1 /*
2 * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <string.h>
11
12 #include <openssl/opensslconf.h>
13 #include <openssl/bio.h>
14 #include <openssl/crypto.h>
15 #include <openssl/ssl.h>
16 #include <openssl/ocsp.h>
17 #include <openssl/srp.h>
18 #include <openssl/txt_db.h>
19 #include <openssl/aes.h>
20 #include <openssl/x509v3.h>
21
22 #include "ssltestlib.h"
23 #include "testutil.h"
24 #include "testutil/output.h"
25 #include "internal/nelem.h"
26 #include "../ssl/ssl_local.h"
27
28 #ifndef OPENSSL_NO_TLS1_3
29
30 static SSL_SESSION *clientpsk = NULL;
31 static SSL_SESSION *serverpsk = NULL;
32 static const char *pskid = "Identity";
33 static const char *srvid;
34
35 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
36 size_t *idlen, SSL_SESSION **sess);
37 static int find_session_cb(SSL *ssl, const unsigned char *identity,
38 size_t identity_len, SSL_SESSION **sess);
39
40 static int use_session_cb_cnt = 0;
41 static int find_session_cb_cnt = 0;
42
43 static SSL_SESSION *create_a_psk(SSL *ssl);
44 #endif
45
46 static char *certsdir = NULL;
47 static char *cert = NULL;
48 static char *privkey = NULL;
49 static char *srpvfile = NULL;
50 static char *tmpfilename = NULL;
51
52 #define LOG_BUFFER_SIZE 2048
53 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
54 static size_t server_log_buffer_index = 0;
55 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
56 static size_t client_log_buffer_index = 0;
57 static int error_writing_log = 0;
58
59 #ifndef OPENSSL_NO_OCSP
60 static const unsigned char orespder[] = "Dummy OCSP Response";
61 static int ocsp_server_called = 0;
62 static int ocsp_client_called = 0;
63
64 static int cdummyarg = 1;
65 static X509 *ocspcert = NULL;
66 #endif
67
68 #define NUM_EXTRA_CERTS 40
69 #define CLIENT_VERSION_LEN 2
70
71 /*
72 * This structure is used to validate that the correct number of log messages
73 * of various types are emitted when emitting secret logs.
74 */
75 struct sslapitest_log_counts {
76 unsigned int rsa_key_exchange_count;
77 unsigned int master_secret_count;
78 unsigned int client_early_secret_count;
79 unsigned int client_handshake_secret_count;
80 unsigned int server_handshake_secret_count;
81 unsigned int client_application_secret_count;
82 unsigned int server_application_secret_count;
83 unsigned int early_exporter_secret_count;
84 unsigned int exporter_secret_count;
85 };
86
87
hostname_cb(SSL * s,int * al,void * arg)88 static int hostname_cb(SSL *s, int *al, void *arg)
89 {
90 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
91
92 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
93 || strcmp(hostname, "altgoodhost") == 0))
94 return SSL_TLSEXT_ERR_OK;
95
96 return SSL_TLSEXT_ERR_NOACK;
97 }
98
client_keylog_callback(const SSL * ssl,const char * line)99 static void client_keylog_callback(const SSL *ssl, const char *line)
100 {
101 int line_length = strlen(line);
102
103 /* If the log doesn't fit, error out. */
104 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
105 TEST_info("Client log too full");
106 error_writing_log = 1;
107 return;
108 }
109
110 strcat(client_log_buffer, line);
111 client_log_buffer_index += line_length;
112 client_log_buffer[client_log_buffer_index++] = '\n';
113 }
114
server_keylog_callback(const SSL * ssl,const char * line)115 static void server_keylog_callback(const SSL *ssl, const char *line)
116 {
117 int line_length = strlen(line);
118
119 /* If the log doesn't fit, error out. */
120 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
121 TEST_info("Server log too full");
122 error_writing_log = 1;
123 return;
124 }
125
126 strcat(server_log_buffer, line);
127 server_log_buffer_index += line_length;
128 server_log_buffer[server_log_buffer_index++] = '\n';
129 }
130
compare_hex_encoded_buffer(const char * hex_encoded,size_t hex_length,const uint8_t * raw,size_t raw_length)131 static int compare_hex_encoded_buffer(const char *hex_encoded,
132 size_t hex_length,
133 const uint8_t *raw,
134 size_t raw_length)
135 {
136 size_t i, j;
137 char hexed[3];
138
139 if (!TEST_size_t_eq(raw_length * 2, hex_length))
140 return 1;
141
142 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
143 sprintf(hexed, "%02x", raw[i]);
144 if (!TEST_int_eq(hexed[0], hex_encoded[j])
145 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
146 return 1;
147 }
148
149 return 0;
150 }
151
test_keylog_output(char * buffer,const SSL * ssl,const SSL_SESSION * session,struct sslapitest_log_counts * expected)152 static int test_keylog_output(char *buffer, const SSL *ssl,
153 const SSL_SESSION *session,
154 struct sslapitest_log_counts *expected)
155 {
156 char *token = NULL;
157 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
158 size_t client_random_size = SSL3_RANDOM_SIZE;
159 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
160 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
161 unsigned int rsa_key_exchange_count = 0;
162 unsigned int master_secret_count = 0;
163 unsigned int client_early_secret_count = 0;
164 unsigned int client_handshake_secret_count = 0;
165 unsigned int server_handshake_secret_count = 0;
166 unsigned int client_application_secret_count = 0;
167 unsigned int server_application_secret_count = 0;
168 unsigned int early_exporter_secret_count = 0;
169 unsigned int exporter_secret_count = 0;
170
171 for (token = strtok(buffer, " \n"); token != NULL;
172 token = strtok(NULL, " \n")) {
173 if (strcmp(token, "RSA") == 0) {
174 /*
175 * Premaster secret. Tokens should be: 16 ASCII bytes of
176 * hex-encoded encrypted secret, then the hex-encoded pre-master
177 * secret.
178 */
179 if (!TEST_ptr(token = strtok(NULL, " \n")))
180 return 0;
181 if (!TEST_size_t_eq(strlen(token), 16))
182 return 0;
183 if (!TEST_ptr(token = strtok(NULL, " \n")))
184 return 0;
185 /*
186 * We can't sensibly check the log because the premaster secret is
187 * transient, and OpenSSL doesn't keep hold of it once the master
188 * secret is generated.
189 */
190 rsa_key_exchange_count++;
191 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
192 /*
193 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
194 * client random, then the hex-encoded master secret.
195 */
196 client_random_size = SSL_get_client_random(ssl,
197 actual_client_random,
198 SSL3_RANDOM_SIZE);
199 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
200 return 0;
201
202 if (!TEST_ptr(token = strtok(NULL, " \n")))
203 return 0;
204 if (!TEST_size_t_eq(strlen(token), 64))
205 return 0;
206 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
207 actual_client_random,
208 client_random_size)))
209 return 0;
210
211 if (!TEST_ptr(token = strtok(NULL, " \n")))
212 return 0;
213 master_key_size = SSL_SESSION_get_master_key(session,
214 actual_master_key,
215 master_key_size);
216 if (!TEST_size_t_ne(master_key_size, 0))
217 return 0;
218 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
219 actual_master_key,
220 master_key_size)))
221 return 0;
222 master_secret_count++;
223 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
224 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
225 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
226 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
227 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
228 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
229 || strcmp(token, "EXPORTER_SECRET") == 0) {
230 /*
231 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
232 * client random, and then the hex-encoded secret. In this case,
233 * we treat all of these secrets identically and then just
234 * distinguish between them when counting what we saw.
235 */
236 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
237 client_early_secret_count++;
238 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
239 client_handshake_secret_count++;
240 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
241 server_handshake_secret_count++;
242 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
243 client_application_secret_count++;
244 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
245 server_application_secret_count++;
246 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
247 early_exporter_secret_count++;
248 else if (strcmp(token, "EXPORTER_SECRET") == 0)
249 exporter_secret_count++;
250
251 client_random_size = SSL_get_client_random(ssl,
252 actual_client_random,
253 SSL3_RANDOM_SIZE);
254 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
255 return 0;
256
257 if (!TEST_ptr(token = strtok(NULL, " \n")))
258 return 0;
259 if (!TEST_size_t_eq(strlen(token), 64))
260 return 0;
261 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
262 actual_client_random,
263 client_random_size)))
264 return 0;
265
266 if (!TEST_ptr(token = strtok(NULL, " \n")))
267 return 0;
268
269 /*
270 * TODO(TLS1.3): test that application traffic secrets are what
271 * we expect */
272 } else {
273 TEST_info("Unexpected token %s\n", token);
274 return 0;
275 }
276 }
277
278 /* Got what we expected? */
279 if (!TEST_size_t_eq(rsa_key_exchange_count,
280 expected->rsa_key_exchange_count)
281 || !TEST_size_t_eq(master_secret_count,
282 expected->master_secret_count)
283 || !TEST_size_t_eq(client_early_secret_count,
284 expected->client_early_secret_count)
285 || !TEST_size_t_eq(client_handshake_secret_count,
286 expected->client_handshake_secret_count)
287 || !TEST_size_t_eq(server_handshake_secret_count,
288 expected->server_handshake_secret_count)
289 || !TEST_size_t_eq(client_application_secret_count,
290 expected->client_application_secret_count)
291 || !TEST_size_t_eq(server_application_secret_count,
292 expected->server_application_secret_count)
293 || !TEST_size_t_eq(early_exporter_secret_count,
294 expected->early_exporter_secret_count)
295 || !TEST_size_t_eq(exporter_secret_count,
296 expected->exporter_secret_count))
297 return 0;
298 return 1;
299 }
300
301 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
test_keylog(void)302 static int test_keylog(void)
303 {
304 SSL_CTX *cctx = NULL, *sctx = NULL;
305 SSL *clientssl = NULL, *serverssl = NULL;
306 int testresult = 0;
307 struct sslapitest_log_counts expected = {0};
308
309 /* Clean up logging space */
310 memset(client_log_buffer, 0, sizeof(client_log_buffer));
311 memset(server_log_buffer, 0, sizeof(server_log_buffer));
312 client_log_buffer_index = 0;
313 server_log_buffer_index = 0;
314 error_writing_log = 0;
315
316 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
317 TLS_client_method(),
318 TLS1_VERSION, TLS_MAX_VERSION,
319 &sctx, &cctx, cert, privkey)))
320 return 0;
321
322 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
323 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
324 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
325
326 /* We also want to ensure that we use RSA-based key exchange. */
327 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
328 goto end;
329
330 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
331 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
332 goto end;
333 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
334 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
335 == client_keylog_callback))
336 goto end;
337 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
338 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
339 == server_keylog_callback))
340 goto end;
341
342 /* Now do a handshake and check that the logs have been written to. */
343 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
344 &clientssl, NULL, NULL))
345 || !TEST_true(create_ssl_connection(serverssl, clientssl,
346 SSL_ERROR_NONE))
347 || !TEST_false(error_writing_log)
348 || !TEST_int_gt(client_log_buffer_index, 0)
349 || !TEST_int_gt(server_log_buffer_index, 0))
350 goto end;
351
352 /*
353 * Now we want to test that our output data was vaguely sensible. We
354 * do that by using strtok and confirming that we have more or less the
355 * data we expect. For both client and server, we expect to see one master
356 * secret. The client should also see a RSA key exchange.
357 */
358 expected.rsa_key_exchange_count = 1;
359 expected.master_secret_count = 1;
360 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
361 SSL_get_session(clientssl), &expected)))
362 goto end;
363
364 expected.rsa_key_exchange_count = 0;
365 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
366 SSL_get_session(serverssl), &expected)))
367 goto end;
368
369 testresult = 1;
370
371 end:
372 SSL_free(serverssl);
373 SSL_free(clientssl);
374 SSL_CTX_free(sctx);
375 SSL_CTX_free(cctx);
376
377 return testresult;
378 }
379 #endif
380
381 #ifndef OPENSSL_NO_TLS1_3
test_keylog_no_master_key(void)382 static int test_keylog_no_master_key(void)
383 {
384 SSL_CTX *cctx = NULL, *sctx = NULL;
385 SSL *clientssl = NULL, *serverssl = NULL;
386 SSL_SESSION *sess = NULL;
387 int testresult = 0;
388 struct sslapitest_log_counts expected = {0};
389 unsigned char buf[1];
390 size_t readbytes, written;
391
392 /* Clean up logging space */
393 memset(client_log_buffer, 0, sizeof(client_log_buffer));
394 memset(server_log_buffer, 0, sizeof(server_log_buffer));
395 client_log_buffer_index = 0;
396 server_log_buffer_index = 0;
397 error_writing_log = 0;
398
399 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
400 TLS1_VERSION, TLS_MAX_VERSION,
401 &sctx, &cctx, cert, privkey))
402 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
403 SSL3_RT_MAX_PLAIN_LENGTH)))
404 return 0;
405
406 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
407 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
408 goto end;
409
410 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
411 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
412 == client_keylog_callback))
413 goto end;
414
415 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
416 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
417 == server_keylog_callback))
418 goto end;
419
420 /* Now do a handshake and check that the logs have been written to. */
421 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
422 &clientssl, NULL, NULL))
423 || !TEST_true(create_ssl_connection(serverssl, clientssl,
424 SSL_ERROR_NONE))
425 || !TEST_false(error_writing_log))
426 goto end;
427
428 /*
429 * Now we want to test that our output data was vaguely sensible. For this
430 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
431 * TLSv1.3, but we do expect both client and server to emit keys.
432 */
433 expected.client_handshake_secret_count = 1;
434 expected.server_handshake_secret_count = 1;
435 expected.client_application_secret_count = 1;
436 expected.server_application_secret_count = 1;
437 expected.exporter_secret_count = 1;
438 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
439 SSL_get_session(clientssl), &expected))
440 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
441 SSL_get_session(serverssl),
442 &expected)))
443 goto end;
444
445 /* Terminate old session and resume with early data. */
446 sess = SSL_get1_session(clientssl);
447 SSL_shutdown(clientssl);
448 SSL_shutdown(serverssl);
449 SSL_free(serverssl);
450 SSL_free(clientssl);
451 serverssl = clientssl = NULL;
452
453 /* Reset key log */
454 memset(client_log_buffer, 0, sizeof(client_log_buffer));
455 memset(server_log_buffer, 0, sizeof(server_log_buffer));
456 client_log_buffer_index = 0;
457 server_log_buffer_index = 0;
458
459 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
460 &clientssl, NULL, NULL))
461 || !TEST_true(SSL_set_session(clientssl, sess))
462 /* Here writing 0 length early data is enough. */
463 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
464 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
465 &readbytes),
466 SSL_READ_EARLY_DATA_ERROR)
467 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
468 SSL_EARLY_DATA_ACCEPTED)
469 || !TEST_true(create_ssl_connection(serverssl, clientssl,
470 SSL_ERROR_NONE))
471 || !TEST_true(SSL_session_reused(clientssl)))
472 goto end;
473
474 /* In addition to the previous entries, expect early secrets. */
475 expected.client_early_secret_count = 1;
476 expected.early_exporter_secret_count = 1;
477 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
478 SSL_get_session(clientssl), &expected))
479 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
480 SSL_get_session(serverssl),
481 &expected)))
482 goto end;
483
484 testresult = 1;
485
486 end:
487 SSL_SESSION_free(sess);
488 SSL_free(serverssl);
489 SSL_free(clientssl);
490 SSL_CTX_free(sctx);
491 SSL_CTX_free(cctx);
492
493 return testresult;
494 }
495 #endif
496
497 #ifndef OPENSSL_NO_TLS1_2
full_client_hello_callback(SSL * s,int * al,void * arg)498 static int full_client_hello_callback(SSL *s, int *al, void *arg)
499 {
500 int *ctr = arg;
501 const unsigned char *p;
502 int *exts;
503 /* We only configure two ciphers, but the SCSV is added automatically. */
504 #ifdef OPENSSL_NO_EC
505 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
506 #else
507 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
508 0x2c, 0x00, 0xff};
509 #endif
510 const int expected_extensions[] = {
511 #ifndef OPENSSL_NO_EC
512 11, 10,
513 #endif
514 35, 22, 23, 13};
515 size_t len;
516
517 /* Make sure we can defer processing and get called back. */
518 if ((*ctr)++ == 0)
519 return SSL_CLIENT_HELLO_RETRY;
520
521 len = SSL_client_hello_get0_ciphers(s, &p);
522 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
523 || !TEST_size_t_eq(
524 SSL_client_hello_get0_compression_methods(s, &p), 1)
525 || !TEST_int_eq(*p, 0))
526 return SSL_CLIENT_HELLO_ERROR;
527 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
528 return SSL_CLIENT_HELLO_ERROR;
529 if (len != OSSL_NELEM(expected_extensions) ||
530 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
531 printf("ClientHello callback expected extensions mismatch\n");
532 OPENSSL_free(exts);
533 return SSL_CLIENT_HELLO_ERROR;
534 }
535 OPENSSL_free(exts);
536 return SSL_CLIENT_HELLO_SUCCESS;
537 }
538
test_client_hello_cb(void)539 static int test_client_hello_cb(void)
540 {
541 SSL_CTX *cctx = NULL, *sctx = NULL;
542 SSL *clientssl = NULL, *serverssl = NULL;
543 int testctr = 0, testresult = 0;
544
545 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
546 TLS1_VERSION, TLS_MAX_VERSION,
547 &sctx, &cctx, cert, privkey)))
548 goto end;
549 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
550
551 /* The gimpy cipher list we configure can't do TLS 1.3. */
552 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
553
554 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
555 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
556 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
557 &clientssl, NULL, NULL))
558 || !TEST_false(create_ssl_connection(serverssl, clientssl,
559 SSL_ERROR_WANT_CLIENT_HELLO_CB))
560 /*
561 * Passing a -1 literal is a hack since
562 * the real value was lost.
563 * */
564 || !TEST_int_eq(SSL_get_error(serverssl, -1),
565 SSL_ERROR_WANT_CLIENT_HELLO_CB)
566 || !TEST_true(create_ssl_connection(serverssl, clientssl,
567 SSL_ERROR_NONE)))
568 goto end;
569
570 testresult = 1;
571
572 end:
573 SSL_free(serverssl);
574 SSL_free(clientssl);
575 SSL_CTX_free(sctx);
576 SSL_CTX_free(cctx);
577
578 return testresult;
579 }
580
581 /*
582 * Very focused test to exercise a single case in the server-side state
583 * machine, when the ChangeCipherState message needs to actually change
584 * from one cipher to a different cipher (i.e., not changing from null
585 * encryption to real encryption).
586 */
test_ccs_change_cipher(void)587 static int test_ccs_change_cipher(void)
588 {
589 SSL_CTX *cctx = NULL, *sctx = NULL;
590 SSL *clientssl = NULL, *serverssl = NULL;
591 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
592 int testresult = 0;
593 int i;
594 unsigned char buf;
595 size_t readbytes;
596
597 /*
598 * Create a conection so we can resume and potentially (but not) use
599 * a different cipher in the second connection.
600 */
601 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
602 TLS_client_method(),
603 TLS1_VERSION, TLS1_2_VERSION,
604 &sctx, &cctx, cert, privkey))
605 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
606 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
607 NULL, NULL))
608 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
609 || !TEST_true(create_ssl_connection(serverssl, clientssl,
610 SSL_ERROR_NONE))
611 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
612 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
613 goto end;
614
615 shutdown_ssl_connection(serverssl, clientssl);
616 serverssl = clientssl = NULL;
617
618 /* Resume, preferring a different cipher. Our server will force the
619 * same cipher to be used as the initial handshake. */
620 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
621 NULL, NULL))
622 || !TEST_true(SSL_set_session(clientssl, sess))
623 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
624 || !TEST_true(create_ssl_connection(serverssl, clientssl,
625 SSL_ERROR_NONE))
626 || !TEST_true(SSL_session_reused(clientssl))
627 || !TEST_true(SSL_session_reused(serverssl))
628 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
629 || !TEST_ptr_eq(sesspre, sesspost)
630 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
631 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
632 goto end;
633 shutdown_ssl_connection(serverssl, clientssl);
634 serverssl = clientssl = NULL;
635
636 /*
637 * Now create a fresh connection and try to renegotiate a different
638 * cipher on it.
639 */
640 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
641 NULL, NULL))
642 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
643 || !TEST_true(create_ssl_connection(serverssl, clientssl,
644 SSL_ERROR_NONE))
645 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
646 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
647 || !TEST_true(SSL_renegotiate(clientssl))
648 || !TEST_true(SSL_renegotiate_pending(clientssl)))
649 goto end;
650 /* Actually drive the renegotiation. */
651 for (i = 0; i < 3; i++) {
652 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
653 if (!TEST_ulong_eq(readbytes, 0))
654 goto end;
655 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
656 SSL_ERROR_WANT_READ)) {
657 goto end;
658 }
659 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
660 if (!TEST_ulong_eq(readbytes, 0))
661 goto end;
662 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
663 SSL_ERROR_WANT_READ)) {
664 goto end;
665 }
666 }
667 /* sesspre and sesspost should be different since the cipher changed. */
668 if (!TEST_false(SSL_renegotiate_pending(clientssl))
669 || !TEST_false(SSL_session_reused(clientssl))
670 || !TEST_false(SSL_session_reused(serverssl))
671 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
672 || !TEST_ptr_ne(sesspre, sesspost)
673 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
674 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
675 goto end;
676
677 shutdown_ssl_connection(serverssl, clientssl);
678 serverssl = clientssl = NULL;
679
680 testresult = 1;
681
682 end:
683 SSL_free(serverssl);
684 SSL_free(clientssl);
685 SSL_CTX_free(sctx);
686 SSL_CTX_free(cctx);
687 SSL_SESSION_free(sess);
688
689 return testresult;
690 }
691 #endif
692
execute_test_large_message(const SSL_METHOD * smeth,const SSL_METHOD * cmeth,int min_version,int max_version,int read_ahead)693 static int execute_test_large_message(const SSL_METHOD *smeth,
694 const SSL_METHOD *cmeth,
695 int min_version, int max_version,
696 int read_ahead)
697 {
698 SSL_CTX *cctx = NULL, *sctx = NULL;
699 SSL *clientssl = NULL, *serverssl = NULL;
700 int testresult = 0;
701 int i;
702 BIO *certbio = NULL;
703 X509 *chaincert = NULL;
704 int certlen;
705
706 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
707 goto end;
708 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
709 BIO_free(certbio);
710 certbio = NULL;
711 if (!TEST_ptr(chaincert))
712 goto end;
713
714 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
715 &sctx, &cctx, cert, privkey)))
716 goto end;
717
718 if (read_ahead) {
719 /*
720 * Test that read_ahead works correctly when dealing with large
721 * records
722 */
723 SSL_CTX_set_read_ahead(cctx, 1);
724 }
725
726 /*
727 * We assume the supplied certificate is big enough so that if we add
728 * NUM_EXTRA_CERTS it will make the overall message large enough. The
729 * default buffer size is requested to be 16k, but due to the way BUF_MEM
730 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
731 * test we need to have a message larger than that.
732 */
733 certlen = i2d_X509(chaincert, NULL);
734 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
735 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
736 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
737 if (!X509_up_ref(chaincert))
738 goto end;
739 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
740 X509_free(chaincert);
741 goto end;
742 }
743 }
744
745 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
746 NULL, NULL))
747 || !TEST_true(create_ssl_connection(serverssl, clientssl,
748 SSL_ERROR_NONE)))
749 goto end;
750
751 /*
752 * Calling SSL_clear() first is not required but this tests that SSL_clear()
753 * doesn't leak (when using enable-crypto-mdebug).
754 */
755 if (!TEST_true(SSL_clear(serverssl)))
756 goto end;
757
758 testresult = 1;
759 end:
760 X509_free(chaincert);
761 SSL_free(serverssl);
762 SSL_free(clientssl);
763 SSL_CTX_free(sctx);
764 SSL_CTX_free(cctx);
765
766 return testresult;
767 }
768
test_large_message_tls(void)769 static int test_large_message_tls(void)
770 {
771 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
772 TLS1_VERSION, TLS_MAX_VERSION,
773 0);
774 }
775
test_large_message_tls_read_ahead(void)776 static int test_large_message_tls_read_ahead(void)
777 {
778 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
779 TLS1_VERSION, TLS_MAX_VERSION,
780 1);
781 }
782
783 #ifndef OPENSSL_NO_DTLS
test_large_message_dtls(void)784 static int test_large_message_dtls(void)
785 {
786 /*
787 * read_ahead is not relevant to DTLS because DTLS always acts as if
788 * read_ahead is set.
789 */
790 return execute_test_large_message(DTLS_server_method(),
791 DTLS_client_method(),
792 DTLS1_VERSION, DTLS_MAX_VERSION,
793 0);
794 }
795 #endif
796
797 /*
798 * Test we can successfully send the maximum amount of application data. We
799 * test each protocol version individually, each with and without EtM enabled.
800 * TLSv1.3 doesn't use EtM so technically it is redundant to test both but it is
801 * simpler this way. We also test all combinations with and without the
802 * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option which affects the size of the
803 * underlying buffer.
804 */
test_large_app_data(int tst)805 static int test_large_app_data(int tst)
806 {
807 SSL_CTX *cctx = NULL, *sctx = NULL;
808 SSL *clientssl = NULL, *serverssl = NULL;
809 int testresult = 0, prot;
810 unsigned char *msg, *buf = NULL;
811 size_t written, readbytes;
812 const SSL_METHOD *smeth = TLS_server_method();
813 const SSL_METHOD *cmeth = TLS_client_method();
814
815 switch (tst >> 2) {
816 case 0:
817 #ifndef OPENSSL_NO_TLS1_3
818 prot = TLS1_3_VERSION;
819 break;
820 #else
821 return 1;
822 #endif
823
824 case 1:
825 #ifndef OPENSSL_NO_TLS1_2
826 prot = TLS1_2_VERSION;
827 break;
828 #else
829 return 1;
830 #endif
831
832 case 2:
833 #ifndef OPENSSL_NO_TLS1_1
834 prot = TLS1_1_VERSION;
835 break;
836 #else
837 return 1;
838 #endif
839
840 case 3:
841 #ifndef OPENSSL_NO_TLS1
842 prot = TLS1_VERSION;
843 break;
844 #else
845 return 1;
846 #endif
847
848 case 4:
849 #ifndef OPENSSL_NO_SSL3
850 prot = SSL3_VERSION;
851 break;
852 #else
853 return 1;
854 #endif
855
856 case 5:
857 #ifndef OPENSSL_NO_DTLS1_2
858 prot = DTLS1_2_VERSION;
859 smeth = DTLS_server_method();
860 cmeth = DTLS_client_method();
861 break;
862 #else
863 return 1;
864 #endif
865
866 case 6:
867 #ifndef OPENSSL_NO_DTLS1
868 prot = DTLS1_VERSION;
869 smeth = DTLS_server_method();
870 cmeth = DTLS_client_method();
871 break;
872 #else
873 return 1;
874 #endif
875
876 default:
877 /* Shouldn't happen */
878 return 0;
879 }
880
881 /* Maximal sized message of zeros */
882 msg = OPENSSL_zalloc(SSL3_RT_MAX_PLAIN_LENGTH);
883 if (!TEST_ptr(msg))
884 goto end;
885
886 buf = OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH + 1);
887 if (!TEST_ptr(buf))
888 goto end;
889 /* Set whole buffer to all bits set */
890 memset(buf, 0xff, SSL3_RT_MAX_PLAIN_LENGTH + 1);
891
892 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, prot, prot, &sctx, &cctx,
893 cert, privkey)))
894 goto end;
895
896 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
897 &clientssl, NULL, NULL)))
898 goto end;
899
900 if ((tst & 1) != 0) {
901 /* Setting this option gives us a minimally sized underlying buffer */
902 if (!TEST_true(SSL_set_options(serverssl,
903 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
904 || !TEST_true(SSL_set_options(clientssl,
905 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)))
906 goto end;
907 }
908
909 if ((tst & 2) != 0) {
910 /*
911 * Setting this option means the MAC is added before encryption
912 * giving us a larger record for the encryption process
913 */
914 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC))
915 || !TEST_true(SSL_set_options(clientssl,
916 SSL_OP_NO_ENCRYPT_THEN_MAC)))
917 goto end;
918 }
919
920 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
921 goto end;
922
923 if (!TEST_true(SSL_write_ex(clientssl, msg, SSL3_RT_MAX_PLAIN_LENGTH,
924 &written))
925 || !TEST_size_t_eq(written, SSL3_RT_MAX_PLAIN_LENGTH))
926 goto end;
927
928 /* We provide a buffer slightly larger than what we are actually expecting */
929 if (!TEST_true(SSL_read_ex(serverssl, buf, SSL3_RT_MAX_PLAIN_LENGTH + 1,
930 &readbytes)))
931 goto end;
932
933 if (!TEST_mem_eq(msg, written, buf, readbytes))
934 goto end;
935
936 testresult = 1;
937 end:
938 OPENSSL_free(msg);
939 OPENSSL_free(buf);
940 SSL_free(serverssl);
941 SSL_free(clientssl);
942 SSL_CTX_free(sctx);
943 SSL_CTX_free(cctx);
944 return testresult;
945 }
946
947
948 #ifndef OPENSSL_NO_OCSP
ocsp_server_cb(SSL * s,void * arg)949 static int ocsp_server_cb(SSL *s, void *arg)
950 {
951 int *argi = (int *)arg;
952 unsigned char *copy = NULL;
953 STACK_OF(OCSP_RESPID) *ids = NULL;
954 OCSP_RESPID *id = NULL;
955
956 if (*argi == 2) {
957 /* In this test we are expecting exactly 1 OCSP_RESPID */
958 SSL_get_tlsext_status_ids(s, &ids);
959 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
960 return SSL_TLSEXT_ERR_ALERT_FATAL;
961
962 id = sk_OCSP_RESPID_value(ids, 0);
963 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
964 return SSL_TLSEXT_ERR_ALERT_FATAL;
965 } else if (*argi != 1) {
966 return SSL_TLSEXT_ERR_ALERT_FATAL;
967 }
968
969 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
970 return SSL_TLSEXT_ERR_ALERT_FATAL;
971
972 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
973 ocsp_server_called = 1;
974 return SSL_TLSEXT_ERR_OK;
975 }
976
ocsp_client_cb(SSL * s,void * arg)977 static int ocsp_client_cb(SSL *s, void *arg)
978 {
979 int *argi = (int *)arg;
980 const unsigned char *respderin;
981 size_t len;
982
983 if (*argi != 1 && *argi != 2)
984 return 0;
985
986 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
987 if (!TEST_mem_eq(orespder, len, respderin, len))
988 return 0;
989
990 ocsp_client_called = 1;
991 return 1;
992 }
993
test_tlsext_status_type(void)994 static int test_tlsext_status_type(void)
995 {
996 SSL_CTX *cctx = NULL, *sctx = NULL;
997 SSL *clientssl = NULL, *serverssl = NULL;
998 int testresult = 0;
999 STACK_OF(OCSP_RESPID) *ids = NULL;
1000 OCSP_RESPID *id = NULL;
1001 BIO *certbio = NULL;
1002
1003 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1004 TLS1_VERSION, TLS_MAX_VERSION,
1005 &sctx, &cctx, cert, privkey))
1006 return 0;
1007
1008 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1009 goto end;
1010
1011 /* First just do various checks getting and setting tlsext_status_type */
1012
1013 clientssl = SSL_new(cctx);
1014 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1015 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1016 TLSEXT_STATUSTYPE_ocsp))
1017 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1018 TLSEXT_STATUSTYPE_ocsp))
1019 goto end;
1020
1021 SSL_free(clientssl);
1022 clientssl = NULL;
1023
1024 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1025 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1026 goto end;
1027
1028 clientssl = SSL_new(cctx);
1029 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1030 goto end;
1031 SSL_free(clientssl);
1032 clientssl = NULL;
1033
1034 /*
1035 * Now actually do a handshake and check OCSP information is exchanged and
1036 * the callbacks get called
1037 */
1038 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1039 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1040 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1041 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1042 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1043 &clientssl, NULL, NULL))
1044 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1045 SSL_ERROR_NONE))
1046 || !TEST_true(ocsp_client_called)
1047 || !TEST_true(ocsp_server_called))
1048 goto end;
1049 SSL_free(serverssl);
1050 SSL_free(clientssl);
1051 serverssl = NULL;
1052 clientssl = NULL;
1053
1054 /* Try again but this time force the server side callback to fail */
1055 ocsp_client_called = 0;
1056 ocsp_server_called = 0;
1057 cdummyarg = 0;
1058 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1059 &clientssl, NULL, NULL))
1060 /* This should fail because the callback will fail */
1061 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1062 SSL_ERROR_NONE))
1063 || !TEST_false(ocsp_client_called)
1064 || !TEST_false(ocsp_server_called))
1065 goto end;
1066 SSL_free(serverssl);
1067 SSL_free(clientssl);
1068 serverssl = NULL;
1069 clientssl = NULL;
1070
1071 /*
1072 * This time we'll get the client to send an OCSP_RESPID that it will
1073 * accept.
1074 */
1075 ocsp_client_called = 0;
1076 ocsp_server_called = 0;
1077 cdummyarg = 2;
1078 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1079 &clientssl, NULL, NULL)))
1080 goto end;
1081
1082 /*
1083 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1084 * specific one. We'll use the server cert.
1085 */
1086 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1087 || !TEST_ptr(id = OCSP_RESPID_new())
1088 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1089 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
1090 NULL, NULL, NULL))
1091 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
1092 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1093 goto end;
1094 id = NULL;
1095 SSL_set_tlsext_status_ids(clientssl, ids);
1096 /* Control has been transferred */
1097 ids = NULL;
1098
1099 BIO_free(certbio);
1100 certbio = NULL;
1101
1102 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1103 SSL_ERROR_NONE))
1104 || !TEST_true(ocsp_client_called)
1105 || !TEST_true(ocsp_server_called))
1106 goto end;
1107
1108 testresult = 1;
1109
1110 end:
1111 SSL_free(serverssl);
1112 SSL_free(clientssl);
1113 SSL_CTX_free(sctx);
1114 SSL_CTX_free(cctx);
1115 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1116 OCSP_RESPID_free(id);
1117 BIO_free(certbio);
1118 X509_free(ocspcert);
1119 ocspcert = NULL;
1120
1121 return testresult;
1122 }
1123 #endif
1124
1125 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1126 static int new_called, remove_called, get_called;
1127
new_session_cb(SSL * ssl,SSL_SESSION * sess)1128 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1129 {
1130 new_called++;
1131 /*
1132 * sess has been up-refed for us, but we don't actually need it so free it
1133 * immediately.
1134 */
1135 SSL_SESSION_free(sess);
1136 return 1;
1137 }
1138
remove_session_cb(SSL_CTX * ctx,SSL_SESSION * sess)1139 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1140 {
1141 remove_called++;
1142 }
1143
1144 static SSL_SESSION *get_sess_val = NULL;
1145
get_session_cb(SSL * ssl,const unsigned char * id,int len,int * copy)1146 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1147 int *copy)
1148 {
1149 get_called++;
1150 *copy = 1;
1151 return get_sess_val;
1152 }
1153
execute_test_session(int maxprot,int use_int_cache,int use_ext_cache)1154 static int execute_test_session(int maxprot, int use_int_cache,
1155 int use_ext_cache)
1156 {
1157 SSL_CTX *sctx = NULL, *cctx = NULL;
1158 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1159 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1160 # ifndef OPENSSL_NO_TLS1_1
1161 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1162 # endif
1163 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1164 int testresult = 0, numnewsesstick = 1;
1165
1166 new_called = remove_called = 0;
1167
1168 /* TLSv1.3 sends 2 NewSessionTickets */
1169 if (maxprot == TLS1_3_VERSION)
1170 numnewsesstick = 2;
1171
1172 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1173 TLS1_VERSION, TLS_MAX_VERSION,
1174 &sctx, &cctx, cert, privkey)))
1175 return 0;
1176
1177 /*
1178 * Only allow the max protocol version so we can force a connection failure
1179 * later
1180 */
1181 SSL_CTX_set_min_proto_version(cctx, maxprot);
1182 SSL_CTX_set_max_proto_version(cctx, maxprot);
1183
1184 /* Set up session cache */
1185 if (use_ext_cache) {
1186 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1187 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1188 }
1189 if (use_int_cache) {
1190 /* Also covers instance where both are set */
1191 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1192 } else {
1193 SSL_CTX_set_session_cache_mode(cctx,
1194 SSL_SESS_CACHE_CLIENT
1195 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1196 }
1197
1198 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1199 NULL, NULL))
1200 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1201 SSL_ERROR_NONE))
1202 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1203 goto end;
1204
1205 /* Should fail because it should already be in the cache */
1206 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1207 goto end;
1208 if (use_ext_cache
1209 && (!TEST_int_eq(new_called, numnewsesstick)
1210
1211 || !TEST_int_eq(remove_called, 0)))
1212 goto end;
1213
1214 new_called = remove_called = 0;
1215 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1216 &clientssl2, NULL, NULL))
1217 || !TEST_true(SSL_set_session(clientssl2, sess1))
1218 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1219 SSL_ERROR_NONE))
1220 || !TEST_true(SSL_session_reused(clientssl2)))
1221 goto end;
1222
1223 if (maxprot == TLS1_3_VERSION) {
1224 /*
1225 * In TLSv1.3 we should have created a new session even though we have
1226 * resumed. Since we attempted a resume we should also have removed the
1227 * old ticket from the cache so that we try to only use tickets once.
1228 */
1229 if (use_ext_cache
1230 && (!TEST_int_eq(new_called, 1)
1231 || !TEST_int_eq(remove_called, 1)))
1232 goto end;
1233 } else {
1234 /*
1235 * In TLSv1.2 we expect to have resumed so no sessions added or
1236 * removed.
1237 */
1238 if (use_ext_cache
1239 && (!TEST_int_eq(new_called, 0)
1240 || !TEST_int_eq(remove_called, 0)))
1241 goto end;
1242 }
1243
1244 SSL_SESSION_free(sess1);
1245 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1246 goto end;
1247 shutdown_ssl_connection(serverssl2, clientssl2);
1248 serverssl2 = clientssl2 = NULL;
1249
1250 new_called = remove_called = 0;
1251 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1252 &clientssl2, NULL, NULL))
1253 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1254 SSL_ERROR_NONE)))
1255 goto end;
1256
1257 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1258 goto end;
1259
1260 if (use_ext_cache
1261 && (!TEST_int_eq(new_called, numnewsesstick)
1262 || !TEST_int_eq(remove_called, 0)))
1263 goto end;
1264
1265 new_called = remove_called = 0;
1266 /*
1267 * This should clear sess2 from the cache because it is a "bad" session.
1268 * See SSL_set_session() documentation.
1269 */
1270 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1271 goto end;
1272 if (use_ext_cache
1273 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1274 goto end;
1275 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1276 goto end;
1277
1278 if (use_int_cache) {
1279 /* Should succeeded because it should not already be in the cache */
1280 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1281 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1282 goto end;
1283 }
1284
1285 new_called = remove_called = 0;
1286 /* This shouldn't be in the cache so should fail */
1287 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1288 goto end;
1289
1290 if (use_ext_cache
1291 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1292 goto end;
1293
1294 # if !defined(OPENSSL_NO_TLS1_1)
1295 new_called = remove_called = 0;
1296 /* Force a connection failure */
1297 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1298 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1299 &clientssl3, NULL, NULL))
1300 || !TEST_true(SSL_set_session(clientssl3, sess1))
1301 /* This should fail because of the mismatched protocol versions */
1302 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1303 SSL_ERROR_NONE)))
1304 goto end;
1305
1306 /* We should have automatically removed the session from the cache */
1307 if (use_ext_cache
1308 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1309 goto end;
1310
1311 /* Should succeed because it should not already be in the cache */
1312 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1313 goto end;
1314 # endif
1315
1316 /* Now do some tests for server side caching */
1317 if (use_ext_cache) {
1318 SSL_CTX_sess_set_new_cb(cctx, NULL);
1319 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1320 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1321 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1322 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1323 get_sess_val = NULL;
1324 }
1325
1326 SSL_CTX_set_session_cache_mode(cctx, 0);
1327 /* Internal caching is the default on the server side */
1328 if (!use_int_cache)
1329 SSL_CTX_set_session_cache_mode(sctx,
1330 SSL_SESS_CACHE_SERVER
1331 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1332
1333 SSL_free(serverssl1);
1334 SSL_free(clientssl1);
1335 serverssl1 = clientssl1 = NULL;
1336 SSL_free(serverssl2);
1337 SSL_free(clientssl2);
1338 serverssl2 = clientssl2 = NULL;
1339 SSL_SESSION_free(sess1);
1340 sess1 = NULL;
1341 SSL_SESSION_free(sess2);
1342 sess2 = NULL;
1343
1344 SSL_CTX_set_max_proto_version(sctx, maxprot);
1345 if (maxprot == TLS1_2_VERSION)
1346 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1347 new_called = remove_called = get_called = 0;
1348 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1349 NULL, NULL))
1350 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1351 SSL_ERROR_NONE))
1352 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1353 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1354 goto end;
1355
1356 if (use_int_cache) {
1357 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1358 /*
1359 * In TLSv1.3 it should not have been added to the internal cache,
1360 * except in the case where we also have an external cache (in that
1361 * case it gets added to the cache in order to generate remove
1362 * events after timeout).
1363 */
1364 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1365 goto end;
1366 } else {
1367 /* Should fail because it should already be in the cache */
1368 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1369 goto end;
1370 }
1371 }
1372
1373 if (use_ext_cache) {
1374 SSL_SESSION *tmp = sess2;
1375
1376 if (!TEST_int_eq(new_called, numnewsesstick)
1377 || !TEST_int_eq(remove_called, 0)
1378 || !TEST_int_eq(get_called, 0))
1379 goto end;
1380 /*
1381 * Delete the session from the internal cache to force a lookup from
1382 * the external cache. We take a copy first because
1383 * SSL_CTX_remove_session() also marks the session as non-resumable.
1384 */
1385 if (use_int_cache && maxprot != TLS1_3_VERSION) {
1386 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1387 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1388 goto end;
1389 SSL_SESSION_free(sess2);
1390 }
1391 sess2 = tmp;
1392 }
1393
1394 new_called = remove_called = get_called = 0;
1395 get_sess_val = sess2;
1396 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1397 &clientssl2, NULL, NULL))
1398 || !TEST_true(SSL_set_session(clientssl2, sess1))
1399 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1400 SSL_ERROR_NONE))
1401 || !TEST_true(SSL_session_reused(clientssl2)))
1402 goto end;
1403
1404 if (use_ext_cache) {
1405 if (!TEST_int_eq(remove_called, 0))
1406 goto end;
1407
1408 if (maxprot == TLS1_3_VERSION) {
1409 if (!TEST_int_eq(new_called, 1)
1410 || !TEST_int_eq(get_called, 0))
1411 goto end;
1412 } else {
1413 if (!TEST_int_eq(new_called, 0)
1414 || !TEST_int_eq(get_called, 1))
1415 goto end;
1416 }
1417 }
1418
1419 testresult = 1;
1420
1421 end:
1422 SSL_free(serverssl1);
1423 SSL_free(clientssl1);
1424 SSL_free(serverssl2);
1425 SSL_free(clientssl2);
1426 # ifndef OPENSSL_NO_TLS1_1
1427 SSL_free(serverssl3);
1428 SSL_free(clientssl3);
1429 # endif
1430 SSL_SESSION_free(sess1);
1431 SSL_SESSION_free(sess2);
1432 SSL_CTX_free(sctx);
1433 SSL_CTX_free(cctx);
1434
1435 return testresult;
1436 }
1437 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1438
test_session_with_only_int_cache(void)1439 static int test_session_with_only_int_cache(void)
1440 {
1441 #ifndef OPENSSL_NO_TLS1_3
1442 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1443 return 0;
1444 #endif
1445
1446 #ifndef OPENSSL_NO_TLS1_2
1447 return execute_test_session(TLS1_2_VERSION, 1, 0);
1448 #else
1449 return 1;
1450 #endif
1451 }
1452
test_session_with_only_ext_cache(void)1453 static int test_session_with_only_ext_cache(void)
1454 {
1455 #ifndef OPENSSL_NO_TLS1_3
1456 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1457 return 0;
1458 #endif
1459
1460 #ifndef OPENSSL_NO_TLS1_2
1461 return execute_test_session(TLS1_2_VERSION, 0, 1);
1462 #else
1463 return 1;
1464 #endif
1465 }
1466
test_session_with_both_cache(void)1467 static int test_session_with_both_cache(void)
1468 {
1469 #ifndef OPENSSL_NO_TLS1_3
1470 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1471 return 0;
1472 #endif
1473
1474 #ifndef OPENSSL_NO_TLS1_2
1475 return execute_test_session(TLS1_2_VERSION, 1, 1);
1476 #else
1477 return 1;
1478 #endif
1479 }
1480
1481 #ifndef OPENSSL_NO_TLS1_3
1482 static SSL_SESSION *sesscache[6];
1483 static int do_cache;
1484
new_cachesession_cb(SSL * ssl,SSL_SESSION * sess)1485 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1486 {
1487 if (do_cache) {
1488 sesscache[new_called] = sess;
1489 } else {
1490 /* We don't need the reference to the session, so free it */
1491 SSL_SESSION_free(sess);
1492 }
1493 new_called++;
1494
1495 return 1;
1496 }
1497
post_handshake_verify(SSL * sssl,SSL * cssl)1498 static int post_handshake_verify(SSL *sssl, SSL *cssl)
1499 {
1500 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1501 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1502 return 0;
1503
1504 /* Start handshake on the server and client */
1505 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1506 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1507 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1508 || !TEST_true(create_ssl_connection(sssl, cssl,
1509 SSL_ERROR_NONE)))
1510 return 0;
1511
1512 return 1;
1513 }
1514
setup_ticket_test(int stateful,int idx,SSL_CTX ** sctx,SSL_CTX ** cctx)1515 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
1516 SSL_CTX **cctx)
1517 {
1518 int sess_id_ctx = 1;
1519
1520 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1521 TLS1_VERSION, TLS_MAX_VERSION, sctx,
1522 cctx, cert, privkey))
1523 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
1524 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
1525 (void *)&sess_id_ctx,
1526 sizeof(sess_id_ctx))))
1527 return 0;
1528
1529 if (stateful)
1530 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
1531
1532 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
1533 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1534 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
1535
1536 return 1;
1537 }
1538
check_resumption(int idx,SSL_CTX * sctx,SSL_CTX * cctx,int succ)1539 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
1540 {
1541 SSL *serverssl = NULL, *clientssl = NULL;
1542 int i;
1543
1544 /* Test that we can resume with all the tickets we got given */
1545 for (i = 0; i < idx * 2; i++) {
1546 new_called = 0;
1547 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1548 &clientssl, NULL, NULL))
1549 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1550 goto end;
1551
1552 SSL_set_post_handshake_auth(clientssl, 1);
1553
1554 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1555 SSL_ERROR_NONE)))
1556 goto end;
1557
1558 /*
1559 * Following a successful resumption we only get 1 ticket. After a
1560 * failed one we should get idx tickets.
1561 */
1562 if (succ) {
1563 if (!TEST_true(SSL_session_reused(clientssl))
1564 || !TEST_int_eq(new_called, 1))
1565 goto end;
1566 } else {
1567 if (!TEST_false(SSL_session_reused(clientssl))
1568 || !TEST_int_eq(new_called, idx))
1569 goto end;
1570 }
1571
1572 new_called = 0;
1573 /* After a post-handshake authentication we should get 1 new ticket */
1574 if (succ
1575 && (!post_handshake_verify(serverssl, clientssl)
1576 || !TEST_int_eq(new_called, 1)))
1577 goto end;
1578
1579 SSL_shutdown(clientssl);
1580 SSL_shutdown(serverssl);
1581 SSL_free(serverssl);
1582 SSL_free(clientssl);
1583 serverssl = clientssl = NULL;
1584 SSL_SESSION_free(sesscache[i]);
1585 sesscache[i] = NULL;
1586 }
1587
1588 return 1;
1589
1590 end:
1591 SSL_free(clientssl);
1592 SSL_free(serverssl);
1593 return 0;
1594 }
1595
test_tickets(int stateful,int idx)1596 static int test_tickets(int stateful, int idx)
1597 {
1598 SSL_CTX *sctx = NULL, *cctx = NULL;
1599 SSL *serverssl = NULL, *clientssl = NULL;
1600 int testresult = 0;
1601 size_t j;
1602
1603 /* idx is the test number, but also the number of tickets we want */
1604
1605 new_called = 0;
1606 do_cache = 1;
1607
1608 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1609 goto end;
1610
1611 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1612 &clientssl, NULL, NULL)))
1613 goto end;
1614
1615 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1616 SSL_ERROR_NONE))
1617 /* Check we got the number of tickets we were expecting */
1618 || !TEST_int_eq(idx, new_called))
1619 goto end;
1620
1621 SSL_shutdown(clientssl);
1622 SSL_shutdown(serverssl);
1623 SSL_free(serverssl);
1624 SSL_free(clientssl);
1625 SSL_CTX_free(sctx);
1626 SSL_CTX_free(cctx);
1627 clientssl = serverssl = NULL;
1628 sctx = cctx = NULL;
1629
1630 /*
1631 * Now we try to resume with the tickets we previously created. The
1632 * resumption attempt is expected to fail (because we're now using a new
1633 * SSL_CTX). We should see idx number of tickets issued again.
1634 */
1635
1636 /* Stop caching sessions - just count them */
1637 do_cache = 0;
1638
1639 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1640 goto end;
1641
1642 if (!check_resumption(idx, sctx, cctx, 0))
1643 goto end;
1644
1645 /* Start again with caching sessions */
1646 new_called = 0;
1647 do_cache = 1;
1648 SSL_CTX_free(sctx);
1649 SSL_CTX_free(cctx);
1650 sctx = cctx = NULL;
1651
1652 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1653 goto end;
1654
1655 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1656 &clientssl, NULL, NULL)))
1657 goto end;
1658
1659 SSL_set_post_handshake_auth(clientssl, 1);
1660
1661 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1662 SSL_ERROR_NONE))
1663 /* Check we got the number of tickets we were expecting */
1664 || !TEST_int_eq(idx, new_called))
1665 goto end;
1666
1667 /* After a post-handshake authentication we should get new tickets issued */
1668 if (!post_handshake_verify(serverssl, clientssl)
1669 || !TEST_int_eq(idx * 2, new_called))
1670 goto end;
1671
1672 SSL_shutdown(clientssl);
1673 SSL_shutdown(serverssl);
1674 SSL_free(serverssl);
1675 SSL_free(clientssl);
1676 serverssl = clientssl = NULL;
1677
1678 /* Stop caching sessions - just count them */
1679 do_cache = 0;
1680
1681 /*
1682 * Check we can resume with all the tickets we created. This time around the
1683 * resumptions should all be successful.
1684 */
1685 if (!check_resumption(idx, sctx, cctx, 1))
1686 goto end;
1687
1688 testresult = 1;
1689
1690 end:
1691 SSL_free(serverssl);
1692 SSL_free(clientssl);
1693 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
1694 SSL_SESSION_free(sesscache[j]);
1695 sesscache[j] = NULL;
1696 }
1697 SSL_CTX_free(sctx);
1698 SSL_CTX_free(cctx);
1699
1700 return testresult;
1701 }
1702
test_stateless_tickets(int idx)1703 static int test_stateless_tickets(int idx)
1704 {
1705 return test_tickets(0, idx);
1706 }
1707
test_stateful_tickets(int idx)1708 static int test_stateful_tickets(int idx)
1709 {
1710 return test_tickets(1, idx);
1711 }
1712
test_psk_tickets(void)1713 static int test_psk_tickets(void)
1714 {
1715 SSL_CTX *sctx = NULL, *cctx = NULL;
1716 SSL *serverssl = NULL, *clientssl = NULL;
1717 int testresult = 0;
1718 int sess_id_ctx = 1;
1719
1720 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1721 TLS1_VERSION, TLS_MAX_VERSION, &sctx,
1722 &cctx, NULL, NULL))
1723 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
1724 (void *)&sess_id_ctx,
1725 sizeof(sess_id_ctx))))
1726 goto end;
1727
1728 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
1729 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1730 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
1731 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
1732 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1733 use_session_cb_cnt = 0;
1734 find_session_cb_cnt = 0;
1735 srvid = pskid;
1736 new_called = 0;
1737
1738 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1739 NULL, NULL)))
1740 goto end;
1741 clientpsk = serverpsk = create_a_psk(clientssl);
1742 if (!TEST_ptr(clientpsk))
1743 goto end;
1744 SSL_SESSION_up_ref(clientpsk);
1745
1746 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1747 SSL_ERROR_NONE))
1748 || !TEST_int_eq(1, find_session_cb_cnt)
1749 || !TEST_int_eq(1, use_session_cb_cnt)
1750 /* We should always get 1 ticket when using external PSK */
1751 || !TEST_int_eq(1, new_called))
1752 goto end;
1753
1754 testresult = 1;
1755
1756 end:
1757 SSL_free(serverssl);
1758 SSL_free(clientssl);
1759 SSL_CTX_free(sctx);
1760 SSL_CTX_free(cctx);
1761 SSL_SESSION_free(clientpsk);
1762 SSL_SESSION_free(serverpsk);
1763 clientpsk = serverpsk = NULL;
1764
1765 return testresult;
1766 }
1767 #endif
1768
1769 #define USE_NULL 0
1770 #define USE_BIO_1 1
1771 #define USE_BIO_2 2
1772 #define USE_DEFAULT 3
1773
1774 #define CONNTYPE_CONNECTION_SUCCESS 0
1775 #define CONNTYPE_CONNECTION_FAIL 1
1776 #define CONNTYPE_NO_CONNECTION 2
1777
1778 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1779 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
1780 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
1781 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
1782 #else
1783 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
1784 #endif
1785
1786 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
1787 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
1788 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
1789
setupbio(BIO ** res,BIO * bio1,BIO * bio2,int type)1790 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1791 {
1792 switch (type) {
1793 case USE_NULL:
1794 *res = NULL;
1795 break;
1796 case USE_BIO_1:
1797 *res = bio1;
1798 break;
1799 case USE_BIO_2:
1800 *res = bio2;
1801 break;
1802 }
1803 }
1804
1805
1806 /*
1807 * Tests calls to SSL_set_bio() under various conditions.
1808 *
1809 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
1810 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
1811 * then do more tests where we create a successful connection first using our
1812 * standard connection setup functions, and then call SSL_set_bio() with
1813 * various combinations of valid BIOs or NULL. We then repeat these tests
1814 * following a failed connection. In this last case we are looking to check that
1815 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
1816 */
test_ssl_set_bio(int idx)1817 static int test_ssl_set_bio(int idx)
1818 {
1819 SSL_CTX *sctx = NULL, *cctx = NULL;
1820 BIO *bio1 = NULL;
1821 BIO *bio2 = NULL;
1822 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
1823 SSL *serverssl = NULL, *clientssl = NULL;
1824 int initrbio, initwbio, newrbio, newwbio, conntype;
1825 int testresult = 0;
1826
1827 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
1828 initrbio = idx % 3;
1829 idx /= 3;
1830 initwbio = idx % 3;
1831 idx /= 3;
1832 newrbio = idx % 3;
1833 idx /= 3;
1834 newwbio = idx % 3;
1835 conntype = CONNTYPE_NO_CONNECTION;
1836 } else {
1837 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
1838 initrbio = initwbio = USE_DEFAULT;
1839 newrbio = idx % 2;
1840 idx /= 2;
1841 newwbio = idx % 2;
1842 idx /= 2;
1843 conntype = idx % 2;
1844 }
1845
1846 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1847 TLS1_VERSION, TLS_MAX_VERSION,
1848 &sctx, &cctx, cert, privkey)))
1849 goto end;
1850
1851 if (conntype == CONNTYPE_CONNECTION_FAIL) {
1852 /*
1853 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
1854 * because we reduced the number of tests in the definition of
1855 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
1856 * mismatched protocol versions we will force a connection failure.
1857 */
1858 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
1859 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1860 }
1861
1862 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1863 NULL, NULL)))
1864 goto end;
1865
1866 if (initrbio == USE_BIO_1
1867 || initwbio == USE_BIO_1
1868 || newrbio == USE_BIO_1
1869 || newwbio == USE_BIO_1) {
1870 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
1871 goto end;
1872 }
1873
1874 if (initrbio == USE_BIO_2
1875 || initwbio == USE_BIO_2
1876 || newrbio == USE_BIO_2
1877 || newwbio == USE_BIO_2) {
1878 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
1879 goto end;
1880 }
1881
1882 if (initrbio != USE_DEFAULT) {
1883 setupbio(&irbio, bio1, bio2, initrbio);
1884 setupbio(&iwbio, bio1, bio2, initwbio);
1885 SSL_set_bio(clientssl, irbio, iwbio);
1886
1887 /*
1888 * We want to maintain our own refs to these BIO, so do an up ref for
1889 * each BIO that will have ownership transferred in the SSL_set_bio()
1890 * call
1891 */
1892 if (irbio != NULL)
1893 BIO_up_ref(irbio);
1894 if (iwbio != NULL && iwbio != irbio)
1895 BIO_up_ref(iwbio);
1896 }
1897
1898 if (conntype != CONNTYPE_NO_CONNECTION
1899 && !TEST_true(create_ssl_connection(serverssl, clientssl,
1900 SSL_ERROR_NONE)
1901 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
1902 goto end;
1903
1904 setupbio(&nrbio, bio1, bio2, newrbio);
1905 setupbio(&nwbio, bio1, bio2, newwbio);
1906
1907 /*
1908 * We will (maybe) transfer ownership again so do more up refs.
1909 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1910 * already been set!
1911 */
1912 if (nrbio != NULL
1913 && nrbio != irbio
1914 && (nwbio != iwbio || nrbio != nwbio))
1915 BIO_up_ref(nrbio);
1916 if (nwbio != NULL
1917 && nwbio != nrbio
1918 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
1919 BIO_up_ref(nwbio);
1920
1921 SSL_set_bio(clientssl, nrbio, nwbio);
1922
1923 testresult = 1;
1924
1925 end:
1926 BIO_free(bio1);
1927 BIO_free(bio2);
1928
1929 /*
1930 * This test is checking that the ref counting for SSL_set_bio is correct.
1931 * If we get here and we did too many frees then we will fail in the above
1932 * functions. If we haven't done enough then this will only be detected in
1933 * a crypto-mdebug build
1934 */
1935 SSL_free(serverssl);
1936 SSL_free(clientssl);
1937 SSL_CTX_free(sctx);
1938 SSL_CTX_free(cctx);
1939 return testresult;
1940 }
1941
1942 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
1943
execute_test_ssl_bio(int pop_ssl,bio_change_t change_bio)1944 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
1945 {
1946 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
1947 SSL_CTX *ctx;
1948 SSL *ssl = NULL;
1949 int testresult = 0;
1950
1951 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1952 || !TEST_ptr(ssl = SSL_new(ctx))
1953 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1954 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
1955 goto end;
1956
1957 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1958
1959 /*
1960 * If anything goes wrong here then we could leak memory, so this will
1961 * be caught in a crypto-mdebug build
1962 */
1963 BIO_push(sslbio, membio1);
1964
1965 /* Verify changing the rbio/wbio directly does not cause leaks */
1966 if (change_bio != NO_BIO_CHANGE) {
1967 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
1968 ssl = NULL;
1969 goto end;
1970 }
1971 if (change_bio == CHANGE_RBIO)
1972 SSL_set0_rbio(ssl, membio2);
1973 else
1974 SSL_set0_wbio(ssl, membio2);
1975 }
1976 ssl = NULL;
1977
1978 if (pop_ssl)
1979 BIO_pop(sslbio);
1980 else
1981 BIO_pop(membio1);
1982
1983 testresult = 1;
1984 end:
1985 BIO_free(membio1);
1986 BIO_free(sslbio);
1987 SSL_free(ssl);
1988 SSL_CTX_free(ctx);
1989
1990 return testresult;
1991 }
1992
test_ssl_bio_pop_next_bio(void)1993 static int test_ssl_bio_pop_next_bio(void)
1994 {
1995 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
1996 }
1997
test_ssl_bio_pop_ssl_bio(void)1998 static int test_ssl_bio_pop_ssl_bio(void)
1999 {
2000 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
2001 }
2002
test_ssl_bio_change_rbio(void)2003 static int test_ssl_bio_change_rbio(void)
2004 {
2005 return execute_test_ssl_bio(0, CHANGE_RBIO);
2006 }
2007
test_ssl_bio_change_wbio(void)2008 static int test_ssl_bio_change_wbio(void)
2009 {
2010 return execute_test_ssl_bio(0, CHANGE_WBIO);
2011 }
2012
2013 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
2014 typedef struct {
2015 /* The list of sig algs */
2016 const int *list;
2017 /* The length of the list */
2018 size_t listlen;
2019 /* A sigalgs list in string format */
2020 const char *liststr;
2021 /* Whether setting the list should succeed */
2022 int valid;
2023 /* Whether creating a connection with the list should succeed */
2024 int connsuccess;
2025 } sigalgs_list;
2026
2027 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
2028 # ifndef OPENSSL_NO_EC
2029 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2030 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
2031 # endif
2032 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2033 static const int invalidlist2[] = {NID_sha256, NID_undef};
2034 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2035 static const int invalidlist4[] = {NID_sha256};
2036 static const sigalgs_list testsigalgs[] = {
2037 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2038 # ifndef OPENSSL_NO_EC
2039 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2040 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2041 # endif
2042 {NULL, 0, "RSA+SHA256", 1, 1},
2043 # ifndef OPENSSL_NO_EC
2044 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2045 {NULL, 0, "ECDSA+SHA512", 1, 0},
2046 # endif
2047 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2048 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2049 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2050 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2051 {NULL, 0, "RSA", 0, 0},
2052 {NULL, 0, "SHA256", 0, 0},
2053 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2054 {NULL, 0, "Invalid", 0, 0}
2055 };
2056
test_set_sigalgs(int idx)2057 static int test_set_sigalgs(int idx)
2058 {
2059 SSL_CTX *cctx = NULL, *sctx = NULL;
2060 SSL *clientssl = NULL, *serverssl = NULL;
2061 int testresult = 0;
2062 const sigalgs_list *curr;
2063 int testctx;
2064
2065 /* Should never happen */
2066 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
2067 return 0;
2068
2069 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2070 curr = testctx ? &testsigalgs[idx]
2071 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2072
2073 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2074 TLS1_VERSION, TLS_MAX_VERSION,
2075 &sctx, &cctx, cert, privkey)))
2076 return 0;
2077
2078 /*
2079 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2080 * for TLSv1.2 for now until we add a new API.
2081 */
2082 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2083
2084 if (testctx) {
2085 int ret;
2086
2087 if (curr->list != NULL)
2088 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2089 else
2090 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2091
2092 if (!ret) {
2093 if (curr->valid)
2094 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2095 else
2096 testresult = 1;
2097 goto end;
2098 }
2099 if (!curr->valid) {
2100 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2101 goto end;
2102 }
2103 }
2104
2105 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2106 &clientssl, NULL, NULL)))
2107 goto end;
2108
2109 if (!testctx) {
2110 int ret;
2111
2112 if (curr->list != NULL)
2113 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2114 else
2115 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2116 if (!ret) {
2117 if (curr->valid)
2118 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
2119 else
2120 testresult = 1;
2121 goto end;
2122 }
2123 if (!curr->valid)
2124 goto end;
2125 }
2126
2127 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2128 SSL_ERROR_NONE),
2129 curr->connsuccess))
2130 goto end;
2131
2132 testresult = 1;
2133
2134 end:
2135 SSL_free(serverssl);
2136 SSL_free(clientssl);
2137 SSL_CTX_free(sctx);
2138 SSL_CTX_free(cctx);
2139
2140 return testresult;
2141 }
2142 #endif
2143
2144 #ifndef OPENSSL_NO_TLS1_3
2145 static int psk_client_cb_cnt = 0;
2146 static int psk_server_cb_cnt = 0;
2147
use_session_cb(SSL * ssl,const EVP_MD * md,const unsigned char ** id,size_t * idlen,SSL_SESSION ** sess)2148 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2149 size_t *idlen, SSL_SESSION **sess)
2150 {
2151 switch (++use_session_cb_cnt) {
2152 case 1:
2153 /* The first call should always have a NULL md */
2154 if (md != NULL)
2155 return 0;
2156 break;
2157
2158 case 2:
2159 /* The second call should always have an md */
2160 if (md == NULL)
2161 return 0;
2162 break;
2163
2164 default:
2165 /* We should only be called a maximum of twice */
2166 return 0;
2167 }
2168
2169 if (clientpsk != NULL)
2170 SSL_SESSION_up_ref(clientpsk);
2171
2172 *sess = clientpsk;
2173 *id = (const unsigned char *)pskid;
2174 *idlen = strlen(pskid);
2175
2176 return 1;
2177 }
2178
2179 #ifndef OPENSSL_NO_PSK
psk_client_cb(SSL * ssl,const char * hint,char * id,unsigned int max_id_len,unsigned char * psk,unsigned int max_psk_len)2180 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2181 unsigned int max_id_len,
2182 unsigned char *psk,
2183 unsigned int max_psk_len)
2184 {
2185 unsigned int psklen = 0;
2186
2187 psk_client_cb_cnt++;
2188
2189 if (strlen(pskid) + 1 > max_id_len)
2190 return 0;
2191
2192 /* We should only ever be called a maximum of twice per connection */
2193 if (psk_client_cb_cnt > 2)
2194 return 0;
2195
2196 if (clientpsk == NULL)
2197 return 0;
2198
2199 /* We'll reuse the PSK we set up for TLSv1.3 */
2200 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2201 return 0;
2202 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2203 strncpy(id, pskid, max_id_len);
2204
2205 return psklen;
2206 }
2207 #endif /* OPENSSL_NO_PSK */
2208
find_session_cb(SSL * ssl,const unsigned char * identity,size_t identity_len,SSL_SESSION ** sess)2209 static int find_session_cb(SSL *ssl, const unsigned char *identity,
2210 size_t identity_len, SSL_SESSION **sess)
2211 {
2212 find_session_cb_cnt++;
2213
2214 /* We should only ever be called a maximum of twice per connection */
2215 if (find_session_cb_cnt > 2)
2216 return 0;
2217
2218 if (serverpsk == NULL)
2219 return 0;
2220
2221 /* Identity should match that set by the client */
2222 if (strlen(srvid) != identity_len
2223 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2224 /* No PSK found, continue but without a PSK */
2225 *sess = NULL;
2226 return 1;
2227 }
2228
2229 SSL_SESSION_up_ref(serverpsk);
2230 *sess = serverpsk;
2231
2232 return 1;
2233 }
2234
2235 #ifndef OPENSSL_NO_PSK
psk_server_cb(SSL * ssl,const char * identity,unsigned char * psk,unsigned int max_psk_len)2236 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2237 unsigned char *psk, unsigned int max_psk_len)
2238 {
2239 unsigned int psklen = 0;
2240
2241 psk_server_cb_cnt++;
2242
2243 /* We should only ever be called a maximum of twice per connection */
2244 if (find_session_cb_cnt > 2)
2245 return 0;
2246
2247 if (serverpsk == NULL)
2248 return 0;
2249
2250 /* Identity should match that set by the client */
2251 if (strcmp(srvid, identity) != 0) {
2252 return 0;
2253 }
2254
2255 /* We'll reuse the PSK we set up for TLSv1.3 */
2256 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2257 return 0;
2258 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2259
2260 return psklen;
2261 }
2262 #endif /* OPENSSL_NO_PSK */
2263
2264 #define MSG1 "Hello"
2265 #define MSG2 "World."
2266 #define MSG3 "This"
2267 #define MSG4 "is"
2268 #define MSG5 "a"
2269 #define MSG6 "test"
2270 #define MSG7 "message."
2271
2272 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
2273 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2274 #define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
2275 #define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
2276 #define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
2277
2278
create_a_psk(SSL * ssl)2279 static SSL_SESSION *create_a_psk(SSL *ssl)
2280 {
2281 const SSL_CIPHER *cipher = NULL;
2282 const unsigned char key[] = {
2283 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2284 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2285 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2286 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2287 0x2c, 0x2d, 0x2e, 0x2f
2288 };
2289 SSL_SESSION *sess = NULL;
2290
2291 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2292 sess = SSL_SESSION_new();
2293 if (!TEST_ptr(sess)
2294 || !TEST_ptr(cipher)
2295 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2296 sizeof(key)))
2297 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2298 || !TEST_true(
2299 SSL_SESSION_set_protocol_version(sess,
2300 TLS1_3_VERSION))) {
2301 SSL_SESSION_free(sess);
2302 return NULL;
2303 }
2304 return sess;
2305 }
2306
2307 /*
2308 * Helper method to setup objects for early data test. Caller frees objects on
2309 * error.
2310 */
setupearly_data_test(SSL_CTX ** cctx,SSL_CTX ** sctx,SSL ** clientssl,SSL ** serverssl,SSL_SESSION ** sess,int idx)2311 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
2312 SSL **serverssl, SSL_SESSION **sess, int idx)
2313 {
2314 if (*sctx == NULL
2315 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2316 TLS_client_method(),
2317 TLS1_VERSION, TLS_MAX_VERSION,
2318 sctx, cctx, cert, privkey)))
2319 return 0;
2320
2321 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
2322 return 0;
2323
2324 if (idx == 1) {
2325 /* When idx == 1 we repeat the tests with read_ahead set */
2326 SSL_CTX_set_read_ahead(*cctx, 1);
2327 SSL_CTX_set_read_ahead(*sctx, 1);
2328 } else if (idx == 2) {
2329 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2330 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2331 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2332 use_session_cb_cnt = 0;
2333 find_session_cb_cnt = 0;
2334 srvid = pskid;
2335 }
2336
2337 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
2338 NULL, NULL)))
2339 return 0;
2340
2341 /*
2342 * For one of the run throughs (doesn't matter which one), we'll try sending
2343 * some SNI data in the initial ClientHello. This will be ignored (because
2344 * there is no SNI cb set up by the server), so it should not impact
2345 * early_data.
2346 */
2347 if (idx == 1
2348 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2349 return 0;
2350
2351 if (idx == 2) {
2352 clientpsk = create_a_psk(*clientssl);
2353 if (!TEST_ptr(clientpsk)
2354 /*
2355 * We just choose an arbitrary value for max_early_data which
2356 * should be big enough for testing purposes.
2357 */
2358 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2359 0x100))
2360 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2361 SSL_SESSION_free(clientpsk);
2362 clientpsk = NULL;
2363 return 0;
2364 }
2365 serverpsk = clientpsk;
2366
2367 if (sess != NULL) {
2368 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2369 SSL_SESSION_free(clientpsk);
2370 SSL_SESSION_free(serverpsk);
2371 clientpsk = serverpsk = NULL;
2372 return 0;
2373 }
2374 *sess = clientpsk;
2375 }
2376 return 1;
2377 }
2378
2379 if (sess == NULL)
2380 return 1;
2381
2382 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
2383 SSL_ERROR_NONE)))
2384 return 0;
2385
2386 *sess = SSL_get1_session(*clientssl);
2387 SSL_shutdown(*clientssl);
2388 SSL_shutdown(*serverssl);
2389 SSL_free(*serverssl);
2390 SSL_free(*clientssl);
2391 *serverssl = *clientssl = NULL;
2392
2393 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
2394 clientssl, NULL, NULL))
2395 || !TEST_true(SSL_set_session(*clientssl, *sess)))
2396 return 0;
2397
2398 return 1;
2399 }
2400
test_early_data_read_write(int idx)2401 static int test_early_data_read_write(int idx)
2402 {
2403 SSL_CTX *cctx = NULL, *sctx = NULL;
2404 SSL *clientssl = NULL, *serverssl = NULL;
2405 int testresult = 0;
2406 SSL_SESSION *sess = NULL;
2407 unsigned char buf[20], data[1024];
2408 size_t readbytes, written, eoedlen, rawread, rawwritten;
2409 BIO *rbio;
2410
2411 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2412 &serverssl, &sess, idx)))
2413 goto end;
2414
2415 /* Write and read some early data */
2416 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2417 &written))
2418 || !TEST_size_t_eq(written, strlen(MSG1))
2419 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
2420 sizeof(buf), &readbytes),
2421 SSL_READ_EARLY_DATA_SUCCESS)
2422 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
2423 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2424 SSL_EARLY_DATA_ACCEPTED))
2425 goto end;
2426
2427 /*
2428 * Server should be able to write data, and client should be able to
2429 * read it.
2430 */
2431 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
2432 &written))
2433 || !TEST_size_t_eq(written, strlen(MSG2))
2434 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2435 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2436 goto end;
2437
2438 /* Even after reading normal data, client should be able write early data */
2439 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
2440 &written))
2441 || !TEST_size_t_eq(written, strlen(MSG3)))
2442 goto end;
2443
2444 /* Server should still be able read early data after writing data */
2445 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2446 &readbytes),
2447 SSL_READ_EARLY_DATA_SUCCESS)
2448 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
2449 goto end;
2450
2451 /* Write more data from server and read it from client */
2452 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2453 &written))
2454 || !TEST_size_t_eq(written, strlen(MSG4))
2455 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2456 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
2457 goto end;
2458
2459 /*
2460 * If client writes normal data it should mean writing early data is no
2461 * longer possible.
2462 */
2463 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2464 || !TEST_size_t_eq(written, strlen(MSG5))
2465 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2466 SSL_EARLY_DATA_ACCEPTED))
2467 goto end;
2468
2469 /*
2470 * At this point the client has written EndOfEarlyData, ClientFinished and
2471 * normal (fully protected) data. We are going to cause a delay between the
2472 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2473 * in the read BIO, and then just put back the EndOfEarlyData message.
2474 */
2475 rbio = SSL_get_rbio(serverssl);
2476 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2477 || !TEST_size_t_lt(rawread, sizeof(data))
2478 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
2479 goto end;
2480
2481 /* Record length is in the 4th and 5th bytes of the record header */
2482 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
2483 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2484 || !TEST_size_t_eq(rawwritten, eoedlen))
2485 goto end;
2486
2487 /* Server should be told that there is no more early data */
2488 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2489 &readbytes),
2490 SSL_READ_EARLY_DATA_FINISH)
2491 || !TEST_size_t_eq(readbytes, 0))
2492 goto end;
2493
2494 /*
2495 * Server has not finished init yet, so should still be able to write early
2496 * data.
2497 */
2498 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2499 &written))
2500 || !TEST_size_t_eq(written, strlen(MSG6)))
2501 goto end;
2502
2503 /* Push the ClientFinished and the normal data back into the server rbio */
2504 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2505 &rawwritten))
2506 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
2507 goto end;
2508
2509 /* Server should be able to read normal data */
2510 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2511 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2512 goto end;
2513
2514 /* Client and server should not be able to write/read early data now */
2515 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2516 &written)))
2517 goto end;
2518 ERR_clear_error();
2519 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2520 &readbytes),
2521 SSL_READ_EARLY_DATA_ERROR))
2522 goto end;
2523 ERR_clear_error();
2524
2525 /* Client should be able to read the data sent by the server */
2526 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2527 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
2528 goto end;
2529
2530 /*
2531 * Make sure we process the two NewSessionTickets. These arrive
2532 * post-handshake. We attempt reads which we do not expect to return any
2533 * data.
2534 */
2535 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2536 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2537 &readbytes)))
2538 goto end;
2539
2540 /* Server should be able to write normal data */
2541 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2542 || !TEST_size_t_eq(written, strlen(MSG7))
2543 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2544 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
2545 goto end;
2546
2547 SSL_SESSION_free(sess);
2548 sess = SSL_get1_session(clientssl);
2549 use_session_cb_cnt = 0;
2550 find_session_cb_cnt = 0;
2551
2552 SSL_shutdown(clientssl);
2553 SSL_shutdown(serverssl);
2554 SSL_free(serverssl);
2555 SSL_free(clientssl);
2556 serverssl = clientssl = NULL;
2557 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2558 &clientssl, NULL, NULL))
2559 || !TEST_true(SSL_set_session(clientssl, sess)))
2560 goto end;
2561
2562 /* Write and read some early data */
2563 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2564 &written))
2565 || !TEST_size_t_eq(written, strlen(MSG1))
2566 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2567 &readbytes),
2568 SSL_READ_EARLY_DATA_SUCCESS)
2569 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2570 goto end;
2571
2572 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2573 || !TEST_int_gt(SSL_accept(serverssl), 0))
2574 goto end;
2575
2576 /* Client and server should not be able to write/read early data now */
2577 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2578 &written)))
2579 goto end;
2580 ERR_clear_error();
2581 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2582 &readbytes),
2583 SSL_READ_EARLY_DATA_ERROR))
2584 goto end;
2585 ERR_clear_error();
2586
2587 /* Client and server should be able to write/read normal data */
2588 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2589 || !TEST_size_t_eq(written, strlen(MSG5))
2590 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2591 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2592 goto end;
2593
2594 testresult = 1;
2595
2596 end:
2597 SSL_SESSION_free(sess);
2598 SSL_SESSION_free(clientpsk);
2599 SSL_SESSION_free(serverpsk);
2600 clientpsk = serverpsk = NULL;
2601 SSL_free(serverssl);
2602 SSL_free(clientssl);
2603 SSL_CTX_free(sctx);
2604 SSL_CTX_free(cctx);
2605 return testresult;
2606 }
2607
2608 static int allow_ed_cb_called = 0;
2609
allow_early_data_cb(SSL * s,void * arg)2610 static int allow_early_data_cb(SSL *s, void *arg)
2611 {
2612 int *usecb = (int *)arg;
2613
2614 allow_ed_cb_called++;
2615
2616 if (*usecb == 1)
2617 return 0;
2618
2619 return 1;
2620 }
2621
2622 /*
2623 * idx == 0: Standard early_data setup
2624 * idx == 1: early_data setup using read_ahead
2625 * usecb == 0: Don't use a custom early data callback
2626 * usecb == 1: Use a custom early data callback and reject the early data
2627 * usecb == 2: Use a custom early data callback and accept the early data
2628 * confopt == 0: Configure anti-replay directly
2629 * confopt == 1: Configure anti-replay using SSL_CONF
2630 */
test_early_data_replay_int(int idx,int usecb,int confopt)2631 static int test_early_data_replay_int(int idx, int usecb, int confopt)
2632 {
2633 SSL_CTX *cctx = NULL, *sctx = NULL;
2634 SSL *clientssl = NULL, *serverssl = NULL;
2635 int testresult = 0;
2636 SSL_SESSION *sess = NULL;
2637 size_t readbytes, written;
2638 unsigned char buf[20];
2639
2640 allow_ed_cb_called = 0;
2641
2642 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2643 TLS1_VERSION, TLS_MAX_VERSION, &sctx,
2644 &cctx, cert, privkey)))
2645 return 0;
2646
2647 if (usecb > 0) {
2648 if (confopt == 0) {
2649 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
2650 } else {
2651 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
2652
2653 if (!TEST_ptr(confctx))
2654 goto end;
2655 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
2656 | SSL_CONF_FLAG_SERVER);
2657 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
2658 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
2659 2)) {
2660 SSL_CONF_CTX_free(confctx);
2661 goto end;
2662 }
2663 SSL_CONF_CTX_free(confctx);
2664 }
2665 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
2666 }
2667
2668 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2669 &serverssl, &sess, idx)))
2670 goto end;
2671
2672 /*
2673 * The server is configured to accept early data. Create a connection to
2674 * "use up" the ticket
2675 */
2676 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2677 || !TEST_true(SSL_session_reused(clientssl)))
2678 goto end;
2679
2680 SSL_shutdown(clientssl);
2681 SSL_shutdown(serverssl);
2682 SSL_free(serverssl);
2683 SSL_free(clientssl);
2684 serverssl = clientssl = NULL;
2685
2686 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2687 &clientssl, NULL, NULL))
2688 || !TEST_true(SSL_set_session(clientssl, sess)))
2689 goto end;
2690
2691 /* Write and read some early data */
2692 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2693 &written))
2694 || !TEST_size_t_eq(written, strlen(MSG1)))
2695 goto end;
2696
2697 if (usecb <= 1) {
2698 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2699 &readbytes),
2700 SSL_READ_EARLY_DATA_FINISH)
2701 /*
2702 * The ticket was reused, so the we should have rejected the
2703 * early data
2704 */
2705 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2706 SSL_EARLY_DATA_REJECTED))
2707 goto end;
2708 } else {
2709 /* In this case the callback decides to accept the early data */
2710 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2711 &readbytes),
2712 SSL_READ_EARLY_DATA_SUCCESS)
2713 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
2714 /*
2715 * Server will have sent its flight so client can now send
2716 * end of early data and complete its half of the handshake
2717 */
2718 || !TEST_int_gt(SSL_connect(clientssl), 0)
2719 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2720 &readbytes),
2721 SSL_READ_EARLY_DATA_FINISH)
2722 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2723 SSL_EARLY_DATA_ACCEPTED))
2724 goto end;
2725 }
2726
2727 /* Complete the connection */
2728 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2729 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
2730 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
2731 goto end;
2732
2733 testresult = 1;
2734
2735 end:
2736 SSL_SESSION_free(sess);
2737 SSL_SESSION_free(clientpsk);
2738 SSL_SESSION_free(serverpsk);
2739 clientpsk = serverpsk = NULL;
2740 SSL_free(serverssl);
2741 SSL_free(clientssl);
2742 SSL_CTX_free(sctx);
2743 SSL_CTX_free(cctx);
2744 return testresult;
2745 }
2746
test_early_data_replay(int idx)2747 static int test_early_data_replay(int idx)
2748 {
2749 int ret = 1, usecb, confopt;
2750
2751 for (usecb = 0; usecb < 3; usecb++) {
2752 for (confopt = 0; confopt < 2; confopt++)
2753 ret &= test_early_data_replay_int(idx, usecb, confopt);
2754 }
2755
2756 return ret;
2757 }
2758
2759 /*
2760 * Helper function to test that a server attempting to read early data can
2761 * handle a connection from a client where the early data should be skipped.
2762 * testtype: 0 == No HRR
2763 * testtype: 1 == HRR
2764 * testtype: 2 == HRR, invalid early_data sent after HRR
2765 * testtype: 3 == recv_max_early_data set to 0
2766 */
early_data_skip_helper(int testtype,int idx)2767 static int early_data_skip_helper(int testtype, int idx)
2768 {
2769 SSL_CTX *cctx = NULL, *sctx = NULL;
2770 SSL *clientssl = NULL, *serverssl = NULL;
2771 int testresult = 0;
2772 SSL_SESSION *sess = NULL;
2773 unsigned char buf[20];
2774 size_t readbytes, written;
2775
2776 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2777 &serverssl, &sess, idx)))
2778 goto end;
2779
2780 if (testtype == 1 || testtype == 2) {
2781 /* Force an HRR to occur */
2782 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2783 goto end;
2784 } else if (idx == 2) {
2785 /*
2786 * We force early_data rejection by ensuring the PSK identity is
2787 * unrecognised
2788 */
2789 srvid = "Dummy Identity";
2790 } else {
2791 /*
2792 * Deliberately corrupt the creation time. We take 20 seconds off the
2793 * time. It could be any value as long as it is not within tolerance.
2794 * This should mean the ticket is rejected.
2795 */
2796 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
2797 goto end;
2798 }
2799
2800 if (testtype == 3
2801 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
2802 goto end;
2803
2804 /* Write some early data */
2805 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2806 &written))
2807 || !TEST_size_t_eq(written, strlen(MSG1)))
2808 goto end;
2809
2810 /* Server should reject the early data */
2811 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2812 &readbytes),
2813 SSL_READ_EARLY_DATA_FINISH)
2814 || !TEST_size_t_eq(readbytes, 0)
2815 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2816 SSL_EARLY_DATA_REJECTED))
2817 goto end;
2818
2819 switch (testtype) {
2820 case 0:
2821 /* Nothing to do */
2822 break;
2823
2824 case 1:
2825 /*
2826 * Finish off the handshake. We perform the same writes and reads as
2827 * further down but we expect them to fail due to the incomplete
2828 * handshake.
2829 */
2830 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2831 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
2832 &readbytes)))
2833 goto end;
2834 break;
2835
2836 case 2:
2837 {
2838 BIO *wbio = SSL_get_wbio(clientssl);
2839 /* A record that will appear as bad early_data */
2840 const unsigned char bad_early_data[] = {
2841 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
2842 };
2843
2844 /*
2845 * We force the client to attempt a write. This will fail because
2846 * we're still in the handshake. It will cause the second
2847 * ClientHello to be sent.
2848 */
2849 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
2850 &written)))
2851 goto end;
2852
2853 /*
2854 * Inject some early_data after the second ClientHello. This should
2855 * cause the server to fail
2856 */
2857 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
2858 sizeof(bad_early_data), &written)))
2859 goto end;
2860 }
2861 /* fallthrough */
2862
2863 case 3:
2864 /*
2865 * This client has sent more early_data than we are willing to skip
2866 * (case 3) or sent invalid early_data (case 2) so the connection should
2867 * abort.
2868 */
2869 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2870 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
2871 goto end;
2872
2873 /* Connection has failed - nothing more to do */
2874 testresult = 1;
2875 goto end;
2876
2877 default:
2878 TEST_error("Invalid test type");
2879 goto end;
2880 }
2881
2882 /*
2883 * Should be able to send normal data despite rejection of early data. The
2884 * early_data should be skipped.
2885 */
2886 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2887 || !TEST_size_t_eq(written, strlen(MSG2))
2888 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2889 SSL_EARLY_DATA_REJECTED)
2890 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2891 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2892 goto end;
2893
2894 testresult = 1;
2895
2896 end:
2897 SSL_SESSION_free(clientpsk);
2898 SSL_SESSION_free(serverpsk);
2899 clientpsk = serverpsk = NULL;
2900 SSL_SESSION_free(sess);
2901 SSL_free(serverssl);
2902 SSL_free(clientssl);
2903 SSL_CTX_free(sctx);
2904 SSL_CTX_free(cctx);
2905 return testresult;
2906 }
2907
2908 /*
2909 * Test that a server attempting to read early data can handle a connection
2910 * from a client where the early data is not acceptable.
2911 */
test_early_data_skip(int idx)2912 static int test_early_data_skip(int idx)
2913 {
2914 return early_data_skip_helper(0, idx);
2915 }
2916
2917 /*
2918 * Test that a server attempting to read early data can handle a connection
2919 * from a client where an HRR occurs.
2920 */
test_early_data_skip_hrr(int idx)2921 static int test_early_data_skip_hrr(int idx)
2922 {
2923 return early_data_skip_helper(1, idx);
2924 }
2925
2926 /*
2927 * Test that a server attempting to read early data can handle a connection
2928 * from a client where an HRR occurs and correctly fails if early_data is sent
2929 * after the HRR
2930 */
test_early_data_skip_hrr_fail(int idx)2931 static int test_early_data_skip_hrr_fail(int idx)
2932 {
2933 return early_data_skip_helper(2, idx);
2934 }
2935
2936 /*
2937 * Test that a server attempting to read early data will abort if it tries to
2938 * skip over too much.
2939 */
test_early_data_skip_abort(int idx)2940 static int test_early_data_skip_abort(int idx)
2941 {
2942 return early_data_skip_helper(3, idx);
2943 }
2944
2945 /*
2946 * Test that a server attempting to read early data can handle a connection
2947 * from a client that doesn't send any.
2948 */
test_early_data_not_sent(int idx)2949 static int test_early_data_not_sent(int idx)
2950 {
2951 SSL_CTX *cctx = NULL, *sctx = NULL;
2952 SSL *clientssl = NULL, *serverssl = NULL;
2953 int testresult = 0;
2954 SSL_SESSION *sess = NULL;
2955 unsigned char buf[20];
2956 size_t readbytes, written;
2957
2958 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2959 &serverssl, &sess, idx)))
2960 goto end;
2961
2962 /* Write some data - should block due to handshake with server */
2963 SSL_set_connect_state(clientssl);
2964 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
2965 goto end;
2966
2967 /* Server should detect that early data has not been sent */
2968 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2969 &readbytes),
2970 SSL_READ_EARLY_DATA_FINISH)
2971 || !TEST_size_t_eq(readbytes, 0)
2972 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2973 SSL_EARLY_DATA_NOT_SENT)
2974 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2975 SSL_EARLY_DATA_NOT_SENT))
2976 goto end;
2977
2978 /* Continue writing the message we started earlier */
2979 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2980 || !TEST_size_t_eq(written, strlen(MSG1))
2981 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2982 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2983 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
2984 || !TEST_size_t_eq(written, strlen(MSG2)))
2985 goto end;
2986
2987 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2988 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2989 goto end;
2990
2991 testresult = 1;
2992
2993 end:
2994 SSL_SESSION_free(sess);
2995 SSL_SESSION_free(clientpsk);
2996 SSL_SESSION_free(serverpsk);
2997 clientpsk = serverpsk = NULL;
2998 SSL_free(serverssl);
2999 SSL_free(clientssl);
3000 SSL_CTX_free(sctx);
3001 SSL_CTX_free(cctx);
3002 return testresult;
3003 }
3004
3005 static const char *servalpn;
3006
alpn_select_cb(SSL * ssl,const unsigned char ** out,unsigned char * outlen,const unsigned char * in,unsigned int inlen,void * arg)3007 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3008 unsigned char *outlen, const unsigned char *in,
3009 unsigned int inlen, void *arg)
3010 {
3011 unsigned int protlen = 0;
3012 const unsigned char *prot;
3013
3014 for (prot = in; prot < in + inlen; prot += protlen) {
3015 protlen = *prot++;
3016 if (in + inlen < prot + protlen)
3017 return SSL_TLSEXT_ERR_NOACK;
3018
3019 if (protlen == strlen(servalpn)
3020 && memcmp(prot, servalpn, protlen) == 0) {
3021 *out = prot;
3022 *outlen = protlen;
3023 return SSL_TLSEXT_ERR_OK;
3024 }
3025 }
3026
3027 return SSL_TLSEXT_ERR_NOACK;
3028 }
3029
3030 /* Test that a PSK can be used to send early_data */
test_early_data_psk(int idx)3031 static int test_early_data_psk(int idx)
3032 {
3033 SSL_CTX *cctx = NULL, *sctx = NULL;
3034 SSL *clientssl = NULL, *serverssl = NULL;
3035 int testresult = 0;
3036 SSL_SESSION *sess = NULL;
3037 unsigned char alpnlist[] = {
3038 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3039 'l', 'p', 'n'
3040 };
3041 #define GOODALPNLEN 9
3042 #define BADALPNLEN 8
3043 #define GOODALPN (alpnlist)
3044 #define BADALPN (alpnlist + GOODALPNLEN)
3045 int err = 0;
3046 unsigned char buf[20];
3047 size_t readbytes, written;
3048 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3049 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3050
3051 /* We always set this up with a final parameter of "2" for PSK */
3052 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3053 &serverssl, &sess, 2)))
3054 goto end;
3055
3056 servalpn = "goodalpn";
3057
3058 /*
3059 * Note: There is no test for inconsistent SNI with late client detection.
3060 * This is because servers do not acknowledge SNI even if they are using
3061 * it in a resumption handshake - so it is not actually possible for a
3062 * client to detect a problem.
3063 */
3064 switch (idx) {
3065 case 0:
3066 /* Set inconsistent SNI (early client detection) */
3067 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3068 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3069 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3070 goto end;
3071 break;
3072
3073 case 1:
3074 /* Set inconsistent ALPN (early client detection) */
3075 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3076 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3077 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3078 GOODALPNLEN))
3079 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3080 BADALPNLEN)))
3081 goto end;
3082 break;
3083
3084 case 2:
3085 /*
3086 * Set invalid protocol version. Technically this affects PSKs without
3087 * early_data too, but we test it here because it is similar to the
3088 * SNI/ALPN consistency tests.
3089 */
3090 err = SSL_R_BAD_PSK;
3091 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3092 goto end;
3093 break;
3094
3095 case 3:
3096 /*
3097 * Set inconsistent SNI (server side). In this case the connection
3098 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3099 * is associated with each handshake - not the session. Therefore it
3100 * should not matter that we used a different server name last time.
3101 */
3102 SSL_SESSION_free(serverpsk);
3103 serverpsk = SSL_SESSION_dup(clientpsk);
3104 if (!TEST_ptr(serverpsk)
3105 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3106 goto end;
3107 /* Fall through */
3108 case 4:
3109 /* Set consistent SNI */
3110 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3111 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3112 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3113 hostname_cb)))
3114 goto end;
3115 break;
3116
3117 case 5:
3118 /*
3119 * Set inconsistent ALPN (server detected). In this case the connection
3120 * will succeed but reject early_data.
3121 */
3122 servalpn = "badalpn";
3123 edstatus = SSL_EARLY_DATA_REJECTED;
3124 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3125 /* Fall through */
3126 case 6:
3127 /*
3128 * Set consistent ALPN.
3129 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3130 * accepts a list of protos (each one length prefixed).
3131 * SSL_set1_alpn_selected accepts a single protocol (not length
3132 * prefixed)
3133 */
3134 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3135 GOODALPNLEN - 1))
3136 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3137 GOODALPNLEN)))
3138 goto end;
3139
3140 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3141 break;
3142
3143 case 7:
3144 /* Set inconsistent ALPN (late client detection) */
3145 SSL_SESSION_free(serverpsk);
3146 serverpsk = SSL_SESSION_dup(clientpsk);
3147 if (!TEST_ptr(serverpsk)
3148 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3149 BADALPN + 1,
3150 BADALPNLEN - 1))
3151 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3152 GOODALPN + 1,
3153 GOODALPNLEN - 1))
3154 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3155 sizeof(alpnlist))))
3156 goto end;
3157 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3158 edstatus = SSL_EARLY_DATA_ACCEPTED;
3159 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3160 /* SSL_connect() call should fail */
3161 connectres = -1;
3162 break;
3163
3164 default:
3165 TEST_error("Bad test index");
3166 goto end;
3167 }
3168
3169 SSL_set_connect_state(clientssl);
3170 if (err != 0) {
3171 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3172 &written))
3173 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3174 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3175 goto end;
3176 } else {
3177 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3178 &written)))
3179 goto end;
3180
3181 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3182 &readbytes), readearlyres)
3183 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3184 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3185 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3186 || !TEST_int_eq(SSL_connect(clientssl), connectres))
3187 goto end;
3188 }
3189
3190 testresult = 1;
3191
3192 end:
3193 SSL_SESSION_free(sess);
3194 SSL_SESSION_free(clientpsk);
3195 SSL_SESSION_free(serverpsk);
3196 clientpsk = serverpsk = NULL;
3197 SSL_free(serverssl);
3198 SSL_free(clientssl);
3199 SSL_CTX_free(sctx);
3200 SSL_CTX_free(cctx);
3201 return testresult;
3202 }
3203
3204 /*
3205 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
3206 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
3207 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
3208 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3209 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
3210 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
3211 */
test_early_data_psk_with_all_ciphers(int idx)3212 static int test_early_data_psk_with_all_ciphers(int idx)
3213 {
3214 SSL_CTX *cctx = NULL, *sctx = NULL;
3215 SSL *clientssl = NULL, *serverssl = NULL;
3216 int testresult = 0;
3217 SSL_SESSION *sess = NULL;
3218 unsigned char buf[20];
3219 size_t readbytes, written;
3220 const SSL_CIPHER *cipher;
3221 const char *cipher_str[] = {
3222 TLS1_3_RFC_AES_128_GCM_SHA256,
3223 TLS1_3_RFC_AES_256_GCM_SHA384,
3224 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3225 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3226 # else
3227 NULL,
3228 # endif
3229 TLS1_3_RFC_AES_128_CCM_SHA256,
3230 TLS1_3_RFC_AES_128_CCM_8_SHA256
3231 };
3232 const unsigned char *cipher_bytes[] = {
3233 TLS13_AES_128_GCM_SHA256_BYTES,
3234 TLS13_AES_256_GCM_SHA384_BYTES,
3235 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3236 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
3237 # else
3238 NULL,
3239 # endif
3240 TLS13_AES_128_CCM_SHA256_BYTES,
3241 TLS13_AES_128_CCM_8_SHA256_BYTES
3242 };
3243
3244 if (cipher_str[idx] == NULL)
3245 return 1;
3246
3247 /* We always set this up with a final parameter of "2" for PSK */
3248 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3249 &serverssl, &sess, 2)))
3250 goto end;
3251
3252 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
3253 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
3254 goto end;
3255
3256 /*
3257 * 'setupearly_data_test' creates only one instance of SSL_SESSION
3258 * and assigns to both client and server with incremented reference
3259 * and the same instance is updated in 'sess'.
3260 * So updating ciphersuite in 'sess' which will get reflected in
3261 * PSK handshake using psk use sess and find sess cb.
3262 */
3263 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
3264 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
3265 goto end;
3266
3267 SSL_set_connect_state(clientssl);
3268 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3269 &written)))
3270 goto end;
3271
3272 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3273 &readbytes),
3274 SSL_READ_EARLY_DATA_SUCCESS)
3275 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3276 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3277 SSL_EARLY_DATA_ACCEPTED)
3278 || !TEST_int_eq(SSL_connect(clientssl), 1)
3279 || !TEST_int_eq(SSL_accept(serverssl), 1))
3280 goto end;
3281
3282 /* Send some normal data from client to server */
3283 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3284 || !TEST_size_t_eq(written, strlen(MSG2)))
3285 goto end;
3286
3287 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3288 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3289 goto end;
3290
3291 testresult = 1;
3292 end:
3293 SSL_SESSION_free(sess);
3294 SSL_SESSION_free(clientpsk);
3295 SSL_SESSION_free(serverpsk);
3296 clientpsk = serverpsk = NULL;
3297 if (clientssl != NULL)
3298 SSL_shutdown(clientssl);
3299 if (serverssl != NULL)
3300 SSL_shutdown(serverssl);
3301 SSL_free(serverssl);
3302 SSL_free(clientssl);
3303 SSL_CTX_free(sctx);
3304 SSL_CTX_free(cctx);
3305 return testresult;
3306 }
3307
3308 /*
3309 * Test that a server that doesn't try to read early data can handle a
3310 * client sending some.
3311 */
test_early_data_not_expected(int idx)3312 static int test_early_data_not_expected(int idx)
3313 {
3314 SSL_CTX *cctx = NULL, *sctx = NULL;
3315 SSL *clientssl = NULL, *serverssl = NULL;
3316 int testresult = 0;
3317 SSL_SESSION *sess = NULL;
3318 unsigned char buf[20];
3319 size_t readbytes, written;
3320
3321 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3322 &serverssl, &sess, idx)))
3323 goto end;
3324
3325 /* Write some early data */
3326 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3327 &written)))
3328 goto end;
3329
3330 /*
3331 * Server should skip over early data and then block waiting for client to
3332 * continue handshake
3333 */
3334 if (!TEST_int_le(SSL_accept(serverssl), 0)
3335 || !TEST_int_gt(SSL_connect(clientssl), 0)
3336 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3337 SSL_EARLY_DATA_REJECTED)
3338 || !TEST_int_gt(SSL_accept(serverssl), 0)
3339 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3340 SSL_EARLY_DATA_REJECTED))
3341 goto end;
3342
3343 /* Send some normal data from client to server */
3344 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3345 || !TEST_size_t_eq(written, strlen(MSG2)))
3346 goto end;
3347
3348 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3349 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3350 goto end;
3351
3352 testresult = 1;
3353
3354 end:
3355 SSL_SESSION_free(sess);
3356 SSL_SESSION_free(clientpsk);
3357 SSL_SESSION_free(serverpsk);
3358 clientpsk = serverpsk = NULL;
3359 SSL_free(serverssl);
3360 SSL_free(clientssl);
3361 SSL_CTX_free(sctx);
3362 SSL_CTX_free(cctx);
3363 return testresult;
3364 }
3365
3366
3367 # ifndef OPENSSL_NO_TLS1_2
3368 /*
3369 * Test that a server attempting to read early data can handle a connection
3370 * from a TLSv1.2 client.
3371 */
test_early_data_tls1_2(int idx)3372 static int test_early_data_tls1_2(int idx)
3373 {
3374 SSL_CTX *cctx = NULL, *sctx = NULL;
3375 SSL *clientssl = NULL, *serverssl = NULL;
3376 int testresult = 0;
3377 unsigned char buf[20];
3378 size_t readbytes, written;
3379
3380 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3381 &serverssl, NULL, idx)))
3382 goto end;
3383
3384 /* Write some data - should block due to handshake with server */
3385 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
3386 SSL_set_connect_state(clientssl);
3387 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3388 goto end;
3389
3390 /*
3391 * Server should do TLSv1.2 handshake. First it will block waiting for more
3392 * messages from client after ServerDone. Then SSL_read_early_data should
3393 * finish and detect that early data has not been sent
3394 */
3395 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3396 &readbytes),
3397 SSL_READ_EARLY_DATA_ERROR))
3398 goto end;
3399
3400 /*
3401 * Continue writing the message we started earlier. Will still block waiting
3402 * for the CCS/Finished from server
3403 */
3404 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3405 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3406 &readbytes),
3407 SSL_READ_EARLY_DATA_FINISH)
3408 || !TEST_size_t_eq(readbytes, 0)
3409 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3410 SSL_EARLY_DATA_NOT_SENT))
3411 goto end;
3412
3413 /* Continue writing the message we started earlier */
3414 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3415 || !TEST_size_t_eq(written, strlen(MSG1))
3416 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3417 SSL_EARLY_DATA_NOT_SENT)
3418 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3419 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3420 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
3421 || !TEST_size_t_eq(written, strlen(MSG2))
3422 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
3423 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3424 goto end;
3425
3426 testresult = 1;
3427
3428 end:
3429 SSL_SESSION_free(clientpsk);
3430 SSL_SESSION_free(serverpsk);
3431 clientpsk = serverpsk = NULL;
3432 SSL_free(serverssl);
3433 SSL_free(clientssl);
3434 SSL_CTX_free(sctx);
3435 SSL_CTX_free(cctx);
3436
3437 return testresult;
3438 }
3439 # endif /* OPENSSL_NO_TLS1_2 */
3440
3441 /*
3442 * Test configuring the TLSv1.3 ciphersuites
3443 *
3444 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
3445 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
3446 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
3447 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
3448 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3449 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3450 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
3451 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
3452 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
3453 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
3454 */
test_set_ciphersuite(int idx)3455 static int test_set_ciphersuite(int idx)
3456 {
3457 SSL_CTX *cctx = NULL, *sctx = NULL;
3458 SSL *clientssl = NULL, *serverssl = NULL;
3459 int testresult = 0;
3460
3461 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3462 TLS1_VERSION, TLS_MAX_VERSION,
3463 &sctx, &cctx, cert, privkey))
3464 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3465 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
3466 goto end;
3467
3468 if (idx >=4 && idx <= 7) {
3469 /* SSL_CTX explicit cipher list */
3470 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
3471 goto end;
3472 }
3473
3474 if (idx == 0 || idx == 4) {
3475 /* Default ciphersuite */
3476 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3477 "TLS_AES_128_GCM_SHA256")))
3478 goto end;
3479 } else if (idx == 1 || idx == 5) {
3480 /* Non default ciphersuite */
3481 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3482 "TLS_AES_128_CCM_SHA256")))
3483 goto end;
3484 }
3485
3486 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3487 &clientssl, NULL, NULL)))
3488 goto end;
3489
3490 if (idx == 8 || idx == 9) {
3491 /* SSL explicit cipher list */
3492 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
3493 goto end;
3494 }
3495
3496 if (idx == 2 || idx == 6 || idx == 8) {
3497 /* Default ciphersuite */
3498 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3499 "TLS_AES_128_GCM_SHA256")))
3500 goto end;
3501 } else if (idx == 3 || idx == 7 || idx == 9) {
3502 /* Non default ciphersuite */
3503 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3504 "TLS_AES_128_CCM_SHA256")))
3505 goto end;
3506 }
3507
3508 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
3509 goto end;
3510
3511 testresult = 1;
3512
3513 end:
3514 SSL_free(serverssl);
3515 SSL_free(clientssl);
3516 SSL_CTX_free(sctx);
3517 SSL_CTX_free(cctx);
3518
3519 return testresult;
3520 }
3521
test_ciphersuite_change(void)3522 static int test_ciphersuite_change(void)
3523 {
3524 SSL_CTX *cctx = NULL, *sctx = NULL;
3525 SSL *clientssl = NULL, *serverssl = NULL;
3526 SSL_SESSION *clntsess = NULL;
3527 int testresult = 0;
3528 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
3529
3530 /* Create a session based on SHA-256 */
3531 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3532 TLS1_VERSION, TLS_MAX_VERSION,
3533 &sctx, &cctx, cert, privkey))
3534 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
3535 "TLS_AES_128_GCM_SHA256"))
3536 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3537 &clientssl, NULL, NULL))
3538 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3539 SSL_ERROR_NONE)))
3540 goto end;
3541
3542 clntsess = SSL_get1_session(clientssl);
3543 /* Save for later */
3544 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
3545 SSL_shutdown(clientssl);
3546 SSL_shutdown(serverssl);
3547 SSL_free(serverssl);
3548 SSL_free(clientssl);
3549 serverssl = clientssl = NULL;
3550
3551 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3552 /* Check we can resume a session with a different SHA-256 ciphersuite */
3553 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3554 "TLS_CHACHA20_POLY1305_SHA256"))
3555 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3556 NULL, NULL))
3557 || !TEST_true(SSL_set_session(clientssl, clntsess))
3558 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3559 SSL_ERROR_NONE))
3560 || !TEST_true(SSL_session_reused(clientssl)))
3561 goto end;
3562
3563 SSL_SESSION_free(clntsess);
3564 clntsess = SSL_get1_session(clientssl);
3565 SSL_shutdown(clientssl);
3566 SSL_shutdown(serverssl);
3567 SSL_free(serverssl);
3568 SSL_free(clientssl);
3569 serverssl = clientssl = NULL;
3570 # endif
3571
3572 /*
3573 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
3574 * succeeds but does not resume.
3575 */
3576 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3577 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3578 NULL, NULL))
3579 || !TEST_true(SSL_set_session(clientssl, clntsess))
3580 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3581 SSL_ERROR_SSL))
3582 || !TEST_false(SSL_session_reused(clientssl)))
3583 goto end;
3584
3585 SSL_SESSION_free(clntsess);
3586 clntsess = NULL;
3587 SSL_shutdown(clientssl);
3588 SSL_shutdown(serverssl);
3589 SSL_free(serverssl);
3590 SSL_free(clientssl);
3591 serverssl = clientssl = NULL;
3592
3593 /* Create a session based on SHA384 */
3594 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3595 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3596 &clientssl, NULL, NULL))
3597 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3598 SSL_ERROR_NONE)))
3599 goto end;
3600
3601 clntsess = SSL_get1_session(clientssl);
3602 SSL_shutdown(clientssl);
3603 SSL_shutdown(serverssl);
3604 SSL_free(serverssl);
3605 SSL_free(clientssl);
3606 serverssl = clientssl = NULL;
3607
3608 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3609 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
3610 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3611 "TLS_AES_256_GCM_SHA384"))
3612 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3613 NULL, NULL))
3614 || !TEST_true(SSL_set_session(clientssl, clntsess))
3615 /*
3616 * We use SSL_ERROR_WANT_READ below so that we can pause the
3617 * connection after the initial ClientHello has been sent to
3618 * enable us to make some session changes.
3619 */
3620 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3621 SSL_ERROR_WANT_READ)))
3622 goto end;
3623
3624 /* Trick the client into thinking this session is for a different digest */
3625 clntsess->cipher = aes_128_gcm_sha256;
3626 clntsess->cipher_id = clntsess->cipher->id;
3627
3628 /*
3629 * Continue the previously started connection. Server has selected a SHA-384
3630 * ciphersuite, but client thinks the session is for SHA-256, so it should
3631 * bail out.
3632 */
3633 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
3634 SSL_ERROR_SSL))
3635 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
3636 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
3637 goto end;
3638
3639 testresult = 1;
3640
3641 end:
3642 SSL_SESSION_free(clntsess);
3643 SSL_free(serverssl);
3644 SSL_free(clientssl);
3645 SSL_CTX_free(sctx);
3646 SSL_CTX_free(cctx);
3647
3648 return testresult;
3649 }
3650
3651 /*
3652 * Test TLSv1.3 Cipher Suite
3653 * Test 0 = Set TLS1.3 cipher on context
3654 * Test 1 = Set TLS1.3 cipher on SSL
3655 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
3656 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
3657 */
test_tls13_ciphersuite(int idx)3658 static int test_tls13_ciphersuite(int idx)
3659 {
3660 SSL_CTX *sctx = NULL, *cctx = NULL;
3661 SSL *serverssl = NULL, *clientssl = NULL;
3662 static const char *t13_ciphers[] = {
3663 TLS1_3_RFC_AES_128_GCM_SHA256,
3664 TLS1_3_RFC_AES_256_GCM_SHA384,
3665 TLS1_3_RFC_AES_128_CCM_SHA256,
3666 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3667 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3668 TLS1_3_RFC_AES_256_GCM_SHA384 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3669 # endif
3670 TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256
3671 };
3672 const char *t13_cipher = NULL;
3673 const char *t12_cipher = NULL;
3674 const char *negotiated_scipher;
3675 const char *negotiated_ccipher;
3676 int set_at_ctx = 0;
3677 int set_at_ssl = 0;
3678 int testresult = 0;
3679 int max_ver;
3680 size_t i;
3681
3682 switch (idx) {
3683 case 0:
3684 set_at_ctx = 1;
3685 break;
3686 case 1:
3687 set_at_ssl = 1;
3688 break;
3689 case 2:
3690 set_at_ctx = 1;
3691 t12_cipher = TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256;
3692 break;
3693 case 3:
3694 set_at_ssl = 1;
3695 t12_cipher = TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256;
3696 break;
3697 }
3698
3699 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
3700 # ifdef OPENSSL_NO_TLS1_2
3701 if (max_ver == TLS1_2_VERSION)
3702 continue;
3703 # endif
3704 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
3705 t13_cipher = t13_ciphers[i];
3706 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
3707 TLS_client_method(),
3708 TLS1_VERSION, max_ver,
3709 &sctx, &cctx, cert, privkey)))
3710 goto end;
3711
3712 if (set_at_ctx) {
3713 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
3714 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
3715 goto end;
3716 if (t12_cipher != NULL) {
3717 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
3718 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
3719 t12_cipher)))
3720 goto end;
3721 }
3722 }
3723
3724 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3725 &clientssl, NULL, NULL)))
3726 goto end;
3727
3728 if (set_at_ssl) {
3729 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
3730 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
3731 goto end;
3732 if (t12_cipher != NULL) {
3733 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
3734 || !TEST_true(SSL_set_cipher_list(clientssl,
3735 t12_cipher)))
3736 goto end;
3737 }
3738 }
3739
3740 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
3741 SSL_ERROR_NONE)))
3742 goto end;
3743
3744 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
3745 serverssl));
3746 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
3747 clientssl));
3748 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
3749 goto end;
3750
3751 /*
3752 * TEST_strn_eq is used below because t13_cipher can contain
3753 * multiple ciphersuites
3754 */
3755 if (max_ver == TLS1_3_VERSION
3756 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
3757 strlen(negotiated_scipher)))
3758 goto end;
3759
3760 # ifndef OPENSSL_NO_TLS1_2
3761 /* Below validation is not done when t12_cipher is NULL */
3762 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
3763 && !TEST_str_eq(t12_cipher, negotiated_scipher))
3764 goto end;
3765 # endif
3766
3767 SSL_free(serverssl);
3768 serverssl = NULL;
3769 SSL_free(clientssl);
3770 clientssl = NULL;
3771 SSL_CTX_free(sctx);
3772 sctx = NULL;
3773 SSL_CTX_free(cctx);
3774 cctx = NULL;
3775 }
3776 }
3777
3778 testresult = 1;
3779 end:
3780 SSL_free(serverssl);
3781 SSL_free(clientssl);
3782 SSL_CTX_free(sctx);
3783 SSL_CTX_free(cctx);
3784 return testresult;
3785 }
3786
3787 /*
3788 * Test TLSv1.3 PSKs
3789 * Test 0 = Test new style callbacks
3790 * Test 1 = Test both new and old style callbacks
3791 * Test 2 = Test old style callbacks
3792 * Test 3 = Test old style callbacks with no certificate
3793 */
test_tls13_psk(int idx)3794 static int test_tls13_psk(int idx)
3795 {
3796 SSL_CTX *sctx = NULL, *cctx = NULL;
3797 SSL *serverssl = NULL, *clientssl = NULL;
3798 const SSL_CIPHER *cipher = NULL;
3799 const unsigned char key[] = {
3800 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
3801 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
3802 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
3803 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
3804 };
3805 int testresult = 0;
3806
3807 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3808 TLS1_VERSION, TLS_MAX_VERSION,
3809 &sctx, &cctx, idx == 3 ? NULL : cert,
3810 idx == 3 ? NULL : privkey)))
3811 goto end;
3812
3813 if (idx != 3) {
3814 /*
3815 * We use a ciphersuite with SHA256 to ease testing old style PSK
3816 * callbacks which will always default to SHA256. This should not be
3817 * necessary if we have no cert/priv key. In that case the server should
3818 * prefer SHA256 automatically.
3819 */
3820 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3821 "TLS_AES_128_GCM_SHA256")))
3822 goto end;
3823 }
3824
3825 /*
3826 * Test 0: New style callbacks only
3827 * Test 1: New and old style callbacks (only the new ones should be used)
3828 * Test 2: Old style callbacks only
3829 */
3830 if (idx == 0 || idx == 1) {
3831 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
3832 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
3833 }
3834 #ifndef OPENSSL_NO_PSK
3835 if (idx >= 1) {
3836 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
3837 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
3838 }
3839 #endif
3840 srvid = pskid;
3841 use_session_cb_cnt = 0;
3842 find_session_cb_cnt = 0;
3843 psk_client_cb_cnt = 0;
3844 psk_server_cb_cnt = 0;
3845
3846 if (idx != 3) {
3847 /*
3848 * Check we can create a connection if callback decides not to send a
3849 * PSK
3850 */
3851 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3852 NULL, NULL))
3853 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3854 SSL_ERROR_NONE))
3855 || !TEST_false(SSL_session_reused(clientssl))
3856 || !TEST_false(SSL_session_reused(serverssl)))
3857 goto end;
3858
3859 if (idx == 0 || idx == 1) {
3860 if (!TEST_true(use_session_cb_cnt == 1)
3861 || !TEST_true(find_session_cb_cnt == 0)
3862 /*
3863 * If no old style callback then below should be 0
3864 * otherwise 1
3865 */
3866 || !TEST_true(psk_client_cb_cnt == idx)
3867 || !TEST_true(psk_server_cb_cnt == 0))
3868 goto end;
3869 } else {
3870 if (!TEST_true(use_session_cb_cnt == 0)
3871 || !TEST_true(find_session_cb_cnt == 0)
3872 || !TEST_true(psk_client_cb_cnt == 1)
3873 || !TEST_true(psk_server_cb_cnt == 0))
3874 goto end;
3875 }
3876
3877 shutdown_ssl_connection(serverssl, clientssl);
3878 serverssl = clientssl = NULL;
3879 use_session_cb_cnt = psk_client_cb_cnt = 0;
3880 }
3881
3882 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3883 NULL, NULL)))
3884 goto end;
3885
3886 /* Create the PSK */
3887 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
3888 clientpsk = SSL_SESSION_new();
3889 if (!TEST_ptr(clientpsk)
3890 || !TEST_ptr(cipher)
3891 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
3892 sizeof(key)))
3893 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
3894 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
3895 TLS1_3_VERSION))
3896 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
3897 goto end;
3898 serverpsk = clientpsk;
3899
3900 /* Check we can create a connection and the PSK is used */
3901 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3902 || !TEST_true(SSL_session_reused(clientssl))
3903 || !TEST_true(SSL_session_reused(serverssl)))
3904 goto end;
3905
3906 if (idx == 0 || idx == 1) {
3907 if (!TEST_true(use_session_cb_cnt == 1)
3908 || !TEST_true(find_session_cb_cnt == 1)
3909 || !TEST_true(psk_client_cb_cnt == 0)
3910 || !TEST_true(psk_server_cb_cnt == 0))
3911 goto end;
3912 } else {
3913 if (!TEST_true(use_session_cb_cnt == 0)
3914 || !TEST_true(find_session_cb_cnt == 0)
3915 || !TEST_true(psk_client_cb_cnt == 1)
3916 || !TEST_true(psk_server_cb_cnt == 1))
3917 goto end;
3918 }
3919
3920 shutdown_ssl_connection(serverssl, clientssl);
3921 serverssl = clientssl = NULL;
3922 use_session_cb_cnt = find_session_cb_cnt = 0;
3923 psk_client_cb_cnt = psk_server_cb_cnt = 0;
3924
3925 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3926 NULL, NULL)))
3927 goto end;
3928
3929 /* Force an HRR */
3930 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3931 goto end;
3932
3933 /*
3934 * Check we can create a connection, the PSK is used and the callbacks are
3935 * called twice.
3936 */
3937 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3938 || !TEST_true(SSL_session_reused(clientssl))
3939 || !TEST_true(SSL_session_reused(serverssl)))
3940 goto end;
3941
3942 if (idx == 0 || idx == 1) {
3943 if (!TEST_true(use_session_cb_cnt == 2)
3944 || !TEST_true(find_session_cb_cnt == 2)
3945 || !TEST_true(psk_client_cb_cnt == 0)
3946 || !TEST_true(psk_server_cb_cnt == 0))
3947 goto end;
3948 } else {
3949 if (!TEST_true(use_session_cb_cnt == 0)
3950 || !TEST_true(find_session_cb_cnt == 0)
3951 || !TEST_true(psk_client_cb_cnt == 2)
3952 || !TEST_true(psk_server_cb_cnt == 2))
3953 goto end;
3954 }
3955
3956 shutdown_ssl_connection(serverssl, clientssl);
3957 serverssl = clientssl = NULL;
3958 use_session_cb_cnt = find_session_cb_cnt = 0;
3959 psk_client_cb_cnt = psk_server_cb_cnt = 0;
3960
3961 if (idx != 3) {
3962 /*
3963 * Check that if the server rejects the PSK we can still connect, but with
3964 * a full handshake
3965 */
3966 srvid = "Dummy Identity";
3967 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3968 NULL, NULL))
3969 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3970 SSL_ERROR_NONE))
3971 || !TEST_false(SSL_session_reused(clientssl))
3972 || !TEST_false(SSL_session_reused(serverssl)))
3973 goto end;
3974
3975 if (idx == 0 || idx == 1) {
3976 if (!TEST_true(use_session_cb_cnt == 1)
3977 || !TEST_true(find_session_cb_cnt == 1)
3978 || !TEST_true(psk_client_cb_cnt == 0)
3979 /*
3980 * If no old style callback then below should be 0
3981 * otherwise 1
3982 */
3983 || !TEST_true(psk_server_cb_cnt == idx))
3984 goto end;
3985 } else {
3986 if (!TEST_true(use_session_cb_cnt == 0)
3987 || !TEST_true(find_session_cb_cnt == 0)
3988 || !TEST_true(psk_client_cb_cnt == 1)
3989 || !TEST_true(psk_server_cb_cnt == 1))
3990 goto end;
3991 }
3992
3993 shutdown_ssl_connection(serverssl, clientssl);
3994 serverssl = clientssl = NULL;
3995 }
3996 testresult = 1;
3997
3998 end:
3999 SSL_SESSION_free(clientpsk);
4000 SSL_SESSION_free(serverpsk);
4001 clientpsk = serverpsk = NULL;
4002 SSL_free(serverssl);
4003 SSL_free(clientssl);
4004 SSL_CTX_free(sctx);
4005 SSL_CTX_free(cctx);
4006 return testresult;
4007 }
4008
4009 static unsigned char cookie_magic_value[] = "cookie magic";
4010
generate_cookie_callback(SSL * ssl,unsigned char * cookie,unsigned int * cookie_len)4011 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
4012 unsigned int *cookie_len)
4013 {
4014 /*
4015 * Not suitable as a real cookie generation function but good enough for
4016 * testing!
4017 */
4018 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
4019 *cookie_len = sizeof(cookie_magic_value) - 1;
4020
4021 return 1;
4022 }
4023
verify_cookie_callback(SSL * ssl,const unsigned char * cookie,unsigned int cookie_len)4024 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
4025 unsigned int cookie_len)
4026 {
4027 if (cookie_len == sizeof(cookie_magic_value) - 1
4028 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
4029 return 1;
4030
4031 return 0;
4032 }
4033
generate_stateless_cookie_callback(SSL * ssl,unsigned char * cookie,size_t * cookie_len)4034 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
4035 size_t *cookie_len)
4036 {
4037 unsigned int temp;
4038 int res = generate_cookie_callback(ssl, cookie, &temp);
4039 *cookie_len = temp;
4040 return res;
4041 }
4042
verify_stateless_cookie_callback(SSL * ssl,const unsigned char * cookie,size_t cookie_len)4043 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
4044 size_t cookie_len)
4045 {
4046 return verify_cookie_callback(ssl, cookie, cookie_len);
4047 }
4048
test_stateless(void)4049 static int test_stateless(void)
4050 {
4051 SSL_CTX *sctx = NULL, *cctx = NULL;
4052 SSL *serverssl = NULL, *clientssl = NULL;
4053 int testresult = 0;
4054
4055 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4056 TLS1_VERSION, TLS_MAX_VERSION,
4057 &sctx, &cctx, cert, privkey)))
4058 goto end;
4059
4060 /* The arrival of CCS messages can confuse the test */
4061 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
4062
4063 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4064 NULL, NULL))
4065 /* Send the first ClientHello */
4066 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4067 SSL_ERROR_WANT_READ))
4068 /*
4069 * This should fail with a -1 return because we have no callbacks
4070 * set up
4071 */
4072 || !TEST_int_eq(SSL_stateless(serverssl), -1))
4073 goto end;
4074
4075 /* Fatal error so abandon the connection from this client */
4076 SSL_free(clientssl);
4077 clientssl = NULL;
4078
4079 /* Set up the cookie generation and verification callbacks */
4080 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
4081 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
4082
4083 /*
4084 * Create a new connection from the client (we can reuse the server SSL
4085 * object).
4086 */
4087 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4088 NULL, NULL))
4089 /* Send the first ClientHello */
4090 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4091 SSL_ERROR_WANT_READ))
4092 /* This should fail because there is no cookie */
4093 || !TEST_int_eq(SSL_stateless(serverssl), 0))
4094 goto end;
4095
4096 /* Abandon the connection from this client */
4097 SSL_free(clientssl);
4098 clientssl = NULL;
4099
4100 /*
4101 * Now create a connection from a new client but with the same server SSL
4102 * object
4103 */
4104 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4105 NULL, NULL))
4106 /* Send the first ClientHello */
4107 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4108 SSL_ERROR_WANT_READ))
4109 /* This should fail because there is no cookie */
4110 || !TEST_int_eq(SSL_stateless(serverssl), 0)
4111 /* Send the second ClientHello */
4112 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4113 SSL_ERROR_WANT_READ))
4114 /* This should succeed because a cookie is now present */
4115 || !TEST_int_eq(SSL_stateless(serverssl), 1)
4116 /* Complete the connection */
4117 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4118 SSL_ERROR_NONE)))
4119 goto end;
4120
4121 shutdown_ssl_connection(serverssl, clientssl);
4122 serverssl = clientssl = NULL;
4123 testresult = 1;
4124
4125 end:
4126 SSL_free(serverssl);
4127 SSL_free(clientssl);
4128 SSL_CTX_free(sctx);
4129 SSL_CTX_free(cctx);
4130 return testresult;
4131
4132 }
4133 #endif /* OPENSSL_NO_TLS1_3 */
4134
4135 static int clntaddoldcb = 0;
4136 static int clntparseoldcb = 0;
4137 static int srvaddoldcb = 0;
4138 static int srvparseoldcb = 0;
4139 static int clntaddnewcb = 0;
4140 static int clntparsenewcb = 0;
4141 static int srvaddnewcb = 0;
4142 static int srvparsenewcb = 0;
4143 static int snicb = 0;
4144
4145 #define TEST_EXT_TYPE1 0xff00
4146
old_add_cb(SSL * s,unsigned int ext_type,const unsigned char ** out,size_t * outlen,int * al,void * add_arg)4147 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
4148 size_t *outlen, int *al, void *add_arg)
4149 {
4150 int *server = (int *)add_arg;
4151 unsigned char *data;
4152
4153 if (SSL_is_server(s))
4154 srvaddoldcb++;
4155 else
4156 clntaddoldcb++;
4157
4158 if (*server != SSL_is_server(s)
4159 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4160 return -1;
4161
4162 *data = 1;
4163 *out = data;
4164 *outlen = sizeof(char);
4165 return 1;
4166 }
4167
old_free_cb(SSL * s,unsigned int ext_type,const unsigned char * out,void * add_arg)4168 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
4169 void *add_arg)
4170 {
4171 OPENSSL_free((unsigned char *)out);
4172 }
4173
old_parse_cb(SSL * s,unsigned int ext_type,const unsigned char * in,size_t inlen,int * al,void * parse_arg)4174 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
4175 size_t inlen, int *al, void *parse_arg)
4176 {
4177 int *server = (int *)parse_arg;
4178
4179 if (SSL_is_server(s))
4180 srvparseoldcb++;
4181 else
4182 clntparseoldcb++;
4183
4184 if (*server != SSL_is_server(s)
4185 || inlen != sizeof(char)
4186 || *in != 1)
4187 return -1;
4188
4189 return 1;
4190 }
4191
new_add_cb(SSL * s,unsigned int ext_type,unsigned int context,const unsigned char ** out,size_t * outlen,X509 * x,size_t chainidx,int * al,void * add_arg)4192 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
4193 const unsigned char **out, size_t *outlen, X509 *x,
4194 size_t chainidx, int *al, void *add_arg)
4195 {
4196 int *server = (int *)add_arg;
4197 unsigned char *data;
4198
4199 if (SSL_is_server(s))
4200 srvaddnewcb++;
4201 else
4202 clntaddnewcb++;
4203
4204 if (*server != SSL_is_server(s)
4205 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4206 return -1;
4207
4208 *data = 1;
4209 *out = data;
4210 *outlen = sizeof(*data);
4211 return 1;
4212 }
4213
new_free_cb(SSL * s,unsigned int ext_type,unsigned int context,const unsigned char * out,void * add_arg)4214 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
4215 const unsigned char *out, void *add_arg)
4216 {
4217 OPENSSL_free((unsigned char *)out);
4218 }
4219
new_parse_cb(SSL * s,unsigned int ext_type,unsigned int context,const unsigned char * in,size_t inlen,X509 * x,size_t chainidx,int * al,void * parse_arg)4220 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
4221 const unsigned char *in, size_t inlen, X509 *x,
4222 size_t chainidx, int *al, void *parse_arg)
4223 {
4224 int *server = (int *)parse_arg;
4225
4226 if (SSL_is_server(s))
4227 srvparsenewcb++;
4228 else
4229 clntparsenewcb++;
4230
4231 if (*server != SSL_is_server(s)
4232 || inlen != sizeof(char) || *in != 1)
4233 return -1;
4234
4235 return 1;
4236 }
4237
sni_cb(SSL * s,int * al,void * arg)4238 static int sni_cb(SSL *s, int *al, void *arg)
4239 {
4240 SSL_CTX *ctx = (SSL_CTX *)arg;
4241
4242 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
4243 *al = SSL_AD_INTERNAL_ERROR;
4244 return SSL_TLSEXT_ERR_ALERT_FATAL;
4245 }
4246 snicb++;
4247 return SSL_TLSEXT_ERR_OK;
4248 }
4249
verify_cb(int preverify_ok,X509_STORE_CTX * x509_ctx)4250 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
4251 {
4252 return 1;
4253 }
4254
4255 /*
4256 * Custom call back tests.
4257 * Test 0: Old style callbacks in TLSv1.2
4258 * Test 1: New style callbacks in TLSv1.2
4259 * Test 2: New style callbacks in TLSv1.2 with SNI
4260 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
4261 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
4262 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
4263 */
test_custom_exts(int tst)4264 static int test_custom_exts(int tst)
4265 {
4266 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4267 SSL *clientssl = NULL, *serverssl = NULL;
4268 int testresult = 0;
4269 static int server = 1;
4270 static int client = 0;
4271 SSL_SESSION *sess = NULL;
4272 unsigned int context;
4273
4274 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
4275 /* Skip tests for TLSv1.2 and below in this case */
4276 if (tst < 3)
4277 return 1;
4278 #endif
4279
4280 /* Reset callback counters */
4281 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
4282 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
4283 snicb = 0;
4284
4285 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4286 TLS1_VERSION, TLS_MAX_VERSION,
4287 &sctx, &cctx, cert, privkey)))
4288 goto end;
4289
4290 if (tst == 2
4291 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
4292 TLS1_VERSION, TLS_MAX_VERSION,
4293 &sctx2, NULL, cert, privkey)))
4294 goto end;
4295
4296
4297 if (tst < 3) {
4298 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
4299 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
4300 if (sctx2 != NULL)
4301 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
4302 }
4303
4304 if (tst == 5) {
4305 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
4306 | SSL_EXT_TLS1_3_CERTIFICATE;
4307 SSL_CTX_set_verify(sctx,
4308 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
4309 verify_cb);
4310 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
4311 SSL_FILETYPE_PEM), 1)
4312 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
4313 SSL_FILETYPE_PEM), 1)
4314 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
4315 goto end;
4316 } else if (tst == 4) {
4317 context = SSL_EXT_CLIENT_HELLO
4318 | SSL_EXT_TLS1_2_SERVER_HELLO
4319 | SSL_EXT_TLS1_3_SERVER_HELLO
4320 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
4321 | SSL_EXT_TLS1_3_CERTIFICATE
4322 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
4323 } else {
4324 context = SSL_EXT_CLIENT_HELLO
4325 | SSL_EXT_TLS1_2_SERVER_HELLO
4326 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
4327 }
4328
4329 /* Create a client side custom extension */
4330 if (tst == 0) {
4331 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4332 old_add_cb, old_free_cb,
4333 &client, old_parse_cb,
4334 &client)))
4335 goto end;
4336 } else {
4337 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
4338 new_add_cb, new_free_cb,
4339 &client, new_parse_cb, &client)))
4340 goto end;
4341 }
4342
4343 /* Should not be able to add duplicates */
4344 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4345 old_add_cb, old_free_cb,
4346 &client, old_parse_cb,
4347 &client))
4348 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
4349 context, new_add_cb,
4350 new_free_cb, &client,
4351 new_parse_cb, &client)))
4352 goto end;
4353
4354 /* Create a server side custom extension */
4355 if (tst == 0) {
4356 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4357 old_add_cb, old_free_cb,
4358 &server, old_parse_cb,
4359 &server)))
4360 goto end;
4361 } else {
4362 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
4363 new_add_cb, new_free_cb,
4364 &server, new_parse_cb, &server)))
4365 goto end;
4366 if (sctx2 != NULL
4367 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
4368 context, new_add_cb,
4369 new_free_cb, &server,
4370 new_parse_cb, &server)))
4371 goto end;
4372 }
4373
4374 /* Should not be able to add duplicates */
4375 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4376 old_add_cb, old_free_cb,
4377 &server, old_parse_cb,
4378 &server))
4379 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
4380 context, new_add_cb,
4381 new_free_cb, &server,
4382 new_parse_cb, &server)))
4383 goto end;
4384
4385 if (tst == 2) {
4386 /* Set up SNI */
4387 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
4388 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
4389 goto end;
4390 }
4391
4392 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4393 &clientssl, NULL, NULL))
4394 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4395 SSL_ERROR_NONE)))
4396 goto end;
4397
4398 if (tst == 0) {
4399 if (clntaddoldcb != 1
4400 || clntparseoldcb != 1
4401 || srvaddoldcb != 1
4402 || srvparseoldcb != 1)
4403 goto end;
4404 } else if (tst == 1 || tst == 2 || tst == 3) {
4405 if (clntaddnewcb != 1
4406 || clntparsenewcb != 1
4407 || srvaddnewcb != 1
4408 || srvparsenewcb != 1
4409 || (tst != 2 && snicb != 0)
4410 || (tst == 2 && snicb != 1))
4411 goto end;
4412 } else if (tst == 5) {
4413 if (clntaddnewcb != 1
4414 || clntparsenewcb != 1
4415 || srvaddnewcb != 1
4416 || srvparsenewcb != 1)
4417 goto end;
4418 } else {
4419 /* In this case there 2 NewSessionTicket messages created */
4420 if (clntaddnewcb != 1
4421 || clntparsenewcb != 5
4422 || srvaddnewcb != 5
4423 || srvparsenewcb != 1)
4424 goto end;
4425 }
4426
4427 sess = SSL_get1_session(clientssl);
4428 SSL_shutdown(clientssl);
4429 SSL_shutdown(serverssl);
4430 SSL_free(serverssl);
4431 SSL_free(clientssl);
4432 serverssl = clientssl = NULL;
4433
4434 if (tst == 3 || tst == 5) {
4435 /* We don't bother with the resumption aspects for these tests */
4436 testresult = 1;
4437 goto end;
4438 }
4439
4440 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4441 NULL, NULL))
4442 || !TEST_true(SSL_set_session(clientssl, sess))
4443 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4444 SSL_ERROR_NONE)))
4445 goto end;
4446
4447 /*
4448 * For a resumed session we expect to add the ClientHello extension. For the
4449 * old style callbacks we ignore it on the server side because they set
4450 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
4451 * them.
4452 */
4453 if (tst == 0) {
4454 if (clntaddoldcb != 2
4455 || clntparseoldcb != 1
4456 || srvaddoldcb != 1
4457 || srvparseoldcb != 1)
4458 goto end;
4459 } else if (tst == 1 || tst == 2 || tst == 3) {
4460 if (clntaddnewcb != 2
4461 || clntparsenewcb != 2
4462 || srvaddnewcb != 2
4463 || srvparsenewcb != 2)
4464 goto end;
4465 } else {
4466 /*
4467 * No Certificate message extensions in the resumption handshake,
4468 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
4469 */
4470 if (clntaddnewcb != 2
4471 || clntparsenewcb != 8
4472 || srvaddnewcb != 8
4473 || srvparsenewcb != 2)
4474 goto end;
4475 }
4476
4477 testresult = 1;
4478
4479 end:
4480 SSL_SESSION_free(sess);
4481 SSL_free(serverssl);
4482 SSL_free(clientssl);
4483 SSL_CTX_free(sctx2);
4484 SSL_CTX_free(sctx);
4485 SSL_CTX_free(cctx);
4486 return testresult;
4487 }
4488
4489 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
4490
4491 #define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \
4492 | SSL_EXT_CLIENT_HELLO \
4493 | SSL_EXT_TLS1_2_SERVER_HELLO \
4494 | SSL_EXT_IGNORE_ON_RESUMPTION)
4495
4496 #define TLS13CONTEXT (SSL_EXT_TLS1_3_CERTIFICATE \
4497 | SSL_EXT_TLS1_2_SERVER_HELLO \
4498 | SSL_EXT_CLIENT_HELLO)
4499
4500 #define SERVERINFO_CUSTOM \
4501 0x00, (char)TLSEXT_TYPE_signed_certificate_timestamp, \
4502 0x00, 0x03, \
4503 0x04, 0x05, 0x06 \
4504
4505 static const unsigned char serverinfo_custom_tls13[] = {
4506 0x00, 0x00, (TLS13CONTEXT >> 8) & 0xff, TLS13CONTEXT & 0xff,
4507 SERVERINFO_CUSTOM
4508 };
4509 static const unsigned char serverinfo_custom_v2[] = {
4510 0x00, 0x00, (SYNTHV1CONTEXT >> 8) & 0xff, SYNTHV1CONTEXT & 0xff,
4511 SERVERINFO_CUSTOM
4512 };
4513 static const unsigned char serverinfo_custom_v1[] = {
4514 SERVERINFO_CUSTOM
4515 };
4516 static const size_t serverinfo_custom_tls13_len = sizeof(serverinfo_custom_tls13);
4517 static const size_t serverinfo_custom_v2_len = sizeof(serverinfo_custom_v2);
4518 static const size_t serverinfo_custom_v1_len = sizeof(serverinfo_custom_v1);
4519
serverinfo_custom_parse_cb(SSL * s,unsigned int ext_type,unsigned int context,const unsigned char * in,size_t inlen,X509 * x,size_t chainidx,int * al,void * parse_arg)4520 static int serverinfo_custom_parse_cb(SSL *s, unsigned int ext_type,
4521 unsigned int context,
4522 const unsigned char *in,
4523 size_t inlen, X509 *x,
4524 size_t chainidx, int *al,
4525 void *parse_arg)
4526 {
4527 const size_t len = serverinfo_custom_v1_len;
4528 const unsigned char *si = &serverinfo_custom_v1[len - 3];
4529 int *p_cb_result = (int*)parse_arg;
4530 *p_cb_result = TEST_mem_eq(in, inlen, si, 3);
4531 return 1;
4532 }
4533
test_serverinfo_custom(const int idx)4534 static int test_serverinfo_custom(const int idx)
4535 {
4536 SSL_CTX *sctx = NULL, *cctx = NULL;
4537 SSL *clientssl = NULL, *serverssl = NULL;
4538 int testresult = 0;
4539 int cb_result = 0;
4540
4541 /*
4542 * Following variables are set in the switch statement
4543 * according to the test iteration.
4544 * Default values do not make much sense: test would fail with them.
4545 */
4546 int serverinfo_version = 0;
4547 int protocol_version = 0;
4548 unsigned int extension_context = 0;
4549 const unsigned char *si = NULL;
4550 size_t si_len = 0;
4551
4552 const int call_use_serverinfo_ex = idx > 0;
4553 switch (idx) {
4554 case 0: /* FALLTHROUGH */
4555 case 1:
4556 serverinfo_version = SSL_SERVERINFOV1;
4557 protocol_version = TLS1_2_VERSION;
4558 extension_context = SYNTHV1CONTEXT;
4559 si = serverinfo_custom_v1;
4560 si_len = serverinfo_custom_v1_len;
4561 break;
4562 case 2:
4563 serverinfo_version = SSL_SERVERINFOV2;
4564 protocol_version = TLS1_2_VERSION;
4565 extension_context = SYNTHV1CONTEXT;
4566 si = serverinfo_custom_v2;
4567 si_len = serverinfo_custom_v2_len;
4568 break;
4569 case 3:
4570 serverinfo_version = SSL_SERVERINFOV2;
4571 protocol_version = TLS1_3_VERSION;
4572 extension_context = TLS13CONTEXT;
4573 si = serverinfo_custom_tls13;
4574 si_len = serverinfo_custom_tls13_len;
4575 break;
4576 }
4577
4578 if (!TEST_true(create_ssl_ctx_pair(TLS_method(),
4579 TLS_method(),
4580 protocol_version,
4581 protocol_version,
4582 &sctx, &cctx, cert, privkey)))
4583 goto end;
4584
4585 if (call_use_serverinfo_ex) {
4586 if (!TEST_true(SSL_CTX_use_serverinfo_ex(sctx, serverinfo_version,
4587 si, si_len)))
4588 goto end;
4589 } else {
4590 if (!TEST_true(SSL_CTX_use_serverinfo(sctx, si, si_len)))
4591 goto end;
4592 }
4593
4594 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TLSEXT_TYPE_signed_certificate_timestamp,
4595 extension_context,
4596 NULL, NULL, NULL,
4597 serverinfo_custom_parse_cb,
4598 &cb_result))
4599 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4600 NULL, NULL))
4601 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4602 SSL_ERROR_NONE))
4603 || !TEST_int_eq(SSL_do_handshake(clientssl), 1))
4604 goto end;
4605
4606 if (!TEST_true(cb_result))
4607 goto end;
4608
4609 testresult = 1;
4610
4611 end:
4612 SSL_free(serverssl);
4613 SSL_free(clientssl);
4614 SSL_CTX_free(sctx);
4615 SSL_CTX_free(cctx);
4616
4617 return testresult;
4618 }
4619 #endif
4620
4621 /*
4622 * Test that SSL_export_keying_material() produces expected results. There are
4623 * no test vectors so all we do is test that both sides of the communication
4624 * produce the same results for different protocol versions.
4625 */
4626 #define SMALL_LABEL_LEN 10
4627 #define LONG_LABEL_LEN 249
test_export_key_mat(int tst)4628 static int test_export_key_mat(int tst)
4629 {
4630 int testresult = 0;
4631 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4632 SSL *clientssl = NULL, *serverssl = NULL;
4633 const char label[LONG_LABEL_LEN + 1] = "test label";
4634 const unsigned char context[] = "context";
4635 const unsigned char *emptycontext = NULL;
4636 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
4637 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
4638 size_t labellen;
4639 const int protocols[] = {
4640 TLS1_VERSION,
4641 TLS1_1_VERSION,
4642 TLS1_2_VERSION,
4643 TLS1_3_VERSION,
4644 TLS1_3_VERSION,
4645 TLS1_3_VERSION
4646 };
4647
4648 #ifdef OPENSSL_NO_TLS1
4649 if (tst == 0)
4650 return 1;
4651 #endif
4652 #ifdef OPENSSL_NO_TLS1_1
4653 if (tst == 1)
4654 return 1;
4655 #endif
4656 #ifdef OPENSSL_NO_TLS1_2
4657 if (tst == 2)
4658 return 1;
4659 #endif
4660 #ifdef OPENSSL_NO_TLS1_3
4661 if (tst >= 3)
4662 return 1;
4663 #endif
4664 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4665 TLS1_VERSION, TLS_MAX_VERSION,
4666 &sctx, &cctx, cert, privkey)))
4667 goto end;
4668
4669 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
4670 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
4671 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
4672
4673 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4674 NULL)))
4675 goto end;
4676
4677 /*
4678 * Premature call of SSL_export_keying_material should just fail.
4679 */
4680 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
4681 sizeof(ckeymat1), label,
4682 SMALL_LABEL_LEN + 1, context,
4683 sizeof(context) - 1, 1), 0))
4684 goto end;
4685
4686 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4687 SSL_ERROR_NONE)))
4688 goto end;
4689
4690 if (tst == 5) {
4691 /*
4692 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
4693 * go over that.
4694 */
4695 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
4696 sizeof(ckeymat1), label,
4697 LONG_LABEL_LEN + 1, context,
4698 sizeof(context) - 1, 1), 0))
4699 goto end;
4700
4701 testresult = 1;
4702 goto end;
4703 } else if (tst == 4) {
4704 labellen = LONG_LABEL_LEN;
4705 } else {
4706 labellen = SMALL_LABEL_LEN;
4707 }
4708
4709 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
4710 sizeof(ckeymat1), label,
4711 labellen, context,
4712 sizeof(context) - 1, 1), 1)
4713 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
4714 sizeof(ckeymat2), label,
4715 labellen,
4716 emptycontext,
4717 0, 1), 1)
4718 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
4719 sizeof(ckeymat3), label,
4720 labellen,
4721 NULL, 0, 0), 1)
4722 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
4723 sizeof(skeymat1), label,
4724 labellen,
4725 context,
4726 sizeof(context) -1, 1),
4727 1)
4728 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
4729 sizeof(skeymat2), label,
4730 labellen,
4731 emptycontext,
4732 0, 1), 1)
4733 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
4734 sizeof(skeymat3), label,
4735 labellen,
4736 NULL, 0, 0), 1)
4737 /*
4738 * Check that both sides created the same key material with the
4739 * same context.
4740 */
4741 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4742 sizeof(skeymat1))
4743 /*
4744 * Check that both sides created the same key material with an
4745 * empty context.
4746 */
4747 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4748 sizeof(skeymat2))
4749 /*
4750 * Check that both sides created the same key material without a
4751 * context.
4752 */
4753 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
4754 sizeof(skeymat3))
4755 /* Different contexts should produce different results */
4756 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4757 sizeof(ckeymat2)))
4758 goto end;
4759
4760 /*
4761 * Check that an empty context and no context produce different results in
4762 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
4763 */
4764 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
4765 sizeof(ckeymat3)))
4766 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
4767 sizeof(ckeymat3))))
4768 goto end;
4769
4770 testresult = 1;
4771
4772 end:
4773 SSL_free(serverssl);
4774 SSL_free(clientssl);
4775 SSL_CTX_free(sctx2);
4776 SSL_CTX_free(sctx);
4777 SSL_CTX_free(cctx);
4778
4779 return testresult;
4780 }
4781
4782 #ifndef OPENSSL_NO_TLS1_3
4783 /*
4784 * Test that SSL_export_keying_material_early() produces expected
4785 * results. There are no test vectors so all we do is test that both
4786 * sides of the communication produce the same results for different
4787 * protocol versions.
4788 */
test_export_key_mat_early(int idx)4789 static int test_export_key_mat_early(int idx)
4790 {
4791 static const char label[] = "test label";
4792 static const unsigned char context[] = "context";
4793 int testresult = 0;
4794 SSL_CTX *cctx = NULL, *sctx = NULL;
4795 SSL *clientssl = NULL, *serverssl = NULL;
4796 SSL_SESSION *sess = NULL;
4797 const unsigned char *emptycontext = NULL;
4798 unsigned char ckeymat1[80], ckeymat2[80];
4799 unsigned char skeymat1[80], skeymat2[80];
4800 unsigned char buf[1];
4801 size_t readbytes, written;
4802
4803 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
4804 &sess, idx)))
4805 goto end;
4806
4807 /* Here writing 0 length early data is enough. */
4808 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
4809 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4810 &readbytes),
4811 SSL_READ_EARLY_DATA_ERROR)
4812 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4813 SSL_EARLY_DATA_ACCEPTED))
4814 goto end;
4815
4816 if (!TEST_int_eq(SSL_export_keying_material_early(
4817 clientssl, ckeymat1, sizeof(ckeymat1), label,
4818 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4819 || !TEST_int_eq(SSL_export_keying_material_early(
4820 clientssl, ckeymat2, sizeof(ckeymat2), label,
4821 sizeof(label) - 1, emptycontext, 0), 1)
4822 || !TEST_int_eq(SSL_export_keying_material_early(
4823 serverssl, skeymat1, sizeof(skeymat1), label,
4824 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4825 || !TEST_int_eq(SSL_export_keying_material_early(
4826 serverssl, skeymat2, sizeof(skeymat2), label,
4827 sizeof(label) - 1, emptycontext, 0), 1)
4828 /*
4829 * Check that both sides created the same key material with the
4830 * same context.
4831 */
4832 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4833 sizeof(skeymat1))
4834 /*
4835 * Check that both sides created the same key material with an
4836 * empty context.
4837 */
4838 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4839 sizeof(skeymat2))
4840 /* Different contexts should produce different results */
4841 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4842 sizeof(ckeymat2)))
4843 goto end;
4844
4845 testresult = 1;
4846
4847 end:
4848 SSL_SESSION_free(sess);
4849 SSL_SESSION_free(clientpsk);
4850 SSL_SESSION_free(serverpsk);
4851 clientpsk = serverpsk = NULL;
4852 SSL_free(serverssl);
4853 SSL_free(clientssl);
4854 SSL_CTX_free(sctx);
4855 SSL_CTX_free(cctx);
4856
4857 return testresult;
4858 }
4859
4860 #define NUM_KEY_UPDATE_MESSAGES 40
4861 /*
4862 * Test KeyUpdate.
4863 */
test_key_update(void)4864 static int test_key_update(void)
4865 {
4866 SSL_CTX *cctx = NULL, *sctx = NULL;
4867 SSL *clientssl = NULL, *serverssl = NULL;
4868 int testresult = 0, i, j;
4869 char buf[20];
4870 static char *mess = "A test message";
4871
4872 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4873 TLS_client_method(),
4874 TLS1_3_VERSION,
4875 0,
4876 &sctx, &cctx, cert, privkey))
4877 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4878 NULL, NULL))
4879 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4880 SSL_ERROR_NONE)))
4881 goto end;
4882
4883 for (j = 0; j < 2; j++) {
4884 /* Send lots of KeyUpdate messages */
4885 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
4886 if (!TEST_true(SSL_key_update(clientssl,
4887 (j == 0)
4888 ? SSL_KEY_UPDATE_NOT_REQUESTED
4889 : SSL_KEY_UPDATE_REQUESTED))
4890 || !TEST_true(SSL_do_handshake(clientssl)))
4891 goto end;
4892 }
4893
4894 /* Check that sending and receiving app data is ok */
4895 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
4896 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
4897 strlen(mess)))
4898 goto end;
4899
4900 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
4901 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
4902 strlen(mess)))
4903 goto end;
4904 }
4905
4906 testresult = 1;
4907
4908 end:
4909 SSL_free(serverssl);
4910 SSL_free(clientssl);
4911 SSL_CTX_free(sctx);
4912 SSL_CTX_free(cctx);
4913
4914 return testresult;
4915 }
4916
4917 /*
4918 * Test we can handle a KeyUpdate (update requested) message while write data
4919 * is pending.
4920 * Test 0: Client sends KeyUpdate while Server is writing
4921 * Test 1: Server sends KeyUpdate while Client is writing
4922 */
test_key_update_in_write(int tst)4923 static int test_key_update_in_write(int tst)
4924 {
4925 SSL_CTX *cctx = NULL, *sctx = NULL;
4926 SSL *clientssl = NULL, *serverssl = NULL;
4927 int testresult = 0;
4928 char buf[20];
4929 static char *mess = "A test message";
4930 BIO *bretry = BIO_new(bio_s_always_retry());
4931 BIO *tmp = NULL;
4932 SSL *peerupdate = NULL, *peerwrite = NULL;
4933
4934 if (!TEST_ptr(bretry)
4935 || !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4936 TLS_client_method(),
4937 TLS1_3_VERSION,
4938 0,
4939 &sctx, &cctx, cert, privkey))
4940 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4941 NULL, NULL))
4942 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4943 SSL_ERROR_NONE)))
4944 goto end;
4945
4946 peerupdate = tst == 0 ? clientssl : serverssl;
4947 peerwrite = tst == 0 ? serverssl : clientssl;
4948
4949 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
4950 || !TEST_true(SSL_do_handshake(peerupdate)))
4951 goto end;
4952
4953 /* Swap the writing endpoint's write BIO to force a retry */
4954 tmp = SSL_get_wbio(peerwrite);
4955 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
4956 tmp = NULL;
4957 goto end;
4958 }
4959 SSL_set0_wbio(peerwrite, bretry);
4960 bretry = NULL;
4961
4962 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
4963 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
4964 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
4965 goto end;
4966
4967 /* Reinstate the original writing endpoint's write BIO */
4968 SSL_set0_wbio(peerwrite, tmp);
4969 tmp = NULL;
4970
4971 /* Now read some data - we will read the key update */
4972 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
4973 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
4974 goto end;
4975
4976 /*
4977 * Complete the write we started previously and read it from the other
4978 * endpoint
4979 */
4980 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
4981 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
4982 goto end;
4983
4984 /* Write more data to ensure we send the KeyUpdate message back */
4985 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
4986 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
4987 goto end;
4988
4989 testresult = 1;
4990
4991 end:
4992 SSL_free(serverssl);
4993 SSL_free(clientssl);
4994 SSL_CTX_free(sctx);
4995 SSL_CTX_free(cctx);
4996 BIO_free(bretry);
4997 BIO_free(tmp);
4998
4999 return testresult;
5000 }
5001 #endif /* OPENSSL_NO_TLS1_3 */
5002
test_ssl_clear(int idx)5003 static int test_ssl_clear(int idx)
5004 {
5005 SSL_CTX *cctx = NULL, *sctx = NULL;
5006 SSL *clientssl = NULL, *serverssl = NULL;
5007 int testresult = 0;
5008
5009 #ifdef OPENSSL_NO_TLS1_2
5010 if (idx == 1)
5011 return 1;
5012 #endif
5013
5014 /* Create an initial connection */
5015 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5016 TLS1_VERSION, TLS_MAX_VERSION,
5017 &sctx, &cctx, cert, privkey))
5018 || (idx == 1
5019 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
5020 TLS1_2_VERSION)))
5021 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5022 &clientssl, NULL, NULL))
5023 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5024 SSL_ERROR_NONE)))
5025 goto end;
5026
5027 SSL_shutdown(clientssl);
5028 SSL_shutdown(serverssl);
5029 SSL_free(serverssl);
5030 serverssl = NULL;
5031
5032 /* Clear clientssl - we're going to reuse the object */
5033 if (!TEST_true(SSL_clear(clientssl)))
5034 goto end;
5035
5036 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5037 NULL, NULL))
5038 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5039 SSL_ERROR_NONE))
5040 || !TEST_true(SSL_session_reused(clientssl)))
5041 goto end;
5042
5043 SSL_shutdown(clientssl);
5044 SSL_shutdown(serverssl);
5045
5046 testresult = 1;
5047
5048 end:
5049 SSL_free(serverssl);
5050 SSL_free(clientssl);
5051 SSL_CTX_free(sctx);
5052 SSL_CTX_free(cctx);
5053
5054 return testresult;
5055 }
5056
5057 /* Parse CH and retrieve any MFL extension value if present */
get_MFL_from_client_hello(BIO * bio,int * mfl_codemfl_code)5058 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
5059 {
5060 long len;
5061 unsigned char *data;
5062 PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0};
5063 unsigned int MFL_code = 0, type = 0;
5064
5065 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
5066 goto end;
5067
5068 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
5069 /* Skip the record header */
5070 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
5071 /* Skip the handshake message header */
5072 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
5073 /* Skip client version and random */
5074 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
5075 + SSL3_RANDOM_SIZE))
5076 /* Skip session id */
5077 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5078 /* Skip ciphers */
5079 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
5080 /* Skip compression */
5081 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5082 /* Extensions len */
5083 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
5084 goto end;
5085
5086 /* Loop through all extensions */
5087 while (PACKET_remaining(&pkt2)) {
5088 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
5089 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
5090 goto end;
5091
5092 if (type == TLSEXT_TYPE_max_fragment_length) {
5093 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
5094 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
5095 goto end;
5096
5097 *mfl_codemfl_code = MFL_code;
5098 return 1;
5099 }
5100 }
5101
5102 end:
5103 return 0;
5104 }
5105
5106 /* Maximum-Fragment-Length TLS extension mode to test */
5107 static const unsigned char max_fragment_len_test[] = {
5108 TLSEXT_max_fragment_length_512,
5109 TLSEXT_max_fragment_length_1024,
5110 TLSEXT_max_fragment_length_2048,
5111 TLSEXT_max_fragment_length_4096
5112 };
5113
test_max_fragment_len_ext(int idx_tst)5114 static int test_max_fragment_len_ext(int idx_tst)
5115 {
5116 SSL_CTX *ctx;
5117 SSL *con = NULL;
5118 int testresult = 0, MFL_mode = 0;
5119 BIO *rbio, *wbio;
5120
5121 ctx = SSL_CTX_new(TLS_method());
5122 if (!TEST_ptr(ctx))
5123 goto end;
5124
5125 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
5126 ctx, max_fragment_len_test[idx_tst])))
5127 goto end;
5128
5129 con = SSL_new(ctx);
5130 if (!TEST_ptr(con))
5131 goto end;
5132
5133 rbio = BIO_new(BIO_s_mem());
5134 wbio = BIO_new(BIO_s_mem());
5135 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
5136 BIO_free(rbio);
5137 BIO_free(wbio);
5138 goto end;
5139 }
5140
5141 SSL_set_bio(con, rbio, wbio);
5142 SSL_set_connect_state(con);
5143
5144 if (!TEST_int_le(SSL_connect(con), 0)) {
5145 /* This shouldn't succeed because we don't have a server! */
5146 goto end;
5147 }
5148
5149 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
5150 /* no MFL in client hello */
5151 goto end;
5152 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
5153 goto end;
5154
5155 testresult = 1;
5156
5157 end:
5158 SSL_free(con);
5159 SSL_CTX_free(ctx);
5160
5161 return testresult;
5162 }
5163
5164 #ifndef OPENSSL_NO_TLS1_3
test_pha_key_update(void)5165 static int test_pha_key_update(void)
5166 {
5167 SSL_CTX *cctx = NULL, *sctx = NULL;
5168 SSL *clientssl = NULL, *serverssl = NULL;
5169 int testresult = 0;
5170
5171 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5172 TLS1_VERSION, TLS_MAX_VERSION,
5173 &sctx, &cctx, cert, privkey)))
5174 return 0;
5175
5176 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
5177 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
5178 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
5179 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
5180 goto end;
5181
5182 SSL_CTX_set_post_handshake_auth(cctx, 1);
5183
5184 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5185 NULL, NULL)))
5186 goto end;
5187
5188 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5189 SSL_ERROR_NONE)))
5190 goto end;
5191
5192 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
5193 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
5194 goto end;
5195
5196 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
5197 goto end;
5198
5199 /* Start handshake on the server */
5200 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
5201 goto end;
5202
5203 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
5204 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5205 SSL_ERROR_NONE)))
5206 goto end;
5207
5208 SSL_shutdown(clientssl);
5209 SSL_shutdown(serverssl);
5210
5211 testresult = 1;
5212
5213 end:
5214 SSL_free(serverssl);
5215 SSL_free(clientssl);
5216 SSL_CTX_free(sctx);
5217 SSL_CTX_free(cctx);
5218 return testresult;
5219 }
5220 #endif
5221
5222 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5223
5224 static SRP_VBASE *vbase = NULL;
5225
ssl_srp_cb(SSL * s,int * ad,void * arg)5226 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
5227 {
5228 int ret = SSL3_AL_FATAL;
5229 char *username;
5230 SRP_user_pwd *user = NULL;
5231
5232 username = SSL_get_srp_username(s);
5233 if (username == NULL) {
5234 *ad = SSL_AD_INTERNAL_ERROR;
5235 goto err;
5236 }
5237
5238 user = SRP_VBASE_get1_by_user(vbase, username);
5239 if (user == NULL) {
5240 *ad = SSL_AD_INTERNAL_ERROR;
5241 goto err;
5242 }
5243
5244 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
5245 user->info) <= 0) {
5246 *ad = SSL_AD_INTERNAL_ERROR;
5247 goto err;
5248 }
5249
5250 ret = 0;
5251
5252 err:
5253 SRP_user_pwd_free(user);
5254 return ret;
5255 }
5256
create_new_vfile(char * userid,char * password,const char * filename)5257 static int create_new_vfile(char *userid, char *password, const char *filename)
5258 {
5259 char *gNid = NULL;
5260 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
5261 TXT_DB *db = NULL;
5262 int ret = 0;
5263 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
5264 size_t i;
5265
5266 if (!TEST_ptr(dummy) || !TEST_ptr(row))
5267 goto end;
5268
5269 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
5270 &row[DB_srpverifier], NULL, NULL);
5271 if (!TEST_ptr(gNid))
5272 goto end;
5273
5274 /*
5275 * The only way to create an empty TXT_DB is to provide a BIO with no data
5276 * in it!
5277 */
5278 db = TXT_DB_read(dummy, DB_NUMBER);
5279 if (!TEST_ptr(db))
5280 goto end;
5281
5282 out = BIO_new_file(filename, "w");
5283 if (!TEST_ptr(out))
5284 goto end;
5285
5286 row[DB_srpid] = OPENSSL_strdup(userid);
5287 row[DB_srptype] = OPENSSL_strdup("V");
5288 row[DB_srpgN] = OPENSSL_strdup(gNid);
5289
5290 if (!TEST_ptr(row[DB_srpid])
5291 || !TEST_ptr(row[DB_srptype])
5292 || !TEST_ptr(row[DB_srpgN])
5293 || !TEST_true(TXT_DB_insert(db, row)))
5294 goto end;
5295
5296 row = NULL;
5297
5298 if (!TXT_DB_write(out, db))
5299 goto end;
5300
5301 ret = 1;
5302 end:
5303 if (row != NULL) {
5304 for (i = 0; i < DB_NUMBER; i++)
5305 OPENSSL_free(row[i]);
5306 }
5307 OPENSSL_free(row);
5308 BIO_free(dummy);
5309 BIO_free(out);
5310 TXT_DB_free(db);
5311
5312 return ret;
5313 }
5314
create_new_vbase(char * userid,char * password)5315 static int create_new_vbase(char *userid, char *password)
5316 {
5317 BIGNUM *verifier = NULL, *salt = NULL;
5318 const SRP_gN *lgN = NULL;
5319 SRP_user_pwd *user_pwd = NULL;
5320 int ret = 0;
5321
5322 lgN = SRP_get_default_gN(NULL);
5323 if (!TEST_ptr(lgN))
5324 goto end;
5325
5326 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
5327 lgN->N, lgN->g)))
5328 goto end;
5329
5330 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
5331 if (!TEST_ptr(user_pwd))
5332 goto end;
5333
5334 user_pwd->N = lgN->N;
5335 user_pwd->g = lgN->g;
5336 user_pwd->id = OPENSSL_strdup(userid);
5337 if (!TEST_ptr(user_pwd->id))
5338 goto end;
5339
5340 user_pwd->v = verifier;
5341 user_pwd->s = salt;
5342 verifier = salt = NULL;
5343
5344 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
5345 goto end;
5346 user_pwd = NULL;
5347
5348 ret = 1;
5349 end:
5350 SRP_user_pwd_free(user_pwd);
5351 BN_free(salt);
5352 BN_free(verifier);
5353
5354 return ret;
5355 }
5356
5357 /*
5358 * SRP tests
5359 *
5360 * Test 0: Simple successful SRP connection, new vbase
5361 * Test 1: Connection failure due to bad password, new vbase
5362 * Test 2: Simple successful SRP connection, vbase loaded from existing file
5363 * Test 3: Connection failure due to bad password, vbase loaded from existing
5364 * file
5365 * Test 4: Simple successful SRP connection, vbase loaded from new file
5366 * Test 5: Connection failure due to bad password, vbase loaded from new file
5367 */
test_srp(int tst)5368 static int test_srp(int tst)
5369 {
5370 char *userid = "test", *password = "password", *tstsrpfile;
5371 SSL_CTX *cctx = NULL, *sctx = NULL;
5372 SSL *clientssl = NULL, *serverssl = NULL;
5373 int ret, testresult = 0;
5374
5375 vbase = SRP_VBASE_new(NULL);
5376 if (!TEST_ptr(vbase))
5377 goto end;
5378
5379 if (tst == 0 || tst == 1) {
5380 if (!TEST_true(create_new_vbase(userid, password)))
5381 goto end;
5382 } else {
5383 if (tst == 4 || tst == 5) {
5384 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
5385 goto end;
5386 tstsrpfile = tmpfilename;
5387 } else {
5388 tstsrpfile = srpvfile;
5389 }
5390 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
5391 goto end;
5392 }
5393
5394 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5395 TLS1_VERSION, TLS_MAX_VERSION,
5396 &sctx, &cctx, cert, privkey)))
5397 goto end;
5398
5399 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
5400 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
5401 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
5402 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
5403 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
5404 goto end;
5405
5406 if (tst % 2 == 1) {
5407 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
5408 goto end;
5409 } else {
5410 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
5411 goto end;
5412 }
5413
5414 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5415 NULL, NULL)))
5416 goto end;
5417
5418 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
5419 if (ret) {
5420 if (!TEST_true(tst % 2 == 0))
5421 goto end;
5422 } else {
5423 if (!TEST_true(tst % 2 == 1))
5424 goto end;
5425 }
5426
5427 testresult = 1;
5428
5429 end:
5430 SRP_VBASE_free(vbase);
5431 vbase = NULL;
5432 SSL_free(serverssl);
5433 SSL_free(clientssl);
5434 SSL_CTX_free(sctx);
5435 SSL_CTX_free(cctx);
5436
5437 return testresult;
5438 }
5439 #endif
5440
5441 static int info_cb_failed = 0;
5442 static int info_cb_offset = 0;
5443 static int info_cb_this_state = -1;
5444
5445 static struct info_cb_states_st {
5446 int where;
5447 const char *statestr;
5448 } info_cb_states[][60] = {
5449 {
5450 /* TLSv1.2 server followed by resumption */
5451 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5452 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5453 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
5454 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
5455 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
5456 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5457 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5458 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5459 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
5460 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5461 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
5462 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5463 {SSL_CB_EXIT, NULL}, {0, NULL},
5464 }, {
5465 /* TLSv1.2 client followed by resumption */
5466 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5467 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5468 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
5469 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
5470 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
5471 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5472 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5473 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5474 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5475 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5476 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5477 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
5478 }, {
5479 /* TLSv1.3 server followed by resumption */
5480 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5481 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5482 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
5483 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
5484 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
5485 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5486 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5487 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5488 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5489 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5490 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
5491 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5492 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5493 }, {
5494 /* TLSv1.3 client followed by resumption */
5495 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5496 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5497 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
5498 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
5499 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5500 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5501 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
5502 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5503 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5504 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
5505 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5506 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5507 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5508 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
5509 {SSL_CB_EXIT, NULL}, {0, NULL},
5510 }, {
5511 /* TLSv1.3 server, early_data */
5512 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5513 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5514 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5515 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5516 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5517 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
5518 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5519 {SSL_CB_EXIT, NULL}, {0, NULL},
5520 }, {
5521 /* TLSv1.3 client, early_data */
5522 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5523 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
5524 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5525 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5526 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5527 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
5528 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5529 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5530 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5531 }, {
5532 {0, NULL},
5533 }
5534 };
5535
sslapi_info_callback(const SSL * s,int where,int ret)5536 static void sslapi_info_callback(const SSL *s, int where, int ret)
5537 {
5538 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
5539
5540 /* We do not ever expect a connection to fail in this test */
5541 if (!TEST_false(ret == 0)) {
5542 info_cb_failed = 1;
5543 return;
5544 }
5545
5546 /*
5547 * Do some sanity checks. We never expect these things to happen in this
5548 * test
5549 */
5550 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
5551 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
5552 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
5553 info_cb_failed = 1;
5554 return;
5555 }
5556
5557 /* Now check we're in the right state */
5558 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
5559 info_cb_failed = 1;
5560 return;
5561 }
5562 if ((where & SSL_CB_LOOP) != 0
5563 && !TEST_int_eq(strcmp(SSL_state_string(s),
5564 state[info_cb_this_state].statestr), 0)) {
5565 info_cb_failed = 1;
5566 return;
5567 }
5568
5569 /*
5570 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
5571 */
5572 if ((where & SSL_CB_HANDSHAKE_DONE)
5573 && SSL_in_init((SSL *)s) != 0) {
5574 info_cb_failed = 1;
5575 return;
5576 }
5577 }
5578
5579 /*
5580 * Test the info callback gets called when we expect it to.
5581 *
5582 * Test 0: TLSv1.2, server
5583 * Test 1: TLSv1.2, client
5584 * Test 2: TLSv1.3, server
5585 * Test 3: TLSv1.3, client
5586 * Test 4: TLSv1.3, server, early_data
5587 * Test 5: TLSv1.3, client, early_data
5588 */
test_info_callback(int tst)5589 static int test_info_callback(int tst)
5590 {
5591 SSL_CTX *cctx = NULL, *sctx = NULL;
5592 SSL *clientssl = NULL, *serverssl = NULL;
5593 SSL_SESSION *clntsess = NULL;
5594 int testresult = 0;
5595 int tlsvers;
5596
5597 if (tst < 2) {
5598 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
5599 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
5600 || !defined(OPENSSL_NO_DH))
5601 tlsvers = TLS1_2_VERSION;
5602 #else
5603 return 1;
5604 #endif
5605 } else {
5606 #ifndef OPENSSL_NO_TLS1_3
5607 tlsvers = TLS1_3_VERSION;
5608 #else
5609 return 1;
5610 #endif
5611 }
5612
5613 /* Reset globals */
5614 info_cb_failed = 0;
5615 info_cb_this_state = -1;
5616 info_cb_offset = tst;
5617
5618 #ifndef OPENSSL_NO_TLS1_3
5619 if (tst >= 4) {
5620 SSL_SESSION *sess = NULL;
5621 size_t written, readbytes;
5622 unsigned char buf[80];
5623
5624 /* early_data tests */
5625 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
5626 &serverssl, &sess, 0)))
5627 goto end;
5628
5629 /* We don't actually need this reference */
5630 SSL_SESSION_free(sess);
5631
5632 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
5633 sslapi_info_callback);
5634
5635 /* Write and read some early data and then complete the connection */
5636 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
5637 &written))
5638 || !TEST_size_t_eq(written, strlen(MSG1))
5639 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
5640 sizeof(buf), &readbytes),
5641 SSL_READ_EARLY_DATA_SUCCESS)
5642 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
5643 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5644 SSL_EARLY_DATA_ACCEPTED)
5645 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5646 SSL_ERROR_NONE))
5647 || !TEST_false(info_cb_failed))
5648 goto end;
5649
5650 testresult = 1;
5651 goto end;
5652 }
5653 #endif
5654
5655 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5656 TLS_client_method(),
5657 tlsvers, tlsvers, &sctx, &cctx, cert,
5658 privkey)))
5659 goto end;
5660
5661 /*
5662 * For even numbered tests we check the server callbacks. For odd numbers we
5663 * check the client.
5664 */
5665 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
5666 sslapi_info_callback);
5667
5668 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5669 &clientssl, NULL, NULL))
5670 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5671 SSL_ERROR_NONE))
5672 || !TEST_false(info_cb_failed))
5673 goto end;
5674
5675
5676
5677 clntsess = SSL_get1_session(clientssl);
5678 SSL_shutdown(clientssl);
5679 SSL_shutdown(serverssl);
5680 SSL_free(serverssl);
5681 SSL_free(clientssl);
5682 serverssl = clientssl = NULL;
5683
5684 /* Now do a resumption */
5685 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5686 NULL))
5687 || !TEST_true(SSL_set_session(clientssl, clntsess))
5688 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5689 SSL_ERROR_NONE))
5690 || !TEST_true(SSL_session_reused(clientssl))
5691 || !TEST_false(info_cb_failed))
5692 goto end;
5693
5694 testresult = 1;
5695
5696 end:
5697 SSL_free(serverssl);
5698 SSL_free(clientssl);
5699 SSL_SESSION_free(clntsess);
5700 SSL_CTX_free(sctx);
5701 SSL_CTX_free(cctx);
5702 return testresult;
5703 }
5704
test_ssl_pending(int tst)5705 static int test_ssl_pending(int tst)
5706 {
5707 SSL_CTX *cctx = NULL, *sctx = NULL;
5708 SSL *clientssl = NULL, *serverssl = NULL;
5709 int testresult = 0;
5710 char msg[] = "A test message";
5711 char buf[5];
5712 size_t written, readbytes;
5713
5714 if (tst == 0) {
5715 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5716 TLS_client_method(),
5717 TLS1_VERSION, TLS_MAX_VERSION,
5718 &sctx, &cctx, cert, privkey)))
5719 goto end;
5720 } else {
5721 #ifndef OPENSSL_NO_DTLS
5722 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
5723 DTLS_client_method(),
5724 DTLS1_VERSION, DTLS_MAX_VERSION,
5725 &sctx, &cctx, cert, privkey)))
5726 goto end;
5727 #else
5728 return 1;
5729 #endif
5730 }
5731
5732 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5733 NULL, NULL))
5734 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5735 SSL_ERROR_NONE)))
5736 goto end;
5737
5738 if (!TEST_int_eq(SSL_pending(clientssl), 0)
5739 || !TEST_false(SSL_has_pending(clientssl))
5740 || !TEST_int_eq(SSL_pending(serverssl), 0)
5741 || !TEST_false(SSL_has_pending(serverssl))
5742 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
5743 || !TEST_size_t_eq(written, sizeof(msg))
5744 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
5745 || !TEST_size_t_eq(readbytes, sizeof(buf))
5746 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
5747 || !TEST_true(SSL_has_pending(clientssl)))
5748 goto end;
5749
5750 testresult = 1;
5751
5752 end:
5753 SSL_free(serverssl);
5754 SSL_free(clientssl);
5755 SSL_CTX_free(sctx);
5756 SSL_CTX_free(cctx);
5757
5758 return testresult;
5759 }
5760
5761 static struct {
5762 unsigned int maxprot;
5763 const char *clntciphers;
5764 const char *clnttls13ciphers;
5765 const char *srvrciphers;
5766 const char *srvrtls13ciphers;
5767 const char *shared;
5768 } shared_ciphers_data[] = {
5769 /*
5770 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
5771 * TLSv1.3 is enabled but TLSv1.2 is disabled.
5772 */
5773 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
5774 {
5775 TLS1_2_VERSION,
5776 "AES128-SHA:AES256-SHA",
5777 NULL,
5778 "AES256-SHA:DHE-RSA-AES128-SHA",
5779 NULL,
5780 "AES256-SHA"
5781 },
5782 {
5783 TLS1_2_VERSION,
5784 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
5785 NULL,
5786 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
5787 NULL,
5788 "AES128-SHA:AES256-SHA"
5789 },
5790 {
5791 TLS1_2_VERSION,
5792 "AES128-SHA:AES256-SHA",
5793 NULL,
5794 "AES128-SHA:DHE-RSA-AES128-SHA",
5795 NULL,
5796 "AES128-SHA"
5797 },
5798 #endif
5799 /*
5800 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
5801 * enabled.
5802 */
5803 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
5804 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5805 {
5806 TLS1_3_VERSION,
5807 "AES128-SHA:AES256-SHA",
5808 NULL,
5809 "AES256-SHA:AES128-SHA256",
5810 NULL,
5811 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
5812 "TLS_AES_128_GCM_SHA256:AES256-SHA"
5813 },
5814 #endif
5815 #ifndef OPENSSL_NO_TLS1_3
5816 {
5817 TLS1_3_VERSION,
5818 "AES128-SHA",
5819 "TLS_AES_256_GCM_SHA384",
5820 "AES256-SHA",
5821 "TLS_AES_256_GCM_SHA384",
5822 "TLS_AES_256_GCM_SHA384"
5823 },
5824 #endif
5825 };
5826
test_ssl_get_shared_ciphers(int tst)5827 static int test_ssl_get_shared_ciphers(int tst)
5828 {
5829 SSL_CTX *cctx = NULL, *sctx = NULL;
5830 SSL *clientssl = NULL, *serverssl = NULL;
5831 int testresult = 0;
5832 char buf[1024];
5833
5834 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5835 TLS_client_method(),
5836 TLS1_VERSION,
5837 shared_ciphers_data[tst].maxprot,
5838 &sctx, &cctx, cert, privkey)))
5839 goto end;
5840
5841 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5842 shared_ciphers_data[tst].clntciphers))
5843 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
5844 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
5845 shared_ciphers_data[tst].clnttls13ciphers)))
5846 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
5847 shared_ciphers_data[tst].srvrciphers))
5848 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
5849 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
5850 shared_ciphers_data[tst].srvrtls13ciphers))))
5851 goto end;
5852
5853
5854 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5855 NULL, NULL))
5856 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5857 SSL_ERROR_NONE)))
5858 goto end;
5859
5860 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
5861 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
5862 TEST_info("Shared ciphers are: %s\n", buf);
5863 goto end;
5864 }
5865
5866 testresult = 1;
5867
5868 end:
5869 SSL_free(serverssl);
5870 SSL_free(clientssl);
5871 SSL_CTX_free(sctx);
5872 SSL_CTX_free(cctx);
5873
5874 return testresult;
5875 }
5876
5877 static const char *appdata = "Hello World";
5878 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
5879 static int tick_key_renew = 0;
5880 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
5881
gen_tick_cb(SSL * s,void * arg)5882 static int gen_tick_cb(SSL *s, void *arg)
5883 {
5884 gen_tick_called = 1;
5885
5886 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
5887 strlen(appdata));
5888 }
5889
dec_tick_cb(SSL * s,SSL_SESSION * ss,const unsigned char * keyname,size_t keyname_length,SSL_TICKET_STATUS status,void * arg)5890 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
5891 const unsigned char *keyname,
5892 size_t keyname_length,
5893 SSL_TICKET_STATUS status,
5894 void *arg)
5895 {
5896 void *tickdata;
5897 size_t tickdlen;
5898
5899 dec_tick_called = 1;
5900
5901 if (status == SSL_TICKET_EMPTY)
5902 return SSL_TICKET_RETURN_IGNORE_RENEW;
5903
5904 if (!TEST_true(status == SSL_TICKET_SUCCESS
5905 || status == SSL_TICKET_SUCCESS_RENEW))
5906 return SSL_TICKET_RETURN_ABORT;
5907
5908 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
5909 &tickdlen))
5910 || !TEST_size_t_eq(tickdlen, strlen(appdata))
5911 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
5912 return SSL_TICKET_RETURN_ABORT;
5913
5914 if (tick_key_cb_called) {
5915 /* Don't change what the ticket key callback wanted to do */
5916 switch (status) {
5917 case SSL_TICKET_NO_DECRYPT:
5918 return SSL_TICKET_RETURN_IGNORE_RENEW;
5919
5920 case SSL_TICKET_SUCCESS:
5921 return SSL_TICKET_RETURN_USE;
5922
5923 case SSL_TICKET_SUCCESS_RENEW:
5924 return SSL_TICKET_RETURN_USE_RENEW;
5925
5926 default:
5927 return SSL_TICKET_RETURN_ABORT;
5928 }
5929 }
5930 return tick_dec_ret;
5931
5932 }
5933
tick_key_cb(SSL * s,unsigned char key_name[16],unsigned char iv[EVP_MAX_IV_LENGTH],EVP_CIPHER_CTX * ctx,HMAC_CTX * hctx,int enc)5934 static int tick_key_cb(SSL *s, unsigned char key_name[16],
5935 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
5936 HMAC_CTX *hctx, int enc)
5937 {
5938 const unsigned char tick_aes_key[16] = "0123456789abcdef";
5939 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
5940
5941 tick_key_cb_called = 1;
5942 memset(iv, 0, AES_BLOCK_SIZE);
5943 memset(key_name, 0, 16);
5944 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
5945 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
5946 EVP_sha256(), NULL))
5947 return -1;
5948
5949 return tick_key_renew ? 2 : 1;
5950 }
5951
5952 /*
5953 * Test the various ticket callbacks
5954 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
5955 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
5956 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
5957 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
5958 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
5959 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
5960 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
5961 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
5962 * Test 8: TLSv1.2, ticket key callback, ticket, no renewal
5963 * Test 9: TLSv1.3, ticket key callback, ticket, no renewal
5964 * Test 10: TLSv1.2, ticket key callback, ticket, renewal
5965 * Test 11: TLSv1.3, ticket key callback, ticket, renewal
5966 */
test_ticket_callbacks(int tst)5967 static int test_ticket_callbacks(int tst)
5968 {
5969 SSL_CTX *cctx = NULL, *sctx = NULL;
5970 SSL *clientssl = NULL, *serverssl = NULL;
5971 SSL_SESSION *clntsess = NULL;
5972 int testresult = 0;
5973
5974 #ifdef OPENSSL_NO_TLS1_2
5975 if (tst % 2 == 0)
5976 return 1;
5977 #endif
5978 #ifdef OPENSSL_NO_TLS1_3
5979 if (tst % 2 == 1)
5980 return 1;
5981 #endif
5982
5983 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
5984
5985 /* Which tests the ticket key callback should request renewal for */
5986 if (tst == 10 || tst == 11)
5987 tick_key_renew = 1;
5988 else
5989 tick_key_renew = 0;
5990
5991 /* Which tests the decrypt ticket callback should request renewal for */
5992 switch (tst) {
5993 case 0:
5994 case 1:
5995 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
5996 break;
5997
5998 case 2:
5999 case 3:
6000 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
6001 break;
6002
6003 case 4:
6004 case 5:
6005 tick_dec_ret = SSL_TICKET_RETURN_USE;
6006 break;
6007
6008 case 6:
6009 case 7:
6010 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
6011 break;
6012
6013 default:
6014 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6015 }
6016
6017 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6018 TLS_client_method(),
6019 TLS1_VERSION,
6020 ((tst % 2) == 0) ? TLS1_2_VERSION
6021 : TLS1_3_VERSION,
6022 &sctx, &cctx, cert, privkey)))
6023 goto end;
6024
6025 /*
6026 * We only want sessions to resume from tickets - not the session cache. So
6027 * switch the cache off.
6028 */
6029 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
6030 goto end;
6031
6032 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
6033 NULL)))
6034 goto end;
6035
6036 if (tst >= 8
6037 && !TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
6038 goto end;
6039
6040 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6041 NULL, NULL))
6042 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6043 SSL_ERROR_NONE)))
6044 goto end;
6045
6046 /*
6047 * The decrypt ticket key callback in TLSv1.2 should be called even though
6048 * we have no ticket yet, because it gets called with a status of
6049 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
6050 * actually send any ticket data). This does not happen in TLSv1.3 because
6051 * it is not valid to send empty ticket data in TLSv1.3.
6052 */
6053 if (!TEST_int_eq(gen_tick_called, 1)
6054 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
6055 goto end;
6056
6057 gen_tick_called = dec_tick_called = 0;
6058
6059 clntsess = SSL_get1_session(clientssl);
6060 SSL_shutdown(clientssl);
6061 SSL_shutdown(serverssl);
6062 SSL_free(serverssl);
6063 SSL_free(clientssl);
6064 serverssl = clientssl = NULL;
6065
6066 /* Now do a resumption */
6067 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6068 NULL))
6069 || !TEST_true(SSL_set_session(clientssl, clntsess))
6070 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6071 SSL_ERROR_NONE)))
6072 goto end;
6073
6074 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
6075 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
6076 if (!TEST_false(SSL_session_reused(clientssl)))
6077 goto end;
6078 } else {
6079 if (!TEST_true(SSL_session_reused(clientssl)))
6080 goto end;
6081 }
6082
6083 if (!TEST_int_eq(gen_tick_called,
6084 (tick_key_renew
6085 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
6086 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
6087 ? 1 : 0)
6088 || !TEST_int_eq(dec_tick_called, 1))
6089 goto end;
6090
6091 testresult = 1;
6092
6093 end:
6094 SSL_SESSION_free(clntsess);
6095 SSL_free(serverssl);
6096 SSL_free(clientssl);
6097 SSL_CTX_free(sctx);
6098 SSL_CTX_free(cctx);
6099
6100 return testresult;
6101 }
6102
6103 /*
6104 * Test bi-directional shutdown.
6105 * Test 0: TLSv1.2
6106 * Test 1: TLSv1.2, server continues to read/write after client shutdown
6107 * Test 2: TLSv1.3, no pending NewSessionTicket messages
6108 * Test 3: TLSv1.3, pending NewSessionTicket messages
6109 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
6110 * sends key update, client reads it
6111 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
6112 * sends CertificateRequest, client reads and ignores it
6113 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
6114 * doesn't read it
6115 */
test_shutdown(int tst)6116 static int test_shutdown(int tst)
6117 {
6118 SSL_CTX *cctx = NULL, *sctx = NULL;
6119 SSL *clientssl = NULL, *serverssl = NULL;
6120 int testresult = 0;
6121 char msg[] = "A test message";
6122 char buf[80];
6123 size_t written, readbytes;
6124 SSL_SESSION *sess;
6125
6126 #ifdef OPENSSL_NO_TLS1_2
6127 if (tst <= 1)
6128 return 1;
6129 #endif
6130 #ifdef OPENSSL_NO_TLS1_3
6131 if (tst >= 2)
6132 return 1;
6133 #endif
6134
6135 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6136 TLS_client_method(),
6137 TLS1_VERSION,
6138 (tst <= 1) ? TLS1_2_VERSION
6139 : TLS1_3_VERSION,
6140 &sctx, &cctx, cert, privkey)))
6141 goto end;
6142
6143 if (tst == 5)
6144 SSL_CTX_set_post_handshake_auth(cctx, 1);
6145
6146 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6147 NULL, NULL)))
6148 goto end;
6149
6150 if (tst == 3) {
6151 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
6152 SSL_ERROR_NONE, 1))
6153 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6154 || !TEST_false(SSL_SESSION_is_resumable(sess)))
6155 goto end;
6156 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6157 SSL_ERROR_NONE))
6158 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6159 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
6160 goto end;
6161 }
6162
6163 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
6164 goto end;
6165
6166 if (tst >= 4) {
6167 /*
6168 * Reading on the server after the client has sent close_notify should
6169 * fail and provide SSL_ERROR_ZERO_RETURN
6170 */
6171 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
6172 || !TEST_int_eq(SSL_get_error(serverssl, 0),
6173 SSL_ERROR_ZERO_RETURN)
6174 || !TEST_int_eq(SSL_get_shutdown(serverssl),
6175 SSL_RECEIVED_SHUTDOWN)
6176 /*
6177 * Even though we're shutdown on receive we should still be
6178 * able to write.
6179 */
6180 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6181 goto end;
6182 if (tst == 4
6183 && !TEST_true(SSL_key_update(serverssl,
6184 SSL_KEY_UPDATE_REQUESTED)))
6185 goto end;
6186 if (tst == 5) {
6187 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6188 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6189 goto end;
6190 }
6191 if ((tst == 4 || tst == 5)
6192 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6193 goto end;
6194 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
6195 goto end;
6196 if (tst == 4 || tst == 5) {
6197 /* Should still be able to read data from server */
6198 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6199 &readbytes))
6200 || !TEST_size_t_eq(readbytes, sizeof(msg))
6201 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
6202 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6203 &readbytes))
6204 || !TEST_size_t_eq(readbytes, sizeof(msg))
6205 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
6206 goto end;
6207 }
6208 }
6209
6210 /* Writing on the client after sending close_notify shouldn't be possible */
6211 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
6212 goto end;
6213
6214 if (tst < 4) {
6215 /*
6216 * For these tests the client has sent close_notify but it has not yet
6217 * been received by the server. The server has not sent close_notify
6218 * yet.
6219 */
6220 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
6221 /*
6222 * Writing on the server after sending close_notify shouldn't
6223 * be possible.
6224 */
6225 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6226 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
6227 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6228 || !TEST_true(SSL_SESSION_is_resumable(sess))
6229 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
6230 goto end;
6231 } else if (tst == 4 || tst == 5) {
6232 /*
6233 * In this test the client has sent close_notify and it has been
6234 * received by the server which has responded with a close_notify. The
6235 * client needs to read the close_notify sent by the server.
6236 */
6237 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
6238 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6239 || !TEST_true(SSL_SESSION_is_resumable(sess)))
6240 goto end;
6241 } else {
6242 /*
6243 * tst == 6
6244 *
6245 * The client has sent close_notify and is expecting a close_notify
6246 * back, but instead there is application data first. The shutdown
6247 * should fail with a fatal error.
6248 */
6249 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
6250 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
6251 goto end;
6252 }
6253
6254 testresult = 1;
6255
6256 end:
6257 SSL_free(serverssl);
6258 SSL_free(clientssl);
6259 SSL_CTX_free(sctx);
6260 SSL_CTX_free(cctx);
6261
6262 return testresult;
6263 }
6264
6265 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
6266 static int cert_cb_cnt;
6267
cert_cb(SSL * s,void * arg)6268 static int cert_cb(SSL *s, void *arg)
6269 {
6270 SSL_CTX *ctx = (SSL_CTX *)arg;
6271 BIO *in = NULL;
6272 EVP_PKEY *pkey = NULL;
6273 X509 *x509 = NULL, *rootx = NULL;
6274 STACK_OF(X509) *chain = NULL;
6275 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
6276 int ret = 0;
6277
6278 if (cert_cb_cnt == 0) {
6279 /* Suspend the handshake */
6280 cert_cb_cnt++;
6281 return -1;
6282 } else if (cert_cb_cnt == 1) {
6283 /*
6284 * Update the SSL_CTX, set the certificate and private key and then
6285 * continue the handshake normally.
6286 */
6287 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
6288 return 0;
6289
6290 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
6291 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
6292 SSL_FILETYPE_PEM))
6293 || !TEST_true(SSL_check_private_key(s)))
6294 return 0;
6295 cert_cb_cnt++;
6296 return 1;
6297 } else if (cert_cb_cnt == 3) {
6298 int rv;
6299
6300 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
6301 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
6302 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
6303 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
6304 goto out;
6305 chain = sk_X509_new_null();
6306 if (!TEST_ptr(chain))
6307 goto out;
6308 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6309 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
6310 || !TEST_ptr(rootx = PEM_read_bio_X509(in, NULL, NULL, NULL))
6311 || !TEST_true(sk_X509_push(chain, rootx)))
6312 goto out;
6313 rootx = NULL;
6314 BIO_free(in);
6315 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6316 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
6317 || !TEST_ptr(x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)))
6318 goto out;
6319 BIO_free(in);
6320 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6321 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
6322 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL)))
6323 goto out;
6324 rv = SSL_check_chain(s, x509, pkey, chain);
6325 /*
6326 * If the cert doesn't show as valid here (e.g., because we don't
6327 * have any shared sigalgs), then we will not set it, and there will
6328 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
6329 * will cause tls_choose_sigalgs() to fail the connection.
6330 */
6331 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
6332 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
6333 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
6334 goto out;
6335 }
6336
6337 ret = 1;
6338 }
6339
6340 /* Abort the handshake */
6341 out:
6342 OPENSSL_free(ecdsacert);
6343 OPENSSL_free(ecdsakey);
6344 OPENSSL_free(rootfile);
6345 BIO_free(in);
6346 EVP_PKEY_free(pkey);
6347 X509_free(x509);
6348 X509_free(rootx);
6349 sk_X509_pop_free(chain, X509_free);
6350 return ret;
6351 }
6352
6353 /*
6354 * Test the certificate callback.
6355 * Test 0: Callback fails
6356 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
6357 * Test 2: Success - SSL_set_SSL_CTX() in the callback
6358 * Test 3: Success - Call SSL_check_chain from the callback
6359 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
6360 * chain
6361 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
6362 */
test_cert_cb_int(int prot,int tst)6363 static int test_cert_cb_int(int prot, int tst)
6364 {
6365 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
6366 SSL *clientssl = NULL, *serverssl = NULL;
6367 int testresult = 0, ret;
6368
6369 #ifdef OPENSSL_NO_EC
6370 /* We use an EC cert in these tests, so we skip in a no-ec build */
6371 if (tst >= 3)
6372 return 1;
6373 #endif
6374
6375 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6376 TLS_client_method(),
6377 TLS1_VERSION,
6378 prot,
6379 &sctx, &cctx, NULL, NULL)))
6380 goto end;
6381
6382 if (tst == 0)
6383 cert_cb_cnt = -1;
6384 else if (tst >= 3)
6385 cert_cb_cnt = 3;
6386 else
6387 cert_cb_cnt = 0;
6388
6389 if (tst == 2)
6390 snictx = SSL_CTX_new(TLS_server_method());
6391 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
6392
6393 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6394 NULL, NULL)))
6395 goto end;
6396
6397 if (tst == 4) {
6398 /*
6399 * We cause SSL_check_chain() to fail by specifying sig_algs that
6400 * the chain doesn't meet (the root uses an RSA cert)
6401 */
6402 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6403 "ecdsa_secp256r1_sha256")))
6404 goto end;
6405 } else if (tst == 5) {
6406 /*
6407 * We cause SSL_check_chain() to fail by specifying sig_algs that
6408 * the ee cert doesn't meet (the ee uses an ECDSA cert)
6409 */
6410 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6411 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
6412 goto end;
6413 }
6414
6415 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6416 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
6417 || (tst > 0
6418 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
6419 goto end;
6420 }
6421
6422 testresult = 1;
6423
6424 end:
6425 SSL_free(serverssl);
6426 SSL_free(clientssl);
6427 SSL_CTX_free(sctx);
6428 SSL_CTX_free(cctx);
6429 SSL_CTX_free(snictx);
6430
6431 return testresult;
6432 }
6433 #endif
6434
test_cert_cb(int tst)6435 static int test_cert_cb(int tst)
6436 {
6437 int testresult = 1;
6438
6439 #ifndef OPENSSL_NO_TLS1_2
6440 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
6441 #endif
6442 #ifndef OPENSSL_NO_TLS1_3
6443 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
6444 #endif
6445
6446 return testresult;
6447 }
6448
client_cert_cb(SSL * ssl,X509 ** x509,EVP_PKEY ** pkey)6449 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
6450 {
6451 X509 *xcert, *peer;
6452 EVP_PKEY *privpkey;
6453 BIO *in = NULL;
6454
6455 /* Check that SSL_get_peer_certificate() returns something sensible */
6456 peer = SSL_get_peer_certificate(ssl);
6457 if (!TEST_ptr(peer))
6458 return 0;
6459 X509_free(peer);
6460
6461 in = BIO_new_file(cert, "r");
6462 if (!TEST_ptr(in))
6463 return 0;
6464
6465 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
6466 BIO_free(in);
6467 if (!TEST_ptr(xcert))
6468 return 0;
6469
6470 in = BIO_new_file(privkey, "r");
6471 if (!TEST_ptr(in)) {
6472 X509_free(xcert);
6473 return 0;
6474 }
6475
6476 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
6477 BIO_free(in);
6478 if (!TEST_ptr(privpkey)) {
6479 X509_free(xcert);
6480 return 0;
6481 }
6482
6483 *x509 = xcert;
6484 *pkey = privpkey;
6485
6486 return 1;
6487 }
6488
test_client_cert_cb(int tst)6489 static int test_client_cert_cb(int tst)
6490 {
6491 SSL_CTX *cctx = NULL, *sctx = NULL;
6492 SSL *clientssl = NULL, *serverssl = NULL;
6493 int testresult = 0;
6494
6495 #ifdef OPENSSL_NO_TLS1_2
6496 if (tst == 0)
6497 return 1;
6498 #endif
6499 #ifdef OPENSSL_NO_TLS1_3
6500 if (tst == 1)
6501 return 1;
6502 #endif
6503
6504 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6505 TLS_client_method(),
6506 TLS1_VERSION,
6507 tst == 0 ? TLS1_2_VERSION
6508 : TLS1_3_VERSION,
6509 &sctx, &cctx, cert, privkey)))
6510 goto end;
6511
6512 /*
6513 * Test that setting a client_cert_cb results in a client certificate being
6514 * sent.
6515 */
6516 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
6517 SSL_CTX_set_verify(sctx,
6518 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
6519 verify_cb);
6520
6521 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6522 NULL, NULL))
6523 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6524 SSL_ERROR_NONE)))
6525 goto end;
6526
6527 testresult = 1;
6528
6529 end:
6530 SSL_free(serverssl);
6531 SSL_free(clientssl);
6532 SSL_CTX_free(sctx);
6533 SSL_CTX_free(cctx);
6534
6535 return testresult;
6536 }
6537
6538 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
6539 /*
6540 * Test setting certificate authorities on both client and server.
6541 *
6542 * Test 0: SSL_CTX_set0_CA_list() only
6543 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
6544 * Test 2: Only SSL_CTX_set_client_CA_list()
6545 */
test_ca_names_int(int prot,int tst)6546 static int test_ca_names_int(int prot, int tst)
6547 {
6548 SSL_CTX *cctx = NULL, *sctx = NULL;
6549 SSL *clientssl = NULL, *serverssl = NULL;
6550 int testresult = 0;
6551 size_t i;
6552 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
6553 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
6554 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
6555 const STACK_OF(X509_NAME) *sktmp = NULL;
6556
6557 for (i = 0; i < OSSL_NELEM(name); i++) {
6558 name[i] = X509_NAME_new();
6559 if (!TEST_ptr(name[i])
6560 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
6561 MBSTRING_ASC,
6562 (unsigned char *)
6563 strnames[i],
6564 -1, -1, 0)))
6565 goto end;
6566 }
6567
6568 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6569 TLS_client_method(),
6570 TLS1_VERSION,
6571 prot,
6572 &sctx, &cctx, cert, privkey)))
6573 goto end;
6574
6575 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
6576
6577 if (tst == 0 || tst == 1) {
6578 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6579 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
6580 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
6581 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6582 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
6583 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
6584 goto end;
6585
6586 SSL_CTX_set0_CA_list(sctx, sk1);
6587 SSL_CTX_set0_CA_list(cctx, sk2);
6588 sk1 = sk2 = NULL;
6589 }
6590 if (tst == 1 || tst == 2) {
6591 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6592 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
6593 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
6594 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6595 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
6596 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
6597 goto end;
6598
6599 SSL_CTX_set_client_CA_list(sctx, sk1);
6600 SSL_CTX_set_client_CA_list(cctx, sk2);
6601 sk1 = sk2 = NULL;
6602 }
6603
6604 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6605 NULL, NULL))
6606 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6607 SSL_ERROR_NONE)))
6608 goto end;
6609
6610 /*
6611 * We only expect certificate authorities to have been sent to the server
6612 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
6613 */
6614 sktmp = SSL_get0_peer_CA_list(serverssl);
6615 if (prot == TLS1_3_VERSION
6616 && (tst == 0 || tst == 1)) {
6617 if (!TEST_ptr(sktmp)
6618 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6619 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6620 name[0]), 0)
6621 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6622 name[1]), 0))
6623 goto end;
6624 } else if (!TEST_ptr_null(sktmp)) {
6625 goto end;
6626 }
6627
6628 /*
6629 * In all tests we expect certificate authorities to have been sent to the
6630 * client. However, SSL_set_client_CA_list() should override
6631 * SSL_set0_CA_list()
6632 */
6633 sktmp = SSL_get0_peer_CA_list(clientssl);
6634 if (!TEST_ptr(sktmp)
6635 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6636 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6637 name[tst == 0 ? 0 : 2]), 0)
6638 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6639 name[tst == 0 ? 1 : 3]), 0))
6640 goto end;
6641
6642 testresult = 1;
6643
6644 end:
6645 SSL_free(serverssl);
6646 SSL_free(clientssl);
6647 SSL_CTX_free(sctx);
6648 SSL_CTX_free(cctx);
6649 for (i = 0; i < OSSL_NELEM(name); i++)
6650 X509_NAME_free(name[i]);
6651 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
6652 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
6653
6654 return testresult;
6655 }
6656 #endif
6657
test_ca_names(int tst)6658 static int test_ca_names(int tst)
6659 {
6660 int testresult = 1;
6661
6662 #ifndef OPENSSL_NO_TLS1_2
6663 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
6664 #endif
6665 #ifndef OPENSSL_NO_TLS1_3
6666 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
6667 #endif
6668
6669 return testresult;
6670 }
6671
6672 /*
6673 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
6674 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
6675 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
6676 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
6677 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
6678 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
6679 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
6680 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
6681 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
6682 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
6683 */
test_servername(int tst)6684 static int test_servername(int tst)
6685 {
6686 SSL_CTX *cctx = NULL, *sctx = NULL;
6687 SSL *clientssl = NULL, *serverssl = NULL;
6688 int testresult = 0;
6689 SSL_SESSION *sess = NULL;
6690 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
6691
6692 #ifdef OPENSSL_NO_TLS1_2
6693 if (tst <= 4)
6694 return 1;
6695 #endif
6696 #ifdef OPENSSL_NO_TLS1_3
6697 if (tst >= 5)
6698 return 1;
6699 #endif
6700
6701 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6702 TLS_client_method(),
6703 TLS1_VERSION,
6704 (tst <= 4) ? TLS1_2_VERSION
6705 : TLS1_3_VERSION,
6706 &sctx, &cctx, cert, privkey))
6707 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6708 NULL, NULL)))
6709 goto end;
6710
6711 if (tst != 1 && tst != 6) {
6712 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
6713 hostname_cb)))
6714 goto end;
6715 }
6716
6717 if (tst != 3 && tst != 8) {
6718 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
6719 goto end;
6720 sexpectedhost = cexpectedhost = "goodhost";
6721 }
6722
6723 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
6724 goto end;
6725
6726 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
6727 cexpectedhost)
6728 || !TEST_str_eq(SSL_get_servername(serverssl,
6729 TLSEXT_NAMETYPE_host_name),
6730 sexpectedhost))
6731 goto end;
6732
6733 /* Now repeat with a resumption handshake */
6734
6735 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
6736 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
6737 || !TEST_true(SSL_SESSION_is_resumable(sess))
6738 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
6739 goto end;
6740
6741 SSL_free(clientssl);
6742 SSL_free(serverssl);
6743 clientssl = serverssl = NULL;
6744
6745 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6746 NULL)))
6747 goto end;
6748
6749 if (!TEST_true(SSL_set_session(clientssl, sess)))
6750 goto end;
6751
6752 sexpectedhost = cexpectedhost = "goodhost";
6753 if (tst == 2 || tst == 7) {
6754 /* Set an inconsistent hostname */
6755 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
6756 goto end;
6757 /*
6758 * In TLSv1.2 we expect the hostname from the original handshake, in
6759 * TLSv1.3 we expect the hostname from this handshake
6760 */
6761 if (tst == 7)
6762 sexpectedhost = cexpectedhost = "altgoodhost";
6763
6764 if (!TEST_str_eq(SSL_get_servername(clientssl,
6765 TLSEXT_NAMETYPE_host_name),
6766 "altgoodhost"))
6767 goto end;
6768 } else if (tst == 4 || tst == 9) {
6769 /*
6770 * A TLSv1.3 session does not associate a session with a servername,
6771 * but a TLSv1.2 session does.
6772 */
6773 if (tst == 9)
6774 sexpectedhost = cexpectedhost = NULL;
6775
6776 if (!TEST_str_eq(SSL_get_servername(clientssl,
6777 TLSEXT_NAMETYPE_host_name),
6778 cexpectedhost))
6779 goto end;
6780 } else {
6781 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
6782 goto end;
6783 /*
6784 * In a TLSv1.2 resumption where the hostname was not acknowledged
6785 * we expect the hostname on the server to be empty. On the client we
6786 * return what was requested in this case.
6787 *
6788 * Similarly if the client didn't set a hostname on an original TLSv1.2
6789 * session but is now, the server hostname will be empty, but the client
6790 * is as we set it.
6791 */
6792 if (tst == 1 || tst == 3)
6793 sexpectedhost = NULL;
6794
6795 if (!TEST_str_eq(SSL_get_servername(clientssl,
6796 TLSEXT_NAMETYPE_host_name),
6797 "goodhost"))
6798 goto end;
6799 }
6800
6801 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
6802 goto end;
6803
6804 if (!TEST_true(SSL_session_reused(clientssl))
6805 || !TEST_true(SSL_session_reused(serverssl))
6806 || !TEST_str_eq(SSL_get_servername(clientssl,
6807 TLSEXT_NAMETYPE_host_name),
6808 cexpectedhost)
6809 || !TEST_str_eq(SSL_get_servername(serverssl,
6810 TLSEXT_NAMETYPE_host_name),
6811 sexpectedhost))
6812 goto end;
6813
6814 testresult = 1;
6815
6816 end:
6817 SSL_SESSION_free(sess);
6818 SSL_free(serverssl);
6819 SSL_free(clientssl);
6820 SSL_CTX_free(sctx);
6821 SSL_CTX_free(cctx);
6822
6823 return testresult;
6824 }
6825
6826 #ifndef OPENSSL_NO_TLS1_2
test_ssl_dup(void)6827 static int test_ssl_dup(void)
6828 {
6829 SSL_CTX *cctx = NULL, *sctx = NULL;
6830 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
6831 int testresult = 0;
6832 BIO *rbio = NULL, *wbio = NULL;
6833
6834 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6835 TLS_client_method(),
6836 0,
6837 0,
6838 &sctx, &cctx, cert, privkey)))
6839 goto end;
6840
6841 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6842 NULL, NULL)))
6843 goto end;
6844
6845 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
6846 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
6847 goto end;
6848
6849 client2ssl = SSL_dup(clientssl);
6850 rbio = SSL_get_rbio(clientssl);
6851 if (!TEST_ptr(rbio)
6852 || !TEST_true(BIO_up_ref(rbio)))
6853 goto end;
6854 SSL_set0_rbio(client2ssl, rbio);
6855 rbio = NULL;
6856
6857 wbio = SSL_get_wbio(clientssl);
6858 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
6859 goto end;
6860 SSL_set0_wbio(client2ssl, wbio);
6861 rbio = NULL;
6862
6863 if (!TEST_ptr(client2ssl)
6864 /* Handshake not started so pointers should be different */
6865 || !TEST_ptr_ne(clientssl, client2ssl))
6866 goto end;
6867
6868 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
6869 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
6870 goto end;
6871
6872 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
6873 goto end;
6874
6875 SSL_free(clientssl);
6876 clientssl = SSL_dup(client2ssl);
6877 if (!TEST_ptr(clientssl)
6878 /* Handshake has finished so pointers should be the same */
6879 || !TEST_ptr_eq(clientssl, client2ssl))
6880 goto end;
6881
6882 testresult = 1;
6883
6884 end:
6885 SSL_free(serverssl);
6886 SSL_free(clientssl);
6887 SSL_free(client2ssl);
6888 SSL_CTX_free(sctx);
6889 SSL_CTX_free(cctx);
6890
6891 return testresult;
6892 }
6893 #endif
6894
6895 #ifndef OPENSSL_NO_TLS1_3
6896 /*
6897 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
6898 * that it works even without a certificate configured for the original
6899 * SSL_CTX
6900 */
test_sni_tls13(void)6901 static int test_sni_tls13(void)
6902 {
6903 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
6904 SSL *clientssl = NULL, *serverssl = NULL;
6905 int testresult = 0;
6906
6907 /* Reset callback counter */
6908 snicb = 0;
6909
6910 /* Create an initial SSL_CTX with no certificate configured */
6911 sctx = SSL_CTX_new(TLS_server_method());
6912 if (!TEST_ptr(sctx))
6913 goto end;
6914 /* Require TLSv1.3 as a minimum */
6915 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
6916 TLS1_3_VERSION, 0, &sctx2, &cctx, cert,
6917 privkey)))
6918 goto end;
6919
6920 /* Set up SNI */
6921 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
6922 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
6923 goto end;
6924
6925 /*
6926 * Connection should still succeed because the final SSL_CTX has the right
6927 * certificates configured.
6928 */
6929 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6930 &clientssl, NULL, NULL))
6931 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6932 SSL_ERROR_NONE)))
6933 goto end;
6934
6935 /* We should have had the SNI callback called exactly once */
6936 if (!TEST_int_eq(snicb, 1))
6937 goto end;
6938
6939 testresult = 1;
6940
6941 end:
6942 SSL_free(serverssl);
6943 SSL_free(clientssl);
6944 SSL_CTX_free(sctx2);
6945 SSL_CTX_free(sctx);
6946 SSL_CTX_free(cctx);
6947 return testresult;
6948 }
6949
6950 /*
6951 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
6952 * 0 = TLSv1.2
6953 * 1 = TLSv1.3
6954 */
test_ticket_lifetime(int idx)6955 static int test_ticket_lifetime(int idx)
6956 {
6957 SSL_CTX *cctx = NULL, *sctx = NULL;
6958 SSL *clientssl = NULL, *serverssl = NULL;
6959 int testresult = 0;
6960 int version = TLS1_3_VERSION;
6961
6962 #define ONE_WEEK_SEC (7 * 24 * 60 * 60)
6963 #define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
6964
6965 if (idx == 0) {
6966 #ifdef OPENSSL_NO_TLS1_2
6967 TEST_info("Skipping: TLS 1.2 is disabled.");
6968 return 1;
6969 #else
6970 version = TLS1_2_VERSION;
6971 #endif
6972 }
6973
6974 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6975 TLS_client_method(), version, version,
6976 &sctx, &cctx, cert, privkey)))
6977 goto end;
6978
6979 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6980 &clientssl, NULL, NULL)))
6981 goto end;
6982
6983 /*
6984 * Set the timeout to be more than 1 week
6985 * make sure the returned value is the default
6986 */
6987 if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
6988 SSL_get_default_timeout(serverssl)))
6989 goto end;
6990
6991 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
6992 goto end;
6993
6994 if (idx == 0) {
6995 /* TLSv1.2 uses the set value */
6996 if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC))
6997 goto end;
6998 } else {
6999 /* TLSv1.3 uses the limited value */
7000 if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC))
7001 goto end;
7002 }
7003 testresult = 1;
7004
7005 end:
7006 SSL_free(serverssl);
7007 SSL_free(clientssl);
7008 SSL_CTX_free(sctx);
7009 SSL_CTX_free(cctx);
7010 return testresult;
7011 }
7012 #endif
7013 /*
7014 * Test that setting an ALPN does not violate RFC
7015 */
test_set_alpn(void)7016 static int test_set_alpn(void)
7017 {
7018 SSL_CTX *ctx = NULL;
7019 SSL *ssl = NULL;
7020 int testresult = 0;
7021
7022 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
7023 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
7024 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
7025 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
7026 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
7027 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
7028
7029 /* Create an initial SSL_CTX with no certificate configured */
7030 ctx = SSL_CTX_new(TLS_server_method());
7031 if (!TEST_ptr(ctx))
7032 goto end;
7033
7034 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
7035 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
7036 goto end;
7037 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
7038 goto end;
7039 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
7040 goto end;
7041 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
7042 goto end;
7043 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
7044 goto end;
7045 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
7046 goto end;
7047 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
7048 goto end;
7049 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
7050 goto end;
7051 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
7052 goto end;
7053
7054 ssl = SSL_new(ctx);
7055 if (!TEST_ptr(ssl))
7056 goto end;
7057
7058 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
7059 goto end;
7060 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
7061 goto end;
7062 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
7063 goto end;
7064 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
7065 goto end;
7066 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
7067 goto end;
7068 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
7069 goto end;
7070 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
7071 goto end;
7072 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
7073 goto end;
7074 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
7075 goto end;
7076
7077 testresult = 1;
7078
7079 end:
7080 SSL_free(ssl);
7081 SSL_CTX_free(ctx);
7082 return testresult;
7083 }
7084
7085 /*
7086 * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
7087 */
test_set_verify_cert_store_ssl_ctx(void)7088 static int test_set_verify_cert_store_ssl_ctx(void)
7089 {
7090 SSL_CTX *ctx = NULL;
7091 int testresult = 0;
7092 X509_STORE *store = NULL, *new_store = NULL,
7093 *cstore = NULL, *new_cstore = NULL;
7094
7095 /* Create an initial SSL_CTX. */
7096 ctx = SSL_CTX_new(TLS_server_method());
7097 if (!TEST_ptr(ctx))
7098 goto end;
7099
7100 /* Retrieve verify store pointer. */
7101 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
7102 goto end;
7103
7104 /* Retrieve chain store pointer. */
7105 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
7106 goto end;
7107
7108 /* We haven't set any yet, so this should be NULL. */
7109 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
7110 goto end;
7111
7112 /* Create stores. We use separate stores so pointers are different. */
7113 new_store = X509_STORE_new();
7114 if (!TEST_ptr(new_store))
7115 goto end;
7116
7117 new_cstore = X509_STORE_new();
7118 if (!TEST_ptr(new_cstore))
7119 goto end;
7120
7121 /* Set stores. */
7122 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store)))
7123 goto end;
7124
7125 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore)))
7126 goto end;
7127
7128 /* Should be able to retrieve the same pointer. */
7129 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
7130 goto end;
7131
7132 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
7133 goto end;
7134
7135 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
7136 goto end;
7137
7138 /* Should be able to unset again. */
7139 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL)))
7140 goto end;
7141
7142 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL)))
7143 goto end;
7144
7145 /* Should now be NULL. */
7146 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
7147 goto end;
7148
7149 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
7150 goto end;
7151
7152 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
7153 goto end;
7154
7155 testresult = 1;
7156
7157 end:
7158 X509_STORE_free(new_store);
7159 X509_STORE_free(new_cstore);
7160 SSL_CTX_free(ctx);
7161 return testresult;
7162 }
7163
7164 /*
7165 * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store.
7166 */
test_set_verify_cert_store_ssl(void)7167 static int test_set_verify_cert_store_ssl(void)
7168 {
7169 SSL_CTX *ctx = NULL;
7170 SSL *ssl = NULL;
7171 int testresult = 0;
7172 X509_STORE *store = NULL, *new_store = NULL,
7173 *cstore = NULL, *new_cstore = NULL;
7174
7175 /* Create an initial SSL_CTX. */
7176 ctx = SSL_CTX_new(TLS_server_method());
7177 if (!TEST_ptr(ctx))
7178 goto end;
7179
7180 /* Create an SSL object. */
7181 ssl = SSL_new(ctx);
7182 if (!TEST_ptr(ssl))
7183 goto end;
7184
7185 /* Retrieve verify store pointer. */
7186 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
7187 goto end;
7188
7189 /* Retrieve chain store pointer. */
7190 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
7191 goto end;
7192
7193 /* We haven't set any yet, so this should be NULL. */
7194 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
7195 goto end;
7196
7197 /* Create stores. We use separate stores so pointers are different. */
7198 new_store = X509_STORE_new();
7199 if (!TEST_ptr(new_store))
7200 goto end;
7201
7202 new_cstore = X509_STORE_new();
7203 if (!TEST_ptr(new_cstore))
7204 goto end;
7205
7206 /* Set stores. */
7207 if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store)))
7208 goto end;
7209
7210 if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore)))
7211 goto end;
7212
7213 /* Should be able to retrieve the same pointer. */
7214 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
7215 goto end;
7216
7217 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
7218 goto end;
7219
7220 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
7221 goto end;
7222
7223 /* Should be able to unset again. */
7224 if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL)))
7225 goto end;
7226
7227 if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL)))
7228 goto end;
7229
7230 /* Should now be NULL. */
7231 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
7232 goto end;
7233
7234 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
7235 goto end;
7236
7237 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
7238 goto end;
7239
7240 testresult = 1;
7241
7242 end:
7243 X509_STORE_free(new_store);
7244 X509_STORE_free(new_cstore);
7245 SSL_free(ssl);
7246 SSL_CTX_free(ctx);
7247 return testresult;
7248 }
7249
test_inherit_verify_param(void)7250 static int test_inherit_verify_param(void)
7251 {
7252 int testresult = 0;
7253
7254 SSL_CTX *ctx = NULL;
7255 X509_VERIFY_PARAM *cp = NULL;
7256 SSL *ssl = NULL;
7257 X509_VERIFY_PARAM *sp = NULL;
7258 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
7259
7260 ctx = SSL_CTX_new(TLS_server_method());
7261 if (!TEST_ptr(ctx))
7262 goto end;
7263
7264 cp = SSL_CTX_get0_param(ctx);
7265 if (!TEST_ptr(cp))
7266 goto end;
7267 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
7268 goto end;
7269
7270 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
7271
7272 ssl = SSL_new(ctx);
7273 if (!TEST_ptr(ssl))
7274 goto end;
7275
7276 sp = SSL_get0_param(ssl);
7277 if (!TEST_ptr(sp))
7278 goto end;
7279 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
7280 goto end;
7281
7282 testresult = 1;
7283
7284 end:
7285 SSL_free(ssl);
7286 SSL_CTX_free(ctx);
7287
7288 return testresult;
7289 }
7290
setup_tests(void)7291 int setup_tests(void)
7292 {
7293 if (!TEST_ptr(certsdir = test_get_argument(0))
7294 || !TEST_ptr(srpvfile = test_get_argument(1))
7295 || !TEST_ptr(tmpfilename = test_get_argument(2)))
7296 return 0;
7297
7298 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
7299 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
7300 TEST_error("not supported in this build");
7301 return 0;
7302 #else
7303 int i, mcount, rcount, fcount;
7304
7305 for (i = 0; i < 4; i++)
7306 test_export_key_mat(i);
7307 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
7308 test_printf_stdout("malloc %d realloc %d free %d\n",
7309 mcount, rcount, fcount);
7310 return 1;
7311 #endif
7312 }
7313
7314 cert = test_mk_file_path(certsdir, "servercert.pem");
7315 if (cert == NULL)
7316 return 0;
7317
7318 privkey = test_mk_file_path(certsdir, "serverkey.pem");
7319 if (privkey == NULL) {
7320 OPENSSL_free(cert);
7321 return 0;
7322 }
7323
7324 ADD_TEST(test_large_message_tls);
7325 ADD_TEST(test_large_message_tls_read_ahead);
7326 #ifndef OPENSSL_NO_DTLS
7327 ADD_TEST(test_large_message_dtls);
7328 #endif
7329 ADD_ALL_TESTS(test_large_app_data, 28);
7330 #ifndef OPENSSL_NO_OCSP
7331 ADD_TEST(test_tlsext_status_type);
7332 #endif
7333 ADD_TEST(test_session_with_only_int_cache);
7334 ADD_TEST(test_session_with_only_ext_cache);
7335 ADD_TEST(test_session_with_both_cache);
7336 #ifndef OPENSSL_NO_TLS1_3
7337 ADD_ALL_TESTS(test_stateful_tickets, 3);
7338 ADD_ALL_TESTS(test_stateless_tickets, 3);
7339 ADD_TEST(test_psk_tickets);
7340 #endif
7341 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
7342 ADD_TEST(test_ssl_bio_pop_next_bio);
7343 ADD_TEST(test_ssl_bio_pop_ssl_bio);
7344 ADD_TEST(test_ssl_bio_change_rbio);
7345 ADD_TEST(test_ssl_bio_change_wbio);
7346 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
7347 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
7348 ADD_TEST(test_keylog);
7349 #endif
7350 #ifndef OPENSSL_NO_TLS1_3
7351 ADD_TEST(test_keylog_no_master_key);
7352 #endif
7353 #ifndef OPENSSL_NO_TLS1_2
7354 ADD_TEST(test_client_hello_cb);
7355 ADD_TEST(test_ccs_change_cipher);
7356 #endif
7357 #ifndef OPENSSL_NO_TLS1_3
7358 ADD_ALL_TESTS(test_early_data_read_write, 3);
7359 /*
7360 * We don't do replay tests for external PSK. Replay protection isn't used
7361 * in that scenario.
7362 */
7363 ADD_ALL_TESTS(test_early_data_replay, 2);
7364 ADD_ALL_TESTS(test_early_data_skip, 3);
7365 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
7366 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
7367 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
7368 ADD_ALL_TESTS(test_early_data_not_sent, 3);
7369 ADD_ALL_TESTS(test_early_data_psk, 8);
7370 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
7371 ADD_ALL_TESTS(test_early_data_not_expected, 3);
7372 # ifndef OPENSSL_NO_TLS1_2
7373 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
7374 # endif
7375 #endif
7376 #ifndef OPENSSL_NO_TLS1_3
7377 ADD_ALL_TESTS(test_set_ciphersuite, 10);
7378 ADD_TEST(test_ciphersuite_change);
7379 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
7380 #ifdef OPENSSL_NO_PSK
7381 ADD_ALL_TESTS(test_tls13_psk, 1);
7382 #else
7383 ADD_ALL_TESTS(test_tls13_psk, 4);
7384 #endif /* OPENSSL_NO_PSK */
7385 ADD_ALL_TESTS(test_custom_exts, 6);
7386 ADD_TEST(test_stateless);
7387 ADD_TEST(test_pha_key_update);
7388 #else
7389 ADD_ALL_TESTS(test_custom_exts, 3);
7390 #endif
7391 ADD_ALL_TESTS(test_export_key_mat, 6);
7392 #ifndef OPENSSL_NO_TLS1_3
7393 ADD_ALL_TESTS(test_export_key_mat_early, 3);
7394 ADD_TEST(test_key_update);
7395 ADD_ALL_TESTS(test_key_update_in_write, 2);
7396 #endif
7397 ADD_ALL_TESTS(test_ssl_clear, 2);
7398 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
7399 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7400 ADD_ALL_TESTS(test_srp, 6);
7401 #endif
7402 ADD_ALL_TESTS(test_info_callback, 6);
7403 ADD_ALL_TESTS(test_ssl_pending, 2);
7404 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
7405 ADD_ALL_TESTS(test_ticket_callbacks, 12);
7406 ADD_ALL_TESTS(test_shutdown, 7);
7407 ADD_ALL_TESTS(test_cert_cb, 6);
7408 ADD_ALL_TESTS(test_client_cert_cb, 2);
7409 ADD_ALL_TESTS(test_ca_names, 3);
7410 ADD_ALL_TESTS(test_servername, 10);
7411 #ifndef OPENSSL_NO_TLS1_2
7412 ADD_TEST(test_ssl_dup);
7413 #endif
7414 #ifndef OPENSSL_NO_TLS1_3
7415 ADD_TEST(test_sni_tls13);
7416 ADD_ALL_TESTS(test_ticket_lifetime, 2);
7417 #endif
7418 ADD_TEST(test_set_alpn);
7419 ADD_TEST(test_set_verify_cert_store_ssl_ctx);
7420 ADD_TEST(test_set_verify_cert_store_ssl);
7421 ADD_TEST(test_inherit_verify_param);
7422 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
7423 ADD_ALL_TESTS(test_serverinfo_custom, 4);
7424 #endif
7425 return 1;
7426 }
7427
cleanup_tests(void)7428 void cleanup_tests(void)
7429 {
7430 OPENSSL_free(cert);
7431 OPENSSL_free(privkey);
7432 bio_s_mempacket_test_free();
7433 bio_s_always_retry_free();
7434 }
7435