2
0

sslapitest.c 224 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282228322842285228622872288228922902291229222932294229522962297229822992300230123022303230423052306230723082309231023112312231323142315231623172318231923202321232223232324232523262327232823292330233123322333233423352336233723382339234023412342234323442345234623472348234923502351235223532354235523562357235823592360236123622363236423652366236723682369237023712372237323742375237623772378237923802381238223832384238523862387238823892390239123922393239423952396239723982399240024012402240324042405240624072408240924102411241224132414241524162417241824192420242124222423242424252426242724282429243024312432243324342435243624372438243924402441244224432444244524462447244824492450245124522453245424552456245724582459246024612462246324642465246624672468246924702471247224732474247524762477247824792480248124822483248424852486248724882489249024912492249324942495249624972498249925002501250225032504250525062507250825092510251125122513251425152516251725182519252025212522252325242525252625272528252925302531253225332534253525362537253825392540254125422543254425452546254725482549255025512552255325542555255625572558255925602561256225632564256525662567256825692570257125722573257425752576257725782579258025812582258325842585258625872588258925902591259225932594259525962597259825992600260126022603260426052606260726082609261026112612261326142615261626172618261926202621262226232624262526262627262826292630263126322633263426352636263726382639264026412642264326442645264626472648264926502651265226532654265526562657265826592660266126622663266426652666266726682669267026712672267326742675267626772678267926802681268226832684268526862687268826892690269126922693269426952696269726982699270027012702270327042705270627072708270927102711271227132714271527162717271827192720272127222723272427252726272727282729273027312732273327342735273627372738273927402741274227432744274527462747274827492750275127522753275427552756275727582759276027612762276327642765276627672768276927702771277227732774277527762777277827792780278127822783278427852786278727882789279027912792279327942795279627972798279928002801280228032804280528062807280828092810281128122813281428152816281728182819282028212822282328242825282628272828282928302831283228332834283528362837283828392840284128422843284428452846284728482849285028512852285328542855285628572858285928602861286228632864286528662867286828692870287128722873287428752876287728782879288028812882288328842885288628872888288928902891289228932894289528962897289828992900290129022903290429052906290729082909291029112912291329142915291629172918291929202921292229232924292529262927292829292930293129322933293429352936293729382939294029412942294329442945294629472948294929502951295229532954295529562957295829592960296129622963296429652966296729682969297029712972297329742975297629772978297929802981298229832984298529862987298829892990299129922993299429952996299729982999300030013002300330043005300630073008300930103011301230133014301530163017301830193020302130223023302430253026302730283029303030313032303330343035303630373038303930403041304230433044304530463047304830493050305130523053305430553056305730583059306030613062306330643065306630673068306930703071307230733074307530763077307830793080308130823083308430853086308730883089309030913092309330943095309630973098309931003101310231033104310531063107310831093110311131123113311431153116311731183119312031213122312331243125312631273128312931303131313231333134313531363137313831393140314131423143314431453146314731483149315031513152315331543155315631573158315931603161316231633164316531663167316831693170317131723173317431753176317731783179318031813182318331843185318631873188318931903191319231933194319531963197319831993200320132023203320432053206320732083209321032113212321332143215321632173218321932203221322232233224322532263227322832293230323132323233323432353236323732383239324032413242324332443245324632473248324932503251325232533254325532563257325832593260326132623263326432653266326732683269327032713272327332743275327632773278327932803281328232833284328532863287328832893290329132923293329432953296329732983299330033013302330333043305330633073308330933103311331233133314331533163317331833193320332133223323332433253326332733283329333033313332333333343335333633373338333933403341334233433344334533463347334833493350335133523353335433553356335733583359336033613362336333643365336633673368336933703371337233733374337533763377337833793380338133823383338433853386338733883389339033913392339333943395339633973398339934003401340234033404340534063407340834093410341134123413341434153416341734183419342034213422342334243425342634273428342934303431343234333434343534363437343834393440344134423443344434453446344734483449345034513452345334543455345634573458345934603461346234633464346534663467346834693470347134723473347434753476347734783479348034813482348334843485348634873488348934903491349234933494349534963497349834993500350135023503350435053506350735083509351035113512351335143515351635173518351935203521352235233524352535263527352835293530353135323533353435353536353735383539354035413542354335443545354635473548354935503551355235533554355535563557355835593560356135623563356435653566356735683569357035713572357335743575357635773578357935803581358235833584358535863587358835893590359135923593359435953596359735983599360036013602360336043605360636073608360936103611361236133614361536163617361836193620362136223623362436253626362736283629363036313632363336343635363636373638363936403641364236433644364536463647364836493650365136523653365436553656365736583659366036613662366336643665366636673668366936703671367236733674367536763677367836793680368136823683368436853686368736883689369036913692369336943695369636973698369937003701370237033704370537063707370837093710371137123713371437153716371737183719372037213722372337243725372637273728372937303731373237333734373537363737373837393740374137423743374437453746374737483749375037513752375337543755375637573758375937603761376237633764376537663767376837693770377137723773377437753776377737783779378037813782378337843785378637873788378937903791379237933794379537963797379837993800380138023803380438053806380738083809381038113812381338143815381638173818381938203821382238233824382538263827382838293830383138323833383438353836383738383839384038413842384338443845384638473848384938503851385238533854385538563857385838593860386138623863386438653866386738683869387038713872387338743875387638773878387938803881388238833884388538863887388838893890389138923893389438953896389738983899390039013902390339043905390639073908390939103911391239133914391539163917391839193920392139223923392439253926392739283929393039313932393339343935393639373938393939403941394239433944394539463947394839493950395139523953395439553956395739583959396039613962396339643965396639673968396939703971397239733974397539763977397839793980398139823983398439853986398739883989399039913992399339943995399639973998399940004001400240034004400540064007400840094010401140124013401440154016401740184019402040214022402340244025402640274028402940304031403240334034403540364037403840394040404140424043404440454046404740484049405040514052405340544055405640574058405940604061406240634064406540664067406840694070407140724073407440754076407740784079408040814082408340844085408640874088408940904091409240934094409540964097409840994100410141024103410441054106410741084109411041114112411341144115411641174118411941204121412241234124412541264127412841294130413141324133413441354136413741384139414041414142414341444145414641474148414941504151415241534154415541564157415841594160416141624163416441654166416741684169417041714172417341744175417641774178417941804181418241834184418541864187418841894190419141924193419441954196419741984199420042014202420342044205420642074208420942104211421242134214421542164217421842194220422142224223422442254226422742284229423042314232423342344235423642374238423942404241424242434244424542464247424842494250425142524253425442554256425742584259426042614262426342644265426642674268426942704271427242734274427542764277427842794280428142824283428442854286428742884289429042914292429342944295429642974298429943004301430243034304430543064307430843094310431143124313431443154316431743184319432043214322432343244325432643274328432943304331433243334334433543364337433843394340434143424343434443454346434743484349435043514352435343544355435643574358435943604361436243634364436543664367436843694370437143724373437443754376437743784379438043814382438343844385438643874388438943904391439243934394439543964397439843994400440144024403440444054406440744084409441044114412441344144415441644174418441944204421442244234424442544264427442844294430443144324433443444354436443744384439444044414442444344444445444644474448444944504451445244534454445544564457445844594460446144624463446444654466446744684469447044714472447344744475447644774478447944804481448244834484448544864487448844894490449144924493449444954496449744984499450045014502450345044505450645074508450945104511451245134514451545164517451845194520452145224523452445254526452745284529453045314532453345344535453645374538453945404541454245434544454545464547454845494550455145524553455445554556455745584559456045614562456345644565456645674568456945704571457245734574457545764577457845794580458145824583458445854586458745884589459045914592459345944595459645974598459946004601460246034604460546064607460846094610461146124613461446154616461746184619462046214622462346244625462646274628462946304631463246334634463546364637463846394640464146424643464446454646464746484649465046514652465346544655465646574658465946604661466246634664466546664667466846694670467146724673467446754676467746784679468046814682468346844685468646874688468946904691469246934694469546964697469846994700470147024703470447054706470747084709471047114712471347144715471647174718471947204721472247234724472547264727472847294730473147324733473447354736473747384739474047414742474347444745474647474748474947504751475247534754475547564757475847594760476147624763476447654766476747684769477047714772477347744775477647774778477947804781478247834784478547864787478847894790479147924793479447954796479747984799480048014802480348044805480648074808480948104811481248134814481548164817481848194820482148224823482448254826482748284829483048314832483348344835483648374838483948404841484248434844484548464847484848494850485148524853485448554856485748584859486048614862486348644865486648674868486948704871487248734874487548764877487848794880488148824883488448854886488748884889489048914892489348944895489648974898489949004901490249034904490549064907490849094910491149124913491449154916491749184919492049214922492349244925492649274928492949304931493249334934493549364937493849394940494149424943494449454946494749484949495049514952495349544955495649574958495949604961496249634964496549664967496849694970497149724973497449754976497749784979498049814982498349844985498649874988498949904991499249934994499549964997499849995000500150025003500450055006500750085009501050115012501350145015501650175018501950205021502250235024502550265027502850295030503150325033503450355036503750385039504050415042504350445045504650475048504950505051505250535054505550565057505850595060506150625063506450655066506750685069507050715072507350745075507650775078507950805081508250835084508550865087508850895090509150925093509450955096509750985099510051015102510351045105510651075108510951105111511251135114511551165117511851195120512151225123512451255126512751285129513051315132513351345135513651375138513951405141514251435144514551465147514851495150515151525153515451555156515751585159516051615162516351645165516651675168516951705171517251735174517551765177517851795180518151825183518451855186518751885189519051915192519351945195519651975198519952005201520252035204520552065207520852095210521152125213521452155216521752185219522052215222522352245225522652275228522952305231523252335234523552365237523852395240524152425243524452455246524752485249525052515252525352545255525652575258525952605261526252635264526552665267526852695270527152725273527452755276527752785279528052815282528352845285528652875288528952905291529252935294529552965297529852995300530153025303530453055306530753085309531053115312531353145315531653175318531953205321532253235324532553265327532853295330533153325333533453355336533753385339534053415342534353445345534653475348534953505351535253535354535553565357535853595360536153625363536453655366536753685369537053715372537353745375537653775378537953805381538253835384538553865387538853895390539153925393539453955396539753985399540054015402540354045405540654075408540954105411541254135414541554165417541854195420542154225423542454255426542754285429543054315432543354345435543654375438543954405441544254435444544554465447544854495450545154525453545454555456545754585459546054615462546354645465546654675468546954705471547254735474547554765477547854795480548154825483548454855486548754885489549054915492549354945495549654975498549955005501550255035504550555065507550855095510551155125513551455155516551755185519552055215522552355245525552655275528552955305531553255335534553555365537553855395540554155425543554455455546554755485549555055515552555355545555555655575558555955605561556255635564556555665567556855695570557155725573557455755576557755785579558055815582558355845585558655875588558955905591559255935594559555965597559855995600560156025603560456055606560756085609561056115612561356145615561656175618561956205621562256235624562556265627562856295630563156325633563456355636563756385639564056415642564356445645564656475648564956505651565256535654565556565657565856595660566156625663566456655666566756685669567056715672567356745675567656775678567956805681568256835684568556865687568856895690569156925693569456955696569756985699570057015702570357045705570657075708570957105711571257135714571557165717571857195720572157225723572457255726572757285729573057315732573357345735573657375738573957405741574257435744574557465747574857495750575157525753575457555756575757585759576057615762576357645765576657675768576957705771577257735774577557765777577857795780578157825783578457855786578757885789579057915792579357945795579657975798579958005801580258035804580558065807580858095810581158125813581458155816581758185819582058215822582358245825582658275828582958305831583258335834583558365837583858395840584158425843584458455846584758485849585058515852585358545855585658575858585958605861586258635864586558665867586858695870587158725873587458755876587758785879588058815882588358845885588658875888588958905891589258935894589558965897589858995900590159025903590459055906590759085909591059115912591359145915591659175918591959205921592259235924592559265927592859295930593159325933593459355936593759385939594059415942594359445945594659475948594959505951595259535954595559565957595859595960596159625963596459655966596759685969597059715972597359745975597659775978597959805981598259835984598559865987598859895990599159925993599459955996599759985999600060016002600360046005600660076008600960106011601260136014601560166017601860196020602160226023602460256026602760286029603060316032603360346035603660376038603960406041604260436044604560466047604860496050605160526053605460556056605760586059606060616062606360646065606660676068606960706071607260736074607560766077607860796080608160826083608460856086608760886089609060916092609360946095609660976098609961006101610261036104610561066107610861096110611161126113611461156116611761186119612061216122612361246125612661276128612961306131613261336134613561366137613861396140614161426143614461456146614761486149615061516152615361546155615661576158615961606161616261636164616561666167616861696170617161726173617461756176617761786179618061816182618361846185618661876188618961906191619261936194619561966197619861996200620162026203620462056206620762086209621062116212621362146215621662176218621962206221622262236224622562266227622862296230623162326233623462356236623762386239624062416242624362446245624662476248624962506251625262536254625562566257625862596260626162626263626462656266626762686269627062716272627362746275627662776278627962806281628262836284628562866287628862896290629162926293629462956296629762986299630063016302630363046305630663076308630963106311631263136314631563166317631863196320632163226323632463256326632763286329633063316332633363346335633663376338633963406341634263436344634563466347634863496350635163526353635463556356635763586359636063616362636363646365636663676368636963706371637263736374637563766377637863796380638163826383638463856386638763886389639063916392639363946395639663976398639964006401640264036404640564066407640864096410641164126413641464156416641764186419642064216422642364246425642664276428642964306431643264336434643564366437643864396440644164426443644464456446644764486449645064516452645364546455645664576458645964606461646264636464646564666467646864696470647164726473647464756476647764786479648064816482648364846485648664876488648964906491649264936494649564966497649864996500650165026503650465056506650765086509651065116512651365146515651665176518651965206521652265236524652565266527652865296530653165326533653465356536653765386539654065416542654365446545654665476548654965506551655265536554655565566557655865596560656165626563656465656566656765686569657065716572657365746575657665776578657965806581658265836584658565866587658865896590659165926593659465956596659765986599660066016602660366046605660666076608660966106611661266136614661566166617661866196620662166226623662466256626662766286629663066316632663366346635663666376638663966406641664266436644664566466647664866496650665166526653665466556656665766586659666066616662666366646665666666676668666966706671667266736674667566766677667866796680668166826683668466856686668766886689669066916692669366946695669666976698669967006701670267036704670567066707670867096710671167126713671467156716671767186719672067216722672367246725672667276728672967306731673267336734
  1. /*
  2. * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <stdio.h>
  10. #include <string.h>
  11. #include <openssl/opensslconf.h>
  12. #include <openssl/bio.h>
  13. #include <openssl/crypto.h>
  14. #include <openssl/ssl.h>
  15. #include <openssl/ocsp.h>
  16. #include <openssl/srp.h>
  17. #include <openssl/txt_db.h>
  18. #include <openssl/aes.h>
  19. #include <openssl/rand.h>
  20. #include "ssltestlib.h"
  21. #include "testutil.h"
  22. #include "testutil/output.h"
  23. #include "internal/nelem.h"
  24. #include "internal/ktls.h"
  25. #include "../ssl/ssl_locl.h"
  26. #ifndef OPENSSL_NO_TLS1_3
  27. static SSL_SESSION *clientpsk = NULL;
  28. static SSL_SESSION *serverpsk = NULL;
  29. static const char *pskid = "Identity";
  30. static const char *srvid;
  31. static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
  32. size_t *idlen, SSL_SESSION **sess);
  33. static int find_session_cb(SSL *ssl, const unsigned char *identity,
  34. size_t identity_len, SSL_SESSION **sess);
  35. static int use_session_cb_cnt = 0;
  36. static int find_session_cb_cnt = 0;
  37. static SSL_SESSION *create_a_psk(SSL *ssl);
  38. #endif
  39. static char *cert = NULL;
  40. static char *privkey = NULL;
  41. static char *srpvfile = NULL;
  42. static char *tmpfilename = NULL;
  43. #define LOG_BUFFER_SIZE 2048
  44. static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
  45. static size_t server_log_buffer_index = 0;
  46. static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
  47. static size_t client_log_buffer_index = 0;
  48. static int error_writing_log = 0;
  49. #ifndef OPENSSL_NO_OCSP
  50. static const unsigned char orespder[] = "Dummy OCSP Response";
  51. static int ocsp_server_called = 0;
  52. static int ocsp_client_called = 0;
  53. static int cdummyarg = 1;
  54. static X509 *ocspcert = NULL;
  55. #endif
  56. #define NUM_EXTRA_CERTS 40
  57. #define CLIENT_VERSION_LEN 2
  58. /*
  59. * This structure is used to validate that the correct number of log messages
  60. * of various types are emitted when emitting secret logs.
  61. */
  62. struct sslapitest_log_counts {
  63. unsigned int rsa_key_exchange_count;
  64. unsigned int master_secret_count;
  65. unsigned int client_early_secret_count;
  66. unsigned int client_handshake_secret_count;
  67. unsigned int server_handshake_secret_count;
  68. unsigned int client_application_secret_count;
  69. unsigned int server_application_secret_count;
  70. unsigned int early_exporter_secret_count;
  71. unsigned int exporter_secret_count;
  72. };
  73. static unsigned char serverinfov1[] = {
  74. 0xff, 0xff, /* Dummy extension type */
  75. 0x00, 0x01, /* Extension length is 1 byte */
  76. 0xff /* Dummy extension data */
  77. };
  78. static unsigned char serverinfov2[] = {
  79. 0x00, 0x00, 0x00,
  80. (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
  81. 0xff, 0xff, /* Dummy extension type */
  82. 0x00, 0x01, /* Extension length is 1 byte */
  83. 0xff /* Dummy extension data */
  84. };
  85. static void client_keylog_callback(const SSL *ssl, const char *line)
  86. {
  87. int line_length = strlen(line);
  88. /* If the log doesn't fit, error out. */
  89. if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
  90. TEST_info("Client log too full");
  91. error_writing_log = 1;
  92. return;
  93. }
  94. strcat(client_log_buffer, line);
  95. client_log_buffer_index += line_length;
  96. client_log_buffer[client_log_buffer_index++] = '\n';
  97. }
  98. static void server_keylog_callback(const SSL *ssl, const char *line)
  99. {
  100. int line_length = strlen(line);
  101. /* If the log doesn't fit, error out. */
  102. if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
  103. TEST_info("Server log too full");
  104. error_writing_log = 1;
  105. return;
  106. }
  107. strcat(server_log_buffer, line);
  108. server_log_buffer_index += line_length;
  109. server_log_buffer[server_log_buffer_index++] = '\n';
  110. }
  111. static int compare_hex_encoded_buffer(const char *hex_encoded,
  112. size_t hex_length,
  113. const uint8_t *raw,
  114. size_t raw_length)
  115. {
  116. size_t i, j;
  117. char hexed[3];
  118. if (!TEST_size_t_eq(raw_length * 2, hex_length))
  119. return 1;
  120. for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
  121. sprintf(hexed, "%02x", raw[i]);
  122. if (!TEST_int_eq(hexed[0], hex_encoded[j])
  123. || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
  124. return 1;
  125. }
  126. return 0;
  127. }
  128. static int test_keylog_output(char *buffer, const SSL *ssl,
  129. const SSL_SESSION *session,
  130. struct sslapitest_log_counts *expected)
  131. {
  132. char *token = NULL;
  133. unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
  134. size_t client_random_size = SSL3_RANDOM_SIZE;
  135. unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
  136. size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
  137. unsigned int rsa_key_exchange_count = 0;
  138. unsigned int master_secret_count = 0;
  139. unsigned int client_early_secret_count = 0;
  140. unsigned int client_handshake_secret_count = 0;
  141. unsigned int server_handshake_secret_count = 0;
  142. unsigned int client_application_secret_count = 0;
  143. unsigned int server_application_secret_count = 0;
  144. unsigned int early_exporter_secret_count = 0;
  145. unsigned int exporter_secret_count = 0;
  146. for (token = strtok(buffer, " \n"); token != NULL;
  147. token = strtok(NULL, " \n")) {
  148. if (strcmp(token, "RSA") == 0) {
  149. /*
  150. * Premaster secret. Tokens should be: 16 ASCII bytes of
  151. * hex-encoded encrypted secret, then the hex-encoded pre-master
  152. * secret.
  153. */
  154. if (!TEST_ptr(token = strtok(NULL, " \n")))
  155. return 0;
  156. if (!TEST_size_t_eq(strlen(token), 16))
  157. return 0;
  158. if (!TEST_ptr(token = strtok(NULL, " \n")))
  159. return 0;
  160. /*
  161. * We can't sensibly check the log because the premaster secret is
  162. * transient, and OpenSSL doesn't keep hold of it once the master
  163. * secret is generated.
  164. */
  165. rsa_key_exchange_count++;
  166. } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
  167. /*
  168. * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
  169. * client random, then the hex-encoded master secret.
  170. */
  171. client_random_size = SSL_get_client_random(ssl,
  172. actual_client_random,
  173. SSL3_RANDOM_SIZE);
  174. if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
  175. return 0;
  176. if (!TEST_ptr(token = strtok(NULL, " \n")))
  177. return 0;
  178. if (!TEST_size_t_eq(strlen(token), 64))
  179. return 0;
  180. if (!TEST_false(compare_hex_encoded_buffer(token, 64,
  181. actual_client_random,
  182. client_random_size)))
  183. return 0;
  184. if (!TEST_ptr(token = strtok(NULL, " \n")))
  185. return 0;
  186. master_key_size = SSL_SESSION_get_master_key(session,
  187. actual_master_key,
  188. master_key_size);
  189. if (!TEST_size_t_ne(master_key_size, 0))
  190. return 0;
  191. if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
  192. actual_master_key,
  193. master_key_size)))
  194. return 0;
  195. master_secret_count++;
  196. } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
  197. || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
  198. || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
  199. || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
  200. || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
  201. || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
  202. || strcmp(token, "EXPORTER_SECRET") == 0) {
  203. /*
  204. * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
  205. * client random, and then the hex-encoded secret. In this case,
  206. * we treat all of these secrets identically and then just
  207. * distinguish between them when counting what we saw.
  208. */
  209. if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
  210. client_early_secret_count++;
  211. else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
  212. client_handshake_secret_count++;
  213. else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
  214. server_handshake_secret_count++;
  215. else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
  216. client_application_secret_count++;
  217. else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
  218. server_application_secret_count++;
  219. else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
  220. early_exporter_secret_count++;
  221. else if (strcmp(token, "EXPORTER_SECRET") == 0)
  222. exporter_secret_count++;
  223. client_random_size = SSL_get_client_random(ssl,
  224. actual_client_random,
  225. SSL3_RANDOM_SIZE);
  226. if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
  227. return 0;
  228. if (!TEST_ptr(token = strtok(NULL, " \n")))
  229. return 0;
  230. if (!TEST_size_t_eq(strlen(token), 64))
  231. return 0;
  232. if (!TEST_false(compare_hex_encoded_buffer(token, 64,
  233. actual_client_random,
  234. client_random_size)))
  235. return 0;
  236. if (!TEST_ptr(token = strtok(NULL, " \n")))
  237. return 0;
  238. /*
  239. * TODO(TLS1.3): test that application traffic secrets are what
  240. * we expect */
  241. } else {
  242. TEST_info("Unexpected token %s\n", token);
  243. return 0;
  244. }
  245. }
  246. /* Got what we expected? */
  247. if (!TEST_size_t_eq(rsa_key_exchange_count,
  248. expected->rsa_key_exchange_count)
  249. || !TEST_size_t_eq(master_secret_count,
  250. expected->master_secret_count)
  251. || !TEST_size_t_eq(client_early_secret_count,
  252. expected->client_early_secret_count)
  253. || !TEST_size_t_eq(client_handshake_secret_count,
  254. expected->client_handshake_secret_count)
  255. || !TEST_size_t_eq(server_handshake_secret_count,
  256. expected->server_handshake_secret_count)
  257. || !TEST_size_t_eq(client_application_secret_count,
  258. expected->client_application_secret_count)
  259. || !TEST_size_t_eq(server_application_secret_count,
  260. expected->server_application_secret_count)
  261. || !TEST_size_t_eq(early_exporter_secret_count,
  262. expected->early_exporter_secret_count)
  263. || !TEST_size_t_eq(exporter_secret_count,
  264. expected->exporter_secret_count))
  265. return 0;
  266. return 1;
  267. }
  268. #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
  269. static int test_keylog(void)
  270. {
  271. SSL_CTX *cctx = NULL, *sctx = NULL;
  272. SSL *clientssl = NULL, *serverssl = NULL;
  273. int testresult = 0;
  274. struct sslapitest_log_counts expected;
  275. /* Clean up logging space */
  276. memset(&expected, 0, sizeof(expected));
  277. memset(client_log_buffer, 0, sizeof(client_log_buffer));
  278. memset(server_log_buffer, 0, sizeof(server_log_buffer));
  279. client_log_buffer_index = 0;
  280. server_log_buffer_index = 0;
  281. error_writing_log = 0;
  282. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
  283. TLS_client_method(),
  284. TLS1_VERSION, 0,
  285. &sctx, &cctx, cert, privkey)))
  286. return 0;
  287. /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
  288. SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
  289. SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
  290. /* We also want to ensure that we use RSA-based key exchange. */
  291. if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
  292. goto end;
  293. if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
  294. || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
  295. goto end;
  296. SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
  297. if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
  298. == client_keylog_callback))
  299. goto end;
  300. SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
  301. if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
  302. == server_keylog_callback))
  303. goto end;
  304. /* Now do a handshake and check that the logs have been written to. */
  305. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
  306. &clientssl, NULL, NULL))
  307. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  308. SSL_ERROR_NONE))
  309. || !TEST_false(error_writing_log)
  310. || !TEST_int_gt(client_log_buffer_index, 0)
  311. || !TEST_int_gt(server_log_buffer_index, 0))
  312. goto end;
  313. /*
  314. * Now we want to test that our output data was vaguely sensible. We
  315. * do that by using strtok and confirming that we have more or less the
  316. * data we expect. For both client and server, we expect to see one master
  317. * secret. The client should also see a RSA key exchange.
  318. */
  319. expected.rsa_key_exchange_count = 1;
  320. expected.master_secret_count = 1;
  321. if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
  322. SSL_get_session(clientssl), &expected)))
  323. goto end;
  324. expected.rsa_key_exchange_count = 0;
  325. if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
  326. SSL_get_session(serverssl), &expected)))
  327. goto end;
  328. testresult = 1;
  329. end:
  330. SSL_free(serverssl);
  331. SSL_free(clientssl);
  332. SSL_CTX_free(sctx);
  333. SSL_CTX_free(cctx);
  334. return testresult;
  335. }
  336. #endif
  337. #ifndef OPENSSL_NO_TLS1_3
  338. static int test_keylog_no_master_key(void)
  339. {
  340. SSL_CTX *cctx = NULL, *sctx = NULL;
  341. SSL *clientssl = NULL, *serverssl = NULL;
  342. SSL_SESSION *sess = NULL;
  343. int testresult = 0;
  344. struct sslapitest_log_counts expected;
  345. unsigned char buf[1];
  346. size_t readbytes, written;
  347. /* Clean up logging space */
  348. memset(&expected, 0, sizeof(expected));
  349. memset(client_log_buffer, 0, sizeof(client_log_buffer));
  350. memset(server_log_buffer, 0, sizeof(server_log_buffer));
  351. client_log_buffer_index = 0;
  352. server_log_buffer_index = 0;
  353. error_writing_log = 0;
  354. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
  355. TLS1_VERSION, 0,
  356. &sctx, &cctx, cert, privkey))
  357. || !TEST_true(SSL_CTX_set_max_early_data(sctx,
  358. SSL3_RT_MAX_PLAIN_LENGTH)))
  359. return 0;
  360. if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
  361. || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
  362. goto end;
  363. SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
  364. if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
  365. == client_keylog_callback))
  366. goto end;
  367. SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
  368. if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
  369. == server_keylog_callback))
  370. goto end;
  371. /* Now do a handshake and check that the logs have been written to. */
  372. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
  373. &clientssl, NULL, NULL))
  374. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  375. SSL_ERROR_NONE))
  376. || !TEST_false(error_writing_log))
  377. goto end;
  378. /*
  379. * Now we want to test that our output data was vaguely sensible. For this
  380. * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
  381. * TLSv1.3, but we do expect both client and server to emit keys.
  382. */
  383. expected.client_handshake_secret_count = 1;
  384. expected.server_handshake_secret_count = 1;
  385. expected.client_application_secret_count = 1;
  386. expected.server_application_secret_count = 1;
  387. expected.exporter_secret_count = 1;
  388. if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
  389. SSL_get_session(clientssl), &expected))
  390. || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
  391. SSL_get_session(serverssl),
  392. &expected)))
  393. goto end;
  394. /* Terminate old session and resume with early data. */
  395. sess = SSL_get1_session(clientssl);
  396. SSL_shutdown(clientssl);
  397. SSL_shutdown(serverssl);
  398. SSL_free(serverssl);
  399. SSL_free(clientssl);
  400. serverssl = clientssl = NULL;
  401. /* Reset key log */
  402. memset(client_log_buffer, 0, sizeof(client_log_buffer));
  403. memset(server_log_buffer, 0, sizeof(server_log_buffer));
  404. client_log_buffer_index = 0;
  405. server_log_buffer_index = 0;
  406. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
  407. &clientssl, NULL, NULL))
  408. || !TEST_true(SSL_set_session(clientssl, sess))
  409. /* Here writing 0 length early data is enough. */
  410. || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
  411. || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
  412. &readbytes),
  413. SSL_READ_EARLY_DATA_ERROR)
  414. || !TEST_int_eq(SSL_get_early_data_status(serverssl),
  415. SSL_EARLY_DATA_ACCEPTED)
  416. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  417. SSL_ERROR_NONE))
  418. || !TEST_true(SSL_session_reused(clientssl)))
  419. goto end;
  420. /* In addition to the previous entries, expect early secrets. */
  421. expected.client_early_secret_count = 1;
  422. expected.early_exporter_secret_count = 1;
  423. if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
  424. SSL_get_session(clientssl), &expected))
  425. || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
  426. SSL_get_session(serverssl),
  427. &expected)))
  428. goto end;
  429. testresult = 1;
  430. end:
  431. SSL_SESSION_free(sess);
  432. SSL_free(serverssl);
  433. SSL_free(clientssl);
  434. SSL_CTX_free(sctx);
  435. SSL_CTX_free(cctx);
  436. return testresult;
  437. }
  438. #endif
  439. #ifndef OPENSSL_NO_TLS1_2
  440. static int full_client_hello_callback(SSL *s, int *al, void *arg)
  441. {
  442. int *ctr = arg;
  443. const unsigned char *p;
  444. int *exts;
  445. /* We only configure two ciphers, but the SCSV is added automatically. */
  446. #ifdef OPENSSL_NO_EC
  447. const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
  448. #else
  449. const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
  450. 0x2c, 0x00, 0xff};
  451. #endif
  452. const int expected_extensions[] = {
  453. #ifndef OPENSSL_NO_EC
  454. 11, 10,
  455. #endif
  456. 35, 22, 23, 13};
  457. size_t len;
  458. /* Make sure we can defer processing and get called back. */
  459. if ((*ctr)++ == 0)
  460. return SSL_CLIENT_HELLO_RETRY;
  461. len = SSL_client_hello_get0_ciphers(s, &p);
  462. if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
  463. || !TEST_size_t_eq(
  464. SSL_client_hello_get0_compression_methods(s, &p), 1)
  465. || !TEST_int_eq(*p, 0))
  466. return SSL_CLIENT_HELLO_ERROR;
  467. if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
  468. return SSL_CLIENT_HELLO_ERROR;
  469. if (len != OSSL_NELEM(expected_extensions) ||
  470. memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
  471. printf("ClientHello callback expected extensions mismatch\n");
  472. OPENSSL_free(exts);
  473. return SSL_CLIENT_HELLO_ERROR;
  474. }
  475. OPENSSL_free(exts);
  476. return SSL_CLIENT_HELLO_SUCCESS;
  477. }
  478. static int test_client_hello_cb(void)
  479. {
  480. SSL_CTX *cctx = NULL, *sctx = NULL;
  481. SSL *clientssl = NULL, *serverssl = NULL;
  482. int testctr = 0, testresult = 0;
  483. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
  484. TLS1_VERSION, 0,
  485. &sctx, &cctx, cert, privkey)))
  486. goto end;
  487. SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
  488. /* The gimpy cipher list we configure can't do TLS 1.3. */
  489. SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
  490. if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
  491. "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
  492. || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
  493. &clientssl, NULL, NULL))
  494. || !TEST_false(create_ssl_connection(serverssl, clientssl,
  495. SSL_ERROR_WANT_CLIENT_HELLO_CB))
  496. /*
  497. * Passing a -1 literal is a hack since
  498. * the real value was lost.
  499. * */
  500. || !TEST_int_eq(SSL_get_error(serverssl, -1),
  501. SSL_ERROR_WANT_CLIENT_HELLO_CB)
  502. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  503. SSL_ERROR_NONE)))
  504. goto end;
  505. testresult = 1;
  506. end:
  507. SSL_free(serverssl);
  508. SSL_free(clientssl);
  509. SSL_CTX_free(sctx);
  510. SSL_CTX_free(cctx);
  511. return testresult;
  512. }
  513. static int test_no_ems(void)
  514. {
  515. SSL_CTX *cctx = NULL, *sctx = NULL;
  516. SSL *clientssl = NULL, *serverssl = NULL;
  517. int testresult = 0;
  518. if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
  519. TLS1_VERSION, TLS1_2_VERSION,
  520. &sctx, &cctx, cert, privkey)) {
  521. printf("Unable to create SSL_CTX pair\n");
  522. goto end;
  523. }
  524. SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
  525. if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
  526. printf("Unable to create SSL objects\n");
  527. goto end;
  528. }
  529. if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
  530. printf("Creating SSL connection failed\n");
  531. goto end;
  532. }
  533. if (SSL_get_extms_support(serverssl)) {
  534. printf("Server reports Extended Master Secret support\n");
  535. goto end;
  536. }
  537. if (SSL_get_extms_support(clientssl)) {
  538. printf("Client reports Extended Master Secret support\n");
  539. goto end;
  540. }
  541. testresult = 1;
  542. end:
  543. SSL_free(serverssl);
  544. SSL_free(clientssl);
  545. SSL_CTX_free(sctx);
  546. SSL_CTX_free(cctx);
  547. return testresult;
  548. }
  549. #endif
  550. static int execute_test_large_message(const SSL_METHOD *smeth,
  551. const SSL_METHOD *cmeth,
  552. int min_version, int max_version,
  553. int read_ahead)
  554. {
  555. SSL_CTX *cctx = NULL, *sctx = NULL;
  556. SSL *clientssl = NULL, *serverssl = NULL;
  557. int testresult = 0;
  558. int i;
  559. BIO *certbio = NULL;
  560. X509 *chaincert = NULL;
  561. int certlen;
  562. if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
  563. goto end;
  564. chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
  565. BIO_free(certbio);
  566. certbio = NULL;
  567. if (!TEST_ptr(chaincert))
  568. goto end;
  569. if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
  570. &sctx, &cctx, cert, privkey)))
  571. goto end;
  572. if (read_ahead) {
  573. /*
  574. * Test that read_ahead works correctly when dealing with large
  575. * records
  576. */
  577. SSL_CTX_set_read_ahead(cctx, 1);
  578. }
  579. /*
  580. * We assume the supplied certificate is big enough so that if we add
  581. * NUM_EXTRA_CERTS it will make the overall message large enough. The
  582. * default buffer size is requested to be 16k, but due to the way BUF_MEM
  583. * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
  584. * test we need to have a message larger than that.
  585. */
  586. certlen = i2d_X509(chaincert, NULL);
  587. OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
  588. (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
  589. for (i = 0; i < NUM_EXTRA_CERTS; i++) {
  590. if (!X509_up_ref(chaincert))
  591. goto end;
  592. if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
  593. X509_free(chaincert);
  594. goto end;
  595. }
  596. }
  597. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  598. NULL, NULL))
  599. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  600. SSL_ERROR_NONE)))
  601. goto end;
  602. /*
  603. * Calling SSL_clear() first is not required but this tests that SSL_clear()
  604. * doesn't leak (when using enable-crypto-mdebug).
  605. */
  606. if (!TEST_true(SSL_clear(serverssl)))
  607. goto end;
  608. testresult = 1;
  609. end:
  610. X509_free(chaincert);
  611. SSL_free(serverssl);
  612. SSL_free(clientssl);
  613. SSL_CTX_free(sctx);
  614. SSL_CTX_free(cctx);
  615. return testresult;
  616. }
  617. #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
  618. && !defined(OPENSSL_NO_SOCK)
  619. /* sock must be connected */
  620. static int ktls_chk_platform(int sock)
  621. {
  622. if (!ktls_enable(sock))
  623. return 0;
  624. return 1;
  625. }
  626. static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd)
  627. {
  628. static char count = 1;
  629. unsigned char cbuf[16000] = {0};
  630. unsigned char sbuf[16000];
  631. size_t err = 0;
  632. char crec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
  633. char crec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
  634. char crec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
  635. char crec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
  636. char srec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
  637. char srec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
  638. char srec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
  639. char srec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
  640. cbuf[0] = count++;
  641. memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence,
  642. TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
  643. memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence,
  644. TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
  645. memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence,
  646. TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
  647. memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence,
  648. TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
  649. if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
  650. goto end;
  651. while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
  652. if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
  653. goto end;
  654. }
  655. }
  656. if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
  657. goto end;
  658. while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
  659. if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
  660. goto end;
  661. }
  662. }
  663. memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence,
  664. TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
  665. memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence,
  666. TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
  667. memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence,
  668. TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
  669. memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence,
  670. TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
  671. /* verify the payload */
  672. if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
  673. goto end;
  674. /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
  675. if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
  676. if (!TEST_mem_ne(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
  677. crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
  678. goto end;
  679. } else {
  680. if (!TEST_mem_eq(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
  681. crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
  682. goto end;
  683. }
  684. if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
  685. if (!TEST_mem_ne(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
  686. srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
  687. goto end;
  688. } else {
  689. if (!TEST_mem_eq(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
  690. srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
  691. goto end;
  692. }
  693. if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
  694. if (!TEST_mem_ne(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
  695. crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
  696. goto end;
  697. } else {
  698. if (!TEST_mem_eq(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
  699. crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
  700. goto end;
  701. }
  702. if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
  703. if (!TEST_mem_ne(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
  704. srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
  705. goto end;
  706. } else {
  707. if (!TEST_mem_eq(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
  708. srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
  709. goto end;
  710. }
  711. return 1;
  712. end:
  713. return 0;
  714. }
  715. static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
  716. int sis_ktls_tx, int sis_ktls_rx)
  717. {
  718. SSL_CTX *cctx = NULL, *sctx = NULL;
  719. SSL *clientssl = NULL, *serverssl = NULL;
  720. int testresult = 0;
  721. int cfd, sfd;
  722. if (!TEST_true(create_test_sockets(&cfd, &sfd)))
  723. goto end;
  724. /* Skip this test if the platform does not support ktls */
  725. if (!ktls_chk_platform(cfd))
  726. return 1;
  727. /* Create a session based on SHA-256 */
  728. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
  729. TLS_client_method(),
  730. TLS1_2_VERSION, TLS1_2_VERSION,
  731. &sctx, &cctx, cert, privkey))
  732. || !TEST_true(SSL_CTX_set_cipher_list(cctx,
  733. "AES128-GCM-SHA256"))
  734. || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
  735. &clientssl, sfd, cfd)))
  736. goto end;
  737. if (!cis_ktls_tx) {
  738. if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
  739. goto end;
  740. }
  741. if (!sis_ktls_tx) {
  742. if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
  743. goto end;
  744. }
  745. if (!cis_ktls_rx) {
  746. if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
  747. goto end;
  748. }
  749. if (!sis_ktls_rx) {
  750. if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
  751. goto end;
  752. }
  753. if (!TEST_true(create_ssl_connection(serverssl, clientssl,
  754. SSL_ERROR_NONE)))
  755. goto end;
  756. if (!cis_ktls_tx) {
  757. if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
  758. goto end;
  759. } else {
  760. if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
  761. goto end;
  762. }
  763. if (!sis_ktls_tx) {
  764. if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
  765. goto end;
  766. } else {
  767. if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
  768. goto end;
  769. }
  770. if (!cis_ktls_rx) {
  771. if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
  772. goto end;
  773. } else {
  774. if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
  775. goto end;
  776. }
  777. if (!sis_ktls_rx) {
  778. if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
  779. goto end;
  780. } else {
  781. if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
  782. goto end;
  783. }
  784. if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd)))
  785. goto end;
  786. testresult = 1;
  787. end:
  788. if (clientssl) {
  789. SSL_shutdown(clientssl);
  790. SSL_free(clientssl);
  791. }
  792. if (serverssl) {
  793. SSL_shutdown(serverssl);
  794. SSL_free(serverssl);
  795. }
  796. SSL_CTX_free(sctx);
  797. SSL_CTX_free(cctx);
  798. serverssl = clientssl = NULL;
  799. return testresult;
  800. }
  801. #define SENDFILE_SZ (16 * 4096)
  802. #define SENDFILE_CHUNK (4 * 4096)
  803. #define min(a,b) ((a) > (b) ? (b) : (a))
  804. static int test_ktls_sendfile(void)
  805. {
  806. SSL_CTX *cctx = NULL, *sctx = NULL;
  807. SSL *clientssl = NULL, *serverssl = NULL;
  808. unsigned char *buf, *buf_dst;
  809. BIO *out = NULL, *in = NULL;
  810. int cfd, sfd, ffd, err;
  811. ssize_t chunk_size = 0;
  812. off_t chunk_off = 0;
  813. int testresult = 0;
  814. FILE *ffdp;
  815. buf = OPENSSL_zalloc(SENDFILE_SZ);
  816. buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
  817. if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
  818. || !TEST_true(create_test_sockets(&cfd, &sfd)))
  819. goto end;
  820. /* Skip this test if the platform does not support ktls */
  821. if (!ktls_chk_platform(sfd)) {
  822. testresult = 1;
  823. goto end;
  824. }
  825. /* Create a session based on SHA-256 */
  826. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
  827. TLS_client_method(),
  828. TLS1_2_VERSION, TLS1_2_VERSION,
  829. &sctx, &cctx, cert, privkey))
  830. || !TEST_true(SSL_CTX_set_cipher_list(cctx,
  831. "AES128-GCM-SHA256"))
  832. || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
  833. &clientssl, sfd, cfd)))
  834. goto end;
  835. if (!TEST_true(create_ssl_connection(serverssl, clientssl,
  836. SSL_ERROR_NONE))
  837. || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
  838. goto end;
  839. RAND_bytes(buf, SENDFILE_SZ);
  840. out = BIO_new_file(tmpfilename, "wb");
  841. if (!TEST_ptr(out))
  842. goto end;
  843. if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
  844. goto end;
  845. BIO_free(out);
  846. out = NULL;
  847. in = BIO_new_file(tmpfilename, "rb");
  848. BIO_get_fp(in, &ffdp);
  849. ffd = fileno(ffdp);
  850. while (chunk_off < SENDFILE_SZ) {
  851. chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
  852. while ((err = SSL_sendfile(serverssl,
  853. ffd,
  854. chunk_off,
  855. chunk_size,
  856. 0)) != chunk_size) {
  857. if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
  858. goto end;
  859. }
  860. while ((err = SSL_read(clientssl,
  861. buf_dst + chunk_off,
  862. chunk_size)) != chunk_size) {
  863. if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
  864. goto end;
  865. }
  866. /* verify the payload */
  867. if (!TEST_mem_eq(buf_dst + chunk_off,
  868. chunk_size,
  869. buf + chunk_off,
  870. chunk_size))
  871. goto end;
  872. chunk_off += chunk_size;
  873. }
  874. testresult = 1;
  875. end:
  876. if (clientssl) {
  877. SSL_shutdown(clientssl);
  878. SSL_free(clientssl);
  879. }
  880. if (serverssl) {
  881. SSL_shutdown(serverssl);
  882. SSL_free(serverssl);
  883. }
  884. SSL_CTX_free(sctx);
  885. SSL_CTX_free(cctx);
  886. serverssl = clientssl = NULL;
  887. BIO_free(out);
  888. BIO_free(in);
  889. OPENSSL_free(buf);
  890. OPENSSL_free(buf_dst);
  891. return testresult;
  892. }
  893. static int test_ktls_no_txrx_client_no_txrx_server(void)
  894. {
  895. return execute_test_ktls(0, 0, 0, 0);
  896. }
  897. static int test_ktls_no_rx_client_no_txrx_server(void)
  898. {
  899. return execute_test_ktls(1, 0, 0, 0);
  900. }
  901. static int test_ktls_no_tx_client_no_txrx_server(void)
  902. {
  903. return execute_test_ktls(0, 1, 0, 0);
  904. }
  905. static int test_ktls_client_no_txrx_server(void)
  906. {
  907. return execute_test_ktls(1, 1, 0, 0);
  908. }
  909. static int test_ktls_no_txrx_client_no_rx_server(void)
  910. {
  911. return execute_test_ktls(0, 0, 1, 0);
  912. }
  913. static int test_ktls_no_rx_client_no_rx_server(void)
  914. {
  915. return execute_test_ktls(1, 0, 1, 0);
  916. }
  917. static int test_ktls_no_tx_client_no_rx_server(void)
  918. {
  919. return execute_test_ktls(0, 1, 1, 0);
  920. }
  921. static int test_ktls_client_no_rx_server(void)
  922. {
  923. return execute_test_ktls(1, 1, 1, 0);
  924. }
  925. static int test_ktls_no_txrx_client_no_tx_server(void)
  926. {
  927. return execute_test_ktls(0, 0, 0, 1);
  928. }
  929. static int test_ktls_no_rx_client_no_tx_server(void)
  930. {
  931. return execute_test_ktls(1, 0, 0, 1);
  932. }
  933. static int test_ktls_no_tx_client_no_tx_server(void)
  934. {
  935. return execute_test_ktls(0, 1, 0, 1);
  936. }
  937. static int test_ktls_client_no_tx_server(void)
  938. {
  939. return execute_test_ktls(1, 1, 0, 1);
  940. }
  941. static int test_ktls_no_txrx_client_server(void)
  942. {
  943. return execute_test_ktls(0, 0, 1, 1);
  944. }
  945. static int test_ktls_no_rx_client_server(void)
  946. {
  947. return execute_test_ktls(1, 0, 1, 1);
  948. }
  949. static int test_ktls_no_tx_client_server(void)
  950. {
  951. return execute_test_ktls(0, 1, 1, 1);
  952. }
  953. static int test_ktls_client_server(void)
  954. {
  955. return execute_test_ktls(1, 1, 1, 1);
  956. }
  957. #endif
  958. static int test_large_message_tls(void)
  959. {
  960. return execute_test_large_message(TLS_server_method(), TLS_client_method(),
  961. TLS1_VERSION, 0, 0);
  962. }
  963. static int test_large_message_tls_read_ahead(void)
  964. {
  965. return execute_test_large_message(TLS_server_method(), TLS_client_method(),
  966. TLS1_VERSION, 0, 1);
  967. }
  968. #ifndef OPENSSL_NO_DTLS
  969. static int test_large_message_dtls(void)
  970. {
  971. /*
  972. * read_ahead is not relevant to DTLS because DTLS always acts as if
  973. * read_ahead is set.
  974. */
  975. return execute_test_large_message(DTLS_server_method(),
  976. DTLS_client_method(),
  977. DTLS1_VERSION, 0, 0);
  978. }
  979. #endif
  980. #ifndef OPENSSL_NO_OCSP
  981. static int ocsp_server_cb(SSL *s, void *arg)
  982. {
  983. int *argi = (int *)arg;
  984. unsigned char *copy = NULL;
  985. STACK_OF(OCSP_RESPID) *ids = NULL;
  986. OCSP_RESPID *id = NULL;
  987. if (*argi == 2) {
  988. /* In this test we are expecting exactly 1 OCSP_RESPID */
  989. SSL_get_tlsext_status_ids(s, &ids);
  990. if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
  991. return SSL_TLSEXT_ERR_ALERT_FATAL;
  992. id = sk_OCSP_RESPID_value(ids, 0);
  993. if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
  994. return SSL_TLSEXT_ERR_ALERT_FATAL;
  995. } else if (*argi != 1) {
  996. return SSL_TLSEXT_ERR_ALERT_FATAL;
  997. }
  998. if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
  999. return SSL_TLSEXT_ERR_ALERT_FATAL;
  1000. SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
  1001. ocsp_server_called = 1;
  1002. return SSL_TLSEXT_ERR_OK;
  1003. }
  1004. static int ocsp_client_cb(SSL *s, void *arg)
  1005. {
  1006. int *argi = (int *)arg;
  1007. const unsigned char *respderin;
  1008. size_t len;
  1009. if (*argi != 1 && *argi != 2)
  1010. return 0;
  1011. len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
  1012. if (!TEST_mem_eq(orespder, len, respderin, len))
  1013. return 0;
  1014. ocsp_client_called = 1;
  1015. return 1;
  1016. }
  1017. static int test_tlsext_status_type(void)
  1018. {
  1019. SSL_CTX *cctx = NULL, *sctx = NULL;
  1020. SSL *clientssl = NULL, *serverssl = NULL;
  1021. int testresult = 0;
  1022. STACK_OF(OCSP_RESPID) *ids = NULL;
  1023. OCSP_RESPID *id = NULL;
  1024. BIO *certbio = NULL;
  1025. if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
  1026. TLS1_VERSION, 0,
  1027. &sctx, &cctx, cert, privkey))
  1028. return 0;
  1029. if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
  1030. goto end;
  1031. /* First just do various checks getting and setting tlsext_status_type */
  1032. clientssl = SSL_new(cctx);
  1033. if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
  1034. || !TEST_true(SSL_set_tlsext_status_type(clientssl,
  1035. TLSEXT_STATUSTYPE_ocsp))
  1036. || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
  1037. TLSEXT_STATUSTYPE_ocsp))
  1038. goto end;
  1039. SSL_free(clientssl);
  1040. clientssl = NULL;
  1041. if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
  1042. || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
  1043. goto end;
  1044. clientssl = SSL_new(cctx);
  1045. if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
  1046. goto end;
  1047. SSL_free(clientssl);
  1048. clientssl = NULL;
  1049. /*
  1050. * Now actually do a handshake and check OCSP information is exchanged and
  1051. * the callbacks get called
  1052. */
  1053. SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
  1054. SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
  1055. SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
  1056. SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
  1057. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
  1058. &clientssl, NULL, NULL))
  1059. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  1060. SSL_ERROR_NONE))
  1061. || !TEST_true(ocsp_client_called)
  1062. || !TEST_true(ocsp_server_called))
  1063. goto end;
  1064. SSL_free(serverssl);
  1065. SSL_free(clientssl);
  1066. serverssl = NULL;
  1067. clientssl = NULL;
  1068. /* Try again but this time force the server side callback to fail */
  1069. ocsp_client_called = 0;
  1070. ocsp_server_called = 0;
  1071. cdummyarg = 0;
  1072. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
  1073. &clientssl, NULL, NULL))
  1074. /* This should fail because the callback will fail */
  1075. || !TEST_false(create_ssl_connection(serverssl, clientssl,
  1076. SSL_ERROR_NONE))
  1077. || !TEST_false(ocsp_client_called)
  1078. || !TEST_false(ocsp_server_called))
  1079. goto end;
  1080. SSL_free(serverssl);
  1081. SSL_free(clientssl);
  1082. serverssl = NULL;
  1083. clientssl = NULL;
  1084. /*
  1085. * This time we'll get the client to send an OCSP_RESPID that it will
  1086. * accept.
  1087. */
  1088. ocsp_client_called = 0;
  1089. ocsp_server_called = 0;
  1090. cdummyarg = 2;
  1091. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
  1092. &clientssl, NULL, NULL)))
  1093. goto end;
  1094. /*
  1095. * We'll just use any old cert for this test - it doesn't have to be an OCSP
  1096. * specific one. We'll use the server cert.
  1097. */
  1098. if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
  1099. || !TEST_ptr(id = OCSP_RESPID_new())
  1100. || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
  1101. || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
  1102. NULL, NULL, NULL))
  1103. || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
  1104. || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
  1105. goto end;
  1106. id = NULL;
  1107. SSL_set_tlsext_status_ids(clientssl, ids);
  1108. /* Control has been transferred */
  1109. ids = NULL;
  1110. BIO_free(certbio);
  1111. certbio = NULL;
  1112. if (!TEST_true(create_ssl_connection(serverssl, clientssl,
  1113. SSL_ERROR_NONE))
  1114. || !TEST_true(ocsp_client_called)
  1115. || !TEST_true(ocsp_server_called))
  1116. goto end;
  1117. testresult = 1;
  1118. end:
  1119. SSL_free(serverssl);
  1120. SSL_free(clientssl);
  1121. SSL_CTX_free(sctx);
  1122. SSL_CTX_free(cctx);
  1123. sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
  1124. OCSP_RESPID_free(id);
  1125. BIO_free(certbio);
  1126. X509_free(ocspcert);
  1127. ocspcert = NULL;
  1128. return testresult;
  1129. }
  1130. #endif
  1131. #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
  1132. static int new_called, remove_called, get_called;
  1133. static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
  1134. {
  1135. new_called++;
  1136. /*
  1137. * sess has been up-refed for us, but we don't actually need it so free it
  1138. * immediately.
  1139. */
  1140. SSL_SESSION_free(sess);
  1141. return 1;
  1142. }
  1143. static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
  1144. {
  1145. remove_called++;
  1146. }
  1147. static SSL_SESSION *get_sess_val = NULL;
  1148. static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
  1149. int *copy)
  1150. {
  1151. get_called++;
  1152. *copy = 1;
  1153. return get_sess_val;
  1154. }
  1155. static int execute_test_session(int maxprot, int use_int_cache,
  1156. int use_ext_cache)
  1157. {
  1158. SSL_CTX *sctx = NULL, *cctx = NULL;
  1159. SSL *serverssl1 = NULL, *clientssl1 = NULL;
  1160. SSL *serverssl2 = NULL, *clientssl2 = NULL;
  1161. # ifndef OPENSSL_NO_TLS1_1
  1162. SSL *serverssl3 = NULL, *clientssl3 = NULL;
  1163. # endif
  1164. SSL_SESSION *sess1 = NULL, *sess2 = NULL;
  1165. int testresult = 0, numnewsesstick = 1;
  1166. new_called = remove_called = 0;
  1167. /* TLSv1.3 sends 2 NewSessionTickets */
  1168. if (maxprot == TLS1_3_VERSION)
  1169. numnewsesstick = 2;
  1170. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
  1171. TLS1_VERSION, 0,
  1172. &sctx, &cctx, cert, privkey)))
  1173. return 0;
  1174. /*
  1175. * Only allow the max protocol version so we can force a connection failure
  1176. * later
  1177. */
  1178. SSL_CTX_set_min_proto_version(cctx, maxprot);
  1179. SSL_CTX_set_max_proto_version(cctx, maxprot);
  1180. /* Set up session cache */
  1181. if (use_ext_cache) {
  1182. SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
  1183. SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
  1184. }
  1185. if (use_int_cache) {
  1186. /* Also covers instance where both are set */
  1187. SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
  1188. } else {
  1189. SSL_CTX_set_session_cache_mode(cctx,
  1190. SSL_SESS_CACHE_CLIENT
  1191. | SSL_SESS_CACHE_NO_INTERNAL_STORE);
  1192. }
  1193. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
  1194. NULL, NULL))
  1195. || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
  1196. SSL_ERROR_NONE))
  1197. || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
  1198. goto end;
  1199. /* Should fail because it should already be in the cache */
  1200. if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
  1201. goto end;
  1202. if (use_ext_cache
  1203. && (!TEST_int_eq(new_called, numnewsesstick)
  1204. || !TEST_int_eq(remove_called, 0)))
  1205. goto end;
  1206. new_called = remove_called = 0;
  1207. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
  1208. &clientssl2, NULL, NULL))
  1209. || !TEST_true(SSL_set_session(clientssl2, sess1))
  1210. || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
  1211. SSL_ERROR_NONE))
  1212. || !TEST_true(SSL_session_reused(clientssl2)))
  1213. goto end;
  1214. if (maxprot == TLS1_3_VERSION) {
  1215. /*
  1216. * In TLSv1.3 we should have created a new session even though we have
  1217. * resumed. Since we attempted a resume we should also have removed the
  1218. * old ticket from the cache so that we try to only use tickets once.
  1219. */
  1220. if (use_ext_cache
  1221. && (!TEST_int_eq(new_called, 1)
  1222. || !TEST_int_eq(remove_called, 1)))
  1223. goto end;
  1224. } else {
  1225. /*
  1226. * In TLSv1.2 we expect to have resumed so no sessions added or
  1227. * removed.
  1228. */
  1229. if (use_ext_cache
  1230. && (!TEST_int_eq(new_called, 0)
  1231. || !TEST_int_eq(remove_called, 0)))
  1232. goto end;
  1233. }
  1234. SSL_SESSION_free(sess1);
  1235. if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
  1236. goto end;
  1237. shutdown_ssl_connection(serverssl2, clientssl2);
  1238. serverssl2 = clientssl2 = NULL;
  1239. new_called = remove_called = 0;
  1240. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
  1241. &clientssl2, NULL, NULL))
  1242. || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
  1243. SSL_ERROR_NONE)))
  1244. goto end;
  1245. if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
  1246. goto end;
  1247. if (use_ext_cache
  1248. && (!TEST_int_eq(new_called, numnewsesstick)
  1249. || !TEST_int_eq(remove_called, 0)))
  1250. goto end;
  1251. new_called = remove_called = 0;
  1252. /*
  1253. * This should clear sess2 from the cache because it is a "bad" session.
  1254. * See SSL_set_session() documentation.
  1255. */
  1256. if (!TEST_true(SSL_set_session(clientssl2, sess1)))
  1257. goto end;
  1258. if (use_ext_cache
  1259. && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
  1260. goto end;
  1261. if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
  1262. goto end;
  1263. if (use_int_cache) {
  1264. /* Should succeeded because it should not already be in the cache */
  1265. if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
  1266. || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
  1267. goto end;
  1268. }
  1269. new_called = remove_called = 0;
  1270. /* This shouldn't be in the cache so should fail */
  1271. if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
  1272. goto end;
  1273. if (use_ext_cache
  1274. && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
  1275. goto end;
  1276. # if !defined(OPENSSL_NO_TLS1_1)
  1277. new_called = remove_called = 0;
  1278. /* Force a connection failure */
  1279. SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
  1280. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
  1281. &clientssl3, NULL, NULL))
  1282. || !TEST_true(SSL_set_session(clientssl3, sess1))
  1283. /* This should fail because of the mismatched protocol versions */
  1284. || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
  1285. SSL_ERROR_NONE)))
  1286. goto end;
  1287. /* We should have automatically removed the session from the cache */
  1288. if (use_ext_cache
  1289. && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
  1290. goto end;
  1291. /* Should succeed because it should not already be in the cache */
  1292. if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
  1293. goto end;
  1294. # endif
  1295. /* Now do some tests for server side caching */
  1296. if (use_ext_cache) {
  1297. SSL_CTX_sess_set_new_cb(cctx, NULL);
  1298. SSL_CTX_sess_set_remove_cb(cctx, NULL);
  1299. SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
  1300. SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
  1301. SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
  1302. get_sess_val = NULL;
  1303. }
  1304. SSL_CTX_set_session_cache_mode(cctx, 0);
  1305. /* Internal caching is the default on the server side */
  1306. if (!use_int_cache)
  1307. SSL_CTX_set_session_cache_mode(sctx,
  1308. SSL_SESS_CACHE_SERVER
  1309. | SSL_SESS_CACHE_NO_INTERNAL_STORE);
  1310. SSL_free(serverssl1);
  1311. SSL_free(clientssl1);
  1312. serverssl1 = clientssl1 = NULL;
  1313. SSL_free(serverssl2);
  1314. SSL_free(clientssl2);
  1315. serverssl2 = clientssl2 = NULL;
  1316. SSL_SESSION_free(sess1);
  1317. sess1 = NULL;
  1318. SSL_SESSION_free(sess2);
  1319. sess2 = NULL;
  1320. SSL_CTX_set_max_proto_version(sctx, maxprot);
  1321. if (maxprot == TLS1_2_VERSION)
  1322. SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
  1323. new_called = remove_called = get_called = 0;
  1324. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
  1325. NULL, NULL))
  1326. || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
  1327. SSL_ERROR_NONE))
  1328. || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
  1329. || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
  1330. goto end;
  1331. if (use_int_cache) {
  1332. if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
  1333. /*
  1334. * In TLSv1.3 it should not have been added to the internal cache,
  1335. * except in the case where we also have an external cache (in that
  1336. * case it gets added to the cache in order to generate remove
  1337. * events after timeout).
  1338. */
  1339. if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
  1340. goto end;
  1341. } else {
  1342. /* Should fail because it should already be in the cache */
  1343. if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
  1344. goto end;
  1345. }
  1346. }
  1347. if (use_ext_cache) {
  1348. SSL_SESSION *tmp = sess2;
  1349. if (!TEST_int_eq(new_called, numnewsesstick)
  1350. || !TEST_int_eq(remove_called, 0)
  1351. || !TEST_int_eq(get_called, 0))
  1352. goto end;
  1353. /*
  1354. * Delete the session from the internal cache to force a lookup from
  1355. * the external cache. We take a copy first because
  1356. * SSL_CTX_remove_session() also marks the session as non-resumable.
  1357. */
  1358. if (use_int_cache && maxprot != TLS1_3_VERSION) {
  1359. if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
  1360. || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
  1361. goto end;
  1362. SSL_SESSION_free(sess2);
  1363. }
  1364. sess2 = tmp;
  1365. }
  1366. new_called = remove_called = get_called = 0;
  1367. get_sess_val = sess2;
  1368. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
  1369. &clientssl2, NULL, NULL))
  1370. || !TEST_true(SSL_set_session(clientssl2, sess1))
  1371. || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
  1372. SSL_ERROR_NONE))
  1373. || !TEST_true(SSL_session_reused(clientssl2)))
  1374. goto end;
  1375. if (use_ext_cache) {
  1376. if (!TEST_int_eq(remove_called, 0))
  1377. goto end;
  1378. if (maxprot == TLS1_3_VERSION) {
  1379. if (!TEST_int_eq(new_called, 1)
  1380. || !TEST_int_eq(get_called, 0))
  1381. goto end;
  1382. } else {
  1383. if (!TEST_int_eq(new_called, 0)
  1384. || !TEST_int_eq(get_called, 1))
  1385. goto end;
  1386. }
  1387. }
  1388. testresult = 1;
  1389. end:
  1390. SSL_free(serverssl1);
  1391. SSL_free(clientssl1);
  1392. SSL_free(serverssl2);
  1393. SSL_free(clientssl2);
  1394. # ifndef OPENSSL_NO_TLS1_1
  1395. SSL_free(serverssl3);
  1396. SSL_free(clientssl3);
  1397. # endif
  1398. SSL_SESSION_free(sess1);
  1399. SSL_SESSION_free(sess2);
  1400. SSL_CTX_free(sctx);
  1401. SSL_CTX_free(cctx);
  1402. return testresult;
  1403. }
  1404. #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
  1405. static int test_session_with_only_int_cache(void)
  1406. {
  1407. #ifndef OPENSSL_NO_TLS1_3
  1408. if (!execute_test_session(TLS1_3_VERSION, 1, 0))
  1409. return 0;
  1410. #endif
  1411. #ifndef OPENSSL_NO_TLS1_2
  1412. return execute_test_session(TLS1_2_VERSION, 1, 0);
  1413. #else
  1414. return 1;
  1415. #endif
  1416. }
  1417. static int test_session_with_only_ext_cache(void)
  1418. {
  1419. #ifndef OPENSSL_NO_TLS1_3
  1420. if (!execute_test_session(TLS1_3_VERSION, 0, 1))
  1421. return 0;
  1422. #endif
  1423. #ifndef OPENSSL_NO_TLS1_2
  1424. return execute_test_session(TLS1_2_VERSION, 0, 1);
  1425. #else
  1426. return 1;
  1427. #endif
  1428. }
  1429. static int test_session_with_both_cache(void)
  1430. {
  1431. #ifndef OPENSSL_NO_TLS1_3
  1432. if (!execute_test_session(TLS1_3_VERSION, 1, 1))
  1433. return 0;
  1434. #endif
  1435. #ifndef OPENSSL_NO_TLS1_2
  1436. return execute_test_session(TLS1_2_VERSION, 1, 1);
  1437. #else
  1438. return 1;
  1439. #endif
  1440. }
  1441. #ifndef OPENSSL_NO_TLS1_3
  1442. static SSL_SESSION *sesscache[6];
  1443. static int do_cache;
  1444. static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
  1445. {
  1446. if (do_cache) {
  1447. sesscache[new_called] = sess;
  1448. } else {
  1449. /* We don't need the reference to the session, so free it */
  1450. SSL_SESSION_free(sess);
  1451. }
  1452. new_called++;
  1453. return 1;
  1454. }
  1455. static int post_handshake_verify(SSL *sssl, SSL *cssl)
  1456. {
  1457. SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
  1458. if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
  1459. return 0;
  1460. /* Start handshake on the server and client */
  1461. if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
  1462. || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
  1463. || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
  1464. || !TEST_true(create_ssl_connection(sssl, cssl,
  1465. SSL_ERROR_NONE)))
  1466. return 0;
  1467. return 1;
  1468. }
  1469. static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
  1470. SSL_CTX **cctx)
  1471. {
  1472. int sess_id_ctx = 1;
  1473. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
  1474. TLS1_VERSION, 0, sctx,
  1475. cctx, cert, privkey))
  1476. || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
  1477. || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
  1478. (void *)&sess_id_ctx,
  1479. sizeof(sess_id_ctx))))
  1480. return 0;
  1481. if (stateful)
  1482. SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
  1483. SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
  1484. | SSL_SESS_CACHE_NO_INTERNAL_STORE);
  1485. SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
  1486. return 1;
  1487. }
  1488. static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
  1489. {
  1490. SSL *serverssl = NULL, *clientssl = NULL;
  1491. int i;
  1492. /* Test that we can resume with all the tickets we got given */
  1493. for (i = 0; i < idx * 2; i++) {
  1494. new_called = 0;
  1495. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
  1496. &clientssl, NULL, NULL))
  1497. || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
  1498. goto end;
  1499. SSL_set_post_handshake_auth(clientssl, 1);
  1500. if (!TEST_true(create_ssl_connection(serverssl, clientssl,
  1501. SSL_ERROR_NONE)))
  1502. goto end;
  1503. /*
  1504. * Following a successful resumption we only get 1 ticket. After a
  1505. * failed one we should get idx tickets.
  1506. */
  1507. if (succ) {
  1508. if (!TEST_true(SSL_session_reused(clientssl))
  1509. || !TEST_int_eq(new_called, 1))
  1510. goto end;
  1511. } else {
  1512. if (!TEST_false(SSL_session_reused(clientssl))
  1513. || !TEST_int_eq(new_called, idx))
  1514. goto end;
  1515. }
  1516. new_called = 0;
  1517. /* After a post-handshake authentication we should get 1 new ticket */
  1518. if (succ
  1519. && (!post_handshake_verify(serverssl, clientssl)
  1520. || !TEST_int_eq(new_called, 1)))
  1521. goto end;
  1522. SSL_shutdown(clientssl);
  1523. SSL_shutdown(serverssl);
  1524. SSL_free(serverssl);
  1525. SSL_free(clientssl);
  1526. serverssl = clientssl = NULL;
  1527. SSL_SESSION_free(sesscache[i]);
  1528. sesscache[i] = NULL;
  1529. }
  1530. return 1;
  1531. end:
  1532. SSL_free(clientssl);
  1533. SSL_free(serverssl);
  1534. return 0;
  1535. }
  1536. static int test_tickets(int stateful, int idx)
  1537. {
  1538. SSL_CTX *sctx = NULL, *cctx = NULL;
  1539. SSL *serverssl = NULL, *clientssl = NULL;
  1540. int testresult = 0;
  1541. size_t j;
  1542. /* idx is the test number, but also the number of tickets we want */
  1543. new_called = 0;
  1544. do_cache = 1;
  1545. if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
  1546. goto end;
  1547. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
  1548. &clientssl, NULL, NULL)))
  1549. goto end;
  1550. if (!TEST_true(create_ssl_connection(serverssl, clientssl,
  1551. SSL_ERROR_NONE))
  1552. /* Check we got the number of tickets we were expecting */
  1553. || !TEST_int_eq(idx, new_called))
  1554. goto end;
  1555. SSL_shutdown(clientssl);
  1556. SSL_shutdown(serverssl);
  1557. SSL_free(serverssl);
  1558. SSL_free(clientssl);
  1559. SSL_CTX_free(sctx);
  1560. SSL_CTX_free(cctx);
  1561. clientssl = serverssl = NULL;
  1562. sctx = cctx = NULL;
  1563. /*
  1564. * Now we try to resume with the tickets we previously created. The
  1565. * resumption attempt is expected to fail (because we're now using a new
  1566. * SSL_CTX). We should see idx number of tickets issued again.
  1567. */
  1568. /* Stop caching sessions - just count them */
  1569. do_cache = 0;
  1570. if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
  1571. goto end;
  1572. if (!check_resumption(idx, sctx, cctx, 0))
  1573. goto end;
  1574. /* Start again with caching sessions */
  1575. new_called = 0;
  1576. do_cache = 1;
  1577. SSL_CTX_free(sctx);
  1578. SSL_CTX_free(cctx);
  1579. sctx = cctx = NULL;
  1580. if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
  1581. goto end;
  1582. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
  1583. &clientssl, NULL, NULL)))
  1584. goto end;
  1585. SSL_set_post_handshake_auth(clientssl, 1);
  1586. if (!TEST_true(create_ssl_connection(serverssl, clientssl,
  1587. SSL_ERROR_NONE))
  1588. /* Check we got the number of tickets we were expecting */
  1589. || !TEST_int_eq(idx, new_called))
  1590. goto end;
  1591. /* After a post-handshake authentication we should get new tickets issued */
  1592. if (!post_handshake_verify(serverssl, clientssl)
  1593. || !TEST_int_eq(idx * 2, new_called))
  1594. goto end;
  1595. SSL_shutdown(clientssl);
  1596. SSL_shutdown(serverssl);
  1597. SSL_free(serverssl);
  1598. SSL_free(clientssl);
  1599. serverssl = clientssl = NULL;
  1600. /* Stop caching sessions - just count them */
  1601. do_cache = 0;
  1602. /*
  1603. * Check we can resume with all the tickets we created. This time around the
  1604. * resumptions should all be successful.
  1605. */
  1606. if (!check_resumption(idx, sctx, cctx, 1))
  1607. goto end;
  1608. testresult = 1;
  1609. end:
  1610. SSL_free(serverssl);
  1611. SSL_free(clientssl);
  1612. for (j = 0; j < OSSL_NELEM(sesscache); j++) {
  1613. SSL_SESSION_free(sesscache[j]);
  1614. sesscache[j] = NULL;
  1615. }
  1616. SSL_CTX_free(sctx);
  1617. SSL_CTX_free(cctx);
  1618. return testresult;
  1619. }
  1620. static int test_stateless_tickets(int idx)
  1621. {
  1622. return test_tickets(0, idx);
  1623. }
  1624. static int test_stateful_tickets(int idx)
  1625. {
  1626. return test_tickets(1, idx);
  1627. }
  1628. static int test_psk_tickets(void)
  1629. {
  1630. SSL_CTX *sctx = NULL, *cctx = NULL;
  1631. SSL *serverssl = NULL, *clientssl = NULL;
  1632. int testresult = 0;
  1633. int sess_id_ctx = 1;
  1634. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
  1635. TLS1_VERSION, 0, &sctx,
  1636. &cctx, NULL, NULL))
  1637. || !TEST_true(SSL_CTX_set_session_id_context(sctx,
  1638. (void *)&sess_id_ctx,
  1639. sizeof(sess_id_ctx))))
  1640. goto end;
  1641. SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
  1642. | SSL_SESS_CACHE_NO_INTERNAL_STORE);
  1643. SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
  1644. SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
  1645. SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
  1646. use_session_cb_cnt = 0;
  1647. find_session_cb_cnt = 0;
  1648. srvid = pskid;
  1649. new_called = 0;
  1650. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  1651. NULL, NULL)))
  1652. goto end;
  1653. clientpsk = serverpsk = create_a_psk(clientssl);
  1654. if (!TEST_ptr(clientpsk))
  1655. goto end;
  1656. SSL_SESSION_up_ref(clientpsk);
  1657. if (!TEST_true(create_ssl_connection(serverssl, clientssl,
  1658. SSL_ERROR_NONE))
  1659. || !TEST_int_eq(1, find_session_cb_cnt)
  1660. || !TEST_int_eq(1, use_session_cb_cnt)
  1661. /* We should always get 1 ticket when using external PSK */
  1662. || !TEST_int_eq(1, new_called))
  1663. goto end;
  1664. testresult = 1;
  1665. end:
  1666. SSL_free(serverssl);
  1667. SSL_free(clientssl);
  1668. SSL_CTX_free(sctx);
  1669. SSL_CTX_free(cctx);
  1670. SSL_SESSION_free(clientpsk);
  1671. SSL_SESSION_free(serverpsk);
  1672. clientpsk = serverpsk = NULL;
  1673. return testresult;
  1674. }
  1675. #endif
  1676. #define USE_NULL 0
  1677. #define USE_BIO_1 1
  1678. #define USE_BIO_2 2
  1679. #define USE_DEFAULT 3
  1680. #define CONNTYPE_CONNECTION_SUCCESS 0
  1681. #define CONNTYPE_CONNECTION_FAIL 1
  1682. #define CONNTYPE_NO_CONNECTION 2
  1683. #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
  1684. #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
  1685. #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
  1686. # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
  1687. #else
  1688. # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
  1689. #endif
  1690. #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
  1691. + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
  1692. + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
  1693. static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
  1694. {
  1695. switch (type) {
  1696. case USE_NULL:
  1697. *res = NULL;
  1698. break;
  1699. case USE_BIO_1:
  1700. *res = bio1;
  1701. break;
  1702. case USE_BIO_2:
  1703. *res = bio2;
  1704. break;
  1705. }
  1706. }
  1707. /*
  1708. * Tests calls to SSL_set_bio() under various conditions.
  1709. *
  1710. * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
  1711. * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
  1712. * then do more tests where we create a successful connection first using our
  1713. * standard connection setup functions, and then call SSL_set_bio() with
  1714. * various combinations of valid BIOs or NULL. We then repeat these tests
  1715. * following a failed connection. In this last case we are looking to check that
  1716. * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
  1717. */
  1718. static int test_ssl_set_bio(int idx)
  1719. {
  1720. SSL_CTX *sctx = NULL, *cctx = NULL;
  1721. BIO *bio1 = NULL;
  1722. BIO *bio2 = NULL;
  1723. BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
  1724. SSL *serverssl = NULL, *clientssl = NULL;
  1725. int initrbio, initwbio, newrbio, newwbio, conntype;
  1726. int testresult = 0;
  1727. if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
  1728. initrbio = idx % 3;
  1729. idx /= 3;
  1730. initwbio = idx % 3;
  1731. idx /= 3;
  1732. newrbio = idx % 3;
  1733. idx /= 3;
  1734. newwbio = idx % 3;
  1735. conntype = CONNTYPE_NO_CONNECTION;
  1736. } else {
  1737. idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
  1738. initrbio = initwbio = USE_DEFAULT;
  1739. newrbio = idx % 2;
  1740. idx /= 2;
  1741. newwbio = idx % 2;
  1742. idx /= 2;
  1743. conntype = idx % 2;
  1744. }
  1745. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
  1746. TLS1_VERSION, 0,
  1747. &sctx, &cctx, cert, privkey)))
  1748. goto end;
  1749. if (conntype == CONNTYPE_CONNECTION_FAIL) {
  1750. /*
  1751. * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
  1752. * because we reduced the number of tests in the definition of
  1753. * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
  1754. * mismatched protocol versions we will force a connection failure.
  1755. */
  1756. SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
  1757. SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
  1758. }
  1759. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  1760. NULL, NULL)))
  1761. goto end;
  1762. if (initrbio == USE_BIO_1
  1763. || initwbio == USE_BIO_1
  1764. || newrbio == USE_BIO_1
  1765. || newwbio == USE_BIO_1) {
  1766. if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
  1767. goto end;
  1768. }
  1769. if (initrbio == USE_BIO_2
  1770. || initwbio == USE_BIO_2
  1771. || newrbio == USE_BIO_2
  1772. || newwbio == USE_BIO_2) {
  1773. if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
  1774. goto end;
  1775. }
  1776. if (initrbio != USE_DEFAULT) {
  1777. setupbio(&irbio, bio1, bio2, initrbio);
  1778. setupbio(&iwbio, bio1, bio2, initwbio);
  1779. SSL_set_bio(clientssl, irbio, iwbio);
  1780. /*
  1781. * We want to maintain our own refs to these BIO, so do an up ref for
  1782. * each BIO that will have ownership transferred in the SSL_set_bio()
  1783. * call
  1784. */
  1785. if (irbio != NULL)
  1786. BIO_up_ref(irbio);
  1787. if (iwbio != NULL && iwbio != irbio)
  1788. BIO_up_ref(iwbio);
  1789. }
  1790. if (conntype != CONNTYPE_NO_CONNECTION
  1791. && !TEST_true(create_ssl_connection(serverssl, clientssl,
  1792. SSL_ERROR_NONE)
  1793. == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
  1794. goto end;
  1795. setupbio(&nrbio, bio1, bio2, newrbio);
  1796. setupbio(&nwbio, bio1, bio2, newwbio);
  1797. /*
  1798. * We will (maybe) transfer ownership again so do more up refs.
  1799. * SSL_set_bio() has some really complicated ownership rules where BIOs have
  1800. * already been set!
  1801. */
  1802. if (nrbio != NULL
  1803. && nrbio != irbio
  1804. && (nwbio != iwbio || nrbio != nwbio))
  1805. BIO_up_ref(nrbio);
  1806. if (nwbio != NULL
  1807. && nwbio != nrbio
  1808. && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
  1809. BIO_up_ref(nwbio);
  1810. SSL_set_bio(clientssl, nrbio, nwbio);
  1811. testresult = 1;
  1812. end:
  1813. BIO_free(bio1);
  1814. BIO_free(bio2);
  1815. /*
  1816. * This test is checking that the ref counting for SSL_set_bio is correct.
  1817. * If we get here and we did too many frees then we will fail in the above
  1818. * functions. If we haven't done enough then this will only be detected in
  1819. * a crypto-mdebug build
  1820. */
  1821. SSL_free(serverssl);
  1822. SSL_free(clientssl);
  1823. SSL_CTX_free(sctx);
  1824. SSL_CTX_free(cctx);
  1825. return testresult;
  1826. }
  1827. typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
  1828. static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
  1829. {
  1830. BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
  1831. SSL_CTX *ctx;
  1832. SSL *ssl = NULL;
  1833. int testresult = 0;
  1834. if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
  1835. || !TEST_ptr(ssl = SSL_new(ctx))
  1836. || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
  1837. || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
  1838. goto end;
  1839. BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
  1840. /*
  1841. * If anything goes wrong here then we could leak memory, so this will
  1842. * be caught in a crypto-mdebug build
  1843. */
  1844. BIO_push(sslbio, membio1);
  1845. /* Verify changing the rbio/wbio directly does not cause leaks */
  1846. if (change_bio != NO_BIO_CHANGE) {
  1847. if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
  1848. goto end;
  1849. if (change_bio == CHANGE_RBIO)
  1850. SSL_set0_rbio(ssl, membio2);
  1851. else
  1852. SSL_set0_wbio(ssl, membio2);
  1853. }
  1854. ssl = NULL;
  1855. if (pop_ssl)
  1856. BIO_pop(sslbio);
  1857. else
  1858. BIO_pop(membio1);
  1859. testresult = 1;
  1860. end:
  1861. BIO_free(membio1);
  1862. BIO_free(sslbio);
  1863. SSL_free(ssl);
  1864. SSL_CTX_free(ctx);
  1865. return testresult;
  1866. }
  1867. static int test_ssl_bio_pop_next_bio(void)
  1868. {
  1869. return execute_test_ssl_bio(0, NO_BIO_CHANGE);
  1870. }
  1871. static int test_ssl_bio_pop_ssl_bio(void)
  1872. {
  1873. return execute_test_ssl_bio(1, NO_BIO_CHANGE);
  1874. }
  1875. static int test_ssl_bio_change_rbio(void)
  1876. {
  1877. return execute_test_ssl_bio(0, CHANGE_RBIO);
  1878. }
  1879. static int test_ssl_bio_change_wbio(void)
  1880. {
  1881. return execute_test_ssl_bio(0, CHANGE_WBIO);
  1882. }
  1883. #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
  1884. typedef struct {
  1885. /* The list of sig algs */
  1886. const int *list;
  1887. /* The length of the list */
  1888. size_t listlen;
  1889. /* A sigalgs list in string format */
  1890. const char *liststr;
  1891. /* Whether setting the list should succeed */
  1892. int valid;
  1893. /* Whether creating a connection with the list should succeed */
  1894. int connsuccess;
  1895. } sigalgs_list;
  1896. static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
  1897. # ifndef OPENSSL_NO_EC
  1898. static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
  1899. static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
  1900. # endif
  1901. static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
  1902. static const int invalidlist2[] = {NID_sha256, NID_undef};
  1903. static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
  1904. static const int invalidlist4[] = {NID_sha256};
  1905. static const sigalgs_list testsigalgs[] = {
  1906. {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
  1907. # ifndef OPENSSL_NO_EC
  1908. {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
  1909. {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
  1910. # endif
  1911. {NULL, 0, "RSA+SHA256", 1, 1},
  1912. # ifndef OPENSSL_NO_EC
  1913. {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
  1914. {NULL, 0, "ECDSA+SHA512", 1, 0},
  1915. # endif
  1916. {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
  1917. {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
  1918. {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
  1919. {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
  1920. {NULL, 0, "RSA", 0, 0},
  1921. {NULL, 0, "SHA256", 0, 0},
  1922. {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
  1923. {NULL, 0, "Invalid", 0, 0}
  1924. };
  1925. static int test_set_sigalgs(int idx)
  1926. {
  1927. SSL_CTX *cctx = NULL, *sctx = NULL;
  1928. SSL *clientssl = NULL, *serverssl = NULL;
  1929. int testresult = 0;
  1930. const sigalgs_list *curr;
  1931. int testctx;
  1932. /* Should never happen */
  1933. if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
  1934. return 0;
  1935. testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
  1936. curr = testctx ? &testsigalgs[idx]
  1937. : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
  1938. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
  1939. TLS1_VERSION, 0,
  1940. &sctx, &cctx, cert, privkey)))
  1941. return 0;
  1942. /*
  1943. * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
  1944. * for TLSv1.2 for now until we add a new API.
  1945. */
  1946. SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
  1947. if (testctx) {
  1948. int ret;
  1949. if (curr->list != NULL)
  1950. ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
  1951. else
  1952. ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
  1953. if (!ret) {
  1954. if (curr->valid)
  1955. TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
  1956. else
  1957. testresult = 1;
  1958. goto end;
  1959. }
  1960. if (!curr->valid) {
  1961. TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
  1962. goto end;
  1963. }
  1964. }
  1965. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
  1966. &clientssl, NULL, NULL)))
  1967. goto end;
  1968. if (!testctx) {
  1969. int ret;
  1970. if (curr->list != NULL)
  1971. ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
  1972. else
  1973. ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
  1974. if (!ret) {
  1975. if (curr->valid)
  1976. TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
  1977. else
  1978. testresult = 1;
  1979. goto end;
  1980. }
  1981. if (!curr->valid)
  1982. goto end;
  1983. }
  1984. if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
  1985. SSL_ERROR_NONE),
  1986. curr->connsuccess))
  1987. goto end;
  1988. testresult = 1;
  1989. end:
  1990. SSL_free(serverssl);
  1991. SSL_free(clientssl);
  1992. SSL_CTX_free(sctx);
  1993. SSL_CTX_free(cctx);
  1994. return testresult;
  1995. }
  1996. #endif
  1997. #ifndef OPENSSL_NO_TLS1_3
  1998. static int psk_client_cb_cnt = 0;
  1999. static int psk_server_cb_cnt = 0;
  2000. static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
  2001. size_t *idlen, SSL_SESSION **sess)
  2002. {
  2003. switch (++use_session_cb_cnt) {
  2004. case 1:
  2005. /* The first call should always have a NULL md */
  2006. if (md != NULL)
  2007. return 0;
  2008. break;
  2009. case 2:
  2010. /* The second call should always have an md */
  2011. if (md == NULL)
  2012. return 0;
  2013. break;
  2014. default:
  2015. /* We should only be called a maximum of twice */
  2016. return 0;
  2017. }
  2018. if (clientpsk != NULL)
  2019. SSL_SESSION_up_ref(clientpsk);
  2020. *sess = clientpsk;
  2021. *id = (const unsigned char *)pskid;
  2022. *idlen = strlen(pskid);
  2023. return 1;
  2024. }
  2025. #ifndef OPENSSL_NO_PSK
  2026. static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
  2027. unsigned int max_id_len,
  2028. unsigned char *psk,
  2029. unsigned int max_psk_len)
  2030. {
  2031. unsigned int psklen = 0;
  2032. psk_client_cb_cnt++;
  2033. if (strlen(pskid) + 1 > max_id_len)
  2034. return 0;
  2035. /* We should only ever be called a maximum of twice per connection */
  2036. if (psk_client_cb_cnt > 2)
  2037. return 0;
  2038. if (clientpsk == NULL)
  2039. return 0;
  2040. /* We'll reuse the PSK we set up for TLSv1.3 */
  2041. if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
  2042. return 0;
  2043. psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
  2044. strncpy(id, pskid, max_id_len);
  2045. return psklen;
  2046. }
  2047. #endif /* OPENSSL_NO_PSK */
  2048. static int find_session_cb(SSL *ssl, const unsigned char *identity,
  2049. size_t identity_len, SSL_SESSION **sess)
  2050. {
  2051. find_session_cb_cnt++;
  2052. /* We should only ever be called a maximum of twice per connection */
  2053. if (find_session_cb_cnt > 2)
  2054. return 0;
  2055. if (serverpsk == NULL)
  2056. return 0;
  2057. /* Identity should match that set by the client */
  2058. if (strlen(srvid) != identity_len
  2059. || strncmp(srvid, (const char *)identity, identity_len) != 0) {
  2060. /* No PSK found, continue but without a PSK */
  2061. *sess = NULL;
  2062. return 1;
  2063. }
  2064. SSL_SESSION_up_ref(serverpsk);
  2065. *sess = serverpsk;
  2066. return 1;
  2067. }
  2068. #ifndef OPENSSL_NO_PSK
  2069. static unsigned int psk_server_cb(SSL *ssl, const char *identity,
  2070. unsigned char *psk, unsigned int max_psk_len)
  2071. {
  2072. unsigned int psklen = 0;
  2073. psk_server_cb_cnt++;
  2074. /* We should only ever be called a maximum of twice per connection */
  2075. if (find_session_cb_cnt > 2)
  2076. return 0;
  2077. if (serverpsk == NULL)
  2078. return 0;
  2079. /* Identity should match that set by the client */
  2080. if (strcmp(srvid, identity) != 0) {
  2081. return 0;
  2082. }
  2083. /* We'll reuse the PSK we set up for TLSv1.3 */
  2084. if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
  2085. return 0;
  2086. psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
  2087. return psklen;
  2088. }
  2089. #endif /* OPENSSL_NO_PSK */
  2090. #define MSG1 "Hello"
  2091. #define MSG2 "World."
  2092. #define MSG3 "This"
  2093. #define MSG4 "is"
  2094. #define MSG5 "a"
  2095. #define MSG6 "test"
  2096. #define MSG7 "message."
  2097. #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
  2098. #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
  2099. static SSL_SESSION *create_a_psk(SSL *ssl)
  2100. {
  2101. const SSL_CIPHER *cipher = NULL;
  2102. const unsigned char key[] = {
  2103. 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
  2104. 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
  2105. 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
  2106. 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
  2107. 0x2c, 0x2d, 0x2e, 0x2f
  2108. };
  2109. SSL_SESSION *sess = NULL;
  2110. cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
  2111. sess = SSL_SESSION_new();
  2112. if (!TEST_ptr(sess)
  2113. || !TEST_ptr(cipher)
  2114. || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
  2115. sizeof(key)))
  2116. || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
  2117. || !TEST_true(
  2118. SSL_SESSION_set_protocol_version(sess,
  2119. TLS1_3_VERSION))) {
  2120. SSL_SESSION_free(sess);
  2121. return NULL;
  2122. }
  2123. return sess;
  2124. }
  2125. /*
  2126. * Helper method to setup objects for early data test. Caller frees objects on
  2127. * error.
  2128. */
  2129. static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
  2130. SSL **serverssl, SSL_SESSION **sess, int idx)
  2131. {
  2132. if (*sctx == NULL
  2133. && !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
  2134. TLS_client_method(),
  2135. TLS1_VERSION, 0,
  2136. sctx, cctx, cert, privkey)))
  2137. return 0;
  2138. if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
  2139. return 0;
  2140. if (idx == 1) {
  2141. /* When idx == 1 we repeat the tests with read_ahead set */
  2142. SSL_CTX_set_read_ahead(*cctx, 1);
  2143. SSL_CTX_set_read_ahead(*sctx, 1);
  2144. } else if (idx == 2) {
  2145. /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
  2146. SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
  2147. SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
  2148. use_session_cb_cnt = 0;
  2149. find_session_cb_cnt = 0;
  2150. srvid = pskid;
  2151. }
  2152. if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
  2153. NULL, NULL)))
  2154. return 0;
  2155. /*
  2156. * For one of the run throughs (doesn't matter which one), we'll try sending
  2157. * some SNI data in the initial ClientHello. This will be ignored (because
  2158. * there is no SNI cb set up by the server), so it should not impact
  2159. * early_data.
  2160. */
  2161. if (idx == 1
  2162. && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
  2163. return 0;
  2164. if (idx == 2) {
  2165. clientpsk = create_a_psk(*clientssl);
  2166. if (!TEST_ptr(clientpsk)
  2167. /*
  2168. * We just choose an arbitrary value for max_early_data which
  2169. * should be big enough for testing purposes.
  2170. */
  2171. || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
  2172. 0x100))
  2173. || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
  2174. SSL_SESSION_free(clientpsk);
  2175. clientpsk = NULL;
  2176. return 0;
  2177. }
  2178. serverpsk = clientpsk;
  2179. if (sess != NULL) {
  2180. if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
  2181. SSL_SESSION_free(clientpsk);
  2182. SSL_SESSION_free(serverpsk);
  2183. clientpsk = serverpsk = NULL;
  2184. return 0;
  2185. }
  2186. *sess = clientpsk;
  2187. }
  2188. return 1;
  2189. }
  2190. if (sess == NULL)
  2191. return 1;
  2192. if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
  2193. SSL_ERROR_NONE)))
  2194. return 0;
  2195. *sess = SSL_get1_session(*clientssl);
  2196. SSL_shutdown(*clientssl);
  2197. SSL_shutdown(*serverssl);
  2198. SSL_free(*serverssl);
  2199. SSL_free(*clientssl);
  2200. *serverssl = *clientssl = NULL;
  2201. if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
  2202. clientssl, NULL, NULL))
  2203. || !TEST_true(SSL_set_session(*clientssl, *sess)))
  2204. return 0;
  2205. return 1;
  2206. }
  2207. static int test_early_data_read_write(int idx)
  2208. {
  2209. SSL_CTX *cctx = NULL, *sctx = NULL;
  2210. SSL *clientssl = NULL, *serverssl = NULL;
  2211. int testresult = 0;
  2212. SSL_SESSION *sess = NULL;
  2213. unsigned char buf[20], data[1024];
  2214. size_t readbytes, written, eoedlen, rawread, rawwritten;
  2215. BIO *rbio;
  2216. if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
  2217. &serverssl, &sess, idx)))
  2218. goto end;
  2219. /* Write and read some early data */
  2220. if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
  2221. &written))
  2222. || !TEST_size_t_eq(written, strlen(MSG1))
  2223. || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
  2224. sizeof(buf), &readbytes),
  2225. SSL_READ_EARLY_DATA_SUCCESS)
  2226. || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
  2227. || !TEST_int_eq(SSL_get_early_data_status(serverssl),
  2228. SSL_EARLY_DATA_ACCEPTED))
  2229. goto end;
  2230. /*
  2231. * Server should be able to write data, and client should be able to
  2232. * read it.
  2233. */
  2234. if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
  2235. &written))
  2236. || !TEST_size_t_eq(written, strlen(MSG2))
  2237. || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
  2238. || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
  2239. goto end;
  2240. /* Even after reading normal data, client should be able write early data */
  2241. if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
  2242. &written))
  2243. || !TEST_size_t_eq(written, strlen(MSG3)))
  2244. goto end;
  2245. /* Server should still be able read early data after writing data */
  2246. if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
  2247. &readbytes),
  2248. SSL_READ_EARLY_DATA_SUCCESS)
  2249. || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
  2250. goto end;
  2251. /* Write more data from server and read it from client */
  2252. if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
  2253. &written))
  2254. || !TEST_size_t_eq(written, strlen(MSG4))
  2255. || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
  2256. || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
  2257. goto end;
  2258. /*
  2259. * If client writes normal data it should mean writing early data is no
  2260. * longer possible.
  2261. */
  2262. if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
  2263. || !TEST_size_t_eq(written, strlen(MSG5))
  2264. || !TEST_int_eq(SSL_get_early_data_status(clientssl),
  2265. SSL_EARLY_DATA_ACCEPTED))
  2266. goto end;
  2267. /*
  2268. * At this point the client has written EndOfEarlyData, ClientFinished and
  2269. * normal (fully protected) data. We are going to cause a delay between the
  2270. * arrival of EndOfEarlyData and ClientFinished. We read out all the data
  2271. * in the read BIO, and then just put back the EndOfEarlyData message.
  2272. */
  2273. rbio = SSL_get_rbio(serverssl);
  2274. if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
  2275. || !TEST_size_t_lt(rawread, sizeof(data))
  2276. || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
  2277. goto end;
  2278. /* Record length is in the 4th and 5th bytes of the record header */
  2279. eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
  2280. if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
  2281. || !TEST_size_t_eq(rawwritten, eoedlen))
  2282. goto end;
  2283. /* Server should be told that there is no more early data */
  2284. if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
  2285. &readbytes),
  2286. SSL_READ_EARLY_DATA_FINISH)
  2287. || !TEST_size_t_eq(readbytes, 0))
  2288. goto end;
  2289. /*
  2290. * Server has not finished init yet, so should still be able to write early
  2291. * data.
  2292. */
  2293. if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
  2294. &written))
  2295. || !TEST_size_t_eq(written, strlen(MSG6)))
  2296. goto end;
  2297. /* Push the ClientFinished and the normal data back into the server rbio */
  2298. if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
  2299. &rawwritten))
  2300. || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
  2301. goto end;
  2302. /* Server should be able to read normal data */
  2303. if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
  2304. || !TEST_size_t_eq(readbytes, strlen(MSG5)))
  2305. goto end;
  2306. /* Client and server should not be able to write/read early data now */
  2307. if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
  2308. &written)))
  2309. goto end;
  2310. ERR_clear_error();
  2311. if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
  2312. &readbytes),
  2313. SSL_READ_EARLY_DATA_ERROR))
  2314. goto end;
  2315. ERR_clear_error();
  2316. /* Client should be able to read the data sent by the server */
  2317. if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
  2318. || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
  2319. goto end;
  2320. /*
  2321. * Make sure we process the two NewSessionTickets. These arrive
  2322. * post-handshake. We attempt reads which we do not expect to return any
  2323. * data.
  2324. */
  2325. if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
  2326. || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
  2327. &readbytes)))
  2328. goto end;
  2329. /* Server should be able to write normal data */
  2330. if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
  2331. || !TEST_size_t_eq(written, strlen(MSG7))
  2332. || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
  2333. || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
  2334. goto end;
  2335. SSL_SESSION_free(sess);
  2336. sess = SSL_get1_session(clientssl);
  2337. use_session_cb_cnt = 0;
  2338. find_session_cb_cnt = 0;
  2339. SSL_shutdown(clientssl);
  2340. SSL_shutdown(serverssl);
  2341. SSL_free(serverssl);
  2342. SSL_free(clientssl);
  2343. serverssl = clientssl = NULL;
  2344. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
  2345. &clientssl, NULL, NULL))
  2346. || !TEST_true(SSL_set_session(clientssl, sess)))
  2347. goto end;
  2348. /* Write and read some early data */
  2349. if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
  2350. &written))
  2351. || !TEST_size_t_eq(written, strlen(MSG1))
  2352. || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
  2353. &readbytes),
  2354. SSL_READ_EARLY_DATA_SUCCESS)
  2355. || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
  2356. goto end;
  2357. if (!TEST_int_gt(SSL_connect(clientssl), 0)
  2358. || !TEST_int_gt(SSL_accept(serverssl), 0))
  2359. goto end;
  2360. /* Client and server should not be able to write/read early data now */
  2361. if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
  2362. &written)))
  2363. goto end;
  2364. ERR_clear_error();
  2365. if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
  2366. &readbytes),
  2367. SSL_READ_EARLY_DATA_ERROR))
  2368. goto end;
  2369. ERR_clear_error();
  2370. /* Client and server should be able to write/read normal data */
  2371. if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
  2372. || !TEST_size_t_eq(written, strlen(MSG5))
  2373. || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
  2374. || !TEST_size_t_eq(readbytes, strlen(MSG5)))
  2375. goto end;
  2376. testresult = 1;
  2377. end:
  2378. SSL_SESSION_free(sess);
  2379. SSL_SESSION_free(clientpsk);
  2380. SSL_SESSION_free(serverpsk);
  2381. clientpsk = serverpsk = NULL;
  2382. SSL_free(serverssl);
  2383. SSL_free(clientssl);
  2384. SSL_CTX_free(sctx);
  2385. SSL_CTX_free(cctx);
  2386. return testresult;
  2387. }
  2388. static int allow_ed_cb_called = 0;
  2389. static int allow_early_data_cb(SSL *s, void *arg)
  2390. {
  2391. int *usecb = (int *)arg;
  2392. allow_ed_cb_called++;
  2393. if (*usecb == 1)
  2394. return 0;
  2395. return 1;
  2396. }
  2397. /*
  2398. * idx == 0: Standard early_data setup
  2399. * idx == 1: early_data setup using read_ahead
  2400. * usecb == 0: Don't use a custom early data callback
  2401. * usecb == 1: Use a custom early data callback and reject the early data
  2402. * usecb == 2: Use a custom early data callback and accept the early data
  2403. * confopt == 0: Configure anti-replay directly
  2404. * confopt == 1: Configure anti-replay using SSL_CONF
  2405. */
  2406. static int test_early_data_replay_int(int idx, int usecb, int confopt)
  2407. {
  2408. SSL_CTX *cctx = NULL, *sctx = NULL;
  2409. SSL *clientssl = NULL, *serverssl = NULL;
  2410. int testresult = 0;
  2411. SSL_SESSION *sess = NULL;
  2412. size_t readbytes, written;
  2413. unsigned char buf[20];
  2414. allow_ed_cb_called = 0;
  2415. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
  2416. TLS1_VERSION, 0, &sctx,
  2417. &cctx, cert, privkey)))
  2418. return 0;
  2419. if (usecb > 0) {
  2420. if (confopt == 0) {
  2421. SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
  2422. } else {
  2423. SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
  2424. if (!TEST_ptr(confctx))
  2425. goto end;
  2426. SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
  2427. | SSL_CONF_FLAG_SERVER);
  2428. SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
  2429. if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
  2430. 2)) {
  2431. SSL_CONF_CTX_free(confctx);
  2432. goto end;
  2433. }
  2434. SSL_CONF_CTX_free(confctx);
  2435. }
  2436. SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
  2437. }
  2438. if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
  2439. &serverssl, &sess, idx)))
  2440. goto end;
  2441. /*
  2442. * The server is configured to accept early data. Create a connection to
  2443. * "use up" the ticket
  2444. */
  2445. if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
  2446. || !TEST_true(SSL_session_reused(clientssl)))
  2447. goto end;
  2448. SSL_shutdown(clientssl);
  2449. SSL_shutdown(serverssl);
  2450. SSL_free(serverssl);
  2451. SSL_free(clientssl);
  2452. serverssl = clientssl = NULL;
  2453. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
  2454. &clientssl, NULL, NULL))
  2455. || !TEST_true(SSL_set_session(clientssl, sess)))
  2456. goto end;
  2457. /* Write and read some early data */
  2458. if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
  2459. &written))
  2460. || !TEST_size_t_eq(written, strlen(MSG1)))
  2461. goto end;
  2462. if (usecb <= 1) {
  2463. if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
  2464. &readbytes),
  2465. SSL_READ_EARLY_DATA_FINISH)
  2466. /*
  2467. * The ticket was reused, so the we should have rejected the
  2468. * early data
  2469. */
  2470. || !TEST_int_eq(SSL_get_early_data_status(serverssl),
  2471. SSL_EARLY_DATA_REJECTED))
  2472. goto end;
  2473. } else {
  2474. /* In this case the callback decides to accept the early data */
  2475. if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
  2476. &readbytes),
  2477. SSL_READ_EARLY_DATA_SUCCESS)
  2478. || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
  2479. /*
  2480. * Server will have sent its flight so client can now send
  2481. * end of early data and complete its half of the handshake
  2482. */
  2483. || !TEST_int_gt(SSL_connect(clientssl), 0)
  2484. || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
  2485. &readbytes),
  2486. SSL_READ_EARLY_DATA_FINISH)
  2487. || !TEST_int_eq(SSL_get_early_data_status(serverssl),
  2488. SSL_EARLY_DATA_ACCEPTED))
  2489. goto end;
  2490. }
  2491. /* Complete the connection */
  2492. if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
  2493. || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
  2494. || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
  2495. goto end;
  2496. testresult = 1;
  2497. end:
  2498. SSL_SESSION_free(sess);
  2499. SSL_SESSION_free(clientpsk);
  2500. SSL_SESSION_free(serverpsk);
  2501. clientpsk = serverpsk = NULL;
  2502. SSL_free(serverssl);
  2503. SSL_free(clientssl);
  2504. SSL_CTX_free(sctx);
  2505. SSL_CTX_free(cctx);
  2506. return testresult;
  2507. }
  2508. static int test_early_data_replay(int idx)
  2509. {
  2510. int ret = 1, usecb, confopt;
  2511. for (usecb = 0; usecb < 3; usecb++) {
  2512. for (confopt = 0; confopt < 2; confopt++)
  2513. ret &= test_early_data_replay_int(idx, usecb, confopt);
  2514. }
  2515. return ret;
  2516. }
  2517. /*
  2518. * Helper function to test that a server attempting to read early data can
  2519. * handle a connection from a client where the early data should be skipped.
  2520. * testtype: 0 == No HRR
  2521. * testtype: 1 == HRR
  2522. * testtype: 2 == HRR, invalid early_data sent after HRR
  2523. * testtype: 3 == recv_max_early_data set to 0
  2524. */
  2525. static int early_data_skip_helper(int testtype, int idx)
  2526. {
  2527. SSL_CTX *cctx = NULL, *sctx = NULL;
  2528. SSL *clientssl = NULL, *serverssl = NULL;
  2529. int testresult = 0;
  2530. SSL_SESSION *sess = NULL;
  2531. unsigned char buf[20];
  2532. size_t readbytes, written;
  2533. if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
  2534. &serverssl, &sess, idx)))
  2535. goto end;
  2536. if (testtype == 1 || testtype == 2) {
  2537. /* Force an HRR to occur */
  2538. #if defined(OPENSSL_NO_EC)
  2539. if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
  2540. goto end;
  2541. #else
  2542. if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
  2543. goto end;
  2544. #endif
  2545. } else if (idx == 2) {
  2546. /*
  2547. * We force early_data rejection by ensuring the PSK identity is
  2548. * unrecognised
  2549. */
  2550. srvid = "Dummy Identity";
  2551. } else {
  2552. /*
  2553. * Deliberately corrupt the creation time. We take 20 seconds off the
  2554. * time. It could be any value as long as it is not within tolerance.
  2555. * This should mean the ticket is rejected.
  2556. */
  2557. if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
  2558. goto end;
  2559. }
  2560. if (testtype == 3
  2561. && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
  2562. goto end;
  2563. /* Write some early data */
  2564. if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
  2565. &written))
  2566. || !TEST_size_t_eq(written, strlen(MSG1)))
  2567. goto end;
  2568. /* Server should reject the early data */
  2569. if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
  2570. &readbytes),
  2571. SSL_READ_EARLY_DATA_FINISH)
  2572. || !TEST_size_t_eq(readbytes, 0)
  2573. || !TEST_int_eq(SSL_get_early_data_status(serverssl),
  2574. SSL_EARLY_DATA_REJECTED))
  2575. goto end;
  2576. switch (testtype) {
  2577. case 0:
  2578. /* Nothing to do */
  2579. break;
  2580. case 1:
  2581. /*
  2582. * Finish off the handshake. We perform the same writes and reads as
  2583. * further down but we expect them to fail due to the incomplete
  2584. * handshake.
  2585. */
  2586. if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
  2587. || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
  2588. &readbytes)))
  2589. goto end;
  2590. break;
  2591. case 2:
  2592. {
  2593. BIO *wbio = SSL_get_wbio(clientssl);
  2594. /* A record that will appear as bad early_data */
  2595. const unsigned char bad_early_data[] = {
  2596. 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
  2597. };
  2598. /*
  2599. * We force the client to attempt a write. This will fail because
  2600. * we're still in the handshake. It will cause the second
  2601. * ClientHello to be sent.
  2602. */
  2603. if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
  2604. &written)))
  2605. goto end;
  2606. /*
  2607. * Inject some early_data after the second ClientHello. This should
  2608. * cause the server to fail
  2609. */
  2610. if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
  2611. sizeof(bad_early_data), &written)))
  2612. goto end;
  2613. }
  2614. /* fallthrough */
  2615. case 3:
  2616. /*
  2617. * This client has sent more early_data than we are willing to skip
  2618. * (case 3) or sent invalid early_data (case 2) so the connection should
  2619. * abort.
  2620. */
  2621. if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
  2622. || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
  2623. goto end;
  2624. /* Connection has failed - nothing more to do */
  2625. testresult = 1;
  2626. goto end;
  2627. default:
  2628. TEST_error("Invalid test type");
  2629. goto end;
  2630. }
  2631. /*
  2632. * Should be able to send normal data despite rejection of early data. The
  2633. * early_data should be skipped.
  2634. */
  2635. if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
  2636. || !TEST_size_t_eq(written, strlen(MSG2))
  2637. || !TEST_int_eq(SSL_get_early_data_status(clientssl),
  2638. SSL_EARLY_DATA_REJECTED)
  2639. || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
  2640. || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
  2641. goto end;
  2642. testresult = 1;
  2643. end:
  2644. SSL_SESSION_free(clientpsk);
  2645. SSL_SESSION_free(serverpsk);
  2646. clientpsk = serverpsk = NULL;
  2647. SSL_SESSION_free(sess);
  2648. SSL_free(serverssl);
  2649. SSL_free(clientssl);
  2650. SSL_CTX_free(sctx);
  2651. SSL_CTX_free(cctx);
  2652. return testresult;
  2653. }
  2654. /*
  2655. * Test that a server attempting to read early data can handle a connection
  2656. * from a client where the early data is not acceptable.
  2657. */
  2658. static int test_early_data_skip(int idx)
  2659. {
  2660. return early_data_skip_helper(0, idx);
  2661. }
  2662. /*
  2663. * Test that a server attempting to read early data can handle a connection
  2664. * from a client where an HRR occurs.
  2665. */
  2666. static int test_early_data_skip_hrr(int idx)
  2667. {
  2668. return early_data_skip_helper(1, idx);
  2669. }
  2670. /*
  2671. * Test that a server attempting to read early data can handle a connection
  2672. * from a client where an HRR occurs and correctly fails if early_data is sent
  2673. * after the HRR
  2674. */
  2675. static int test_early_data_skip_hrr_fail(int idx)
  2676. {
  2677. return early_data_skip_helper(2, idx);
  2678. }
  2679. /*
  2680. * Test that a server attempting to read early data will abort if it tries to
  2681. * skip over too much.
  2682. */
  2683. static int test_early_data_skip_abort(int idx)
  2684. {
  2685. return early_data_skip_helper(3, idx);
  2686. }
  2687. /*
  2688. * Test that a server attempting to read early data can handle a connection
  2689. * from a client that doesn't send any.
  2690. */
  2691. static int test_early_data_not_sent(int idx)
  2692. {
  2693. SSL_CTX *cctx = NULL, *sctx = NULL;
  2694. SSL *clientssl = NULL, *serverssl = NULL;
  2695. int testresult = 0;
  2696. SSL_SESSION *sess = NULL;
  2697. unsigned char buf[20];
  2698. size_t readbytes, written;
  2699. if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
  2700. &serverssl, &sess, idx)))
  2701. goto end;
  2702. /* Write some data - should block due to handshake with server */
  2703. SSL_set_connect_state(clientssl);
  2704. if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
  2705. goto end;
  2706. /* Server should detect that early data has not been sent */
  2707. if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
  2708. &readbytes),
  2709. SSL_READ_EARLY_DATA_FINISH)
  2710. || !TEST_size_t_eq(readbytes, 0)
  2711. || !TEST_int_eq(SSL_get_early_data_status(serverssl),
  2712. SSL_EARLY_DATA_NOT_SENT)
  2713. || !TEST_int_eq(SSL_get_early_data_status(clientssl),
  2714. SSL_EARLY_DATA_NOT_SENT))
  2715. goto end;
  2716. /* Continue writing the message we started earlier */
  2717. if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
  2718. || !TEST_size_t_eq(written, strlen(MSG1))
  2719. || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
  2720. || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
  2721. || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
  2722. || !TEST_size_t_eq(written, strlen(MSG2)))
  2723. goto end;
  2724. if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
  2725. || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
  2726. goto end;
  2727. testresult = 1;
  2728. end:
  2729. SSL_SESSION_free(sess);
  2730. SSL_SESSION_free(clientpsk);
  2731. SSL_SESSION_free(serverpsk);
  2732. clientpsk = serverpsk = NULL;
  2733. SSL_free(serverssl);
  2734. SSL_free(clientssl);
  2735. SSL_CTX_free(sctx);
  2736. SSL_CTX_free(cctx);
  2737. return testresult;
  2738. }
  2739. static int hostname_cb(SSL *s, int *al, void *arg)
  2740. {
  2741. const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
  2742. if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
  2743. return SSL_TLSEXT_ERR_OK;
  2744. return SSL_TLSEXT_ERR_NOACK;
  2745. }
  2746. static const char *servalpn;
  2747. static int alpn_select_cb(SSL *ssl, const unsigned char **out,
  2748. unsigned char *outlen, const unsigned char *in,
  2749. unsigned int inlen, void *arg)
  2750. {
  2751. unsigned int protlen = 0;
  2752. const unsigned char *prot;
  2753. for (prot = in; prot < in + inlen; prot += protlen) {
  2754. protlen = *prot++;
  2755. if (in + inlen < prot + protlen)
  2756. return SSL_TLSEXT_ERR_NOACK;
  2757. if (protlen == strlen(servalpn)
  2758. && memcmp(prot, servalpn, protlen) == 0) {
  2759. *out = prot;
  2760. *outlen = protlen;
  2761. return SSL_TLSEXT_ERR_OK;
  2762. }
  2763. }
  2764. return SSL_TLSEXT_ERR_NOACK;
  2765. }
  2766. /* Test that a PSK can be used to send early_data */
  2767. static int test_early_data_psk(int idx)
  2768. {
  2769. SSL_CTX *cctx = NULL, *sctx = NULL;
  2770. SSL *clientssl = NULL, *serverssl = NULL;
  2771. int testresult = 0;
  2772. SSL_SESSION *sess = NULL;
  2773. unsigned char alpnlist[] = {
  2774. 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
  2775. 'l', 'p', 'n'
  2776. };
  2777. #define GOODALPNLEN 9
  2778. #define BADALPNLEN 8
  2779. #define GOODALPN (alpnlist)
  2780. #define BADALPN (alpnlist + GOODALPNLEN)
  2781. int err = 0;
  2782. unsigned char buf[20];
  2783. size_t readbytes, written;
  2784. int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
  2785. int edstatus = SSL_EARLY_DATA_ACCEPTED;
  2786. /* We always set this up with a final parameter of "2" for PSK */
  2787. if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
  2788. &serverssl, &sess, 2)))
  2789. goto end;
  2790. servalpn = "goodalpn";
  2791. /*
  2792. * Note: There is no test for inconsistent SNI with late client detection.
  2793. * This is because servers do not acknowledge SNI even if they are using
  2794. * it in a resumption handshake - so it is not actually possible for a
  2795. * client to detect a problem.
  2796. */
  2797. switch (idx) {
  2798. case 0:
  2799. /* Set inconsistent SNI (early client detection) */
  2800. err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
  2801. if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
  2802. || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
  2803. goto end;
  2804. break;
  2805. case 1:
  2806. /* Set inconsistent ALPN (early client detection) */
  2807. err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
  2808. /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
  2809. if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
  2810. GOODALPNLEN))
  2811. || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
  2812. BADALPNLEN)))
  2813. goto end;
  2814. break;
  2815. case 2:
  2816. /*
  2817. * Set invalid protocol version. Technically this affects PSKs without
  2818. * early_data too, but we test it here because it is similar to the
  2819. * SNI/ALPN consistency tests.
  2820. */
  2821. err = SSL_R_BAD_PSK;
  2822. if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
  2823. goto end;
  2824. break;
  2825. case 3:
  2826. /*
  2827. * Set inconsistent SNI (server detected). In this case the connection
  2828. * will succeed but reject early_data.
  2829. */
  2830. SSL_SESSION_free(serverpsk);
  2831. serverpsk = SSL_SESSION_dup(clientpsk);
  2832. if (!TEST_ptr(serverpsk)
  2833. || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
  2834. goto end;
  2835. edstatus = SSL_EARLY_DATA_REJECTED;
  2836. readearlyres = SSL_READ_EARLY_DATA_FINISH;
  2837. /* Fall through */
  2838. case 4:
  2839. /* Set consistent SNI */
  2840. if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
  2841. || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
  2842. || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
  2843. hostname_cb)))
  2844. goto end;
  2845. break;
  2846. case 5:
  2847. /*
  2848. * Set inconsistent ALPN (server detected). In this case the connection
  2849. * will succeed but reject early_data.
  2850. */
  2851. servalpn = "badalpn";
  2852. edstatus = SSL_EARLY_DATA_REJECTED;
  2853. readearlyres = SSL_READ_EARLY_DATA_FINISH;
  2854. /* Fall through */
  2855. case 6:
  2856. /*
  2857. * Set consistent ALPN.
  2858. * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
  2859. * accepts a list of protos (each one length prefixed).
  2860. * SSL_set1_alpn_selected accepts a single protocol (not length
  2861. * prefixed)
  2862. */
  2863. if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
  2864. GOODALPNLEN - 1))
  2865. || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
  2866. GOODALPNLEN)))
  2867. goto end;
  2868. SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
  2869. break;
  2870. case 7:
  2871. /* Set inconsistent ALPN (late client detection) */
  2872. SSL_SESSION_free(serverpsk);
  2873. serverpsk = SSL_SESSION_dup(clientpsk);
  2874. if (!TEST_ptr(serverpsk)
  2875. || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
  2876. BADALPN + 1,
  2877. BADALPNLEN - 1))
  2878. || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
  2879. GOODALPN + 1,
  2880. GOODALPNLEN - 1))
  2881. || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
  2882. sizeof(alpnlist))))
  2883. goto end;
  2884. SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
  2885. edstatus = SSL_EARLY_DATA_ACCEPTED;
  2886. readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
  2887. /* SSL_connect() call should fail */
  2888. connectres = -1;
  2889. break;
  2890. default:
  2891. TEST_error("Bad test index");
  2892. goto end;
  2893. }
  2894. SSL_set_connect_state(clientssl);
  2895. if (err != 0) {
  2896. if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
  2897. &written))
  2898. || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
  2899. || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
  2900. goto end;
  2901. } else {
  2902. if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
  2903. &written)))
  2904. goto end;
  2905. if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
  2906. &readbytes), readearlyres)
  2907. || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
  2908. && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
  2909. || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
  2910. || !TEST_int_eq(SSL_connect(clientssl), connectres))
  2911. goto end;
  2912. }
  2913. testresult = 1;
  2914. end:
  2915. SSL_SESSION_free(sess);
  2916. SSL_SESSION_free(clientpsk);
  2917. SSL_SESSION_free(serverpsk);
  2918. clientpsk = serverpsk = NULL;
  2919. SSL_free(serverssl);
  2920. SSL_free(clientssl);
  2921. SSL_CTX_free(sctx);
  2922. SSL_CTX_free(cctx);
  2923. return testresult;
  2924. }
  2925. /*
  2926. * Test that a server that doesn't try to read early data can handle a
  2927. * client sending some.
  2928. */
  2929. static int test_early_data_not_expected(int idx)
  2930. {
  2931. SSL_CTX *cctx = NULL, *sctx = NULL;
  2932. SSL *clientssl = NULL, *serverssl = NULL;
  2933. int testresult = 0;
  2934. SSL_SESSION *sess = NULL;
  2935. unsigned char buf[20];
  2936. size_t readbytes, written;
  2937. if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
  2938. &serverssl, &sess, idx)))
  2939. goto end;
  2940. /* Write some early data */
  2941. if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
  2942. &written)))
  2943. goto end;
  2944. /*
  2945. * Server should skip over early data and then block waiting for client to
  2946. * continue handshake
  2947. */
  2948. if (!TEST_int_le(SSL_accept(serverssl), 0)
  2949. || !TEST_int_gt(SSL_connect(clientssl), 0)
  2950. || !TEST_int_eq(SSL_get_early_data_status(serverssl),
  2951. SSL_EARLY_DATA_REJECTED)
  2952. || !TEST_int_gt(SSL_accept(serverssl), 0)
  2953. || !TEST_int_eq(SSL_get_early_data_status(clientssl),
  2954. SSL_EARLY_DATA_REJECTED))
  2955. goto end;
  2956. /* Send some normal data from client to server */
  2957. if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
  2958. || !TEST_size_t_eq(written, strlen(MSG2)))
  2959. goto end;
  2960. if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
  2961. || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
  2962. goto end;
  2963. testresult = 1;
  2964. end:
  2965. SSL_SESSION_free(sess);
  2966. SSL_SESSION_free(clientpsk);
  2967. SSL_SESSION_free(serverpsk);
  2968. clientpsk = serverpsk = NULL;
  2969. SSL_free(serverssl);
  2970. SSL_free(clientssl);
  2971. SSL_CTX_free(sctx);
  2972. SSL_CTX_free(cctx);
  2973. return testresult;
  2974. }
  2975. # ifndef OPENSSL_NO_TLS1_2
  2976. /*
  2977. * Test that a server attempting to read early data can handle a connection
  2978. * from a TLSv1.2 client.
  2979. */
  2980. static int test_early_data_tls1_2(int idx)
  2981. {
  2982. SSL_CTX *cctx = NULL, *sctx = NULL;
  2983. SSL *clientssl = NULL, *serverssl = NULL;
  2984. int testresult = 0;
  2985. unsigned char buf[20];
  2986. size_t readbytes, written;
  2987. if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
  2988. &serverssl, NULL, idx)))
  2989. goto end;
  2990. /* Write some data - should block due to handshake with server */
  2991. SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
  2992. SSL_set_connect_state(clientssl);
  2993. if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
  2994. goto end;
  2995. /*
  2996. * Server should do TLSv1.2 handshake. First it will block waiting for more
  2997. * messages from client after ServerDone. Then SSL_read_early_data should
  2998. * finish and detect that early data has not been sent
  2999. */
  3000. if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
  3001. &readbytes),
  3002. SSL_READ_EARLY_DATA_ERROR))
  3003. goto end;
  3004. /*
  3005. * Continue writing the message we started earlier. Will still block waiting
  3006. * for the CCS/Finished from server
  3007. */
  3008. if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
  3009. || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
  3010. &readbytes),
  3011. SSL_READ_EARLY_DATA_FINISH)
  3012. || !TEST_size_t_eq(readbytes, 0)
  3013. || !TEST_int_eq(SSL_get_early_data_status(serverssl),
  3014. SSL_EARLY_DATA_NOT_SENT))
  3015. goto end;
  3016. /* Continue writing the message we started earlier */
  3017. if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
  3018. || !TEST_size_t_eq(written, strlen(MSG1))
  3019. || !TEST_int_eq(SSL_get_early_data_status(clientssl),
  3020. SSL_EARLY_DATA_NOT_SENT)
  3021. || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
  3022. || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
  3023. || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
  3024. || !TEST_size_t_eq(written, strlen(MSG2))
  3025. || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
  3026. || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
  3027. goto end;
  3028. testresult = 1;
  3029. end:
  3030. SSL_SESSION_free(clientpsk);
  3031. SSL_SESSION_free(serverpsk);
  3032. clientpsk = serverpsk = NULL;
  3033. SSL_free(serverssl);
  3034. SSL_free(clientssl);
  3035. SSL_CTX_free(sctx);
  3036. SSL_CTX_free(cctx);
  3037. return testresult;
  3038. }
  3039. # endif /* OPENSSL_NO_TLS1_2 */
  3040. /*
  3041. * Test configuring the TLSv1.3 ciphersuites
  3042. *
  3043. * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
  3044. * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
  3045. * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
  3046. * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
  3047. * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
  3048. * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
  3049. * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
  3050. * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
  3051. * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
  3052. * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
  3053. */
  3054. static int test_set_ciphersuite(int idx)
  3055. {
  3056. SSL_CTX *cctx = NULL, *sctx = NULL;
  3057. SSL *clientssl = NULL, *serverssl = NULL;
  3058. int testresult = 0;
  3059. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
  3060. TLS1_VERSION, 0,
  3061. &sctx, &cctx, cert, privkey))
  3062. || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
  3063. "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
  3064. goto end;
  3065. if (idx >=4 && idx <= 7) {
  3066. /* SSL_CTX explicit cipher list */
  3067. if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
  3068. goto end;
  3069. }
  3070. if (idx == 0 || idx == 4) {
  3071. /* Default ciphersuite */
  3072. if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
  3073. "TLS_AES_128_GCM_SHA256")))
  3074. goto end;
  3075. } else if (idx == 1 || idx == 5) {
  3076. /* Non default ciphersuite */
  3077. if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
  3078. "TLS_AES_128_CCM_SHA256")))
  3079. goto end;
  3080. }
  3081. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
  3082. &clientssl, NULL, NULL)))
  3083. goto end;
  3084. if (idx == 8 || idx == 9) {
  3085. /* SSL explicit cipher list */
  3086. if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
  3087. goto end;
  3088. }
  3089. if (idx == 2 || idx == 6 || idx == 8) {
  3090. /* Default ciphersuite */
  3091. if (!TEST_true(SSL_set_ciphersuites(clientssl,
  3092. "TLS_AES_128_GCM_SHA256")))
  3093. goto end;
  3094. } else if (idx == 3 || idx == 7 || idx == 9) {
  3095. /* Non default ciphersuite */
  3096. if (!TEST_true(SSL_set_ciphersuites(clientssl,
  3097. "TLS_AES_128_CCM_SHA256")))
  3098. goto end;
  3099. }
  3100. if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
  3101. goto end;
  3102. testresult = 1;
  3103. end:
  3104. SSL_free(serverssl);
  3105. SSL_free(clientssl);
  3106. SSL_CTX_free(sctx);
  3107. SSL_CTX_free(cctx);
  3108. return testresult;
  3109. }
  3110. static int test_ciphersuite_change(void)
  3111. {
  3112. SSL_CTX *cctx = NULL, *sctx = NULL;
  3113. SSL *clientssl = NULL, *serverssl = NULL;
  3114. SSL_SESSION *clntsess = NULL;
  3115. int testresult = 0;
  3116. const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
  3117. /* Create a session based on SHA-256 */
  3118. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
  3119. TLS1_VERSION, 0,
  3120. &sctx, &cctx, cert, privkey))
  3121. || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
  3122. "TLS_AES_128_GCM_SHA256"))
  3123. || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
  3124. &clientssl, NULL, NULL))
  3125. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  3126. SSL_ERROR_NONE)))
  3127. goto end;
  3128. clntsess = SSL_get1_session(clientssl);
  3129. /* Save for later */
  3130. aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
  3131. SSL_shutdown(clientssl);
  3132. SSL_shutdown(serverssl);
  3133. SSL_free(serverssl);
  3134. SSL_free(clientssl);
  3135. serverssl = clientssl = NULL;
  3136. # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
  3137. /* Check we can resume a session with a different SHA-256 ciphersuite */
  3138. if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
  3139. "TLS_CHACHA20_POLY1305_SHA256"))
  3140. || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  3141. NULL, NULL))
  3142. || !TEST_true(SSL_set_session(clientssl, clntsess))
  3143. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  3144. SSL_ERROR_NONE))
  3145. || !TEST_true(SSL_session_reused(clientssl)))
  3146. goto end;
  3147. SSL_SESSION_free(clntsess);
  3148. clntsess = SSL_get1_session(clientssl);
  3149. SSL_shutdown(clientssl);
  3150. SSL_shutdown(serverssl);
  3151. SSL_free(serverssl);
  3152. SSL_free(clientssl);
  3153. serverssl = clientssl = NULL;
  3154. # endif
  3155. /*
  3156. * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
  3157. * succeeds but does not resume.
  3158. */
  3159. if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
  3160. || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  3161. NULL, NULL))
  3162. || !TEST_true(SSL_set_session(clientssl, clntsess))
  3163. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  3164. SSL_ERROR_SSL))
  3165. || !TEST_false(SSL_session_reused(clientssl)))
  3166. goto end;
  3167. SSL_SESSION_free(clntsess);
  3168. clntsess = NULL;
  3169. SSL_shutdown(clientssl);
  3170. SSL_shutdown(serverssl);
  3171. SSL_free(serverssl);
  3172. SSL_free(clientssl);
  3173. serverssl = clientssl = NULL;
  3174. /* Create a session based on SHA384 */
  3175. if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
  3176. || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
  3177. &clientssl, NULL, NULL))
  3178. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  3179. SSL_ERROR_NONE)))
  3180. goto end;
  3181. clntsess = SSL_get1_session(clientssl);
  3182. SSL_shutdown(clientssl);
  3183. SSL_shutdown(serverssl);
  3184. SSL_free(serverssl);
  3185. SSL_free(clientssl);
  3186. serverssl = clientssl = NULL;
  3187. if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
  3188. "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
  3189. || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
  3190. "TLS_AES_256_GCM_SHA384"))
  3191. || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  3192. NULL, NULL))
  3193. || !TEST_true(SSL_set_session(clientssl, clntsess))
  3194. /*
  3195. * We use SSL_ERROR_WANT_READ below so that we can pause the
  3196. * connection after the initial ClientHello has been sent to
  3197. * enable us to make some session changes.
  3198. */
  3199. || !TEST_false(create_ssl_connection(serverssl, clientssl,
  3200. SSL_ERROR_WANT_READ)))
  3201. goto end;
  3202. /* Trick the client into thinking this session is for a different digest */
  3203. clntsess->cipher = aes_128_gcm_sha256;
  3204. clntsess->cipher_id = clntsess->cipher->id;
  3205. /*
  3206. * Continue the previously started connection. Server has selected a SHA-384
  3207. * ciphersuite, but client thinks the session is for SHA-256, so it should
  3208. * bail out.
  3209. */
  3210. if (!TEST_false(create_ssl_connection(serverssl, clientssl,
  3211. SSL_ERROR_SSL))
  3212. || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
  3213. SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
  3214. goto end;
  3215. testresult = 1;
  3216. end:
  3217. SSL_SESSION_free(clntsess);
  3218. SSL_free(serverssl);
  3219. SSL_free(clientssl);
  3220. SSL_CTX_free(sctx);
  3221. SSL_CTX_free(cctx);
  3222. return testresult;
  3223. }
  3224. /*
  3225. * Test TLSv1.3 Key exchange
  3226. * Test 0 = Test ECDHE Key exchange
  3227. * Test 1 = Test ECDHE with TLSv1.2 client and TLSv1.2 server
  3228. * Test 2 = Test FFDHE Key exchange
  3229. * Test 3 = Test FFDHE with TLSv1.2 client and TLSv1.2 server
  3230. */
  3231. static int test_tls13_key_exchange(int idx)
  3232. {
  3233. SSL_CTX *sctx = NULL, *cctx = NULL;
  3234. SSL *serverssl = NULL, *clientssl = NULL;
  3235. int testresult = 0;
  3236. #ifndef OPENSSL_NO_EC
  3237. int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1, NID_secp521r1,
  3238. NID_X25519, NID_X448};
  3239. #endif
  3240. #ifndef OPENSSL_NO_DH
  3241. int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
  3242. NID_ffdhe6144, NID_ffdhe8192};
  3243. #endif
  3244. int *kexch_groups = NULL;
  3245. int kexch_groups_size = 0;
  3246. int max_version = TLS1_3_VERSION;
  3247. int want_err = SSL_ERROR_NONE;
  3248. int expected_err_reason = 0;
  3249. switch (idx) {
  3250. #ifndef OPENSSL_NO_DH
  3251. case 3:
  3252. max_version = TLS1_2_VERSION;
  3253. /* Fall through */
  3254. case 2:
  3255. kexch_groups = ffdhe_kexch_groups;
  3256. kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
  3257. break;
  3258. #endif
  3259. #ifndef OPENSSL_NO_EC
  3260. case 1:
  3261. max_version = TLS1_2_VERSION;
  3262. /* Fall through */
  3263. case 0:
  3264. kexch_groups = ecdhe_kexch_groups;
  3265. kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
  3266. break;
  3267. #endif
  3268. default:
  3269. /* We're skipping this test */
  3270. return 1;
  3271. }
  3272. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
  3273. TLS1_VERSION, max_version,
  3274. &sctx, &cctx, cert, privkey)))
  3275. goto end;
  3276. if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, TLS1_3_RFC_AES_128_GCM_SHA256)))
  3277. goto end;
  3278. if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, TLS1_3_RFC_AES_128_GCM_SHA256)))
  3279. goto end;
  3280. if (!TEST_true(SSL_CTX_set_cipher_list(sctx, TLS1_TXT_RSA_WITH_AES_128_SHA)))
  3281. goto end;
  3282. /*
  3283. * Must include an EC ciphersuite so that we send supported groups in
  3284. * TLSv1.2
  3285. */
  3286. if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
  3287. TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM ":"
  3288. TLS1_TXT_RSA_WITH_AES_128_SHA)))
  3289. goto end;
  3290. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  3291. NULL, NULL)))
  3292. goto end;
  3293. if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
  3294. || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
  3295. goto end;
  3296. if (!TEST_true(create_ssl_connection(serverssl, clientssl, want_err))) {
  3297. /* Fail only if no error is expected in handshake */
  3298. if (expected_err_reason == 0)
  3299. goto end;
  3300. }
  3301. /* Fail if expected error is not happening for failure testcases */
  3302. if (expected_err_reason != 0) {
  3303. unsigned long err_code = ERR_get_error();
  3304. ERR_print_errors_fp(stdout);
  3305. if (TEST_int_eq(ERR_GET_REASON(err_code), expected_err_reason))
  3306. testresult = 1;
  3307. goto end;
  3308. }
  3309. /*
  3310. * If Handshake succeeds the negotiated kexch alg should the first one in
  3311. * configured, except in the case of FFDHE groups which are TLSv1.3 only
  3312. * so we expect no shared group to exist.
  3313. */
  3314. if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
  3315. idx == 3 ? 0 : kexch_groups[0]))
  3316. goto end;
  3317. testresult = 1;
  3318. end:
  3319. SSL_free(serverssl);
  3320. SSL_free(clientssl);
  3321. SSL_CTX_free(sctx);
  3322. SSL_CTX_free(cctx);
  3323. return testresult;
  3324. }
  3325. /*
  3326. * Test TLSv1.3 PSKs
  3327. * Test 0 = Test new style callbacks
  3328. * Test 1 = Test both new and old style callbacks
  3329. * Test 2 = Test old style callbacks
  3330. * Test 3 = Test old style callbacks with no certificate
  3331. */
  3332. static int test_tls13_psk(int idx)
  3333. {
  3334. SSL_CTX *sctx = NULL, *cctx = NULL;
  3335. SSL *serverssl = NULL, *clientssl = NULL;
  3336. const SSL_CIPHER *cipher = NULL;
  3337. const unsigned char key[] = {
  3338. 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
  3339. 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
  3340. 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
  3341. 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
  3342. };
  3343. int testresult = 0;
  3344. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
  3345. TLS1_VERSION, 0,
  3346. &sctx, &cctx, idx == 3 ? NULL : cert,
  3347. idx == 3 ? NULL : privkey)))
  3348. goto end;
  3349. if (idx != 3) {
  3350. /*
  3351. * We use a ciphersuite with SHA256 to ease testing old style PSK
  3352. * callbacks which will always default to SHA256. This should not be
  3353. * necessary if we have no cert/priv key. In that case the server should
  3354. * prefer SHA256 automatically.
  3355. */
  3356. if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
  3357. "TLS_AES_128_GCM_SHA256")))
  3358. goto end;
  3359. }
  3360. /*
  3361. * Test 0: New style callbacks only
  3362. * Test 1: New and old style callbacks (only the new ones should be used)
  3363. * Test 2: Old style callbacks only
  3364. */
  3365. if (idx == 0 || idx == 1) {
  3366. SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
  3367. SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
  3368. }
  3369. #ifndef OPENSSL_NO_PSK
  3370. if (idx >= 1) {
  3371. SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
  3372. SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
  3373. }
  3374. #endif
  3375. srvid = pskid;
  3376. use_session_cb_cnt = 0;
  3377. find_session_cb_cnt = 0;
  3378. psk_client_cb_cnt = 0;
  3379. psk_server_cb_cnt = 0;
  3380. if (idx != 3) {
  3381. /*
  3382. * Check we can create a connection if callback decides not to send a
  3383. * PSK
  3384. */
  3385. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  3386. NULL, NULL))
  3387. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  3388. SSL_ERROR_NONE))
  3389. || !TEST_false(SSL_session_reused(clientssl))
  3390. || !TEST_false(SSL_session_reused(serverssl)))
  3391. goto end;
  3392. if (idx == 0 || idx == 1) {
  3393. if (!TEST_true(use_session_cb_cnt == 1)
  3394. || !TEST_true(find_session_cb_cnt == 0)
  3395. /*
  3396. * If no old style callback then below should be 0
  3397. * otherwise 1
  3398. */
  3399. || !TEST_true(psk_client_cb_cnt == idx)
  3400. || !TEST_true(psk_server_cb_cnt == 0))
  3401. goto end;
  3402. } else {
  3403. if (!TEST_true(use_session_cb_cnt == 0)
  3404. || !TEST_true(find_session_cb_cnt == 0)
  3405. || !TEST_true(psk_client_cb_cnt == 1)
  3406. || !TEST_true(psk_server_cb_cnt == 0))
  3407. goto end;
  3408. }
  3409. shutdown_ssl_connection(serverssl, clientssl);
  3410. serverssl = clientssl = NULL;
  3411. use_session_cb_cnt = psk_client_cb_cnt = 0;
  3412. }
  3413. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  3414. NULL, NULL)))
  3415. goto end;
  3416. /* Create the PSK */
  3417. cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
  3418. clientpsk = SSL_SESSION_new();
  3419. if (!TEST_ptr(clientpsk)
  3420. || !TEST_ptr(cipher)
  3421. || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
  3422. sizeof(key)))
  3423. || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
  3424. || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
  3425. TLS1_3_VERSION))
  3426. || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
  3427. goto end;
  3428. serverpsk = clientpsk;
  3429. /* Check we can create a connection and the PSK is used */
  3430. if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
  3431. || !TEST_true(SSL_session_reused(clientssl))
  3432. || !TEST_true(SSL_session_reused(serverssl)))
  3433. goto end;
  3434. if (idx == 0 || idx == 1) {
  3435. if (!TEST_true(use_session_cb_cnt == 1)
  3436. || !TEST_true(find_session_cb_cnt == 1)
  3437. || !TEST_true(psk_client_cb_cnt == 0)
  3438. || !TEST_true(psk_server_cb_cnt == 0))
  3439. goto end;
  3440. } else {
  3441. if (!TEST_true(use_session_cb_cnt == 0)
  3442. || !TEST_true(find_session_cb_cnt == 0)
  3443. || !TEST_true(psk_client_cb_cnt == 1)
  3444. || !TEST_true(psk_server_cb_cnt == 1))
  3445. goto end;
  3446. }
  3447. shutdown_ssl_connection(serverssl, clientssl);
  3448. serverssl = clientssl = NULL;
  3449. use_session_cb_cnt = find_session_cb_cnt = 0;
  3450. psk_client_cb_cnt = psk_server_cb_cnt = 0;
  3451. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  3452. NULL, NULL)))
  3453. goto end;
  3454. /* Force an HRR */
  3455. #if defined(OPENSSL_NO_EC)
  3456. if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
  3457. goto end;
  3458. #else
  3459. if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
  3460. goto end;
  3461. #endif
  3462. /*
  3463. * Check we can create a connection, the PSK is used and the callbacks are
  3464. * called twice.
  3465. */
  3466. if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
  3467. || !TEST_true(SSL_session_reused(clientssl))
  3468. || !TEST_true(SSL_session_reused(serverssl)))
  3469. goto end;
  3470. if (idx == 0 || idx == 1) {
  3471. if (!TEST_true(use_session_cb_cnt == 2)
  3472. || !TEST_true(find_session_cb_cnt == 2)
  3473. || !TEST_true(psk_client_cb_cnt == 0)
  3474. || !TEST_true(psk_server_cb_cnt == 0))
  3475. goto end;
  3476. } else {
  3477. if (!TEST_true(use_session_cb_cnt == 0)
  3478. || !TEST_true(find_session_cb_cnt == 0)
  3479. || !TEST_true(psk_client_cb_cnt == 2)
  3480. || !TEST_true(psk_server_cb_cnt == 2))
  3481. goto end;
  3482. }
  3483. shutdown_ssl_connection(serverssl, clientssl);
  3484. serverssl = clientssl = NULL;
  3485. use_session_cb_cnt = find_session_cb_cnt = 0;
  3486. psk_client_cb_cnt = psk_server_cb_cnt = 0;
  3487. if (idx != 3) {
  3488. /*
  3489. * Check that if the server rejects the PSK we can still connect, but with
  3490. * a full handshake
  3491. */
  3492. srvid = "Dummy Identity";
  3493. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  3494. NULL, NULL))
  3495. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  3496. SSL_ERROR_NONE))
  3497. || !TEST_false(SSL_session_reused(clientssl))
  3498. || !TEST_false(SSL_session_reused(serverssl)))
  3499. goto end;
  3500. if (idx == 0 || idx == 1) {
  3501. if (!TEST_true(use_session_cb_cnt == 1)
  3502. || !TEST_true(find_session_cb_cnt == 1)
  3503. || !TEST_true(psk_client_cb_cnt == 0)
  3504. /*
  3505. * If no old style callback then below should be 0
  3506. * otherwise 1
  3507. */
  3508. || !TEST_true(psk_server_cb_cnt == idx))
  3509. goto end;
  3510. } else {
  3511. if (!TEST_true(use_session_cb_cnt == 0)
  3512. || !TEST_true(find_session_cb_cnt == 0)
  3513. || !TEST_true(psk_client_cb_cnt == 1)
  3514. || !TEST_true(psk_server_cb_cnt == 1))
  3515. goto end;
  3516. }
  3517. shutdown_ssl_connection(serverssl, clientssl);
  3518. serverssl = clientssl = NULL;
  3519. }
  3520. testresult = 1;
  3521. end:
  3522. SSL_SESSION_free(clientpsk);
  3523. SSL_SESSION_free(serverpsk);
  3524. clientpsk = serverpsk = NULL;
  3525. SSL_free(serverssl);
  3526. SSL_free(clientssl);
  3527. SSL_CTX_free(sctx);
  3528. SSL_CTX_free(cctx);
  3529. return testresult;
  3530. }
  3531. static unsigned char cookie_magic_value[] = "cookie magic";
  3532. static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
  3533. unsigned int *cookie_len)
  3534. {
  3535. /*
  3536. * Not suitable as a real cookie generation function but good enough for
  3537. * testing!
  3538. */
  3539. memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
  3540. *cookie_len = sizeof(cookie_magic_value) - 1;
  3541. return 1;
  3542. }
  3543. static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
  3544. unsigned int cookie_len)
  3545. {
  3546. if (cookie_len == sizeof(cookie_magic_value) - 1
  3547. && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
  3548. return 1;
  3549. return 0;
  3550. }
  3551. static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
  3552. size_t *cookie_len)
  3553. {
  3554. unsigned int temp;
  3555. int res = generate_cookie_callback(ssl, cookie, &temp);
  3556. *cookie_len = temp;
  3557. return res;
  3558. }
  3559. static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
  3560. size_t cookie_len)
  3561. {
  3562. return verify_cookie_callback(ssl, cookie, cookie_len);
  3563. }
  3564. static int test_stateless(void)
  3565. {
  3566. SSL_CTX *sctx = NULL, *cctx = NULL;
  3567. SSL *serverssl = NULL, *clientssl = NULL;
  3568. int testresult = 0;
  3569. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
  3570. TLS1_VERSION, 0,
  3571. &sctx, &cctx, cert, privkey)))
  3572. goto end;
  3573. /* The arrival of CCS messages can confuse the test */
  3574. SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
  3575. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  3576. NULL, NULL))
  3577. /* Send the first ClientHello */
  3578. || !TEST_false(create_ssl_connection(serverssl, clientssl,
  3579. SSL_ERROR_WANT_READ))
  3580. /*
  3581. * This should fail with a -1 return because we have no callbacks
  3582. * set up
  3583. */
  3584. || !TEST_int_eq(SSL_stateless(serverssl), -1))
  3585. goto end;
  3586. /* Fatal error so abandon the connection from this client */
  3587. SSL_free(clientssl);
  3588. clientssl = NULL;
  3589. /* Set up the cookie generation and verification callbacks */
  3590. SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
  3591. SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
  3592. /*
  3593. * Create a new connection from the client (we can reuse the server SSL
  3594. * object).
  3595. */
  3596. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  3597. NULL, NULL))
  3598. /* Send the first ClientHello */
  3599. || !TEST_false(create_ssl_connection(serverssl, clientssl,
  3600. SSL_ERROR_WANT_READ))
  3601. /* This should fail because there is no cookie */
  3602. || !TEST_int_eq(SSL_stateless(serverssl), 0))
  3603. goto end;
  3604. /* Abandon the connection from this client */
  3605. SSL_free(clientssl);
  3606. clientssl = NULL;
  3607. /*
  3608. * Now create a connection from a new client but with the same server SSL
  3609. * object
  3610. */
  3611. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  3612. NULL, NULL))
  3613. /* Send the first ClientHello */
  3614. || !TEST_false(create_ssl_connection(serverssl, clientssl,
  3615. SSL_ERROR_WANT_READ))
  3616. /* This should fail because there is no cookie */
  3617. || !TEST_int_eq(SSL_stateless(serverssl), 0)
  3618. /* Send the second ClientHello */
  3619. || !TEST_false(create_ssl_connection(serverssl, clientssl,
  3620. SSL_ERROR_WANT_READ))
  3621. /* This should succeed because a cookie is now present */
  3622. || !TEST_int_eq(SSL_stateless(serverssl), 1)
  3623. /* Complete the connection */
  3624. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  3625. SSL_ERROR_NONE)))
  3626. goto end;
  3627. shutdown_ssl_connection(serverssl, clientssl);
  3628. serverssl = clientssl = NULL;
  3629. testresult = 1;
  3630. end:
  3631. SSL_free(serverssl);
  3632. SSL_free(clientssl);
  3633. SSL_CTX_free(sctx);
  3634. SSL_CTX_free(cctx);
  3635. return testresult;
  3636. }
  3637. #endif /* OPENSSL_NO_TLS1_3 */
  3638. static int clntaddoldcb = 0;
  3639. static int clntparseoldcb = 0;
  3640. static int srvaddoldcb = 0;
  3641. static int srvparseoldcb = 0;
  3642. static int clntaddnewcb = 0;
  3643. static int clntparsenewcb = 0;
  3644. static int srvaddnewcb = 0;
  3645. static int srvparsenewcb = 0;
  3646. static int snicb = 0;
  3647. #define TEST_EXT_TYPE1 0xff00
  3648. static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
  3649. size_t *outlen, int *al, void *add_arg)
  3650. {
  3651. int *server = (int *)add_arg;
  3652. unsigned char *data;
  3653. if (SSL_is_server(s))
  3654. srvaddoldcb++;
  3655. else
  3656. clntaddoldcb++;
  3657. if (*server != SSL_is_server(s)
  3658. || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
  3659. return -1;
  3660. *data = 1;
  3661. *out = data;
  3662. *outlen = sizeof(char);
  3663. return 1;
  3664. }
  3665. static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
  3666. void *add_arg)
  3667. {
  3668. OPENSSL_free((unsigned char *)out);
  3669. }
  3670. static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
  3671. size_t inlen, int *al, void *parse_arg)
  3672. {
  3673. int *server = (int *)parse_arg;
  3674. if (SSL_is_server(s))
  3675. srvparseoldcb++;
  3676. else
  3677. clntparseoldcb++;
  3678. if (*server != SSL_is_server(s)
  3679. || inlen != sizeof(char)
  3680. || *in != 1)
  3681. return -1;
  3682. return 1;
  3683. }
  3684. static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
  3685. const unsigned char **out, size_t *outlen, X509 *x,
  3686. size_t chainidx, int *al, void *add_arg)
  3687. {
  3688. int *server = (int *)add_arg;
  3689. unsigned char *data;
  3690. if (SSL_is_server(s))
  3691. srvaddnewcb++;
  3692. else
  3693. clntaddnewcb++;
  3694. if (*server != SSL_is_server(s)
  3695. || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
  3696. return -1;
  3697. *data = 1;
  3698. *out = data;
  3699. *outlen = sizeof(*data);
  3700. return 1;
  3701. }
  3702. static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
  3703. const unsigned char *out, void *add_arg)
  3704. {
  3705. OPENSSL_free((unsigned char *)out);
  3706. }
  3707. static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
  3708. const unsigned char *in, size_t inlen, X509 *x,
  3709. size_t chainidx, int *al, void *parse_arg)
  3710. {
  3711. int *server = (int *)parse_arg;
  3712. if (SSL_is_server(s))
  3713. srvparsenewcb++;
  3714. else
  3715. clntparsenewcb++;
  3716. if (*server != SSL_is_server(s)
  3717. || inlen != sizeof(char) || *in != 1)
  3718. return -1;
  3719. return 1;
  3720. }
  3721. static int sni_cb(SSL *s, int *al, void *arg)
  3722. {
  3723. SSL_CTX *ctx = (SSL_CTX *)arg;
  3724. if (SSL_set_SSL_CTX(s, ctx) == NULL) {
  3725. *al = SSL_AD_INTERNAL_ERROR;
  3726. return SSL_TLSEXT_ERR_ALERT_FATAL;
  3727. }
  3728. snicb++;
  3729. return SSL_TLSEXT_ERR_OK;
  3730. }
  3731. /*
  3732. * Custom call back tests.
  3733. * Test 0: Old style callbacks in TLSv1.2
  3734. * Test 1: New style callbacks in TLSv1.2
  3735. * Test 2: New style callbacks in TLSv1.2 with SNI
  3736. * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
  3737. * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
  3738. */
  3739. static int test_custom_exts(int tst)
  3740. {
  3741. SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
  3742. SSL *clientssl = NULL, *serverssl = NULL;
  3743. int testresult = 0;
  3744. static int server = 1;
  3745. static int client = 0;
  3746. SSL_SESSION *sess = NULL;
  3747. unsigned int context;
  3748. #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
  3749. /* Skip tests for TLSv1.2 and below in this case */
  3750. if (tst < 3)
  3751. return 1;
  3752. #endif
  3753. /* Reset callback counters */
  3754. clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
  3755. clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
  3756. snicb = 0;
  3757. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
  3758. TLS1_VERSION, 0,
  3759. &sctx, &cctx, cert, privkey)))
  3760. goto end;
  3761. if (tst == 2
  3762. && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
  3763. TLS1_VERSION, 0,
  3764. &sctx2, NULL, cert, privkey)))
  3765. goto end;
  3766. if (tst < 3) {
  3767. SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
  3768. SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
  3769. if (sctx2 != NULL)
  3770. SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
  3771. }
  3772. if (tst == 4) {
  3773. context = SSL_EXT_CLIENT_HELLO
  3774. | SSL_EXT_TLS1_2_SERVER_HELLO
  3775. | SSL_EXT_TLS1_3_SERVER_HELLO
  3776. | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
  3777. | SSL_EXT_TLS1_3_CERTIFICATE
  3778. | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
  3779. } else {
  3780. context = SSL_EXT_CLIENT_HELLO
  3781. | SSL_EXT_TLS1_2_SERVER_HELLO
  3782. | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
  3783. }
  3784. /* Create a client side custom extension */
  3785. if (tst == 0) {
  3786. if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
  3787. old_add_cb, old_free_cb,
  3788. &client, old_parse_cb,
  3789. &client)))
  3790. goto end;
  3791. } else {
  3792. if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
  3793. new_add_cb, new_free_cb,
  3794. &client, new_parse_cb, &client)))
  3795. goto end;
  3796. }
  3797. /* Should not be able to add duplicates */
  3798. if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
  3799. old_add_cb, old_free_cb,
  3800. &client, old_parse_cb,
  3801. &client))
  3802. || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
  3803. context, new_add_cb,
  3804. new_free_cb, &client,
  3805. new_parse_cb, &client)))
  3806. goto end;
  3807. /* Create a server side custom extension */
  3808. if (tst == 0) {
  3809. if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
  3810. old_add_cb, old_free_cb,
  3811. &server, old_parse_cb,
  3812. &server)))
  3813. goto end;
  3814. } else {
  3815. if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
  3816. new_add_cb, new_free_cb,
  3817. &server, new_parse_cb, &server)))
  3818. goto end;
  3819. if (sctx2 != NULL
  3820. && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
  3821. context, new_add_cb,
  3822. new_free_cb, &server,
  3823. new_parse_cb, &server)))
  3824. goto end;
  3825. }
  3826. /* Should not be able to add duplicates */
  3827. if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
  3828. old_add_cb, old_free_cb,
  3829. &server, old_parse_cb,
  3830. &server))
  3831. || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
  3832. context, new_add_cb,
  3833. new_free_cb, &server,
  3834. new_parse_cb, &server)))
  3835. goto end;
  3836. if (tst == 2) {
  3837. /* Set up SNI */
  3838. if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
  3839. || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
  3840. goto end;
  3841. }
  3842. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
  3843. &clientssl, NULL, NULL))
  3844. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  3845. SSL_ERROR_NONE)))
  3846. goto end;
  3847. if (tst == 0) {
  3848. if (clntaddoldcb != 1
  3849. || clntparseoldcb != 1
  3850. || srvaddoldcb != 1
  3851. || srvparseoldcb != 1)
  3852. goto end;
  3853. } else if (tst == 1 || tst == 2 || tst == 3) {
  3854. if (clntaddnewcb != 1
  3855. || clntparsenewcb != 1
  3856. || srvaddnewcb != 1
  3857. || srvparsenewcb != 1
  3858. || (tst != 2 && snicb != 0)
  3859. || (tst == 2 && snicb != 1))
  3860. goto end;
  3861. } else {
  3862. /* In this case there 2 NewSessionTicket messages created */
  3863. if (clntaddnewcb != 1
  3864. || clntparsenewcb != 5
  3865. || srvaddnewcb != 5
  3866. || srvparsenewcb != 1)
  3867. goto end;
  3868. }
  3869. sess = SSL_get1_session(clientssl);
  3870. SSL_shutdown(clientssl);
  3871. SSL_shutdown(serverssl);
  3872. SSL_free(serverssl);
  3873. SSL_free(clientssl);
  3874. serverssl = clientssl = NULL;
  3875. if (tst == 3) {
  3876. /* We don't bother with the resumption aspects for this test */
  3877. testresult = 1;
  3878. goto end;
  3879. }
  3880. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  3881. NULL, NULL))
  3882. || !TEST_true(SSL_set_session(clientssl, sess))
  3883. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  3884. SSL_ERROR_NONE)))
  3885. goto end;
  3886. /*
  3887. * For a resumed session we expect to add the ClientHello extension. For the
  3888. * old style callbacks we ignore it on the server side because they set
  3889. * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
  3890. * them.
  3891. */
  3892. if (tst == 0) {
  3893. if (clntaddoldcb != 2
  3894. || clntparseoldcb != 1
  3895. || srvaddoldcb != 1
  3896. || srvparseoldcb != 1)
  3897. goto end;
  3898. } else if (tst == 1 || tst == 2 || tst == 3) {
  3899. if (clntaddnewcb != 2
  3900. || clntparsenewcb != 2
  3901. || srvaddnewcb != 2
  3902. || srvparsenewcb != 2)
  3903. goto end;
  3904. } else {
  3905. /*
  3906. * No Certificate message extensions in the resumption handshake,
  3907. * 2 NewSessionTickets in the initial handshake, 1 in the resumption
  3908. */
  3909. if (clntaddnewcb != 2
  3910. || clntparsenewcb != 8
  3911. || srvaddnewcb != 8
  3912. || srvparsenewcb != 2)
  3913. goto end;
  3914. }
  3915. testresult = 1;
  3916. end:
  3917. SSL_SESSION_free(sess);
  3918. SSL_free(serverssl);
  3919. SSL_free(clientssl);
  3920. SSL_CTX_free(sctx2);
  3921. SSL_CTX_free(sctx);
  3922. SSL_CTX_free(cctx);
  3923. return testresult;
  3924. }
  3925. /*
  3926. * Test loading of serverinfo data in various formats. test_sslmessages actually
  3927. * tests to make sure the extensions appear in the handshake
  3928. */
  3929. static int test_serverinfo(int tst)
  3930. {
  3931. unsigned int version;
  3932. unsigned char *sibuf;
  3933. size_t sibuflen;
  3934. int ret, expected, testresult = 0;
  3935. SSL_CTX *ctx;
  3936. ctx = SSL_CTX_new(TLS_method());
  3937. if (!TEST_ptr(ctx))
  3938. goto end;
  3939. if ((tst & 0x01) == 0x01)
  3940. version = SSL_SERVERINFOV2;
  3941. else
  3942. version = SSL_SERVERINFOV1;
  3943. if ((tst & 0x02) == 0x02) {
  3944. sibuf = serverinfov2;
  3945. sibuflen = sizeof(serverinfov2);
  3946. expected = (version == SSL_SERVERINFOV2);
  3947. } else {
  3948. sibuf = serverinfov1;
  3949. sibuflen = sizeof(serverinfov1);
  3950. expected = (version == SSL_SERVERINFOV1);
  3951. }
  3952. if ((tst & 0x04) == 0x04) {
  3953. ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
  3954. } else {
  3955. ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
  3956. /*
  3957. * The version variable is irrelevant in this case - it's what is in the
  3958. * buffer that matters
  3959. */
  3960. if ((tst & 0x02) == 0x02)
  3961. expected = 0;
  3962. else
  3963. expected = 1;
  3964. }
  3965. if (!TEST_true(ret == expected))
  3966. goto end;
  3967. testresult = 1;
  3968. end:
  3969. SSL_CTX_free(ctx);
  3970. return testresult;
  3971. }
  3972. /*
  3973. * Test that SSL_export_keying_material() produces expected results. There are
  3974. * no test vectors so all we do is test that both sides of the communication
  3975. * produce the same results for different protocol versions.
  3976. */
  3977. #define SMALL_LABEL_LEN 10
  3978. #define LONG_LABEL_LEN 249
  3979. static int test_export_key_mat(int tst)
  3980. {
  3981. int testresult = 0;
  3982. SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
  3983. SSL *clientssl = NULL, *serverssl = NULL;
  3984. const char label[LONG_LABEL_LEN + 1] = "test label";
  3985. const unsigned char context[] = "context";
  3986. const unsigned char *emptycontext = NULL;
  3987. unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
  3988. unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
  3989. size_t labellen;
  3990. const int protocols[] = {
  3991. TLS1_VERSION,
  3992. TLS1_1_VERSION,
  3993. TLS1_2_VERSION,
  3994. TLS1_3_VERSION,
  3995. TLS1_3_VERSION,
  3996. TLS1_3_VERSION
  3997. };
  3998. #ifdef OPENSSL_NO_TLS1
  3999. if (tst == 0)
  4000. return 1;
  4001. #endif
  4002. #ifdef OPENSSL_NO_TLS1_1
  4003. if (tst == 1)
  4004. return 1;
  4005. #endif
  4006. #ifdef OPENSSL_NO_TLS1_2
  4007. if (tst == 2)
  4008. return 1;
  4009. #endif
  4010. #ifdef OPENSSL_NO_TLS1_3
  4011. if (tst >= 3)
  4012. return 1;
  4013. #endif
  4014. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
  4015. TLS1_VERSION, 0,
  4016. &sctx, &cctx, cert, privkey)))
  4017. goto end;
  4018. OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
  4019. SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
  4020. SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
  4021. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
  4022. NULL))
  4023. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  4024. SSL_ERROR_NONE)))
  4025. goto end;
  4026. if (tst == 5) {
  4027. /*
  4028. * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
  4029. * go over that.
  4030. */
  4031. if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
  4032. sizeof(ckeymat1), label,
  4033. LONG_LABEL_LEN + 1, context,
  4034. sizeof(context) - 1, 1), 0))
  4035. goto end;
  4036. testresult = 1;
  4037. goto end;
  4038. } else if (tst == 4) {
  4039. labellen = LONG_LABEL_LEN;
  4040. } else {
  4041. labellen = SMALL_LABEL_LEN;
  4042. }
  4043. if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
  4044. sizeof(ckeymat1), label,
  4045. labellen, context,
  4046. sizeof(context) - 1, 1), 1)
  4047. || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
  4048. sizeof(ckeymat2), label,
  4049. labellen,
  4050. emptycontext,
  4051. 0, 1), 1)
  4052. || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
  4053. sizeof(ckeymat3), label,
  4054. labellen,
  4055. NULL, 0, 0), 1)
  4056. || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
  4057. sizeof(skeymat1), label,
  4058. labellen,
  4059. context,
  4060. sizeof(context) -1, 1),
  4061. 1)
  4062. || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
  4063. sizeof(skeymat2), label,
  4064. labellen,
  4065. emptycontext,
  4066. 0, 1), 1)
  4067. || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
  4068. sizeof(skeymat3), label,
  4069. labellen,
  4070. NULL, 0, 0), 1)
  4071. /*
  4072. * Check that both sides created the same key material with the
  4073. * same context.
  4074. */
  4075. || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
  4076. sizeof(skeymat1))
  4077. /*
  4078. * Check that both sides created the same key material with an
  4079. * empty context.
  4080. */
  4081. || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
  4082. sizeof(skeymat2))
  4083. /*
  4084. * Check that both sides created the same key material without a
  4085. * context.
  4086. */
  4087. || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
  4088. sizeof(skeymat3))
  4089. /* Different contexts should produce different results */
  4090. || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
  4091. sizeof(ckeymat2)))
  4092. goto end;
  4093. /*
  4094. * Check that an empty context and no context produce different results in
  4095. * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
  4096. */
  4097. if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
  4098. sizeof(ckeymat3)))
  4099. || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
  4100. sizeof(ckeymat3))))
  4101. goto end;
  4102. testresult = 1;
  4103. end:
  4104. SSL_free(serverssl);
  4105. SSL_free(clientssl);
  4106. SSL_CTX_free(sctx2);
  4107. SSL_CTX_free(sctx);
  4108. SSL_CTX_free(cctx);
  4109. return testresult;
  4110. }
  4111. #ifndef OPENSSL_NO_TLS1_3
  4112. /*
  4113. * Test that SSL_export_keying_material_early() produces expected
  4114. * results. There are no test vectors so all we do is test that both
  4115. * sides of the communication produce the same results for different
  4116. * protocol versions.
  4117. */
  4118. static int test_export_key_mat_early(int idx)
  4119. {
  4120. static const char label[] = "test label";
  4121. static const unsigned char context[] = "context";
  4122. int testresult = 0;
  4123. SSL_CTX *cctx = NULL, *sctx = NULL;
  4124. SSL *clientssl = NULL, *serverssl = NULL;
  4125. SSL_SESSION *sess = NULL;
  4126. const unsigned char *emptycontext = NULL;
  4127. unsigned char ckeymat1[80], ckeymat2[80];
  4128. unsigned char skeymat1[80], skeymat2[80];
  4129. unsigned char buf[1];
  4130. size_t readbytes, written;
  4131. if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
  4132. &sess, idx)))
  4133. goto end;
  4134. /* Here writing 0 length early data is enough. */
  4135. if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
  4136. || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
  4137. &readbytes),
  4138. SSL_READ_EARLY_DATA_ERROR)
  4139. || !TEST_int_eq(SSL_get_early_data_status(serverssl),
  4140. SSL_EARLY_DATA_ACCEPTED))
  4141. goto end;
  4142. if (!TEST_int_eq(SSL_export_keying_material_early(
  4143. clientssl, ckeymat1, sizeof(ckeymat1), label,
  4144. sizeof(label) - 1, context, sizeof(context) - 1), 1)
  4145. || !TEST_int_eq(SSL_export_keying_material_early(
  4146. clientssl, ckeymat2, sizeof(ckeymat2), label,
  4147. sizeof(label) - 1, emptycontext, 0), 1)
  4148. || !TEST_int_eq(SSL_export_keying_material_early(
  4149. serverssl, skeymat1, sizeof(skeymat1), label,
  4150. sizeof(label) - 1, context, sizeof(context) - 1), 1)
  4151. || !TEST_int_eq(SSL_export_keying_material_early(
  4152. serverssl, skeymat2, sizeof(skeymat2), label,
  4153. sizeof(label) - 1, emptycontext, 0), 1)
  4154. /*
  4155. * Check that both sides created the same key material with the
  4156. * same context.
  4157. */
  4158. || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
  4159. sizeof(skeymat1))
  4160. /*
  4161. * Check that both sides created the same key material with an
  4162. * empty context.
  4163. */
  4164. || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
  4165. sizeof(skeymat2))
  4166. /* Different contexts should produce different results */
  4167. || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
  4168. sizeof(ckeymat2)))
  4169. goto end;
  4170. testresult = 1;
  4171. end:
  4172. SSL_SESSION_free(sess);
  4173. SSL_SESSION_free(clientpsk);
  4174. SSL_SESSION_free(serverpsk);
  4175. clientpsk = serverpsk = NULL;
  4176. SSL_free(serverssl);
  4177. SSL_free(clientssl);
  4178. SSL_CTX_free(sctx);
  4179. SSL_CTX_free(cctx);
  4180. return testresult;
  4181. }
  4182. #define NUM_KEY_UPDATE_MESSAGES 40
  4183. /*
  4184. * Test KeyUpdate.
  4185. */
  4186. static int test_key_update(void)
  4187. {
  4188. SSL_CTX *cctx = NULL, *sctx = NULL;
  4189. SSL *clientssl = NULL, *serverssl = NULL;
  4190. int testresult = 0, i, j;
  4191. char buf[20];
  4192. static char *mess = "A test message";
  4193. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
  4194. TLS_client_method(),
  4195. TLS1_3_VERSION,
  4196. 0,
  4197. &sctx, &cctx, cert, privkey))
  4198. || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  4199. NULL, NULL))
  4200. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  4201. SSL_ERROR_NONE)))
  4202. goto end;
  4203. for (j = 0; j < 2; j++) {
  4204. /* Send lots of KeyUpdate messages */
  4205. for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
  4206. if (!TEST_true(SSL_key_update(clientssl,
  4207. (j == 0)
  4208. ? SSL_KEY_UPDATE_NOT_REQUESTED
  4209. : SSL_KEY_UPDATE_REQUESTED))
  4210. || !TEST_true(SSL_do_handshake(clientssl)))
  4211. goto end;
  4212. }
  4213. /* Check that sending and receiving app data is ok */
  4214. if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
  4215. || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
  4216. strlen(mess)))
  4217. goto end;
  4218. if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
  4219. || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
  4220. strlen(mess)))
  4221. goto end;
  4222. }
  4223. testresult = 1;
  4224. end:
  4225. SSL_free(serverssl);
  4226. SSL_free(clientssl);
  4227. SSL_CTX_free(sctx);
  4228. SSL_CTX_free(cctx);
  4229. return testresult;
  4230. }
  4231. /*
  4232. * Test we can handle a KeyUpdate (update requested) message while write data
  4233. * is pending.
  4234. * Test 0: Client sends KeyUpdate while Server is writing
  4235. * Test 1: Server sends KeyUpdate while Client is writing
  4236. */
  4237. static int test_key_update_in_write(int tst)
  4238. {
  4239. SSL_CTX *cctx = NULL, *sctx = NULL;
  4240. SSL *clientssl = NULL, *serverssl = NULL;
  4241. int testresult = 0;
  4242. char buf[20];
  4243. static char *mess = "A test message";
  4244. BIO *bretry = BIO_new(bio_s_always_retry());
  4245. BIO *tmp = NULL;
  4246. SSL *peerupdate = NULL, *peerwrite = NULL;
  4247. if (!TEST_ptr(bretry)
  4248. || !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
  4249. TLS_client_method(),
  4250. TLS1_3_VERSION,
  4251. 0,
  4252. &sctx, &cctx, cert, privkey))
  4253. || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  4254. NULL, NULL))
  4255. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  4256. SSL_ERROR_NONE)))
  4257. goto end;
  4258. peerupdate = tst == 0 ? clientssl : serverssl;
  4259. peerwrite = tst == 0 ? serverssl : clientssl;
  4260. if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
  4261. || !TEST_true(SSL_do_handshake(peerupdate)))
  4262. goto end;
  4263. /* Swap the writing endpoint's write BIO to force a retry */
  4264. tmp = SSL_get_wbio(peerwrite);
  4265. if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
  4266. tmp = NULL;
  4267. goto end;
  4268. }
  4269. SSL_set0_wbio(peerwrite, bretry);
  4270. bretry = NULL;
  4271. /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
  4272. if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
  4273. || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
  4274. goto end;
  4275. /* Reinstate the original writing endpoint's write BIO */
  4276. SSL_set0_wbio(peerwrite, tmp);
  4277. tmp = NULL;
  4278. /* Now read some data - we will read the key update */
  4279. if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
  4280. || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
  4281. goto end;
  4282. /*
  4283. * Complete the write we started previously and read it from the other
  4284. * endpoint
  4285. */
  4286. if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
  4287. || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
  4288. goto end;
  4289. /* Write more data to ensure we send the KeyUpdate message back */
  4290. if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
  4291. || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
  4292. goto end;
  4293. testresult = 1;
  4294. end:
  4295. SSL_free(serverssl);
  4296. SSL_free(clientssl);
  4297. SSL_CTX_free(sctx);
  4298. SSL_CTX_free(cctx);
  4299. BIO_free(bretry);
  4300. BIO_free(tmp);
  4301. return testresult;
  4302. }
  4303. #endif /* OPENSSL_NO_TLS1_3 */
  4304. static int test_ssl_clear(int idx)
  4305. {
  4306. SSL_CTX *cctx = NULL, *sctx = NULL;
  4307. SSL *clientssl = NULL, *serverssl = NULL;
  4308. int testresult = 0;
  4309. #ifdef OPENSSL_NO_TLS1_2
  4310. if (idx == 1)
  4311. return 1;
  4312. #endif
  4313. /* Create an initial connection */
  4314. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
  4315. TLS1_VERSION, 0,
  4316. &sctx, &cctx, cert, privkey))
  4317. || (idx == 1
  4318. && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
  4319. TLS1_2_VERSION)))
  4320. || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
  4321. &clientssl, NULL, NULL))
  4322. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  4323. SSL_ERROR_NONE)))
  4324. goto end;
  4325. SSL_shutdown(clientssl);
  4326. SSL_shutdown(serverssl);
  4327. SSL_free(serverssl);
  4328. serverssl = NULL;
  4329. /* Clear clientssl - we're going to reuse the object */
  4330. if (!TEST_true(SSL_clear(clientssl)))
  4331. goto end;
  4332. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  4333. NULL, NULL))
  4334. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  4335. SSL_ERROR_NONE))
  4336. || !TEST_true(SSL_session_reused(clientssl)))
  4337. goto end;
  4338. SSL_shutdown(clientssl);
  4339. SSL_shutdown(serverssl);
  4340. testresult = 1;
  4341. end:
  4342. SSL_free(serverssl);
  4343. SSL_free(clientssl);
  4344. SSL_CTX_free(sctx);
  4345. SSL_CTX_free(cctx);
  4346. return testresult;
  4347. }
  4348. /* Parse CH and retrieve any MFL extension value if present */
  4349. static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
  4350. {
  4351. long len;
  4352. unsigned char *data;
  4353. PACKET pkt, pkt2, pkt3;
  4354. unsigned int MFL_code = 0, type = 0;
  4355. if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
  4356. goto end;
  4357. memset(&pkt, 0, sizeof(pkt));
  4358. memset(&pkt2, 0, sizeof(pkt2));
  4359. memset(&pkt3, 0, sizeof(pkt3));
  4360. if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
  4361. /* Skip the record header */
  4362. || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
  4363. /* Skip the handshake message header */
  4364. || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
  4365. /* Skip client version and random */
  4366. || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
  4367. + SSL3_RANDOM_SIZE))
  4368. /* Skip session id */
  4369. || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
  4370. /* Skip ciphers */
  4371. || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
  4372. /* Skip compression */
  4373. || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
  4374. /* Extensions len */
  4375. || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
  4376. goto end;
  4377. /* Loop through all extensions */
  4378. while (PACKET_remaining(&pkt2)) {
  4379. if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
  4380. || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
  4381. goto end;
  4382. if (type == TLSEXT_TYPE_max_fragment_length) {
  4383. if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
  4384. || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
  4385. goto end;
  4386. *mfl_codemfl_code = MFL_code;
  4387. return 1;
  4388. }
  4389. }
  4390. end:
  4391. return 0;
  4392. }
  4393. /* Maximum-Fragment-Length TLS extension mode to test */
  4394. static const unsigned char max_fragment_len_test[] = {
  4395. TLSEXT_max_fragment_length_512,
  4396. TLSEXT_max_fragment_length_1024,
  4397. TLSEXT_max_fragment_length_2048,
  4398. TLSEXT_max_fragment_length_4096
  4399. };
  4400. static int test_max_fragment_len_ext(int idx_tst)
  4401. {
  4402. SSL_CTX *ctx;
  4403. SSL *con = NULL;
  4404. int testresult = 0, MFL_mode = 0;
  4405. BIO *rbio, *wbio;
  4406. ctx = SSL_CTX_new(TLS_method());
  4407. if (!TEST_ptr(ctx))
  4408. goto end;
  4409. if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
  4410. ctx, max_fragment_len_test[idx_tst])))
  4411. goto end;
  4412. con = SSL_new(ctx);
  4413. if (!TEST_ptr(con))
  4414. goto end;
  4415. rbio = BIO_new(BIO_s_mem());
  4416. wbio = BIO_new(BIO_s_mem());
  4417. if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
  4418. BIO_free(rbio);
  4419. BIO_free(wbio);
  4420. goto end;
  4421. }
  4422. SSL_set_bio(con, rbio, wbio);
  4423. SSL_set_connect_state(con);
  4424. if (!TEST_int_le(SSL_connect(con), 0)) {
  4425. /* This shouldn't succeed because we don't have a server! */
  4426. goto end;
  4427. }
  4428. if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
  4429. /* no MFL in client hello */
  4430. goto end;
  4431. if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
  4432. goto end;
  4433. testresult = 1;
  4434. end:
  4435. SSL_free(con);
  4436. SSL_CTX_free(ctx);
  4437. return testresult;
  4438. }
  4439. #ifndef OPENSSL_NO_TLS1_3
  4440. static int test_pha_key_update(void)
  4441. {
  4442. SSL_CTX *cctx = NULL, *sctx = NULL;
  4443. SSL *clientssl = NULL, *serverssl = NULL;
  4444. int testresult = 0;
  4445. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
  4446. TLS1_VERSION, 0,
  4447. &sctx, &cctx, cert, privkey)))
  4448. return 0;
  4449. if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
  4450. || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
  4451. || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
  4452. || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
  4453. goto end;
  4454. SSL_CTX_set_post_handshake_auth(cctx, 1);
  4455. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  4456. NULL, NULL)))
  4457. goto end;
  4458. if (!TEST_true(create_ssl_connection(serverssl, clientssl,
  4459. SSL_ERROR_NONE)))
  4460. goto end;
  4461. SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
  4462. if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
  4463. goto end;
  4464. if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
  4465. goto end;
  4466. /* Start handshake on the server */
  4467. if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
  4468. goto end;
  4469. /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
  4470. if (!TEST_true(create_ssl_connection(serverssl, clientssl,
  4471. SSL_ERROR_NONE)))
  4472. goto end;
  4473. SSL_shutdown(clientssl);
  4474. SSL_shutdown(serverssl);
  4475. testresult = 1;
  4476. end:
  4477. SSL_free(serverssl);
  4478. SSL_free(clientssl);
  4479. SSL_CTX_free(sctx);
  4480. SSL_CTX_free(cctx);
  4481. return testresult;
  4482. }
  4483. #endif
  4484. #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
  4485. static SRP_VBASE *vbase = NULL;
  4486. static int ssl_srp_cb(SSL *s, int *ad, void *arg)
  4487. {
  4488. int ret = SSL3_AL_FATAL;
  4489. char *username;
  4490. SRP_user_pwd *user = NULL;
  4491. username = SSL_get_srp_username(s);
  4492. if (username == NULL) {
  4493. *ad = SSL_AD_INTERNAL_ERROR;
  4494. goto err;
  4495. }
  4496. user = SRP_VBASE_get1_by_user(vbase, username);
  4497. if (user == NULL) {
  4498. *ad = SSL_AD_INTERNAL_ERROR;
  4499. goto err;
  4500. }
  4501. if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
  4502. user->info) <= 0) {
  4503. *ad = SSL_AD_INTERNAL_ERROR;
  4504. goto err;
  4505. }
  4506. ret = 0;
  4507. err:
  4508. SRP_user_pwd_free(user);
  4509. return ret;
  4510. }
  4511. static int create_new_vfile(char *userid, char *password, const char *filename)
  4512. {
  4513. char *gNid = NULL;
  4514. OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
  4515. TXT_DB *db = NULL;
  4516. int ret = 0;
  4517. BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
  4518. size_t i;
  4519. if (!TEST_ptr(dummy) || !TEST_ptr(row))
  4520. goto end;
  4521. gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
  4522. &row[DB_srpverifier], NULL, NULL);
  4523. if (!TEST_ptr(gNid))
  4524. goto end;
  4525. /*
  4526. * The only way to create an empty TXT_DB is to provide a BIO with no data
  4527. * in it!
  4528. */
  4529. db = TXT_DB_read(dummy, DB_NUMBER);
  4530. if (!TEST_ptr(db))
  4531. goto end;
  4532. out = BIO_new_file(filename, "w");
  4533. if (!TEST_ptr(out))
  4534. goto end;
  4535. row[DB_srpid] = OPENSSL_strdup(userid);
  4536. row[DB_srptype] = OPENSSL_strdup("V");
  4537. row[DB_srpgN] = OPENSSL_strdup(gNid);
  4538. if (!TEST_ptr(row[DB_srpid])
  4539. || !TEST_ptr(row[DB_srptype])
  4540. || !TEST_ptr(row[DB_srpgN])
  4541. || !TEST_true(TXT_DB_insert(db, row)))
  4542. goto end;
  4543. row = NULL;
  4544. if (!TXT_DB_write(out, db))
  4545. goto end;
  4546. ret = 1;
  4547. end:
  4548. if (row != NULL) {
  4549. for (i = 0; i < DB_NUMBER; i++)
  4550. OPENSSL_free(row[i]);
  4551. }
  4552. OPENSSL_free(row);
  4553. BIO_free(dummy);
  4554. BIO_free(out);
  4555. TXT_DB_free(db);
  4556. return ret;
  4557. }
  4558. static int create_new_vbase(char *userid, char *password)
  4559. {
  4560. BIGNUM *verifier = NULL, *salt = NULL;
  4561. const SRP_gN *lgN = NULL;
  4562. SRP_user_pwd *user_pwd = NULL;
  4563. int ret = 0;
  4564. lgN = SRP_get_default_gN(NULL);
  4565. if (!TEST_ptr(lgN))
  4566. goto end;
  4567. if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
  4568. lgN->N, lgN->g)))
  4569. goto end;
  4570. user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
  4571. if (!TEST_ptr(user_pwd))
  4572. goto end;
  4573. user_pwd->N = lgN->N;
  4574. user_pwd->g = lgN->g;
  4575. user_pwd->id = OPENSSL_strdup(userid);
  4576. if (!TEST_ptr(user_pwd->id))
  4577. goto end;
  4578. user_pwd->v = verifier;
  4579. user_pwd->s = salt;
  4580. verifier = salt = NULL;
  4581. if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
  4582. goto end;
  4583. user_pwd = NULL;
  4584. ret = 1;
  4585. end:
  4586. SRP_user_pwd_free(user_pwd);
  4587. BN_free(salt);
  4588. BN_free(verifier);
  4589. return ret;
  4590. }
  4591. /*
  4592. * SRP tests
  4593. *
  4594. * Test 0: Simple successful SRP connection, new vbase
  4595. * Test 1: Connection failure due to bad password, new vbase
  4596. * Test 2: Simple successful SRP connection, vbase loaded from existing file
  4597. * Test 3: Connection failure due to bad password, vbase loaded from existing
  4598. * file
  4599. * Test 4: Simple successful SRP connection, vbase loaded from new file
  4600. * Test 5: Connection failure due to bad password, vbase loaded from new file
  4601. */
  4602. static int test_srp(int tst)
  4603. {
  4604. char *userid = "test", *password = "password", *tstsrpfile;
  4605. SSL_CTX *cctx = NULL, *sctx = NULL;
  4606. SSL *clientssl = NULL, *serverssl = NULL;
  4607. int ret, testresult = 0;
  4608. vbase = SRP_VBASE_new(NULL);
  4609. if (!TEST_ptr(vbase))
  4610. goto end;
  4611. if (tst == 0 || tst == 1) {
  4612. if (!TEST_true(create_new_vbase(userid, password)))
  4613. goto end;
  4614. } else {
  4615. if (tst == 4 || tst == 5) {
  4616. if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
  4617. goto end;
  4618. tstsrpfile = tmpfilename;
  4619. } else {
  4620. tstsrpfile = srpvfile;
  4621. }
  4622. if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
  4623. goto end;
  4624. }
  4625. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
  4626. TLS1_VERSION, 0,
  4627. &sctx, &cctx, cert, privkey)))
  4628. goto end;
  4629. if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
  4630. || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
  4631. || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
  4632. || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
  4633. || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
  4634. goto end;
  4635. if (tst % 2 == 1) {
  4636. if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
  4637. goto end;
  4638. } else {
  4639. if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
  4640. goto end;
  4641. }
  4642. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  4643. NULL, NULL)))
  4644. goto end;
  4645. ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
  4646. if (ret) {
  4647. if (!TEST_true(tst % 2 == 0))
  4648. goto end;
  4649. } else {
  4650. if (!TEST_true(tst % 2 == 1))
  4651. goto end;
  4652. }
  4653. testresult = 1;
  4654. end:
  4655. SRP_VBASE_free(vbase);
  4656. vbase = NULL;
  4657. SSL_free(serverssl);
  4658. SSL_free(clientssl);
  4659. SSL_CTX_free(sctx);
  4660. SSL_CTX_free(cctx);
  4661. return testresult;
  4662. }
  4663. #endif
  4664. static int info_cb_failed = 0;
  4665. static int info_cb_offset = 0;
  4666. static int info_cb_this_state = -1;
  4667. static struct info_cb_states_st {
  4668. int where;
  4669. const char *statestr;
  4670. } info_cb_states[][60] = {
  4671. {
  4672. /* TLSv1.2 server followed by resumption */
  4673. {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
  4674. {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
  4675. {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
  4676. {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
  4677. {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
  4678. {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
  4679. {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
  4680. {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
  4681. {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
  4682. {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
  4683. {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
  4684. {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
  4685. {SSL_CB_EXIT, NULL}, {0, NULL},
  4686. }, {
  4687. /* TLSv1.2 client followed by resumption */
  4688. {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
  4689. {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
  4690. {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
  4691. {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
  4692. {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
  4693. {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
  4694. {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
  4695. {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
  4696. {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
  4697. {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
  4698. {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
  4699. {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
  4700. }, {
  4701. /* TLSv1.3 server followed by resumption */
  4702. {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
  4703. {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
  4704. {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
  4705. {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
  4706. {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
  4707. {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
  4708. {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
  4709. {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
  4710. {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
  4711. {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
  4712. {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
  4713. {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
  4714. {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
  4715. }, {
  4716. /* TLSv1.3 client followed by resumption */
  4717. {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
  4718. {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
  4719. {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
  4720. {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
  4721. {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
  4722. {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
  4723. {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
  4724. {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
  4725. {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
  4726. {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
  4727. {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
  4728. {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
  4729. {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
  4730. {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
  4731. {SSL_CB_EXIT, NULL}, {0, NULL},
  4732. }, {
  4733. /* TLSv1.3 server, early_data */
  4734. {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
  4735. {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
  4736. {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
  4737. {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
  4738. {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
  4739. {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
  4740. {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
  4741. {SSL_CB_EXIT, NULL}, {0, NULL},
  4742. }, {
  4743. /* TLSv1.3 client, early_data */
  4744. {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
  4745. {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
  4746. {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
  4747. {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
  4748. {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
  4749. {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
  4750. {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
  4751. {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
  4752. {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
  4753. }, {
  4754. {0, NULL},
  4755. }
  4756. };
  4757. static void sslapi_info_callback(const SSL *s, int where, int ret)
  4758. {
  4759. struct info_cb_states_st *state = info_cb_states[info_cb_offset];
  4760. /* We do not ever expect a connection to fail in this test */
  4761. if (!TEST_false(ret == 0)) {
  4762. info_cb_failed = 1;
  4763. return;
  4764. }
  4765. /*
  4766. * Do some sanity checks. We never expect these things to happen in this
  4767. * test
  4768. */
  4769. if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
  4770. || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
  4771. || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
  4772. info_cb_failed = 1;
  4773. return;
  4774. }
  4775. /* Now check we're in the right state */
  4776. if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
  4777. info_cb_failed = 1;
  4778. return;
  4779. }
  4780. if ((where & SSL_CB_LOOP) != 0
  4781. && !TEST_int_eq(strcmp(SSL_state_string(s),
  4782. state[info_cb_this_state].statestr), 0)) {
  4783. info_cb_failed = 1;
  4784. return;
  4785. }
  4786. /*
  4787. * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
  4788. */
  4789. if ((where & SSL_CB_HANDSHAKE_DONE)
  4790. && SSL_in_init((SSL *)s) != 0) {
  4791. info_cb_failed = 1;
  4792. return;
  4793. }
  4794. }
  4795. /*
  4796. * Test the info callback gets called when we expect it to.
  4797. *
  4798. * Test 0: TLSv1.2, server
  4799. * Test 1: TLSv1.2, client
  4800. * Test 2: TLSv1.3, server
  4801. * Test 3: TLSv1.3, client
  4802. * Test 4: TLSv1.3, server, early_data
  4803. * Test 5: TLSv1.3, client, early_data
  4804. */
  4805. static int test_info_callback(int tst)
  4806. {
  4807. SSL_CTX *cctx = NULL, *sctx = NULL;
  4808. SSL *clientssl = NULL, *serverssl = NULL;
  4809. SSL_SESSION *clntsess = NULL;
  4810. int testresult = 0;
  4811. int tlsvers;
  4812. if (tst < 2) {
  4813. /* We need either ECDHE or DHE for the TLSv1.2 test to work */
  4814. #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
  4815. || !defined(OPENSSL_NO_DH))
  4816. tlsvers = TLS1_2_VERSION;
  4817. #else
  4818. return 1;
  4819. #endif
  4820. } else {
  4821. #ifndef OPENSSL_NO_TLS1_3
  4822. tlsvers = TLS1_3_VERSION;
  4823. #else
  4824. return 1;
  4825. #endif
  4826. }
  4827. /* Reset globals */
  4828. info_cb_failed = 0;
  4829. info_cb_this_state = -1;
  4830. info_cb_offset = tst;
  4831. #ifndef OPENSSL_NO_TLS1_3
  4832. if (tst >= 4) {
  4833. SSL_SESSION *sess = NULL;
  4834. size_t written, readbytes;
  4835. unsigned char buf[80];
  4836. /* early_data tests */
  4837. if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
  4838. &serverssl, &sess, 0)))
  4839. goto end;
  4840. /* We don't actually need this reference */
  4841. SSL_SESSION_free(sess);
  4842. SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
  4843. sslapi_info_callback);
  4844. /* Write and read some early data and then complete the connection */
  4845. if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
  4846. &written))
  4847. || !TEST_size_t_eq(written, strlen(MSG1))
  4848. || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
  4849. sizeof(buf), &readbytes),
  4850. SSL_READ_EARLY_DATA_SUCCESS)
  4851. || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
  4852. || !TEST_int_eq(SSL_get_early_data_status(serverssl),
  4853. SSL_EARLY_DATA_ACCEPTED)
  4854. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  4855. SSL_ERROR_NONE))
  4856. || !TEST_false(info_cb_failed))
  4857. goto end;
  4858. testresult = 1;
  4859. goto end;
  4860. }
  4861. #endif
  4862. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
  4863. TLS_client_method(),
  4864. tlsvers, tlsvers, &sctx, &cctx, cert,
  4865. privkey)))
  4866. goto end;
  4867. /*
  4868. * For even numbered tests we check the server callbacks. For odd numbers we
  4869. * check the client.
  4870. */
  4871. SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
  4872. sslapi_info_callback);
  4873. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
  4874. &clientssl, NULL, NULL))
  4875. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  4876. SSL_ERROR_NONE))
  4877. || !TEST_false(info_cb_failed))
  4878. goto end;
  4879. clntsess = SSL_get1_session(clientssl);
  4880. SSL_shutdown(clientssl);
  4881. SSL_shutdown(serverssl);
  4882. SSL_free(serverssl);
  4883. SSL_free(clientssl);
  4884. serverssl = clientssl = NULL;
  4885. /* Now do a resumption */
  4886. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
  4887. NULL))
  4888. || !TEST_true(SSL_set_session(clientssl, clntsess))
  4889. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  4890. SSL_ERROR_NONE))
  4891. || !TEST_true(SSL_session_reused(clientssl))
  4892. || !TEST_false(info_cb_failed))
  4893. goto end;
  4894. testresult = 1;
  4895. end:
  4896. SSL_free(serverssl);
  4897. SSL_free(clientssl);
  4898. SSL_SESSION_free(clntsess);
  4899. SSL_CTX_free(sctx);
  4900. SSL_CTX_free(cctx);
  4901. return testresult;
  4902. }
  4903. static int test_ssl_pending(int tst)
  4904. {
  4905. SSL_CTX *cctx = NULL, *sctx = NULL;
  4906. SSL *clientssl = NULL, *serverssl = NULL;
  4907. int testresult = 0;
  4908. char msg[] = "A test message";
  4909. char buf[5];
  4910. size_t written, readbytes;
  4911. if (tst == 0) {
  4912. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
  4913. TLS_client_method(),
  4914. TLS1_VERSION, 0,
  4915. &sctx, &cctx, cert, privkey)))
  4916. goto end;
  4917. } else {
  4918. #ifndef OPENSSL_NO_DTLS
  4919. if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
  4920. DTLS_client_method(),
  4921. DTLS1_VERSION, 0,
  4922. &sctx, &cctx, cert, privkey)))
  4923. goto end;
  4924. #else
  4925. return 1;
  4926. #endif
  4927. }
  4928. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  4929. NULL, NULL))
  4930. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  4931. SSL_ERROR_NONE)))
  4932. goto end;
  4933. if (!TEST_int_eq(SSL_pending(clientssl), 0)
  4934. || !TEST_false(SSL_has_pending(clientssl))
  4935. || !TEST_int_eq(SSL_pending(serverssl), 0)
  4936. || !TEST_false(SSL_has_pending(serverssl))
  4937. || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
  4938. || !TEST_size_t_eq(written, sizeof(msg))
  4939. || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
  4940. || !TEST_size_t_eq(readbytes, sizeof(buf))
  4941. || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
  4942. || !TEST_true(SSL_has_pending(clientssl)))
  4943. goto end;
  4944. testresult = 1;
  4945. end:
  4946. SSL_free(serverssl);
  4947. SSL_free(clientssl);
  4948. SSL_CTX_free(sctx);
  4949. SSL_CTX_free(cctx);
  4950. return testresult;
  4951. }
  4952. static struct {
  4953. unsigned int maxprot;
  4954. const char *clntciphers;
  4955. const char *clnttls13ciphers;
  4956. const char *srvrciphers;
  4957. const char *srvrtls13ciphers;
  4958. const char *shared;
  4959. } shared_ciphers_data[] = {
  4960. /*
  4961. * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
  4962. * TLSv1.3 is enabled but TLSv1.2 is disabled.
  4963. */
  4964. #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
  4965. {
  4966. TLS1_2_VERSION,
  4967. "AES128-SHA:AES256-SHA",
  4968. NULL,
  4969. "AES256-SHA:DHE-RSA-AES128-SHA",
  4970. NULL,
  4971. "AES256-SHA"
  4972. },
  4973. {
  4974. TLS1_2_VERSION,
  4975. "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
  4976. NULL,
  4977. "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
  4978. NULL,
  4979. "AES128-SHA:AES256-SHA"
  4980. },
  4981. {
  4982. TLS1_2_VERSION,
  4983. "AES128-SHA:AES256-SHA",
  4984. NULL,
  4985. "AES128-SHA:DHE-RSA-AES128-SHA",
  4986. NULL,
  4987. "AES128-SHA"
  4988. },
  4989. #endif
  4990. /*
  4991. * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
  4992. * enabled.
  4993. */
  4994. #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
  4995. && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
  4996. {
  4997. TLS1_3_VERSION,
  4998. "AES128-SHA:AES256-SHA",
  4999. NULL,
  5000. "AES256-SHA:AES128-SHA256",
  5001. NULL,
  5002. "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
  5003. "TLS_AES_128_GCM_SHA256:AES256-SHA"
  5004. },
  5005. #endif
  5006. #ifndef OPENSSL_NO_TLS1_3
  5007. {
  5008. TLS1_3_VERSION,
  5009. "AES128-SHA",
  5010. "TLS_AES_256_GCM_SHA384",
  5011. "AES256-SHA",
  5012. "TLS_AES_256_GCM_SHA384",
  5013. "TLS_AES_256_GCM_SHA384"
  5014. },
  5015. #endif
  5016. };
  5017. static int test_ssl_get_shared_ciphers(int tst)
  5018. {
  5019. SSL_CTX *cctx = NULL, *sctx = NULL;
  5020. SSL *clientssl = NULL, *serverssl = NULL;
  5021. int testresult = 0;
  5022. char buf[1024];
  5023. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
  5024. TLS_client_method(),
  5025. TLS1_VERSION,
  5026. shared_ciphers_data[tst].maxprot,
  5027. &sctx, &cctx, cert, privkey)))
  5028. goto end;
  5029. if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
  5030. shared_ciphers_data[tst].clntciphers))
  5031. || (shared_ciphers_data[tst].clnttls13ciphers != NULL
  5032. && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
  5033. shared_ciphers_data[tst].clnttls13ciphers)))
  5034. || !TEST_true(SSL_CTX_set_cipher_list(sctx,
  5035. shared_ciphers_data[tst].srvrciphers))
  5036. || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
  5037. && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
  5038. shared_ciphers_data[tst].srvrtls13ciphers))))
  5039. goto end;
  5040. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  5041. NULL, NULL))
  5042. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  5043. SSL_ERROR_NONE)))
  5044. goto end;
  5045. if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
  5046. || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
  5047. TEST_info("Shared ciphers are: %s\n", buf);
  5048. goto end;
  5049. }
  5050. testresult = 1;
  5051. end:
  5052. SSL_free(serverssl);
  5053. SSL_free(clientssl);
  5054. SSL_CTX_free(sctx);
  5055. SSL_CTX_free(cctx);
  5056. return testresult;
  5057. }
  5058. static const char *appdata = "Hello World";
  5059. static int gen_tick_called, dec_tick_called, tick_key_cb_called;
  5060. static int tick_key_renew = 0;
  5061. static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
  5062. static int gen_tick_cb(SSL *s, void *arg)
  5063. {
  5064. gen_tick_called = 1;
  5065. return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
  5066. strlen(appdata));
  5067. }
  5068. static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
  5069. const unsigned char *keyname,
  5070. size_t keyname_length,
  5071. SSL_TICKET_STATUS status,
  5072. void *arg)
  5073. {
  5074. void *tickdata;
  5075. size_t tickdlen;
  5076. dec_tick_called = 1;
  5077. if (status == SSL_TICKET_EMPTY)
  5078. return SSL_TICKET_RETURN_IGNORE_RENEW;
  5079. if (!TEST_true(status == SSL_TICKET_SUCCESS
  5080. || status == SSL_TICKET_SUCCESS_RENEW))
  5081. return SSL_TICKET_RETURN_ABORT;
  5082. if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
  5083. &tickdlen))
  5084. || !TEST_size_t_eq(tickdlen, strlen(appdata))
  5085. || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
  5086. return SSL_TICKET_RETURN_ABORT;
  5087. if (tick_key_cb_called) {
  5088. /* Don't change what the ticket key callback wanted to do */
  5089. switch (status) {
  5090. case SSL_TICKET_NO_DECRYPT:
  5091. return SSL_TICKET_RETURN_IGNORE_RENEW;
  5092. case SSL_TICKET_SUCCESS:
  5093. return SSL_TICKET_RETURN_USE;
  5094. case SSL_TICKET_SUCCESS_RENEW:
  5095. return SSL_TICKET_RETURN_USE_RENEW;
  5096. default:
  5097. return SSL_TICKET_RETURN_ABORT;
  5098. }
  5099. }
  5100. return tick_dec_ret;
  5101. }
  5102. static int tick_key_cb(SSL *s, unsigned char key_name[16],
  5103. unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
  5104. HMAC_CTX *hctx, int enc)
  5105. {
  5106. const unsigned char tick_aes_key[16] = "0123456789abcdef";
  5107. const unsigned char tick_hmac_key[16] = "0123456789abcdef";
  5108. tick_key_cb_called = 1;
  5109. memset(iv, 0, AES_BLOCK_SIZE);
  5110. memset(key_name, 0, 16);
  5111. if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
  5112. || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
  5113. EVP_sha256(), NULL))
  5114. return -1;
  5115. return tick_key_renew ? 2 : 1;
  5116. }
  5117. /*
  5118. * Test the various ticket callbacks
  5119. * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
  5120. * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
  5121. * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
  5122. * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
  5123. * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
  5124. * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
  5125. * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
  5126. * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
  5127. * Test 8: TLSv1.2, ticket key callback, ticket, no renewal
  5128. * Test 9: TLSv1.3, ticket key callback, ticket, no renewal
  5129. * Test 10: TLSv1.2, ticket key callback, ticket, renewal
  5130. * Test 11: TLSv1.3, ticket key callback, ticket, renewal
  5131. */
  5132. static int test_ticket_callbacks(int tst)
  5133. {
  5134. SSL_CTX *cctx = NULL, *sctx = NULL;
  5135. SSL *clientssl = NULL, *serverssl = NULL;
  5136. SSL_SESSION *clntsess = NULL;
  5137. int testresult = 0;
  5138. #ifdef OPENSSL_NO_TLS1_2
  5139. if (tst % 2 == 0)
  5140. return 1;
  5141. #endif
  5142. #ifdef OPENSSL_NO_TLS1_3
  5143. if (tst % 2 == 1)
  5144. return 1;
  5145. #endif
  5146. gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
  5147. /* Which tests the ticket key callback should request renewal for */
  5148. if (tst == 10 || tst == 11)
  5149. tick_key_renew = 1;
  5150. else
  5151. tick_key_renew = 0;
  5152. /* Which tests the decrypt ticket callback should request renewal for */
  5153. switch (tst) {
  5154. case 0:
  5155. case 1:
  5156. tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
  5157. break;
  5158. case 2:
  5159. case 3:
  5160. tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
  5161. break;
  5162. case 4:
  5163. case 5:
  5164. tick_dec_ret = SSL_TICKET_RETURN_USE;
  5165. break;
  5166. case 6:
  5167. case 7:
  5168. tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
  5169. break;
  5170. default:
  5171. tick_dec_ret = SSL_TICKET_RETURN_ABORT;
  5172. }
  5173. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
  5174. TLS_client_method(),
  5175. TLS1_VERSION,
  5176. ((tst % 2) == 0) ? TLS1_2_VERSION
  5177. : TLS1_3_VERSION,
  5178. &sctx, &cctx, cert, privkey)))
  5179. goto end;
  5180. /*
  5181. * We only want sessions to resume from tickets - not the session cache. So
  5182. * switch the cache off.
  5183. */
  5184. if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
  5185. goto end;
  5186. if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
  5187. NULL)))
  5188. goto end;
  5189. if (tst >= 8
  5190. && !TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
  5191. goto end;
  5192. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  5193. NULL, NULL))
  5194. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  5195. SSL_ERROR_NONE)))
  5196. goto end;
  5197. /*
  5198. * The decrypt ticket key callback in TLSv1.2 should be called even though
  5199. * we have no ticket yet, because it gets called with a status of
  5200. * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
  5201. * actually send any ticket data). This does not happen in TLSv1.3 because
  5202. * it is not valid to send empty ticket data in TLSv1.3.
  5203. */
  5204. if (!TEST_int_eq(gen_tick_called, 1)
  5205. || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
  5206. goto end;
  5207. gen_tick_called = dec_tick_called = 0;
  5208. clntsess = SSL_get1_session(clientssl);
  5209. SSL_shutdown(clientssl);
  5210. SSL_shutdown(serverssl);
  5211. SSL_free(serverssl);
  5212. SSL_free(clientssl);
  5213. serverssl = clientssl = NULL;
  5214. /* Now do a resumption */
  5215. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
  5216. NULL))
  5217. || !TEST_true(SSL_set_session(clientssl, clntsess))
  5218. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  5219. SSL_ERROR_NONE)))
  5220. goto end;
  5221. if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
  5222. || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
  5223. if (!TEST_false(SSL_session_reused(clientssl)))
  5224. goto end;
  5225. } else {
  5226. if (!TEST_true(SSL_session_reused(clientssl)))
  5227. goto end;
  5228. }
  5229. if (!TEST_int_eq(gen_tick_called,
  5230. (tick_key_renew
  5231. || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
  5232. || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
  5233. ? 1 : 0)
  5234. || !TEST_int_eq(dec_tick_called, 1))
  5235. goto end;
  5236. testresult = 1;
  5237. end:
  5238. SSL_SESSION_free(clntsess);
  5239. SSL_free(serverssl);
  5240. SSL_free(clientssl);
  5241. SSL_CTX_free(sctx);
  5242. SSL_CTX_free(cctx);
  5243. return testresult;
  5244. }
  5245. /*
  5246. * Test bi-directional shutdown.
  5247. * Test 0: TLSv1.2
  5248. * Test 1: TLSv1.2, server continues to read/write after client shutdown
  5249. * Test 2: TLSv1.3, no pending NewSessionTicket messages
  5250. * Test 3: TLSv1.3, pending NewSessionTicket messages
  5251. * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
  5252. * sends key update, client reads it
  5253. * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
  5254. * sends CertificateRequest, client reads and ignores it
  5255. * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
  5256. * doesn't read it
  5257. */
  5258. static int test_shutdown(int tst)
  5259. {
  5260. SSL_CTX *cctx = NULL, *sctx = NULL;
  5261. SSL *clientssl = NULL, *serverssl = NULL;
  5262. int testresult = 0;
  5263. char msg[] = "A test message";
  5264. char buf[80];
  5265. size_t written, readbytes;
  5266. SSL_SESSION *sess;
  5267. #ifdef OPENSSL_NO_TLS1_2
  5268. if (tst <= 1)
  5269. return 1;
  5270. #endif
  5271. #ifdef OPENSSL_NO_TLS1_3
  5272. if (tst >= 2)
  5273. return 1;
  5274. #endif
  5275. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
  5276. TLS_client_method(),
  5277. TLS1_VERSION,
  5278. (tst <= 1) ? TLS1_2_VERSION
  5279. : TLS1_3_VERSION,
  5280. &sctx, &cctx, cert, privkey)))
  5281. goto end;
  5282. if (tst == 5)
  5283. SSL_CTX_set_post_handshake_auth(cctx, 1);
  5284. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  5285. NULL, NULL)))
  5286. goto end;
  5287. if (tst == 3) {
  5288. if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
  5289. SSL_ERROR_NONE, 1))
  5290. || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
  5291. || !TEST_false(SSL_SESSION_is_resumable(sess)))
  5292. goto end;
  5293. } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
  5294. SSL_ERROR_NONE))
  5295. || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
  5296. || !TEST_true(SSL_SESSION_is_resumable(sess))) {
  5297. goto end;
  5298. }
  5299. if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
  5300. goto end;
  5301. if (tst >= 4) {
  5302. /*
  5303. * Reading on the server after the client has sent close_notify should
  5304. * fail and provide SSL_ERROR_ZERO_RETURN
  5305. */
  5306. if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
  5307. || !TEST_int_eq(SSL_get_error(serverssl, 0),
  5308. SSL_ERROR_ZERO_RETURN)
  5309. || !TEST_int_eq(SSL_get_shutdown(serverssl),
  5310. SSL_RECEIVED_SHUTDOWN)
  5311. /*
  5312. * Even though we're shutdown on receive we should still be
  5313. * able to write.
  5314. */
  5315. || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
  5316. goto end;
  5317. if (tst == 4
  5318. && !TEST_true(SSL_key_update(serverssl,
  5319. SSL_KEY_UPDATE_REQUESTED)))
  5320. goto end;
  5321. if (tst == 5) {
  5322. SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
  5323. if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
  5324. goto end;
  5325. }
  5326. if ((tst == 4 || tst == 5)
  5327. && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
  5328. goto end;
  5329. if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
  5330. goto end;
  5331. if (tst == 4 || tst == 5) {
  5332. /* Should still be able to read data from server */
  5333. if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
  5334. &readbytes))
  5335. || !TEST_size_t_eq(readbytes, sizeof(msg))
  5336. || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
  5337. || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
  5338. &readbytes))
  5339. || !TEST_size_t_eq(readbytes, sizeof(msg))
  5340. || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
  5341. goto end;
  5342. }
  5343. }
  5344. /* Writing on the client after sending close_notify shouldn't be possible */
  5345. if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
  5346. goto end;
  5347. if (tst < 4) {
  5348. /*
  5349. * For these tests the client has sent close_notify but it has not yet
  5350. * been received by the server. The server has not sent close_notify
  5351. * yet.
  5352. */
  5353. if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
  5354. /*
  5355. * Writing on the server after sending close_notify shouldn't
  5356. * be possible.
  5357. */
  5358. || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
  5359. || !TEST_int_eq(SSL_shutdown(clientssl), 1)
  5360. || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
  5361. || !TEST_true(SSL_SESSION_is_resumable(sess))
  5362. || !TEST_int_eq(SSL_shutdown(serverssl), 1))
  5363. goto end;
  5364. } else if (tst == 4 || tst == 5) {
  5365. /*
  5366. * In this test the client has sent close_notify and it has been
  5367. * received by the server which has responded with a close_notify. The
  5368. * client needs to read the close_notify sent by the server.
  5369. */
  5370. if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
  5371. || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
  5372. || !TEST_true(SSL_SESSION_is_resumable(sess)))
  5373. goto end;
  5374. } else {
  5375. /*
  5376. * tst == 6
  5377. *
  5378. * The client has sent close_notify and is expecting a close_notify
  5379. * back, but instead there is application data first. The shutdown
  5380. * should fail with a fatal error.
  5381. */
  5382. if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
  5383. || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
  5384. goto end;
  5385. }
  5386. testresult = 1;
  5387. end:
  5388. SSL_free(serverssl);
  5389. SSL_free(clientssl);
  5390. SSL_CTX_free(sctx);
  5391. SSL_CTX_free(cctx);
  5392. return testresult;
  5393. }
  5394. #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
  5395. static int cert_cb_cnt;
  5396. static int cert_cb(SSL *s, void *arg)
  5397. {
  5398. SSL_CTX *ctx = (SSL_CTX *)arg;
  5399. BIO *in = NULL;
  5400. EVP_PKEY *pkey = NULL;
  5401. X509 *x509 = NULL;
  5402. if (cert_cb_cnt == 0) {
  5403. /* Suspend the handshake */
  5404. cert_cb_cnt++;
  5405. return -1;
  5406. } else if (cert_cb_cnt == 1) {
  5407. /*
  5408. * Update the SSL_CTX, set the certificate and private key and then
  5409. * continue the handshake normally.
  5410. */
  5411. if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
  5412. return 0;
  5413. if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
  5414. || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
  5415. SSL_FILETYPE_PEM))
  5416. || !TEST_true(SSL_check_private_key(s)))
  5417. return 0;
  5418. cert_cb_cnt++;
  5419. return 1;
  5420. } else if (cert_cb_cnt == 3) {
  5421. int rv;
  5422. if (!TEST_ptr(in = BIO_new(BIO_s_file()))
  5423. || !TEST_int_ge(BIO_read_filename(in, cert), 0)
  5424. || !TEST_ptr(x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)))
  5425. goto out;
  5426. BIO_free(in);
  5427. if (!TEST_ptr(in = BIO_new(BIO_s_file()))
  5428. || !TEST_int_ge(BIO_read_filename(in, privkey), 0)
  5429. || !TEST_ptr(pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL)))
  5430. goto out;
  5431. rv = SSL_check_chain(s, x509, pkey, NULL);
  5432. /*
  5433. * If the cert doesn't show as valid here (e.g., because we don't
  5434. * have any shared sigalgs), then we will not set it, and there will
  5435. * be no certificate at all on the SSL or SSL_CTX. This, in turn,
  5436. * will cause tls_choose_sigalgs() to fail the connection.
  5437. */
  5438. if ((rv & CERT_PKEY_VALID)) {
  5439. if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
  5440. goto out;
  5441. }
  5442. BIO_free(in);
  5443. EVP_PKEY_free(pkey);
  5444. X509_free(x509);
  5445. return 1;
  5446. }
  5447. /* Abort the handshake */
  5448. out:
  5449. BIO_free(in);
  5450. EVP_PKEY_free(pkey);
  5451. X509_free(x509);
  5452. return 0;
  5453. }
  5454. /*
  5455. * Test the certificate callback.
  5456. * Test 0: Callback fails
  5457. * Test 1: Success - no SSL_set_SSL_CTX() in the callback
  5458. * Test 2: Success - SSL_set_SSL_CTX() in the callback
  5459. */
  5460. static int test_cert_cb_int(int prot, int tst)
  5461. {
  5462. SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
  5463. SSL *clientssl = NULL, *serverssl = NULL;
  5464. int testresult = 0, ret;
  5465. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
  5466. TLS_client_method(),
  5467. TLS1_VERSION,
  5468. prot,
  5469. &sctx, &cctx, NULL, NULL)))
  5470. goto end;
  5471. if (tst == 0)
  5472. cert_cb_cnt = -1;
  5473. else if (tst == 3)
  5474. cert_cb_cnt = 3;
  5475. else
  5476. cert_cb_cnt = 0;
  5477. if (tst == 2)
  5478. snictx = SSL_CTX_new(TLS_server_method());
  5479. SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
  5480. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  5481. NULL, NULL)))
  5482. goto end;
  5483. ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
  5484. if (!TEST_true(tst == 0 ? !ret : ret)
  5485. || (tst > 0
  5486. && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
  5487. goto end;
  5488. }
  5489. testresult = 1;
  5490. end:
  5491. SSL_free(serverssl);
  5492. SSL_free(clientssl);
  5493. SSL_CTX_free(sctx);
  5494. SSL_CTX_free(cctx);
  5495. SSL_CTX_free(snictx);
  5496. return testresult;
  5497. }
  5498. #endif
  5499. static int test_cert_cb(int tst)
  5500. {
  5501. int testresult = 1;
  5502. #ifndef OPENSSL_NO_TLS1_2
  5503. testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
  5504. #endif
  5505. #ifndef OPENSSL_NO_TLS1_3
  5506. testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
  5507. #endif
  5508. return testresult;
  5509. }
  5510. static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
  5511. {
  5512. X509 *xcert, *peer;
  5513. EVP_PKEY *privpkey;
  5514. BIO *in = NULL;
  5515. /* Check that SSL_get_peer_certificate() returns something sensible */
  5516. peer = SSL_get_peer_certificate(ssl);
  5517. if (!TEST_ptr(peer))
  5518. return 0;
  5519. X509_free(peer);
  5520. in = BIO_new_file(cert, "r");
  5521. if (!TEST_ptr(in))
  5522. return 0;
  5523. xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
  5524. BIO_free(in);
  5525. if (!TEST_ptr(xcert))
  5526. return 0;
  5527. in = BIO_new_file(privkey, "r");
  5528. if (!TEST_ptr(in)) {
  5529. X509_free(xcert);
  5530. return 0;
  5531. }
  5532. privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
  5533. BIO_free(in);
  5534. if (!TEST_ptr(privpkey)) {
  5535. X509_free(xcert);
  5536. return 0;
  5537. }
  5538. *x509 = xcert;
  5539. *pkey = privpkey;
  5540. return 1;
  5541. }
  5542. static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
  5543. {
  5544. return 1;
  5545. }
  5546. static int test_client_cert_cb(int tst)
  5547. {
  5548. SSL_CTX *cctx = NULL, *sctx = NULL;
  5549. SSL *clientssl = NULL, *serverssl = NULL;
  5550. int testresult = 0;
  5551. #ifdef OPENSSL_NO_TLS1_2
  5552. if (tst == 0)
  5553. return 1;
  5554. #endif
  5555. #ifdef OPENSSL_NO_TLS1_3
  5556. if (tst == 1)
  5557. return 1;
  5558. #endif
  5559. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
  5560. TLS_client_method(),
  5561. TLS1_VERSION,
  5562. tst == 0 ? TLS1_2_VERSION
  5563. : TLS1_3_VERSION,
  5564. &sctx, &cctx, cert, privkey)))
  5565. goto end;
  5566. /*
  5567. * Test that setting a client_cert_cb results in a client certificate being
  5568. * sent.
  5569. */
  5570. SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
  5571. SSL_CTX_set_verify(sctx,
  5572. SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
  5573. verify_cb);
  5574. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  5575. NULL, NULL))
  5576. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  5577. SSL_ERROR_NONE)))
  5578. goto end;
  5579. testresult = 1;
  5580. end:
  5581. SSL_free(serverssl);
  5582. SSL_free(clientssl);
  5583. SSL_CTX_free(sctx);
  5584. SSL_CTX_free(cctx);
  5585. return testresult;
  5586. }
  5587. #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
  5588. /*
  5589. * Test setting certificate authorities on both client and server.
  5590. *
  5591. * Test 0: SSL_CTX_set0_CA_list() only
  5592. * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
  5593. * Test 2: Only SSL_CTX_set_client_CA_list()
  5594. */
  5595. static int test_ca_names_int(int prot, int tst)
  5596. {
  5597. SSL_CTX *cctx = NULL, *sctx = NULL;
  5598. SSL *clientssl = NULL, *serverssl = NULL;
  5599. int testresult = 0;
  5600. size_t i;
  5601. X509_NAME *name[] = { NULL, NULL, NULL, NULL };
  5602. char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
  5603. STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
  5604. const STACK_OF(X509_NAME) *sktmp = NULL;
  5605. for (i = 0; i < OSSL_NELEM(name); i++) {
  5606. name[i] = X509_NAME_new();
  5607. if (!TEST_ptr(name[i])
  5608. || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
  5609. MBSTRING_ASC,
  5610. (unsigned char *)
  5611. strnames[i],
  5612. -1, -1, 0)))
  5613. goto end;
  5614. }
  5615. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
  5616. TLS_client_method(),
  5617. TLS1_VERSION,
  5618. prot,
  5619. &sctx, &cctx, cert, privkey)))
  5620. goto end;
  5621. SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
  5622. if (tst == 0 || tst == 1) {
  5623. if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
  5624. || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
  5625. || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
  5626. || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
  5627. || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
  5628. || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
  5629. goto end;
  5630. SSL_CTX_set0_CA_list(sctx, sk1);
  5631. SSL_CTX_set0_CA_list(cctx, sk2);
  5632. sk1 = sk2 = NULL;
  5633. }
  5634. if (tst == 1 || tst == 2) {
  5635. if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
  5636. || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
  5637. || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
  5638. || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
  5639. || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
  5640. || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
  5641. goto end;
  5642. SSL_CTX_set_client_CA_list(sctx, sk1);
  5643. SSL_CTX_set_client_CA_list(cctx, sk2);
  5644. sk1 = sk2 = NULL;
  5645. }
  5646. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  5647. NULL, NULL))
  5648. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  5649. SSL_ERROR_NONE)))
  5650. goto end;
  5651. /*
  5652. * We only expect certificate authorities to have been sent to the server
  5653. * if we are using TLSv1.3 and SSL_set0_CA_list() was used
  5654. */
  5655. sktmp = SSL_get0_peer_CA_list(serverssl);
  5656. if (prot == TLS1_3_VERSION
  5657. && (tst == 0 || tst == 1)) {
  5658. if (!TEST_ptr(sktmp)
  5659. || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
  5660. || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
  5661. name[0]), 0)
  5662. || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
  5663. name[1]), 0))
  5664. goto end;
  5665. } else if (!TEST_ptr_null(sktmp)) {
  5666. goto end;
  5667. }
  5668. /*
  5669. * In all tests we expect certificate authorities to have been sent to the
  5670. * client. However, SSL_set_client_CA_list() should override
  5671. * SSL_set0_CA_list()
  5672. */
  5673. sktmp = SSL_get0_peer_CA_list(clientssl);
  5674. if (!TEST_ptr(sktmp)
  5675. || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
  5676. || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
  5677. name[tst == 0 ? 0 : 2]), 0)
  5678. || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
  5679. name[tst == 0 ? 1 : 3]), 0))
  5680. goto end;
  5681. testresult = 1;
  5682. end:
  5683. SSL_free(serverssl);
  5684. SSL_free(clientssl);
  5685. SSL_CTX_free(sctx);
  5686. SSL_CTX_free(cctx);
  5687. for (i = 0; i < OSSL_NELEM(name); i++)
  5688. X509_NAME_free(name[i]);
  5689. sk_X509_NAME_pop_free(sk1, X509_NAME_free);
  5690. sk_X509_NAME_pop_free(sk2, X509_NAME_free);
  5691. return testresult;
  5692. }
  5693. #endif
  5694. static int test_ca_names(int tst)
  5695. {
  5696. int testresult = 1;
  5697. #ifndef OPENSSL_NO_TLS1_2
  5698. testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
  5699. #endif
  5700. #ifndef OPENSSL_NO_TLS1_3
  5701. testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
  5702. #endif
  5703. return testresult;
  5704. }
  5705. OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile\n")
  5706. int setup_tests(void)
  5707. {
  5708. if (!TEST_ptr(cert = test_get_argument(0))
  5709. || !TEST_ptr(privkey = test_get_argument(1))
  5710. || !TEST_ptr(srpvfile = test_get_argument(2))
  5711. || !TEST_ptr(tmpfilename = test_get_argument(3)))
  5712. return 0;
  5713. if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
  5714. #ifdef OPENSSL_NO_CRYPTO_MDEBUG
  5715. TEST_error("not supported in this build");
  5716. return 0;
  5717. #else
  5718. int i, mcount, rcount, fcount;
  5719. for (i = 0; i < 4; i++)
  5720. test_export_key_mat(i);
  5721. CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
  5722. test_printf_stdout("malloc %d realloc %d free %d\n",
  5723. mcount, rcount, fcount);
  5724. return 1;
  5725. #endif
  5726. }
  5727. #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
  5728. && !defined(OPENSSL_NO_SOCK)
  5729. ADD_TEST(test_ktls_no_txrx_client_no_txrx_server);
  5730. ADD_TEST(test_ktls_no_rx_client_no_txrx_server);
  5731. ADD_TEST(test_ktls_no_tx_client_no_txrx_server);
  5732. ADD_TEST(test_ktls_client_no_txrx_server);
  5733. ADD_TEST(test_ktls_no_txrx_client_no_rx_server);
  5734. ADD_TEST(test_ktls_no_rx_client_no_rx_server);
  5735. ADD_TEST(test_ktls_no_tx_client_no_rx_server);
  5736. ADD_TEST(test_ktls_client_no_rx_server);
  5737. ADD_TEST(test_ktls_no_txrx_client_no_tx_server);
  5738. ADD_TEST(test_ktls_no_rx_client_no_tx_server);
  5739. ADD_TEST(test_ktls_no_tx_client_no_tx_server);
  5740. ADD_TEST(test_ktls_client_no_tx_server);
  5741. ADD_TEST(test_ktls_no_txrx_client_server);
  5742. ADD_TEST(test_ktls_no_rx_client_server);
  5743. ADD_TEST(test_ktls_no_tx_client_server);
  5744. ADD_TEST(test_ktls_client_server);
  5745. ADD_TEST(test_ktls_sendfile);
  5746. #endif
  5747. ADD_TEST(test_large_message_tls);
  5748. ADD_TEST(test_large_message_tls_read_ahead);
  5749. #ifndef OPENSSL_NO_DTLS
  5750. ADD_TEST(test_large_message_dtls);
  5751. #endif
  5752. #ifndef OPENSSL_NO_OCSP
  5753. ADD_TEST(test_tlsext_status_type);
  5754. #endif
  5755. ADD_TEST(test_session_with_only_int_cache);
  5756. ADD_TEST(test_session_with_only_ext_cache);
  5757. ADD_TEST(test_session_with_both_cache);
  5758. #ifndef OPENSSL_NO_TLS1_3
  5759. ADD_ALL_TESTS(test_stateful_tickets, 3);
  5760. ADD_ALL_TESTS(test_stateless_tickets, 3);
  5761. ADD_TEST(test_psk_tickets);
  5762. #endif
  5763. ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
  5764. ADD_TEST(test_ssl_bio_pop_next_bio);
  5765. ADD_TEST(test_ssl_bio_pop_ssl_bio);
  5766. ADD_TEST(test_ssl_bio_change_rbio);
  5767. ADD_TEST(test_ssl_bio_change_wbio);
  5768. #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
  5769. ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
  5770. ADD_TEST(test_keylog);
  5771. #endif
  5772. #ifndef OPENSSL_NO_TLS1_3
  5773. ADD_TEST(test_keylog_no_master_key);
  5774. #endif
  5775. #ifndef OPENSSL_NO_TLS1_2
  5776. ADD_TEST(test_client_hello_cb);
  5777. ADD_TEST(test_no_ems);
  5778. #endif
  5779. #ifndef OPENSSL_NO_TLS1_3
  5780. ADD_ALL_TESTS(test_early_data_read_write, 3);
  5781. /*
  5782. * We don't do replay tests for external PSK. Replay protection isn't used
  5783. * in that scenario.
  5784. */
  5785. ADD_ALL_TESTS(test_early_data_replay, 2);
  5786. ADD_ALL_TESTS(test_early_data_skip, 3);
  5787. ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
  5788. ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
  5789. ADD_ALL_TESTS(test_early_data_skip_abort, 3);
  5790. ADD_ALL_TESTS(test_early_data_not_sent, 3);
  5791. ADD_ALL_TESTS(test_early_data_psk, 8);
  5792. ADD_ALL_TESTS(test_early_data_not_expected, 3);
  5793. # ifndef OPENSSL_NO_TLS1_2
  5794. ADD_ALL_TESTS(test_early_data_tls1_2, 3);
  5795. # endif
  5796. #endif
  5797. #ifndef OPENSSL_NO_TLS1_3
  5798. ADD_ALL_TESTS(test_set_ciphersuite, 10);
  5799. ADD_TEST(test_ciphersuite_change);
  5800. #ifdef OPENSSL_NO_PSK
  5801. ADD_ALL_TESTS(test_tls13_psk, 1);
  5802. #else
  5803. ADD_ALL_TESTS(test_tls13_psk, 4);
  5804. #endif /* OPENSSL_NO_PSK */
  5805. ADD_ALL_TESTS(test_tls13_key_exchange, 4);
  5806. ADD_ALL_TESTS(test_custom_exts, 5);
  5807. ADD_TEST(test_stateless);
  5808. ADD_TEST(test_pha_key_update);
  5809. #else
  5810. ADD_ALL_TESTS(test_custom_exts, 3);
  5811. #endif
  5812. ADD_ALL_TESTS(test_serverinfo, 8);
  5813. ADD_ALL_TESTS(test_export_key_mat, 6);
  5814. #ifndef OPENSSL_NO_TLS1_3
  5815. ADD_ALL_TESTS(test_export_key_mat_early, 3);
  5816. ADD_TEST(test_key_update);
  5817. ADD_ALL_TESTS(test_key_update_in_write, 2);
  5818. #endif
  5819. ADD_ALL_TESTS(test_ssl_clear, 2);
  5820. ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
  5821. #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
  5822. ADD_ALL_TESTS(test_srp, 6);
  5823. #endif
  5824. ADD_ALL_TESTS(test_info_callback, 6);
  5825. ADD_ALL_TESTS(test_ssl_pending, 2);
  5826. ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
  5827. ADD_ALL_TESTS(test_ticket_callbacks, 12);
  5828. ADD_ALL_TESTS(test_shutdown, 7);
  5829. ADD_ALL_TESTS(test_cert_cb, 4);
  5830. ADD_ALL_TESTS(test_client_cert_cb, 2);
  5831. ADD_ALL_TESTS(test_ca_names, 3);
  5832. return 1;
  5833. }
  5834. void cleanup_tests(void)
  5835. {
  5836. bio_s_mempacket_test_free();
  5837. bio_s_always_retry_free();
  5838. }