8657 * We only expect certificate authorities to have been sent to the server 8658 * if we are using TLSv1.3 and SSL_set0_CA_list() was used 8659 */ 8660 sktmp = SSL_get0_peer_CA_list(serverssl); 8661 if (prot == TLS1_3_VERSION 8662 && (tst == 0 || tst == 1)) { 8663 if (!TEST_ptr(sktmp) 8664 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2) 8665 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0), 8666 name[0]), 0) 8667 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1), 8668 name[1]), 0)) 8669 goto end; 8670 } else if (!TEST_ptr_null(sktmp)) { 8671 goto end; 8672 } 8673 8674 /* 8675 * In all tests we expect certificate authorities to have been sent to the 8676 * client. However, SSL_set_client_CA_list() should override 8677 * SSL_set0_CA_list() 8678 */ 8679 sktmp = SSL_get0_peer_CA_list(clientssl); 8680 if (!TEST_ptr(sktmp) 8681 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2) 8682 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0), 8683 name[tst == 0 ? 0 : 2]), 0) 8684 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1), 8685 name[tst == 0 ? 1 : 3]), 0)) 8686 goto end; 8687 8688 testresult = 1; 8689 8690 end: 8691 SSL_free(serverssl); 8692 SSL_free(clientssl); 8693 SSL_CTX_free(sctx); 8694 SSL_CTX_free(cctx); 8695 for (i = 0; i < OSSL_NELEM(name); i++) 8696 X509_NAME_free(name[i]); 8697 sk_X509_NAME_pop_free(sk1, X509_NAME_free); 8698 sk_X509_NAME_pop_free(sk2, X509_NAME_free); 8699 8700 return testresult; 8701} 8702#endif 8703 8704static int test_ca_names(int tst) 8705{ 8706 int testresult = 1; 8707 8708#ifndef OPENSSL_NO_TLS1_2 8709 testresult &= test_ca_names_int(TLS1_2_VERSION, tst); 8710#endif 8711#ifndef OSSL_NO_USABLE_TLS1_3 8712 testresult &= test_ca_names_int(TLS1_3_VERSION, tst); 8713#endif 8714 8715 return testresult; 8716} 8717 8718#ifndef OPENSSL_NO_TLS1_2 8719static const char *multiblock_cipherlist_data[]= 8720{ 8721 "AES128-SHA", 8722 "AES128-SHA256", 8723 "AES256-SHA", 8724 "AES256-SHA256", 8725}; 8726 8727/* Reduce the fragment size - so the multiblock test buffer can be small */ 8728# define MULTIBLOCK_FRAGSIZE 512 8729 8730static int test_multiblock_write(int test_index) 8731{ 8732 static const char *fetchable_ciphers[]= 8733 { 8734 "AES-128-CBC-HMAC-SHA1", 8735 "AES-128-CBC-HMAC-SHA256", 8736 "AES-256-CBC-HMAC-SHA1", 8737 "AES-256-CBC-HMAC-SHA256" 8738 }; 8739 const char *cipherlist = multiblock_cipherlist_data[test_index]; 8740 const SSL_METHOD *smeth = TLS_server_method(); 8741 const SSL_METHOD *cmeth = TLS_client_method(); 8742 int min_version = TLS1_VERSION; 8743 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */ 8744 SSL_CTX *cctx = NULL, *sctx = NULL; 8745 SSL *clientssl = NULL, *serverssl = NULL; 8746 int testresult = 0; 8747 8748 /* 8749 * Choose a buffer large enough to perform a multi-block operation 8750 * i.e: write_len >= 4 * frag_size 8751 * 9 * is chosen so that multiple multiblocks are used + some leftover. 8752 */ 8753 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9]; 8754 unsigned char buf[sizeof(msg)], *p = buf; 8755 size_t readbytes, written, len; 8756 EVP_CIPHER *ciph = NULL; 8757 8758 /* 8759 * Check if the cipher exists before attempting to use it since it only has 8760 * a hardware specific implementation. 8761 */ 8762 ciph = EVP_CIPHER_fetch(libctx, fetchable_ciphers[test_index], ""); 8763 if (ciph == NULL) { 8764 TEST_skip("Multiblock cipher is not available for %s", cipherlist); 8765 return 1; 8766 } 8767 EVP_CIPHER_free(ciph); 8768 8769 /* Set up a buffer with some data that will be sent to the client */ 8770 RAND_bytes(msg, sizeof(msg)); 8771 8772 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version, 8773 max_version, &sctx, &cctx, cert, 8774 privkey))) 8775 goto end; 8776 8777 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE))) 8778 goto end; 8779 8780 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 8781 NULL, NULL))) 8782 goto end; 8783 8784 /* settings to force it to use AES-CBC-HMAC_SHA */ 8785 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC); 8786 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist))) 8787 goto end; 8788 8789 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 8790 goto end; 8791 8792 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written)) 8793 || !TEST_size_t_eq(written, sizeof(msg))) 8794 goto end; 8795 8796 len = written; 8797 while (len > 0) { 8798 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes))) 8799 goto end; 8800 p += readbytes; 8801 len -= readbytes; 8802 } 8803 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf))) 8804 goto end; 8805 8806 testresult = 1; 8807end: 8808 SSL_free(serverssl); 8809 SSL_free(clientssl); 8810 SSL_CTX_free(sctx); 8811 SSL_CTX_free(cctx); 8812 8813 return testresult; 8814} 8815#endif /* OPENSSL_NO_TLS1_2 */ 8816 8817static int test_session_timeout(int test) 8818{ 8819 /* 8820 * Test session ordering and timeout 8821 * Can't explicitly test performance of the new code, 8822 * but can test to see if the ordering of the sessions 8823 * are correct, and they they are removed as expected 8824 */ 8825 SSL_SESSION *early = NULL; 8826 SSL_SESSION *middle = NULL; 8827 SSL_SESSION *late = NULL; 8828 SSL_CTX *ctx; 8829 int testresult = 0; 8830 long now = (long)time(NULL); 8831#define TIMEOUT 10 8832 8833 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method())) 8834 || !TEST_ptr(early = SSL_SESSION_new()) 8835 || !TEST_ptr(middle = SSL_SESSION_new()) 8836 || !TEST_ptr(late = SSL_SESSION_new())) 8837 goto end; 8838 8839 /* assign unique session ids */ 8840 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH; 8841 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH); 8842 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH; 8843 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH); 8844 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH; 8845 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH); 8846 8847 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1) 8848 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1) 8849 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1)) 8850 goto end; 8851 8852 /* Make sure they are all added */ 8853 if (!TEST_ptr(early->prev) 8854 || !TEST_ptr(middle->prev) 8855 || !TEST_ptr(late->prev)) 8856 goto end; 8857 8858 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0) 8859 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0) 8860 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0)) 8861 goto end; 8862 8863 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0) 8864 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0) 8865 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0)) 8866 goto end; 8867 8868 /* Make sure they are all still there */ 8869 if (!TEST_ptr(early->prev) 8870 || !TEST_ptr(middle->prev) 8871 || !TEST_ptr(late->prev)) 8872 goto end; 8873 8874 /* Make sure they are in the expected order */ 8875 if (!TEST_ptr_eq(late->next, middle) 8876 || !TEST_ptr_eq(middle->next, early) 8877 || !TEST_ptr_eq(early->prev, middle) 8878 || !TEST_ptr_eq(middle->prev, late)) 8879 goto end; 8880 8881 /* This should remove "early" */ 8882 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1); 8883 if (!TEST_ptr_null(early->prev) 8884 || !TEST_ptr(middle->prev) 8885 || !TEST_ptr(late->prev)) 8886 goto end; 8887 8888 /* This should remove "middle" */ 8889 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1); 8890 if (!TEST_ptr_null(early->prev) 8891 || !TEST_ptr_null(middle->prev) 8892 || !TEST_ptr(late->prev)) 8893 goto end; 8894 8895 /* This should remove "late" */ 8896 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11); 8897 if (!TEST_ptr_null(early->prev) 8898 || !TEST_ptr_null(middle->prev) 8899 || !TEST_ptr_null(late->prev)) 8900 goto end; 8901 8902 /* Add them back in again */ 8903 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1) 8904 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1) 8905 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1)) 8906 goto end; 8907 8908 /* Make sure they are all added */ 8909 if (!TEST_ptr(early->prev) 8910 || !TEST_ptr(middle->prev) 8911 || !TEST_ptr(late->prev)) 8912 goto end; 8913 8914 /* This should remove all of them */ 8915 SSL_CTX_flush_sessions(ctx, 0); 8916 if (!TEST_ptr_null(early->prev) 8917 || !TEST_ptr_null(middle->prev) 8918 || !TEST_ptr_null(late->prev)) 8919 goto end; 8920 8921 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME 8922 | SSL_CTX_get_session_cache_mode(ctx)); 8923 8924 /* make sure |now| is NOT equal to the current time */ 8925 now -= 10; 8926 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0) 8927 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1) 8928 || !TEST_long_ne(SSL_SESSION_get_time(early), now)) 8929 goto end; 8930 8931 testresult = 1; 8932 end: 8933 SSL_CTX_free(ctx); 8934 SSL_SESSION_free(early); 8935 SSL_SESSION_free(middle); 8936 SSL_SESSION_free(late); 8937 return testresult; 8938} 8939 8940/* 8941 * Test that a session cache overflow works as expected 8942 * Test 0: TLSv1.3, timeout on new session later than old session 8943 * Test 1: TLSv1.2, timeout on new session later than old session 8944 * Test 2: TLSv1.3, timeout on new session earlier than old session 8945 * Test 3: TLSv1.2, timeout on new session earlier than old session 8946 */ 8947#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) 8948static int test_session_cache_overflow(int idx) 8949{ 8950 SSL_CTX *sctx = NULL, *cctx = NULL; 8951 SSL *serverssl = NULL, *clientssl = NULL; 8952 int testresult = 0; 8953 SSL_SESSION *sess = NULL; 8954 8955#ifdef OSSL_NO_USABLE_TLS1_3 8956 /* If no TLSv1.3 available then do nothing in this case */ 8957 if (idx % 2 == 0) 8958 return TEST_skip("No TLSv1.3 available"); 8959#endif 8960#ifdef OPENSSL_NO_TLS1_2 8961 /* If no TLSv1.2 available then do nothing in this case */ 8962 if (idx % 2 == 1) 8963 return TEST_skip("No TLSv1.2 available"); 8964#endif 8965 8966 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 8967 TLS_client_method(), TLS1_VERSION, 8968 (idx % 2 == 0) ? TLS1_3_VERSION 8969 : TLS1_2_VERSION, 8970 &sctx, &cctx, cert, privkey)) 8971 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))) 8972 goto end; 8973 8974 SSL_CTX_sess_set_get_cb(sctx, get_session_cb); 8975 get_sess_val = NULL; 8976 8977 SSL_CTX_sess_set_cache_size(sctx, 1); 8978 8979 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 8980 NULL, NULL))) 8981 goto end; 8982 8983 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 8984 goto end; 8985 8986 if (idx > 1) { 8987 sess = SSL_get_session(serverssl); 8988 if (!TEST_ptr(sess)) 8989 goto end; 8990 8991 /* 8992 * Cause this session to have a longer timeout than the next session to 8993 * be added. 8994 */ 8995 if (!TEST_true(SSL_SESSION_set_timeout(sess, LONG_MAX / 2))) { 8996 sess = NULL; 8997 goto end; 8998 } 8999 sess = NULL; 9000 } 9001 9002 SSL_shutdown(serverssl); 9003 SSL_shutdown(clientssl); 9004 SSL_free(serverssl); 9005 SSL_free(clientssl); 9006 serverssl = clientssl = NULL; 9007 9008 /* 9009 * Session cache size is 1 and we already populated the cache with a session 9010 * so the next connection should cause an overflow. 9011 */ 9012 9013 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 9014 NULL, NULL))) 9015 goto end; 9016 9017 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 9018 goto end; 9019 9020 /* 9021 * The session we just negotiated may have been already removed from the 9022 * internal cache - but we will return it anyway from our external cache. 9023 */ 9024 get_sess_val = SSL_get_session(serverssl); 9025 if (!TEST_ptr(get_sess_val)) 9026 goto end; 9027 sess = SSL_get1_session(clientssl); 9028 if (!TEST_ptr(sess)) 9029 goto end; 9030 9031 SSL_shutdown(serverssl); 9032 SSL_shutdown(clientssl); 9033 SSL_free(serverssl); 9034 SSL_free(clientssl); 9035 serverssl = clientssl = NULL; 9036 9037 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 9038 NULL, NULL))) 9039 goto end; 9040 9041 if (!TEST_true(SSL_set_session(clientssl, sess))) 9042 goto end; 9043 9044 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 9045 goto end; 9046 9047 testresult = 1; 9048 9049 end: 9050 SSL_free(serverssl); 9051 SSL_free(clientssl); 9052 SSL_CTX_free(sctx); 9053 SSL_CTX_free(cctx); 9054 SSL_SESSION_free(sess); 9055 9056 return testresult; 9057} 9058#endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */ 9059 9060/* 9061 * Test 0: Client sets servername and server acknowledges it (TLSv1.2) 9062 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2) 9063 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2) 9064 * Test 3: Client does not set servername on initial handshake (TLSv1.2) 9065 * Test 4: Client does not set servername on resumption handshake (TLSv1.2) 9066 * Test 5: Client sets servername and server acknowledges it (TLSv1.3) 9067 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3) 9068 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3) 9069 * Test 8: Client does not set servername on initial handshake(TLSv1.3) 9070 * Test 9: Client does not set servername on resumption handshake (TLSv1.3) 9071 */ 9072static int test_servername(int tst) 9073{ 9074 SSL_CTX *cctx = NULL, *sctx = NULL; 9075 SSL *clientssl = NULL, *serverssl = NULL; 9076 int testresult = 0; 9077 SSL_SESSION *sess = NULL; 9078 const char *sexpectedhost = NULL, *cexpectedhost = NULL; 9079 9080#ifdef OPENSSL_NO_TLS1_2 9081 if (tst <= 4) 9082 return 1; 9083#endif 9084#ifdef OSSL_NO_USABLE_TLS1_3 9085 if (tst >= 5) 9086 return 1; 9087#endif 9088 9089 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 9090 TLS_client_method(), 9091 TLS1_VERSION, 9092 (tst <= 4) ? TLS1_2_VERSION 9093 : TLS1_3_VERSION, 9094 &sctx, &cctx, cert, privkey)) 9095 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 9096 NULL, NULL))) 9097 goto end; 9098 9099 if (tst != 1 && tst != 6) { 9100 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, 9101 hostname_cb))) 9102 goto end; 9103 } 9104 9105 if (tst != 3 && tst != 8) { 9106 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))) 9107 goto end; 9108 sexpectedhost = cexpectedhost = "goodhost"; 9109 } 9110 9111 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 9112 goto end; 9113 9114 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name), 9115 cexpectedhost) 9116 || !TEST_str_eq(SSL_get_servername(serverssl, 9117 TLSEXT_NAMETYPE_host_name), 9118 sexpectedhost)) 9119 goto end; 9120 9121 /* Now repeat with a resumption handshake */ 9122 9123 if (!TEST_int_eq(SSL_shutdown(clientssl), 0) 9124 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL) 9125 || !TEST_true(SSL_SESSION_is_resumable(sess)) 9126 || !TEST_int_eq(SSL_shutdown(serverssl), 0)) 9127 goto end; 9128 9129 SSL_free(clientssl); 9130 SSL_free(serverssl); 9131 clientssl = serverssl = NULL; 9132 9133 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, 9134 NULL))) 9135 goto end; 9136 9137 if (!TEST_true(SSL_set_session(clientssl, sess))) 9138 goto end; 9139 9140 sexpectedhost = cexpectedhost = "goodhost"; 9141 if (tst == 2 || tst == 7) { 9142 /* Set an inconsistent hostname */ 9143 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost"))) 9144 goto end; 9145 /* 9146 * In TLSv1.2 we expect the hostname from the original handshake, in 9147 * TLSv1.3 we expect the hostname from this handshake 9148 */ 9149 if (tst == 7) 9150 sexpectedhost = cexpectedhost = "altgoodhost"; 9151 9152 if (!TEST_str_eq(SSL_get_servername(clientssl, 9153 TLSEXT_NAMETYPE_host_name), 9154 "altgoodhost")) 9155 goto end; 9156 } else if (tst == 4 || tst == 9) { 9157 /* 9158 * A TLSv1.3 session does not associate a session with a servername, 9159 * but a TLSv1.2 session does. 9160 */ 9161 if (tst == 9) 9162 sexpectedhost = cexpectedhost = NULL; 9163 9164 if (!TEST_str_eq(SSL_get_servername(clientssl, 9165 TLSEXT_NAMETYPE_host_name), 9166 cexpectedhost)) 9167 goto end; 9168 } else { 9169 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))) 9170 goto end; 9171 /* 9172 * In a TLSv1.2 resumption where the hostname was not acknowledged 9173 * we expect the hostname on the server to be empty. On the client we 9174 * return what was requested in this case. 9175 * 9176 * Similarly if the client didn't set a hostname on an original TLSv1.2 9177 * session but is now, the server hostname will be empty, but the client 9178 * is as we set it. 9179 */ 9180 if (tst == 1 || tst == 3) 9181 sexpectedhost = NULL; 9182 9183 if (!TEST_str_eq(SSL_get_servername(clientssl, 9184 TLSEXT_NAMETYPE_host_name), 9185 "goodhost")) 9186 goto end; 9187 } 9188 9189 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 9190 goto end; 9191 9192 if (!TEST_true(SSL_session_reused(clientssl)) 9193 || !TEST_true(SSL_session_reused(serverssl)) 9194 || !TEST_str_eq(SSL_get_servername(clientssl, 9195 TLSEXT_NAMETYPE_host_name), 9196 cexpectedhost) 9197 || !TEST_str_eq(SSL_get_servername(serverssl, 9198 TLSEXT_NAMETYPE_host_name), 9199 sexpectedhost)) 9200 goto end; 9201 9202 testresult = 1; 9203 9204 end: 9205 SSL_SESSION_free(sess); 9206 SSL_free(serverssl); 9207 SSL_free(clientssl); 9208 SSL_CTX_free(sctx); 9209 SSL_CTX_free(cctx); 9210 9211 return testresult; 9212} 9213 9214#if !defined(OPENSSL_NO_EC) \ 9215 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)) 9216/* 9217 * Test that if signature algorithms are not available, then we do not offer or 9218 * accept them. 9219 * Test 0: Two RSA sig algs available: both RSA sig algs shared 9220 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared 9221 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared 9222 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared 9223 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared 9224 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared 9225 */ 9226static int test_sigalgs_available(int idx) 9227{ 9228 SSL_CTX *cctx = NULL, *sctx = NULL; 9229 SSL *clientssl = NULL, *serverssl = NULL; 9230 int testresult = 0; 9231 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new(); 9232 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx; 9233 OSSL_PROVIDER *filterprov = NULL; 9234 int sig, hash; 9235 9236 if (!TEST_ptr(tmpctx)) 9237 goto end; 9238 9239 if (idx != 0 && idx != 3) { 9240 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter", 9241 filter_provider_init))) 9242 goto end; 9243 9244 filterprov = OSSL_PROVIDER_load(tmpctx, "filter"); 9245 if (!TEST_ptr(filterprov)) 9246 goto end; 9247 9248 if (idx < 3) { 9249 /* 9250 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered 9251 * or accepted for the peer that uses this libctx. Note that libssl 9252 * *requires* SHA2-256 to be available so we cannot disable that. We 9253 * also need SHA1 for our certificate. 9254 */ 9255 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST, 9256 "SHA2-256:SHA1"))) 9257 goto end; 9258 } else { 9259 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE, 9260 "ECDSA")) 9261 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT, 9262 "EC:X25519:X448"))) 9263 goto end; 9264 } 9265 9266 if (idx == 1 || idx == 4) 9267 clientctx = tmpctx; 9268 else 9269 serverctx = tmpctx; 9270 } 9271 9272 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method()); 9273 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method()); 9274 if (!TEST_ptr(cctx) || !TEST_ptr(sctx)) 9275 goto end; 9276 9277 if (idx != 5) { 9278 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 9279 TLS_client_method(), 9280 TLS1_VERSION, 9281 0, 9282 &sctx, &cctx, cert, privkey))) 9283 goto end; 9284 } else { 9285 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 9286 TLS_client_method(), 9287 TLS1_VERSION, 9288 0, 9289 &sctx, &cctx, cert2, privkey2))) 9290 goto end; 9291 } 9292 9293 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */ 9294 if (idx < 4) { 9295 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, 9296 "ECDHE-RSA-AES128-GCM-SHA256"))) 9297 goto end; 9298 } else { 9299 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, 9300 "ECDHE-ECDSA-AES128-GCM-SHA256"))) 9301 goto end; 9302 } 9303 9304 if (idx < 3) { 9305 if (!SSL_CTX_set1_sigalgs_list(cctx, 9306 "rsa_pss_rsae_sha384" 9307 ":rsa_pss_rsae_sha256") 9308 || !SSL_CTX_set1_sigalgs_list(sctx, 9309 "rsa_pss_rsae_sha384" 9310 ":rsa_pss_rsae_sha256")) 9311 goto end; 9312 } else { 9313 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256") 9314 || !SSL_CTX_set1_sigalgs_list(sctx, 9315 "rsa_pss_rsae_sha256:ECDSA+SHA256")) 9316 goto end; 9317 } 9318 9319 if (idx != 5 9320 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2, 9321 SSL_FILETYPE_PEM), 1) 9322 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, 9323 privkey2, 9324 SSL_FILETYPE_PEM), 1) 9325 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))) 9326 goto end; 9327 9328 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 9329 NULL, NULL))) 9330 goto end; 9331 9332 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 9333 goto end; 9334 9335 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */ 9336 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL, 9337 NULL, NULL), 9338 (idx == 0 || idx == 3) ? 2 : 1)) 9339 goto end; 9340 9341 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256)) 9342 goto end; 9343 9344 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC 9345 : NID_rsassaPss)) 9346 goto end; 9347 9348 testresult = filter_provider_check_clean_finish(); 9349 9350 end: 9351 SSL_free(serverssl); 9352 SSL_free(clientssl); 9353 SSL_CTX_free(sctx); 9354 SSL_CTX_free(cctx); 9355 OSSL_PROVIDER_unload(filterprov); 9356 OSSL_LIB_CTX_free(tmpctx); 9357 9358 return testresult; 9359} 9360#endif /* 9361 * !defined(OPENSSL_NO_EC) \ 9362 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)) 9363 */ 9364 9365#ifndef OPENSSL_NO_TLS1_3 9366/* This test can run in TLSv1.3 even if ec and dh are disabled */ 9367static int test_pluggable_group(int idx) 9368{ 9369 SSL_CTX *cctx = NULL, *sctx = NULL; 9370 SSL *clientssl = NULL, *serverssl = NULL; 9371 int testresult = 0; 9372 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider"); 9373 /* Check that we are not impacted by a provider without any groups */ 9374 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy"); 9375 const char *group_name = idx == 0 ? "xorkemgroup" : "xorgroup"; 9376 9377 if (!TEST_ptr(tlsprov)) 9378 goto end; 9379 9380 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 9381 TLS_client_method(), 9382 TLS1_3_VERSION, 9383 TLS1_3_VERSION, 9384 &sctx, &cctx, cert, privkey)) 9385 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 9386 NULL, NULL))) 9387 goto end; 9388 9389 /* ensure GROUPLIST_INCREMENT (=40) logic triggers: */ 9390 if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup:xorkemgroup:dummy1:dummy2:dummy3:dummy4:dummy5:dummy6:dummy7:dummy8:dummy9:dummy10:dummy11:dummy12:dummy13:dummy14:dummy15:dummy16:dummy17:dummy18:dummy19:dummy20:dummy21:dummy22:dummy23:dummy24:dummy25:dummy26:dummy27:dummy28:dummy29:dummy30:dummy31:dummy32:dummy33:dummy34:dummy35:dummy36:dummy37:dummy38:dummy39:dummy40:dummy41:dummy42:dummy43")) 9391 /* removing a single algorithm from the list makes the test pass */ 9392 || !TEST_true(SSL_set1_groups_list(clientssl, group_name))) 9393 goto end; 9394 9395 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 9396 goto end; 9397 9398 if (!TEST_str_eq(group_name, 9399 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0)))) 9400 goto end; 9401 9402 testresult = 1; 9403 9404 end: 9405 SSL_free(serverssl); 9406 SSL_free(clientssl); 9407 SSL_CTX_free(sctx); 9408 SSL_CTX_free(cctx); 9409 OSSL_PROVIDER_unload(tlsprov); 9410 OSSL_PROVIDER_unload(legacyprov); 9411 9412 return testresult; 9413} 9414#endif 9415 9416#ifndef OPENSSL_NO_TLS1_2 9417static int test_ssl_dup(void) 9418{ 9419 SSL_CTX *cctx = NULL, *sctx = NULL; 9420 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL; 9421 int testresult = 0; 9422 BIO *rbio = NULL, *wbio = NULL; 9423 9424 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 9425 TLS_client_method(), 9426 0, 9427 0, 9428 &sctx, &cctx, cert, privkey))) 9429 goto end; 9430 9431 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 9432 NULL, NULL))) 9433 goto end; 9434 9435 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION)) 9436 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION))) 9437 goto end; 9438 9439 client2ssl = SSL_dup(clientssl); 9440 rbio = SSL_get_rbio(clientssl); 9441 if (!TEST_ptr(rbio) 9442 || !TEST_true(BIO_up_ref(rbio))) 9443 goto end; 9444 SSL_set0_rbio(client2ssl, rbio); 9445 rbio = NULL; 9446 9447 wbio = SSL_get_wbio(clientssl); 9448 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio))) 9449 goto end; 9450 SSL_set0_wbio(client2ssl, wbio); 9451 rbio = NULL; 9452 9453 if (!TEST_ptr(client2ssl) 9454 /* Handshake not started so pointers should be different */ 9455 || !TEST_ptr_ne(clientssl, client2ssl)) 9456 goto end; 9457 9458 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION) 9459 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION)) 9460 goto end; 9461 9462 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE))) 9463 goto end; 9464 9465 SSL_free(clientssl); 9466 clientssl = SSL_dup(client2ssl); 9467 if (!TEST_ptr(clientssl) 9468 /* Handshake has finished so pointers should be the same */ 9469 || !TEST_ptr_eq(clientssl, client2ssl)) 9470 goto end; 9471 9472 testresult = 1; 9473 9474 end: 9475 SSL_free(serverssl); 9476 SSL_free(clientssl); 9477 SSL_free(client2ssl); 9478 SSL_CTX_free(sctx); 9479 SSL_CTX_free(cctx); 9480 9481 return testresult; 9482} 9483 9484# ifndef OPENSSL_NO_DH 9485 9486static EVP_PKEY *tmp_dh_params = NULL; 9487 9488/* Helper function for the test_set_tmp_dh() tests */ 9489static EVP_PKEY *get_tmp_dh_params(void) 9490{ 9491 if (tmp_dh_params == NULL) { 9492 BIGNUM *p = NULL; 9493 OSSL_PARAM_BLD *tmpl = NULL; 9494 EVP_PKEY_CTX *pctx = NULL; 9495 OSSL_PARAM *params = NULL; 9496 EVP_PKEY *dhpkey = NULL; 9497 9498 p = BN_get_rfc3526_prime_2048(NULL); 9499 if (!TEST_ptr(p)) 9500 goto end; 9501 9502 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL); 9503 if (!TEST_ptr(pctx) 9504 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1)) 9505 goto end; 9506 9507 tmpl = OSSL_PARAM_BLD_new(); 9508 if (!TEST_ptr(tmpl) 9509 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl, 9510 OSSL_PKEY_PARAM_FFC_P, 9511 p)) 9512 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl, 9513 OSSL_PKEY_PARAM_FFC_G, 9514 2))) 9515 goto end; 9516 9517 params = OSSL_PARAM_BLD_to_param(tmpl); 9518 if (!TEST_ptr(params) 9519 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey, 9520 EVP_PKEY_KEY_PARAMETERS, 9521 params), 1)) 9522 goto end; 9523 9524 tmp_dh_params = dhpkey; 9525 end: 9526 BN_free(p); 9527 EVP_PKEY_CTX_free(pctx); 9528 OSSL_PARAM_BLD_free(tmpl); 9529 OSSL_PARAM_free(params); 9530 } 9531 9532 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params)) 9533 return NULL; 9534 9535 return tmp_dh_params; 9536} 9537 9538# ifndef OPENSSL_NO_DEPRECATED_3_0 9539/* Callback used by test_set_tmp_dh() */ 9540static DH *tmp_dh_callback(SSL *s, int is_export, int keylen) 9541{ 9542 EVP_PKEY *dhpkey = get_tmp_dh_params(); 9543 DH *ret = NULL; 9544 9545 if (!TEST_ptr(dhpkey)) 9546 return NULL; 9547 9548 /* 9549 * libssl does not free the returned DH, so we free it now knowing that even 9550 * after we free dhpkey, there will still be a reference to the owning 9551 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length 9552 * of time we need it for. 9553 */ 9554 ret = EVP_PKEY_get1_DH(dhpkey); 9555 DH_free(ret); 9556 9557 EVP_PKEY_free(dhpkey); 9558 9559 return ret; 9560} 9561# endif 9562 9563/* 9564 * Test the various methods for setting temporary DH parameters 9565 * 9566 * Test 0: Default (no auto) setting 9567 * Test 1: Explicit SSL_CTX auto off 9568 * Test 2: Explicit SSL auto off 9569 * Test 3: Explicit SSL_CTX auto on 9570 * Test 4: Explicit SSL auto on 9571 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY 9572 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY 9573 * 9574 * The following are testing deprecated APIs, so we only run them if available 9575 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH 9576 * Test 8: Explicit SSL auto off, custom DH params via DH 9577 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback 9578 * Test 10: Explicit SSL auto off, custom DH params via callback 9579 */ 9580static int test_set_tmp_dh(int idx) 9581{ 9582 SSL_CTX *cctx = NULL, *sctx = NULL; 9583 SSL *clientssl = NULL, *serverssl = NULL; 9584 int testresult = 0; 9585 int dhauto = (idx == 3 || idx == 4) ? 1 : 0; 9586 int expected = (idx <= 2) ? 0 : 1; 9587 EVP_PKEY *dhpkey = NULL; 9588# ifndef OPENSSL_NO_DEPRECATED_3_0 9589 DH *dh = NULL; 9590# else 9591 9592 if (idx >= 7) 9593 return 1; 9594# endif 9595 9596 if (idx >= 5 && idx <= 8) { 9597 dhpkey = get_tmp_dh_params(); 9598 if (!TEST_ptr(dhpkey)) 9599 goto end; 9600 } 9601# ifndef OPENSSL_NO_DEPRECATED_3_0 9602 if (idx == 7 || idx == 8) { 9603 dh = EVP_PKEY_get1_DH(dhpkey); 9604 if (!TEST_ptr(dh)) 9605 goto end; 9606 } 9607# endif 9608 9609 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 9610 TLS_client_method(), 9611 0, 9612 0, 9613 &sctx, &cctx, cert, privkey))) 9614 goto end; 9615 9616 if ((idx & 1) == 1) { 9617 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto))) 9618 goto end; 9619 } 9620 9621 if (idx == 5) { 9622 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey))) 9623 goto end; 9624 dhpkey = NULL; 9625 } 9626# ifndef OPENSSL_NO_DEPRECATED_3_0 9627 else if (idx == 7) { 9628 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh))) 9629 goto end; 9630 } else if (idx == 9) { 9631 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback); 9632 } 9633# endif 9634 9635 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 9636 NULL, NULL))) 9637 goto end; 9638 9639 if ((idx & 1) == 0 && idx != 0) { 9640 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto))) 9641 goto end; 9642 } 9643 if (idx == 6) { 9644 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey))) 9645 goto end; 9646 dhpkey = NULL; 9647 } 9648# ifndef OPENSSL_NO_DEPRECATED_3_0 9649 else if (idx == 8) { 9650 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh))) 9651 goto end; 9652 } else if (idx == 10) { 9653 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback); 9654 } 9655# endif 9656 9657 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION)) 9658 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION)) 9659 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA"))) 9660 goto end; 9661 9662 /* 9663 * If autoon then we should succeed. Otherwise we expect failure because 9664 * there are no parameters 9665 */ 9666 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl, 9667 SSL_ERROR_NONE), expected)) 9668 goto end; 9669 9670 testresult = 1; 9671 9672 end: 9673# ifndef OPENSSL_NO_DEPRECATED_3_0 9674 DH_free(dh); 9675# endif 9676 SSL_free(serverssl); 9677 SSL_free(clientssl); 9678 SSL_CTX_free(sctx); 9679 SSL_CTX_free(cctx); 9680 EVP_PKEY_free(dhpkey); 9681 9682 return testresult; 9683} 9684 9685/* 9686 * Test the auto DH keys are appropriately sized 9687 */ 9688static int test_dh_auto(int idx) 9689{ 9690 SSL_CTX *cctx = NULL, *sctx = NULL; 9691 SSL *clientssl = NULL, *serverssl = NULL; 9692 int testresult = 0; 9693 EVP_PKEY *tmpkey = NULL; 9694 char *thiscert = NULL, *thiskey = NULL; 9695 size_t expdhsize = 0; 9696 const char *ciphersuite = "DHE-RSA-AES128-SHA"; 9697 9698 switch (idx) { 9699 case 0: 9700 /* The FIPS provider doesn't support this DH size - so we ignore it */ 9701 if (is_fips) 9702 return 1; 9703 thiscert = cert1024; 9704 thiskey = privkey1024; 9705 expdhsize = 1024; 9706 break; 9707 case 1: 9708 /* 2048 bit prime */ 9709 thiscert = cert; 9710 thiskey = privkey; 9711 expdhsize = 2048; 9712 break; 9713 case 2: 9714 thiscert = cert3072; 9715 thiskey = privkey3072; 9716 expdhsize = 3072; 9717 break; 9718 case 3: 9719 thiscert = cert4096; 9720 thiskey = privkey4096; 9721 expdhsize = 4096; 9722 break; 9723 case 4: 9724 thiscert = cert8192; 9725 thiskey = privkey8192; 9726 expdhsize = 8192; 9727 break; 9728 /* No certificate cases */ 9729 case 5: 9730 /* The FIPS provider doesn't support this DH size - so we ignore it */ 9731 if (is_fips) 9732 return 1; 9733 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0"; 9734 expdhsize = 1024; 9735 break; 9736 case 6: 9737 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0"; 9738 expdhsize = 3072; 9739 break; 9740 default: 9741 TEST_error("Invalid text index"); 9742 goto end; 9743 } 9744 9745 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 9746 TLS_client_method(), 9747 0, 9748 0, 9749 &sctx, &cctx, thiscert, thiskey))) 9750 goto end; 9751 9752 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 9753 NULL, NULL))) 9754 goto end; 9755 9756 if (!TEST_true(SSL_set_dh_auto(serverssl, 1)) 9757 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION)) 9758 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION)) 9759 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite)) 9760 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite))) 9761 goto end; 9762 9763 /* 9764 * Send the server's first flight. At this point the server has created the 9765 * temporary DH key but hasn't finished using it yet. Once used it is 9766 * removed, so we cannot test it. 9767 */ 9768 if (!TEST_int_le(SSL_connect(clientssl), 0) 9769 || !TEST_int_le(SSL_accept(serverssl), 0)) 9770 goto end; 9771 9772 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0)) 9773 goto end; 9774 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize)) 9775 goto end; 9776 9777 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 9778 goto end; 9779 9780 testresult = 1; 9781 9782 end: 9783 SSL_free(serverssl); 9784 SSL_free(clientssl); 9785 SSL_CTX_free(sctx); 9786 SSL_CTX_free(cctx); 9787 EVP_PKEY_free(tmpkey); 9788 9789 return testresult; 9790 9791} 9792# endif /* OPENSSL_NO_DH */ 9793#endif /* OPENSSL_NO_TLS1_2 */ 9794 9795#ifndef OSSL_NO_USABLE_TLS1_3 9796/* 9797 * Test that setting an SNI callback works with TLSv1.3. Specifically we check 9798 * that it works even without a certificate configured for the original 9799 * SSL_CTX 9800 */ 9801static int test_sni_tls13(void) 9802{ 9803 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL; 9804 SSL *clientssl = NULL, *serverssl = NULL; 9805 int testresult = 0; 9806 9807 /* Reset callback counter */ 9808 snicb = 0; 9809 9810 /* Create an initial SSL_CTX with no certificate configured */ 9811 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()); 9812 if (!TEST_ptr(sctx)) 9813 goto end; 9814 /* Require TLSv1.3 as a minimum */ 9815 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 9816 TLS_client_method(), TLS1_3_VERSION, 0, 9817 &sctx2, &cctx, cert, privkey))) 9818 goto end; 9819 9820 /* Set up SNI */ 9821 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb)) 9822 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2))) 9823 goto end; 9824 9825 /* 9826 * Connection should still succeed because the final SSL_CTX has the right 9827 * certificates configured. 9828 */ 9829 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 9830 &clientssl, NULL, NULL)) 9831 || !TEST_true(create_ssl_connection(serverssl, clientssl, 9832 SSL_ERROR_NONE))) 9833 goto end; 9834 9835 /* We should have had the SNI callback called exactly once */ 9836 if (!TEST_int_eq(snicb, 1)) 9837 goto end; 9838 9839 testresult = 1; 9840 9841end: 9842 SSL_free(serverssl); 9843 SSL_free(clientssl); 9844 SSL_CTX_free(sctx2); 9845 SSL_CTX_free(sctx); 9846 SSL_CTX_free(cctx); 9847 return testresult; 9848} 9849 9850/* 9851 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week 9852 * 0 = TLSv1.2 9853 * 1 = TLSv1.3 9854 */ 9855static int test_ticket_lifetime(int idx) 9856{ 9857 SSL_CTX *cctx = NULL, *sctx = NULL; 9858 SSL *clientssl = NULL, *serverssl = NULL; 9859 int testresult = 0; 9860 int version = TLS1_3_VERSION; 9861 9862#define ONE_WEEK_SEC (7 * 24 * 60 * 60) 9863#define TWO_WEEK_SEC (2 * ONE_WEEK_SEC) 9864 9865 if (idx == 0) { 9866#ifdef OPENSSL_NO_TLS1_2 9867 return TEST_skip("TLS 1.2 is disabled."); 9868#else 9869 version = TLS1_2_VERSION; 9870#endif 9871 } 9872 9873 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 9874 TLS_client_method(), version, version, 9875 &sctx, &cctx, cert, privkey))) 9876 goto end; 9877 9878 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 9879 &clientssl, NULL, NULL))) 9880 goto end; 9881 9882 /* 9883 * Set the timeout to be more than 1 week 9884 * make sure the returned value is the default 9885 */ 9886 if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC), 9887 SSL_get_default_timeout(serverssl))) 9888 goto end; 9889 9890 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 9891 goto end; 9892 9893 if (idx == 0) { 9894 /* TLSv1.2 uses the set value */ 9895 if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC)) 9896 goto end; 9897 } else { 9898 /* TLSv1.3 uses the limited value */ 9899 if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC)) 9900 goto end; 9901 } 9902 testresult = 1; 9903 9904end: 9905 SSL_free(serverssl); 9906 SSL_free(clientssl); 9907 SSL_CTX_free(sctx); 9908 SSL_CTX_free(cctx); 9909 return testresult; 9910} 9911#endif 9912/* 9913 * Test that setting an ALPN does not violate RFC 9914 */ 9915static int test_set_alpn(void) 9916{ 9917 SSL_CTX *ctx = NULL; 9918 SSL *ssl = NULL; 9919 int testresult = 0; 9920 9921 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' }; 9922 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' }; 9923 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' }; 9924 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00}; 9925 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'}; 9926 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'}; 9927 9928 /* Create an initial SSL_CTX with no certificate configured */ 9929 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()); 9930 if (!TEST_ptr(ctx)) 9931 goto end; 9932 9933 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */ 9934 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2))) 9935 goto end; 9936 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0))) 9937 goto end; 9938 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good)))) 9939 goto end; 9940 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1))) 9941 goto end; 9942 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0)))) 9943 goto end; 9944 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1)))) 9945 goto end; 9946 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2)))) 9947 goto end; 9948 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3)))) 9949 goto end; 9950 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4)))) 9951 goto end; 9952 9953 ssl = SSL_new(ctx); 9954 if (!TEST_ptr(ssl)) 9955 goto end; 9956 9957 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2))) 9958 goto end; 9959 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0))) 9960 goto end; 9961 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good)))) 9962 goto end; 9963 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1))) 9964 goto end; 9965 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0)))) 9966 goto end; 9967 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1)))) 9968 goto end; 9969 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2)))) 9970 goto end; 9971 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3)))) 9972 goto end; 9973 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4)))) 9974 goto end; 9975 9976 testresult = 1; 9977 9978end: 9979 SSL_free(ssl); 9980 SSL_CTX_free(ctx); 9981 return testresult; 9982} 9983 9984/* 9985 * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store. 9986 */ 9987static int test_set_verify_cert_store_ssl_ctx(void) 9988{ 9989 SSL_CTX *ctx = NULL; 9990 int testresult = 0; 9991 X509_STORE *store = NULL, *new_store = NULL, 9992 *cstore = NULL, *new_cstore = NULL; 9993 9994 /* Create an initial SSL_CTX. */ 9995 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()); 9996 if (!TEST_ptr(ctx)) 9997 goto end; 9998 9999 /* Retrieve verify store pointer. */ 10000 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store))) 10001 goto end; 10002 10003 /* Retrieve chain store pointer. */ 10004 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore))) 10005 goto end; 10006 10007 /* We haven't set any yet, so this should be NULL. */ 10008 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore)) 10009 goto end; 10010 10011 /* Create stores. We use separate stores so pointers are different. */ 10012 new_store = X509_STORE_new(); 10013 if (!TEST_ptr(new_store)) 10014 goto end; 10015 10016 new_cstore = X509_STORE_new(); 10017 if (!TEST_ptr(new_cstore)) 10018 goto end; 10019 10020 /* Set stores. */ 10021 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store))) 10022 goto end; 10023 10024 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore))) 10025 goto end; 10026 10027 /* Should be able to retrieve the same pointer. */ 10028 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store))) 10029 goto end; 10030 10031 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore))) 10032 goto end; 10033 10034 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore)) 10035 goto end; 10036 10037 /* Should be able to unset again. */ 10038 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL))) 10039 goto end; 10040 10041 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL))) 10042 goto end; 10043 10044 /* Should now be NULL. */ 10045 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store))) 10046 goto end; 10047 10048 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore))) 10049 goto end; 10050 10051 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore)) 10052 goto end; 10053 10054 testresult = 1; 10055 10056end: 10057 X509_STORE_free(new_store); 10058 X509_STORE_free(new_cstore); 10059 SSL_CTX_free(ctx); 10060 return testresult; 10061} 10062 10063/* 10064 * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store. 10065 */ 10066static int test_set_verify_cert_store_ssl(void) 10067{ 10068 SSL_CTX *ctx = NULL; 10069 SSL *ssl = NULL; 10070 int testresult = 0; 10071 X509_STORE *store = NULL, *new_store = NULL, 10072 *cstore = NULL, *new_cstore = NULL; 10073 10074 /* Create an initial SSL_CTX. */ 10075 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()); 10076 if (!TEST_ptr(ctx)) 10077 goto end; 10078 10079 /* Create an SSL object. */ 10080 ssl = SSL_new(ctx); 10081 if (!TEST_ptr(ssl)) 10082 goto end; 10083 10084 /* Retrieve verify store pointer. */ 10085 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store))) 10086 goto end; 10087 10088 /* Retrieve chain store pointer. */ 10089 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore))) 10090 goto end; 10091 10092 /* We haven't set any yet, so this should be NULL. */ 10093 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore)) 10094 goto end; 10095 10096 /* Create stores. We use separate stores so pointers are different. */ 10097 new_store = X509_STORE_new(); 10098 if (!TEST_ptr(new_store)) 10099 goto end; 10100 10101 new_cstore = X509_STORE_new(); 10102 if (!TEST_ptr(new_cstore)) 10103 goto end; 10104 10105 /* Set stores. */ 10106 if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store))) 10107 goto end; 10108 10109 if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore))) 10110 goto end; 10111 10112 /* Should be able to retrieve the same pointer. */ 10113 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store))) 10114 goto end; 10115 10116 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore))) 10117 goto end; 10118 10119 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore)) 10120 goto end; 10121 10122 /* Should be able to unset again. */ 10123 if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL))) 10124 goto end; 10125 10126 if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL))) 10127 goto end; 10128 10129 /* Should now be NULL. */ 10130 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store))) 10131 goto end; 10132 10133 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore))) 10134 goto end; 10135 10136 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore)) 10137 goto end; 10138 10139 testresult = 1; 10140 10141end: 10142 X509_STORE_free(new_store); 10143 X509_STORE_free(new_cstore); 10144 SSL_free(ssl); 10145 SSL_CTX_free(ctx); 10146 return testresult; 10147} 10148 10149 10150static int test_inherit_verify_param(void) 10151{ 10152 int testresult = 0; 10153 10154 SSL_CTX *ctx = NULL; 10155 X509_VERIFY_PARAM *cp = NULL; 10156 SSL *ssl = NULL; 10157 X509_VERIFY_PARAM *sp = NULL; 10158 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT; 10159 10160 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()); 10161 if (!TEST_ptr(ctx)) 10162 goto end; 10163 10164 cp = SSL_CTX_get0_param(ctx); 10165 if (!TEST_ptr(cp)) 10166 goto end; 10167 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0)) 10168 goto end; 10169 10170 X509_VERIFY_PARAM_set_hostflags(cp, hostflags); 10171 10172 ssl = SSL_new(ctx); 10173 if (!TEST_ptr(ssl)) 10174 goto end; 10175 10176 sp = SSL_get0_param(ssl); 10177 if (!TEST_ptr(sp)) 10178 goto end; 10179 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags)) 10180 goto end; 10181 10182 testresult = 1; 10183 10184 end: 10185 SSL_free(ssl); 10186 SSL_CTX_free(ctx); 10187 10188 return testresult; 10189} 10190 10191static int test_load_dhfile(void) 10192{ 10193#ifndef OPENSSL_NO_DH 10194 int testresult = 0; 10195 10196 SSL_CTX *ctx = NULL; 10197 SSL_CONF_CTX *cctx = NULL; 10198 10199 if (dhfile == NULL) 10200 return 1; 10201 10202 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method())) 10203 || !TEST_ptr(cctx = SSL_CONF_CTX_new())) 10204 goto end; 10205 10206 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx); 10207 SSL_CONF_CTX_set_flags(cctx, 10208 SSL_CONF_FLAG_CERTIFICATE 10209 | SSL_CONF_FLAG_SERVER 10210 | SSL_CONF_FLAG_FILE); 10211 10212 if (!TEST_int_eq(SSL_CONF_cmd(cctx, "DHParameters", dhfile), 2)) 10213 goto end; 10214 10215 testresult = 1; 10216end: 10217 SSL_CONF_CTX_free(cctx); 10218 SSL_CTX_free(ctx); 10219 10220 return testresult; 10221#else 10222 return TEST_skip("DH not supported by this build"); 10223#endif 10224} 10225 10226#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) 10227/* 10228 * Test TLSv1.2 with a pipeline capable cipher. TLSv1.3 and DTLS do not 10229 * support this yet. The only pipeline capable cipher that we have is in the 10230 * dasync engine (providers don't support this yet), so we have to use 10231 * deprecated APIs for this test. 10232 * 10233 * Test 0: Client has pipelining enabled, server does not 10234 * Test 1: Server has pipelining enabled, client does not 10235 * Test 2: Client has pipelining enabled, server does not: not enough data to 10236 * fill all the pipelines 10237 * Test 3: Client has pipelining enabled, server does not: not enough data to 10238 * fill all the pipelines by more than a full pipeline's worth 10239 * Test 4: Client has pipelining enabled, server does not: more data than all 10240 * the available pipelines can take 10241 * Test 5: Client has pipelining enabled, server does not: Maximum size pipeline 10242 */ 10243static int test_pipelining(int idx) 10244{ 10245 SSL_CTX *cctx = NULL, *sctx = NULL; 10246 SSL *clientssl = NULL, *serverssl = NULL, *peera, *peerb; 10247 int testresult = 0, numreads; 10248 /* A 55 byte message */ 10249 unsigned char *msg = (unsigned char *) 10250 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123"; 10251 size_t written, readbytes, offset, msglen, fragsize = 10, numpipes = 5; 10252 size_t expectedreads; 10253 unsigned char *buf = NULL; 10254 ENGINE *e; 10255 10256 if (!TEST_ptr(e = ENGINE_by_id("dasync"))) 10257 return 0; 10258 10259 if (!TEST_true(ENGINE_init(e))) { 10260 ENGINE_free(e); 10261 return 0; 10262 } 10263 10264 if (!TEST_true(ENGINE_register_ciphers(e))) 10265 goto end; 10266 10267 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 10268 TLS_client_method(), 0, 10269 TLS1_2_VERSION, &sctx, &cctx, cert, 10270 privkey))) 10271 goto end; 10272 10273 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 10274 &clientssl, NULL, NULL))) 10275 goto end; 10276 10277 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES128-SHA"))) 10278 goto end; 10279 10280 /* peera is always configured for pipelining, while peerb is not. */ 10281 if (idx == 1) { 10282 peera = serverssl; 10283 peerb = clientssl; 10284 10285 } else { 10286 peera = clientssl; 10287 peerb = serverssl; 10288 } 10289 10290 if (idx == 5) { 10291 numpipes = 2; 10292 /* Maximum allowed fragment size */ 10293 fragsize = SSL3_RT_MAX_PLAIN_LENGTH; 10294 msglen = fragsize * numpipes; 10295 msg = OPENSSL_malloc(msglen); 10296 if (!TEST_ptr(msg)) 10297 goto end; 10298 if (!TEST_int_gt(RAND_bytes_ex(libctx, msg, msglen, 0), 0)) 10299 goto end; 10300 } else if (idx == 4) { 10301 msglen = 55; 10302 } else { 10303 msglen = 50; 10304 } 10305 if (idx == 2) 10306 msglen -= 2; /* Send 2 less bytes */ 10307 else if (idx == 3) 10308 msglen -= 12; /* Send 12 less bytes */ 10309 10310 buf = OPENSSL_malloc(msglen); 10311 if (!TEST_ptr(buf)) 10312 goto end; 10313 10314 if (idx == 5) { 10315 /* 10316 * Test that setting a split send fragment longer than the maximum 10317 * allowed fails 10318 */ 10319 if (!TEST_false(SSL_set_split_send_fragment(peera, fragsize + 1))) 10320 goto end; 10321 } 10322 10323 /* 10324 * In the normal case. We have 5 pipelines with 10 bytes per pipeline 10325 * (50 bytes in total). This is a ridiculously small number of bytes - 10326 * but sufficient for our purposes 10327 */ 10328 if (!TEST_true(SSL_set_max_pipelines(peera, numpipes)) 10329 || !TEST_true(SSL_set_split_send_fragment(peera, fragsize))) 10330 goto end; 10331 10332 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 10333 goto end; 10334 10335 /* Write some data from peera to peerb */ 10336 if (!TEST_true(SSL_write_ex(peera, msg, msglen, &written)) 10337 || !TEST_size_t_eq(written, msglen)) 10338 goto end; 10339 10340 /* 10341 * If the pipelining code worked, then we expect all |numpipes| pipelines to 10342 * have been used - except in test 3 where only |numpipes - 1| pipelines 10343 * will be used. This will result in |numpipes| records (|numpipes - 1| for 10344 * test 3) having been sent to peerb. Since peerb is not using read_ahead we 10345 * expect this to be read in |numpipes| or |numpipes - 1| separate 10346 * SSL_read_ex calls. In the case of test 4, there is then one additional 10347 * read for left over data that couldn't fit in the previous pipelines 10348 */ 10349 for (offset = 0, numreads = 0; 10350 offset < msglen; 10351 offset += readbytes, numreads++) { 10352 if (!TEST_true(SSL_read_ex(peerb, buf + offset, 10353 msglen - offset, &readbytes))) 10354 goto end; 10355 } 10356 10357 expectedreads = idx == 4 ? numpipes + 1 10358 : (idx == 3 ? numpipes - 1 : numpipes); 10359 if (!TEST_mem_eq(msg, msglen, buf, offset) 10360 || !TEST_int_eq(numreads, expectedreads)) 10361 goto end; 10362 10363 /* 10364 * Write some data from peerb to peera. We do this in up to |numpipes + 1| 10365 * chunks to exercise the read pipelining code on peera. 10366 */ 10367 for (offset = 0; offset < msglen; offset += fragsize) { 10368 size_t sendlen = msglen - offset; 10369 10370 if (sendlen > fragsize) 10371 sendlen = fragsize; 10372 if (!TEST_true(SSL_write_ex(peerb, msg + offset, sendlen, &written)) 10373 || !TEST_size_t_eq(written, sendlen)) 10374 goto end; 10375 } 10376 10377 /* 10378 * The data was written in |numpipes|, |numpipes - 1| or |numpipes + 1| 10379 * separate chunks (depending on which test we are running). If the 10380 * pipelining is working then we expect peera to read up to numpipes chunks 10381 * and process them in parallel, giving back the complete result in a single 10382 * call to SSL_read_ex 10383 */ 10384 if (!TEST_true(SSL_read_ex(peera, buf, msglen, &readbytes)) 10385 || !TEST_size_t_le(readbytes, msglen)) 10386 goto end; 10387 10388 if (idx == 4) { 10389 size_t readbytes2; 10390 10391 if (!TEST_true(SSL_read_ex(peera, buf + readbytes, 10392 msglen - readbytes, &readbytes2))) 10393 goto end; 10394 readbytes += readbytes2; 10395 if (!TEST_size_t_le(readbytes, msglen)) 10396 goto end; 10397 } 10398 10399 if (!TEST_mem_eq(msg, msglen, buf, readbytes)) 10400 goto end; 10401 10402 testresult = 1; 10403end: 10404 SSL_free(serverssl); 10405 SSL_free(clientssl); 10406 SSL_CTX_free(sctx); 10407 SSL_CTX_free(cctx); 10408 ENGINE_unregister_ciphers(e); 10409 ENGINE_finish(e); 10410 ENGINE_free(e); 10411 OPENSSL_free(buf); 10412 if (idx == 5) 10413 OPENSSL_free(msg); 10414 return testresult; 10415} 10416#endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) */ 10417 10418struct resume_servername_cb_data { 10419 int i; 10420 SSL_CTX *cctx; 10421 SSL_CTX *sctx; 10422 SSL_SESSION *sess; 10423 int recurse; 10424}; 10425 10426/* 10427 * Servername callback. We use it here to run another complete handshake using 10428 * the same session - and mark the session as not_resuamble at the end 10429 */ 10430static int resume_servername_cb(SSL *s, int *ad, void *arg) 10431{ 10432 struct resume_servername_cb_data *cbdata = arg; 10433 SSL *serverssl = NULL, *clientssl = NULL; 10434 int ret = SSL_TLSEXT_ERR_ALERT_FATAL; 10435 10436 if (cbdata->recurse) 10437 return SSL_TLSEXT_ERR_ALERT_FATAL; 10438 10439 if ((cbdata->i % 3) != 1) 10440 return SSL_TLSEXT_ERR_OK; 10441 10442 cbdata->recurse = 1; 10443 10444 if (!TEST_true(create_ssl_objects(cbdata->sctx, cbdata->cctx, &serverssl, 10445 &clientssl, NULL, NULL)) 10446 || !TEST_true(SSL_set_session(clientssl, cbdata->sess))) 10447 goto end; 10448 10449 ERR_set_mark(); 10450 /* 10451 * We expect this to fail - because the servername cb will fail. This will 10452 * mark the session as not_resumable. 10453 */ 10454 if (!TEST_false(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) { 10455 ERR_clear_last_mark(); 10456 goto end; 10457 } 10458 ERR_pop_to_mark(); 10459 10460 ret = SSL_TLSEXT_ERR_OK; 10461 end: 10462 SSL_free(serverssl); 10463 SSL_free(clientssl); 10464 cbdata->recurse = 0; 10465 return ret; 10466} 10467 10468/* 10469 * Test multiple resumptions and cache size handling 10470 * Test 0: TLSv1.3 (max_early_data set) 10471 * Test 1: TLSv1.3 (SSL_OP_NO_TICKET set) 10472 * Test 2: TLSv1.3 (max_early_data and SSL_OP_NO_TICKET set) 10473 * Test 3: TLSv1.3 (SSL_OP_NO_TICKET, simultaneous resumes) 10474 * Test 4: TLSv1.2 10475 */ 10476static int test_multi_resume(int idx) 10477{ 10478 SSL_CTX *sctx = NULL, *cctx = NULL; 10479 SSL *serverssl = NULL, *clientssl = NULL; 10480 SSL_SESSION *sess = NULL; 10481 int max_version = TLS1_3_VERSION; 10482 int i, testresult = 0; 10483 struct resume_servername_cb_data cbdata; 10484 10485#if defined(OPENSSL_NO_TLS1_2) 10486 if (idx == 4) 10487 return TEST_skip("TLSv1.2 is disabled in this build"); 10488#else 10489 if (idx == 4) 10490 max_version = TLS1_2_VERSION; 10491#endif 10492#if defined(OSSL_NO_USABLE_TLS1_3) 10493 if (idx != 4) 10494 return TEST_skip("No usable TLSv1.3 in this build"); 10495#endif 10496 10497 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 10498 TLS_client_method(), TLS1_VERSION, 10499 max_version, &sctx, &cctx, cert, 10500 privkey))) 10501 goto end; 10502 10503 /* 10504 * TLSv1.3 only uses a session cache if either max_early_data > 0 (used for 10505 * replay protection), or if SSL_OP_NO_TICKET is in use 10506 */ 10507 if (idx == 0 || idx == 2) { 10508 if (!TEST_true(SSL_CTX_set_max_early_data(sctx, 1024))) 10509 goto end; 10510 } 10511 if (idx == 1 || idx == 2 || idx == 3) 10512 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET); 10513 10514 SSL_CTX_sess_set_cache_size(sctx, 5); 10515 10516 if (idx == 3) { 10517 SSL_CTX_set_tlsext_servername_callback(sctx, resume_servername_cb); 10518 SSL_CTX_set_tlsext_servername_arg(sctx, &cbdata); 10519 cbdata.cctx = cctx; 10520 cbdata.sctx = sctx; 10521 cbdata.recurse = 0; 10522 } 10523 10524 for (i = 0; i < 30; i++) { 10525 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 10526 NULL, NULL)) 10527 || !TEST_true(SSL_set_session(clientssl, sess))) 10528 goto end; 10529 10530 /* 10531 * Check simultaneous resumes. We pause the connection part way through 10532 * the handshake by (mis)using the servername_cb. The pause occurs after 10533 * session resumption has already occurred, but before any session 10534 * tickets have been issued. While paused we run another complete 10535 * handshake resuming the same session. 10536 */ 10537 if (idx == 3) { 10538 cbdata.i = i; 10539 cbdata.sess = sess; 10540 } 10541 10542 /* 10543 * Recreate a bug where dynamically changing the max_early_data value 10544 * can cause sessions in the session cache which cannot be deleted. 10545 */ 10546 if ((idx == 0 || idx == 2) && (i % 3) == 2) 10547 SSL_set_max_early_data(serverssl, 0); 10548 10549 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 10550 goto end; 10551 10552 if (sess == NULL || (idx == 0 && (i % 3) == 2)) { 10553 if (!TEST_false(SSL_session_reused(clientssl))) 10554 goto end; 10555 } else { 10556 if (!TEST_true(SSL_session_reused(clientssl))) 10557 goto end; 10558 } 10559 SSL_SESSION_free(sess); 10560 10561 /* Do a full handshake, followed by two resumptions */ 10562 if ((i % 3) == 2) { 10563 sess = NULL; 10564 } else { 10565 if (!TEST_ptr((sess = SSL_get1_session(clientssl)))) 10566 goto end; 10567 } 10568 10569 SSL_shutdown(clientssl); 10570 SSL_shutdown(serverssl); 10571 SSL_free(serverssl); 10572 SSL_free(clientssl); 10573 serverssl = clientssl = NULL; 10574 } 10575 10576 /* We should never exceed the session cache size limit */ 10577 if (!TEST_long_le(SSL_CTX_sess_number(sctx), 5)) 10578 goto end; 10579 10580 testresult = 1; 10581 end: 10582 SSL_free(serverssl); 10583 SSL_free(clientssl); 10584 SSL_CTX_free(sctx); 10585 SSL_CTX_free(cctx); 10586 SSL_SESSION_free(sess); 10587 return testresult; 10588} 10589 10590OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n") 10591 10592int setup_tests(void) 10593{ 10594 char *modulename; 10595 char *configfile; 10596 10597 libctx = OSSL_LIB_CTX_new(); 10598 if (!TEST_ptr(libctx)) 10599 return 0; 10600 10601 defctxnull = OSSL_PROVIDER_load(NULL, "null"); 10602 10603 /* 10604 * Verify that the default and fips providers in the default libctx are not 10605 * available 10606 */ 10607 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default")) 10608 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips"))) 10609 return 0; 10610 10611 if (!test_skip_common_options()) { 10612 TEST_error("Error parsing test options\n"); 10613 return 0; 10614 } 10615 10616 if (!TEST_ptr(certsdir = test_get_argument(0)) 10617 || !TEST_ptr(srpvfile = test_get_argument(1)) 10618 || !TEST_ptr(tmpfilename = test_get_argument(2)) 10619 || !TEST_ptr(modulename = test_get_argument(3)) 10620 || !TEST_ptr(configfile = test_get_argument(4)) 10621 || !TEST_ptr(dhfile = test_get_argument(5))) 10622 return 0; 10623 10624 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile))) 10625 return 0; 10626 10627 /* Check we have the expected provider available */ 10628 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename))) 10629 return 0; 10630 10631 /* Check the default provider is not available */ 10632 if (strcmp(modulename, "default") != 0 10633 && !TEST_false(OSSL_PROVIDER_available(libctx, "default"))) 10634 return 0; 10635 10636 if (strcmp(modulename, "fips") == 0) 10637 is_fips = 1; 10638 10639 /* 10640 * We add, but don't load the test "tls-provider". We'll load it when we 10641 * need it. 10642 */ 10643 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider", 10644 tls_provider_init))) 10645 return 0; 10646 10647 10648 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) { 10649#ifdef OPENSSL_NO_CRYPTO_MDEBUG 10650 TEST_error("not supported in this build"); 10651 return 0; 10652#else 10653 int i, mcount, rcount, fcount; 10654 10655 for (i = 0; i < 4; i++) 10656 test_export_key_mat(i); 10657 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount); 10658 test_printf_stdout("malloc %d realloc %d free %d\n", 10659 mcount, rcount, fcount); 10660 return 1; 10661#endif 10662 } 10663 10664 cert = test_mk_file_path(certsdir, "servercert.pem"); 10665 if (cert == NULL) 10666 goto err; 10667 10668 privkey = test_mk_file_path(certsdir, "serverkey.pem"); 10669 if (privkey == NULL) 10670 goto err; 10671 10672 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem"); 10673 if (cert2 == NULL) 10674 goto err; 10675 10676 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem"); 10677 if (privkey2 == NULL) 10678 goto err; 10679 10680 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem"); 10681 if (cert1024 == NULL) 10682 goto err; 10683 10684 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem"); 10685 if (privkey1024 == NULL) 10686 goto err; 10687 10688 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem"); 10689 if (cert3072 == NULL) 10690 goto err; 10691 10692 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem"); 10693 if (privkey3072 == NULL) 10694 goto err; 10695 10696 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem"); 10697 if (cert4096 == NULL) 10698 goto err; 10699 10700 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem"); 10701 if (privkey4096 == NULL) 10702 goto err; 10703 10704 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem"); 10705 if (cert8192 == NULL) 10706 goto err; 10707 10708 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem"); 10709 if (privkey8192 == NULL) 10710 goto err; 10711 10712#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK) 10713# if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) 10714 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4); 10715 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS); 10716# endif 10717#endif 10718 ADD_TEST(test_large_message_tls); 10719 ADD_TEST(test_large_message_tls_read_ahead); 10720#ifndef OPENSSL_NO_DTLS 10721 ADD_TEST(test_large_message_dtls); 10722#endif 10723 ADD_ALL_TESTS(test_large_app_data, 28); 10724 ADD_TEST(test_cleanse_plaintext); 10725#ifndef OPENSSL_NO_OCSP 10726 ADD_TEST(test_tlsext_status_type); 10727#endif 10728 ADD_TEST(test_session_with_only_int_cache); 10729 ADD_TEST(test_session_with_only_ext_cache); 10730 ADD_TEST(test_session_with_both_cache); 10731 ADD_TEST(test_session_wo_ca_names); 10732#ifndef OSSL_NO_USABLE_TLS1_3 10733 ADD_ALL_TESTS(test_stateful_tickets, 3); 10734 ADD_ALL_TESTS(test_stateless_tickets, 3); 10735 ADD_TEST(test_psk_tickets); 10736 ADD_ALL_TESTS(test_extra_tickets, 6); 10737#endif 10738 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS); 10739 ADD_TEST(test_ssl_bio_pop_next_bio); 10740 ADD_TEST(test_ssl_bio_pop_ssl_bio); 10741 ADD_TEST(test_ssl_bio_change_rbio); 10742 ADD_TEST(test_ssl_bio_change_wbio); 10743#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3) 10744 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2); 10745 ADD_TEST(test_keylog); 10746#endif 10747#ifndef OSSL_NO_USABLE_TLS1_3 10748 ADD_TEST(test_keylog_no_master_key); 10749#endif 10750 ADD_TEST(test_client_cert_verify_cb); 10751 ADD_TEST(test_ssl_build_cert_chain); 10752 ADD_TEST(test_ssl_ctx_build_cert_chain); 10753#ifndef OPENSSL_NO_TLS1_2 10754 ADD_TEST(test_client_hello_cb); 10755 ADD_TEST(test_no_ems); 10756 ADD_TEST(test_ccs_change_cipher); 10757#endif 10758#ifndef OSSL_NO_USABLE_TLS1_3 10759 ADD_ALL_TESTS(test_early_data_read_write, 6); 10760 /* 10761 * We don't do replay tests for external PSK. Replay protection isn't used 10762 * in that scenario. 10763 */ 10764 ADD_ALL_TESTS(test_early_data_replay, 2); 10765 ADD_ALL_TESTS(test_early_data_skip, OSSL_NELEM(ciphersuites) * 3); 10766 ADD_ALL_TESTS(test_early_data_skip_hrr, OSSL_NELEM(ciphersuites) * 3); 10767 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, OSSL_NELEM(ciphersuites) * 3); 10768 ADD_ALL_TESTS(test_early_data_skip_abort, OSSL_NELEM(ciphersuites) * 3); 10769 ADD_ALL_TESTS(test_early_data_not_sent, 3); 10770 ADD_ALL_TESTS(test_early_data_psk, 8); 10771 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5); 10772 ADD_ALL_TESTS(test_early_data_not_expected, 3); 10773# ifndef OPENSSL_NO_TLS1_2 10774 ADD_ALL_TESTS(test_early_data_tls1_2, 3); 10775# endif 10776#endif 10777#ifndef OSSL_NO_USABLE_TLS1_3 10778 ADD_ALL_TESTS(test_set_ciphersuite, 10); 10779 ADD_TEST(test_ciphersuite_change); 10780 ADD_ALL_TESTS(test_tls13_ciphersuite, 4); 10781# ifdef OPENSSL_NO_PSK 10782 ADD_ALL_TESTS(test_tls13_psk, 1); 10783# else 10784 ADD_ALL_TESTS(test_tls13_psk, 4); 10785# endif /* OPENSSL_NO_PSK */ 10786# ifndef OPENSSL_NO_TLS1_2 10787 /* Test with both TLSv1.3 and 1.2 versions */ 10788 ADD_ALL_TESTS(test_key_exchange, 14); 10789# if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) 10790 ADD_ALL_TESTS(test_negotiated_group, 10791 4 * (OSSL_NELEM(ecdhe_kexch_groups) 10792 + OSSL_NELEM(ffdhe_kexch_groups))); 10793# endif 10794# else 10795 /* Test with only TLSv1.3 versions */ 10796 ADD_ALL_TESTS(test_key_exchange, 12); 10797# endif 10798 ADD_ALL_TESTS(test_custom_exts, 6); 10799 ADD_TEST(test_stateless); 10800 ADD_TEST(test_pha_key_update); 10801#else 10802 ADD_ALL_TESTS(test_custom_exts, 3); 10803#endif 10804 ADD_ALL_TESTS(test_export_key_mat, 6); 10805#ifndef OSSL_NO_USABLE_TLS1_3 10806 ADD_ALL_TESTS(test_export_key_mat_early, 3); 10807 ADD_TEST(test_key_update); 10808 ADD_ALL_TESTS(test_key_update_peer_in_write, 2); 10809 ADD_ALL_TESTS(test_key_update_peer_in_read, 2); 10810 ADD_ALL_TESTS(test_key_update_local_in_write, 2); 10811 ADD_ALL_TESTS(test_key_update_local_in_read, 2); 10812#endif 10813 ADD_ALL_TESTS(test_ssl_clear, 2); 10814 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test)); 10815#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2) 10816 ADD_ALL_TESTS(test_srp, 6); 10817#endif 10818 ADD_ALL_TESTS(test_info_callback, 6); 10819 ADD_ALL_TESTS(test_ssl_pending, 2); 10820 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data)); 10821 ADD_ALL_TESTS(test_ticket_callbacks, 20); 10822 ADD_ALL_TESTS(test_shutdown, 7); 10823 ADD_ALL_TESTS(test_incorrect_shutdown, 2); 10824 ADD_ALL_TESTS(test_cert_cb, 6); 10825 ADD_ALL_TESTS(test_client_cert_cb, 2); 10826 ADD_ALL_TESTS(test_ca_names, 3); 10827#ifndef OPENSSL_NO_TLS1_2 10828 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data)); 10829#endif 10830 ADD_ALL_TESTS(test_servername, 10); 10831#if !defined(OPENSSL_NO_EC) \ 10832 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)) 10833 ADD_ALL_TESTS(test_sigalgs_available, 6); 10834#endif 10835#ifndef OPENSSL_NO_TLS1_3 10836 ADD_ALL_TESTS(test_pluggable_group, 2); 10837#endif 10838#ifndef OPENSSL_NO_TLS1_2 10839 ADD_TEST(test_ssl_dup); 10840# ifndef OPENSSL_NO_DH 10841 ADD_ALL_TESTS(test_set_tmp_dh, 11); 10842 ADD_ALL_TESTS(test_dh_auto, 7); 10843# endif 10844#endif 10845#ifndef OSSL_NO_USABLE_TLS1_3 10846 ADD_TEST(test_sni_tls13); 10847 ADD_ALL_TESTS(test_ticket_lifetime, 2); 10848#endif 10849 ADD_TEST(test_inherit_verify_param); 10850 ADD_TEST(test_set_alpn); 10851 ADD_TEST(test_set_verify_cert_store_ssl_ctx); 10852 ADD_TEST(test_set_verify_cert_store_ssl); 10853 ADD_ALL_TESTS(test_session_timeout, 1); 10854#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) 10855 ADD_ALL_TESTS(test_session_cache_overflow, 4); 10856#endif 10857 ADD_TEST(test_load_dhfile); 10858#if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3) 10859 ADD_ALL_TESTS(test_serverinfo_custom, 4); 10860#endif 10861#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) 10862 ADD_ALL_TESTS(test_pipelining, 6); 10863#endif 10864 ADD_ALL_TESTS(test_multi_resume, 5); 10865 return 1; 10866 10867 err: 10868 OPENSSL_free(cert); 10869 OPENSSL_free(privkey); 10870 OPENSSL_free(cert2); 10871 OPENSSL_free(privkey2); 10872 return 0; 10873} 10874 10875void cleanup_tests(void) 10876{ 10877# if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH) 10878 EVP_PKEY_free(tmp_dh_params); 10879#endif 10880 OPENSSL_free(cert); 10881 OPENSSL_free(privkey); 10882 OPENSSL_free(cert2); 10883 OPENSSL_free(privkey2); 10884 OPENSSL_free(cert1024); 10885 OPENSSL_free(privkey1024); 10886 OPENSSL_free(cert3072); 10887 OPENSSL_free(privkey3072); 10888 OPENSSL_free(cert4096); 10889 OPENSSL_free(privkey4096); 10890 OPENSSL_free(cert8192); 10891 OPENSSL_free(privkey8192); 10892 bio_s_mempacket_test_free(); 10893 bio_s_always_retry_free(); 10894 OSSL_PROVIDER_unload(defctxnull); 10895 OSSL_LIB_CTX_free(libctx); 10896} 10897