1 /* 2 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <string.h> 11 12 #include <openssl/opensslconf.h> 13 #include <openssl/bio.h> 14 #include <openssl/crypto.h> 15 #include <openssl/ssl.h> 16 #include <openssl/ocsp.h> 17 #include <openssl/srp.h> 18 #include <openssl/txt_db.h> 19 #include <openssl/aes.h> 20 21 #include "ssltestlib.h" 22 #include "testutil.h" 23 #include "testutil/output.h" 24 #include "internal/nelem.h" 25 #include "../ssl/ssl_local.h" 26 27 #ifndef OPENSSL_NO_TLS1_3 28 29 static SSL_SESSION *clientpsk = NULL; 30 static SSL_SESSION *serverpsk = NULL; 31 static const char *pskid = "Identity"; 32 static const char *srvid; 33 34 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id, 35 size_t *idlen, SSL_SESSION **sess); 36 static int find_session_cb(SSL *ssl, const unsigned char *identity, 37 size_t identity_len, SSL_SESSION **sess); 38 39 static int use_session_cb_cnt = 0; 40 static int find_session_cb_cnt = 0; 41 42 static SSL_SESSION *create_a_psk(SSL *ssl); 43 #endif 44 45 static char *certsdir = NULL; 46 static char *cert = NULL; 47 static char *privkey = NULL; 48 static char *srpvfile = NULL; 49 static char *tmpfilename = NULL; 50 51 #define LOG_BUFFER_SIZE 2048 52 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0}; 53 static size_t server_log_buffer_index = 0; 54 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0}; 55 static size_t client_log_buffer_index = 0; 56 static int error_writing_log = 0; 57 58 #ifndef OPENSSL_NO_OCSP 59 static const unsigned char orespder[] = "Dummy OCSP Response"; 60 static int ocsp_server_called = 0; 61 static int ocsp_client_called = 0; 62 63 static int cdummyarg = 1; 64 static X509 *ocspcert = NULL; 65 #endif 66 67 #define NUM_EXTRA_CERTS 40 68 #define CLIENT_VERSION_LEN 2 69 70 /* 71 * This structure is used to validate that the correct number of log messages 72 * of various types are emitted when emitting secret logs. 73 */ 74 struct sslapitest_log_counts { 75 unsigned int rsa_key_exchange_count; 76 unsigned int master_secret_count; 77 unsigned int client_early_secret_count; 78 unsigned int client_handshake_secret_count; 79 unsigned int server_handshake_secret_count; 80 unsigned int client_application_secret_count; 81 unsigned int server_application_secret_count; 82 unsigned int early_exporter_secret_count; 83 unsigned int exporter_secret_count; 84 }; 85 86 87 static unsigned char serverinfov1[] = { 88 0xff, 0xff, /* Dummy extension type */ 89 0x00, 0x01, /* Extension length is 1 byte */ 90 0xff /* Dummy extension data */ 91 }; 92 93 static unsigned char serverinfov2[] = { 94 0x00, 0x00, 0x00, 95 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */ 96 0xff, 0xff, /* Dummy extension type */ 97 0x00, 0x01, /* Extension length is 1 byte */ 98 0xff /* Dummy extension data */ 99 }; 100 101 static int hostname_cb(SSL *s, int *al, void *arg) 102 { 103 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name); 104 105 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0 106 || strcmp(hostname, "altgoodhost") == 0)) 107 return SSL_TLSEXT_ERR_OK; 108 109 return SSL_TLSEXT_ERR_NOACK; 110 } 111 112 static void client_keylog_callback(const SSL *ssl, const char *line) 113 { 114 int line_length = strlen(line); 115 116 /* If the log doesn't fit, error out. */ 117 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) { 118 TEST_info("Client log too full"); 119 error_writing_log = 1; 120 return; 121 } 122 123 strcat(client_log_buffer, line); 124 client_log_buffer_index += line_length; 125 client_log_buffer[client_log_buffer_index++] = '\n'; 126 } 127 128 static void server_keylog_callback(const SSL *ssl, const char *line) 129 { 130 int line_length = strlen(line); 131 132 /* If the log doesn't fit, error out. */ 133 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) { 134 TEST_info("Server log too full"); 135 error_writing_log = 1; 136 return; 137 } 138 139 strcat(server_log_buffer, line); 140 server_log_buffer_index += line_length; 141 server_log_buffer[server_log_buffer_index++] = '\n'; 142 } 143 144 static int compare_hex_encoded_buffer(const char *hex_encoded, 145 size_t hex_length, 146 const uint8_t *raw, 147 size_t raw_length) 148 { 149 size_t i, j; 150 char hexed[3]; 151 152 if (!TEST_size_t_eq(raw_length * 2, hex_length)) 153 return 1; 154 155 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) { 156 sprintf(hexed, "%02x", raw[i]); 157 if (!TEST_int_eq(hexed[0], hex_encoded[j]) 158 || !TEST_int_eq(hexed[1], hex_encoded[j + 1])) 159 return 1; 160 } 161 162 return 0; 163 } 164 165 static int test_keylog_output(char *buffer, const SSL *ssl, 166 const SSL_SESSION *session, 167 struct sslapitest_log_counts *expected) 168 { 169 char *token = NULL; 170 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0}; 171 size_t client_random_size = SSL3_RANDOM_SIZE; 172 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0}; 173 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH; 174 unsigned int rsa_key_exchange_count = 0; 175 unsigned int master_secret_count = 0; 176 unsigned int client_early_secret_count = 0; 177 unsigned int client_handshake_secret_count = 0; 178 unsigned int server_handshake_secret_count = 0; 179 unsigned int client_application_secret_count = 0; 180 unsigned int server_application_secret_count = 0; 181 unsigned int early_exporter_secret_count = 0; 182 unsigned int exporter_secret_count = 0; 183 184 for (token = strtok(buffer, " \n"); token != NULL; 185 token = strtok(NULL, " \n")) { 186 if (strcmp(token, "RSA") == 0) { 187 /* 188 * Premaster secret. Tokens should be: 16 ASCII bytes of 189 * hex-encoded encrypted secret, then the hex-encoded pre-master 190 * secret. 191 */ 192 if (!TEST_ptr(token = strtok(NULL, " \n"))) 193 return 0; 194 if (!TEST_size_t_eq(strlen(token), 16)) 195 return 0; 196 if (!TEST_ptr(token = strtok(NULL, " \n"))) 197 return 0; 198 /* 199 * We can't sensibly check the log because the premaster secret is 200 * transient, and OpenSSL doesn't keep hold of it once the master 201 * secret is generated. 202 */ 203 rsa_key_exchange_count++; 204 } else if (strcmp(token, "CLIENT_RANDOM") == 0) { 205 /* 206 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded 207 * client random, then the hex-encoded master secret. 208 */ 209 client_random_size = SSL_get_client_random(ssl, 210 actual_client_random, 211 SSL3_RANDOM_SIZE); 212 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE)) 213 return 0; 214 215 if (!TEST_ptr(token = strtok(NULL, " \n"))) 216 return 0; 217 if (!TEST_size_t_eq(strlen(token), 64)) 218 return 0; 219 if (!TEST_false(compare_hex_encoded_buffer(token, 64, 220 actual_client_random, 221 client_random_size))) 222 return 0; 223 224 if (!TEST_ptr(token = strtok(NULL, " \n"))) 225 return 0; 226 master_key_size = SSL_SESSION_get_master_key(session, 227 actual_master_key, 228 master_key_size); 229 if (!TEST_size_t_ne(master_key_size, 0)) 230 return 0; 231 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token), 232 actual_master_key, 233 master_key_size))) 234 return 0; 235 master_secret_count++; 236 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0 237 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0 238 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0 239 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0 240 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0 241 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0 242 || strcmp(token, "EXPORTER_SECRET") == 0) { 243 /* 244 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded 245 * client random, and then the hex-encoded secret. In this case, 246 * we treat all of these secrets identically and then just 247 * distinguish between them when counting what we saw. 248 */ 249 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0) 250 client_early_secret_count++; 251 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0) 252 client_handshake_secret_count++; 253 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0) 254 server_handshake_secret_count++; 255 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0) 256 client_application_secret_count++; 257 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0) 258 server_application_secret_count++; 259 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0) 260 early_exporter_secret_count++; 261 else if (strcmp(token, "EXPORTER_SECRET") == 0) 262 exporter_secret_count++; 263 264 client_random_size = SSL_get_client_random(ssl, 265 actual_client_random, 266 SSL3_RANDOM_SIZE); 267 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE)) 268 return 0; 269 270 if (!TEST_ptr(token = strtok(NULL, " \n"))) 271 return 0; 272 if (!TEST_size_t_eq(strlen(token), 64)) 273 return 0; 274 if (!TEST_false(compare_hex_encoded_buffer(token, 64, 275 actual_client_random, 276 client_random_size))) 277 return 0; 278 279 if (!TEST_ptr(token = strtok(NULL, " \n"))) 280 return 0; 281 282 /* 283 * TODO(TLS1.3): test that application traffic secrets are what 284 * we expect */ 285 } else { 286 TEST_info("Unexpected token %s\n", token); 287 return 0; 288 } 289 } 290 291 /* Got what we expected? */ 292 if (!TEST_size_t_eq(rsa_key_exchange_count, 293 expected->rsa_key_exchange_count) 294 || !TEST_size_t_eq(master_secret_count, 295 expected->master_secret_count) 296 || !TEST_size_t_eq(client_early_secret_count, 297 expected->client_early_secret_count) 298 || !TEST_size_t_eq(client_handshake_secret_count, 299 expected->client_handshake_secret_count) 300 || !TEST_size_t_eq(server_handshake_secret_count, 301 expected->server_handshake_secret_count) 302 || !TEST_size_t_eq(client_application_secret_count, 303 expected->client_application_secret_count) 304 || !TEST_size_t_eq(server_application_secret_count, 305 expected->server_application_secret_count) 306 || !TEST_size_t_eq(early_exporter_secret_count, 307 expected->early_exporter_secret_count) 308 || !TEST_size_t_eq(exporter_secret_count, 309 expected->exporter_secret_count)) 310 return 0; 311 return 1; 312 } 313 314 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3) 315 static int test_keylog(void) 316 { 317 SSL_CTX *cctx = NULL, *sctx = NULL; 318 SSL *clientssl = NULL, *serverssl = NULL; 319 int testresult = 0; 320 struct sslapitest_log_counts expected = {0}; 321 322 /* Clean up logging space */ 323 memset(client_log_buffer, 0, sizeof(client_log_buffer)); 324 memset(server_log_buffer, 0, sizeof(server_log_buffer)); 325 client_log_buffer_index = 0; 326 server_log_buffer_index = 0; 327 error_writing_log = 0; 328 329 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), 330 TLS_client_method(), 331 TLS1_VERSION, TLS_MAX_VERSION, 332 &sctx, &cctx, cert, privkey))) 333 return 0; 334 335 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */ 336 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3); 337 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3); 338 339 /* We also want to ensure that we use RSA-based key exchange. */ 340 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA"))) 341 goto end; 342 343 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL) 344 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL)) 345 goto end; 346 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback); 347 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) 348 == client_keylog_callback)) 349 goto end; 350 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback); 351 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx) 352 == server_keylog_callback)) 353 goto end; 354 355 /* Now do a handshake and check that the logs have been written to. */ 356 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 357 &clientssl, NULL, NULL)) 358 || !TEST_true(create_ssl_connection(serverssl, clientssl, 359 SSL_ERROR_NONE)) 360 || !TEST_false(error_writing_log) 361 || !TEST_int_gt(client_log_buffer_index, 0) 362 || !TEST_int_gt(server_log_buffer_index, 0)) 363 goto end; 364 365 /* 366 * Now we want to test that our output data was vaguely sensible. We 367 * do that by using strtok and confirming that we have more or less the 368 * data we expect. For both client and server, we expect to see one master 369 * secret. The client should also see a RSA key exchange. 370 */ 371 expected.rsa_key_exchange_count = 1; 372 expected.master_secret_count = 1; 373 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl, 374 SSL_get_session(clientssl), &expected))) 375 goto end; 376 377 expected.rsa_key_exchange_count = 0; 378 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl, 379 SSL_get_session(serverssl), &expected))) 380 goto end; 381 382 testresult = 1; 383 384 end: 385 SSL_free(serverssl); 386 SSL_free(clientssl); 387 SSL_CTX_free(sctx); 388 SSL_CTX_free(cctx); 389 390 return testresult; 391 } 392 #endif 393 394 #ifndef OPENSSL_NO_TLS1_3 395 static int test_keylog_no_master_key(void) 396 { 397 SSL_CTX *cctx = NULL, *sctx = NULL; 398 SSL *clientssl = NULL, *serverssl = NULL; 399 SSL_SESSION *sess = NULL; 400 int testresult = 0; 401 struct sslapitest_log_counts expected = {0}; 402 unsigned char buf[1]; 403 size_t readbytes, written; 404 405 /* Clean up logging space */ 406 memset(client_log_buffer, 0, sizeof(client_log_buffer)); 407 memset(server_log_buffer, 0, sizeof(server_log_buffer)); 408 client_log_buffer_index = 0; 409 server_log_buffer_index = 0; 410 error_writing_log = 0; 411 412 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), 413 TLS1_VERSION, TLS_MAX_VERSION, 414 &sctx, &cctx, cert, privkey)) 415 || !TEST_true(SSL_CTX_set_max_early_data(sctx, 416 SSL3_RT_MAX_PLAIN_LENGTH))) 417 return 0; 418 419 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL) 420 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL)) 421 goto end; 422 423 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback); 424 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) 425 == client_keylog_callback)) 426 goto end; 427 428 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback); 429 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx) 430 == server_keylog_callback)) 431 goto end; 432 433 /* Now do a handshake and check that the logs have been written to. */ 434 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 435 &clientssl, NULL, NULL)) 436 || !TEST_true(create_ssl_connection(serverssl, clientssl, 437 SSL_ERROR_NONE)) 438 || !TEST_false(error_writing_log)) 439 goto end; 440 441 /* 442 * Now we want to test that our output data was vaguely sensible. For this 443 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for 444 * TLSv1.3, but we do expect both client and server to emit keys. 445 */ 446 expected.client_handshake_secret_count = 1; 447 expected.server_handshake_secret_count = 1; 448 expected.client_application_secret_count = 1; 449 expected.server_application_secret_count = 1; 450 expected.exporter_secret_count = 1; 451 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl, 452 SSL_get_session(clientssl), &expected)) 453 || !TEST_true(test_keylog_output(server_log_buffer, serverssl, 454 SSL_get_session(serverssl), 455 &expected))) 456 goto end; 457 458 /* Terminate old session and resume with early data. */ 459 sess = SSL_get1_session(clientssl); 460 SSL_shutdown(clientssl); 461 SSL_shutdown(serverssl); 462 SSL_free(serverssl); 463 SSL_free(clientssl); 464 serverssl = clientssl = NULL; 465 466 /* Reset key log */ 467 memset(client_log_buffer, 0, sizeof(client_log_buffer)); 468 memset(server_log_buffer, 0, sizeof(server_log_buffer)); 469 client_log_buffer_index = 0; 470 server_log_buffer_index = 0; 471 472 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 473 &clientssl, NULL, NULL)) 474 || !TEST_true(SSL_set_session(clientssl, sess)) 475 /* Here writing 0 length early data is enough. */ 476 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written)) 477 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 478 &readbytes), 479 SSL_READ_EARLY_DATA_ERROR) 480 || !TEST_int_eq(SSL_get_early_data_status(serverssl), 481 SSL_EARLY_DATA_ACCEPTED) 482 || !TEST_true(create_ssl_connection(serverssl, clientssl, 483 SSL_ERROR_NONE)) 484 || !TEST_true(SSL_session_reused(clientssl))) 485 goto end; 486 487 /* In addition to the previous entries, expect early secrets. */ 488 expected.client_early_secret_count = 1; 489 expected.early_exporter_secret_count = 1; 490 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl, 491 SSL_get_session(clientssl), &expected)) 492 || !TEST_true(test_keylog_output(server_log_buffer, serverssl, 493 SSL_get_session(serverssl), 494 &expected))) 495 goto end; 496 497 testresult = 1; 498 499 end: 500 SSL_SESSION_free(sess); 501 SSL_free(serverssl); 502 SSL_free(clientssl); 503 SSL_CTX_free(sctx); 504 SSL_CTX_free(cctx); 505 506 return testresult; 507 } 508 #endif 509 510 #ifndef OPENSSL_NO_TLS1_2 511 static int full_client_hello_callback(SSL *s, int *al, void *arg) 512 { 513 int *ctr = arg; 514 const unsigned char *p; 515 int *exts; 516 /* We only configure two ciphers, but the SCSV is added automatically. */ 517 #ifdef OPENSSL_NO_EC 518 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff}; 519 #else 520 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0, 521 0x2c, 0x00, 0xff}; 522 #endif 523 const int expected_extensions[] = { 524 #ifndef OPENSSL_NO_EC 525 11, 10, 526 #endif 527 35, 22, 23, 13}; 528 size_t len; 529 530 /* Make sure we can defer processing and get called back. */ 531 if ((*ctr)++ == 0) 532 return SSL_CLIENT_HELLO_RETRY; 533 534 len = SSL_client_hello_get0_ciphers(s, &p); 535 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers)) 536 || !TEST_size_t_eq( 537 SSL_client_hello_get0_compression_methods(s, &p), 1) 538 || !TEST_int_eq(*p, 0)) 539 return SSL_CLIENT_HELLO_ERROR; 540 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len)) 541 return SSL_CLIENT_HELLO_ERROR; 542 if (len != OSSL_NELEM(expected_extensions) || 543 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) { 544 printf("ClientHello callback expected extensions mismatch\n"); 545 OPENSSL_free(exts); 546 return SSL_CLIENT_HELLO_ERROR; 547 } 548 OPENSSL_free(exts); 549 return SSL_CLIENT_HELLO_SUCCESS; 550 } 551 552 static int test_client_hello_cb(void) 553 { 554 SSL_CTX *cctx = NULL, *sctx = NULL; 555 SSL *clientssl = NULL, *serverssl = NULL; 556 int testctr = 0, testresult = 0; 557 558 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), 559 TLS1_VERSION, TLS_MAX_VERSION, 560 &sctx, &cctx, cert, privkey))) 561 goto end; 562 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr); 563 564 /* The gimpy cipher list we configure can't do TLS 1.3. */ 565 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION); 566 567 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, 568 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384")) 569 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 570 &clientssl, NULL, NULL)) 571 || !TEST_false(create_ssl_connection(serverssl, clientssl, 572 SSL_ERROR_WANT_CLIENT_HELLO_CB)) 573 /* 574 * Passing a -1 literal is a hack since 575 * the real value was lost. 576 * */ 577 || !TEST_int_eq(SSL_get_error(serverssl, -1), 578 SSL_ERROR_WANT_CLIENT_HELLO_CB) 579 || !TEST_true(create_ssl_connection(serverssl, clientssl, 580 SSL_ERROR_NONE))) 581 goto end; 582 583 testresult = 1; 584 585 end: 586 SSL_free(serverssl); 587 SSL_free(clientssl); 588 SSL_CTX_free(sctx); 589 SSL_CTX_free(cctx); 590 591 return testresult; 592 } 593 #endif 594 595 /* 596 * Very focused test to exercise a single case in the server-side state 597 * machine, when the ChangeCipherState message needs to actually change 598 * from one cipher to a different cipher (i.e., not changing from null 599 * encryption to real encryption). 600 */ 601 static int test_ccs_change_cipher(void) 602 { 603 SSL_CTX *cctx = NULL, *sctx = NULL; 604 SSL *clientssl = NULL, *serverssl = NULL; 605 SSL_SESSION *sess = NULL, *sesspre, *sesspost; 606 int testresult = 0; 607 int i; 608 unsigned char buf; 609 size_t readbytes; 610 611 /* 612 * Create a conection so we can resume and potentially (but not) use 613 * a different cipher in the second connection. 614 */ 615 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), 616 TLS_client_method(), 617 TLS1_VERSION, TLS1_2_VERSION, 618 &sctx, &cctx, cert, privkey)) 619 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET)) 620 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 621 NULL, NULL)) 622 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256")) 623 || !TEST_true(create_ssl_connection(serverssl, clientssl, 624 SSL_ERROR_NONE)) 625 || !TEST_ptr(sesspre = SSL_get0_session(serverssl)) 626 || !TEST_ptr(sess = SSL_get1_session(clientssl))) 627 goto end; 628 629 shutdown_ssl_connection(serverssl, clientssl); 630 serverssl = clientssl = NULL; 631 632 /* Resume, preferring a different cipher. Our server will force the 633 * same cipher to be used as the initial handshake. */ 634 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 635 NULL, NULL)) 636 || !TEST_true(SSL_set_session(clientssl, sess)) 637 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256")) 638 || !TEST_true(create_ssl_connection(serverssl, clientssl, 639 SSL_ERROR_NONE)) 640 || !TEST_true(SSL_session_reused(clientssl)) 641 || !TEST_true(SSL_session_reused(serverssl)) 642 || !TEST_ptr(sesspost = SSL_get0_session(serverssl)) 643 || !TEST_ptr_eq(sesspre, sesspost) 644 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 645 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl)))) 646 goto end; 647 shutdown_ssl_connection(serverssl, clientssl); 648 serverssl = clientssl = NULL; 649 650 /* 651 * Now create a fresh connection and try to renegotiate a different 652 * cipher on it. 653 */ 654 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 655 NULL, NULL)) 656 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256")) 657 || !TEST_true(create_ssl_connection(serverssl, clientssl, 658 SSL_ERROR_NONE)) 659 || !TEST_ptr(sesspre = SSL_get0_session(serverssl)) 660 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")) 661 || !TEST_true(SSL_renegotiate(clientssl)) 662 || !TEST_true(SSL_renegotiate_pending(clientssl))) 663 goto end; 664 /* Actually drive the renegotiation. */ 665 for (i = 0; i < 3; i++) { 666 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) { 667 if (!TEST_ulong_eq(readbytes, 0)) 668 goto end; 669 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0), 670 SSL_ERROR_WANT_READ)) { 671 goto end; 672 } 673 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) { 674 if (!TEST_ulong_eq(readbytes, 0)) 675 goto end; 676 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0), 677 SSL_ERROR_WANT_READ)) { 678 goto end; 679 } 680 } 681 /* sesspre and sesspost should be different since the cipher changed. */ 682 if (!TEST_false(SSL_renegotiate_pending(clientssl)) 683 || !TEST_false(SSL_session_reused(clientssl)) 684 || !TEST_false(SSL_session_reused(serverssl)) 685 || !TEST_ptr(sesspost = SSL_get0_session(serverssl)) 686 || !TEST_ptr_ne(sesspre, sesspost) 687 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384, 688 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl)))) 689 goto end; 690 691 shutdown_ssl_connection(serverssl, clientssl); 692 serverssl = clientssl = NULL; 693 694 testresult = 1; 695 696 end: 697 SSL_free(serverssl); 698 SSL_free(clientssl); 699 SSL_CTX_free(sctx); 700 SSL_CTX_free(cctx); 701 SSL_SESSION_free(sess); 702 703 return testresult; 704 } 705 706 static int execute_test_large_message(const SSL_METHOD *smeth, 707 const SSL_METHOD *cmeth, 708 int min_version, int max_version, 709 int read_ahead) 710 { 711 SSL_CTX *cctx = NULL, *sctx = NULL; 712 SSL *clientssl = NULL, *serverssl = NULL; 713 int testresult = 0; 714 int i; 715 BIO *certbio = NULL; 716 X509 *chaincert = NULL; 717 int certlen; 718 719 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))) 720 goto end; 721 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL); 722 BIO_free(certbio); 723 certbio = NULL; 724 if (!TEST_ptr(chaincert)) 725 goto end; 726 727 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version, 728 &sctx, &cctx, cert, privkey))) 729 goto end; 730 731 if (read_ahead) { 732 /* 733 * Test that read_ahead works correctly when dealing with large 734 * records 735 */ 736 SSL_CTX_set_read_ahead(cctx, 1); 737 } 738 739 /* 740 * We assume the supplied certificate is big enough so that if we add 741 * NUM_EXTRA_CERTS it will make the overall message large enough. The 742 * default buffer size is requested to be 16k, but due to the way BUF_MEM 743 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this 744 * test we need to have a message larger than that. 745 */ 746 certlen = i2d_X509(chaincert, NULL); 747 OPENSSL_assert(certlen * NUM_EXTRA_CERTS > 748 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3); 749 for (i = 0; i < NUM_EXTRA_CERTS; i++) { 750 if (!X509_up_ref(chaincert)) 751 goto end; 752 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) { 753 X509_free(chaincert); 754 goto end; 755 } 756 } 757 758 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 759 NULL, NULL)) 760 || !TEST_true(create_ssl_connection(serverssl, clientssl, 761 SSL_ERROR_NONE))) 762 goto end; 763 764 /* 765 * Calling SSL_clear() first is not required but this tests that SSL_clear() 766 * doesn't leak (when using enable-crypto-mdebug). 767 */ 768 if (!TEST_true(SSL_clear(serverssl))) 769 goto end; 770 771 testresult = 1; 772 end: 773 X509_free(chaincert); 774 SSL_free(serverssl); 775 SSL_free(clientssl); 776 SSL_CTX_free(sctx); 777 SSL_CTX_free(cctx); 778 779 return testresult; 780 } 781 782 static int test_large_message_tls(void) 783 { 784 return execute_test_large_message(TLS_server_method(), TLS_client_method(), 785 TLS1_VERSION, TLS_MAX_VERSION, 786 0); 787 } 788 789 static int test_large_message_tls_read_ahead(void) 790 { 791 return execute_test_large_message(TLS_server_method(), TLS_client_method(), 792 TLS1_VERSION, TLS_MAX_VERSION, 793 1); 794 } 795 796 #ifndef OPENSSL_NO_DTLS 797 static int test_large_message_dtls(void) 798 { 799 /* 800 * read_ahead is not relevant to DTLS because DTLS always acts as if 801 * read_ahead is set. 802 */ 803 return execute_test_large_message(DTLS_server_method(), 804 DTLS_client_method(), 805 DTLS1_VERSION, DTLS_MAX_VERSION, 806 0); 807 } 808 #endif 809 810 #ifndef OPENSSL_NO_OCSP 811 static int ocsp_server_cb(SSL *s, void *arg) 812 { 813 int *argi = (int *)arg; 814 unsigned char *copy = NULL; 815 STACK_OF(OCSP_RESPID) *ids = NULL; 816 OCSP_RESPID *id = NULL; 817 818 if (*argi == 2) { 819 /* In this test we are expecting exactly 1 OCSP_RESPID */ 820 SSL_get_tlsext_status_ids(s, &ids); 821 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1) 822 return SSL_TLSEXT_ERR_ALERT_FATAL; 823 824 id = sk_OCSP_RESPID_value(ids, 0); 825 if (id == NULL || !OCSP_RESPID_match(id, ocspcert)) 826 return SSL_TLSEXT_ERR_ALERT_FATAL; 827 } else if (*argi != 1) { 828 return SSL_TLSEXT_ERR_ALERT_FATAL; 829 } 830 831 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder)))) 832 return SSL_TLSEXT_ERR_ALERT_FATAL; 833 834 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder)); 835 ocsp_server_called = 1; 836 return SSL_TLSEXT_ERR_OK; 837 } 838 839 static int ocsp_client_cb(SSL *s, void *arg) 840 { 841 int *argi = (int *)arg; 842 const unsigned char *respderin; 843 size_t len; 844 845 if (*argi != 1 && *argi != 2) 846 return 0; 847 848 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin); 849 if (!TEST_mem_eq(orespder, len, respderin, len)) 850 return 0; 851 852 ocsp_client_called = 1; 853 return 1; 854 } 855 856 static int test_tlsext_status_type(void) 857 { 858 SSL_CTX *cctx = NULL, *sctx = NULL; 859 SSL *clientssl = NULL, *serverssl = NULL; 860 int testresult = 0; 861 STACK_OF(OCSP_RESPID) *ids = NULL; 862 OCSP_RESPID *id = NULL; 863 BIO *certbio = NULL; 864 865 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), 866 TLS1_VERSION, TLS_MAX_VERSION, 867 &sctx, &cctx, cert, privkey)) 868 return 0; 869 870 if (SSL_CTX_get_tlsext_status_type(cctx) != -1) 871 goto end; 872 873 /* First just do various checks getting and setting tlsext_status_type */ 874 875 clientssl = SSL_new(cctx); 876 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1) 877 || !TEST_true(SSL_set_tlsext_status_type(clientssl, 878 TLSEXT_STATUSTYPE_ocsp)) 879 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl), 880 TLSEXT_STATUSTYPE_ocsp)) 881 goto end; 882 883 SSL_free(clientssl); 884 clientssl = NULL; 885 886 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp) 887 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp) 888 goto end; 889 890 clientssl = SSL_new(cctx); 891 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp) 892 goto end; 893 SSL_free(clientssl); 894 clientssl = NULL; 895 896 /* 897 * Now actually do a handshake and check OCSP information is exchanged and 898 * the callbacks get called 899 */ 900 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb); 901 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg); 902 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb); 903 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg); 904 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 905 &clientssl, NULL, NULL)) 906 || !TEST_true(create_ssl_connection(serverssl, clientssl, 907 SSL_ERROR_NONE)) 908 || !TEST_true(ocsp_client_called) 909 || !TEST_true(ocsp_server_called)) 910 goto end; 911 SSL_free(serverssl); 912 SSL_free(clientssl); 913 serverssl = NULL; 914 clientssl = NULL; 915 916 /* Try again but this time force the server side callback to fail */ 917 ocsp_client_called = 0; 918 ocsp_server_called = 0; 919 cdummyarg = 0; 920 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 921 &clientssl, NULL, NULL)) 922 /* This should fail because the callback will fail */ 923 || !TEST_false(create_ssl_connection(serverssl, clientssl, 924 SSL_ERROR_NONE)) 925 || !TEST_false(ocsp_client_called) 926 || !TEST_false(ocsp_server_called)) 927 goto end; 928 SSL_free(serverssl); 929 SSL_free(clientssl); 930 serverssl = NULL; 931 clientssl = NULL; 932 933 /* 934 * This time we'll get the client to send an OCSP_RESPID that it will 935 * accept. 936 */ 937 ocsp_client_called = 0; 938 ocsp_server_called = 0; 939 cdummyarg = 2; 940 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 941 &clientssl, NULL, NULL))) 942 goto end; 943 944 /* 945 * We'll just use any old cert for this test - it doesn't have to be an OCSP 946 * specific one. We'll use the server cert. 947 */ 948 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")) 949 || !TEST_ptr(id = OCSP_RESPID_new()) 950 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null()) 951 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio, 952 NULL, NULL, NULL)) 953 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert)) 954 || !TEST_true(sk_OCSP_RESPID_push(ids, id))) 955 goto end; 956 id = NULL; 957 SSL_set_tlsext_status_ids(clientssl, ids); 958 /* Control has been transferred */ 959 ids = NULL; 960 961 BIO_free(certbio); 962 certbio = NULL; 963 964 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 965 SSL_ERROR_NONE)) 966 || !TEST_true(ocsp_client_called) 967 || !TEST_true(ocsp_server_called)) 968 goto end; 969 970 testresult = 1; 971 972 end: 973 SSL_free(serverssl); 974 SSL_free(clientssl); 975 SSL_CTX_free(sctx); 976 SSL_CTX_free(cctx); 977 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free); 978 OCSP_RESPID_free(id); 979 BIO_free(certbio); 980 X509_free(ocspcert); 981 ocspcert = NULL; 982 983 return testresult; 984 } 985 #endif 986 987 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) 988 static int new_called, remove_called, get_called; 989 990 static int new_session_cb(SSL *ssl, SSL_SESSION *sess) 991 { 992 new_called++; 993 /* 994 * sess has been up-refed for us, but we don't actually need it so free it 995 * immediately. 996 */ 997 SSL_SESSION_free(sess); 998 return 1; 999 } 1000 1001 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess) 1002 { 1003 remove_called++; 1004 } 1005 1006 static SSL_SESSION *get_sess_val = NULL; 1007 1008 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len, 1009 int *copy) 1010 { 1011 get_called++; 1012 *copy = 1; 1013 return get_sess_val; 1014 } 1015 1016 static int execute_test_session(int maxprot, int use_int_cache, 1017 int use_ext_cache) 1018 { 1019 SSL_CTX *sctx = NULL, *cctx = NULL; 1020 SSL *serverssl1 = NULL, *clientssl1 = NULL; 1021 SSL *serverssl2 = NULL, *clientssl2 = NULL; 1022 # ifndef OPENSSL_NO_TLS1_1 1023 SSL *serverssl3 = NULL, *clientssl3 = NULL; 1024 # endif 1025 SSL_SESSION *sess1 = NULL, *sess2 = NULL; 1026 int testresult = 0, numnewsesstick = 1; 1027 1028 new_called = remove_called = 0; 1029 1030 /* TLSv1.3 sends 2 NewSessionTickets */ 1031 if (maxprot == TLS1_3_VERSION) 1032 numnewsesstick = 2; 1033 1034 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), 1035 TLS1_VERSION, TLS_MAX_VERSION, 1036 &sctx, &cctx, cert, privkey))) 1037 return 0; 1038 1039 /* 1040 * Only allow the max protocol version so we can force a connection failure 1041 * later 1042 */ 1043 SSL_CTX_set_min_proto_version(cctx, maxprot); 1044 SSL_CTX_set_max_proto_version(cctx, maxprot); 1045 1046 /* Set up session cache */ 1047 if (use_ext_cache) { 1048 SSL_CTX_sess_set_new_cb(cctx, new_session_cb); 1049 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb); 1050 } 1051 if (use_int_cache) { 1052 /* Also covers instance where both are set */ 1053 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT); 1054 } else { 1055 SSL_CTX_set_session_cache_mode(cctx, 1056 SSL_SESS_CACHE_CLIENT 1057 | SSL_SESS_CACHE_NO_INTERNAL_STORE); 1058 } 1059 1060 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1, 1061 NULL, NULL)) 1062 || !TEST_true(create_ssl_connection(serverssl1, clientssl1, 1063 SSL_ERROR_NONE)) 1064 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))) 1065 goto end; 1066 1067 /* Should fail because it should already be in the cache */ 1068 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1))) 1069 goto end; 1070 if (use_ext_cache 1071 && (!TEST_int_eq(new_called, numnewsesstick) 1072 1073 || !TEST_int_eq(remove_called, 0))) 1074 goto end; 1075 1076 new_called = remove_called = 0; 1077 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2, 1078 &clientssl2, NULL, NULL)) 1079 || !TEST_true(SSL_set_session(clientssl2, sess1)) 1080 || !TEST_true(create_ssl_connection(serverssl2, clientssl2, 1081 SSL_ERROR_NONE)) 1082 || !TEST_true(SSL_session_reused(clientssl2))) 1083 goto end; 1084 1085 if (maxprot == TLS1_3_VERSION) { 1086 /* 1087 * In TLSv1.3 we should have created a new session even though we have 1088 * resumed. Since we attempted a resume we should also have removed the 1089 * old ticket from the cache so that we try to only use tickets once. 1090 */ 1091 if (use_ext_cache 1092 && (!TEST_int_eq(new_called, 1) 1093 || !TEST_int_eq(remove_called, 1))) 1094 goto end; 1095 } else { 1096 /* 1097 * In TLSv1.2 we expect to have resumed so no sessions added or 1098 * removed. 1099 */ 1100 if (use_ext_cache 1101 && (!TEST_int_eq(new_called, 0) 1102 || !TEST_int_eq(remove_called, 0))) 1103 goto end; 1104 } 1105 1106 SSL_SESSION_free(sess1); 1107 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2))) 1108 goto end; 1109 shutdown_ssl_connection(serverssl2, clientssl2); 1110 serverssl2 = clientssl2 = NULL; 1111 1112 new_called = remove_called = 0; 1113 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2, 1114 &clientssl2, NULL, NULL)) 1115 || !TEST_true(create_ssl_connection(serverssl2, clientssl2, 1116 SSL_ERROR_NONE))) 1117 goto end; 1118 1119 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2))) 1120 goto end; 1121 1122 if (use_ext_cache 1123 && (!TEST_int_eq(new_called, numnewsesstick) 1124 || !TEST_int_eq(remove_called, 0))) 1125 goto end; 1126 1127 new_called = remove_called = 0; 1128 /* 1129 * This should clear sess2 from the cache because it is a "bad" session. 1130 * See SSL_set_session() documentation. 1131 */ 1132 if (!TEST_true(SSL_set_session(clientssl2, sess1))) 1133 goto end; 1134 if (use_ext_cache 1135 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1))) 1136 goto end; 1137 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1)) 1138 goto end; 1139 1140 if (use_int_cache) { 1141 /* Should succeeded because it should not already be in the cache */ 1142 if (!TEST_true(SSL_CTX_add_session(cctx, sess2)) 1143 || !TEST_true(SSL_CTX_remove_session(cctx, sess2))) 1144 goto end; 1145 } 1146 1147 new_called = remove_called = 0; 1148 /* This shouldn't be in the cache so should fail */ 1149 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2))) 1150 goto end; 1151 1152 if (use_ext_cache 1153 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1))) 1154 goto end; 1155 1156 # if !defined(OPENSSL_NO_TLS1_1) 1157 new_called = remove_called = 0; 1158 /* Force a connection failure */ 1159 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION); 1160 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3, 1161 &clientssl3, NULL, NULL)) 1162 || !TEST_true(SSL_set_session(clientssl3, sess1)) 1163 /* This should fail because of the mismatched protocol versions */ 1164 || !TEST_false(create_ssl_connection(serverssl3, clientssl3, 1165 SSL_ERROR_NONE))) 1166 goto end; 1167 1168 /* We should have automatically removed the session from the cache */ 1169 if (use_ext_cache 1170 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1))) 1171 goto end; 1172 1173 /* Should succeed because it should not already be in the cache */ 1174 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2))) 1175 goto end; 1176 # endif 1177 1178 /* Now do some tests for server side caching */ 1179 if (use_ext_cache) { 1180 SSL_CTX_sess_set_new_cb(cctx, NULL); 1181 SSL_CTX_sess_set_remove_cb(cctx, NULL); 1182 SSL_CTX_sess_set_new_cb(sctx, new_session_cb); 1183 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb); 1184 SSL_CTX_sess_set_get_cb(sctx, get_session_cb); 1185 get_sess_val = NULL; 1186 } 1187 1188 SSL_CTX_set_session_cache_mode(cctx, 0); 1189 /* Internal caching is the default on the server side */ 1190 if (!use_int_cache) 1191 SSL_CTX_set_session_cache_mode(sctx, 1192 SSL_SESS_CACHE_SERVER 1193 | SSL_SESS_CACHE_NO_INTERNAL_STORE); 1194 1195 SSL_free(serverssl1); 1196 SSL_free(clientssl1); 1197 serverssl1 = clientssl1 = NULL; 1198 SSL_free(serverssl2); 1199 SSL_free(clientssl2); 1200 serverssl2 = clientssl2 = NULL; 1201 SSL_SESSION_free(sess1); 1202 sess1 = NULL; 1203 SSL_SESSION_free(sess2); 1204 sess2 = NULL; 1205 1206 SSL_CTX_set_max_proto_version(sctx, maxprot); 1207 if (maxprot == TLS1_2_VERSION) 1208 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET); 1209 new_called = remove_called = get_called = 0; 1210 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1, 1211 NULL, NULL)) 1212 || !TEST_true(create_ssl_connection(serverssl1, clientssl1, 1213 SSL_ERROR_NONE)) 1214 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)) 1215 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1))) 1216 goto end; 1217 1218 if (use_int_cache) { 1219 if (maxprot == TLS1_3_VERSION && !use_ext_cache) { 1220 /* 1221 * In TLSv1.3 it should not have been added to the internal cache, 1222 * except in the case where we also have an external cache (in that 1223 * case it gets added to the cache in order to generate remove 1224 * events after timeout). 1225 */ 1226 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2))) 1227 goto end; 1228 } else { 1229 /* Should fail because it should already be in the cache */ 1230 if (!TEST_false(SSL_CTX_add_session(sctx, sess2))) 1231 goto end; 1232 } 1233 } 1234 1235 if (use_ext_cache) { 1236 SSL_SESSION *tmp = sess2; 1237 1238 if (!TEST_int_eq(new_called, numnewsesstick) 1239 || !TEST_int_eq(remove_called, 0) 1240 || !TEST_int_eq(get_called, 0)) 1241 goto end; 1242 /* 1243 * Delete the session from the internal cache to force a lookup from 1244 * the external cache. We take a copy first because 1245 * SSL_CTX_remove_session() also marks the session as non-resumable. 1246 */ 1247 if (use_int_cache && maxprot != TLS1_3_VERSION) { 1248 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2)) 1249 || !TEST_true(SSL_CTX_remove_session(sctx, sess2))) 1250 goto end; 1251 SSL_SESSION_free(sess2); 1252 } 1253 sess2 = tmp; 1254 } 1255 1256 new_called = remove_called = get_called = 0; 1257 get_sess_val = sess2; 1258 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2, 1259 &clientssl2, NULL, NULL)) 1260 || !TEST_true(SSL_set_session(clientssl2, sess1)) 1261 || !TEST_true(create_ssl_connection(serverssl2, clientssl2, 1262 SSL_ERROR_NONE)) 1263 || !TEST_true(SSL_session_reused(clientssl2))) 1264 goto end; 1265 1266 if (use_ext_cache) { 1267 if (!TEST_int_eq(remove_called, 0)) 1268 goto end; 1269 1270 if (maxprot == TLS1_3_VERSION) { 1271 if (!TEST_int_eq(new_called, 1) 1272 || !TEST_int_eq(get_called, 0)) 1273 goto end; 1274 } else { 1275 if (!TEST_int_eq(new_called, 0) 1276 || !TEST_int_eq(get_called, 1)) 1277 goto end; 1278 } 1279 } 1280 1281 testresult = 1; 1282 1283 end: 1284 SSL_free(serverssl1); 1285 SSL_free(clientssl1); 1286 SSL_free(serverssl2); 1287 SSL_free(clientssl2); 1288 # ifndef OPENSSL_NO_TLS1_1 1289 SSL_free(serverssl3); 1290 SSL_free(clientssl3); 1291 # endif 1292 SSL_SESSION_free(sess1); 1293 SSL_SESSION_free(sess2); 1294 SSL_CTX_free(sctx); 1295 SSL_CTX_free(cctx); 1296 1297 return testresult; 1298 } 1299 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */ 1300 1301 static int test_session_with_only_int_cache(void) 1302 { 1303 #ifndef OPENSSL_NO_TLS1_3 1304 if (!execute_test_session(TLS1_3_VERSION, 1, 0)) 1305 return 0; 1306 #endif 1307 1308 #ifndef OPENSSL_NO_TLS1_2 1309 return execute_test_session(TLS1_2_VERSION, 1, 0); 1310 #else 1311 return 1; 1312 #endif 1313 } 1314 1315 static int test_session_with_only_ext_cache(void) 1316 { 1317 #ifndef OPENSSL_NO_TLS1_3 1318 if (!execute_test_session(TLS1_3_VERSION, 0, 1)) 1319 return 0; 1320 #endif 1321 1322 #ifndef OPENSSL_NO_TLS1_2 1323 return execute_test_session(TLS1_2_VERSION, 0, 1); 1324 #else 1325 return 1; 1326 #endif 1327 } 1328 1329 static int test_session_with_both_cache(void) 1330 { 1331 #ifndef OPENSSL_NO_TLS1_3 1332 if (!execute_test_session(TLS1_3_VERSION, 1, 1)) 1333 return 0; 1334 #endif 1335 1336 #ifndef OPENSSL_NO_TLS1_2 1337 return execute_test_session(TLS1_2_VERSION, 1, 1); 1338 #else 1339 return 1; 1340 #endif 1341 } 1342 1343 #ifndef OPENSSL_NO_TLS1_3 1344 static SSL_SESSION *sesscache[6]; 1345 static int do_cache; 1346 1347 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess) 1348 { 1349 if (do_cache) { 1350 sesscache[new_called] = sess; 1351 } else { 1352 /* We don't need the reference to the session, so free it */ 1353 SSL_SESSION_free(sess); 1354 } 1355 new_called++; 1356 1357 return 1; 1358 } 1359 1360 static int post_handshake_verify(SSL *sssl, SSL *cssl) 1361 { 1362 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL); 1363 if (!TEST_true(SSL_verify_client_post_handshake(sssl))) 1364 return 0; 1365 1366 /* Start handshake on the server and client */ 1367 if (!TEST_int_eq(SSL_do_handshake(sssl), 1) 1368 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0) 1369 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0) 1370 || !TEST_true(create_ssl_connection(sssl, cssl, 1371 SSL_ERROR_NONE))) 1372 return 0; 1373 1374 return 1; 1375 } 1376 1377 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx, 1378 SSL_CTX **cctx) 1379 { 1380 int sess_id_ctx = 1; 1381 1382 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), 1383 TLS1_VERSION, TLS_MAX_VERSION, sctx, 1384 cctx, cert, privkey)) 1385 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx)) 1386 || !TEST_true(SSL_CTX_set_session_id_context(*sctx, 1387 (void *)&sess_id_ctx, 1388 sizeof(sess_id_ctx)))) 1389 return 0; 1390 1391 if (stateful) 1392 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET); 1393 1394 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT 1395 | SSL_SESS_CACHE_NO_INTERNAL_STORE); 1396 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb); 1397 1398 return 1; 1399 } 1400 1401 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ) 1402 { 1403 SSL *serverssl = NULL, *clientssl = NULL; 1404 int i; 1405 1406 /* Test that we can resume with all the tickets we got given */ 1407 for (i = 0; i < idx * 2; i++) { 1408 new_called = 0; 1409 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 1410 &clientssl, NULL, NULL)) 1411 || !TEST_true(SSL_set_session(clientssl, sesscache[i]))) 1412 goto end; 1413 1414 SSL_set_post_handshake_auth(clientssl, 1); 1415 1416 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 1417 SSL_ERROR_NONE))) 1418 goto end; 1419 1420 /* 1421 * Following a successful resumption we only get 1 ticket. After a 1422 * failed one we should get idx tickets. 1423 */ 1424 if (succ) { 1425 if (!TEST_true(SSL_session_reused(clientssl)) 1426 || !TEST_int_eq(new_called, 1)) 1427 goto end; 1428 } else { 1429 if (!TEST_false(SSL_session_reused(clientssl)) 1430 || !TEST_int_eq(new_called, idx)) 1431 goto end; 1432 } 1433 1434 new_called = 0; 1435 /* After a post-handshake authentication we should get 1 new ticket */ 1436 if (succ 1437 && (!post_handshake_verify(serverssl, clientssl) 1438 || !TEST_int_eq(new_called, 1))) 1439 goto end; 1440 1441 SSL_shutdown(clientssl); 1442 SSL_shutdown(serverssl); 1443 SSL_free(serverssl); 1444 SSL_free(clientssl); 1445 serverssl = clientssl = NULL; 1446 SSL_SESSION_free(sesscache[i]); 1447 sesscache[i] = NULL; 1448 } 1449 1450 return 1; 1451 1452 end: 1453 SSL_free(clientssl); 1454 SSL_free(serverssl); 1455 return 0; 1456 } 1457 1458 static int test_tickets(int stateful, int idx) 1459 { 1460 SSL_CTX *sctx = NULL, *cctx = NULL; 1461 SSL *serverssl = NULL, *clientssl = NULL; 1462 int testresult = 0; 1463 size_t j; 1464 1465 /* idx is the test number, but also the number of tickets we want */ 1466 1467 new_called = 0; 1468 do_cache = 1; 1469 1470 if (!setup_ticket_test(stateful, idx, &sctx, &cctx)) 1471 goto end; 1472 1473 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 1474 &clientssl, NULL, NULL))) 1475 goto end; 1476 1477 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 1478 SSL_ERROR_NONE)) 1479 /* Check we got the number of tickets we were expecting */ 1480 || !TEST_int_eq(idx, new_called)) 1481 goto end; 1482 1483 SSL_shutdown(clientssl); 1484 SSL_shutdown(serverssl); 1485 SSL_free(serverssl); 1486 SSL_free(clientssl); 1487 SSL_CTX_free(sctx); 1488 SSL_CTX_free(cctx); 1489 clientssl = serverssl = NULL; 1490 sctx = cctx = NULL; 1491 1492 /* 1493 * Now we try to resume with the tickets we previously created. The 1494 * resumption attempt is expected to fail (because we're now using a new 1495 * SSL_CTX). We should see idx number of tickets issued again. 1496 */ 1497 1498 /* Stop caching sessions - just count them */ 1499 do_cache = 0; 1500 1501 if (!setup_ticket_test(stateful, idx, &sctx, &cctx)) 1502 goto end; 1503 1504 if (!check_resumption(idx, sctx, cctx, 0)) 1505 goto end; 1506 1507 /* Start again with caching sessions */ 1508 new_called = 0; 1509 do_cache = 1; 1510 SSL_CTX_free(sctx); 1511 SSL_CTX_free(cctx); 1512 sctx = cctx = NULL; 1513 1514 if (!setup_ticket_test(stateful, idx, &sctx, &cctx)) 1515 goto end; 1516 1517 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 1518 &clientssl, NULL, NULL))) 1519 goto end; 1520 1521 SSL_set_post_handshake_auth(clientssl, 1); 1522 1523 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 1524 SSL_ERROR_NONE)) 1525 /* Check we got the number of tickets we were expecting */ 1526 || !TEST_int_eq(idx, new_called)) 1527 goto end; 1528 1529 /* After a post-handshake authentication we should get new tickets issued */ 1530 if (!post_handshake_verify(serverssl, clientssl) 1531 || !TEST_int_eq(idx * 2, new_called)) 1532 goto end; 1533 1534 SSL_shutdown(clientssl); 1535 SSL_shutdown(serverssl); 1536 SSL_free(serverssl); 1537 SSL_free(clientssl); 1538 serverssl = clientssl = NULL; 1539 1540 /* Stop caching sessions - just count them */ 1541 do_cache = 0; 1542 1543 /* 1544 * Check we can resume with all the tickets we created. This time around the 1545 * resumptions should all be successful. 1546 */ 1547 if (!check_resumption(idx, sctx, cctx, 1)) 1548 goto end; 1549 1550 testresult = 1; 1551 1552 end: 1553 SSL_free(serverssl); 1554 SSL_free(clientssl); 1555 for (j = 0; j < OSSL_NELEM(sesscache); j++) { 1556 SSL_SESSION_free(sesscache[j]); 1557 sesscache[j] = NULL; 1558 } 1559 SSL_CTX_free(sctx); 1560 SSL_CTX_free(cctx); 1561 1562 return testresult; 1563 } 1564 1565 static int test_stateless_tickets(int idx) 1566 { 1567 return test_tickets(0, idx); 1568 } 1569 1570 static int test_stateful_tickets(int idx) 1571 { 1572 return test_tickets(1, idx); 1573 } 1574 1575 static int test_psk_tickets(void) 1576 { 1577 SSL_CTX *sctx = NULL, *cctx = NULL; 1578 SSL *serverssl = NULL, *clientssl = NULL; 1579 int testresult = 0; 1580 int sess_id_ctx = 1; 1581 1582 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), 1583 TLS1_VERSION, TLS_MAX_VERSION, &sctx, 1584 &cctx, NULL, NULL)) 1585 || !TEST_true(SSL_CTX_set_session_id_context(sctx, 1586 (void *)&sess_id_ctx, 1587 sizeof(sess_id_ctx)))) 1588 goto end; 1589 1590 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT 1591 | SSL_SESS_CACHE_NO_INTERNAL_STORE); 1592 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb); 1593 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb); 1594 SSL_CTX_sess_set_new_cb(cctx, new_session_cb); 1595 use_session_cb_cnt = 0; 1596 find_session_cb_cnt = 0; 1597 srvid = pskid; 1598 new_called = 0; 1599 1600 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 1601 NULL, NULL))) 1602 goto end; 1603 clientpsk = serverpsk = create_a_psk(clientssl); 1604 if (!TEST_ptr(clientpsk)) 1605 goto end; 1606 SSL_SESSION_up_ref(clientpsk); 1607 1608 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 1609 SSL_ERROR_NONE)) 1610 || !TEST_int_eq(1, find_session_cb_cnt) 1611 || !TEST_int_eq(1, use_session_cb_cnt) 1612 /* We should always get 1 ticket when using external PSK */ 1613 || !TEST_int_eq(1, new_called)) 1614 goto end; 1615 1616 testresult = 1; 1617 1618 end: 1619 SSL_free(serverssl); 1620 SSL_free(clientssl); 1621 SSL_CTX_free(sctx); 1622 SSL_CTX_free(cctx); 1623 SSL_SESSION_free(clientpsk); 1624 SSL_SESSION_free(serverpsk); 1625 clientpsk = serverpsk = NULL; 1626 1627 return testresult; 1628 } 1629 #endif 1630 1631 #define USE_NULL 0 1632 #define USE_BIO_1 1 1633 #define USE_BIO_2 2 1634 #define USE_DEFAULT 3 1635 1636 #define CONNTYPE_CONNECTION_SUCCESS 0 1637 #define CONNTYPE_CONNECTION_FAIL 1 1638 #define CONNTYPE_NO_CONNECTION 2 1639 1640 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3) 1641 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2) 1642 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) 1643 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2) 1644 #else 1645 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0 1646 #endif 1647 1648 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \ 1649 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \ 1650 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 1651 1652 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type) 1653 { 1654 switch (type) { 1655 case USE_NULL: 1656 *res = NULL; 1657 break; 1658 case USE_BIO_1: 1659 *res = bio1; 1660 break; 1661 case USE_BIO_2: 1662 *res = bio2; 1663 break; 1664 } 1665 } 1666 1667 1668 /* 1669 * Tests calls to SSL_set_bio() under various conditions. 1670 * 1671 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with 1672 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We 1673 * then do more tests where we create a successful connection first using our 1674 * standard connection setup functions, and then call SSL_set_bio() with 1675 * various combinations of valid BIOs or NULL. We then repeat these tests 1676 * following a failed connection. In this last case we are looking to check that 1677 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL. 1678 */ 1679 static int test_ssl_set_bio(int idx) 1680 { 1681 SSL_CTX *sctx = NULL, *cctx = NULL; 1682 BIO *bio1 = NULL; 1683 BIO *bio2 = NULL; 1684 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL; 1685 SSL *serverssl = NULL, *clientssl = NULL; 1686 int initrbio, initwbio, newrbio, newwbio, conntype; 1687 int testresult = 0; 1688 1689 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) { 1690 initrbio = idx % 3; 1691 idx /= 3; 1692 initwbio = idx % 3; 1693 idx /= 3; 1694 newrbio = idx % 3; 1695 idx /= 3; 1696 newwbio = idx % 3; 1697 conntype = CONNTYPE_NO_CONNECTION; 1698 } else { 1699 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS; 1700 initrbio = initwbio = USE_DEFAULT; 1701 newrbio = idx % 2; 1702 idx /= 2; 1703 newwbio = idx % 2; 1704 idx /= 2; 1705 conntype = idx % 2; 1706 } 1707 1708 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), 1709 TLS1_VERSION, TLS_MAX_VERSION, 1710 &sctx, &cctx, cert, privkey))) 1711 goto end; 1712 1713 if (conntype == CONNTYPE_CONNECTION_FAIL) { 1714 /* 1715 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled 1716 * because we reduced the number of tests in the definition of 1717 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting 1718 * mismatched protocol versions we will force a connection failure. 1719 */ 1720 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION); 1721 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION); 1722 } 1723 1724 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 1725 NULL, NULL))) 1726 goto end; 1727 1728 if (initrbio == USE_BIO_1 1729 || initwbio == USE_BIO_1 1730 || newrbio == USE_BIO_1 1731 || newwbio == USE_BIO_1) { 1732 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem()))) 1733 goto end; 1734 } 1735 1736 if (initrbio == USE_BIO_2 1737 || initwbio == USE_BIO_2 1738 || newrbio == USE_BIO_2 1739 || newwbio == USE_BIO_2) { 1740 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem()))) 1741 goto end; 1742 } 1743 1744 if (initrbio != USE_DEFAULT) { 1745 setupbio(&irbio, bio1, bio2, initrbio); 1746 setupbio(&iwbio, bio1, bio2, initwbio); 1747 SSL_set_bio(clientssl, irbio, iwbio); 1748 1749 /* 1750 * We want to maintain our own refs to these BIO, so do an up ref for 1751 * each BIO that will have ownership transferred in the SSL_set_bio() 1752 * call 1753 */ 1754 if (irbio != NULL) 1755 BIO_up_ref(irbio); 1756 if (iwbio != NULL && iwbio != irbio) 1757 BIO_up_ref(iwbio); 1758 } 1759 1760 if (conntype != CONNTYPE_NO_CONNECTION 1761 && !TEST_true(create_ssl_connection(serverssl, clientssl, 1762 SSL_ERROR_NONE) 1763 == (conntype == CONNTYPE_CONNECTION_SUCCESS))) 1764 goto end; 1765 1766 setupbio(&nrbio, bio1, bio2, newrbio); 1767 setupbio(&nwbio, bio1, bio2, newwbio); 1768 1769 /* 1770 * We will (maybe) transfer ownership again so do more up refs. 1771 * SSL_set_bio() has some really complicated ownership rules where BIOs have 1772 * already been set! 1773 */ 1774 if (nrbio != NULL 1775 && nrbio != irbio 1776 && (nwbio != iwbio || nrbio != nwbio)) 1777 BIO_up_ref(nrbio); 1778 if (nwbio != NULL 1779 && nwbio != nrbio 1780 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio))) 1781 BIO_up_ref(nwbio); 1782 1783 SSL_set_bio(clientssl, nrbio, nwbio); 1784 1785 testresult = 1; 1786 1787 end: 1788 BIO_free(bio1); 1789 BIO_free(bio2); 1790 1791 /* 1792 * This test is checking that the ref counting for SSL_set_bio is correct. 1793 * If we get here and we did too many frees then we will fail in the above 1794 * functions. If we haven't done enough then this will only be detected in 1795 * a crypto-mdebug build 1796 */ 1797 SSL_free(serverssl); 1798 SSL_free(clientssl); 1799 SSL_CTX_free(sctx); 1800 SSL_CTX_free(cctx); 1801 return testresult; 1802 } 1803 1804 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t; 1805 1806 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio) 1807 { 1808 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL; 1809 SSL_CTX *ctx; 1810 SSL *ssl = NULL; 1811 int testresult = 0; 1812 1813 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method())) 1814 || !TEST_ptr(ssl = SSL_new(ctx)) 1815 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl())) 1816 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem()))) 1817 goto end; 1818 1819 BIO_set_ssl(sslbio, ssl, BIO_CLOSE); 1820 1821 /* 1822 * If anything goes wrong here then we could leak memory, so this will 1823 * be caught in a crypto-mdebug build 1824 */ 1825 BIO_push(sslbio, membio1); 1826 1827 /* Verify changing the rbio/wbio directly does not cause leaks */ 1828 if (change_bio != NO_BIO_CHANGE) { 1829 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) 1830 goto end; 1831 if (change_bio == CHANGE_RBIO) 1832 SSL_set0_rbio(ssl, membio2); 1833 else 1834 SSL_set0_wbio(ssl, membio2); 1835 } 1836 ssl = NULL; 1837 1838 if (pop_ssl) 1839 BIO_pop(sslbio); 1840 else 1841 BIO_pop(membio1); 1842 1843 testresult = 1; 1844 end: 1845 BIO_free(membio1); 1846 BIO_free(sslbio); 1847 SSL_free(ssl); 1848 SSL_CTX_free(ctx); 1849 1850 return testresult; 1851 } 1852 1853 static int test_ssl_bio_pop_next_bio(void) 1854 { 1855 return execute_test_ssl_bio(0, NO_BIO_CHANGE); 1856 } 1857 1858 static int test_ssl_bio_pop_ssl_bio(void) 1859 { 1860 return execute_test_ssl_bio(1, NO_BIO_CHANGE); 1861 } 1862 1863 static int test_ssl_bio_change_rbio(void) 1864 { 1865 return execute_test_ssl_bio(0, CHANGE_RBIO); 1866 } 1867 1868 static int test_ssl_bio_change_wbio(void) 1869 { 1870 return execute_test_ssl_bio(0, CHANGE_WBIO); 1871 } 1872 1873 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3) 1874 typedef struct { 1875 /* The list of sig algs */ 1876 const int *list; 1877 /* The length of the list */ 1878 size_t listlen; 1879 /* A sigalgs list in string format */ 1880 const char *liststr; 1881 /* Whether setting the list should succeed */ 1882 int valid; 1883 /* Whether creating a connection with the list should succeed */ 1884 int connsuccess; 1885 } sigalgs_list; 1886 1887 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA}; 1888 # ifndef OPENSSL_NO_EC 1889 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC}; 1890 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC}; 1891 # endif 1892 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA}; 1893 static const int invalidlist2[] = {NID_sha256, NID_undef}; 1894 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256}; 1895 static const int invalidlist4[] = {NID_sha256}; 1896 static const sigalgs_list testsigalgs[] = { 1897 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1}, 1898 # ifndef OPENSSL_NO_EC 1899 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1}, 1900 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0}, 1901 # endif 1902 {NULL, 0, "RSA+SHA256", 1, 1}, 1903 # ifndef OPENSSL_NO_EC 1904 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1}, 1905 {NULL, 0, "ECDSA+SHA512", 1, 0}, 1906 # endif 1907 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0}, 1908 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0}, 1909 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0}, 1910 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0}, 1911 {NULL, 0, "RSA", 0, 0}, 1912 {NULL, 0, "SHA256", 0, 0}, 1913 {NULL, 0, "RSA+SHA256:SHA256", 0, 0}, 1914 {NULL, 0, "Invalid", 0, 0} 1915 }; 1916 1917 static int test_set_sigalgs(int idx) 1918 { 1919 SSL_CTX *cctx = NULL, *sctx = NULL; 1920 SSL *clientssl = NULL, *serverssl = NULL; 1921 int testresult = 0; 1922 const sigalgs_list *curr; 1923 int testctx; 1924 1925 /* Should never happen */ 1926 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2)) 1927 return 0; 1928 1929 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs)); 1930 curr = testctx ? &testsigalgs[idx] 1931 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)]; 1932 1933 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), 1934 TLS1_VERSION, TLS_MAX_VERSION, 1935 &sctx, &cctx, cert, privkey))) 1936 return 0; 1937 1938 /* 1939 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it 1940 * for TLSv1.2 for now until we add a new API. 1941 */ 1942 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION); 1943 1944 if (testctx) { 1945 int ret; 1946 1947 if (curr->list != NULL) 1948 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen); 1949 else 1950 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr); 1951 1952 if (!ret) { 1953 if (curr->valid) 1954 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx); 1955 else 1956 testresult = 1; 1957 goto end; 1958 } 1959 if (!curr->valid) { 1960 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx); 1961 goto end; 1962 } 1963 } 1964 1965 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 1966 &clientssl, NULL, NULL))) 1967 goto end; 1968 1969 if (!testctx) { 1970 int ret; 1971 1972 if (curr->list != NULL) 1973 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen); 1974 else 1975 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr); 1976 if (!ret) { 1977 if (curr->valid) 1978 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx); 1979 else 1980 testresult = 1; 1981 goto end; 1982 } 1983 if (!curr->valid) 1984 goto end; 1985 } 1986 1987 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl, 1988 SSL_ERROR_NONE), 1989 curr->connsuccess)) 1990 goto end; 1991 1992 testresult = 1; 1993 1994 end: 1995 SSL_free(serverssl); 1996 SSL_free(clientssl); 1997 SSL_CTX_free(sctx); 1998 SSL_CTX_free(cctx); 1999 2000 return testresult; 2001 } 2002 #endif 2003 2004 #ifndef OPENSSL_NO_TLS1_3 2005 static int psk_client_cb_cnt = 0; 2006 static int psk_server_cb_cnt = 0; 2007 2008 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id, 2009 size_t *idlen, SSL_SESSION **sess) 2010 { 2011 switch (++use_session_cb_cnt) { 2012 case 1: 2013 /* The first call should always have a NULL md */ 2014 if (md != NULL) 2015 return 0; 2016 break; 2017 2018 case 2: 2019 /* The second call should always have an md */ 2020 if (md == NULL) 2021 return 0; 2022 break; 2023 2024 default: 2025 /* We should only be called a maximum of twice */ 2026 return 0; 2027 } 2028 2029 if (clientpsk != NULL) 2030 SSL_SESSION_up_ref(clientpsk); 2031 2032 *sess = clientpsk; 2033 *id = (const unsigned char *)pskid; 2034 *idlen = strlen(pskid); 2035 2036 return 1; 2037 } 2038 2039 #ifndef OPENSSL_NO_PSK 2040 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id, 2041 unsigned int max_id_len, 2042 unsigned char *psk, 2043 unsigned int max_psk_len) 2044 { 2045 unsigned int psklen = 0; 2046 2047 psk_client_cb_cnt++; 2048 2049 if (strlen(pskid) + 1 > max_id_len) 2050 return 0; 2051 2052 /* We should only ever be called a maximum of twice per connection */ 2053 if (psk_client_cb_cnt > 2) 2054 return 0; 2055 2056 if (clientpsk == NULL) 2057 return 0; 2058 2059 /* We'll reuse the PSK we set up for TLSv1.3 */ 2060 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len) 2061 return 0; 2062 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len); 2063 strncpy(id, pskid, max_id_len); 2064 2065 return psklen; 2066 } 2067 #endif /* OPENSSL_NO_PSK */ 2068 2069 static int find_session_cb(SSL *ssl, const unsigned char *identity, 2070 size_t identity_len, SSL_SESSION **sess) 2071 { 2072 find_session_cb_cnt++; 2073 2074 /* We should only ever be called a maximum of twice per connection */ 2075 if (find_session_cb_cnt > 2) 2076 return 0; 2077 2078 if (serverpsk == NULL) 2079 return 0; 2080 2081 /* Identity should match that set by the client */ 2082 if (strlen(srvid) != identity_len 2083 || strncmp(srvid, (const char *)identity, identity_len) != 0) { 2084 /* No PSK found, continue but without a PSK */ 2085 *sess = NULL; 2086 return 1; 2087 } 2088 2089 SSL_SESSION_up_ref(serverpsk); 2090 *sess = serverpsk; 2091 2092 return 1; 2093 } 2094 2095 #ifndef OPENSSL_NO_PSK 2096 static unsigned int psk_server_cb(SSL *ssl, const char *identity, 2097 unsigned char *psk, unsigned int max_psk_len) 2098 { 2099 unsigned int psklen = 0; 2100 2101 psk_server_cb_cnt++; 2102 2103 /* We should only ever be called a maximum of twice per connection */ 2104 if (find_session_cb_cnt > 2) 2105 return 0; 2106 2107 if (serverpsk == NULL) 2108 return 0; 2109 2110 /* Identity should match that set by the client */ 2111 if (strcmp(srvid, identity) != 0) { 2112 return 0; 2113 } 2114 2115 /* We'll reuse the PSK we set up for TLSv1.3 */ 2116 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len) 2117 return 0; 2118 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len); 2119 2120 return psklen; 2121 } 2122 #endif /* OPENSSL_NO_PSK */ 2123 2124 #define MSG1 "Hello" 2125 #define MSG2 "World." 2126 #define MSG3 "This" 2127 #define MSG4 "is" 2128 #define MSG5 "a" 2129 #define MSG6 "test" 2130 #define MSG7 "message." 2131 2132 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02") 2133 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01") 2134 2135 2136 static SSL_SESSION *create_a_psk(SSL *ssl) 2137 { 2138 const SSL_CIPHER *cipher = NULL; 2139 const unsigned char key[] = { 2140 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 2141 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 2142 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 2143 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 2144 0x2c, 0x2d, 0x2e, 0x2f 2145 }; 2146 SSL_SESSION *sess = NULL; 2147 2148 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES); 2149 sess = SSL_SESSION_new(); 2150 if (!TEST_ptr(sess) 2151 || !TEST_ptr(cipher) 2152 || !TEST_true(SSL_SESSION_set1_master_key(sess, key, 2153 sizeof(key))) 2154 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)) 2155 || !TEST_true( 2156 SSL_SESSION_set_protocol_version(sess, 2157 TLS1_3_VERSION))) { 2158 SSL_SESSION_free(sess); 2159 return NULL; 2160 } 2161 return sess; 2162 } 2163 2164 /* 2165 * Helper method to setup objects for early data test. Caller frees objects on 2166 * error. 2167 */ 2168 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl, 2169 SSL **serverssl, SSL_SESSION **sess, int idx) 2170 { 2171 if (*sctx == NULL 2172 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), 2173 TLS_client_method(), 2174 TLS1_VERSION, TLS_MAX_VERSION, 2175 sctx, cctx, cert, privkey))) 2176 return 0; 2177 2178 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH))) 2179 return 0; 2180 2181 if (idx == 1) { 2182 /* When idx == 1 we repeat the tests with read_ahead set */ 2183 SSL_CTX_set_read_ahead(*cctx, 1); 2184 SSL_CTX_set_read_ahead(*sctx, 1); 2185 } else if (idx == 2) { 2186 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */ 2187 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb); 2188 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb); 2189 use_session_cb_cnt = 0; 2190 find_session_cb_cnt = 0; 2191 srvid = pskid; 2192 } 2193 2194 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl, 2195 NULL, NULL))) 2196 return 0; 2197 2198 /* 2199 * For one of the run throughs (doesn't matter which one), we'll try sending 2200 * some SNI data in the initial ClientHello. This will be ignored (because 2201 * there is no SNI cb set up by the server), so it should not impact 2202 * early_data. 2203 */ 2204 if (idx == 1 2205 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost"))) 2206 return 0; 2207 2208 if (idx == 2) { 2209 clientpsk = create_a_psk(*clientssl); 2210 if (!TEST_ptr(clientpsk) 2211 /* 2212 * We just choose an arbitrary value for max_early_data which 2213 * should be big enough for testing purposes. 2214 */ 2215 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk, 2216 0x100)) 2217 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) { 2218 SSL_SESSION_free(clientpsk); 2219 clientpsk = NULL; 2220 return 0; 2221 } 2222 serverpsk = clientpsk; 2223 2224 if (sess != NULL) { 2225 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) { 2226 SSL_SESSION_free(clientpsk); 2227 SSL_SESSION_free(serverpsk); 2228 clientpsk = serverpsk = NULL; 2229 return 0; 2230 } 2231 *sess = clientpsk; 2232 } 2233 return 1; 2234 } 2235 2236 if (sess == NULL) 2237 return 1; 2238 2239 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl, 2240 SSL_ERROR_NONE))) 2241 return 0; 2242 2243 *sess = SSL_get1_session(*clientssl); 2244 SSL_shutdown(*clientssl); 2245 SSL_shutdown(*serverssl); 2246 SSL_free(*serverssl); 2247 SSL_free(*clientssl); 2248 *serverssl = *clientssl = NULL; 2249 2250 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, 2251 clientssl, NULL, NULL)) 2252 || !TEST_true(SSL_set_session(*clientssl, *sess))) 2253 return 0; 2254 2255 return 1; 2256 } 2257 2258 static int test_early_data_read_write(int idx) 2259 { 2260 SSL_CTX *cctx = NULL, *sctx = NULL; 2261 SSL *clientssl = NULL, *serverssl = NULL; 2262 int testresult = 0; 2263 SSL_SESSION *sess = NULL; 2264 unsigned char buf[20], data[1024]; 2265 size_t readbytes, written, eoedlen, rawread, rawwritten; 2266 BIO *rbio; 2267 2268 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, 2269 &serverssl, &sess, idx))) 2270 goto end; 2271 2272 /* Write and read some early data */ 2273 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), 2274 &written)) 2275 || !TEST_size_t_eq(written, strlen(MSG1)) 2276 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, 2277 sizeof(buf), &readbytes), 2278 SSL_READ_EARLY_DATA_SUCCESS) 2279 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1)) 2280 || !TEST_int_eq(SSL_get_early_data_status(serverssl), 2281 SSL_EARLY_DATA_ACCEPTED)) 2282 goto end; 2283 2284 /* 2285 * Server should be able to write data, and client should be able to 2286 * read it. 2287 */ 2288 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2), 2289 &written)) 2290 || !TEST_size_t_eq(written, strlen(MSG2)) 2291 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)) 2292 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2))) 2293 goto end; 2294 2295 /* Even after reading normal data, client should be able write early data */ 2296 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3), 2297 &written)) 2298 || !TEST_size_t_eq(written, strlen(MSG3))) 2299 goto end; 2300 2301 /* Server should still be able read early data after writing data */ 2302 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 2303 &readbytes), 2304 SSL_READ_EARLY_DATA_SUCCESS) 2305 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3))) 2306 goto end; 2307 2308 /* Write more data from server and read it from client */ 2309 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4), 2310 &written)) 2311 || !TEST_size_t_eq(written, strlen(MSG4)) 2312 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)) 2313 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4))) 2314 goto end; 2315 2316 /* 2317 * If client writes normal data it should mean writing early data is no 2318 * longer possible. 2319 */ 2320 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written)) 2321 || !TEST_size_t_eq(written, strlen(MSG5)) 2322 || !TEST_int_eq(SSL_get_early_data_status(clientssl), 2323 SSL_EARLY_DATA_ACCEPTED)) 2324 goto end; 2325 2326 /* 2327 * At this point the client has written EndOfEarlyData, ClientFinished and 2328 * normal (fully protected) data. We are going to cause a delay between the 2329 * arrival of EndOfEarlyData and ClientFinished. We read out all the data 2330 * in the read BIO, and then just put back the EndOfEarlyData message. 2331 */ 2332 rbio = SSL_get_rbio(serverssl); 2333 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread)) 2334 || !TEST_size_t_lt(rawread, sizeof(data)) 2335 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH)) 2336 goto end; 2337 2338 /* Record length is in the 4th and 5th bytes of the record header */ 2339 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]); 2340 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten)) 2341 || !TEST_size_t_eq(rawwritten, eoedlen)) 2342 goto end; 2343 2344 /* Server should be told that there is no more early data */ 2345 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 2346 &readbytes), 2347 SSL_READ_EARLY_DATA_FINISH) 2348 || !TEST_size_t_eq(readbytes, 0)) 2349 goto end; 2350 2351 /* 2352 * Server has not finished init yet, so should still be able to write early 2353 * data. 2354 */ 2355 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6), 2356 &written)) 2357 || !TEST_size_t_eq(written, strlen(MSG6))) 2358 goto end; 2359 2360 /* Push the ClientFinished and the normal data back into the server rbio */ 2361 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen, 2362 &rawwritten)) 2363 || !TEST_size_t_eq(rawwritten, rawread - eoedlen)) 2364 goto end; 2365 2366 /* Server should be able to read normal data */ 2367 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)) 2368 || !TEST_size_t_eq(readbytes, strlen(MSG5))) 2369 goto end; 2370 2371 /* Client and server should not be able to write/read early data now */ 2372 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6), 2373 &written))) 2374 goto end; 2375 ERR_clear_error(); 2376 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 2377 &readbytes), 2378 SSL_READ_EARLY_DATA_ERROR)) 2379 goto end; 2380 ERR_clear_error(); 2381 2382 /* Client should be able to read the data sent by the server */ 2383 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)) 2384 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6))) 2385 goto end; 2386 2387 /* 2388 * Make sure we process the two NewSessionTickets. These arrive 2389 * post-handshake. We attempt reads which we do not expect to return any 2390 * data. 2391 */ 2392 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)) 2393 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), 2394 &readbytes))) 2395 goto end; 2396 2397 /* Server should be able to write normal data */ 2398 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written)) 2399 || !TEST_size_t_eq(written, strlen(MSG7)) 2400 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)) 2401 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7))) 2402 goto end; 2403 2404 SSL_SESSION_free(sess); 2405 sess = SSL_get1_session(clientssl); 2406 use_session_cb_cnt = 0; 2407 find_session_cb_cnt = 0; 2408 2409 SSL_shutdown(clientssl); 2410 SSL_shutdown(serverssl); 2411 SSL_free(serverssl); 2412 SSL_free(clientssl); 2413 serverssl = clientssl = NULL; 2414 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 2415 &clientssl, NULL, NULL)) 2416 || !TEST_true(SSL_set_session(clientssl, sess))) 2417 goto end; 2418 2419 /* Write and read some early data */ 2420 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), 2421 &written)) 2422 || !TEST_size_t_eq(written, strlen(MSG1)) 2423 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 2424 &readbytes), 2425 SSL_READ_EARLY_DATA_SUCCESS) 2426 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))) 2427 goto end; 2428 2429 if (!TEST_int_gt(SSL_connect(clientssl), 0) 2430 || !TEST_int_gt(SSL_accept(serverssl), 0)) 2431 goto end; 2432 2433 /* Client and server should not be able to write/read early data now */ 2434 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6), 2435 &written))) 2436 goto end; 2437 ERR_clear_error(); 2438 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 2439 &readbytes), 2440 SSL_READ_EARLY_DATA_ERROR)) 2441 goto end; 2442 ERR_clear_error(); 2443 2444 /* Client and server should be able to write/read normal data */ 2445 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written)) 2446 || !TEST_size_t_eq(written, strlen(MSG5)) 2447 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)) 2448 || !TEST_size_t_eq(readbytes, strlen(MSG5))) 2449 goto end; 2450 2451 testresult = 1; 2452 2453 end: 2454 SSL_SESSION_free(sess); 2455 SSL_SESSION_free(clientpsk); 2456 SSL_SESSION_free(serverpsk); 2457 clientpsk = serverpsk = NULL; 2458 SSL_free(serverssl); 2459 SSL_free(clientssl); 2460 SSL_CTX_free(sctx); 2461 SSL_CTX_free(cctx); 2462 return testresult; 2463 } 2464 2465 static int allow_ed_cb_called = 0; 2466 2467 static int allow_early_data_cb(SSL *s, void *arg) 2468 { 2469 int *usecb = (int *)arg; 2470 2471 allow_ed_cb_called++; 2472 2473 if (*usecb == 1) 2474 return 0; 2475 2476 return 1; 2477 } 2478 2479 /* 2480 * idx == 0: Standard early_data setup 2481 * idx == 1: early_data setup using read_ahead 2482 * usecb == 0: Don't use a custom early data callback 2483 * usecb == 1: Use a custom early data callback and reject the early data 2484 * usecb == 2: Use a custom early data callback and accept the early data 2485 * confopt == 0: Configure anti-replay directly 2486 * confopt == 1: Configure anti-replay using SSL_CONF 2487 */ 2488 static int test_early_data_replay_int(int idx, int usecb, int confopt) 2489 { 2490 SSL_CTX *cctx = NULL, *sctx = NULL; 2491 SSL *clientssl = NULL, *serverssl = NULL; 2492 int testresult = 0; 2493 SSL_SESSION *sess = NULL; 2494 size_t readbytes, written; 2495 unsigned char buf[20]; 2496 2497 allow_ed_cb_called = 0; 2498 2499 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), 2500 TLS1_VERSION, TLS_MAX_VERSION, &sctx, 2501 &cctx, cert, privkey))) 2502 return 0; 2503 2504 if (usecb > 0) { 2505 if (confopt == 0) { 2506 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY); 2507 } else { 2508 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new(); 2509 2510 if (!TEST_ptr(confctx)) 2511 goto end; 2512 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE 2513 | SSL_CONF_FLAG_SERVER); 2514 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx); 2515 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"), 2516 2)) { 2517 SSL_CONF_CTX_free(confctx); 2518 goto end; 2519 } 2520 SSL_CONF_CTX_free(confctx); 2521 } 2522 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb); 2523 } 2524 2525 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, 2526 &serverssl, &sess, idx))) 2527 goto end; 2528 2529 /* 2530 * The server is configured to accept early data. Create a connection to 2531 * "use up" the ticket 2532 */ 2533 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) 2534 || !TEST_true(SSL_session_reused(clientssl))) 2535 goto end; 2536 2537 SSL_shutdown(clientssl); 2538 SSL_shutdown(serverssl); 2539 SSL_free(serverssl); 2540 SSL_free(clientssl); 2541 serverssl = clientssl = NULL; 2542 2543 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 2544 &clientssl, NULL, NULL)) 2545 || !TEST_true(SSL_set_session(clientssl, sess))) 2546 goto end; 2547 2548 /* Write and read some early data */ 2549 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), 2550 &written)) 2551 || !TEST_size_t_eq(written, strlen(MSG1))) 2552 goto end; 2553 2554 if (usecb <= 1) { 2555 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 2556 &readbytes), 2557 SSL_READ_EARLY_DATA_FINISH) 2558 /* 2559 * The ticket was reused, so the we should have rejected the 2560 * early data 2561 */ 2562 || !TEST_int_eq(SSL_get_early_data_status(serverssl), 2563 SSL_EARLY_DATA_REJECTED)) 2564 goto end; 2565 } else { 2566 /* In this case the callback decides to accept the early data */ 2567 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 2568 &readbytes), 2569 SSL_READ_EARLY_DATA_SUCCESS) 2570 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes) 2571 /* 2572 * Server will have sent its flight so client can now send 2573 * end of early data and complete its half of the handshake 2574 */ 2575 || !TEST_int_gt(SSL_connect(clientssl), 0) 2576 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 2577 &readbytes), 2578 SSL_READ_EARLY_DATA_FINISH) 2579 || !TEST_int_eq(SSL_get_early_data_status(serverssl), 2580 SSL_EARLY_DATA_ACCEPTED)) 2581 goto end; 2582 } 2583 2584 /* Complete the connection */ 2585 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) 2586 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0) 2587 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0)) 2588 goto end; 2589 2590 testresult = 1; 2591 2592 end: 2593 SSL_SESSION_free(sess); 2594 SSL_SESSION_free(clientpsk); 2595 SSL_SESSION_free(serverpsk); 2596 clientpsk = serverpsk = NULL; 2597 SSL_free(serverssl); 2598 SSL_free(clientssl); 2599 SSL_CTX_free(sctx); 2600 SSL_CTX_free(cctx); 2601 return testresult; 2602 } 2603 2604 static int test_early_data_replay(int idx) 2605 { 2606 int ret = 1, usecb, confopt; 2607 2608 for (usecb = 0; usecb < 3; usecb++) { 2609 for (confopt = 0; confopt < 2; confopt++) 2610 ret &= test_early_data_replay_int(idx, usecb, confopt); 2611 } 2612 2613 return ret; 2614 } 2615 2616 /* 2617 * Helper function to test that a server attempting to read early data can 2618 * handle a connection from a client where the early data should be skipped. 2619 * testtype: 0 == No HRR 2620 * testtype: 1 == HRR 2621 * testtype: 2 == HRR, invalid early_data sent after HRR 2622 * testtype: 3 == recv_max_early_data set to 0 2623 */ 2624 static int early_data_skip_helper(int testtype, int idx) 2625 { 2626 SSL_CTX *cctx = NULL, *sctx = NULL; 2627 SSL *clientssl = NULL, *serverssl = NULL; 2628 int testresult = 0; 2629 SSL_SESSION *sess = NULL; 2630 unsigned char buf[20]; 2631 size_t readbytes, written; 2632 2633 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, 2634 &serverssl, &sess, idx))) 2635 goto end; 2636 2637 if (testtype == 1 || testtype == 2) { 2638 /* Force an HRR to occur */ 2639 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256"))) 2640 goto end; 2641 } else if (idx == 2) { 2642 /* 2643 * We force early_data rejection by ensuring the PSK identity is 2644 * unrecognised 2645 */ 2646 srvid = "Dummy Identity"; 2647 } else { 2648 /* 2649 * Deliberately corrupt the creation time. We take 20 seconds off the 2650 * time. It could be any value as long as it is not within tolerance. 2651 * This should mean the ticket is rejected. 2652 */ 2653 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20)))) 2654 goto end; 2655 } 2656 2657 if (testtype == 3 2658 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0))) 2659 goto end; 2660 2661 /* Write some early data */ 2662 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), 2663 &written)) 2664 || !TEST_size_t_eq(written, strlen(MSG1))) 2665 goto end; 2666 2667 /* Server should reject the early data */ 2668 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 2669 &readbytes), 2670 SSL_READ_EARLY_DATA_FINISH) 2671 || !TEST_size_t_eq(readbytes, 0) 2672 || !TEST_int_eq(SSL_get_early_data_status(serverssl), 2673 SSL_EARLY_DATA_REJECTED)) 2674 goto end; 2675 2676 switch (testtype) { 2677 case 0: 2678 /* Nothing to do */ 2679 break; 2680 2681 case 1: 2682 /* 2683 * Finish off the handshake. We perform the same writes and reads as 2684 * further down but we expect them to fail due to the incomplete 2685 * handshake. 2686 */ 2687 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written)) 2688 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), 2689 &readbytes))) 2690 goto end; 2691 break; 2692 2693 case 2: 2694 { 2695 BIO *wbio = SSL_get_wbio(clientssl); 2696 /* A record that will appear as bad early_data */ 2697 const unsigned char bad_early_data[] = { 2698 0x17, 0x03, 0x03, 0x00, 0x01, 0x00 2699 }; 2700 2701 /* 2702 * We force the client to attempt a write. This will fail because 2703 * we're still in the handshake. It will cause the second 2704 * ClientHello to be sent. 2705 */ 2706 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), 2707 &written))) 2708 goto end; 2709 2710 /* 2711 * Inject some early_data after the second ClientHello. This should 2712 * cause the server to fail 2713 */ 2714 if (!TEST_true(BIO_write_ex(wbio, bad_early_data, 2715 sizeof(bad_early_data), &written))) 2716 goto end; 2717 } 2718 /* fallthrough */ 2719 2720 case 3: 2721 /* 2722 * This client has sent more early_data than we are willing to skip 2723 * (case 3) or sent invalid early_data (case 2) so the connection should 2724 * abort. 2725 */ 2726 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)) 2727 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL)) 2728 goto end; 2729 2730 /* Connection has failed - nothing more to do */ 2731 testresult = 1; 2732 goto end; 2733 2734 default: 2735 TEST_error("Invalid test type"); 2736 goto end; 2737 } 2738 2739 /* 2740 * Should be able to send normal data despite rejection of early data. The 2741 * early_data should be skipped. 2742 */ 2743 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written)) 2744 || !TEST_size_t_eq(written, strlen(MSG2)) 2745 || !TEST_int_eq(SSL_get_early_data_status(clientssl), 2746 SSL_EARLY_DATA_REJECTED) 2747 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)) 2748 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2))) 2749 goto end; 2750 2751 testresult = 1; 2752 2753 end: 2754 SSL_SESSION_free(clientpsk); 2755 SSL_SESSION_free(serverpsk); 2756 clientpsk = serverpsk = NULL; 2757 SSL_SESSION_free(sess); 2758 SSL_free(serverssl); 2759 SSL_free(clientssl); 2760 SSL_CTX_free(sctx); 2761 SSL_CTX_free(cctx); 2762 return testresult; 2763 } 2764 2765 /* 2766 * Test that a server attempting to read early data can handle a connection 2767 * from a client where the early data is not acceptable. 2768 */ 2769 static int test_early_data_skip(int idx) 2770 { 2771 return early_data_skip_helper(0, idx); 2772 } 2773 2774 /* 2775 * Test that a server attempting to read early data can handle a connection 2776 * from a client where an HRR occurs. 2777 */ 2778 static int test_early_data_skip_hrr(int idx) 2779 { 2780 return early_data_skip_helper(1, idx); 2781 } 2782 2783 /* 2784 * Test that a server attempting to read early data can handle a connection 2785 * from a client where an HRR occurs and correctly fails if early_data is sent 2786 * after the HRR 2787 */ 2788 static int test_early_data_skip_hrr_fail(int idx) 2789 { 2790 return early_data_skip_helper(2, idx); 2791 } 2792 2793 /* 2794 * Test that a server attempting to read early data will abort if it tries to 2795 * skip over too much. 2796 */ 2797 static int test_early_data_skip_abort(int idx) 2798 { 2799 return early_data_skip_helper(3, idx); 2800 } 2801 2802 /* 2803 * Test that a server attempting to read early data can handle a connection 2804 * from a client that doesn't send any. 2805 */ 2806 static int test_early_data_not_sent(int idx) 2807 { 2808 SSL_CTX *cctx = NULL, *sctx = NULL; 2809 SSL *clientssl = NULL, *serverssl = NULL; 2810 int testresult = 0; 2811 SSL_SESSION *sess = NULL; 2812 unsigned char buf[20]; 2813 size_t readbytes, written; 2814 2815 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, 2816 &serverssl, &sess, idx))) 2817 goto end; 2818 2819 /* Write some data - should block due to handshake with server */ 2820 SSL_set_connect_state(clientssl); 2821 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))) 2822 goto end; 2823 2824 /* Server should detect that early data has not been sent */ 2825 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 2826 &readbytes), 2827 SSL_READ_EARLY_DATA_FINISH) 2828 || !TEST_size_t_eq(readbytes, 0) 2829 || !TEST_int_eq(SSL_get_early_data_status(serverssl), 2830 SSL_EARLY_DATA_NOT_SENT) 2831 || !TEST_int_eq(SSL_get_early_data_status(clientssl), 2832 SSL_EARLY_DATA_NOT_SENT)) 2833 goto end; 2834 2835 /* Continue writing the message we started earlier */ 2836 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)) 2837 || !TEST_size_t_eq(written, strlen(MSG1)) 2838 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)) 2839 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)) 2840 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written) 2841 || !TEST_size_t_eq(written, strlen(MSG2))) 2842 goto end; 2843 2844 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)) 2845 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2))) 2846 goto end; 2847 2848 testresult = 1; 2849 2850 end: 2851 SSL_SESSION_free(sess); 2852 SSL_SESSION_free(clientpsk); 2853 SSL_SESSION_free(serverpsk); 2854 clientpsk = serverpsk = NULL; 2855 SSL_free(serverssl); 2856 SSL_free(clientssl); 2857 SSL_CTX_free(sctx); 2858 SSL_CTX_free(cctx); 2859 return testresult; 2860 } 2861 2862 static const char *servalpn; 2863 2864 static int alpn_select_cb(SSL *ssl, const unsigned char **out, 2865 unsigned char *outlen, const unsigned char *in, 2866 unsigned int inlen, void *arg) 2867 { 2868 unsigned int protlen = 0; 2869 const unsigned char *prot; 2870 2871 for (prot = in; prot < in + inlen; prot += protlen) { 2872 protlen = *prot++; 2873 if (in + inlen < prot + protlen) 2874 return SSL_TLSEXT_ERR_NOACK; 2875 2876 if (protlen == strlen(servalpn) 2877 && memcmp(prot, servalpn, protlen) == 0) { 2878 *out = prot; 2879 *outlen = protlen; 2880 return SSL_TLSEXT_ERR_OK; 2881 } 2882 } 2883 2884 return SSL_TLSEXT_ERR_NOACK; 2885 } 2886 2887 /* Test that a PSK can be used to send early_data */ 2888 static int test_early_data_psk(int idx) 2889 { 2890 SSL_CTX *cctx = NULL, *sctx = NULL; 2891 SSL *clientssl = NULL, *serverssl = NULL; 2892 int testresult = 0; 2893 SSL_SESSION *sess = NULL; 2894 unsigned char alpnlist[] = { 2895 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a', 2896 'l', 'p', 'n' 2897 }; 2898 #define GOODALPNLEN 9 2899 #define BADALPNLEN 8 2900 #define GOODALPN (alpnlist) 2901 #define BADALPN (alpnlist + GOODALPNLEN) 2902 int err = 0; 2903 unsigned char buf[20]; 2904 size_t readbytes, written; 2905 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1; 2906 int edstatus = SSL_EARLY_DATA_ACCEPTED; 2907 2908 /* We always set this up with a final parameter of "2" for PSK */ 2909 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, 2910 &serverssl, &sess, 2))) 2911 goto end; 2912 2913 servalpn = "goodalpn"; 2914 2915 /* 2916 * Note: There is no test for inconsistent SNI with late client detection. 2917 * This is because servers do not acknowledge SNI even if they are using 2918 * it in a resumption handshake - so it is not actually possible for a 2919 * client to detect a problem. 2920 */ 2921 switch (idx) { 2922 case 0: 2923 /* Set inconsistent SNI (early client detection) */ 2924 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI; 2925 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost")) 2926 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost"))) 2927 goto end; 2928 break; 2929 2930 case 1: 2931 /* Set inconsistent ALPN (early client detection) */ 2932 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN; 2933 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */ 2934 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN, 2935 GOODALPNLEN)) 2936 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN, 2937 BADALPNLEN))) 2938 goto end; 2939 break; 2940 2941 case 2: 2942 /* 2943 * Set invalid protocol version. Technically this affects PSKs without 2944 * early_data too, but we test it here because it is similar to the 2945 * SNI/ALPN consistency tests. 2946 */ 2947 err = SSL_R_BAD_PSK; 2948 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION))) 2949 goto end; 2950 break; 2951 2952 case 3: 2953 /* 2954 * Set inconsistent SNI (server side). In this case the connection 2955 * will succeed and accept early_data. In TLSv1.3 on the server side SNI 2956 * is associated with each handshake - not the session. Therefore it 2957 * should not matter that we used a different server name last time. 2958 */ 2959 SSL_SESSION_free(serverpsk); 2960 serverpsk = SSL_SESSION_dup(clientpsk); 2961 if (!TEST_ptr(serverpsk) 2962 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost"))) 2963 goto end; 2964 /* Fall through */ 2965 case 4: 2966 /* Set consistent SNI */ 2967 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost")) 2968 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")) 2969 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, 2970 hostname_cb))) 2971 goto end; 2972 break; 2973 2974 case 5: 2975 /* 2976 * Set inconsistent ALPN (server detected). In this case the connection 2977 * will succeed but reject early_data. 2978 */ 2979 servalpn = "badalpn"; 2980 edstatus = SSL_EARLY_DATA_REJECTED; 2981 readearlyres = SSL_READ_EARLY_DATA_FINISH; 2982 /* Fall through */ 2983 case 6: 2984 /* 2985 * Set consistent ALPN. 2986 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It 2987 * accepts a list of protos (each one length prefixed). 2988 * SSL_set1_alpn_selected accepts a single protocol (not length 2989 * prefixed) 2990 */ 2991 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1, 2992 GOODALPNLEN - 1)) 2993 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN, 2994 GOODALPNLEN))) 2995 goto end; 2996 2997 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL); 2998 break; 2999 3000 case 7: 3001 /* Set inconsistent ALPN (late client detection) */ 3002 SSL_SESSION_free(serverpsk); 3003 serverpsk = SSL_SESSION_dup(clientpsk); 3004 if (!TEST_ptr(serverpsk) 3005 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk, 3006 BADALPN + 1, 3007 BADALPNLEN - 1)) 3008 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk, 3009 GOODALPN + 1, 3010 GOODALPNLEN - 1)) 3011 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist, 3012 sizeof(alpnlist)))) 3013 goto end; 3014 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL); 3015 edstatus = SSL_EARLY_DATA_ACCEPTED; 3016 readearlyres = SSL_READ_EARLY_DATA_SUCCESS; 3017 /* SSL_connect() call should fail */ 3018 connectres = -1; 3019 break; 3020 3021 default: 3022 TEST_error("Bad test index"); 3023 goto end; 3024 } 3025 3026 SSL_set_connect_state(clientssl); 3027 if (err != 0) { 3028 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), 3029 &written)) 3030 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL) 3031 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err)) 3032 goto end; 3033 } else { 3034 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), 3035 &written))) 3036 goto end; 3037 3038 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 3039 &readbytes), readearlyres) 3040 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS 3041 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))) 3042 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus) 3043 || !TEST_int_eq(SSL_connect(clientssl), connectres)) 3044 goto end; 3045 } 3046 3047 testresult = 1; 3048 3049 end: 3050 SSL_SESSION_free(sess); 3051 SSL_SESSION_free(clientpsk); 3052 SSL_SESSION_free(serverpsk); 3053 clientpsk = serverpsk = NULL; 3054 SSL_free(serverssl); 3055 SSL_free(clientssl); 3056 SSL_CTX_free(sctx); 3057 SSL_CTX_free(cctx); 3058 return testresult; 3059 } 3060 3061 /* 3062 * Test that a server that doesn't try to read early data can handle a 3063 * client sending some. 3064 */ 3065 static int test_early_data_not_expected(int idx) 3066 { 3067 SSL_CTX *cctx = NULL, *sctx = NULL; 3068 SSL *clientssl = NULL, *serverssl = NULL; 3069 int testresult = 0; 3070 SSL_SESSION *sess = NULL; 3071 unsigned char buf[20]; 3072 size_t readbytes, written; 3073 3074 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, 3075 &serverssl, &sess, idx))) 3076 goto end; 3077 3078 /* Write some early data */ 3079 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), 3080 &written))) 3081 goto end; 3082 3083 /* 3084 * Server should skip over early data and then block waiting for client to 3085 * continue handshake 3086 */ 3087 if (!TEST_int_le(SSL_accept(serverssl), 0) 3088 || !TEST_int_gt(SSL_connect(clientssl), 0) 3089 || !TEST_int_eq(SSL_get_early_data_status(serverssl), 3090 SSL_EARLY_DATA_REJECTED) 3091 || !TEST_int_gt(SSL_accept(serverssl), 0) 3092 || !TEST_int_eq(SSL_get_early_data_status(clientssl), 3093 SSL_EARLY_DATA_REJECTED)) 3094 goto end; 3095 3096 /* Send some normal data from client to server */ 3097 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written)) 3098 || !TEST_size_t_eq(written, strlen(MSG2))) 3099 goto end; 3100 3101 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)) 3102 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2))) 3103 goto end; 3104 3105 testresult = 1; 3106 3107 end: 3108 SSL_SESSION_free(sess); 3109 SSL_SESSION_free(clientpsk); 3110 SSL_SESSION_free(serverpsk); 3111 clientpsk = serverpsk = NULL; 3112 SSL_free(serverssl); 3113 SSL_free(clientssl); 3114 SSL_CTX_free(sctx); 3115 SSL_CTX_free(cctx); 3116 return testresult; 3117 } 3118 3119 3120 # ifndef OPENSSL_NO_TLS1_2 3121 /* 3122 * Test that a server attempting to read early data can handle a connection 3123 * from a TLSv1.2 client. 3124 */ 3125 static int test_early_data_tls1_2(int idx) 3126 { 3127 SSL_CTX *cctx = NULL, *sctx = NULL; 3128 SSL *clientssl = NULL, *serverssl = NULL; 3129 int testresult = 0; 3130 unsigned char buf[20]; 3131 size_t readbytes, written; 3132 3133 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, 3134 &serverssl, NULL, idx))) 3135 goto end; 3136 3137 /* Write some data - should block due to handshake with server */ 3138 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION); 3139 SSL_set_connect_state(clientssl); 3140 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))) 3141 goto end; 3142 3143 /* 3144 * Server should do TLSv1.2 handshake. First it will block waiting for more 3145 * messages from client after ServerDone. Then SSL_read_early_data should 3146 * finish and detect that early data has not been sent 3147 */ 3148 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 3149 &readbytes), 3150 SSL_READ_EARLY_DATA_ERROR)) 3151 goto end; 3152 3153 /* 3154 * Continue writing the message we started earlier. Will still block waiting 3155 * for the CCS/Finished from server 3156 */ 3157 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)) 3158 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 3159 &readbytes), 3160 SSL_READ_EARLY_DATA_FINISH) 3161 || !TEST_size_t_eq(readbytes, 0) 3162 || !TEST_int_eq(SSL_get_early_data_status(serverssl), 3163 SSL_EARLY_DATA_NOT_SENT)) 3164 goto end; 3165 3166 /* Continue writing the message we started earlier */ 3167 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)) 3168 || !TEST_size_t_eq(written, strlen(MSG1)) 3169 || !TEST_int_eq(SSL_get_early_data_status(clientssl), 3170 SSL_EARLY_DATA_NOT_SENT) 3171 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)) 3172 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)) 3173 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)) 3174 || !TEST_size_t_eq(written, strlen(MSG2)) 3175 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes) 3176 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2))) 3177 goto end; 3178 3179 testresult = 1; 3180 3181 end: 3182 SSL_SESSION_free(clientpsk); 3183 SSL_SESSION_free(serverpsk); 3184 clientpsk = serverpsk = NULL; 3185 SSL_free(serverssl); 3186 SSL_free(clientssl); 3187 SSL_CTX_free(sctx); 3188 SSL_CTX_free(cctx); 3189 3190 return testresult; 3191 } 3192 # endif /* OPENSSL_NO_TLS1_2 */ 3193 3194 /* 3195 * Test configuring the TLSv1.3 ciphersuites 3196 * 3197 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list) 3198 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list) 3199 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list) 3200 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list) 3201 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list) 3202 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list) 3203 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list) 3204 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list) 3205 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list) 3206 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list) 3207 */ 3208 static int test_set_ciphersuite(int idx) 3209 { 3210 SSL_CTX *cctx = NULL, *sctx = NULL; 3211 SSL *clientssl = NULL, *serverssl = NULL; 3212 int testresult = 0; 3213 3214 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), 3215 TLS1_VERSION, TLS_MAX_VERSION, 3216 &sctx, &cctx, cert, privkey)) 3217 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, 3218 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256"))) 3219 goto end; 3220 3221 if (idx >=4 && idx <= 7) { 3222 /* SSL_CTX explicit cipher list */ 3223 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384"))) 3224 goto end; 3225 } 3226 3227 if (idx == 0 || idx == 4) { 3228 /* Default ciphersuite */ 3229 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, 3230 "TLS_AES_128_GCM_SHA256"))) 3231 goto end; 3232 } else if (idx == 1 || idx == 5) { 3233 /* Non default ciphersuite */ 3234 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, 3235 "TLS_AES_128_CCM_SHA256"))) 3236 goto end; 3237 } 3238 3239 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 3240 &clientssl, NULL, NULL))) 3241 goto end; 3242 3243 if (idx == 8 || idx == 9) { 3244 /* SSL explicit cipher list */ 3245 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))) 3246 goto end; 3247 } 3248 3249 if (idx == 2 || idx == 6 || idx == 8) { 3250 /* Default ciphersuite */ 3251 if (!TEST_true(SSL_set_ciphersuites(clientssl, 3252 "TLS_AES_128_GCM_SHA256"))) 3253 goto end; 3254 } else if (idx == 3 || idx == 7 || idx == 9) { 3255 /* Non default ciphersuite */ 3256 if (!TEST_true(SSL_set_ciphersuites(clientssl, 3257 "TLS_AES_128_CCM_SHA256"))) 3258 goto end; 3259 } 3260 3261 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 3262 goto end; 3263 3264 testresult = 1; 3265 3266 end: 3267 SSL_free(serverssl); 3268 SSL_free(clientssl); 3269 SSL_CTX_free(sctx); 3270 SSL_CTX_free(cctx); 3271 3272 return testresult; 3273 } 3274 3275 static int test_ciphersuite_change(void) 3276 { 3277 SSL_CTX *cctx = NULL, *sctx = NULL; 3278 SSL *clientssl = NULL, *serverssl = NULL; 3279 SSL_SESSION *clntsess = NULL; 3280 int testresult = 0; 3281 const SSL_CIPHER *aes_128_gcm_sha256 = NULL; 3282 3283 /* Create a session based on SHA-256 */ 3284 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), 3285 TLS1_VERSION, TLS_MAX_VERSION, 3286 &sctx, &cctx, cert, privkey)) 3287 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, 3288 "TLS_AES_128_GCM_SHA256")) 3289 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 3290 &clientssl, NULL, NULL)) 3291 || !TEST_true(create_ssl_connection(serverssl, clientssl, 3292 SSL_ERROR_NONE))) 3293 goto end; 3294 3295 clntsess = SSL_get1_session(clientssl); 3296 /* Save for later */ 3297 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess); 3298 SSL_shutdown(clientssl); 3299 SSL_shutdown(serverssl); 3300 SSL_free(serverssl); 3301 SSL_free(clientssl); 3302 serverssl = clientssl = NULL; 3303 3304 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) 3305 /* Check we can resume a session with a different SHA-256 ciphersuite */ 3306 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, 3307 "TLS_CHACHA20_POLY1305_SHA256")) 3308 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 3309 NULL, NULL)) 3310 || !TEST_true(SSL_set_session(clientssl, clntsess)) 3311 || !TEST_true(create_ssl_connection(serverssl, clientssl, 3312 SSL_ERROR_NONE)) 3313 || !TEST_true(SSL_session_reused(clientssl))) 3314 goto end; 3315 3316 SSL_SESSION_free(clntsess); 3317 clntsess = SSL_get1_session(clientssl); 3318 SSL_shutdown(clientssl); 3319 SSL_shutdown(serverssl); 3320 SSL_free(serverssl); 3321 SSL_free(clientssl); 3322 serverssl = clientssl = NULL; 3323 # endif 3324 3325 /* 3326 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites 3327 * succeeds but does not resume. 3328 */ 3329 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384")) 3330 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 3331 NULL, NULL)) 3332 || !TEST_true(SSL_set_session(clientssl, clntsess)) 3333 || !TEST_true(create_ssl_connection(serverssl, clientssl, 3334 SSL_ERROR_SSL)) 3335 || !TEST_false(SSL_session_reused(clientssl))) 3336 goto end; 3337 3338 SSL_SESSION_free(clntsess); 3339 clntsess = NULL; 3340 SSL_shutdown(clientssl); 3341 SSL_shutdown(serverssl); 3342 SSL_free(serverssl); 3343 SSL_free(clientssl); 3344 serverssl = clientssl = NULL; 3345 3346 /* Create a session based on SHA384 */ 3347 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384")) 3348 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 3349 &clientssl, NULL, NULL)) 3350 || !TEST_true(create_ssl_connection(serverssl, clientssl, 3351 SSL_ERROR_NONE))) 3352 goto end; 3353 3354 clntsess = SSL_get1_session(clientssl); 3355 SSL_shutdown(clientssl); 3356 SSL_shutdown(serverssl); 3357 SSL_free(serverssl); 3358 SSL_free(clientssl); 3359 serverssl = clientssl = NULL; 3360 3361 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, 3362 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384")) 3363 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, 3364 "TLS_AES_256_GCM_SHA384")) 3365 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 3366 NULL, NULL)) 3367 || !TEST_true(SSL_set_session(clientssl, clntsess)) 3368 /* 3369 * We use SSL_ERROR_WANT_READ below so that we can pause the 3370 * connection after the initial ClientHello has been sent to 3371 * enable us to make some session changes. 3372 */ 3373 || !TEST_false(create_ssl_connection(serverssl, clientssl, 3374 SSL_ERROR_WANT_READ))) 3375 goto end; 3376 3377 /* Trick the client into thinking this session is for a different digest */ 3378 clntsess->cipher = aes_128_gcm_sha256; 3379 clntsess->cipher_id = clntsess->cipher->id; 3380 3381 /* 3382 * Continue the previously started connection. Server has selected a SHA-384 3383 * ciphersuite, but client thinks the session is for SHA-256, so it should 3384 * bail out. 3385 */ 3386 if (!TEST_false(create_ssl_connection(serverssl, clientssl, 3387 SSL_ERROR_SSL)) 3388 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), 3389 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED)) 3390 goto end; 3391 3392 testresult = 1; 3393 3394 end: 3395 SSL_SESSION_free(clntsess); 3396 SSL_free(serverssl); 3397 SSL_free(clientssl); 3398 SSL_CTX_free(sctx); 3399 SSL_CTX_free(cctx); 3400 3401 return testresult; 3402 } 3403 3404 /* 3405 * Test TLSv1.3 Cipher Suite 3406 * Test 0 = Set TLS1.3 cipher on context 3407 * Test 1 = Set TLS1.3 cipher on SSL 3408 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context 3409 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL 3410 */ 3411 static int test_tls13_ciphersuite(int idx) 3412 { 3413 SSL_CTX *sctx = NULL, *cctx = NULL; 3414 SSL *serverssl = NULL, *clientssl = NULL; 3415 static const char *t13_ciphers[] = { 3416 TLS1_3_RFC_AES_128_GCM_SHA256, 3417 TLS1_3_RFC_AES_256_GCM_SHA384, 3418 TLS1_3_RFC_AES_128_CCM_SHA256, 3419 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) 3420 TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 3421 TLS1_3_RFC_AES_256_GCM_SHA384 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 3422 # endif 3423 TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256 3424 }; 3425 const char *t13_cipher = NULL; 3426 const char *t12_cipher = NULL; 3427 const char *negotiated_scipher; 3428 const char *negotiated_ccipher; 3429 int set_at_ctx = 0; 3430 int set_at_ssl = 0; 3431 int testresult = 0; 3432 int max_ver; 3433 size_t i; 3434 3435 switch (idx) { 3436 case 0: 3437 set_at_ctx = 1; 3438 break; 3439 case 1: 3440 set_at_ssl = 1; 3441 break; 3442 case 2: 3443 set_at_ctx = 1; 3444 t12_cipher = TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256; 3445 break; 3446 case 3: 3447 set_at_ssl = 1; 3448 t12_cipher = TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256; 3449 break; 3450 } 3451 3452 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) { 3453 # ifdef OPENSSL_NO_TLS1_2 3454 if (max_ver == TLS1_2_VERSION) 3455 continue; 3456 # endif 3457 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) { 3458 t13_cipher = t13_ciphers[i]; 3459 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), 3460 TLS_client_method(), 3461 TLS1_VERSION, max_ver, 3462 &sctx, &cctx, cert, privkey))) 3463 goto end; 3464 3465 if (set_at_ctx) { 3466 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher)) 3467 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher))) 3468 goto end; 3469 if (t12_cipher != NULL) { 3470 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher)) 3471 || !TEST_true(SSL_CTX_set_cipher_list(cctx, 3472 t12_cipher))) 3473 goto end; 3474 } 3475 } 3476 3477 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 3478 &clientssl, NULL, NULL))) 3479 goto end; 3480 3481 if (set_at_ssl) { 3482 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher)) 3483 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher))) 3484 goto end; 3485 if (t12_cipher != NULL) { 3486 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher)) 3487 || !TEST_true(SSL_set_cipher_list(clientssl, 3488 t12_cipher))) 3489 goto end; 3490 } 3491 } 3492 3493 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 3494 SSL_ERROR_NONE))) 3495 goto end; 3496 3497 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher( 3498 serverssl)); 3499 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher( 3500 clientssl)); 3501 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher)) 3502 goto end; 3503 3504 /* 3505 * TEST_strn_eq is used below because t13_cipher can contain 3506 * multiple ciphersuites 3507 */ 3508 if (max_ver == TLS1_3_VERSION 3509 && !TEST_strn_eq(t13_cipher, negotiated_scipher, 3510 strlen(negotiated_scipher))) 3511 goto end; 3512 3513 # ifndef OPENSSL_NO_TLS1_2 3514 /* Below validation is not done when t12_cipher is NULL */ 3515 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL 3516 && !TEST_str_eq(t12_cipher, negotiated_scipher)) 3517 goto end; 3518 # endif 3519 3520 SSL_free(serverssl); 3521 serverssl = NULL; 3522 SSL_free(clientssl); 3523 clientssl = NULL; 3524 SSL_CTX_free(sctx); 3525 sctx = NULL; 3526 SSL_CTX_free(cctx); 3527 cctx = NULL; 3528 } 3529 } 3530 3531 testresult = 1; 3532 end: 3533 SSL_free(serverssl); 3534 SSL_free(clientssl); 3535 SSL_CTX_free(sctx); 3536 SSL_CTX_free(cctx); 3537 return testresult; 3538 } 3539 3540 /* 3541 * Test TLSv1.3 PSKs 3542 * Test 0 = Test new style callbacks 3543 * Test 1 = Test both new and old style callbacks 3544 * Test 2 = Test old style callbacks 3545 * Test 3 = Test old style callbacks with no certificate 3546 */ 3547 static int test_tls13_psk(int idx) 3548 { 3549 SSL_CTX *sctx = NULL, *cctx = NULL; 3550 SSL *serverssl = NULL, *clientssl = NULL; 3551 const SSL_CIPHER *cipher = NULL; 3552 const unsigned char key[] = { 3553 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 3554 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 3555 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23, 3556 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f 3557 }; 3558 int testresult = 0; 3559 3560 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), 3561 TLS1_VERSION, TLS_MAX_VERSION, 3562 &sctx, &cctx, idx == 3 ? NULL : cert, 3563 idx == 3 ? NULL : privkey))) 3564 goto end; 3565 3566 if (idx != 3) { 3567 /* 3568 * We use a ciphersuite with SHA256 to ease testing old style PSK 3569 * callbacks which will always default to SHA256. This should not be 3570 * necessary if we have no cert/priv key. In that case the server should 3571 * prefer SHA256 automatically. 3572 */ 3573 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, 3574 "TLS_AES_128_GCM_SHA256"))) 3575 goto end; 3576 } 3577 3578 /* 3579 * Test 0: New style callbacks only 3580 * Test 1: New and old style callbacks (only the new ones should be used) 3581 * Test 2: Old style callbacks only 3582 */ 3583 if (idx == 0 || idx == 1) { 3584 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb); 3585 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb); 3586 } 3587 #ifndef OPENSSL_NO_PSK 3588 if (idx >= 1) { 3589 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb); 3590 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb); 3591 } 3592 #endif 3593 srvid = pskid; 3594 use_session_cb_cnt = 0; 3595 find_session_cb_cnt = 0; 3596 psk_client_cb_cnt = 0; 3597 psk_server_cb_cnt = 0; 3598 3599 if (idx != 3) { 3600 /* 3601 * Check we can create a connection if callback decides not to send a 3602 * PSK 3603 */ 3604 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 3605 NULL, NULL)) 3606 || !TEST_true(create_ssl_connection(serverssl, clientssl, 3607 SSL_ERROR_NONE)) 3608 || !TEST_false(SSL_session_reused(clientssl)) 3609 || !TEST_false(SSL_session_reused(serverssl))) 3610 goto end; 3611 3612 if (idx == 0 || idx == 1) { 3613 if (!TEST_true(use_session_cb_cnt == 1) 3614 || !TEST_true(find_session_cb_cnt == 0) 3615 /* 3616 * If no old style callback then below should be 0 3617 * otherwise 1 3618 */ 3619 || !TEST_true(psk_client_cb_cnt == idx) 3620 || !TEST_true(psk_server_cb_cnt == 0)) 3621 goto end; 3622 } else { 3623 if (!TEST_true(use_session_cb_cnt == 0) 3624 || !TEST_true(find_session_cb_cnt == 0) 3625 || !TEST_true(psk_client_cb_cnt == 1) 3626 || !TEST_true(psk_server_cb_cnt == 0)) 3627 goto end; 3628 } 3629 3630 shutdown_ssl_connection(serverssl, clientssl); 3631 serverssl = clientssl = NULL; 3632 use_session_cb_cnt = psk_client_cb_cnt = 0; 3633 } 3634 3635 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 3636 NULL, NULL))) 3637 goto end; 3638 3639 /* Create the PSK */ 3640 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES); 3641 clientpsk = SSL_SESSION_new(); 3642 if (!TEST_ptr(clientpsk) 3643 || !TEST_ptr(cipher) 3644 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key, 3645 sizeof(key))) 3646 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher)) 3647 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk, 3648 TLS1_3_VERSION)) 3649 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) 3650 goto end; 3651 serverpsk = clientpsk; 3652 3653 /* Check we can create a connection and the PSK is used */ 3654 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) 3655 || !TEST_true(SSL_session_reused(clientssl)) 3656 || !TEST_true(SSL_session_reused(serverssl))) 3657 goto end; 3658 3659 if (idx == 0 || idx == 1) { 3660 if (!TEST_true(use_session_cb_cnt == 1) 3661 || !TEST_true(find_session_cb_cnt == 1) 3662 || !TEST_true(psk_client_cb_cnt == 0) 3663 || !TEST_true(psk_server_cb_cnt == 0)) 3664 goto end; 3665 } else { 3666 if (!TEST_true(use_session_cb_cnt == 0) 3667 || !TEST_true(find_session_cb_cnt == 0) 3668 || !TEST_true(psk_client_cb_cnt == 1) 3669 || !TEST_true(psk_server_cb_cnt == 1)) 3670 goto end; 3671 } 3672 3673 shutdown_ssl_connection(serverssl, clientssl); 3674 serverssl = clientssl = NULL; 3675 use_session_cb_cnt = find_session_cb_cnt = 0; 3676 psk_client_cb_cnt = psk_server_cb_cnt = 0; 3677 3678 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 3679 NULL, NULL))) 3680 goto end; 3681 3682 /* Force an HRR */ 3683 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256"))) 3684 goto end; 3685 3686 /* 3687 * Check we can create a connection, the PSK is used and the callbacks are 3688 * called twice. 3689 */ 3690 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) 3691 || !TEST_true(SSL_session_reused(clientssl)) 3692 || !TEST_true(SSL_session_reused(serverssl))) 3693 goto end; 3694 3695 if (idx == 0 || idx == 1) { 3696 if (!TEST_true(use_session_cb_cnt == 2) 3697 || !TEST_true(find_session_cb_cnt == 2) 3698 || !TEST_true(psk_client_cb_cnt == 0) 3699 || !TEST_true(psk_server_cb_cnt == 0)) 3700 goto end; 3701 } else { 3702 if (!TEST_true(use_session_cb_cnt == 0) 3703 || !TEST_true(find_session_cb_cnt == 0) 3704 || !TEST_true(psk_client_cb_cnt == 2) 3705 || !TEST_true(psk_server_cb_cnt == 2)) 3706 goto end; 3707 } 3708 3709 shutdown_ssl_connection(serverssl, clientssl); 3710 serverssl = clientssl = NULL; 3711 use_session_cb_cnt = find_session_cb_cnt = 0; 3712 psk_client_cb_cnt = psk_server_cb_cnt = 0; 3713 3714 if (idx != 3) { 3715 /* 3716 * Check that if the server rejects the PSK we can still connect, but with 3717 * a full handshake 3718 */ 3719 srvid = "Dummy Identity"; 3720 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 3721 NULL, NULL)) 3722 || !TEST_true(create_ssl_connection(serverssl, clientssl, 3723 SSL_ERROR_NONE)) 3724 || !TEST_false(SSL_session_reused(clientssl)) 3725 || !TEST_false(SSL_session_reused(serverssl))) 3726 goto end; 3727 3728 if (idx == 0 || idx == 1) { 3729 if (!TEST_true(use_session_cb_cnt == 1) 3730 || !TEST_true(find_session_cb_cnt == 1) 3731 || !TEST_true(psk_client_cb_cnt == 0) 3732 /* 3733 * If no old style callback then below should be 0 3734 * otherwise 1 3735 */ 3736 || !TEST_true(psk_server_cb_cnt == idx)) 3737 goto end; 3738 } else { 3739 if (!TEST_true(use_session_cb_cnt == 0) 3740 || !TEST_true(find_session_cb_cnt == 0) 3741 || !TEST_true(psk_client_cb_cnt == 1) 3742 || !TEST_true(psk_server_cb_cnt == 1)) 3743 goto end; 3744 } 3745 3746 shutdown_ssl_connection(serverssl, clientssl); 3747 serverssl = clientssl = NULL; 3748 } 3749 testresult = 1; 3750 3751 end: 3752 SSL_SESSION_free(clientpsk); 3753 SSL_SESSION_free(serverpsk); 3754 clientpsk = serverpsk = NULL; 3755 SSL_free(serverssl); 3756 SSL_free(clientssl); 3757 SSL_CTX_free(sctx); 3758 SSL_CTX_free(cctx); 3759 return testresult; 3760 } 3761 3762 static unsigned char cookie_magic_value[] = "cookie magic"; 3763 3764 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie, 3765 unsigned int *cookie_len) 3766 { 3767 /* 3768 * Not suitable as a real cookie generation function but good enough for 3769 * testing! 3770 */ 3771 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1); 3772 *cookie_len = sizeof(cookie_magic_value) - 1; 3773 3774 return 1; 3775 } 3776 3777 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie, 3778 unsigned int cookie_len) 3779 { 3780 if (cookie_len == sizeof(cookie_magic_value) - 1 3781 && memcmp(cookie, cookie_magic_value, cookie_len) == 0) 3782 return 1; 3783 3784 return 0; 3785 } 3786 3787 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie, 3788 size_t *cookie_len) 3789 { 3790 unsigned int temp; 3791 int res = generate_cookie_callback(ssl, cookie, &temp); 3792 *cookie_len = temp; 3793 return res; 3794 } 3795 3796 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie, 3797 size_t cookie_len) 3798 { 3799 return verify_cookie_callback(ssl, cookie, cookie_len); 3800 } 3801 3802 static int test_stateless(void) 3803 { 3804 SSL_CTX *sctx = NULL, *cctx = NULL; 3805 SSL *serverssl = NULL, *clientssl = NULL; 3806 int testresult = 0; 3807 3808 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), 3809 TLS1_VERSION, TLS_MAX_VERSION, 3810 &sctx, &cctx, cert, privkey))) 3811 goto end; 3812 3813 /* The arrival of CCS messages can confuse the test */ 3814 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT); 3815 3816 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 3817 NULL, NULL)) 3818 /* Send the first ClientHello */ 3819 || !TEST_false(create_ssl_connection(serverssl, clientssl, 3820 SSL_ERROR_WANT_READ)) 3821 /* 3822 * This should fail with a -1 return because we have no callbacks 3823 * set up 3824 */ 3825 || !TEST_int_eq(SSL_stateless(serverssl), -1)) 3826 goto end; 3827 3828 /* Fatal error so abandon the connection from this client */ 3829 SSL_free(clientssl); 3830 clientssl = NULL; 3831 3832 /* Set up the cookie generation and verification callbacks */ 3833 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback); 3834 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback); 3835 3836 /* 3837 * Create a new connection from the client (we can reuse the server SSL 3838 * object). 3839 */ 3840 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 3841 NULL, NULL)) 3842 /* Send the first ClientHello */ 3843 || !TEST_false(create_ssl_connection(serverssl, clientssl, 3844 SSL_ERROR_WANT_READ)) 3845 /* This should fail because there is no cookie */ 3846 || !TEST_int_eq(SSL_stateless(serverssl), 0)) 3847 goto end; 3848 3849 /* Abandon the connection from this client */ 3850 SSL_free(clientssl); 3851 clientssl = NULL; 3852 3853 /* 3854 * Now create a connection from a new client but with the same server SSL 3855 * object 3856 */ 3857 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 3858 NULL, NULL)) 3859 /* Send the first ClientHello */ 3860 || !TEST_false(create_ssl_connection(serverssl, clientssl, 3861 SSL_ERROR_WANT_READ)) 3862 /* This should fail because there is no cookie */ 3863 || !TEST_int_eq(SSL_stateless(serverssl), 0) 3864 /* Send the second ClientHello */ 3865 || !TEST_false(create_ssl_connection(serverssl, clientssl, 3866 SSL_ERROR_WANT_READ)) 3867 /* This should succeed because a cookie is now present */ 3868 || !TEST_int_eq(SSL_stateless(serverssl), 1) 3869 /* Complete the connection */ 3870 || !TEST_true(create_ssl_connection(serverssl, clientssl, 3871 SSL_ERROR_NONE))) 3872 goto end; 3873 3874 shutdown_ssl_connection(serverssl, clientssl); 3875 serverssl = clientssl = NULL; 3876 testresult = 1; 3877 3878 end: 3879 SSL_free(serverssl); 3880 SSL_free(clientssl); 3881 SSL_CTX_free(sctx); 3882 SSL_CTX_free(cctx); 3883 return testresult; 3884 3885 } 3886 #endif /* OPENSSL_NO_TLS1_3 */ 3887 3888 static int clntaddoldcb = 0; 3889 static int clntparseoldcb = 0; 3890 static int srvaddoldcb = 0; 3891 static int srvparseoldcb = 0; 3892 static int clntaddnewcb = 0; 3893 static int clntparsenewcb = 0; 3894 static int srvaddnewcb = 0; 3895 static int srvparsenewcb = 0; 3896 static int snicb = 0; 3897 3898 #define TEST_EXT_TYPE1 0xff00 3899 3900 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out, 3901 size_t *outlen, int *al, void *add_arg) 3902 { 3903 int *server = (int *)add_arg; 3904 unsigned char *data; 3905 3906 if (SSL_is_server(s)) 3907 srvaddoldcb++; 3908 else 3909 clntaddoldcb++; 3910 3911 if (*server != SSL_is_server(s) 3912 || (data = OPENSSL_malloc(sizeof(*data))) == NULL) 3913 return -1; 3914 3915 *data = 1; 3916 *out = data; 3917 *outlen = sizeof(char); 3918 return 1; 3919 } 3920 3921 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out, 3922 void *add_arg) 3923 { 3924 OPENSSL_free((unsigned char *)out); 3925 } 3926 3927 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in, 3928 size_t inlen, int *al, void *parse_arg) 3929 { 3930 int *server = (int *)parse_arg; 3931 3932 if (SSL_is_server(s)) 3933 srvparseoldcb++; 3934 else 3935 clntparseoldcb++; 3936 3937 if (*server != SSL_is_server(s) 3938 || inlen != sizeof(char) 3939 || *in != 1) 3940 return -1; 3941 3942 return 1; 3943 } 3944 3945 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context, 3946 const unsigned char **out, size_t *outlen, X509 *x, 3947 size_t chainidx, int *al, void *add_arg) 3948 { 3949 int *server = (int *)add_arg; 3950 unsigned char *data; 3951 3952 if (SSL_is_server(s)) 3953 srvaddnewcb++; 3954 else 3955 clntaddnewcb++; 3956 3957 if (*server != SSL_is_server(s) 3958 || (data = OPENSSL_malloc(sizeof(*data))) == NULL) 3959 return -1; 3960 3961 *data = 1; 3962 *out = data; 3963 *outlen = sizeof(*data); 3964 return 1; 3965 } 3966 3967 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context, 3968 const unsigned char *out, void *add_arg) 3969 { 3970 OPENSSL_free((unsigned char *)out); 3971 } 3972 3973 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context, 3974 const unsigned char *in, size_t inlen, X509 *x, 3975 size_t chainidx, int *al, void *parse_arg) 3976 { 3977 int *server = (int *)parse_arg; 3978 3979 if (SSL_is_server(s)) 3980 srvparsenewcb++; 3981 else 3982 clntparsenewcb++; 3983 3984 if (*server != SSL_is_server(s) 3985 || inlen != sizeof(char) || *in != 1) 3986 return -1; 3987 3988 return 1; 3989 } 3990 3991 static int sni_cb(SSL *s, int *al, void *arg) 3992 { 3993 SSL_CTX *ctx = (SSL_CTX *)arg; 3994 3995 if (SSL_set_SSL_CTX(s, ctx) == NULL) { 3996 *al = SSL_AD_INTERNAL_ERROR; 3997 return SSL_TLSEXT_ERR_ALERT_FATAL; 3998 } 3999 snicb++; 4000 return SSL_TLSEXT_ERR_OK; 4001 } 4002 4003 /* 4004 * Custom call back tests. 4005 * Test 0: Old style callbacks in TLSv1.2 4006 * Test 1: New style callbacks in TLSv1.2 4007 * Test 2: New style callbacks in TLSv1.2 with SNI 4008 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE 4009 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST 4010 */ 4011 static int test_custom_exts(int tst) 4012 { 4013 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL; 4014 SSL *clientssl = NULL, *serverssl = NULL; 4015 int testresult = 0; 4016 static int server = 1; 4017 static int client = 0; 4018 SSL_SESSION *sess = NULL; 4019 unsigned int context; 4020 4021 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3) 4022 /* Skip tests for TLSv1.2 and below in this case */ 4023 if (tst < 3) 4024 return 1; 4025 #endif 4026 4027 /* Reset callback counters */ 4028 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0; 4029 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0; 4030 snicb = 0; 4031 4032 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), 4033 TLS1_VERSION, TLS_MAX_VERSION, 4034 &sctx, &cctx, cert, privkey))) 4035 goto end; 4036 4037 if (tst == 2 4038 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL, 4039 TLS1_VERSION, TLS_MAX_VERSION, 4040 &sctx2, NULL, cert, privkey))) 4041 goto end; 4042 4043 4044 if (tst < 3) { 4045 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3); 4046 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3); 4047 if (sctx2 != NULL) 4048 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3); 4049 } 4050 4051 if (tst == 4) { 4052 context = SSL_EXT_CLIENT_HELLO 4053 | SSL_EXT_TLS1_2_SERVER_HELLO 4054 | SSL_EXT_TLS1_3_SERVER_HELLO 4055 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS 4056 | SSL_EXT_TLS1_3_CERTIFICATE 4057 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET; 4058 } else { 4059 context = SSL_EXT_CLIENT_HELLO 4060 | SSL_EXT_TLS1_2_SERVER_HELLO 4061 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS; 4062 } 4063 4064 /* Create a client side custom extension */ 4065 if (tst == 0) { 4066 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1, 4067 old_add_cb, old_free_cb, 4068 &client, old_parse_cb, 4069 &client))) 4070 goto end; 4071 } else { 4072 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context, 4073 new_add_cb, new_free_cb, 4074 &client, new_parse_cb, &client))) 4075 goto end; 4076 } 4077 4078 /* Should not be able to add duplicates */ 4079 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1, 4080 old_add_cb, old_free_cb, 4081 &client, old_parse_cb, 4082 &client)) 4083 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, 4084 context, new_add_cb, 4085 new_free_cb, &client, 4086 new_parse_cb, &client))) 4087 goto end; 4088 4089 /* Create a server side custom extension */ 4090 if (tst == 0) { 4091 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1, 4092 old_add_cb, old_free_cb, 4093 &server, old_parse_cb, 4094 &server))) 4095 goto end; 4096 } else { 4097 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context, 4098 new_add_cb, new_free_cb, 4099 &server, new_parse_cb, &server))) 4100 goto end; 4101 if (sctx2 != NULL 4102 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1, 4103 context, new_add_cb, 4104 new_free_cb, &server, 4105 new_parse_cb, &server))) 4106 goto end; 4107 } 4108 4109 /* Should not be able to add duplicates */ 4110 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1, 4111 old_add_cb, old_free_cb, 4112 &server, old_parse_cb, 4113 &server)) 4114 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, 4115 context, new_add_cb, 4116 new_free_cb, &server, 4117 new_parse_cb, &server))) 4118 goto end; 4119 4120 if (tst == 2) { 4121 /* Set up SNI */ 4122 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb)) 4123 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2))) 4124 goto end; 4125 } 4126 4127 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 4128 &clientssl, NULL, NULL)) 4129 || !TEST_true(create_ssl_connection(serverssl, clientssl, 4130 SSL_ERROR_NONE))) 4131 goto end; 4132 4133 if (tst == 0) { 4134 if (clntaddoldcb != 1 4135 || clntparseoldcb != 1 4136 || srvaddoldcb != 1 4137 || srvparseoldcb != 1) 4138 goto end; 4139 } else if (tst == 1 || tst == 2 || tst == 3) { 4140 if (clntaddnewcb != 1 4141 || clntparsenewcb != 1 4142 || srvaddnewcb != 1 4143 || srvparsenewcb != 1 4144 || (tst != 2 && snicb != 0) 4145 || (tst == 2 && snicb != 1)) 4146 goto end; 4147 } else { 4148 /* In this case there 2 NewSessionTicket messages created */ 4149 if (clntaddnewcb != 1 4150 || clntparsenewcb != 5 4151 || srvaddnewcb != 5 4152 || srvparsenewcb != 1) 4153 goto end; 4154 } 4155 4156 sess = SSL_get1_session(clientssl); 4157 SSL_shutdown(clientssl); 4158 SSL_shutdown(serverssl); 4159 SSL_free(serverssl); 4160 SSL_free(clientssl); 4161 serverssl = clientssl = NULL; 4162 4163 if (tst == 3) { 4164 /* We don't bother with the resumption aspects for this test */ 4165 testresult = 1; 4166 goto end; 4167 } 4168 4169 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 4170 NULL, NULL)) 4171 || !TEST_true(SSL_set_session(clientssl, sess)) 4172 || !TEST_true(create_ssl_connection(serverssl, clientssl, 4173 SSL_ERROR_NONE))) 4174 goto end; 4175 4176 /* 4177 * For a resumed session we expect to add the ClientHello extension. For the 4178 * old style callbacks we ignore it on the server side because they set 4179 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore 4180 * them. 4181 */ 4182 if (tst == 0) { 4183 if (clntaddoldcb != 2 4184 || clntparseoldcb != 1 4185 || srvaddoldcb != 1 4186 || srvparseoldcb != 1) 4187 goto end; 4188 } else if (tst == 1 || tst == 2 || tst == 3) { 4189 if (clntaddnewcb != 2 4190 || clntparsenewcb != 2 4191 || srvaddnewcb != 2 4192 || srvparsenewcb != 2) 4193 goto end; 4194 } else { 4195 /* 4196 * No Certificate message extensions in the resumption handshake, 4197 * 2 NewSessionTickets in the initial handshake, 1 in the resumption 4198 */ 4199 if (clntaddnewcb != 2 4200 || clntparsenewcb != 8 4201 || srvaddnewcb != 8 4202 || srvparsenewcb != 2) 4203 goto end; 4204 } 4205 4206 testresult = 1; 4207 4208 end: 4209 SSL_SESSION_free(sess); 4210 SSL_free(serverssl); 4211 SSL_free(clientssl); 4212 SSL_CTX_free(sctx2); 4213 SSL_CTX_free(sctx); 4214 SSL_CTX_free(cctx); 4215 return testresult; 4216 } 4217 4218 /* 4219 * Test loading of serverinfo data in various formats. test_sslmessages actually 4220 * tests to make sure the extensions appear in the handshake 4221 */ 4222 static int test_serverinfo(int tst) 4223 { 4224 unsigned int version; 4225 unsigned char *sibuf; 4226 size_t sibuflen; 4227 int ret, expected, testresult = 0; 4228 SSL_CTX *ctx; 4229 4230 ctx = SSL_CTX_new(TLS_method()); 4231 if (!TEST_ptr(ctx)) 4232 goto end; 4233 4234 if ((tst & 0x01) == 0x01) 4235 version = SSL_SERVERINFOV2; 4236 else 4237 version = SSL_SERVERINFOV1; 4238 4239 if ((tst & 0x02) == 0x02) { 4240 sibuf = serverinfov2; 4241 sibuflen = sizeof(serverinfov2); 4242 expected = (version == SSL_SERVERINFOV2); 4243 } else { 4244 sibuf = serverinfov1; 4245 sibuflen = sizeof(serverinfov1); 4246 expected = (version == SSL_SERVERINFOV1); 4247 } 4248 4249 if ((tst & 0x04) == 0x04) { 4250 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen); 4251 } else { 4252 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen); 4253 4254 /* 4255 * The version variable is irrelevant in this case - it's what is in the 4256 * buffer that matters 4257 */ 4258 if ((tst & 0x02) == 0x02) 4259 expected = 0; 4260 else 4261 expected = 1; 4262 } 4263 4264 if (!TEST_true(ret == expected)) 4265 goto end; 4266 4267 testresult = 1; 4268 4269 end: 4270 SSL_CTX_free(ctx); 4271 4272 return testresult; 4273 } 4274 4275 /* 4276 * Test that SSL_export_keying_material() produces expected results. There are 4277 * no test vectors so all we do is test that both sides of the communication 4278 * produce the same results for different protocol versions. 4279 */ 4280 #define SMALL_LABEL_LEN 10 4281 #define LONG_LABEL_LEN 249 4282 static int test_export_key_mat(int tst) 4283 { 4284 int testresult = 0; 4285 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL; 4286 SSL *clientssl = NULL, *serverssl = NULL; 4287 const char label[LONG_LABEL_LEN + 1] = "test label"; 4288 const unsigned char context[] = "context"; 4289 const unsigned char *emptycontext = NULL; 4290 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80]; 4291 unsigned char skeymat1[80], skeymat2[80], skeymat3[80]; 4292 size_t labellen; 4293 const int protocols[] = { 4294 TLS1_VERSION, 4295 TLS1_1_VERSION, 4296 TLS1_2_VERSION, 4297 TLS1_3_VERSION, 4298 TLS1_3_VERSION, 4299 TLS1_3_VERSION 4300 }; 4301 4302 #ifdef OPENSSL_NO_TLS1 4303 if (tst == 0) 4304 return 1; 4305 #endif 4306 #ifdef OPENSSL_NO_TLS1_1 4307 if (tst == 1) 4308 return 1; 4309 #endif 4310 #ifdef OPENSSL_NO_TLS1_2 4311 if (tst == 2) 4312 return 1; 4313 #endif 4314 #ifdef OPENSSL_NO_TLS1_3 4315 if (tst >= 3) 4316 return 1; 4317 #endif 4318 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), 4319 TLS1_VERSION, TLS_MAX_VERSION, 4320 &sctx, &cctx, cert, privkey))) 4321 goto end; 4322 4323 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols)); 4324 SSL_CTX_set_max_proto_version(cctx, protocols[tst]); 4325 SSL_CTX_set_min_proto_version(cctx, protocols[tst]); 4326 4327 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, 4328 NULL)) 4329 || !TEST_true(create_ssl_connection(serverssl, clientssl, 4330 SSL_ERROR_NONE))) 4331 goto end; 4332 4333 if (tst == 5) { 4334 /* 4335 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we 4336 * go over that. 4337 */ 4338 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1, 4339 sizeof(ckeymat1), label, 4340 LONG_LABEL_LEN + 1, context, 4341 sizeof(context) - 1, 1), 0)) 4342 goto end; 4343 4344 testresult = 1; 4345 goto end; 4346 } else if (tst == 4) { 4347 labellen = LONG_LABEL_LEN; 4348 } else { 4349 labellen = SMALL_LABEL_LEN; 4350 } 4351 4352 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1, 4353 sizeof(ckeymat1), label, 4354 labellen, context, 4355 sizeof(context) - 1, 1), 1) 4356 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2, 4357 sizeof(ckeymat2), label, 4358 labellen, 4359 emptycontext, 4360 0, 1), 1) 4361 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3, 4362 sizeof(ckeymat3), label, 4363 labellen, 4364 NULL, 0, 0), 1) 4365 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1, 4366 sizeof(skeymat1), label, 4367 labellen, 4368 context, 4369 sizeof(context) -1, 1), 4370 1) 4371 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2, 4372 sizeof(skeymat2), label, 4373 labellen, 4374 emptycontext, 4375 0, 1), 1) 4376 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3, 4377 sizeof(skeymat3), label, 4378 labellen, 4379 NULL, 0, 0), 1) 4380 /* 4381 * Check that both sides created the same key material with the 4382 * same context. 4383 */ 4384 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1, 4385 sizeof(skeymat1)) 4386 /* 4387 * Check that both sides created the same key material with an 4388 * empty context. 4389 */ 4390 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2, 4391 sizeof(skeymat2)) 4392 /* 4393 * Check that both sides created the same key material without a 4394 * context. 4395 */ 4396 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3, 4397 sizeof(skeymat3)) 4398 /* Different contexts should produce different results */ 4399 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2, 4400 sizeof(ckeymat2))) 4401 goto end; 4402 4403 /* 4404 * Check that an empty context and no context produce different results in 4405 * protocols less than TLSv1.3. In TLSv1.3 they should be the same. 4406 */ 4407 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3, 4408 sizeof(ckeymat3))) 4409 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3, 4410 sizeof(ckeymat3)))) 4411 goto end; 4412 4413 testresult = 1; 4414 4415 end: 4416 SSL_free(serverssl); 4417 SSL_free(clientssl); 4418 SSL_CTX_free(sctx2); 4419 SSL_CTX_free(sctx); 4420 SSL_CTX_free(cctx); 4421 4422 return testresult; 4423 } 4424 4425 #ifndef OPENSSL_NO_TLS1_3 4426 /* 4427 * Test that SSL_export_keying_material_early() produces expected 4428 * results. There are no test vectors so all we do is test that both 4429 * sides of the communication produce the same results for different 4430 * protocol versions. 4431 */ 4432 static int test_export_key_mat_early(int idx) 4433 { 4434 static const char label[] = "test label"; 4435 static const unsigned char context[] = "context"; 4436 int testresult = 0; 4437 SSL_CTX *cctx = NULL, *sctx = NULL; 4438 SSL *clientssl = NULL, *serverssl = NULL; 4439 SSL_SESSION *sess = NULL; 4440 const unsigned char *emptycontext = NULL; 4441 unsigned char ckeymat1[80], ckeymat2[80]; 4442 unsigned char skeymat1[80], skeymat2[80]; 4443 unsigned char buf[1]; 4444 size_t readbytes, written; 4445 4446 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl, 4447 &sess, idx))) 4448 goto end; 4449 4450 /* Here writing 0 length early data is enough. */ 4451 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written)) 4452 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 4453 &readbytes), 4454 SSL_READ_EARLY_DATA_ERROR) 4455 || !TEST_int_eq(SSL_get_early_data_status(serverssl), 4456 SSL_EARLY_DATA_ACCEPTED)) 4457 goto end; 4458 4459 if (!TEST_int_eq(SSL_export_keying_material_early( 4460 clientssl, ckeymat1, sizeof(ckeymat1), label, 4461 sizeof(label) - 1, context, sizeof(context) - 1), 1) 4462 || !TEST_int_eq(SSL_export_keying_material_early( 4463 clientssl, ckeymat2, sizeof(ckeymat2), label, 4464 sizeof(label) - 1, emptycontext, 0), 1) 4465 || !TEST_int_eq(SSL_export_keying_material_early( 4466 serverssl, skeymat1, sizeof(skeymat1), label, 4467 sizeof(label) - 1, context, sizeof(context) - 1), 1) 4468 || !TEST_int_eq(SSL_export_keying_material_early( 4469 serverssl, skeymat2, sizeof(skeymat2), label, 4470 sizeof(label) - 1, emptycontext, 0), 1) 4471 /* 4472 * Check that both sides created the same key material with the 4473 * same context. 4474 */ 4475 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1, 4476 sizeof(skeymat1)) 4477 /* 4478 * Check that both sides created the same key material with an 4479 * empty context. 4480 */ 4481 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2, 4482 sizeof(skeymat2)) 4483 /* Different contexts should produce different results */ 4484 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2, 4485 sizeof(ckeymat2))) 4486 goto end; 4487 4488 testresult = 1; 4489 4490 end: 4491 SSL_SESSION_free(sess); 4492 SSL_SESSION_free(clientpsk); 4493 SSL_SESSION_free(serverpsk); 4494 clientpsk = serverpsk = NULL; 4495 SSL_free(serverssl); 4496 SSL_free(clientssl); 4497 SSL_CTX_free(sctx); 4498 SSL_CTX_free(cctx); 4499 4500 return testresult; 4501 } 4502 4503 #define NUM_KEY_UPDATE_MESSAGES 40 4504 /* 4505 * Test KeyUpdate. 4506 */ 4507 static int test_key_update(void) 4508 { 4509 SSL_CTX *cctx = NULL, *sctx = NULL; 4510 SSL *clientssl = NULL, *serverssl = NULL; 4511 int testresult = 0, i, j; 4512 char buf[20]; 4513 static char *mess = "A test message"; 4514 4515 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), 4516 TLS_client_method(), 4517 TLS1_3_VERSION, 4518 0, 4519 &sctx, &cctx, cert, privkey)) 4520 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 4521 NULL, NULL)) 4522 || !TEST_true(create_ssl_connection(serverssl, clientssl, 4523 SSL_ERROR_NONE))) 4524 goto end; 4525 4526 for (j = 0; j < 2; j++) { 4527 /* Send lots of KeyUpdate messages */ 4528 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) { 4529 if (!TEST_true(SSL_key_update(clientssl, 4530 (j == 0) 4531 ? SSL_KEY_UPDATE_NOT_REQUESTED 4532 : SSL_KEY_UPDATE_REQUESTED)) 4533 || !TEST_true(SSL_do_handshake(clientssl))) 4534 goto end; 4535 } 4536 4537 /* Check that sending and receiving app data is ok */ 4538 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess)) 4539 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)), 4540 strlen(mess))) 4541 goto end; 4542 4543 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess)) 4544 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)), 4545 strlen(mess))) 4546 goto end; 4547 } 4548 4549 testresult = 1; 4550 4551 end: 4552 SSL_free(serverssl); 4553 SSL_free(clientssl); 4554 SSL_CTX_free(sctx); 4555 SSL_CTX_free(cctx); 4556 4557 return testresult; 4558 } 4559 4560 /* 4561 * Test we can handle a KeyUpdate (update requested) message while write data 4562 * is pending. 4563 * Test 0: Client sends KeyUpdate while Server is writing 4564 * Test 1: Server sends KeyUpdate while Client is writing 4565 */ 4566 static int test_key_update_in_write(int tst) 4567 { 4568 SSL_CTX *cctx = NULL, *sctx = NULL; 4569 SSL *clientssl = NULL, *serverssl = NULL; 4570 int testresult = 0; 4571 char buf[20]; 4572 static char *mess = "A test message"; 4573 BIO *bretry = BIO_new(bio_s_always_retry()); 4574 BIO *tmp = NULL; 4575 SSL *peerupdate = NULL, *peerwrite = NULL; 4576 4577 if (!TEST_ptr(bretry) 4578 || !TEST_true(create_ssl_ctx_pair(TLS_server_method(), 4579 TLS_client_method(), 4580 TLS1_3_VERSION, 4581 0, 4582 &sctx, &cctx, cert, privkey)) 4583 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 4584 NULL, NULL)) 4585 || !TEST_true(create_ssl_connection(serverssl, clientssl, 4586 SSL_ERROR_NONE))) 4587 goto end; 4588 4589 peerupdate = tst == 0 ? clientssl : serverssl; 4590 peerwrite = tst == 0 ? serverssl : clientssl; 4591 4592 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED)) 4593 || !TEST_true(SSL_do_handshake(peerupdate))) 4594 goto end; 4595 4596 /* Swap the writing endpoint's write BIO to force a retry */ 4597 tmp = SSL_get_wbio(peerwrite); 4598 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) { 4599 tmp = NULL; 4600 goto end; 4601 } 4602 SSL_set0_wbio(peerwrite, bretry); 4603 bretry = NULL; 4604 4605 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */ 4606 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1) 4607 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE)) 4608 goto end; 4609 4610 /* Reinstate the original writing endpoint's write BIO */ 4611 SSL_set0_wbio(peerwrite, tmp); 4612 tmp = NULL; 4613 4614 /* Now read some data - we will read the key update */ 4615 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1) 4616 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ)) 4617 goto end; 4618 4619 /* 4620 * Complete the write we started previously and read it from the other 4621 * endpoint 4622 */ 4623 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess)) 4624 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess))) 4625 goto end; 4626 4627 /* Write more data to ensure we send the KeyUpdate message back */ 4628 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess)) 4629 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess))) 4630 goto end; 4631 4632 testresult = 1; 4633 4634 end: 4635 SSL_free(serverssl); 4636 SSL_free(clientssl); 4637 SSL_CTX_free(sctx); 4638 SSL_CTX_free(cctx); 4639 BIO_free(bretry); 4640 BIO_free(tmp); 4641 4642 return testresult; 4643 } 4644 #endif /* OPENSSL_NO_TLS1_3 */ 4645 4646 static int test_ssl_clear(int idx) 4647 { 4648 SSL_CTX *cctx = NULL, *sctx = NULL; 4649 SSL *clientssl = NULL, *serverssl = NULL; 4650 int testresult = 0; 4651 4652 #ifdef OPENSSL_NO_TLS1_2 4653 if (idx == 1) 4654 return 1; 4655 #endif 4656 4657 /* Create an initial connection */ 4658 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), 4659 TLS1_VERSION, TLS_MAX_VERSION, 4660 &sctx, &cctx, cert, privkey)) 4661 || (idx == 1 4662 && !TEST_true(SSL_CTX_set_max_proto_version(cctx, 4663 TLS1_2_VERSION))) 4664 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 4665 &clientssl, NULL, NULL)) 4666 || !TEST_true(create_ssl_connection(serverssl, clientssl, 4667 SSL_ERROR_NONE))) 4668 goto end; 4669 4670 SSL_shutdown(clientssl); 4671 SSL_shutdown(serverssl); 4672 SSL_free(serverssl); 4673 serverssl = NULL; 4674 4675 /* Clear clientssl - we're going to reuse the object */ 4676 if (!TEST_true(SSL_clear(clientssl))) 4677 goto end; 4678 4679 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 4680 NULL, NULL)) 4681 || !TEST_true(create_ssl_connection(serverssl, clientssl, 4682 SSL_ERROR_NONE)) 4683 || !TEST_true(SSL_session_reused(clientssl))) 4684 goto end; 4685 4686 SSL_shutdown(clientssl); 4687 SSL_shutdown(serverssl); 4688 4689 testresult = 1; 4690 4691 end: 4692 SSL_free(serverssl); 4693 SSL_free(clientssl); 4694 SSL_CTX_free(sctx); 4695 SSL_CTX_free(cctx); 4696 4697 return testresult; 4698 } 4699 4700 /* Parse CH and retrieve any MFL extension value if present */ 4701 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code) 4702 { 4703 long len; 4704 unsigned char *data; 4705 PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0}; 4706 unsigned int MFL_code = 0, type = 0; 4707 4708 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) ) 4709 goto end; 4710 4711 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) ) 4712 /* Skip the record header */ 4713 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH) 4714 /* Skip the handshake message header */ 4715 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH)) 4716 /* Skip client version and random */ 4717 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN 4718 + SSL3_RANDOM_SIZE)) 4719 /* Skip session id */ 4720 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2)) 4721 /* Skip ciphers */ 4722 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2)) 4723 /* Skip compression */ 4724 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2)) 4725 /* Extensions len */ 4726 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2))) 4727 goto end; 4728 4729 /* Loop through all extensions */ 4730 while (PACKET_remaining(&pkt2)) { 4731 if (!TEST_true(PACKET_get_net_2(&pkt2, &type)) 4732 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3))) 4733 goto end; 4734 4735 if (type == TLSEXT_TYPE_max_fragment_length) { 4736 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0) 4737 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code))) 4738 goto end; 4739 4740 *mfl_codemfl_code = MFL_code; 4741 return 1; 4742 } 4743 } 4744 4745 end: 4746 return 0; 4747 } 4748 4749 /* Maximum-Fragment-Length TLS extension mode to test */ 4750 static const unsigned char max_fragment_len_test[] = { 4751 TLSEXT_max_fragment_length_512, 4752 TLSEXT_max_fragment_length_1024, 4753 TLSEXT_max_fragment_length_2048, 4754 TLSEXT_max_fragment_length_4096 4755 }; 4756 4757 static int test_max_fragment_len_ext(int idx_tst) 4758 { 4759 SSL_CTX *ctx; 4760 SSL *con = NULL; 4761 int testresult = 0, MFL_mode = 0; 4762 BIO *rbio, *wbio; 4763 4764 ctx = SSL_CTX_new(TLS_method()); 4765 if (!TEST_ptr(ctx)) 4766 goto end; 4767 4768 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length( 4769 ctx, max_fragment_len_test[idx_tst]))) 4770 goto end; 4771 4772 con = SSL_new(ctx); 4773 if (!TEST_ptr(con)) 4774 goto end; 4775 4776 rbio = BIO_new(BIO_s_mem()); 4777 wbio = BIO_new(BIO_s_mem()); 4778 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) { 4779 BIO_free(rbio); 4780 BIO_free(wbio); 4781 goto end; 4782 } 4783 4784 SSL_set_bio(con, rbio, wbio); 4785 SSL_set_connect_state(con); 4786 4787 if (!TEST_int_le(SSL_connect(con), 0)) { 4788 /* This shouldn't succeed because we don't have a server! */ 4789 goto end; 4790 } 4791 4792 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode))) 4793 /* no MFL in client hello */ 4794 goto end; 4795 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode)) 4796 goto end; 4797 4798 testresult = 1; 4799 4800 end: 4801 SSL_free(con); 4802 SSL_CTX_free(ctx); 4803 4804 return testresult; 4805 } 4806 4807 #ifndef OPENSSL_NO_TLS1_3 4808 static int test_pha_key_update(void) 4809 { 4810 SSL_CTX *cctx = NULL, *sctx = NULL; 4811 SSL *clientssl = NULL, *serverssl = NULL; 4812 int testresult = 0; 4813 4814 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), 4815 TLS1_VERSION, TLS_MAX_VERSION, 4816 &sctx, &cctx, cert, privkey))) 4817 return 0; 4818 4819 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION)) 4820 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION)) 4821 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION)) 4822 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION))) 4823 goto end; 4824 4825 SSL_CTX_set_post_handshake_auth(cctx, 1); 4826 4827 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 4828 NULL, NULL))) 4829 goto end; 4830 4831 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 4832 SSL_ERROR_NONE))) 4833 goto end; 4834 4835 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL); 4836 if (!TEST_true(SSL_verify_client_post_handshake(serverssl))) 4837 goto end; 4838 4839 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED))) 4840 goto end; 4841 4842 /* Start handshake on the server */ 4843 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1)) 4844 goto end; 4845 4846 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */ 4847 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 4848 SSL_ERROR_NONE))) 4849 goto end; 4850 4851 SSL_shutdown(clientssl); 4852 SSL_shutdown(serverssl); 4853 4854 testresult = 1; 4855 4856 end: 4857 SSL_free(serverssl); 4858 SSL_free(clientssl); 4859 SSL_CTX_free(sctx); 4860 SSL_CTX_free(cctx); 4861 return testresult; 4862 } 4863 #endif 4864 4865 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2) 4866 4867 static SRP_VBASE *vbase = NULL; 4868 4869 static int ssl_srp_cb(SSL *s, int *ad, void *arg) 4870 { 4871 int ret = SSL3_AL_FATAL; 4872 char *username; 4873 SRP_user_pwd *user = NULL; 4874 4875 username = SSL_get_srp_username(s); 4876 if (username == NULL) { 4877 *ad = SSL_AD_INTERNAL_ERROR; 4878 goto err; 4879 } 4880 4881 user = SRP_VBASE_get1_by_user(vbase, username); 4882 if (user == NULL) { 4883 *ad = SSL_AD_INTERNAL_ERROR; 4884 goto err; 4885 } 4886 4887 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v, 4888 user->info) <= 0) { 4889 *ad = SSL_AD_INTERNAL_ERROR; 4890 goto err; 4891 } 4892 4893 ret = 0; 4894 4895 err: 4896 SRP_user_pwd_free(user); 4897 return ret; 4898 } 4899 4900 static int create_new_vfile(char *userid, char *password, const char *filename) 4901 { 4902 char *gNid = NULL; 4903 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1)); 4904 TXT_DB *db = NULL; 4905 int ret = 0; 4906 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0); 4907 size_t i; 4908 4909 if (!TEST_ptr(dummy) || !TEST_ptr(row)) 4910 goto end; 4911 4912 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt], 4913 &row[DB_srpverifier], NULL, NULL); 4914 if (!TEST_ptr(gNid)) 4915 goto end; 4916 4917 /* 4918 * The only way to create an empty TXT_DB is to provide a BIO with no data 4919 * in it! 4920 */ 4921 db = TXT_DB_read(dummy, DB_NUMBER); 4922 if (!TEST_ptr(db)) 4923 goto end; 4924 4925 out = BIO_new_file(filename, "w"); 4926 if (!TEST_ptr(out)) 4927 goto end; 4928 4929 row[DB_srpid] = OPENSSL_strdup(userid); 4930 row[DB_srptype] = OPENSSL_strdup("V"); 4931 row[DB_srpgN] = OPENSSL_strdup(gNid); 4932 4933 if (!TEST_ptr(row[DB_srpid]) 4934 || !TEST_ptr(row[DB_srptype]) 4935 || !TEST_ptr(row[DB_srpgN]) 4936 || !TEST_true(TXT_DB_insert(db, row))) 4937 goto end; 4938 4939 row = NULL; 4940 4941 if (!TXT_DB_write(out, db)) 4942 goto end; 4943 4944 ret = 1; 4945 end: 4946 if (row != NULL) { 4947 for (i = 0; i < DB_NUMBER; i++) 4948 OPENSSL_free(row[i]); 4949 } 4950 OPENSSL_free(row); 4951 BIO_free(dummy); 4952 BIO_free(out); 4953 TXT_DB_free(db); 4954 4955 return ret; 4956 } 4957 4958 static int create_new_vbase(char *userid, char *password) 4959 { 4960 BIGNUM *verifier = NULL, *salt = NULL; 4961 const SRP_gN *lgN = NULL; 4962 SRP_user_pwd *user_pwd = NULL; 4963 int ret = 0; 4964 4965 lgN = SRP_get_default_gN(NULL); 4966 if (!TEST_ptr(lgN)) 4967 goto end; 4968 4969 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier, 4970 lgN->N, lgN->g))) 4971 goto end; 4972 4973 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd)); 4974 if (!TEST_ptr(user_pwd)) 4975 goto end; 4976 4977 user_pwd->N = lgN->N; 4978 user_pwd->g = lgN->g; 4979 user_pwd->id = OPENSSL_strdup(userid); 4980 if (!TEST_ptr(user_pwd->id)) 4981 goto end; 4982 4983 user_pwd->v = verifier; 4984 user_pwd->s = salt; 4985 verifier = salt = NULL; 4986 4987 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0) 4988 goto end; 4989 user_pwd = NULL; 4990 4991 ret = 1; 4992 end: 4993 SRP_user_pwd_free(user_pwd); 4994 BN_free(salt); 4995 BN_free(verifier); 4996 4997 return ret; 4998 } 4999 5000 /* 5001 * SRP tests 5002 * 5003 * Test 0: Simple successful SRP connection, new vbase 5004 * Test 1: Connection failure due to bad password, new vbase 5005 * Test 2: Simple successful SRP connection, vbase loaded from existing file 5006 * Test 3: Connection failure due to bad password, vbase loaded from existing 5007 * file 5008 * Test 4: Simple successful SRP connection, vbase loaded from new file 5009 * Test 5: Connection failure due to bad password, vbase loaded from new file 5010 */ 5011 static int test_srp(int tst) 5012 { 5013 char *userid = "test", *password = "password", *tstsrpfile; 5014 SSL_CTX *cctx = NULL, *sctx = NULL; 5015 SSL *clientssl = NULL, *serverssl = NULL; 5016 int ret, testresult = 0; 5017 5018 vbase = SRP_VBASE_new(NULL); 5019 if (!TEST_ptr(vbase)) 5020 goto end; 5021 5022 if (tst == 0 || tst == 1) { 5023 if (!TEST_true(create_new_vbase(userid, password))) 5024 goto end; 5025 } else { 5026 if (tst == 4 || tst == 5) { 5027 if (!TEST_true(create_new_vfile(userid, password, tmpfilename))) 5028 goto end; 5029 tstsrpfile = tmpfilename; 5030 } else { 5031 tstsrpfile = srpvfile; 5032 } 5033 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR)) 5034 goto end; 5035 } 5036 5037 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), 5038 TLS1_VERSION, TLS_MAX_VERSION, 5039 &sctx, &cctx, cert, privkey))) 5040 goto end; 5041 5042 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0) 5043 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA")) 5044 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION)) 5045 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION)) 5046 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0)) 5047 goto end; 5048 5049 if (tst % 2 == 1) { 5050 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0)) 5051 goto end; 5052 } else { 5053 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0)) 5054 goto end; 5055 } 5056 5057 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 5058 NULL, NULL))) 5059 goto end; 5060 5061 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE); 5062 if (ret) { 5063 if (!TEST_true(tst % 2 == 0)) 5064 goto end; 5065 } else { 5066 if (!TEST_true(tst % 2 == 1)) 5067 goto end; 5068 } 5069 5070 testresult = 1; 5071 5072 end: 5073 SRP_VBASE_free(vbase); 5074 vbase = NULL; 5075 SSL_free(serverssl); 5076 SSL_free(clientssl); 5077 SSL_CTX_free(sctx); 5078 SSL_CTX_free(cctx); 5079 5080 return testresult; 5081 } 5082 #endif 5083 5084 static int info_cb_failed = 0; 5085 static int info_cb_offset = 0; 5086 static int info_cb_this_state = -1; 5087 5088 static struct info_cb_states_st { 5089 int where; 5090 const char *statestr; 5091 } info_cb_states[][60] = { 5092 { 5093 /* TLSv1.2 server followed by resumption */ 5094 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "}, 5095 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"}, 5096 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"}, 5097 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"}, 5098 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"}, 5099 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"}, 5100 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, 5101 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL}, 5102 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, 5103 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"}, 5104 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"}, 5105 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL}, 5106 {SSL_CB_EXIT, NULL}, {0, NULL}, 5107 }, { 5108 /* TLSv1.2 client followed by resumption */ 5109 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "}, 5110 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"}, 5111 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"}, 5112 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"}, 5113 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, 5114 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, 5115 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL}, 5116 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "}, 5117 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"}, 5118 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, 5119 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"}, 5120 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL}, 5121 }, { 5122 /* TLSv1.3 server followed by resumption */ 5123 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "}, 5124 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"}, 5125 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"}, 5126 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"}, 5127 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"}, 5128 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"}, 5129 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL}, 5130 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "}, 5131 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"}, 5132 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"}, 5133 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, 5134 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL}, 5135 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL}, 5136 }, { 5137 /* TLSv1.3 client followed by resumption */ 5138 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "}, 5139 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"}, 5140 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"}, 5141 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, 5142 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL}, 5143 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, 5144 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, 5145 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, 5146 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL}, 5147 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, 5148 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, 5149 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"}, 5150 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, 5151 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, 5152 {SSL_CB_EXIT, NULL}, {0, NULL}, 5153 }, { 5154 /* TLSv1.3 server, early_data */ 5155 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "}, 5156 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"}, 5157 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"}, 5158 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, 5159 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"}, 5160 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"}, 5161 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"}, 5162 {SSL_CB_EXIT, NULL}, {0, NULL}, 5163 }, { 5164 /* TLSv1.3 client, early_data */ 5165 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "}, 5166 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"}, 5167 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, 5168 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"}, 5169 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, 5170 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"}, 5171 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL}, 5172 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, 5173 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL}, 5174 }, { 5175 {0, NULL}, 5176 } 5177 }; 5178 5179 static void sslapi_info_callback(const SSL *s, int where, int ret) 5180 { 5181 struct info_cb_states_st *state = info_cb_states[info_cb_offset]; 5182 5183 /* We do not ever expect a connection to fail in this test */ 5184 if (!TEST_false(ret == 0)) { 5185 info_cb_failed = 1; 5186 return; 5187 } 5188 5189 /* 5190 * Do some sanity checks. We never expect these things to happen in this 5191 * test 5192 */ 5193 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0)) 5194 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0) 5195 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) { 5196 info_cb_failed = 1; 5197 return; 5198 } 5199 5200 /* Now check we're in the right state */ 5201 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) { 5202 info_cb_failed = 1; 5203 return; 5204 } 5205 if ((where & SSL_CB_LOOP) != 0 5206 && !TEST_int_eq(strcmp(SSL_state_string(s), 5207 state[info_cb_this_state].statestr), 0)) { 5208 info_cb_failed = 1; 5209 return; 5210 } 5211 5212 /* 5213 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init 5214 */ 5215 if ((where & SSL_CB_HANDSHAKE_DONE) 5216 && SSL_in_init((SSL *)s) != 0) { 5217 info_cb_failed = 1; 5218 return; 5219 } 5220 } 5221 5222 /* 5223 * Test the info callback gets called when we expect it to. 5224 * 5225 * Test 0: TLSv1.2, server 5226 * Test 1: TLSv1.2, client 5227 * Test 2: TLSv1.3, server 5228 * Test 3: TLSv1.3, client 5229 * Test 4: TLSv1.3, server, early_data 5230 * Test 5: TLSv1.3, client, early_data 5231 */ 5232 static int test_info_callback(int tst) 5233 { 5234 SSL_CTX *cctx = NULL, *sctx = NULL; 5235 SSL *clientssl = NULL, *serverssl = NULL; 5236 SSL_SESSION *clntsess = NULL; 5237 int testresult = 0; 5238 int tlsvers; 5239 5240 if (tst < 2) { 5241 /* We need either ECDHE or DHE for the TLSv1.2 test to work */ 5242 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \ 5243 || !defined(OPENSSL_NO_DH)) 5244 tlsvers = TLS1_2_VERSION; 5245 #else 5246 return 1; 5247 #endif 5248 } else { 5249 #ifndef OPENSSL_NO_TLS1_3 5250 tlsvers = TLS1_3_VERSION; 5251 #else 5252 return 1; 5253 #endif 5254 } 5255 5256 /* Reset globals */ 5257 info_cb_failed = 0; 5258 info_cb_this_state = -1; 5259 info_cb_offset = tst; 5260 5261 #ifndef OPENSSL_NO_TLS1_3 5262 if (tst >= 4) { 5263 SSL_SESSION *sess = NULL; 5264 size_t written, readbytes; 5265 unsigned char buf[80]; 5266 5267 /* early_data tests */ 5268 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, 5269 &serverssl, &sess, 0))) 5270 goto end; 5271 5272 /* We don't actually need this reference */ 5273 SSL_SESSION_free(sess); 5274 5275 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl, 5276 sslapi_info_callback); 5277 5278 /* Write and read some early data and then complete the connection */ 5279 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), 5280 &written)) 5281 || !TEST_size_t_eq(written, strlen(MSG1)) 5282 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, 5283 sizeof(buf), &readbytes), 5284 SSL_READ_EARLY_DATA_SUCCESS) 5285 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1)) 5286 || !TEST_int_eq(SSL_get_early_data_status(serverssl), 5287 SSL_EARLY_DATA_ACCEPTED) 5288 || !TEST_true(create_ssl_connection(serverssl, clientssl, 5289 SSL_ERROR_NONE)) 5290 || !TEST_false(info_cb_failed)) 5291 goto end; 5292 5293 testresult = 1; 5294 goto end; 5295 } 5296 #endif 5297 5298 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), 5299 TLS_client_method(), 5300 tlsvers, tlsvers, &sctx, &cctx, cert, 5301 privkey))) 5302 goto end; 5303 5304 /* 5305 * For even numbered tests we check the server callbacks. For odd numbers we 5306 * check the client. 5307 */ 5308 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx, 5309 sslapi_info_callback); 5310 5311 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 5312 &clientssl, NULL, NULL)) 5313 || !TEST_true(create_ssl_connection(serverssl, clientssl, 5314 SSL_ERROR_NONE)) 5315 || !TEST_false(info_cb_failed)) 5316 goto end; 5317 5318 5319 5320 clntsess = SSL_get1_session(clientssl); 5321 SSL_shutdown(clientssl); 5322 SSL_shutdown(serverssl); 5323 SSL_free(serverssl); 5324 SSL_free(clientssl); 5325 serverssl = clientssl = NULL; 5326 5327 /* Now do a resumption */ 5328 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, 5329 NULL)) 5330 || !TEST_true(SSL_set_session(clientssl, clntsess)) 5331 || !TEST_true(create_ssl_connection(serverssl, clientssl, 5332 SSL_ERROR_NONE)) 5333 || !TEST_true(SSL_session_reused(clientssl)) 5334 || !TEST_false(info_cb_failed)) 5335 goto end; 5336 5337 testresult = 1; 5338 5339 end: 5340 SSL_free(serverssl); 5341 SSL_free(clientssl); 5342 SSL_SESSION_free(clntsess); 5343 SSL_CTX_free(sctx); 5344 SSL_CTX_free(cctx); 5345 return testresult; 5346 } 5347 5348 static int test_ssl_pending(int tst) 5349 { 5350 SSL_CTX *cctx = NULL, *sctx = NULL; 5351 SSL *clientssl = NULL, *serverssl = NULL; 5352 int testresult = 0; 5353 char msg[] = "A test message"; 5354 char buf[5]; 5355 size_t written, readbytes; 5356 5357 if (tst == 0) { 5358 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), 5359 TLS_client_method(), 5360 TLS1_VERSION, TLS_MAX_VERSION, 5361 &sctx, &cctx, cert, privkey))) 5362 goto end; 5363 } else { 5364 #ifndef OPENSSL_NO_DTLS 5365 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(), 5366 DTLS_client_method(), 5367 DTLS1_VERSION, DTLS_MAX_VERSION, 5368 &sctx, &cctx, cert, privkey))) 5369 goto end; 5370 #else 5371 return 1; 5372 #endif 5373 } 5374 5375 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 5376 NULL, NULL)) 5377 || !TEST_true(create_ssl_connection(serverssl, clientssl, 5378 SSL_ERROR_NONE))) 5379 goto end; 5380 5381 if (!TEST_int_eq(SSL_pending(clientssl), 0) 5382 || !TEST_false(SSL_has_pending(clientssl)) 5383 || !TEST_int_eq(SSL_pending(serverssl), 0) 5384 || !TEST_false(SSL_has_pending(serverssl)) 5385 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written)) 5386 || !TEST_size_t_eq(written, sizeof(msg)) 5387 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)) 5388 || !TEST_size_t_eq(readbytes, sizeof(buf)) 5389 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes)) 5390 || !TEST_true(SSL_has_pending(clientssl))) 5391 goto end; 5392 5393 testresult = 1; 5394 5395 end: 5396 SSL_free(serverssl); 5397 SSL_free(clientssl); 5398 SSL_CTX_free(sctx); 5399 SSL_CTX_free(cctx); 5400 5401 return testresult; 5402 } 5403 5404 static struct { 5405 unsigned int maxprot; 5406 const char *clntciphers; 5407 const char *clnttls13ciphers; 5408 const char *srvrciphers; 5409 const char *srvrtls13ciphers; 5410 const char *shared; 5411 } shared_ciphers_data[] = { 5412 /* 5413 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if 5414 * TLSv1.3 is enabled but TLSv1.2 is disabled. 5415 */ 5416 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) 5417 { 5418 TLS1_2_VERSION, 5419 "AES128-SHA:AES256-SHA", 5420 NULL, 5421 "AES256-SHA:DHE-RSA-AES128-SHA", 5422 NULL, 5423 "AES256-SHA" 5424 }, 5425 { 5426 TLS1_2_VERSION, 5427 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA", 5428 NULL, 5429 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA", 5430 NULL, 5431 "AES128-SHA:AES256-SHA" 5432 }, 5433 { 5434 TLS1_2_VERSION, 5435 "AES128-SHA:AES256-SHA", 5436 NULL, 5437 "AES128-SHA:DHE-RSA-AES128-SHA", 5438 NULL, 5439 "AES128-SHA" 5440 }, 5441 #endif 5442 /* 5443 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be 5444 * enabled. 5445 */ 5446 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \ 5447 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) 5448 { 5449 TLS1_3_VERSION, 5450 "AES128-SHA:AES256-SHA", 5451 NULL, 5452 "AES256-SHA:AES128-SHA256", 5453 NULL, 5454 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:" 5455 "TLS_AES_128_GCM_SHA256:AES256-SHA" 5456 }, 5457 #endif 5458 #ifndef OPENSSL_NO_TLS1_3 5459 { 5460 TLS1_3_VERSION, 5461 "AES128-SHA", 5462 "TLS_AES_256_GCM_SHA384", 5463 "AES256-SHA", 5464 "TLS_AES_256_GCM_SHA384", 5465 "TLS_AES_256_GCM_SHA384" 5466 }, 5467 #endif 5468 }; 5469 5470 static int test_ssl_get_shared_ciphers(int tst) 5471 { 5472 SSL_CTX *cctx = NULL, *sctx = NULL; 5473 SSL *clientssl = NULL, *serverssl = NULL; 5474 int testresult = 0; 5475 char buf[1024]; 5476 5477 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), 5478 TLS_client_method(), 5479 TLS1_VERSION, 5480 shared_ciphers_data[tst].maxprot, 5481 &sctx, &cctx, cert, privkey))) 5482 goto end; 5483 5484 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, 5485 shared_ciphers_data[tst].clntciphers)) 5486 || (shared_ciphers_data[tst].clnttls13ciphers != NULL 5487 && !TEST_true(SSL_CTX_set_ciphersuites(cctx, 5488 shared_ciphers_data[tst].clnttls13ciphers))) 5489 || !TEST_true(SSL_CTX_set_cipher_list(sctx, 5490 shared_ciphers_data[tst].srvrciphers)) 5491 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL 5492 && !TEST_true(SSL_CTX_set_ciphersuites(sctx, 5493 shared_ciphers_data[tst].srvrtls13ciphers)))) 5494 goto end; 5495 5496 5497 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 5498 NULL, NULL)) 5499 || !TEST_true(create_ssl_connection(serverssl, clientssl, 5500 SSL_ERROR_NONE))) 5501 goto end; 5502 5503 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf))) 5504 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) { 5505 TEST_info("Shared ciphers are: %s\n", buf); 5506 goto end; 5507 } 5508 5509 testresult = 1; 5510 5511 end: 5512 SSL_free(serverssl); 5513 SSL_free(clientssl); 5514 SSL_CTX_free(sctx); 5515 SSL_CTX_free(cctx); 5516 5517 return testresult; 5518 } 5519 5520 static const char *appdata = "Hello World"; 5521 static int gen_tick_called, dec_tick_called, tick_key_cb_called; 5522 static int tick_key_renew = 0; 5523 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT; 5524 5525 static int gen_tick_cb(SSL *s, void *arg) 5526 { 5527 gen_tick_called = 1; 5528 5529 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata, 5530 strlen(appdata)); 5531 } 5532 5533 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss, 5534 const unsigned char *keyname, 5535 size_t keyname_length, 5536 SSL_TICKET_STATUS status, 5537 void *arg) 5538 { 5539 void *tickdata; 5540 size_t tickdlen; 5541 5542 dec_tick_called = 1; 5543 5544 if (status == SSL_TICKET_EMPTY) 5545 return SSL_TICKET_RETURN_IGNORE_RENEW; 5546 5547 if (!TEST_true(status == SSL_TICKET_SUCCESS 5548 || status == SSL_TICKET_SUCCESS_RENEW)) 5549 return SSL_TICKET_RETURN_ABORT; 5550 5551 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata, 5552 &tickdlen)) 5553 || !TEST_size_t_eq(tickdlen, strlen(appdata)) 5554 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0)) 5555 return SSL_TICKET_RETURN_ABORT; 5556 5557 if (tick_key_cb_called) { 5558 /* Don't change what the ticket key callback wanted to do */ 5559 switch (status) { 5560 case SSL_TICKET_NO_DECRYPT: 5561 return SSL_TICKET_RETURN_IGNORE_RENEW; 5562 5563 case SSL_TICKET_SUCCESS: 5564 return SSL_TICKET_RETURN_USE; 5565 5566 case SSL_TICKET_SUCCESS_RENEW: 5567 return SSL_TICKET_RETURN_USE_RENEW; 5568 5569 default: 5570 return SSL_TICKET_RETURN_ABORT; 5571 } 5572 } 5573 return tick_dec_ret; 5574 5575 } 5576 5577 static int tick_key_cb(SSL *s, unsigned char key_name[16], 5578 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx, 5579 HMAC_CTX *hctx, int enc) 5580 { 5581 const unsigned char tick_aes_key[16] = "0123456789abcdef"; 5582 const unsigned char tick_hmac_key[16] = "0123456789abcdef"; 5583 5584 tick_key_cb_called = 1; 5585 memset(iv, 0, AES_BLOCK_SIZE); 5586 memset(key_name, 0, 16); 5587 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc) 5588 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), 5589 EVP_sha256(), NULL)) 5590 return -1; 5591 5592 return tick_key_renew ? 2 : 1; 5593 } 5594 5595 /* 5596 * Test the various ticket callbacks 5597 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal 5598 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal 5599 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal 5600 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal 5601 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal 5602 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal 5603 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal 5604 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal 5605 * Test 8: TLSv1.2, ticket key callback, ticket, no renewal 5606 * Test 9: TLSv1.3, ticket key callback, ticket, no renewal 5607 * Test 10: TLSv1.2, ticket key callback, ticket, renewal 5608 * Test 11: TLSv1.3, ticket key callback, ticket, renewal 5609 */ 5610 static int test_ticket_callbacks(int tst) 5611 { 5612 SSL_CTX *cctx = NULL, *sctx = NULL; 5613 SSL *clientssl = NULL, *serverssl = NULL; 5614 SSL_SESSION *clntsess = NULL; 5615 int testresult = 0; 5616 5617 #ifdef OPENSSL_NO_TLS1_2 5618 if (tst % 2 == 0) 5619 return 1; 5620 #endif 5621 #ifdef OPENSSL_NO_TLS1_3 5622 if (tst % 2 == 1) 5623 return 1; 5624 #endif 5625 5626 gen_tick_called = dec_tick_called = tick_key_cb_called = 0; 5627 5628 /* Which tests the ticket key callback should request renewal for */ 5629 if (tst == 10 || tst == 11) 5630 tick_key_renew = 1; 5631 else 5632 tick_key_renew = 0; 5633 5634 /* Which tests the decrypt ticket callback should request renewal for */ 5635 switch (tst) { 5636 case 0: 5637 case 1: 5638 tick_dec_ret = SSL_TICKET_RETURN_IGNORE; 5639 break; 5640 5641 case 2: 5642 case 3: 5643 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW; 5644 break; 5645 5646 case 4: 5647 case 5: 5648 tick_dec_ret = SSL_TICKET_RETURN_USE; 5649 break; 5650 5651 case 6: 5652 case 7: 5653 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW; 5654 break; 5655 5656 default: 5657 tick_dec_ret = SSL_TICKET_RETURN_ABORT; 5658 } 5659 5660 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), 5661 TLS_client_method(), 5662 TLS1_VERSION, 5663 ((tst % 2) == 0) ? TLS1_2_VERSION 5664 : TLS1_3_VERSION, 5665 &sctx, &cctx, cert, privkey))) 5666 goto end; 5667 5668 /* 5669 * We only want sessions to resume from tickets - not the session cache. So 5670 * switch the cache off. 5671 */ 5672 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF))) 5673 goto end; 5674 5675 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb, 5676 NULL))) 5677 goto end; 5678 5679 if (tst >= 8 5680 && !TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb))) 5681 goto end; 5682 5683 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 5684 NULL, NULL)) 5685 || !TEST_true(create_ssl_connection(serverssl, clientssl, 5686 SSL_ERROR_NONE))) 5687 goto end; 5688 5689 /* 5690 * The decrypt ticket key callback in TLSv1.2 should be called even though 5691 * we have no ticket yet, because it gets called with a status of 5692 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not 5693 * actually send any ticket data). This does not happen in TLSv1.3 because 5694 * it is not valid to send empty ticket data in TLSv1.3. 5695 */ 5696 if (!TEST_int_eq(gen_tick_called, 1) 5697 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0)) 5698 goto end; 5699 5700 gen_tick_called = dec_tick_called = 0; 5701 5702 clntsess = SSL_get1_session(clientssl); 5703 SSL_shutdown(clientssl); 5704 SSL_shutdown(serverssl); 5705 SSL_free(serverssl); 5706 SSL_free(clientssl); 5707 serverssl = clientssl = NULL; 5708 5709 /* Now do a resumption */ 5710 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, 5711 NULL)) 5712 || !TEST_true(SSL_set_session(clientssl, clntsess)) 5713 || !TEST_true(create_ssl_connection(serverssl, clientssl, 5714 SSL_ERROR_NONE))) 5715 goto end; 5716 5717 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE 5718 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) { 5719 if (!TEST_false(SSL_session_reused(clientssl))) 5720 goto end; 5721 } else { 5722 if (!TEST_true(SSL_session_reused(clientssl))) 5723 goto end; 5724 } 5725 5726 if (!TEST_int_eq(gen_tick_called, 5727 (tick_key_renew 5728 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW 5729 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW) 5730 ? 1 : 0) 5731 || !TEST_int_eq(dec_tick_called, 1)) 5732 goto end; 5733 5734 testresult = 1; 5735 5736 end: 5737 SSL_SESSION_free(clntsess); 5738 SSL_free(serverssl); 5739 SSL_free(clientssl); 5740 SSL_CTX_free(sctx); 5741 SSL_CTX_free(cctx); 5742 5743 return testresult; 5744 } 5745 5746 /* 5747 * Test bi-directional shutdown. 5748 * Test 0: TLSv1.2 5749 * Test 1: TLSv1.2, server continues to read/write after client shutdown 5750 * Test 2: TLSv1.3, no pending NewSessionTicket messages 5751 * Test 3: TLSv1.3, pending NewSessionTicket messages 5752 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server 5753 * sends key update, client reads it 5754 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server 5755 * sends CertificateRequest, client reads and ignores it 5756 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client 5757 * doesn't read it 5758 */ 5759 static int test_shutdown(int tst) 5760 { 5761 SSL_CTX *cctx = NULL, *sctx = NULL; 5762 SSL *clientssl = NULL, *serverssl = NULL; 5763 int testresult = 0; 5764 char msg[] = "A test message"; 5765 char buf[80]; 5766 size_t written, readbytes; 5767 SSL_SESSION *sess; 5768 5769 #ifdef OPENSSL_NO_TLS1_2 5770 if (tst <= 1) 5771 return 1; 5772 #endif 5773 #ifdef OPENSSL_NO_TLS1_3 5774 if (tst >= 2) 5775 return 1; 5776 #endif 5777 5778 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), 5779 TLS_client_method(), 5780 TLS1_VERSION, 5781 (tst <= 1) ? TLS1_2_VERSION 5782 : TLS1_3_VERSION, 5783 &sctx, &cctx, cert, privkey))) 5784 goto end; 5785 5786 if (tst == 5) 5787 SSL_CTX_set_post_handshake_auth(cctx, 1); 5788 5789 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 5790 NULL, NULL))) 5791 goto end; 5792 5793 if (tst == 3) { 5794 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl, 5795 SSL_ERROR_NONE, 1)) 5796 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL) 5797 || !TEST_false(SSL_SESSION_is_resumable(sess))) 5798 goto end; 5799 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl, 5800 SSL_ERROR_NONE)) 5801 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL) 5802 || !TEST_true(SSL_SESSION_is_resumable(sess))) { 5803 goto end; 5804 } 5805 5806 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)) 5807 goto end; 5808 5809 if (tst >= 4) { 5810 /* 5811 * Reading on the server after the client has sent close_notify should 5812 * fail and provide SSL_ERROR_ZERO_RETURN 5813 */ 5814 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)) 5815 || !TEST_int_eq(SSL_get_error(serverssl, 0), 5816 SSL_ERROR_ZERO_RETURN) 5817 || !TEST_int_eq(SSL_get_shutdown(serverssl), 5818 SSL_RECEIVED_SHUTDOWN) 5819 /* 5820 * Even though we're shutdown on receive we should still be 5821 * able to write. 5822 */ 5823 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg)))) 5824 goto end; 5825 if (tst == 4 5826 && !TEST_true(SSL_key_update(serverssl, 5827 SSL_KEY_UPDATE_REQUESTED))) 5828 goto end; 5829 if (tst == 5) { 5830 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL); 5831 if (!TEST_true(SSL_verify_client_post_handshake(serverssl))) 5832 goto end; 5833 } 5834 if ((tst == 4 || tst == 5) 5835 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg)))) 5836 goto end; 5837 if (!TEST_int_eq(SSL_shutdown(serverssl), 1)) 5838 goto end; 5839 if (tst == 4 || tst == 5) { 5840 /* Should still be able to read data from server */ 5841 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), 5842 &readbytes)) 5843 || !TEST_size_t_eq(readbytes, sizeof(msg)) 5844 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0) 5845 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), 5846 &readbytes)) 5847 || !TEST_size_t_eq(readbytes, sizeof(msg)) 5848 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)) 5849 goto end; 5850 } 5851 } 5852 5853 /* Writing on the client after sending close_notify shouldn't be possible */ 5854 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written))) 5855 goto end; 5856 5857 if (tst < 4) { 5858 /* 5859 * For these tests the client has sent close_notify but it has not yet 5860 * been received by the server. The server has not sent close_notify 5861 * yet. 5862 */ 5863 if (!TEST_int_eq(SSL_shutdown(serverssl), 0) 5864 /* 5865 * Writing on the server after sending close_notify shouldn't 5866 * be possible. 5867 */ 5868 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written)) 5869 || !TEST_int_eq(SSL_shutdown(clientssl), 1) 5870 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL) 5871 || !TEST_true(SSL_SESSION_is_resumable(sess)) 5872 || !TEST_int_eq(SSL_shutdown(serverssl), 1)) 5873 goto end; 5874 } else if (tst == 4 || tst == 5) { 5875 /* 5876 * In this test the client has sent close_notify and it has been 5877 * received by the server which has responded with a close_notify. The 5878 * client needs to read the close_notify sent by the server. 5879 */ 5880 if (!TEST_int_eq(SSL_shutdown(clientssl), 1) 5881 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL) 5882 || !TEST_true(SSL_SESSION_is_resumable(sess))) 5883 goto end; 5884 } else { 5885 /* 5886 * tst == 6 5887 * 5888 * The client has sent close_notify and is expecting a close_notify 5889 * back, but instead there is application data first. The shutdown 5890 * should fail with a fatal error. 5891 */ 5892 if (!TEST_int_eq(SSL_shutdown(clientssl), -1) 5893 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL)) 5894 goto end; 5895 } 5896 5897 testresult = 1; 5898 5899 end: 5900 SSL_free(serverssl); 5901 SSL_free(clientssl); 5902 SSL_CTX_free(sctx); 5903 SSL_CTX_free(cctx); 5904 5905 return testresult; 5906 } 5907 5908 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3) 5909 static int cert_cb_cnt; 5910 5911 static int cert_cb(SSL *s, void *arg) 5912 { 5913 SSL_CTX *ctx = (SSL_CTX *)arg; 5914 BIO *in = NULL; 5915 EVP_PKEY *pkey = NULL; 5916 X509 *x509 = NULL, *rootx = NULL; 5917 STACK_OF(X509) *chain = NULL; 5918 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL; 5919 int ret = 0; 5920 5921 if (cert_cb_cnt == 0) { 5922 /* Suspend the handshake */ 5923 cert_cb_cnt++; 5924 return -1; 5925 } else if (cert_cb_cnt == 1) { 5926 /* 5927 * Update the SSL_CTX, set the certificate and private key and then 5928 * continue the handshake normally. 5929 */ 5930 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx))) 5931 return 0; 5932 5933 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM)) 5934 || !TEST_true(SSL_use_PrivateKey_file(s, privkey, 5935 SSL_FILETYPE_PEM)) 5936 || !TEST_true(SSL_check_private_key(s))) 5937 return 0; 5938 cert_cb_cnt++; 5939 return 1; 5940 } else if (cert_cb_cnt == 3) { 5941 int rv; 5942 5943 rootfile = test_mk_file_path(certsdir, "rootcert.pem"); 5944 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem"); 5945 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem"); 5946 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey)) 5947 goto out; 5948 chain = sk_X509_new_null(); 5949 if (!TEST_ptr(chain)) 5950 goto out; 5951 if (!TEST_ptr(in = BIO_new(BIO_s_file())) 5952 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0) 5953 || !TEST_ptr(rootx = PEM_read_bio_X509(in, NULL, NULL, NULL)) 5954 || !TEST_true(sk_X509_push(chain, rootx))) 5955 goto out; 5956 rootx = NULL; 5957 BIO_free(in); 5958 if (!TEST_ptr(in = BIO_new(BIO_s_file())) 5959 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0) 5960 || !TEST_ptr(x509 = PEM_read_bio_X509(in, NULL, NULL, NULL))) 5961 goto out; 5962 BIO_free(in); 5963 if (!TEST_ptr(in = BIO_new(BIO_s_file())) 5964 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0) 5965 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL))) 5966 goto out; 5967 rv = SSL_check_chain(s, x509, pkey, chain); 5968 /* 5969 * If the cert doesn't show as valid here (e.g., because we don't 5970 * have any shared sigalgs), then we will not set it, and there will 5971 * be no certificate at all on the SSL or SSL_CTX. This, in turn, 5972 * will cause tls_choose_sigalgs() to fail the connection. 5973 */ 5974 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) 5975 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) { 5976 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1)) 5977 goto out; 5978 } 5979 5980 ret = 1; 5981 } 5982 5983 /* Abort the handshake */ 5984 out: 5985 OPENSSL_free(ecdsacert); 5986 OPENSSL_free(ecdsakey); 5987 OPENSSL_free(rootfile); 5988 BIO_free(in); 5989 EVP_PKEY_free(pkey); 5990 X509_free(x509); 5991 X509_free(rootx); 5992 sk_X509_pop_free(chain, X509_free); 5993 return ret; 5994 } 5995 5996 /* 5997 * Test the certificate callback. 5998 * Test 0: Callback fails 5999 * Test 1: Success - no SSL_set_SSL_CTX() in the callback 6000 * Test 2: Success - SSL_set_SSL_CTX() in the callback 6001 * Test 3: Success - Call SSL_check_chain from the callback 6002 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the 6003 * chain 6004 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert 6005 */ 6006 static int test_cert_cb_int(int prot, int tst) 6007 { 6008 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL; 6009 SSL *clientssl = NULL, *serverssl = NULL; 6010 int testresult = 0, ret; 6011 6012 #ifdef OPENSSL_NO_EC 6013 /* We use an EC cert in these tests, so we skip in a no-ec build */ 6014 if (tst >= 3) 6015 return 1; 6016 #endif 6017 6018 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), 6019 TLS_client_method(), 6020 TLS1_VERSION, 6021 prot, 6022 &sctx, &cctx, NULL, NULL))) 6023 goto end; 6024 6025 if (tst == 0) 6026 cert_cb_cnt = -1; 6027 else if (tst >= 3) 6028 cert_cb_cnt = 3; 6029 else 6030 cert_cb_cnt = 0; 6031 6032 if (tst == 2) 6033 snictx = SSL_CTX_new(TLS_server_method()); 6034 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx); 6035 6036 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 6037 NULL, NULL))) 6038 goto end; 6039 6040 if (tst == 4) { 6041 /* 6042 * We cause SSL_check_chain() to fail by specifying sig_algs that 6043 * the chain doesn't meet (the root uses an RSA cert) 6044 */ 6045 if (!TEST_true(SSL_set1_sigalgs_list(clientssl, 6046 "ecdsa_secp256r1_sha256"))) 6047 goto end; 6048 } else if (tst == 5) { 6049 /* 6050 * We cause SSL_check_chain() to fail by specifying sig_algs that 6051 * the ee cert doesn't meet (the ee uses an ECDSA cert) 6052 */ 6053 if (!TEST_true(SSL_set1_sigalgs_list(clientssl, 6054 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256"))) 6055 goto end; 6056 } 6057 6058 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE); 6059 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret) 6060 || (tst > 0 6061 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) { 6062 goto end; 6063 } 6064 6065 testresult = 1; 6066 6067 end: 6068 SSL_free(serverssl); 6069 SSL_free(clientssl); 6070 SSL_CTX_free(sctx); 6071 SSL_CTX_free(cctx); 6072 SSL_CTX_free(snictx); 6073 6074 return testresult; 6075 } 6076 #endif 6077 6078 static int test_cert_cb(int tst) 6079 { 6080 int testresult = 1; 6081 6082 #ifndef OPENSSL_NO_TLS1_2 6083 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst); 6084 #endif 6085 #ifndef OPENSSL_NO_TLS1_3 6086 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst); 6087 #endif 6088 6089 return testresult; 6090 } 6091 6092 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey) 6093 { 6094 X509 *xcert, *peer; 6095 EVP_PKEY *privpkey; 6096 BIO *in = NULL; 6097 6098 /* Check that SSL_get_peer_certificate() returns something sensible */ 6099 peer = SSL_get_peer_certificate(ssl); 6100 if (!TEST_ptr(peer)) 6101 return 0; 6102 X509_free(peer); 6103 6104 in = BIO_new_file(cert, "r"); 6105 if (!TEST_ptr(in)) 6106 return 0; 6107 6108 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL); 6109 BIO_free(in); 6110 if (!TEST_ptr(xcert)) 6111 return 0; 6112 6113 in = BIO_new_file(privkey, "r"); 6114 if (!TEST_ptr(in)) { 6115 X509_free(xcert); 6116 return 0; 6117 } 6118 6119 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL); 6120 BIO_free(in); 6121 if (!TEST_ptr(privpkey)) { 6122 X509_free(xcert); 6123 return 0; 6124 } 6125 6126 *x509 = xcert; 6127 *pkey = privpkey; 6128 6129 return 1; 6130 } 6131 6132 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx) 6133 { 6134 return 1; 6135 } 6136 6137 static int test_client_cert_cb(int tst) 6138 { 6139 SSL_CTX *cctx = NULL, *sctx = NULL; 6140 SSL *clientssl = NULL, *serverssl = NULL; 6141 int testresult = 0; 6142 6143 #ifdef OPENSSL_NO_TLS1_2 6144 if (tst == 0) 6145 return 1; 6146 #endif 6147 #ifdef OPENSSL_NO_TLS1_3 6148 if (tst == 1) 6149 return 1; 6150 #endif 6151 6152 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), 6153 TLS_client_method(), 6154 TLS1_VERSION, 6155 tst == 0 ? TLS1_2_VERSION 6156 : TLS1_3_VERSION, 6157 &sctx, &cctx, cert, privkey))) 6158 goto end; 6159 6160 /* 6161 * Test that setting a client_cert_cb results in a client certificate being 6162 * sent. 6163 */ 6164 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb); 6165 SSL_CTX_set_verify(sctx, 6166 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 6167 verify_cb); 6168 6169 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 6170 NULL, NULL)) 6171 || !TEST_true(create_ssl_connection(serverssl, clientssl, 6172 SSL_ERROR_NONE))) 6173 goto end; 6174 6175 testresult = 1; 6176 6177 end: 6178 SSL_free(serverssl); 6179 SSL_free(clientssl); 6180 SSL_CTX_free(sctx); 6181 SSL_CTX_free(cctx); 6182 6183 return testresult; 6184 } 6185 6186 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3) 6187 /* 6188 * Test setting certificate authorities on both client and server. 6189 * 6190 * Test 0: SSL_CTX_set0_CA_list() only 6191 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list() 6192 * Test 2: Only SSL_CTX_set_client_CA_list() 6193 */ 6194 static int test_ca_names_int(int prot, int tst) 6195 { 6196 SSL_CTX *cctx = NULL, *sctx = NULL; 6197 SSL *clientssl = NULL, *serverssl = NULL; 6198 int testresult = 0; 6199 size_t i; 6200 X509_NAME *name[] = { NULL, NULL, NULL, NULL }; 6201 char *strnames[] = { "Jack", "Jill", "John", "Joanne" }; 6202 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL; 6203 const STACK_OF(X509_NAME) *sktmp = NULL; 6204 6205 for (i = 0; i < OSSL_NELEM(name); i++) { 6206 name[i] = X509_NAME_new(); 6207 if (!TEST_ptr(name[i]) 6208 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN", 6209 MBSTRING_ASC, 6210 (unsigned char *) 6211 strnames[i], 6212 -1, -1, 0))) 6213 goto end; 6214 } 6215 6216 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), 6217 TLS_client_method(), 6218 TLS1_VERSION, 6219 prot, 6220 &sctx, &cctx, cert, privkey))) 6221 goto end; 6222 6223 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL); 6224 6225 if (tst == 0 || tst == 1) { 6226 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null()) 6227 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0]))) 6228 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1]))) 6229 || !TEST_ptr(sk2 = sk_X509_NAME_new_null()) 6230 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0]))) 6231 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1])))) 6232 goto end; 6233 6234 SSL_CTX_set0_CA_list(sctx, sk1); 6235 SSL_CTX_set0_CA_list(cctx, sk2); 6236 sk1 = sk2 = NULL; 6237 } 6238 if (tst == 1 || tst == 2) { 6239 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null()) 6240 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2]))) 6241 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3]))) 6242 || !TEST_ptr(sk2 = sk_X509_NAME_new_null()) 6243 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2]))) 6244 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3])))) 6245 goto end; 6246 6247 SSL_CTX_set_client_CA_list(sctx, sk1); 6248 SSL_CTX_set_client_CA_list(cctx, sk2); 6249 sk1 = sk2 = NULL; 6250 } 6251 6252 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 6253 NULL, NULL)) 6254 || !TEST_true(create_ssl_connection(serverssl, clientssl, 6255 SSL_ERROR_NONE))) 6256 goto end; 6257 6258 /* 6259 * We only expect certificate authorities to have been sent to the server 6260 * if we are using TLSv1.3 and SSL_set0_CA_list() was used 6261 */ 6262 sktmp = SSL_get0_peer_CA_list(serverssl); 6263 if (prot == TLS1_3_VERSION 6264 && (tst == 0 || tst == 1)) { 6265 if (!TEST_ptr(sktmp) 6266 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2) 6267 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0), 6268 name[0]), 0) 6269 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1), 6270 name[1]), 0)) 6271 goto end; 6272 } else if (!TEST_ptr_null(sktmp)) { 6273 goto end; 6274 } 6275 6276 /* 6277 * In all tests we expect certificate authorities to have been sent to the 6278 * client. However, SSL_set_client_CA_list() should override 6279 * SSL_set0_CA_list() 6280 */ 6281 sktmp = SSL_get0_peer_CA_list(clientssl); 6282 if (!TEST_ptr(sktmp) 6283 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2) 6284 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0), 6285 name[tst == 0 ? 0 : 2]), 0) 6286 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1), 6287 name[tst == 0 ? 1 : 3]), 0)) 6288 goto end; 6289 6290 testresult = 1; 6291 6292 end: 6293 SSL_free(serverssl); 6294 SSL_free(clientssl); 6295 SSL_CTX_free(sctx); 6296 SSL_CTX_free(cctx); 6297 for (i = 0; i < OSSL_NELEM(name); i++) 6298 X509_NAME_free(name[i]); 6299 sk_X509_NAME_pop_free(sk1, X509_NAME_free); 6300 sk_X509_NAME_pop_free(sk2, X509_NAME_free); 6301 6302 return testresult; 6303 } 6304 #endif 6305 6306 static int test_ca_names(int tst) 6307 { 6308 int testresult = 1; 6309 6310 #ifndef OPENSSL_NO_TLS1_2 6311 testresult &= test_ca_names_int(TLS1_2_VERSION, tst); 6312 #endif 6313 #ifndef OPENSSL_NO_TLS1_3 6314 testresult &= test_ca_names_int(TLS1_3_VERSION, tst); 6315 #endif 6316 6317 return testresult; 6318 } 6319 6320 /* 6321 * Test 0: Client sets servername and server acknowledges it (TLSv1.2) 6322 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2) 6323 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2) 6324 * Test 3: Client does not set servername on initial handshake (TLSv1.2) 6325 * Test 4: Client does not set servername on resumption handshake (TLSv1.2) 6326 * Test 5: Client sets servername and server acknowledges it (TLSv1.3) 6327 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3) 6328 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3) 6329 * Test 8: Client does not set servername on initial handshake(TLSv1.3) 6330 * Test 9: Client does not set servername on resumption handshake (TLSv1.3) 6331 */ 6332 static int test_servername(int tst) 6333 { 6334 SSL_CTX *cctx = NULL, *sctx = NULL; 6335 SSL *clientssl = NULL, *serverssl = NULL; 6336 int testresult = 0; 6337 SSL_SESSION *sess = NULL; 6338 const char *sexpectedhost = NULL, *cexpectedhost = NULL; 6339 6340 #ifdef OPENSSL_NO_TLS1_2 6341 if (tst <= 4) 6342 return 1; 6343 #endif 6344 #ifdef OPENSSL_NO_TLS1_3 6345 if (tst >= 5) 6346 return 1; 6347 #endif 6348 6349 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), 6350 TLS_client_method(), 6351 TLS1_VERSION, 6352 (tst <= 4) ? TLS1_2_VERSION 6353 : TLS1_3_VERSION, 6354 &sctx, &cctx, cert, privkey)) 6355 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 6356 NULL, NULL))) 6357 goto end; 6358 6359 if (tst != 1 && tst != 6) { 6360 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, 6361 hostname_cb))) 6362 goto end; 6363 } 6364 6365 if (tst != 3 && tst != 8) { 6366 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))) 6367 goto end; 6368 sexpectedhost = cexpectedhost = "goodhost"; 6369 } 6370 6371 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 6372 goto end; 6373 6374 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name), 6375 cexpectedhost) 6376 || !TEST_str_eq(SSL_get_servername(serverssl, 6377 TLSEXT_NAMETYPE_host_name), 6378 sexpectedhost)) 6379 goto end; 6380 6381 /* Now repeat with a resumption handshake */ 6382 6383 if (!TEST_int_eq(SSL_shutdown(clientssl), 0) 6384 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL) 6385 || !TEST_true(SSL_SESSION_is_resumable(sess)) 6386 || !TEST_int_eq(SSL_shutdown(serverssl), 0)) 6387 goto end; 6388 6389 SSL_free(clientssl); 6390 SSL_free(serverssl); 6391 clientssl = serverssl = NULL; 6392 6393 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, 6394 NULL))) 6395 goto end; 6396 6397 if (!TEST_true(SSL_set_session(clientssl, sess))) 6398 goto end; 6399 6400 sexpectedhost = cexpectedhost = "goodhost"; 6401 if (tst == 2 || tst == 7) { 6402 /* Set an inconsistent hostname */ 6403 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost"))) 6404 goto end; 6405 /* 6406 * In TLSv1.2 we expect the hostname from the original handshake, in 6407 * TLSv1.3 we expect the hostname from this handshake 6408 */ 6409 if (tst == 7) 6410 sexpectedhost = cexpectedhost = "altgoodhost"; 6411 6412 if (!TEST_str_eq(SSL_get_servername(clientssl, 6413 TLSEXT_NAMETYPE_host_name), 6414 "altgoodhost")) 6415 goto end; 6416 } else if (tst == 4 || tst == 9) { 6417 /* 6418 * A TLSv1.3 session does not associate a session with a servername, 6419 * but a TLSv1.2 session does. 6420 */ 6421 if (tst == 9) 6422 sexpectedhost = cexpectedhost = NULL; 6423 6424 if (!TEST_str_eq(SSL_get_servername(clientssl, 6425 TLSEXT_NAMETYPE_host_name), 6426 cexpectedhost)) 6427 goto end; 6428 } else { 6429 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))) 6430 goto end; 6431 /* 6432 * In a TLSv1.2 resumption where the hostname was not acknowledged 6433 * we expect the hostname on the server to be empty. On the client we 6434 * return what was requested in this case. 6435 * 6436 * Similarly if the client didn't set a hostname on an original TLSv1.2 6437 * session but is now, the server hostname will be empty, but the client 6438 * is as we set it. 6439 */ 6440 if (tst == 1 || tst == 3) 6441 sexpectedhost = NULL; 6442 6443 if (!TEST_str_eq(SSL_get_servername(clientssl, 6444 TLSEXT_NAMETYPE_host_name), 6445 "goodhost")) 6446 goto end; 6447 } 6448 6449 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 6450 goto end; 6451 6452 if (!TEST_true(SSL_session_reused(clientssl)) 6453 || !TEST_true(SSL_session_reused(serverssl)) 6454 || !TEST_str_eq(SSL_get_servername(clientssl, 6455 TLSEXT_NAMETYPE_host_name), 6456 cexpectedhost) 6457 || !TEST_str_eq(SSL_get_servername(serverssl, 6458 TLSEXT_NAMETYPE_host_name), 6459 sexpectedhost)) 6460 goto end; 6461 6462 testresult = 1; 6463 6464 end: 6465 SSL_SESSION_free(sess); 6466 SSL_free(serverssl); 6467 SSL_free(clientssl); 6468 SSL_CTX_free(sctx); 6469 SSL_CTX_free(cctx); 6470 6471 return testresult; 6472 } 6473 6474 int setup_tests(void) 6475 { 6476 if (!TEST_ptr(certsdir = test_get_argument(0)) 6477 || !TEST_ptr(srpvfile = test_get_argument(1)) 6478 || !TEST_ptr(tmpfilename = test_get_argument(2))) 6479 return 0; 6480 6481 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) { 6482 #ifdef OPENSSL_NO_CRYPTO_MDEBUG 6483 TEST_error("not supported in this build"); 6484 return 0; 6485 #else 6486 int i, mcount, rcount, fcount; 6487 6488 for (i = 0; i < 4; i++) 6489 test_export_key_mat(i); 6490 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount); 6491 test_printf_stdout("malloc %d realloc %d free %d\n", 6492 mcount, rcount, fcount); 6493 return 1; 6494 #endif 6495 } 6496 6497 cert = test_mk_file_path(certsdir, "servercert.pem"); 6498 if (cert == NULL) 6499 return 0; 6500 6501 privkey = test_mk_file_path(certsdir, "serverkey.pem"); 6502 if (privkey == NULL) { 6503 OPENSSL_free(cert); 6504 return 0; 6505 } 6506 6507 ADD_TEST(test_large_message_tls); 6508 ADD_TEST(test_large_message_tls_read_ahead); 6509 #ifndef OPENSSL_NO_DTLS 6510 ADD_TEST(test_large_message_dtls); 6511 #endif 6512 #ifndef OPENSSL_NO_OCSP 6513 ADD_TEST(test_tlsext_status_type); 6514 #endif 6515 ADD_TEST(test_session_with_only_int_cache); 6516 ADD_TEST(test_session_with_only_ext_cache); 6517 ADD_TEST(test_session_with_both_cache); 6518 #ifndef OPENSSL_NO_TLS1_3 6519 ADD_ALL_TESTS(test_stateful_tickets, 3); 6520 ADD_ALL_TESTS(test_stateless_tickets, 3); 6521 ADD_TEST(test_psk_tickets); 6522 #endif 6523 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS); 6524 ADD_TEST(test_ssl_bio_pop_next_bio); 6525 ADD_TEST(test_ssl_bio_pop_ssl_bio); 6526 ADD_TEST(test_ssl_bio_change_rbio); 6527 ADD_TEST(test_ssl_bio_change_wbio); 6528 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3) 6529 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2); 6530 ADD_TEST(test_keylog); 6531 #endif 6532 #ifndef OPENSSL_NO_TLS1_3 6533 ADD_TEST(test_keylog_no_master_key); 6534 #endif 6535 #ifndef OPENSSL_NO_TLS1_2 6536 ADD_TEST(test_client_hello_cb); 6537 ADD_TEST(test_ccs_change_cipher); 6538 #endif 6539 #ifndef OPENSSL_NO_TLS1_3 6540 ADD_ALL_TESTS(test_early_data_read_write, 3); 6541 /* 6542 * We don't do replay tests for external PSK. Replay protection isn't used 6543 * in that scenario. 6544 */ 6545 ADD_ALL_TESTS(test_early_data_replay, 2); 6546 ADD_ALL_TESTS(test_early_data_skip, 3); 6547 ADD_ALL_TESTS(test_early_data_skip_hrr, 3); 6548 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3); 6549 ADD_ALL_TESTS(test_early_data_skip_abort, 3); 6550 ADD_ALL_TESTS(test_early_data_not_sent, 3); 6551 ADD_ALL_TESTS(test_early_data_psk, 8); 6552 ADD_ALL_TESTS(test_early_data_not_expected, 3); 6553 # ifndef OPENSSL_NO_TLS1_2 6554 ADD_ALL_TESTS(test_early_data_tls1_2, 3); 6555 # endif 6556 #endif 6557 #ifndef OPENSSL_NO_TLS1_3 6558 ADD_ALL_TESTS(test_set_ciphersuite, 10); 6559 ADD_TEST(test_ciphersuite_change); 6560 ADD_ALL_TESTS(test_tls13_ciphersuite, 4); 6561 #ifdef OPENSSL_NO_PSK 6562 ADD_ALL_TESTS(test_tls13_psk, 1); 6563 #else 6564 ADD_ALL_TESTS(test_tls13_psk, 4); 6565 #endif /* OPENSSL_NO_PSK */ 6566 ADD_ALL_TESTS(test_custom_exts, 5); 6567 ADD_TEST(test_stateless); 6568 ADD_TEST(test_pha_key_update); 6569 #else 6570 ADD_ALL_TESTS(test_custom_exts, 3); 6571 #endif 6572 ADD_ALL_TESTS(test_serverinfo, 8); 6573 ADD_ALL_TESTS(test_export_key_mat, 6); 6574 #ifndef OPENSSL_NO_TLS1_3 6575 ADD_ALL_TESTS(test_export_key_mat_early, 3); 6576 ADD_TEST(test_key_update); 6577 ADD_ALL_TESTS(test_key_update_in_write, 2); 6578 #endif 6579 ADD_ALL_TESTS(test_ssl_clear, 2); 6580 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test)); 6581 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2) 6582 ADD_ALL_TESTS(test_srp, 6); 6583 #endif 6584 ADD_ALL_TESTS(test_info_callback, 6); 6585 ADD_ALL_TESTS(test_ssl_pending, 2); 6586 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data)); 6587 ADD_ALL_TESTS(test_ticket_callbacks, 12); 6588 ADD_ALL_TESTS(test_shutdown, 7); 6589 ADD_ALL_TESTS(test_cert_cb, 6); 6590 ADD_ALL_TESTS(test_client_cert_cb, 2); 6591 ADD_ALL_TESTS(test_ca_names, 3); 6592 ADD_ALL_TESTS(test_servername, 10); 6593 return 1; 6594 } 6595 6596 void cleanup_tests(void) 6597 { 6598 OPENSSL_free(cert); 6599 OPENSSL_free(privkey); 6600 bio_s_mempacket_test_free(); 6601 bio_s_always_retry_free(); 6602 } 6603