1 /* 2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <string.h> 11 12 #include <openssl/opensslconf.h> 13 #include <openssl/bio.h> 14 #include <openssl/crypto.h> 15 #include <openssl/ssl.h> 16 #include <openssl/ocsp.h> 17 18 #include "ssltestlib.h" 19 #include "testutil.h" 20 #include "e_os.h" 21 22 static char *cert = NULL; 23 static char *privkey = NULL; 24 25 #ifndef OPENSSL_NO_OCSP 26 static const unsigned char orespder[] = "Dummy OCSP Response"; 27 static int ocsp_server_called = 0; 28 static int ocsp_client_called = 0; 29 30 static int cdummyarg = 1; 31 static X509 *ocspcert = NULL; 32 #endif 33 34 #define NUM_EXTRA_CERTS 40 35 36 static int execute_test_large_message(const SSL_METHOD *smeth, 37 const SSL_METHOD *cmeth, 38 int min_version, int max_version, 39 int read_ahead) 40 { 41 SSL_CTX *cctx = NULL, *sctx = NULL; 42 SSL *clientssl = NULL, *serverssl = NULL; 43 int testresult = 0; 44 int i; 45 BIO *certbio = BIO_new_file(cert, "r"); 46 X509 *chaincert = NULL; 47 int certlen; 48 49 if (certbio == NULL) { 50 printf("Can't load the certificate file\n"); 51 goto end; 52 } 53 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL); 54 BIO_free(certbio); 55 certbio = NULL; 56 if (chaincert == NULL) { 57 printf("Unable to load certificate for chain\n"); 58 goto end; 59 } 60 61 if (!create_ssl_ctx_pair(smeth, cmeth, min_version, max_version, &sctx, 62 &cctx, cert, privkey)) { 63 printf("Unable to create SSL_CTX pair\n"); 64 goto end; 65 } 66 67 if(read_ahead) { 68 /* 69 * Test that read_ahead works correctly when dealing with large 70 * records 71 */ 72 SSL_CTX_set_read_ahead(cctx, 1); 73 } 74 75 /* 76 * We assume the supplied certificate is big enough so that if we add 77 * NUM_EXTRA_CERTS it will make the overall message large enough. The 78 * default buffer size is requested to be 16k, but due to the way BUF_MEM 79 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this test 80 * we need to have a message larger than that. 81 */ 82 certlen = i2d_X509(chaincert, NULL); 83 OPENSSL_assert((certlen * NUM_EXTRA_CERTS) 84 > ((SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3)); 85 for (i = 0; i < NUM_EXTRA_CERTS; i++) { 86 if (!X509_up_ref(chaincert)) { 87 printf("Unable to up ref cert\n"); 88 goto end; 89 } 90 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) { 91 printf("Unable to add extra chain cert %d\n", i); 92 X509_free(chaincert); 93 goto end; 94 } 95 } 96 97 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) { 98 printf("Unable to create SSL objects\n"); 99 goto end; 100 } 101 102 if (!create_ssl_connection(serverssl, clientssl)) { 103 printf("Unable to create SSL connection\n"); 104 goto end; 105 } 106 107 /* 108 * Calling SSL_clear() first is not required but this tests that SSL_clear() 109 * doesn't leak (when using enable-crypto-mdebug). 110 */ 111 if (!SSL_clear(serverssl)) { 112 printf("Unexpected failure from SSL_clear()\n"); 113 goto end; 114 } 115 116 testresult = 1; 117 end: 118 X509_free(chaincert); 119 SSL_free(serverssl); 120 SSL_free(clientssl); 121 SSL_CTX_free(sctx); 122 SSL_CTX_free(cctx); 123 124 return testresult; 125 } 126 127 static int test_large_message_tls(void) 128 { 129 return execute_test_large_message(TLS_server_method(), TLS_client_method(), 130 TLS1_VERSION, TLS_MAX_VERSION, 131 0); 132 } 133 134 static int test_large_message_tls_read_ahead(void) 135 { 136 return execute_test_large_message(TLS_server_method(), TLS_client_method(), 137 TLS1_VERSION, TLS_MAX_VERSION, 138 1); 139 } 140 141 #ifndef OPENSSL_NO_DTLS 142 static int test_large_message_dtls(void) 143 { 144 /* 145 * read_ahead is not relevant to DTLS because DTLS always acts as if 146 * read_ahead is set. 147 */ 148 return execute_test_large_message(DTLS_server_method(), 149 DTLS_client_method(), 150 DTLS1_VERSION, DTLS_MAX_VERSION, 151 0); 152 } 153 #endif 154 155 #ifndef OPENSSL_NO_OCSP 156 static int ocsp_server_cb(SSL *s, void *arg) 157 { 158 int *argi = (int *)arg; 159 unsigned char *orespdercopy = NULL; 160 STACK_OF(OCSP_RESPID) *ids = NULL; 161 OCSP_RESPID *id = NULL; 162 163 if (*argi == 2) { 164 /* In this test we are expecting exactly 1 OCSP_RESPID */ 165 SSL_get_tlsext_status_ids(s, &ids); 166 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1) 167 return SSL_TLSEXT_ERR_ALERT_FATAL; 168 169 id = sk_OCSP_RESPID_value(ids, 0); 170 if (id == NULL || !OCSP_RESPID_match(id, ocspcert)) 171 return SSL_TLSEXT_ERR_ALERT_FATAL; 172 } else if (*argi != 1) { 173 return SSL_TLSEXT_ERR_ALERT_FATAL; 174 } 175 176 177 orespdercopy = OPENSSL_memdup(orespder, sizeof(orespder)); 178 if (orespdercopy == NULL) 179 return SSL_TLSEXT_ERR_ALERT_FATAL; 180 181 SSL_set_tlsext_status_ocsp_resp(s, orespdercopy, sizeof(orespder)); 182 183 ocsp_server_called = 1; 184 185 return SSL_TLSEXT_ERR_OK; 186 } 187 188 static int ocsp_client_cb(SSL *s, void *arg) 189 { 190 int *argi = (int *)arg; 191 const unsigned char *respderin; 192 size_t len; 193 194 if (*argi != 1 && *argi != 2) 195 return 0; 196 197 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin); 198 199 if (memcmp(orespder, respderin, len) != 0) 200 return 0; 201 202 ocsp_client_called = 1; 203 204 return 1; 205 } 206 207 static int test_tlsext_status_type(void) 208 { 209 SSL_CTX *cctx = NULL, *sctx = NULL; 210 SSL *clientssl = NULL, *serverssl = NULL; 211 int testresult = 0; 212 STACK_OF(OCSP_RESPID) *ids = NULL; 213 OCSP_RESPID *id = NULL; 214 BIO *certbio = NULL; 215 216 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), 217 TLS1_VERSION, TLS_MAX_VERSION, &sctx, &cctx, 218 cert, privkey)) { 219 printf("Unable to create SSL_CTX pair\n"); 220 return 0; 221 } 222 223 if (SSL_CTX_get_tlsext_status_type(cctx) != -1) { 224 printf("Unexpected initial value for " 225 "SSL_CTX_get_tlsext_status_type()\n"); 226 goto end; 227 } 228 229 /* First just do various checks getting and setting tlsext_status_type */ 230 231 clientssl = SSL_new(cctx); 232 if (SSL_get_tlsext_status_type(clientssl) != -1) { 233 printf("Unexpected initial value for SSL_get_tlsext_status_type()\n"); 234 goto end; 235 } 236 237 if (!SSL_set_tlsext_status_type(clientssl, TLSEXT_STATUSTYPE_ocsp)) { 238 printf("Unexpected fail for SSL_set_tlsext_status_type()\n"); 239 goto end; 240 } 241 242 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp) { 243 printf("Unexpected result for SSL_get_tlsext_status_type()\n"); 244 goto end; 245 } 246 247 SSL_free(clientssl); 248 clientssl = NULL; 249 250 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)) { 251 printf("Unexpected fail for SSL_CTX_set_tlsext_status_type()\n"); 252 goto end; 253 } 254 255 if (SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp) { 256 printf("Unexpected result for SSL_CTX_get_tlsext_status_type()\n"); 257 goto end; 258 } 259 260 clientssl = SSL_new(cctx); 261 262 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp) { 263 printf("Unexpected result for SSL_get_tlsext_status_type() (test 2)\n"); 264 goto end; 265 } 266 267 SSL_free(clientssl); 268 clientssl = NULL; 269 270 /* 271 * Now actually do a handshake and check OCSP information is exchanged and 272 * the callbacks get called 273 */ 274 275 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb); 276 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg); 277 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb); 278 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg); 279 280 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) { 281 printf("Unable to create SSL objects\n"); 282 goto end; 283 } 284 285 if (!create_ssl_connection(serverssl, clientssl)) { 286 printf("Unable to create SSL connection\n"); 287 goto end; 288 } 289 290 if (!ocsp_client_called || !ocsp_server_called) { 291 printf("OCSP callbacks not called\n"); 292 goto end; 293 } 294 295 SSL_free(serverssl); 296 SSL_free(clientssl); 297 serverssl = NULL; 298 clientssl = NULL; 299 300 /* Try again but this time force the server side callback to fail */ 301 ocsp_client_called = 0; 302 ocsp_server_called = 0; 303 cdummyarg = 0; 304 305 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) { 306 printf("Unable to create SSL objects\n"); 307 goto end; 308 } 309 310 /* This should fail because the callback will fail */ 311 if (create_ssl_connection(serverssl, clientssl)) { 312 printf("Unexpected success creating the connection\n"); 313 goto end; 314 } 315 316 if (ocsp_client_called || ocsp_server_called) { 317 printf("OCSP callbacks successfully called unexpectedly\n"); 318 goto end; 319 } 320 321 SSL_free(serverssl); 322 SSL_free(clientssl); 323 serverssl = NULL; 324 clientssl = NULL; 325 326 /* 327 * This time we'll get the client to send an OCSP_RESPID that it will 328 * accept. 329 */ 330 ocsp_client_called = 0; 331 ocsp_server_called = 0; 332 cdummyarg = 2; 333 334 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) { 335 printf("Unable to create SSL objects\n"); 336 goto end; 337 } 338 339 /* 340 * We'll just use any old cert for this test - it doesn't have to be an OCSP 341 * specific one. We'll use the server cert. 342 */ 343 certbio = BIO_new_file(cert, "r"); 344 if (certbio == NULL) { 345 printf("Can't load the certificate file\n"); 346 goto end; 347 } 348 id = OCSP_RESPID_new(); 349 ids = sk_OCSP_RESPID_new_null(); 350 ocspcert = PEM_read_bio_X509(certbio, NULL, NULL, NULL); 351 if (id == NULL || ids == NULL || ocspcert == NULL 352 || !OCSP_RESPID_set_by_key(id, ocspcert) 353 || !sk_OCSP_RESPID_push(ids, id)) { 354 printf("Unable to set OCSP_RESPIDs\n"); 355 goto end; 356 } 357 id = NULL; 358 SSL_set_tlsext_status_ids(clientssl, ids); 359 /* Control has been transferred */ 360 ids = NULL; 361 362 BIO_free(certbio); 363 certbio = NULL; 364 365 if (!create_ssl_connection(serverssl, clientssl)) { 366 printf("Unable to create SSL connection\n"); 367 goto end; 368 } 369 370 if (!ocsp_client_called || !ocsp_server_called) { 371 printf("OCSP callbacks not called\n"); 372 goto end; 373 } 374 375 testresult = 1; 376 377 end: 378 SSL_free(serverssl); 379 SSL_free(clientssl); 380 SSL_CTX_free(sctx); 381 SSL_CTX_free(cctx); 382 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free); 383 OCSP_RESPID_free(id); 384 BIO_free(certbio); 385 X509_free(ocspcert); 386 ocspcert = NULL; 387 388 return testresult; 389 } 390 #endif /* ndef OPENSSL_NO_OCSP */ 391 392 typedef struct ssl_session_test_fixture { 393 const char *test_case_name; 394 int use_ext_cache; 395 int use_int_cache; 396 } SSL_SESSION_TEST_FIXTURE; 397 398 static int new_called = 0, remove_called = 0; 399 400 static SSL_SESSION_TEST_FIXTURE 401 ssl_session_set_up(const char *const test_case_name) 402 { 403 SSL_SESSION_TEST_FIXTURE fixture; 404 405 fixture.test_case_name = test_case_name; 406 fixture.use_ext_cache = 1; 407 fixture.use_int_cache = 1; 408 409 new_called = remove_called = 0; 410 411 return fixture; 412 } 413 414 static void ssl_session_tear_down(SSL_SESSION_TEST_FIXTURE fixture) 415 { 416 } 417 418 static int new_session_cb(SSL *ssl, SSL_SESSION *sess) 419 { 420 new_called++; 421 422 return 1; 423 } 424 425 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess) 426 { 427 remove_called++; 428 } 429 430 static int execute_test_session(SSL_SESSION_TEST_FIXTURE fix) 431 { 432 SSL_CTX *sctx = NULL, *cctx = NULL; 433 SSL *serverssl1 = NULL, *clientssl1 = NULL; 434 SSL *serverssl2 = NULL, *clientssl2 = NULL; 435 #ifndef OPENSSL_NO_TLS1_1 436 SSL *serverssl3 = NULL, *clientssl3 = NULL; 437 #endif 438 SSL_SESSION *sess1 = NULL, *sess2 = NULL; 439 int testresult = 0; 440 441 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), 442 TLS1_VERSION, TLS_MAX_VERSION, &sctx, &cctx, 443 cert, privkey)) { 444 printf("Unable to create SSL_CTX pair\n"); 445 return 0; 446 } 447 448 #ifndef OPENSSL_NO_TLS1_2 449 /* Only allow TLS1.2 so we can force a connection failure later */ 450 SSL_CTX_set_min_proto_version(cctx, TLS1_2_VERSION); 451 #endif 452 453 /* Set up session cache */ 454 if (fix.use_ext_cache) { 455 SSL_CTX_sess_set_new_cb(cctx, new_session_cb); 456 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb); 457 } 458 if (fix.use_int_cache) { 459 /* Also covers instance where both are set */ 460 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT); 461 } else { 462 SSL_CTX_set_session_cache_mode(cctx, 463 SSL_SESS_CACHE_CLIENT 464 | SSL_SESS_CACHE_NO_INTERNAL_STORE); 465 } 466 467 if (!create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1, NULL, 468 NULL)) { 469 printf("Unable to create SSL objects\n"); 470 goto end; 471 } 472 473 if (!create_ssl_connection(serverssl1, clientssl1)) { 474 printf("Unable to create SSL connection\n"); 475 goto end; 476 } 477 sess1 = SSL_get1_session(clientssl1); 478 if (sess1 == NULL) { 479 printf("Unexpected NULL session\n"); 480 goto end; 481 } 482 483 if (fix.use_int_cache && SSL_CTX_add_session(cctx, sess1)) { 484 /* Should have failed because it should already be in the cache */ 485 printf("Unexpected success adding session to cache\n"); 486 goto end; 487 } 488 489 if (fix.use_ext_cache && (new_called != 1 || remove_called != 0)) { 490 printf("Session not added to cache\n"); 491 goto end; 492 } 493 494 if (!create_ssl_objects(sctx, cctx, &serverssl2, &clientssl2, NULL, NULL)) { 495 printf("Unable to create second SSL objects\n"); 496 goto end; 497 } 498 499 if (!create_ssl_connection(serverssl2, clientssl2)) { 500 printf("Unable to create second SSL connection\n"); 501 goto end; 502 } 503 504 sess2 = SSL_get1_session(clientssl2); 505 if (sess2 == NULL) { 506 printf("Unexpected NULL session from clientssl2\n"); 507 goto end; 508 } 509 510 if (fix.use_ext_cache && (new_called != 2 || remove_called != 0)) { 511 printf("Remove session callback unexpectedly called\n"); 512 goto end; 513 } 514 515 /* 516 * This should clear sess2 from the cache because it is a "bad" session. See 517 * SSL_set_session() documentation. 518 */ 519 if (!SSL_set_session(clientssl2, sess1)) { 520 printf("Unexpected failure setting session\n"); 521 goto end; 522 } 523 524 if (fix.use_ext_cache && (new_called != 2 || remove_called != 1)) { 525 printf("Failed to call callback to remove session\n"); 526 goto end; 527 } 528 529 530 if (SSL_get_session(clientssl2) != sess1) { 531 printf("Unexpected session found\n"); 532 goto end; 533 } 534 535 if (fix.use_int_cache) { 536 if (!SSL_CTX_add_session(cctx, sess2)) { 537 /* 538 * Should have succeeded because it should not already be in the cache 539 */ 540 printf("Unexpected failure adding session to cache\n"); 541 goto end; 542 } 543 544 if (!SSL_CTX_remove_session(cctx, sess2)) { 545 printf("Unexpected failure removing session from cache\n"); 546 goto end; 547 } 548 549 /* This is for the purposes of internal cache testing...ignore the 550 * counter for external cache 551 */ 552 if (fix.use_ext_cache) 553 remove_called--; 554 } 555 556 /* This shouldn't be in the cache so should fail */ 557 if (SSL_CTX_remove_session(cctx, sess2)) { 558 printf("Unexpected success removing session from cache\n"); 559 goto end; 560 } 561 562 if (fix.use_ext_cache && (new_called != 2 || remove_called != 2)) { 563 printf("Failed to call callback to remove session #2\n"); 564 goto end; 565 } 566 567 #if !defined(OPENSSL_NO_TLS1_1) && !defined(OPENSSL_NO_TLS1_2) 568 /* Force a connection failure */ 569 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION); 570 571 if (!create_ssl_objects(sctx, cctx, &serverssl3, &clientssl3, NULL, NULL)) { 572 printf("Unable to create third SSL objects\n"); 573 goto end; 574 } 575 576 if (!SSL_set_session(clientssl3, sess1)) { 577 printf("Unable to set session for third connection\n"); 578 goto end; 579 } 580 581 /* This should fail because of the mismatched protocol versions */ 582 if (create_ssl_connection(serverssl3, clientssl3)) { 583 printf("Unable to create third SSL connection\n"); 584 goto end; 585 } 586 587 588 /* We should have automatically removed the session from the cache */ 589 if (fix.use_ext_cache && (new_called != 2 || remove_called != 3)) { 590 printf("Failed to call callback to remove session #2\n"); 591 goto end; 592 } 593 594 if (fix.use_int_cache && !SSL_CTX_add_session(cctx, sess2)) { 595 /* 596 * Should have succeeded because it should not already be in the cache 597 */ 598 printf("Unexpected failure adding session to cache #2\n"); 599 goto end; 600 } 601 #endif 602 603 testresult = 1; 604 605 end: 606 SSL_free(serverssl1); 607 SSL_free(clientssl1); 608 SSL_free(serverssl2); 609 SSL_free(clientssl2); 610 #ifndef OPENSSL_NO_TLS1_1 611 SSL_free(serverssl3); 612 SSL_free(clientssl3); 613 #endif 614 SSL_SESSION_free(sess1); 615 SSL_SESSION_free(sess2); 616 /* 617 * Check if we need to remove any sessions up-refed for the external cache 618 */ 619 if (new_called >= 1) 620 SSL_SESSION_free(sess1); 621 if (new_called >= 2) 622 SSL_SESSION_free(sess2); 623 SSL_CTX_free(sctx); 624 SSL_CTX_free(cctx); 625 626 return testresult; 627 } 628 629 static int test_session_with_only_int_cache(void) 630 { 631 SETUP_TEST_FIXTURE(SSL_SESSION_TEST_FIXTURE, ssl_session_set_up); 632 633 fixture.use_ext_cache = 0; 634 635 EXECUTE_TEST(execute_test_session, ssl_session_tear_down); 636 } 637 638 static int test_session_with_only_ext_cache(void) 639 { 640 SETUP_TEST_FIXTURE(SSL_SESSION_TEST_FIXTURE, ssl_session_set_up); 641 642 fixture.use_int_cache = 0; 643 644 EXECUTE_TEST(execute_test_session, ssl_session_tear_down); 645 } 646 647 static int test_session_with_both_cache(void) 648 { 649 SETUP_TEST_FIXTURE(SSL_SESSION_TEST_FIXTURE, ssl_session_set_up); 650 651 EXECUTE_TEST(execute_test_session, ssl_session_tear_down); 652 } 653 654 #define USE_NULL 0 655 #define USE_BIO_1 1 656 #define USE_BIO_2 2 657 658 #define TOTAL_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3) 659 660 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type) 661 { 662 switch (type) { 663 case USE_NULL: 664 *res = NULL; 665 break; 666 case USE_BIO_1: 667 *res = bio1; 668 break; 669 case USE_BIO_2: 670 *res = bio2; 671 break; 672 } 673 } 674 675 static int test_ssl_set_bio(int idx) 676 { 677 SSL_CTX *ctx = SSL_CTX_new(TLS_method()); 678 BIO *bio1 = NULL; 679 BIO *bio2 = NULL; 680 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL; 681 SSL *ssl = NULL; 682 int initrbio, initwbio, newrbio, newwbio; 683 int testresult = 0; 684 685 if (ctx == NULL) { 686 printf("Failed to allocate SSL_CTX\n"); 687 goto end; 688 } 689 690 ssl = SSL_new(ctx); 691 if (ssl == NULL) { 692 printf("Failed to allocate SSL object\n"); 693 goto end; 694 } 695 696 initrbio = idx % 3; 697 idx /= 3; 698 initwbio = idx % 3; 699 idx /= 3; 700 newrbio = idx % 3; 701 idx /= 3; 702 newwbio = idx; 703 OPENSSL_assert(newwbio <= 2); 704 705 if (initrbio == USE_BIO_1 || initwbio == USE_BIO_1 || newrbio == USE_BIO_1 706 || newwbio == USE_BIO_1) { 707 bio1 = BIO_new(BIO_s_mem()); 708 if (bio1 == NULL) { 709 printf("Failed to allocate bio1\n"); 710 goto end; 711 } 712 } 713 714 if (initrbio == USE_BIO_2 || initwbio == USE_BIO_2 || newrbio == USE_BIO_2 715 || newwbio == USE_BIO_2) { 716 bio2 = BIO_new(BIO_s_mem()); 717 if (bio2 == NULL) { 718 printf("Failed to allocate bio2\n"); 719 goto end; 720 } 721 } 722 723 setupbio(&irbio, bio1, bio2, initrbio); 724 setupbio(&iwbio, bio1, bio2, initwbio); 725 726 /* 727 * We want to maintain our own refs to these BIO, so do an up ref for each 728 * BIO that will have ownership transferred in the SSL_set_bio() call 729 */ 730 if (irbio != NULL) 731 BIO_up_ref(irbio); 732 if (iwbio != NULL && iwbio != irbio) 733 BIO_up_ref(iwbio); 734 735 SSL_set_bio(ssl, irbio, iwbio); 736 737 setupbio(&nrbio, bio1, bio2, newrbio); 738 setupbio(&nwbio, bio1, bio2, newwbio); 739 740 /* 741 * We will (maybe) transfer ownership again so do more up refs. 742 * SSL_set_bio() has some really complicated ownership rules where BIOs have 743 * already been set! 744 */ 745 if (nrbio != NULL && nrbio != irbio && (nwbio != iwbio || nrbio != nwbio)) 746 BIO_up_ref(nrbio); 747 if (nwbio != NULL && nwbio != nrbio && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio))) 748 BIO_up_ref(nwbio); 749 750 SSL_set_bio(ssl, nrbio, nwbio); 751 752 testresult = 1; 753 754 end: 755 SSL_free(ssl); 756 BIO_free(bio1); 757 BIO_free(bio2); 758 /* 759 * This test is checking that the ref counting for SSL_set_bio is correct. 760 * If we get here and we did too many frees then we will fail in the above 761 * functions. If we haven't done enough then this will only be detected in 762 * a crypto-mdebug build 763 */ 764 SSL_CTX_free(ctx); 765 766 return testresult; 767 } 768 769 typedef struct ssl_bio_test_fixture { 770 const char *test_case_name; 771 int pop_ssl; 772 enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } change_bio; 773 } SSL_BIO_TEST_FIXTURE; 774 775 static SSL_BIO_TEST_FIXTURE ssl_bio_set_up(const char *const test_case_name) 776 { 777 SSL_BIO_TEST_FIXTURE fixture; 778 779 fixture.test_case_name = test_case_name; 780 fixture.pop_ssl = 0; 781 fixture.change_bio = NO_BIO_CHANGE; 782 783 return fixture; 784 } 785 786 static void ssl_bio_tear_down(SSL_BIO_TEST_FIXTURE fixture) 787 { 788 } 789 790 static int execute_test_ssl_bio(SSL_BIO_TEST_FIXTURE fix) 791 { 792 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL; 793 SSL_CTX *ctx = SSL_CTX_new(TLS_method()); 794 SSL *ssl = NULL; 795 int testresult = 0; 796 797 if (ctx == NULL) { 798 printf("Failed to allocate SSL_CTX\n"); 799 return 0; 800 } 801 802 ssl = SSL_new(ctx); 803 if (ssl == NULL) { 804 printf("Failed to allocate SSL object\n"); 805 goto end; 806 } 807 808 sslbio = BIO_new(BIO_f_ssl()); 809 membio1 = BIO_new(BIO_s_mem()); 810 811 if (sslbio == NULL || membio1 == NULL) { 812 printf("Malloc failure creating BIOs\n"); 813 goto end; 814 } 815 816 BIO_set_ssl(sslbio, ssl, BIO_CLOSE); 817 818 /* 819 * If anything goes wrong here then we could leak memory, so this will 820 * be caught in a crypto-mdebug build 821 */ 822 BIO_push(sslbio, membio1); 823 824 /* Verify changing the rbio/wbio directly does not cause leaks */ 825 if (fix.change_bio != NO_BIO_CHANGE) { 826 membio2 = BIO_new(BIO_s_mem()); 827 if (membio2 == NULL) { 828 printf("Malloc failure creating membio2\n"); 829 goto end; 830 } 831 if (fix.change_bio == CHANGE_RBIO) 832 SSL_set0_rbio(ssl, membio2); 833 else 834 SSL_set0_wbio(ssl, membio2); 835 } 836 ssl = NULL; 837 838 if (fix.pop_ssl) 839 BIO_pop(sslbio); 840 else 841 BIO_pop(membio1); 842 843 testresult = 1; 844 end: 845 BIO_free(membio1); 846 BIO_free(sslbio); 847 SSL_free(ssl); 848 SSL_CTX_free(ctx); 849 850 return testresult; 851 } 852 853 static int test_ssl_bio_pop_next_bio(void) 854 { 855 SETUP_TEST_FIXTURE(SSL_BIO_TEST_FIXTURE, ssl_bio_set_up); 856 857 EXECUTE_TEST(execute_test_ssl_bio, ssl_bio_tear_down); 858 } 859 860 static int test_ssl_bio_pop_ssl_bio(void) 861 { 862 SETUP_TEST_FIXTURE(SSL_BIO_TEST_FIXTURE, ssl_bio_set_up); 863 864 fixture.pop_ssl = 1; 865 866 EXECUTE_TEST(execute_test_ssl_bio, ssl_bio_tear_down); 867 } 868 869 static int test_ssl_bio_change_rbio(void) 870 { 871 SETUP_TEST_FIXTURE(SSL_BIO_TEST_FIXTURE, ssl_bio_set_up); 872 873 fixture.change_bio = CHANGE_RBIO; 874 875 EXECUTE_TEST(execute_test_ssl_bio, ssl_bio_tear_down); 876 } 877 878 static int test_ssl_bio_change_wbio(void) 879 { 880 SETUP_TEST_FIXTURE(SSL_BIO_TEST_FIXTURE, ssl_bio_set_up); 881 882 fixture.change_bio = CHANGE_WBIO; 883 884 EXECUTE_TEST(execute_test_ssl_bio, ssl_bio_tear_down); 885 } 886 887 typedef struct { 888 /* The list of sig algs */ 889 const int *list; 890 /* The length of the list */ 891 size_t listlen; 892 /* A sigalgs list in string format */ 893 const char *liststr; 894 /* Whether setting the list should succeed */ 895 int valid; 896 /* Whether creating a connection with the list should succeed */ 897 int connsuccess; 898 } sigalgs_list; 899 900 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA}; 901 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC}; 902 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC}; 903 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA}; 904 static const int invalidlist2[] = {NID_sha256, NID_undef}; 905 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256}; 906 static const int invalidlist4[] = {NID_sha256}; 907 static const sigalgs_list testsigalgs[] = { 908 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1}, 909 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1}, 910 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0}, 911 {NULL, 0, "RSA+SHA256", 1, 1}, 912 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1}, 913 {NULL, 0, "ECDSA+SHA512", 1, 0}, 914 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0}, 915 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0}, 916 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0}, 917 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0}, 918 {NULL, 0, "RSA", 0, 0}, 919 {NULL, 0, "SHA256", 0, 0}, 920 {NULL, 0, "RSA+SHA256:SHA256", 0, 0}, 921 {NULL, 0, "Invalid", 0, 0}}; 922 923 static int test_set_sigalgs(int idx) 924 { 925 SSL_CTX *cctx = NULL, *sctx = NULL; 926 SSL *clientssl = NULL, *serverssl = NULL; 927 int testresult = 0; 928 const sigalgs_list *curr; 929 int testctx; 930 931 /* Should never happen */ 932 if ((size_t)idx >= OSSL_NELEM(testsigalgs) * 2) 933 return 0; 934 935 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs)); 936 curr = testctx ? &testsigalgs[idx] 937 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)]; 938 939 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), 940 TLS1_VERSION, TLS_MAX_VERSION, &sctx, &cctx, 941 cert, privkey)) { 942 printf("Unable to create SSL_CTX pair\n"); 943 return 0; 944 } 945 946 if (testctx) { 947 int ret; 948 if (curr->list != NULL) 949 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen); 950 else 951 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr); 952 953 if (!ret) { 954 if (curr->valid) 955 printf("Unexpected failure setting sigalgs in SSL_CTX (%d)\n", 956 idx); 957 else 958 testresult = 1; 959 goto end; 960 } 961 if (!curr->valid) { 962 printf("Unexpected success setting sigalgs in SSL_CTX (%d)\n", idx); 963 goto end; 964 } 965 } 966 967 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) { 968 printf("Unable to create SSL objects\n"); 969 goto end; 970 } 971 972 if (!testctx) { 973 int ret; 974 975 if (curr->list != NULL) 976 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen); 977 else 978 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr); 979 if (!ret) { 980 if (curr->valid) 981 printf("Unexpected failure setting sigalgs in SSL (%d)\n", idx); 982 else 983 testresult = 1; 984 goto end; 985 } 986 if (!curr->valid) { 987 printf("Unexpected success setting sigalgs in SSL (%d)\n", idx); 988 goto end; 989 } 990 } 991 992 if (curr->connsuccess != create_ssl_connection(serverssl, clientssl)) { 993 printf("Unexpected return value creating SSL connection (%d)\n", idx); 994 goto end; 995 } 996 997 testresult = 1; 998 999 end: 1000 SSL_free(serverssl); 1001 SSL_free(clientssl); 1002 SSL_CTX_free(sctx); 1003 SSL_CTX_free(cctx); 1004 1005 return testresult; 1006 } 1007 1008 static int clntaddcb = 0; 1009 static int clntparsecb = 0; 1010 static int srvaddcb = 0; 1011 static int srvparsecb = 0; 1012 static int snicb = 0; 1013 1014 #define TEST_EXT_TYPE1 0xff00 1015 1016 static int add_cb(SSL *s, unsigned int ext_type, const unsigned char **out, 1017 size_t *outlen, int *al, void *add_arg) 1018 { 1019 int *server = (int *)add_arg; 1020 unsigned char *data; 1021 1022 if (SSL_is_server(s)) 1023 srvaddcb++; 1024 else 1025 clntaddcb++; 1026 1027 if (*server != SSL_is_server(s) 1028 || (data = OPENSSL_malloc(sizeof(*data))) == NULL) 1029 return -1; 1030 1031 *data = 1; 1032 *out = data; 1033 *outlen = sizeof(char); 1034 return 1; 1035 } 1036 1037 static void free_cb(SSL *s, unsigned int ext_type, const unsigned char *out, 1038 void *add_arg) 1039 { 1040 OPENSSL_free((unsigned char *)out); 1041 } 1042 1043 static int parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in, 1044 size_t inlen, int *al, void *parse_arg) 1045 { 1046 int *server = (int *)parse_arg; 1047 1048 if (SSL_is_server(s)) 1049 srvparsecb++; 1050 else 1051 clntparsecb++; 1052 1053 if (*server != SSL_is_server(s) 1054 || inlen != sizeof(char) 1055 || *in != 1) 1056 return -1; 1057 1058 return 1; 1059 } 1060 1061 static int sni_cb(SSL *s, int *al, void *arg) 1062 { 1063 SSL_CTX *ctx = (SSL_CTX *)arg; 1064 1065 if (SSL_set_SSL_CTX(s, ctx) == NULL) { 1066 *al = SSL_AD_INTERNAL_ERROR; 1067 return SSL_TLSEXT_ERR_ALERT_FATAL; 1068 } 1069 snicb++; 1070 return SSL_TLSEXT_ERR_OK; 1071 } 1072 1073 /* 1074 * Custom call back tests. 1075 * Test 0: callbacks in TLSv1.2 1076 * Test 1: callbacks in TLSv1.2 with SNI 1077 */ 1078 static int test_custom_exts(int tst) 1079 { 1080 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL; 1081 SSL *clientssl = NULL, *serverssl = NULL; 1082 int testresult = 0; 1083 static int server = 1; 1084 static int client = 0; 1085 SSL_SESSION *sess = NULL; 1086 1087 /* Reset callback counters */ 1088 clntaddcb = clntparsecb = srvaddcb = srvparsecb = 0; 1089 snicb = 0; 1090 1091 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), 1092 TLS1_VERSION, TLS_MAX_VERSION, &sctx, &cctx, 1093 cert, privkey)) { 1094 printf("Unable to create SSL_CTX pair\n"); 1095 goto end; 1096 } 1097 1098 if (tst == 1 1099 && !create_ssl_ctx_pair(TLS_server_method(), NULL, 1100 TLS1_VERSION, TLS_MAX_VERSION, &sctx2, NULL, 1101 cert, privkey)) { 1102 printf("Unable to create SSL_CTX pair (2)\n"); 1103 goto end; 1104 } 1105 1106 /* Create a client side custom extension */ 1107 if (!SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1, add_cb, free_cb, 1108 &client, parse_cb, &client)) { 1109 printf("Unable to add client custom extension\n"); 1110 goto end; 1111 } 1112 1113 /* Should not be able to add duplicates */ 1114 if (SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1, add_cb, free_cb, 1115 &client, parse_cb, &client)) { 1116 printf("Unexpected success adding duplicate extension\n"); 1117 goto end; 1118 } 1119 1120 /* Create a server side custom extension */ 1121 if (!SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1, add_cb, free_cb, 1122 &server, parse_cb, &server)) { 1123 printf("Unable to add server custom extension\n"); 1124 goto end; 1125 } 1126 if (sctx2 != NULL 1127 && !SSL_CTX_add_server_custom_ext(sctx2, TEST_EXT_TYPE1, 1128 add_cb, free_cb, 1129 &server, parse_cb, 1130 &server)) { 1131 printf("Unable to add server custom extension for SNI\n"); 1132 goto end; 1133 } 1134 1135 /* Should not be able to add duplicates */ 1136 if (SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1, add_cb, free_cb, 1137 &server, parse_cb, &server)) { 1138 printf("Unexpected success adding duplicate extension (2)\n"); 1139 goto end; 1140 } 1141 1142 if (tst == 1) { 1143 /* Set up SNI */ 1144 if (!SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb) 1145 || !SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)) { 1146 printf("Cannot set SNI callbacks\n"); 1147 goto end; 1148 } 1149 } 1150 1151 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL) 1152 || !create_ssl_connection(serverssl, clientssl)) { 1153 printf("Cannot create SSL connection\n"); 1154 goto end; 1155 } 1156 1157 if (clntaddcb != 1 1158 || clntparsecb != 1 1159 || srvaddcb != 1 1160 || srvparsecb != 1 1161 || (tst != 1 && snicb != 0) 1162 || (tst == 1 && snicb != 1)) { 1163 printf("Incorrect callback counts\n"); 1164 goto end; 1165 } 1166 1167 sess = SSL_get1_session(clientssl); 1168 SSL_shutdown(clientssl); 1169 SSL_shutdown(serverssl); 1170 SSL_free(serverssl); 1171 SSL_free(clientssl); 1172 serverssl = clientssl = NULL; 1173 1174 if (tst == 1) { 1175 /* We don't bother with the resumption aspects for this test */ 1176 testresult = 1; 1177 goto end; 1178 } 1179 1180 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL) 1181 || !SSL_set_session(clientssl, sess) 1182 || !create_ssl_connection(serverssl, clientssl)) { 1183 printf("Cannot create resumption connection\n"); 1184 goto end; 1185 } 1186 1187 /* 1188 * For a resumed session we expect to add the ClientHello extension but we 1189 * should ignore it on the server side. 1190 */ 1191 if (clntaddcb != 2 1192 || clntparsecb != 1 1193 || srvaddcb != 1 1194 || srvparsecb != 1) { 1195 printf("Incorrect resumption callback counts\n"); 1196 goto end; 1197 } 1198 1199 testresult = 1; 1200 1201 end: 1202 SSL_SESSION_free(sess); 1203 SSL_free(serverssl); 1204 SSL_free(clientssl); 1205 SSL_CTX_free(sctx2); 1206 SSL_CTX_free(sctx); 1207 SSL_CTX_free(cctx); 1208 return testresult; 1209 } 1210 1211 int main(int argc, char *argv[]) 1212 { 1213 BIO *err = NULL; 1214 int testresult = 1; 1215 1216 if (argc != 3) { 1217 printf("Invalid argument count\n"); 1218 return 1; 1219 } 1220 1221 cert = argv[1]; 1222 privkey = argv[2]; 1223 1224 err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT); 1225 1226 CRYPTO_set_mem_debug(1); 1227 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); 1228 1229 ADD_TEST(test_large_message_tls); 1230 ADD_TEST(test_large_message_tls_read_ahead); 1231 #ifndef OPENSSL_NO_DTLS 1232 ADD_TEST(test_large_message_dtls); 1233 #endif 1234 #ifndef OPENSSL_NO_OCSP 1235 ADD_TEST(test_tlsext_status_type); 1236 #endif 1237 ADD_TEST(test_session_with_only_int_cache); 1238 ADD_TEST(test_session_with_only_ext_cache); 1239 ADD_TEST(test_session_with_both_cache); 1240 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS); 1241 ADD_TEST(test_ssl_bio_pop_next_bio); 1242 ADD_TEST(test_ssl_bio_pop_ssl_bio); 1243 ADD_TEST(test_ssl_bio_change_rbio); 1244 ADD_TEST(test_ssl_bio_change_wbio); 1245 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2); 1246 ADD_ALL_TESTS(test_custom_exts, 2); 1247 1248 testresult = run_tests(argv[0]); 1249 1250 bio_s_mempacket_test_free(); 1251 1252 #ifndef OPENSSL_NO_CRYPTO_MDEBUG 1253 if (CRYPTO_mem_leaks(err) <= 0) 1254 testresult = 1; 1255 #endif 1256 BIO_free(err); 1257 1258 if (!testresult) 1259 printf("PASS\n"); 1260 1261 return testresult; 1262 } 1263