sslapitest.c 207 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071207220732074207520762077207820792080208120822083208420852086208720882089209020912092209320942095209620972098209921002101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143214421452146214721482149215021512152215321542155215621572158215921602161216221632164216521662167216821692170217121722173217421752176217721782179218021812182218321842185218621872188218921902191219221932194219521962197219821992200220122022203220422052206220722082209221022112212221322142215221622172218221922202221222222232224222522262227222822292230223122322233223422352236223722382239224022412242224322442245224622472248224922502251225222532254225522562257225822592260226122622263226422652266226722682269227022712272227322742275227622772278227922802281228222832284228522862287228822892290229122922293229422952296229722982299230023012302230323042305230623072308230923102311231223132314231523162317231823192320232123222323232423252326232723282329233023312332233323342335233623372338233923402341234223432344234523462347234823492350235123522353235423552356235723582359236023612362236323642365236623672368236923702371237223732374237523762377237823792380238123822383238423852386238723882389239023912392239323942395239623972398239924002401240224032404240524062407240824092410241124122413241424152416241724182419242024212422242324242425242624272428242924302431243224332434243524362437243824392440244124422443244424452446244724482449245024512452245324542455245624572458245924602461246224632464246524662467246824692470247124722473247424752476247724782479248024812482248324842485248624872488248924902491249224932494249524962497249824992500250125022503250425052506250725082509251025112512251325142515251625172518251925202521252225232524252525262527252825292530253125322533253425352536253725382539254025412542254325442545254625472548254925502551255225532554255525562557255825592560256125622563256425652566256725682569257025712572257325742575257625772578257925802581258225832584258525862587258825892590259125922593259425952596259725982599260026012602260326042605260626072608260926102611261226132614261526162617261826192620262126222623262426252626262726282629263026312632263326342635263626372638263926402641264226432644264526462647264826492650265126522653265426552656265726582659266026612662266326642665266626672668266926702671267226732674267526762677267826792680268126822683268426852686268726882689269026912692269326942695269626972698269927002701270227032704270527062707270827092710271127122713271427152716271727182719272027212722272327242725272627272728272927302731273227332734273527362737273827392740274127422743274427452746274727482749275027512752275327542755275627572758275927602761276227632764276527662767276827692770277127722773277427752776277727782779278027812782278327842785278627872788278927902791279227932794279527962797279827992800280128022803280428052806280728082809281028112812281328142815281628172818281928202821282228232824282528262827282828292830283128322833283428352836283728382839284028412842284328442845284628472848284928502851285228532854285528562857285828592860286128622863286428652866286728682869287028712872287328742875287628772878287928802881288228832884288528862887288828892890289128922893289428952896289728982899290029012902290329042905290629072908290929102911291229132914291529162917291829192920292129222923292429252926292729282929293029312932293329342935293629372938293929402941294229432944294529462947294829492950295129522953295429552956295729582959296029612962296329642965296629672968296929702971297229732974297529762977297829792980298129822983298429852986298729882989299029912992299329942995299629972998299930003001300230033004300530063007300830093010301130123013301430153016301730183019302030213022302330243025302630273028302930303031303230333034303530363037303830393040304130423043304430453046304730483049305030513052305330543055305630573058305930603061306230633064306530663067306830693070307130723073307430753076307730783079308030813082308330843085308630873088308930903091309230933094309530963097309830993100310131023103310431053106310731083109311031113112311331143115311631173118311931203121312231233124312531263127312831293130313131323133313431353136313731383139314031413142314331443145314631473148314931503151315231533154315531563157315831593160316131623163316431653166316731683169317031713172317331743175317631773178317931803181318231833184318531863187318831893190319131923193319431953196319731983199320032013202320332043205320632073208320932103211321232133214321532163217321832193220322132223223322432253226322732283229323032313232323332343235323632373238323932403241324232433244324532463247324832493250325132523253325432553256325732583259326032613262326332643265326632673268326932703271327232733274327532763277327832793280328132823283328432853286328732883289329032913292329332943295329632973298329933003301330233033304330533063307330833093310331133123313331433153316331733183319332033213322332333243325332633273328332933303331333233333334333533363337333833393340334133423343334433453346334733483349335033513352335333543355335633573358335933603361336233633364336533663367336833693370337133723373337433753376337733783379338033813382338333843385338633873388338933903391339233933394339533963397339833993400340134023403340434053406340734083409341034113412341334143415341634173418341934203421342234233424342534263427342834293430343134323433343434353436343734383439344034413442344334443445344634473448344934503451345234533454345534563457345834593460346134623463346434653466346734683469347034713472347334743475347634773478347934803481348234833484348534863487348834893490349134923493349434953496349734983499350035013502350335043505350635073508350935103511351235133514351535163517351835193520352135223523352435253526352735283529353035313532353335343535353635373538353935403541354235433544354535463547354835493550355135523553355435553556355735583559356035613562356335643565356635673568356935703571357235733574357535763577357835793580358135823583358435853586358735883589359035913592359335943595359635973598359936003601360236033604360536063607360836093610361136123613361436153616361736183619362036213622362336243625362636273628362936303631363236333634363536363637363836393640364136423643364436453646364736483649365036513652365336543655365636573658365936603661366236633664366536663667366836693670367136723673367436753676367736783679368036813682368336843685368636873688368936903691369236933694369536963697369836993700370137023703370437053706370737083709371037113712371337143715371637173718371937203721372237233724372537263727372837293730373137323733373437353736373737383739374037413742374337443745374637473748374937503751375237533754375537563757375837593760376137623763376437653766376737683769377037713772377337743775377637773778377937803781378237833784378537863787378837893790379137923793379437953796379737983799380038013802380338043805380638073808380938103811381238133814381538163817381838193820382138223823382438253826382738283829383038313832383338343835383638373838383938403841384238433844384538463847384838493850385138523853385438553856385738583859386038613862386338643865386638673868386938703871387238733874387538763877387838793880388138823883388438853886388738883889389038913892389338943895389638973898389939003901390239033904390539063907390839093910391139123913391439153916391739183919392039213922392339243925392639273928392939303931393239333934393539363937393839393940394139423943394439453946394739483949395039513952395339543955395639573958395939603961396239633964396539663967396839693970397139723973397439753976397739783979398039813982398339843985398639873988398939903991399239933994399539963997399839994000400140024003400440054006400740084009401040114012401340144015401640174018401940204021402240234024402540264027402840294030403140324033403440354036403740384039404040414042404340444045404640474048404940504051405240534054405540564057405840594060406140624063406440654066406740684069407040714072407340744075407640774078407940804081408240834084408540864087408840894090409140924093409440954096409740984099410041014102410341044105410641074108410941104111411241134114411541164117411841194120412141224123412441254126412741284129413041314132413341344135413641374138413941404141414241434144414541464147414841494150415141524153415441554156415741584159416041614162416341644165416641674168416941704171417241734174417541764177417841794180418141824183418441854186418741884189419041914192419341944195419641974198419942004201420242034204420542064207420842094210421142124213421442154216421742184219422042214222422342244225422642274228422942304231423242334234423542364237423842394240424142424243424442454246424742484249425042514252425342544255425642574258425942604261426242634264426542664267426842694270427142724273427442754276427742784279428042814282428342844285428642874288428942904291429242934294429542964297429842994300430143024303430443054306430743084309431043114312431343144315431643174318431943204321432243234324432543264327432843294330433143324333433443354336433743384339434043414342434343444345434643474348434943504351435243534354435543564357435843594360436143624363436443654366436743684369437043714372437343744375437643774378437943804381438243834384438543864387438843894390439143924393439443954396439743984399440044014402440344044405440644074408440944104411441244134414441544164417441844194420442144224423442444254426442744284429443044314432443344344435443644374438443944404441444244434444444544464447444844494450445144524453445444554456445744584459446044614462446344644465446644674468446944704471447244734474447544764477447844794480448144824483448444854486448744884489449044914492449344944495449644974498449945004501450245034504450545064507450845094510451145124513451445154516451745184519452045214522452345244525452645274528452945304531453245334534453545364537453845394540454145424543454445454546454745484549455045514552455345544555455645574558455945604561456245634564456545664567456845694570457145724573457445754576457745784579458045814582458345844585458645874588458945904591459245934594459545964597459845994600460146024603460446054606460746084609461046114612461346144615461646174618461946204621462246234624462546264627462846294630463146324633463446354636463746384639464046414642464346444645464646474648464946504651465246534654465546564657465846594660466146624663466446654666466746684669467046714672467346744675467646774678467946804681468246834684468546864687468846894690469146924693469446954696469746984699470047014702470347044705470647074708470947104711471247134714471547164717471847194720472147224723472447254726472747284729473047314732473347344735473647374738473947404741474247434744474547464747474847494750475147524753475447554756475747584759476047614762476347644765476647674768476947704771477247734774477547764777477847794780478147824783478447854786478747884789479047914792479347944795479647974798479948004801480248034804480548064807480848094810481148124813481448154816481748184819482048214822482348244825482648274828482948304831483248334834483548364837483848394840484148424843484448454846484748484849485048514852485348544855485648574858485948604861486248634864486548664867486848694870487148724873487448754876487748784879488048814882488348844885488648874888488948904891489248934894489548964897489848994900490149024903490449054906490749084909491049114912491349144915491649174918491949204921492249234924492549264927492849294930493149324933493449354936493749384939494049414942494349444945494649474948494949504951495249534954495549564957495849594960496149624963496449654966496749684969497049714972497349744975497649774978497949804981498249834984498549864987498849894990499149924993499449954996499749984999500050015002500350045005500650075008500950105011501250135014501550165017501850195020502150225023502450255026502750285029503050315032503350345035503650375038503950405041504250435044504550465047504850495050505150525053505450555056505750585059506050615062506350645065506650675068506950705071507250735074507550765077507850795080508150825083508450855086508750885089509050915092509350945095509650975098509951005101510251035104510551065107510851095110511151125113511451155116511751185119512051215122512351245125512651275128512951305131513251335134513551365137513851395140514151425143514451455146514751485149515051515152515351545155515651575158515951605161516251635164516551665167516851695170517151725173517451755176517751785179518051815182518351845185518651875188518951905191519251935194519551965197519851995200520152025203520452055206520752085209521052115212521352145215521652175218521952205221522252235224522552265227522852295230523152325233523452355236523752385239524052415242524352445245524652475248524952505251525252535254525552565257525852595260526152625263526452655266526752685269527052715272527352745275527652775278527952805281528252835284528552865287528852895290529152925293529452955296529752985299530053015302530353045305530653075308530953105311531253135314531553165317531853195320532153225323532453255326532753285329533053315332533353345335533653375338533953405341534253435344534553465347534853495350535153525353535453555356535753585359536053615362536353645365536653675368536953705371537253735374537553765377537853795380538153825383538453855386538753885389539053915392539353945395539653975398539954005401540254035404540554065407540854095410541154125413541454155416541754185419542054215422542354245425542654275428542954305431543254335434543554365437543854395440544154425443544454455446544754485449545054515452545354545455545654575458545954605461546254635464546554665467546854695470547154725473547454755476547754785479548054815482548354845485548654875488548954905491549254935494549554965497549854995500550155025503550455055506550755085509551055115512551355145515551655175518551955205521552255235524552555265527552855295530553155325533553455355536553755385539554055415542554355445545554655475548554955505551555255535554555555565557555855595560556155625563556455655566556755685569557055715572557355745575557655775578557955805581558255835584558555865587558855895590559155925593559455955596559755985599560056015602560356045605560656075608560956105611561256135614561556165617561856195620562156225623562456255626562756285629563056315632563356345635563656375638563956405641564256435644564556465647564856495650565156525653565456555656565756585659566056615662566356645665566656675668566956705671567256735674567556765677567856795680568156825683568456855686568756885689569056915692569356945695569656975698569957005701570257035704570557065707570857095710571157125713571457155716571757185719572057215722572357245725572657275728572957305731573257335734573557365737573857395740574157425743574457455746574757485749575057515752575357545755575657575758575957605761576257635764576557665767576857695770577157725773577457755776577757785779578057815782578357845785578657875788578957905791579257935794579557965797579857995800580158025803580458055806580758085809581058115812581358145815581658175818581958205821582258235824582558265827582858295830583158325833583458355836583758385839584058415842584358445845584658475848584958505851585258535854585558565857585858595860586158625863586458655866586758685869587058715872587358745875587658775878587958805881588258835884588558865887588858895890589158925893589458955896589758985899590059015902590359045905590659075908590959105911591259135914591559165917591859195920592159225923592459255926592759285929593059315932593359345935593659375938593959405941594259435944594559465947594859495950595159525953595459555956595759585959596059615962596359645965596659675968596959705971597259735974597559765977597859795980598159825983598459855986598759885989599059915992599359945995599659975998599960006001600260036004600560066007600860096010601160126013601460156016601760186019602060216022602360246025602660276028602960306031603260336034603560366037603860396040604160426043604460456046604760486049605060516052605360546055605660576058605960606061606260636064606560666067606860696070607160726073607460756076607760786079608060816082608360846085608660876088608960906091609260936094609560966097609860996100610161026103610461056106610761086109611061116112611361146115611661176118611961206121612261236124612561266127612861296130613161326133613461356136613761386139614061416142614361446145614661476148614961506151615261536154615561566157615861596160616161626163616461656166616761686169617061716172617361746175617661776178617961806181618261836184618561866187618861896190619161926193
  1. /*
  2. * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <string.h>
  10. #include <openssl/opensslconf.h>
  11. #include <openssl/bio.h>
  12. #include <openssl/crypto.h>
  13. #include <openssl/ssl.h>
  14. #include <openssl/ocsp.h>
  15. #include <openssl/srp.h>
  16. #include <openssl/txt_db.h>
  17. #include <openssl/aes.h>
  18. #include "ssltestlib.h"
  19. #include "testutil.h"
  20. #include "testutil/output.h"
  21. #include "internal/nelem.h"
  22. #include "internal/ktls.h"
  23. #include "../ssl/ssl_locl.h"
  24. #ifndef OPENSSL_NO_TLS1_3
  25. static SSL_SESSION *clientpsk = NULL;
  26. static SSL_SESSION *serverpsk = NULL;
  27. static const char *pskid = "Identity";
  28. static const char *srvid;
  29. static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
  30. size_t *idlen, SSL_SESSION **sess);
  31. static int find_session_cb(SSL *ssl, const unsigned char *identity,
  32. size_t identity_len, SSL_SESSION **sess);
  33. static int use_session_cb_cnt = 0;
  34. static int find_session_cb_cnt = 0;
  35. static SSL_SESSION *create_a_psk(SSL *ssl);
  36. #endif
  37. static char *cert = NULL;
  38. static char *privkey = NULL;
  39. static char *srpvfile = NULL;
  40. static char *tmpfilename = NULL;
  41. #define LOG_BUFFER_SIZE 2048
  42. static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
  43. static size_t server_log_buffer_index = 0;
  44. static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
  45. static size_t client_log_buffer_index = 0;
  46. static int error_writing_log = 0;
  47. #ifndef OPENSSL_NO_OCSP
  48. static const unsigned char orespder[] = "Dummy OCSP Response";
  49. static int ocsp_server_called = 0;
  50. static int ocsp_client_called = 0;
  51. static int cdummyarg = 1;
  52. static X509 *ocspcert = NULL;
  53. #endif
  54. #define NUM_EXTRA_CERTS 40
  55. #define CLIENT_VERSION_LEN 2
  56. /*
  57. * This structure is used to validate that the correct number of log messages
  58. * of various types are emitted when emitting secret logs.
  59. */
  60. struct sslapitest_log_counts {
  61. unsigned int rsa_key_exchange_count;
  62. unsigned int master_secret_count;
  63. unsigned int client_early_secret_count;
  64. unsigned int client_handshake_secret_count;
  65. unsigned int server_handshake_secret_count;
  66. unsigned int client_application_secret_count;
  67. unsigned int server_application_secret_count;
  68. unsigned int early_exporter_secret_count;
  69. unsigned int exporter_secret_count;
  70. };
  71. static unsigned char serverinfov1[] = {
  72. 0xff, 0xff, /* Dummy extension type */
  73. 0x00, 0x01, /* Extension length is 1 byte */
  74. 0xff /* Dummy extension data */
  75. };
  76. static unsigned char serverinfov2[] = {
  77. 0x00, 0x00, 0x00,
  78. (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
  79. 0xff, 0xff, /* Dummy extension type */
  80. 0x00, 0x01, /* Extension length is 1 byte */
  81. 0xff /* Dummy extension data */
  82. };
  83. static void client_keylog_callback(const SSL *ssl, const char *line)
  84. {
  85. int line_length = strlen(line);
  86. /* If the log doesn't fit, error out. */
  87. if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
  88. TEST_info("Client log too full");
  89. error_writing_log = 1;
  90. return;
  91. }
  92. strcat(client_log_buffer, line);
  93. client_log_buffer_index += line_length;
  94. client_log_buffer[client_log_buffer_index++] = '\n';
  95. }
  96. static void server_keylog_callback(const SSL *ssl, const char *line)
  97. {
  98. int line_length = strlen(line);
  99. /* If the log doesn't fit, error out. */
  100. if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
  101. TEST_info("Server log too full");
  102. error_writing_log = 1;
  103. return;
  104. }
  105. strcat(server_log_buffer, line);
  106. server_log_buffer_index += line_length;
  107. server_log_buffer[server_log_buffer_index++] = '\n';
  108. }
  109. static int compare_hex_encoded_buffer(const char *hex_encoded,
  110. size_t hex_length,
  111. const uint8_t *raw,
  112. size_t raw_length)
  113. {
  114. size_t i, j;
  115. char hexed[3];
  116. if (!TEST_size_t_eq(raw_length * 2, hex_length))
  117. return 1;
  118. for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
  119. sprintf(hexed, "%02x", raw[i]);
  120. if (!TEST_int_eq(hexed[0], hex_encoded[j])
  121. || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
  122. return 1;
  123. }
  124. return 0;
  125. }
  126. static int test_keylog_output(char *buffer, const SSL *ssl,
  127. const SSL_SESSION *session,
  128. struct sslapitest_log_counts *expected)
  129. {
  130. char *token = NULL;
  131. unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
  132. size_t client_random_size = SSL3_RANDOM_SIZE;
  133. unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
  134. size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
  135. unsigned int rsa_key_exchange_count = 0;
  136. unsigned int master_secret_count = 0;
  137. unsigned int client_early_secret_count = 0;
  138. unsigned int client_handshake_secret_count = 0;
  139. unsigned int server_handshake_secret_count = 0;
  140. unsigned int client_application_secret_count = 0;
  141. unsigned int server_application_secret_count = 0;
  142. unsigned int early_exporter_secret_count = 0;
  143. unsigned int exporter_secret_count = 0;
  144. for (token = strtok(buffer, " \n"); token != NULL;
  145. token = strtok(NULL, " \n")) {
  146. if (strcmp(token, "RSA") == 0) {
  147. /*
  148. * Premaster secret. Tokens should be: 16 ASCII bytes of
  149. * hex-encoded encrypted secret, then the hex-encoded pre-master
  150. * secret.
  151. */
  152. if (!TEST_ptr(token = strtok(NULL, " \n")))
  153. return 0;
  154. if (!TEST_size_t_eq(strlen(token), 16))
  155. return 0;
  156. if (!TEST_ptr(token = strtok(NULL, " \n")))
  157. return 0;
  158. /*
  159. * We can't sensibly check the log because the premaster secret is
  160. * transient, and OpenSSL doesn't keep hold of it once the master
  161. * secret is generated.
  162. */
  163. rsa_key_exchange_count++;
  164. } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
  165. /*
  166. * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
  167. * client random, then the hex-encoded master secret.
  168. */
  169. client_random_size = SSL_get_client_random(ssl,
  170. actual_client_random,
  171. SSL3_RANDOM_SIZE);
  172. if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
  173. return 0;
  174. if (!TEST_ptr(token = strtok(NULL, " \n")))
  175. return 0;
  176. if (!TEST_size_t_eq(strlen(token), 64))
  177. return 0;
  178. if (!TEST_false(compare_hex_encoded_buffer(token, 64,
  179. actual_client_random,
  180. client_random_size)))
  181. return 0;
  182. if (!TEST_ptr(token = strtok(NULL, " \n")))
  183. return 0;
  184. master_key_size = SSL_SESSION_get_master_key(session,
  185. actual_master_key,
  186. master_key_size);
  187. if (!TEST_size_t_ne(master_key_size, 0))
  188. return 0;
  189. if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
  190. actual_master_key,
  191. master_key_size)))
  192. return 0;
  193. master_secret_count++;
  194. } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
  195. || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
  196. || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
  197. || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
  198. || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
  199. || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
  200. || strcmp(token, "EXPORTER_SECRET") == 0) {
  201. /*
  202. * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
  203. * client random, and then the hex-encoded secret. In this case,
  204. * we treat all of these secrets identically and then just
  205. * distinguish between them when counting what we saw.
  206. */
  207. if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
  208. client_early_secret_count++;
  209. else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
  210. client_handshake_secret_count++;
  211. else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
  212. server_handshake_secret_count++;
  213. else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
  214. client_application_secret_count++;
  215. else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
  216. server_application_secret_count++;
  217. else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
  218. early_exporter_secret_count++;
  219. else if (strcmp(token, "EXPORTER_SECRET") == 0)
  220. exporter_secret_count++;
  221. client_random_size = SSL_get_client_random(ssl,
  222. actual_client_random,
  223. SSL3_RANDOM_SIZE);
  224. if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
  225. return 0;
  226. if (!TEST_ptr(token = strtok(NULL, " \n")))
  227. return 0;
  228. if (!TEST_size_t_eq(strlen(token), 64))
  229. return 0;
  230. if (!TEST_false(compare_hex_encoded_buffer(token, 64,
  231. actual_client_random,
  232. client_random_size)))
  233. return 0;
  234. if (!TEST_ptr(token = strtok(NULL, " \n")))
  235. return 0;
  236. /*
  237. * TODO(TLS1.3): test that application traffic secrets are what
  238. * we expect */
  239. } else {
  240. TEST_info("Unexpected token %s\n", token);
  241. return 0;
  242. }
  243. }
  244. /* Got what we expected? */
  245. if (!TEST_size_t_eq(rsa_key_exchange_count,
  246. expected->rsa_key_exchange_count)
  247. || !TEST_size_t_eq(master_secret_count,
  248. expected->master_secret_count)
  249. || !TEST_size_t_eq(client_early_secret_count,
  250. expected->client_early_secret_count)
  251. || !TEST_size_t_eq(client_handshake_secret_count,
  252. expected->client_handshake_secret_count)
  253. || !TEST_size_t_eq(server_handshake_secret_count,
  254. expected->server_handshake_secret_count)
  255. || !TEST_size_t_eq(client_application_secret_count,
  256. expected->client_application_secret_count)
  257. || !TEST_size_t_eq(server_application_secret_count,
  258. expected->server_application_secret_count)
  259. || !TEST_size_t_eq(early_exporter_secret_count,
  260. expected->early_exporter_secret_count)
  261. || !TEST_size_t_eq(exporter_secret_count,
  262. expected->exporter_secret_count))
  263. return 0;
  264. return 1;
  265. }
  266. #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
  267. static int test_keylog(void)
  268. {
  269. SSL_CTX *cctx = NULL, *sctx = NULL;
  270. SSL *clientssl = NULL, *serverssl = NULL;
  271. int testresult = 0;
  272. struct sslapitest_log_counts expected = {0};
  273. /* Clean up logging space */
  274. memset(client_log_buffer, 0, sizeof(client_log_buffer));
  275. memset(server_log_buffer, 0, sizeof(server_log_buffer));
  276. client_log_buffer_index = 0;
  277. server_log_buffer_index = 0;
  278. error_writing_log = 0;
  279. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
  280. TLS_client_method(),
  281. TLS1_VERSION, 0,
  282. &sctx, &cctx, cert, privkey)))
  283. return 0;
  284. /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
  285. SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
  286. SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
  287. /* We also want to ensure that we use RSA-based key exchange. */
  288. if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
  289. goto end;
  290. if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
  291. || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
  292. goto end;
  293. SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
  294. if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
  295. == client_keylog_callback))
  296. goto end;
  297. SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
  298. if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
  299. == server_keylog_callback))
  300. goto end;
  301. /* Now do a handshake and check that the logs have been written to. */
  302. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
  303. &clientssl, NULL, NULL))
  304. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  305. SSL_ERROR_NONE))
  306. || !TEST_false(error_writing_log)
  307. || !TEST_int_gt(client_log_buffer_index, 0)
  308. || !TEST_int_gt(server_log_buffer_index, 0))
  309. goto end;
  310. /*
  311. * Now we want to test that our output data was vaguely sensible. We
  312. * do that by using strtok and confirming that we have more or less the
  313. * data we expect. For both client and server, we expect to see one master
  314. * secret. The client should also see a RSA key exchange.
  315. */
  316. expected.rsa_key_exchange_count = 1;
  317. expected.master_secret_count = 1;
  318. if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
  319. SSL_get_session(clientssl), &expected)))
  320. goto end;
  321. expected.rsa_key_exchange_count = 0;
  322. if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
  323. SSL_get_session(serverssl), &expected)))
  324. goto end;
  325. testresult = 1;
  326. end:
  327. SSL_free(serverssl);
  328. SSL_free(clientssl);
  329. SSL_CTX_free(sctx);
  330. SSL_CTX_free(cctx);
  331. return testresult;
  332. }
  333. #endif
  334. #ifndef OPENSSL_NO_TLS1_3
  335. static int test_keylog_no_master_key(void)
  336. {
  337. SSL_CTX *cctx = NULL, *sctx = NULL;
  338. SSL *clientssl = NULL, *serverssl = NULL;
  339. SSL_SESSION *sess = NULL;
  340. int testresult = 0;
  341. struct sslapitest_log_counts expected = {0};
  342. unsigned char buf[1];
  343. size_t readbytes, written;
  344. /* Clean up logging space */
  345. memset(client_log_buffer, 0, sizeof(client_log_buffer));
  346. memset(server_log_buffer, 0, sizeof(server_log_buffer));
  347. client_log_buffer_index = 0;
  348. server_log_buffer_index = 0;
  349. error_writing_log = 0;
  350. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
  351. TLS1_VERSION, 0,
  352. &sctx, &cctx, cert, privkey))
  353. || !TEST_true(SSL_CTX_set_max_early_data(sctx,
  354. SSL3_RT_MAX_PLAIN_LENGTH)))
  355. return 0;
  356. if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
  357. || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
  358. goto end;
  359. SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
  360. if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
  361. == client_keylog_callback))
  362. goto end;
  363. SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
  364. if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
  365. == server_keylog_callback))
  366. goto end;
  367. /* Now do a handshake and check that the logs have been written to. */
  368. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
  369. &clientssl, NULL, NULL))
  370. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  371. SSL_ERROR_NONE))
  372. || !TEST_false(error_writing_log))
  373. goto end;
  374. /*
  375. * Now we want to test that our output data was vaguely sensible. For this
  376. * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
  377. * TLSv1.3, but we do expect both client and server to emit keys.
  378. */
  379. expected.client_handshake_secret_count = 1;
  380. expected.server_handshake_secret_count = 1;
  381. expected.client_application_secret_count = 1;
  382. expected.server_application_secret_count = 1;
  383. expected.exporter_secret_count = 1;
  384. if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
  385. SSL_get_session(clientssl), &expected))
  386. || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
  387. SSL_get_session(serverssl),
  388. &expected)))
  389. goto end;
  390. /* Terminate old session and resume with early data. */
  391. sess = SSL_get1_session(clientssl);
  392. SSL_shutdown(clientssl);
  393. SSL_shutdown(serverssl);
  394. SSL_free(serverssl);
  395. SSL_free(clientssl);
  396. serverssl = clientssl = NULL;
  397. /* Reset key log */
  398. memset(client_log_buffer, 0, sizeof(client_log_buffer));
  399. memset(server_log_buffer, 0, sizeof(server_log_buffer));
  400. client_log_buffer_index = 0;
  401. server_log_buffer_index = 0;
  402. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
  403. &clientssl, NULL, NULL))
  404. || !TEST_true(SSL_set_session(clientssl, sess))
  405. /* Here writing 0 length early data is enough. */
  406. || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
  407. || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
  408. &readbytes),
  409. SSL_READ_EARLY_DATA_ERROR)
  410. || !TEST_int_eq(SSL_get_early_data_status(serverssl),
  411. SSL_EARLY_DATA_ACCEPTED)
  412. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  413. SSL_ERROR_NONE))
  414. || !TEST_true(SSL_session_reused(clientssl)))
  415. goto end;
  416. /* In addition to the previous entries, expect early secrets. */
  417. expected.client_early_secret_count = 1;
  418. expected.early_exporter_secret_count = 1;
  419. if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
  420. SSL_get_session(clientssl), &expected))
  421. || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
  422. SSL_get_session(serverssl),
  423. &expected)))
  424. goto end;
  425. testresult = 1;
  426. end:
  427. SSL_SESSION_free(sess);
  428. SSL_free(serverssl);
  429. SSL_free(clientssl);
  430. SSL_CTX_free(sctx);
  431. SSL_CTX_free(cctx);
  432. return testresult;
  433. }
  434. #endif
  435. #ifndef OPENSSL_NO_TLS1_2
  436. static int full_client_hello_callback(SSL *s, int *al, void *arg)
  437. {
  438. int *ctr = arg;
  439. const unsigned char *p;
  440. int *exts;
  441. /* We only configure two ciphers, but the SCSV is added automatically. */
  442. #ifdef OPENSSL_NO_EC
  443. const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
  444. #else
  445. const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
  446. 0x2c, 0x00, 0xff};
  447. #endif
  448. const int expected_extensions[] = {
  449. #ifndef OPENSSL_NO_EC
  450. 11, 10,
  451. #endif
  452. 35, 22, 23, 13};
  453. size_t len;
  454. /* Make sure we can defer processing and get called back. */
  455. if ((*ctr)++ == 0)
  456. return SSL_CLIENT_HELLO_RETRY;
  457. len = SSL_client_hello_get0_ciphers(s, &p);
  458. if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
  459. || !TEST_size_t_eq(
  460. SSL_client_hello_get0_compression_methods(s, &p), 1)
  461. || !TEST_int_eq(*p, 0))
  462. return SSL_CLIENT_HELLO_ERROR;
  463. if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
  464. return SSL_CLIENT_HELLO_ERROR;
  465. if (len != OSSL_NELEM(expected_extensions) ||
  466. memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
  467. printf("ClientHello callback expected extensions mismatch\n");
  468. OPENSSL_free(exts);
  469. return SSL_CLIENT_HELLO_ERROR;
  470. }
  471. OPENSSL_free(exts);
  472. return SSL_CLIENT_HELLO_SUCCESS;
  473. }
  474. static int test_client_hello_cb(void)
  475. {
  476. SSL_CTX *cctx = NULL, *sctx = NULL;
  477. SSL *clientssl = NULL, *serverssl = NULL;
  478. int testctr = 0, testresult = 0;
  479. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
  480. TLS1_VERSION, 0,
  481. &sctx, &cctx, cert, privkey)))
  482. goto end;
  483. SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
  484. /* The gimpy cipher list we configure can't do TLS 1.3. */
  485. SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
  486. if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
  487. "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
  488. || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
  489. &clientssl, NULL, NULL))
  490. || !TEST_false(create_ssl_connection(serverssl, clientssl,
  491. SSL_ERROR_WANT_CLIENT_HELLO_CB))
  492. /*
  493. * Passing a -1 literal is a hack since
  494. * the real value was lost.
  495. * */
  496. || !TEST_int_eq(SSL_get_error(serverssl, -1),
  497. SSL_ERROR_WANT_CLIENT_HELLO_CB)
  498. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  499. SSL_ERROR_NONE)))
  500. goto end;
  501. testresult = 1;
  502. end:
  503. SSL_free(serverssl);
  504. SSL_free(clientssl);
  505. SSL_CTX_free(sctx);
  506. SSL_CTX_free(cctx);
  507. return testresult;
  508. }
  509. static int test_no_ems(void)
  510. {
  511. SSL_CTX *cctx = NULL, *sctx = NULL;
  512. SSL *clientssl = NULL, *serverssl = NULL;
  513. int testresult = 0;
  514. if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
  515. TLS1_VERSION, TLS1_2_VERSION,
  516. &sctx, &cctx, cert, privkey)) {
  517. printf("Unable to create SSL_CTX pair\n");
  518. goto end;
  519. }
  520. SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
  521. if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
  522. printf("Unable to create SSL objects\n");
  523. goto end;
  524. }
  525. if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
  526. printf("Creating SSL connection failed\n");
  527. goto end;
  528. }
  529. if (SSL_get_extms_support(serverssl)) {
  530. printf("Server reports Extended Master Secret support\n");
  531. goto end;
  532. }
  533. if (SSL_get_extms_support(clientssl)) {
  534. printf("Client reports Extended Master Secret support\n");
  535. goto end;
  536. }
  537. testresult = 1;
  538. end:
  539. SSL_free(serverssl);
  540. SSL_free(clientssl);
  541. SSL_CTX_free(sctx);
  542. SSL_CTX_free(cctx);
  543. return testresult;
  544. }
  545. #endif
  546. static int execute_test_large_message(const SSL_METHOD *smeth,
  547. const SSL_METHOD *cmeth,
  548. int min_version, int max_version,
  549. int read_ahead)
  550. {
  551. SSL_CTX *cctx = NULL, *sctx = NULL;
  552. SSL *clientssl = NULL, *serverssl = NULL;
  553. int testresult = 0;
  554. int i;
  555. BIO *certbio = NULL;
  556. X509 *chaincert = NULL;
  557. int certlen;
  558. if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
  559. goto end;
  560. chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
  561. BIO_free(certbio);
  562. certbio = NULL;
  563. if (!TEST_ptr(chaincert))
  564. goto end;
  565. if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
  566. &sctx, &cctx, cert, privkey)))
  567. goto end;
  568. if (read_ahead) {
  569. /*
  570. * Test that read_ahead works correctly when dealing with large
  571. * records
  572. */
  573. SSL_CTX_set_read_ahead(cctx, 1);
  574. }
  575. /*
  576. * We assume the supplied certificate is big enough so that if we add
  577. * NUM_EXTRA_CERTS it will make the overall message large enough. The
  578. * default buffer size is requested to be 16k, but due to the way BUF_MEM
  579. * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
  580. * test we need to have a message larger than that.
  581. */
  582. certlen = i2d_X509(chaincert, NULL);
  583. OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
  584. (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
  585. for (i = 0; i < NUM_EXTRA_CERTS; i++) {
  586. if (!X509_up_ref(chaincert))
  587. goto end;
  588. if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
  589. X509_free(chaincert);
  590. goto end;
  591. }
  592. }
  593. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  594. NULL, NULL))
  595. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  596. SSL_ERROR_NONE)))
  597. goto end;
  598. /*
  599. * Calling SSL_clear() first is not required but this tests that SSL_clear()
  600. * doesn't leak (when using enable-crypto-mdebug).
  601. */
  602. if (!TEST_true(SSL_clear(serverssl)))
  603. goto end;
  604. testresult = 1;
  605. end:
  606. X509_free(chaincert);
  607. SSL_free(serverssl);
  608. SSL_free(clientssl);
  609. SSL_CTX_free(sctx);
  610. SSL_CTX_free(cctx);
  611. return testresult;
  612. }
  613. #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
  614. && !defined(OPENSSL_NO_SOCK)
  615. /* sock must be connected */
  616. static int ktls_chk_platform(int sock)
  617. {
  618. if (!ktls_enable(sock))
  619. return 0;
  620. return 1;
  621. }
  622. static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd)
  623. {
  624. static char count = 1;
  625. unsigned char cbuf[16000] = {0};
  626. unsigned char sbuf[16000];
  627. size_t err = 0;
  628. char crec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
  629. char crec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
  630. char srec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
  631. char srec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
  632. char srec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
  633. char srec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
  634. cbuf[0] = count++;
  635. memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence,
  636. TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
  637. memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence,
  638. TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
  639. memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence,
  640. TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
  641. if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
  642. goto end;
  643. while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
  644. if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
  645. goto end;
  646. }
  647. }
  648. if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
  649. goto end;
  650. while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
  651. if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
  652. goto end;
  653. }
  654. }
  655. memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence,
  656. TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
  657. memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence,
  658. TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
  659. memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence,
  660. TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
  661. /* verify the payload */
  662. if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
  663. goto end;
  664. /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
  665. if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
  666. if (!TEST_mem_ne(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
  667. crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
  668. goto end;
  669. } else {
  670. if (!TEST_mem_eq(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
  671. crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
  672. goto end;
  673. }
  674. if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
  675. if (!TEST_mem_ne(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
  676. srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
  677. goto end;
  678. } else {
  679. if (!TEST_mem_eq(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
  680. srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
  681. goto end;
  682. }
  683. if (!TEST_mem_ne(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
  684. srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
  685. goto end;
  686. return 1;
  687. end:
  688. return 0;
  689. }
  690. static int execute_test_ktls(int cis_ktls_tx, int sis_ktls_tx)
  691. {
  692. SSL_CTX *cctx = NULL, *sctx = NULL;
  693. SSL *clientssl = NULL, *serverssl = NULL;
  694. int testresult = 0;
  695. int cfd, sfd;
  696. if (!TEST_true(create_test_sockets(&cfd, &sfd)))
  697. goto end;
  698. /* Skip this test if the platform does not support ktls */
  699. if (!ktls_chk_platform(cfd))
  700. return 1;
  701. /* Create a session based on SHA-256 */
  702. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
  703. TLS_client_method(),
  704. TLS1_2_VERSION, TLS1_2_VERSION,
  705. &sctx, &cctx, cert, privkey))
  706. || !TEST_true(SSL_CTX_set_cipher_list(cctx,
  707. "AES128-GCM-SHA256"))
  708. || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
  709. &clientssl, sfd, cfd)))
  710. goto end;
  711. if (!cis_ktls_tx) {
  712. if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
  713. goto end;
  714. }
  715. if (!sis_ktls_tx) {
  716. if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
  717. goto end;
  718. }
  719. if (!TEST_true(create_ssl_connection(serverssl, clientssl,
  720. SSL_ERROR_NONE)))
  721. goto end;
  722. if (!cis_ktls_tx) {
  723. if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
  724. goto end;
  725. } else {
  726. if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
  727. goto end;
  728. }
  729. if (!sis_ktls_tx) {
  730. if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
  731. goto end;
  732. } else {
  733. if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
  734. goto end;
  735. }
  736. if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd)))
  737. goto end;
  738. testresult = 1;
  739. end:
  740. if (clientssl) {
  741. SSL_shutdown(clientssl);
  742. SSL_free(clientssl);
  743. }
  744. if (serverssl) {
  745. SSL_shutdown(serverssl);
  746. SSL_free(serverssl);
  747. }
  748. SSL_CTX_free(sctx);
  749. SSL_CTX_free(cctx);
  750. serverssl = clientssl = NULL;
  751. return testresult;
  752. }
  753. static int test_ktls_client_server(void)
  754. {
  755. return execute_test_ktls(1, 1);
  756. }
  757. static int test_ktls_no_client_server(void)
  758. {
  759. return execute_test_ktls(0, 1);
  760. }
  761. static int test_ktls_client_no_server(void)
  762. {
  763. return execute_test_ktls(1, 0);
  764. }
  765. static int test_ktls_no_client_no_server(void)
  766. {
  767. return execute_test_ktls(0, 0);
  768. }
  769. #endif
  770. static int test_large_message_tls(void)
  771. {
  772. return execute_test_large_message(TLS_server_method(), TLS_client_method(),
  773. TLS1_VERSION, 0, 0);
  774. }
  775. static int test_large_message_tls_read_ahead(void)
  776. {
  777. return execute_test_large_message(TLS_server_method(), TLS_client_method(),
  778. TLS1_VERSION, 0, 1);
  779. }
  780. #ifndef OPENSSL_NO_DTLS
  781. static int test_large_message_dtls(void)
  782. {
  783. /*
  784. * read_ahead is not relevant to DTLS because DTLS always acts as if
  785. * read_ahead is set.
  786. */
  787. return execute_test_large_message(DTLS_server_method(),
  788. DTLS_client_method(),
  789. DTLS1_VERSION, 0, 0);
  790. }
  791. #endif
  792. #ifndef OPENSSL_NO_OCSP
  793. static int ocsp_server_cb(SSL *s, void *arg)
  794. {
  795. int *argi = (int *)arg;
  796. unsigned char *copy = NULL;
  797. STACK_OF(OCSP_RESPID) *ids = NULL;
  798. OCSP_RESPID *id = NULL;
  799. if (*argi == 2) {
  800. /* In this test we are expecting exactly 1 OCSP_RESPID */
  801. SSL_get_tlsext_status_ids(s, &ids);
  802. if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
  803. return SSL_TLSEXT_ERR_ALERT_FATAL;
  804. id = sk_OCSP_RESPID_value(ids, 0);
  805. if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
  806. return SSL_TLSEXT_ERR_ALERT_FATAL;
  807. } else if (*argi != 1) {
  808. return SSL_TLSEXT_ERR_ALERT_FATAL;
  809. }
  810. if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
  811. return SSL_TLSEXT_ERR_ALERT_FATAL;
  812. SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
  813. ocsp_server_called = 1;
  814. return SSL_TLSEXT_ERR_OK;
  815. }
  816. static int ocsp_client_cb(SSL *s, void *arg)
  817. {
  818. int *argi = (int *)arg;
  819. const unsigned char *respderin;
  820. size_t len;
  821. if (*argi != 1 && *argi != 2)
  822. return 0;
  823. len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
  824. if (!TEST_mem_eq(orespder, len, respderin, len))
  825. return 0;
  826. ocsp_client_called = 1;
  827. return 1;
  828. }
  829. static int test_tlsext_status_type(void)
  830. {
  831. SSL_CTX *cctx = NULL, *sctx = NULL;
  832. SSL *clientssl = NULL, *serverssl = NULL;
  833. int testresult = 0;
  834. STACK_OF(OCSP_RESPID) *ids = NULL;
  835. OCSP_RESPID *id = NULL;
  836. BIO *certbio = NULL;
  837. if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
  838. TLS1_VERSION, 0,
  839. &sctx, &cctx, cert, privkey))
  840. return 0;
  841. if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
  842. goto end;
  843. /* First just do various checks getting and setting tlsext_status_type */
  844. clientssl = SSL_new(cctx);
  845. if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
  846. || !TEST_true(SSL_set_tlsext_status_type(clientssl,
  847. TLSEXT_STATUSTYPE_ocsp))
  848. || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
  849. TLSEXT_STATUSTYPE_ocsp))
  850. goto end;
  851. SSL_free(clientssl);
  852. clientssl = NULL;
  853. if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
  854. || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
  855. goto end;
  856. clientssl = SSL_new(cctx);
  857. if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
  858. goto end;
  859. SSL_free(clientssl);
  860. clientssl = NULL;
  861. /*
  862. * Now actually do a handshake and check OCSP information is exchanged and
  863. * the callbacks get called
  864. */
  865. SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
  866. SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
  867. SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
  868. SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
  869. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
  870. &clientssl, NULL, NULL))
  871. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  872. SSL_ERROR_NONE))
  873. || !TEST_true(ocsp_client_called)
  874. || !TEST_true(ocsp_server_called))
  875. goto end;
  876. SSL_free(serverssl);
  877. SSL_free(clientssl);
  878. serverssl = NULL;
  879. clientssl = NULL;
  880. /* Try again but this time force the server side callback to fail */
  881. ocsp_client_called = 0;
  882. ocsp_server_called = 0;
  883. cdummyarg = 0;
  884. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
  885. &clientssl, NULL, NULL))
  886. /* This should fail because the callback will fail */
  887. || !TEST_false(create_ssl_connection(serverssl, clientssl,
  888. SSL_ERROR_NONE))
  889. || !TEST_false(ocsp_client_called)
  890. || !TEST_false(ocsp_server_called))
  891. goto end;
  892. SSL_free(serverssl);
  893. SSL_free(clientssl);
  894. serverssl = NULL;
  895. clientssl = NULL;
  896. /*
  897. * This time we'll get the client to send an OCSP_RESPID that it will
  898. * accept.
  899. */
  900. ocsp_client_called = 0;
  901. ocsp_server_called = 0;
  902. cdummyarg = 2;
  903. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
  904. &clientssl, NULL, NULL)))
  905. goto end;
  906. /*
  907. * We'll just use any old cert for this test - it doesn't have to be an OCSP
  908. * specific one. We'll use the server cert.
  909. */
  910. if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
  911. || !TEST_ptr(id = OCSP_RESPID_new())
  912. || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
  913. || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
  914. NULL, NULL, NULL))
  915. || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
  916. || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
  917. goto end;
  918. id = NULL;
  919. SSL_set_tlsext_status_ids(clientssl, ids);
  920. /* Control has been transferred */
  921. ids = NULL;
  922. BIO_free(certbio);
  923. certbio = NULL;
  924. if (!TEST_true(create_ssl_connection(serverssl, clientssl,
  925. SSL_ERROR_NONE))
  926. || !TEST_true(ocsp_client_called)
  927. || !TEST_true(ocsp_server_called))
  928. goto end;
  929. testresult = 1;
  930. end:
  931. SSL_free(serverssl);
  932. SSL_free(clientssl);
  933. SSL_CTX_free(sctx);
  934. SSL_CTX_free(cctx);
  935. sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
  936. OCSP_RESPID_free(id);
  937. BIO_free(certbio);
  938. X509_free(ocspcert);
  939. ocspcert = NULL;
  940. return testresult;
  941. }
  942. #endif
  943. #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
  944. static int new_called, remove_called, get_called;
  945. static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
  946. {
  947. new_called++;
  948. /*
  949. * sess has been up-refed for us, but we don't actually need it so free it
  950. * immediately.
  951. */
  952. SSL_SESSION_free(sess);
  953. return 1;
  954. }
  955. static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
  956. {
  957. remove_called++;
  958. }
  959. static SSL_SESSION *get_sess_val = NULL;
  960. static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
  961. int *copy)
  962. {
  963. get_called++;
  964. *copy = 1;
  965. return get_sess_val;
  966. }
  967. static int execute_test_session(int maxprot, int use_int_cache,
  968. int use_ext_cache)
  969. {
  970. SSL_CTX *sctx = NULL, *cctx = NULL;
  971. SSL *serverssl1 = NULL, *clientssl1 = NULL;
  972. SSL *serverssl2 = NULL, *clientssl2 = NULL;
  973. # ifndef OPENSSL_NO_TLS1_1
  974. SSL *serverssl3 = NULL, *clientssl3 = NULL;
  975. # endif
  976. SSL_SESSION *sess1 = NULL, *sess2 = NULL;
  977. int testresult = 0, numnewsesstick = 1;
  978. new_called = remove_called = 0;
  979. /* TLSv1.3 sends 2 NewSessionTickets */
  980. if (maxprot == TLS1_3_VERSION)
  981. numnewsesstick = 2;
  982. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
  983. TLS1_VERSION, 0,
  984. &sctx, &cctx, cert, privkey)))
  985. return 0;
  986. /*
  987. * Only allow the max protocol version so we can force a connection failure
  988. * later
  989. */
  990. SSL_CTX_set_min_proto_version(cctx, maxprot);
  991. SSL_CTX_set_max_proto_version(cctx, maxprot);
  992. /* Set up session cache */
  993. if (use_ext_cache) {
  994. SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
  995. SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
  996. }
  997. if (use_int_cache) {
  998. /* Also covers instance where both are set */
  999. SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
  1000. } else {
  1001. SSL_CTX_set_session_cache_mode(cctx,
  1002. SSL_SESS_CACHE_CLIENT
  1003. | SSL_SESS_CACHE_NO_INTERNAL_STORE);
  1004. }
  1005. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
  1006. NULL, NULL))
  1007. || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
  1008. SSL_ERROR_NONE))
  1009. || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
  1010. goto end;
  1011. /* Should fail because it should already be in the cache */
  1012. if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
  1013. goto end;
  1014. if (use_ext_cache
  1015. && (!TEST_int_eq(new_called, numnewsesstick)
  1016. || !TEST_int_eq(remove_called, 0)))
  1017. goto end;
  1018. new_called = remove_called = 0;
  1019. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
  1020. &clientssl2, NULL, NULL))
  1021. || !TEST_true(SSL_set_session(clientssl2, sess1))
  1022. || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
  1023. SSL_ERROR_NONE))
  1024. || !TEST_true(SSL_session_reused(clientssl2)))
  1025. goto end;
  1026. if (maxprot == TLS1_3_VERSION) {
  1027. /*
  1028. * In TLSv1.3 we should have created a new session even though we have
  1029. * resumed. Since we attempted a resume we should also have removed the
  1030. * old ticket from the cache so that we try to only use tickets once.
  1031. */
  1032. if (use_ext_cache
  1033. && (!TEST_int_eq(new_called, 1)
  1034. || !TEST_int_eq(remove_called, 1)))
  1035. goto end;
  1036. } else {
  1037. /*
  1038. * In TLSv1.2 we expect to have resumed so no sessions added or
  1039. * removed.
  1040. */
  1041. if (use_ext_cache
  1042. && (!TEST_int_eq(new_called, 0)
  1043. || !TEST_int_eq(remove_called, 0)))
  1044. goto end;
  1045. }
  1046. SSL_SESSION_free(sess1);
  1047. if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
  1048. goto end;
  1049. shutdown_ssl_connection(serverssl2, clientssl2);
  1050. serverssl2 = clientssl2 = NULL;
  1051. new_called = remove_called = 0;
  1052. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
  1053. &clientssl2, NULL, NULL))
  1054. || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
  1055. SSL_ERROR_NONE)))
  1056. goto end;
  1057. if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
  1058. goto end;
  1059. if (use_ext_cache
  1060. && (!TEST_int_eq(new_called, numnewsesstick)
  1061. || !TEST_int_eq(remove_called, 0)))
  1062. goto end;
  1063. new_called = remove_called = 0;
  1064. /*
  1065. * This should clear sess2 from the cache because it is a "bad" session.
  1066. * See SSL_set_session() documentation.
  1067. */
  1068. if (!TEST_true(SSL_set_session(clientssl2, sess1)))
  1069. goto end;
  1070. if (use_ext_cache
  1071. && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
  1072. goto end;
  1073. if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
  1074. goto end;
  1075. if (use_int_cache) {
  1076. /* Should succeeded because it should not already be in the cache */
  1077. if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
  1078. || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
  1079. goto end;
  1080. }
  1081. new_called = remove_called = 0;
  1082. /* This shouldn't be in the cache so should fail */
  1083. if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
  1084. goto end;
  1085. if (use_ext_cache
  1086. && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
  1087. goto end;
  1088. # if !defined(OPENSSL_NO_TLS1_1)
  1089. new_called = remove_called = 0;
  1090. /* Force a connection failure */
  1091. SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
  1092. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
  1093. &clientssl3, NULL, NULL))
  1094. || !TEST_true(SSL_set_session(clientssl3, sess1))
  1095. /* This should fail because of the mismatched protocol versions */
  1096. || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
  1097. SSL_ERROR_NONE)))
  1098. goto end;
  1099. /* We should have automatically removed the session from the cache */
  1100. if (use_ext_cache
  1101. && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
  1102. goto end;
  1103. /* Should succeed because it should not already be in the cache */
  1104. if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
  1105. goto end;
  1106. # endif
  1107. /* Now do some tests for server side caching */
  1108. if (use_ext_cache) {
  1109. SSL_CTX_sess_set_new_cb(cctx, NULL);
  1110. SSL_CTX_sess_set_remove_cb(cctx, NULL);
  1111. SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
  1112. SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
  1113. SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
  1114. get_sess_val = NULL;
  1115. }
  1116. SSL_CTX_set_session_cache_mode(cctx, 0);
  1117. /* Internal caching is the default on the server side */
  1118. if (!use_int_cache)
  1119. SSL_CTX_set_session_cache_mode(sctx,
  1120. SSL_SESS_CACHE_SERVER
  1121. | SSL_SESS_CACHE_NO_INTERNAL_STORE);
  1122. SSL_free(serverssl1);
  1123. SSL_free(clientssl1);
  1124. serverssl1 = clientssl1 = NULL;
  1125. SSL_free(serverssl2);
  1126. SSL_free(clientssl2);
  1127. serverssl2 = clientssl2 = NULL;
  1128. SSL_SESSION_free(sess1);
  1129. sess1 = NULL;
  1130. SSL_SESSION_free(sess2);
  1131. sess2 = NULL;
  1132. SSL_CTX_set_max_proto_version(sctx, maxprot);
  1133. if (maxprot == TLS1_2_VERSION)
  1134. SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
  1135. new_called = remove_called = get_called = 0;
  1136. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
  1137. NULL, NULL))
  1138. || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
  1139. SSL_ERROR_NONE))
  1140. || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
  1141. || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
  1142. goto end;
  1143. if (use_int_cache) {
  1144. if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
  1145. /*
  1146. * In TLSv1.3 it should not have been added to the internal cache,
  1147. * except in the case where we also have an external cache (in that
  1148. * case it gets added to the cache in order to generate remove
  1149. * events after timeout).
  1150. */
  1151. if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
  1152. goto end;
  1153. } else {
  1154. /* Should fail because it should already be in the cache */
  1155. if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
  1156. goto end;
  1157. }
  1158. }
  1159. if (use_ext_cache) {
  1160. SSL_SESSION *tmp = sess2;
  1161. if (!TEST_int_eq(new_called, numnewsesstick)
  1162. || !TEST_int_eq(remove_called, 0)
  1163. || !TEST_int_eq(get_called, 0))
  1164. goto end;
  1165. /*
  1166. * Delete the session from the internal cache to force a lookup from
  1167. * the external cache. We take a copy first because
  1168. * SSL_CTX_remove_session() also marks the session as non-resumable.
  1169. */
  1170. if (use_int_cache && maxprot != TLS1_3_VERSION) {
  1171. if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
  1172. || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
  1173. goto end;
  1174. SSL_SESSION_free(sess2);
  1175. }
  1176. sess2 = tmp;
  1177. }
  1178. new_called = remove_called = get_called = 0;
  1179. get_sess_val = sess2;
  1180. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
  1181. &clientssl2, NULL, NULL))
  1182. || !TEST_true(SSL_set_session(clientssl2, sess1))
  1183. || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
  1184. SSL_ERROR_NONE))
  1185. || !TEST_true(SSL_session_reused(clientssl2)))
  1186. goto end;
  1187. if (use_ext_cache) {
  1188. if (!TEST_int_eq(remove_called, 0))
  1189. goto end;
  1190. if (maxprot == TLS1_3_VERSION) {
  1191. if (!TEST_int_eq(new_called, 1)
  1192. || !TEST_int_eq(get_called, 0))
  1193. goto end;
  1194. } else {
  1195. if (!TEST_int_eq(new_called, 0)
  1196. || !TEST_int_eq(get_called, 1))
  1197. goto end;
  1198. }
  1199. }
  1200. testresult = 1;
  1201. end:
  1202. SSL_free(serverssl1);
  1203. SSL_free(clientssl1);
  1204. SSL_free(serverssl2);
  1205. SSL_free(clientssl2);
  1206. # ifndef OPENSSL_NO_TLS1_1
  1207. SSL_free(serverssl3);
  1208. SSL_free(clientssl3);
  1209. # endif
  1210. SSL_SESSION_free(sess1);
  1211. SSL_SESSION_free(sess2);
  1212. SSL_CTX_free(sctx);
  1213. SSL_CTX_free(cctx);
  1214. return testresult;
  1215. }
  1216. #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
  1217. static int test_session_with_only_int_cache(void)
  1218. {
  1219. #ifndef OPENSSL_NO_TLS1_3
  1220. if (!execute_test_session(TLS1_3_VERSION, 1, 0))
  1221. return 0;
  1222. #endif
  1223. #ifndef OPENSSL_NO_TLS1_2
  1224. return execute_test_session(TLS1_2_VERSION, 1, 0);
  1225. #else
  1226. return 1;
  1227. #endif
  1228. }
  1229. static int test_session_with_only_ext_cache(void)
  1230. {
  1231. #ifndef OPENSSL_NO_TLS1_3
  1232. if (!execute_test_session(TLS1_3_VERSION, 0, 1))
  1233. return 0;
  1234. #endif
  1235. #ifndef OPENSSL_NO_TLS1_2
  1236. return execute_test_session(TLS1_2_VERSION, 0, 1);
  1237. #else
  1238. return 1;
  1239. #endif
  1240. }
  1241. static int test_session_with_both_cache(void)
  1242. {
  1243. #ifndef OPENSSL_NO_TLS1_3
  1244. if (!execute_test_session(TLS1_3_VERSION, 1, 1))
  1245. return 0;
  1246. #endif
  1247. #ifndef OPENSSL_NO_TLS1_2
  1248. return execute_test_session(TLS1_2_VERSION, 1, 1);
  1249. #else
  1250. return 1;
  1251. #endif
  1252. }
  1253. #ifndef OPENSSL_NO_TLS1_3
  1254. static SSL_SESSION *sesscache[6];
  1255. static int do_cache;
  1256. static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
  1257. {
  1258. if (do_cache) {
  1259. sesscache[new_called] = sess;
  1260. } else {
  1261. /* We don't need the reference to the session, so free it */
  1262. SSL_SESSION_free(sess);
  1263. }
  1264. new_called++;
  1265. return 1;
  1266. }
  1267. static int post_handshake_verify(SSL *sssl, SSL *cssl)
  1268. {
  1269. SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
  1270. if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
  1271. return 0;
  1272. /* Start handshake on the server and client */
  1273. if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
  1274. || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
  1275. || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
  1276. || !TEST_true(create_ssl_connection(sssl, cssl,
  1277. SSL_ERROR_NONE)))
  1278. return 0;
  1279. return 1;
  1280. }
  1281. static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
  1282. SSL_CTX **cctx)
  1283. {
  1284. int sess_id_ctx = 1;
  1285. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
  1286. TLS1_VERSION, 0, sctx,
  1287. cctx, cert, privkey))
  1288. || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
  1289. || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
  1290. (void *)&sess_id_ctx,
  1291. sizeof(sess_id_ctx))))
  1292. return 0;
  1293. if (stateful)
  1294. SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
  1295. SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
  1296. | SSL_SESS_CACHE_NO_INTERNAL_STORE);
  1297. SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
  1298. return 1;
  1299. }
  1300. static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
  1301. {
  1302. SSL *serverssl = NULL, *clientssl = NULL;
  1303. int i;
  1304. /* Test that we can resume with all the tickets we got given */
  1305. for (i = 0; i < idx * 2; i++) {
  1306. new_called = 0;
  1307. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
  1308. &clientssl, NULL, NULL))
  1309. || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
  1310. goto end;
  1311. SSL_set_post_handshake_auth(clientssl, 1);
  1312. if (!TEST_true(create_ssl_connection(serverssl, clientssl,
  1313. SSL_ERROR_NONE)))
  1314. goto end;
  1315. /*
  1316. * Following a successful resumption we only get 1 ticket. After a
  1317. * failed one we should get idx tickets.
  1318. */
  1319. if (succ) {
  1320. if (!TEST_true(SSL_session_reused(clientssl))
  1321. || !TEST_int_eq(new_called, 1))
  1322. goto end;
  1323. } else {
  1324. if (!TEST_false(SSL_session_reused(clientssl))
  1325. || !TEST_int_eq(new_called, idx))
  1326. goto end;
  1327. }
  1328. new_called = 0;
  1329. /* After a post-handshake authentication we should get 1 new ticket */
  1330. if (succ
  1331. && (!post_handshake_verify(serverssl, clientssl)
  1332. || !TEST_int_eq(new_called, 1)))
  1333. goto end;
  1334. SSL_shutdown(clientssl);
  1335. SSL_shutdown(serverssl);
  1336. SSL_free(serverssl);
  1337. SSL_free(clientssl);
  1338. serverssl = clientssl = NULL;
  1339. SSL_SESSION_free(sesscache[i]);
  1340. sesscache[i] = NULL;
  1341. }
  1342. return 1;
  1343. end:
  1344. SSL_free(clientssl);
  1345. SSL_free(serverssl);
  1346. return 0;
  1347. }
  1348. static int test_tickets(int stateful, int idx)
  1349. {
  1350. SSL_CTX *sctx = NULL, *cctx = NULL;
  1351. SSL *serverssl = NULL, *clientssl = NULL;
  1352. int testresult = 0;
  1353. size_t j;
  1354. /* idx is the test number, but also the number of tickets we want */
  1355. new_called = 0;
  1356. do_cache = 1;
  1357. if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
  1358. goto end;
  1359. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
  1360. &clientssl, NULL, NULL)))
  1361. goto end;
  1362. if (!TEST_true(create_ssl_connection(serverssl, clientssl,
  1363. SSL_ERROR_NONE))
  1364. /* Check we got the number of tickets we were expecting */
  1365. || !TEST_int_eq(idx, new_called))
  1366. goto end;
  1367. SSL_shutdown(clientssl);
  1368. SSL_shutdown(serverssl);
  1369. SSL_free(serverssl);
  1370. SSL_free(clientssl);
  1371. SSL_CTX_free(sctx);
  1372. SSL_CTX_free(cctx);
  1373. clientssl = serverssl = NULL;
  1374. sctx = cctx = NULL;
  1375. /*
  1376. * Now we try to resume with the tickets we previously created. The
  1377. * resumption attempt is expected to fail (because we're now using a new
  1378. * SSL_CTX). We should see idx number of tickets issued again.
  1379. */
  1380. /* Stop caching sessions - just count them */
  1381. do_cache = 0;
  1382. if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
  1383. goto end;
  1384. if (!check_resumption(idx, sctx, cctx, 0))
  1385. goto end;
  1386. /* Start again with caching sessions */
  1387. new_called = 0;
  1388. do_cache = 1;
  1389. SSL_CTX_free(sctx);
  1390. SSL_CTX_free(cctx);
  1391. sctx = cctx = NULL;
  1392. if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
  1393. goto end;
  1394. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
  1395. &clientssl, NULL, NULL)))
  1396. goto end;
  1397. SSL_set_post_handshake_auth(clientssl, 1);
  1398. if (!TEST_true(create_ssl_connection(serverssl, clientssl,
  1399. SSL_ERROR_NONE))
  1400. /* Check we got the number of tickets we were expecting */
  1401. || !TEST_int_eq(idx, new_called))
  1402. goto end;
  1403. /* After a post-handshake authentication we should get new tickets issued */
  1404. if (!post_handshake_verify(serverssl, clientssl)
  1405. || !TEST_int_eq(idx * 2, new_called))
  1406. goto end;
  1407. SSL_shutdown(clientssl);
  1408. SSL_shutdown(serverssl);
  1409. SSL_free(serverssl);
  1410. SSL_free(clientssl);
  1411. serverssl = clientssl = NULL;
  1412. /* Stop caching sessions - just count them */
  1413. do_cache = 0;
  1414. /*
  1415. * Check we can resume with all the tickets we created. This time around the
  1416. * resumptions should all be successful.
  1417. */
  1418. if (!check_resumption(idx, sctx, cctx, 1))
  1419. goto end;
  1420. testresult = 1;
  1421. end:
  1422. SSL_free(serverssl);
  1423. SSL_free(clientssl);
  1424. for (j = 0; j < OSSL_NELEM(sesscache); j++) {
  1425. SSL_SESSION_free(sesscache[j]);
  1426. sesscache[j] = NULL;
  1427. }
  1428. SSL_CTX_free(sctx);
  1429. SSL_CTX_free(cctx);
  1430. return testresult;
  1431. }
  1432. static int test_stateless_tickets(int idx)
  1433. {
  1434. return test_tickets(0, idx);
  1435. }
  1436. static int test_stateful_tickets(int idx)
  1437. {
  1438. return test_tickets(1, idx);
  1439. }
  1440. static int test_psk_tickets(void)
  1441. {
  1442. SSL_CTX *sctx = NULL, *cctx = NULL;
  1443. SSL *serverssl = NULL, *clientssl = NULL;
  1444. int testresult = 0;
  1445. int sess_id_ctx = 1;
  1446. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
  1447. TLS1_VERSION, 0, &sctx,
  1448. &cctx, NULL, NULL))
  1449. || !TEST_true(SSL_CTX_set_session_id_context(sctx,
  1450. (void *)&sess_id_ctx,
  1451. sizeof(sess_id_ctx))))
  1452. goto end;
  1453. SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
  1454. | SSL_SESS_CACHE_NO_INTERNAL_STORE);
  1455. SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
  1456. SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
  1457. SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
  1458. use_session_cb_cnt = 0;
  1459. find_session_cb_cnt = 0;
  1460. srvid = pskid;
  1461. new_called = 0;
  1462. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  1463. NULL, NULL)))
  1464. goto end;
  1465. clientpsk = serverpsk = create_a_psk(clientssl);
  1466. if (!TEST_ptr(clientpsk))
  1467. goto end;
  1468. SSL_SESSION_up_ref(clientpsk);
  1469. if (!TEST_true(create_ssl_connection(serverssl, clientssl,
  1470. SSL_ERROR_NONE))
  1471. || !TEST_int_eq(1, find_session_cb_cnt)
  1472. || !TEST_int_eq(1, use_session_cb_cnt)
  1473. /* We should always get 1 ticket when using external PSK */
  1474. || !TEST_int_eq(1, new_called))
  1475. goto end;
  1476. testresult = 1;
  1477. end:
  1478. SSL_free(serverssl);
  1479. SSL_free(clientssl);
  1480. SSL_CTX_free(sctx);
  1481. SSL_CTX_free(cctx);
  1482. SSL_SESSION_free(clientpsk);
  1483. SSL_SESSION_free(serverpsk);
  1484. clientpsk = serverpsk = NULL;
  1485. return testresult;
  1486. }
  1487. #endif
  1488. #define USE_NULL 0
  1489. #define USE_BIO_1 1
  1490. #define USE_BIO_2 2
  1491. #define USE_DEFAULT 3
  1492. #define CONNTYPE_CONNECTION_SUCCESS 0
  1493. #define CONNTYPE_CONNECTION_FAIL 1
  1494. #define CONNTYPE_NO_CONNECTION 2
  1495. #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
  1496. #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
  1497. #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
  1498. # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
  1499. #else
  1500. # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
  1501. #endif
  1502. #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
  1503. + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
  1504. + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
  1505. static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
  1506. {
  1507. switch (type) {
  1508. case USE_NULL:
  1509. *res = NULL;
  1510. break;
  1511. case USE_BIO_1:
  1512. *res = bio1;
  1513. break;
  1514. case USE_BIO_2:
  1515. *res = bio2;
  1516. break;
  1517. }
  1518. }
  1519. /*
  1520. * Tests calls to SSL_set_bio() under various conditions.
  1521. *
  1522. * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
  1523. * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
  1524. * then do more tests where we create a successful connection first using our
  1525. * standard connection setup functions, and then call SSL_set_bio() with
  1526. * various combinations of valid BIOs or NULL. We then repeat these tests
  1527. * following a failed connection. In this last case we are looking to check that
  1528. * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
  1529. */
  1530. static int test_ssl_set_bio(int idx)
  1531. {
  1532. SSL_CTX *sctx = NULL, *cctx = NULL;
  1533. BIO *bio1 = NULL;
  1534. BIO *bio2 = NULL;
  1535. BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
  1536. SSL *serverssl = NULL, *clientssl = NULL;
  1537. int initrbio, initwbio, newrbio, newwbio, conntype;
  1538. int testresult = 0;
  1539. if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
  1540. initrbio = idx % 3;
  1541. idx /= 3;
  1542. initwbio = idx % 3;
  1543. idx /= 3;
  1544. newrbio = idx % 3;
  1545. idx /= 3;
  1546. newwbio = idx % 3;
  1547. conntype = CONNTYPE_NO_CONNECTION;
  1548. } else {
  1549. idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
  1550. initrbio = initwbio = USE_DEFAULT;
  1551. newrbio = idx % 2;
  1552. idx /= 2;
  1553. newwbio = idx % 2;
  1554. idx /= 2;
  1555. conntype = idx % 2;
  1556. }
  1557. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
  1558. TLS1_VERSION, 0,
  1559. &sctx, &cctx, cert, privkey)))
  1560. goto end;
  1561. if (conntype == CONNTYPE_CONNECTION_FAIL) {
  1562. /*
  1563. * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
  1564. * because we reduced the number of tests in the definition of
  1565. * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
  1566. * mismatched protocol versions we will force a connection failure.
  1567. */
  1568. SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
  1569. SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
  1570. }
  1571. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  1572. NULL, NULL)))
  1573. goto end;
  1574. if (initrbio == USE_BIO_1
  1575. || initwbio == USE_BIO_1
  1576. || newrbio == USE_BIO_1
  1577. || newwbio == USE_BIO_1) {
  1578. if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
  1579. goto end;
  1580. }
  1581. if (initrbio == USE_BIO_2
  1582. || initwbio == USE_BIO_2
  1583. || newrbio == USE_BIO_2
  1584. || newwbio == USE_BIO_2) {
  1585. if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
  1586. goto end;
  1587. }
  1588. if (initrbio != USE_DEFAULT) {
  1589. setupbio(&irbio, bio1, bio2, initrbio);
  1590. setupbio(&iwbio, bio1, bio2, initwbio);
  1591. SSL_set_bio(clientssl, irbio, iwbio);
  1592. /*
  1593. * We want to maintain our own refs to these BIO, so do an up ref for
  1594. * each BIO that will have ownership transferred in the SSL_set_bio()
  1595. * call
  1596. */
  1597. if (irbio != NULL)
  1598. BIO_up_ref(irbio);
  1599. if (iwbio != NULL && iwbio != irbio)
  1600. BIO_up_ref(iwbio);
  1601. }
  1602. if (conntype != CONNTYPE_NO_CONNECTION
  1603. && !TEST_true(create_ssl_connection(serverssl, clientssl,
  1604. SSL_ERROR_NONE)
  1605. == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
  1606. goto end;
  1607. setupbio(&nrbio, bio1, bio2, newrbio);
  1608. setupbio(&nwbio, bio1, bio2, newwbio);
  1609. /*
  1610. * We will (maybe) transfer ownership again so do more up refs.
  1611. * SSL_set_bio() has some really complicated ownership rules where BIOs have
  1612. * already been set!
  1613. */
  1614. if (nrbio != NULL
  1615. && nrbio != irbio
  1616. && (nwbio != iwbio || nrbio != nwbio))
  1617. BIO_up_ref(nrbio);
  1618. if (nwbio != NULL
  1619. && nwbio != nrbio
  1620. && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
  1621. BIO_up_ref(nwbio);
  1622. SSL_set_bio(clientssl, nrbio, nwbio);
  1623. testresult = 1;
  1624. end:
  1625. BIO_free(bio1);
  1626. BIO_free(bio2);
  1627. /*
  1628. * This test is checking that the ref counting for SSL_set_bio is correct.
  1629. * If we get here and we did too many frees then we will fail in the above
  1630. * functions. If we haven't done enough then this will only be detected in
  1631. * a crypto-mdebug build
  1632. */
  1633. SSL_free(serverssl);
  1634. SSL_free(clientssl);
  1635. SSL_CTX_free(sctx);
  1636. SSL_CTX_free(cctx);
  1637. return testresult;
  1638. }
  1639. typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
  1640. static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
  1641. {
  1642. BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
  1643. SSL_CTX *ctx;
  1644. SSL *ssl = NULL;
  1645. int testresult = 0;
  1646. if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
  1647. || !TEST_ptr(ssl = SSL_new(ctx))
  1648. || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
  1649. || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
  1650. goto end;
  1651. BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
  1652. /*
  1653. * If anything goes wrong here then we could leak memory, so this will
  1654. * be caught in a crypto-mdebug build
  1655. */
  1656. BIO_push(sslbio, membio1);
  1657. /* Verify changing the rbio/wbio directly does not cause leaks */
  1658. if (change_bio != NO_BIO_CHANGE) {
  1659. if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
  1660. goto end;
  1661. if (change_bio == CHANGE_RBIO)
  1662. SSL_set0_rbio(ssl, membio2);
  1663. else
  1664. SSL_set0_wbio(ssl, membio2);
  1665. }
  1666. ssl = NULL;
  1667. if (pop_ssl)
  1668. BIO_pop(sslbio);
  1669. else
  1670. BIO_pop(membio1);
  1671. testresult = 1;
  1672. end:
  1673. BIO_free(membio1);
  1674. BIO_free(sslbio);
  1675. SSL_free(ssl);
  1676. SSL_CTX_free(ctx);
  1677. return testresult;
  1678. }
  1679. static int test_ssl_bio_pop_next_bio(void)
  1680. {
  1681. return execute_test_ssl_bio(0, NO_BIO_CHANGE);
  1682. }
  1683. static int test_ssl_bio_pop_ssl_bio(void)
  1684. {
  1685. return execute_test_ssl_bio(1, NO_BIO_CHANGE);
  1686. }
  1687. static int test_ssl_bio_change_rbio(void)
  1688. {
  1689. return execute_test_ssl_bio(0, CHANGE_RBIO);
  1690. }
  1691. static int test_ssl_bio_change_wbio(void)
  1692. {
  1693. return execute_test_ssl_bio(0, CHANGE_WBIO);
  1694. }
  1695. #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
  1696. typedef struct {
  1697. /* The list of sig algs */
  1698. const int *list;
  1699. /* The length of the list */
  1700. size_t listlen;
  1701. /* A sigalgs list in string format */
  1702. const char *liststr;
  1703. /* Whether setting the list should succeed */
  1704. int valid;
  1705. /* Whether creating a connection with the list should succeed */
  1706. int connsuccess;
  1707. } sigalgs_list;
  1708. static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
  1709. # ifndef OPENSSL_NO_EC
  1710. static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
  1711. static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
  1712. # endif
  1713. static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
  1714. static const int invalidlist2[] = {NID_sha256, NID_undef};
  1715. static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
  1716. static const int invalidlist4[] = {NID_sha256};
  1717. static const sigalgs_list testsigalgs[] = {
  1718. {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
  1719. # ifndef OPENSSL_NO_EC
  1720. {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
  1721. {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
  1722. # endif
  1723. {NULL, 0, "RSA+SHA256", 1, 1},
  1724. # ifndef OPENSSL_NO_EC
  1725. {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
  1726. {NULL, 0, "ECDSA+SHA512", 1, 0},
  1727. # endif
  1728. {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
  1729. {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
  1730. {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
  1731. {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
  1732. {NULL, 0, "RSA", 0, 0},
  1733. {NULL, 0, "SHA256", 0, 0},
  1734. {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
  1735. {NULL, 0, "Invalid", 0, 0}
  1736. };
  1737. static int test_set_sigalgs(int idx)
  1738. {
  1739. SSL_CTX *cctx = NULL, *sctx = NULL;
  1740. SSL *clientssl = NULL, *serverssl = NULL;
  1741. int testresult = 0;
  1742. const sigalgs_list *curr;
  1743. int testctx;
  1744. /* Should never happen */
  1745. if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
  1746. return 0;
  1747. testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
  1748. curr = testctx ? &testsigalgs[idx]
  1749. : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
  1750. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
  1751. TLS1_VERSION, 0,
  1752. &sctx, &cctx, cert, privkey)))
  1753. return 0;
  1754. /*
  1755. * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
  1756. * for TLSv1.2 for now until we add a new API.
  1757. */
  1758. SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
  1759. if (testctx) {
  1760. int ret;
  1761. if (curr->list != NULL)
  1762. ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
  1763. else
  1764. ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
  1765. if (!ret) {
  1766. if (curr->valid)
  1767. TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
  1768. else
  1769. testresult = 1;
  1770. goto end;
  1771. }
  1772. if (!curr->valid) {
  1773. TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
  1774. goto end;
  1775. }
  1776. }
  1777. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
  1778. &clientssl, NULL, NULL)))
  1779. goto end;
  1780. if (!testctx) {
  1781. int ret;
  1782. if (curr->list != NULL)
  1783. ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
  1784. else
  1785. ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
  1786. if (!ret) {
  1787. if (curr->valid)
  1788. TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
  1789. else
  1790. testresult = 1;
  1791. goto end;
  1792. }
  1793. if (!curr->valid)
  1794. goto end;
  1795. }
  1796. if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
  1797. SSL_ERROR_NONE),
  1798. curr->connsuccess))
  1799. goto end;
  1800. testresult = 1;
  1801. end:
  1802. SSL_free(serverssl);
  1803. SSL_free(clientssl);
  1804. SSL_CTX_free(sctx);
  1805. SSL_CTX_free(cctx);
  1806. return testresult;
  1807. }
  1808. #endif
  1809. #ifndef OPENSSL_NO_TLS1_3
  1810. static int psk_client_cb_cnt = 0;
  1811. static int psk_server_cb_cnt = 0;
  1812. static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
  1813. size_t *idlen, SSL_SESSION **sess)
  1814. {
  1815. switch (++use_session_cb_cnt) {
  1816. case 1:
  1817. /* The first call should always have a NULL md */
  1818. if (md != NULL)
  1819. return 0;
  1820. break;
  1821. case 2:
  1822. /* The second call should always have an md */
  1823. if (md == NULL)
  1824. return 0;
  1825. break;
  1826. default:
  1827. /* We should only be called a maximum of twice */
  1828. return 0;
  1829. }
  1830. if (clientpsk != NULL)
  1831. SSL_SESSION_up_ref(clientpsk);
  1832. *sess = clientpsk;
  1833. *id = (const unsigned char *)pskid;
  1834. *idlen = strlen(pskid);
  1835. return 1;
  1836. }
  1837. #ifndef OPENSSL_NO_PSK
  1838. static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
  1839. unsigned int max_id_len,
  1840. unsigned char *psk,
  1841. unsigned int max_psk_len)
  1842. {
  1843. unsigned int psklen = 0;
  1844. psk_client_cb_cnt++;
  1845. if (strlen(pskid) + 1 > max_id_len)
  1846. return 0;
  1847. /* We should only ever be called a maximum of twice per connection */
  1848. if (psk_client_cb_cnt > 2)
  1849. return 0;
  1850. if (clientpsk == NULL)
  1851. return 0;
  1852. /* We'll reuse the PSK we set up for TLSv1.3 */
  1853. if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
  1854. return 0;
  1855. psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
  1856. strncpy(id, pskid, max_id_len);
  1857. return psklen;
  1858. }
  1859. #endif /* OPENSSL_NO_PSK */
  1860. static int find_session_cb(SSL *ssl, const unsigned char *identity,
  1861. size_t identity_len, SSL_SESSION **sess)
  1862. {
  1863. find_session_cb_cnt++;
  1864. /* We should only ever be called a maximum of twice per connection */
  1865. if (find_session_cb_cnt > 2)
  1866. return 0;
  1867. if (serverpsk == NULL)
  1868. return 0;
  1869. /* Identity should match that set by the client */
  1870. if (strlen(srvid) != identity_len
  1871. || strncmp(srvid, (const char *)identity, identity_len) != 0) {
  1872. /* No PSK found, continue but without a PSK */
  1873. *sess = NULL;
  1874. return 1;
  1875. }
  1876. SSL_SESSION_up_ref(serverpsk);
  1877. *sess = serverpsk;
  1878. return 1;
  1879. }
  1880. #ifndef OPENSSL_NO_PSK
  1881. static unsigned int psk_server_cb(SSL *ssl, const char *identity,
  1882. unsigned char *psk, unsigned int max_psk_len)
  1883. {
  1884. unsigned int psklen = 0;
  1885. psk_server_cb_cnt++;
  1886. /* We should only ever be called a maximum of twice per connection */
  1887. if (find_session_cb_cnt > 2)
  1888. return 0;
  1889. if (serverpsk == NULL)
  1890. return 0;
  1891. /* Identity should match that set by the client */
  1892. if (strcmp(srvid, identity) != 0) {
  1893. return 0;
  1894. }
  1895. /* We'll reuse the PSK we set up for TLSv1.3 */
  1896. if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
  1897. return 0;
  1898. psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
  1899. return psklen;
  1900. }
  1901. #endif /* OPENSSL_NO_PSK */
  1902. #define MSG1 "Hello"
  1903. #define MSG2 "World."
  1904. #define MSG3 "This"
  1905. #define MSG4 "is"
  1906. #define MSG5 "a"
  1907. #define MSG6 "test"
  1908. #define MSG7 "message."
  1909. #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
  1910. #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
  1911. static SSL_SESSION *create_a_psk(SSL *ssl)
  1912. {
  1913. const SSL_CIPHER *cipher = NULL;
  1914. const unsigned char key[] = {
  1915. 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
  1916. 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
  1917. 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
  1918. 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
  1919. 0x2c, 0x2d, 0x2e, 0x2f
  1920. };
  1921. SSL_SESSION *sess = NULL;
  1922. cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
  1923. sess = SSL_SESSION_new();
  1924. if (!TEST_ptr(sess)
  1925. || !TEST_ptr(cipher)
  1926. || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
  1927. sizeof(key)))
  1928. || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
  1929. || !TEST_true(
  1930. SSL_SESSION_set_protocol_version(sess,
  1931. TLS1_3_VERSION))) {
  1932. SSL_SESSION_free(sess);
  1933. return NULL;
  1934. }
  1935. return sess;
  1936. }
  1937. /*
  1938. * Helper method to setup objects for early data test. Caller frees objects on
  1939. * error.
  1940. */
  1941. static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
  1942. SSL **serverssl, SSL_SESSION **sess, int idx)
  1943. {
  1944. if (*sctx == NULL
  1945. && !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
  1946. TLS_client_method(),
  1947. TLS1_VERSION, 0,
  1948. sctx, cctx, cert, privkey)))
  1949. return 0;
  1950. if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
  1951. return 0;
  1952. if (idx == 1) {
  1953. /* When idx == 1 we repeat the tests with read_ahead set */
  1954. SSL_CTX_set_read_ahead(*cctx, 1);
  1955. SSL_CTX_set_read_ahead(*sctx, 1);
  1956. } else if (idx == 2) {
  1957. /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
  1958. SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
  1959. SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
  1960. use_session_cb_cnt = 0;
  1961. find_session_cb_cnt = 0;
  1962. srvid = pskid;
  1963. }
  1964. if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
  1965. NULL, NULL)))
  1966. return 0;
  1967. /*
  1968. * For one of the run throughs (doesn't matter which one), we'll try sending
  1969. * some SNI data in the initial ClientHello. This will be ignored (because
  1970. * there is no SNI cb set up by the server), so it should not impact
  1971. * early_data.
  1972. */
  1973. if (idx == 1
  1974. && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
  1975. return 0;
  1976. if (idx == 2) {
  1977. clientpsk = create_a_psk(*clientssl);
  1978. if (!TEST_ptr(clientpsk)
  1979. /*
  1980. * We just choose an arbitrary value for max_early_data which
  1981. * should be big enough for testing purposes.
  1982. */
  1983. || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
  1984. 0x100))
  1985. || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
  1986. SSL_SESSION_free(clientpsk);
  1987. clientpsk = NULL;
  1988. return 0;
  1989. }
  1990. serverpsk = clientpsk;
  1991. if (sess != NULL) {
  1992. if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
  1993. SSL_SESSION_free(clientpsk);
  1994. SSL_SESSION_free(serverpsk);
  1995. clientpsk = serverpsk = NULL;
  1996. return 0;
  1997. }
  1998. *sess = clientpsk;
  1999. }
  2000. return 1;
  2001. }
  2002. if (sess == NULL)
  2003. return 1;
  2004. if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
  2005. SSL_ERROR_NONE)))
  2006. return 0;
  2007. *sess = SSL_get1_session(*clientssl);
  2008. SSL_shutdown(*clientssl);
  2009. SSL_shutdown(*serverssl);
  2010. SSL_free(*serverssl);
  2011. SSL_free(*clientssl);
  2012. *serverssl = *clientssl = NULL;
  2013. if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
  2014. clientssl, NULL, NULL))
  2015. || !TEST_true(SSL_set_session(*clientssl, *sess)))
  2016. return 0;
  2017. return 1;
  2018. }
  2019. static int test_early_data_read_write(int idx)
  2020. {
  2021. SSL_CTX *cctx = NULL, *sctx = NULL;
  2022. SSL *clientssl = NULL, *serverssl = NULL;
  2023. int testresult = 0;
  2024. SSL_SESSION *sess = NULL;
  2025. unsigned char buf[20], data[1024];
  2026. size_t readbytes, written, eoedlen, rawread, rawwritten;
  2027. BIO *rbio;
  2028. if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
  2029. &serverssl, &sess, idx)))
  2030. goto end;
  2031. /* Write and read some early data */
  2032. if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
  2033. &written))
  2034. || !TEST_size_t_eq(written, strlen(MSG1))
  2035. || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
  2036. sizeof(buf), &readbytes),
  2037. SSL_READ_EARLY_DATA_SUCCESS)
  2038. || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
  2039. || !TEST_int_eq(SSL_get_early_data_status(serverssl),
  2040. SSL_EARLY_DATA_ACCEPTED))
  2041. goto end;
  2042. /*
  2043. * Server should be able to write data, and client should be able to
  2044. * read it.
  2045. */
  2046. if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
  2047. &written))
  2048. || !TEST_size_t_eq(written, strlen(MSG2))
  2049. || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
  2050. || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
  2051. goto end;
  2052. /* Even after reading normal data, client should be able write early data */
  2053. if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
  2054. &written))
  2055. || !TEST_size_t_eq(written, strlen(MSG3)))
  2056. goto end;
  2057. /* Server should still be able read early data after writing data */
  2058. if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
  2059. &readbytes),
  2060. SSL_READ_EARLY_DATA_SUCCESS)
  2061. || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
  2062. goto end;
  2063. /* Write more data from server and read it from client */
  2064. if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
  2065. &written))
  2066. || !TEST_size_t_eq(written, strlen(MSG4))
  2067. || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
  2068. || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
  2069. goto end;
  2070. /*
  2071. * If client writes normal data it should mean writing early data is no
  2072. * longer possible.
  2073. */
  2074. if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
  2075. || !TEST_size_t_eq(written, strlen(MSG5))
  2076. || !TEST_int_eq(SSL_get_early_data_status(clientssl),
  2077. SSL_EARLY_DATA_ACCEPTED))
  2078. goto end;
  2079. /*
  2080. * At this point the client has written EndOfEarlyData, ClientFinished and
  2081. * normal (fully protected) data. We are going to cause a delay between the
  2082. * arrival of EndOfEarlyData and ClientFinished. We read out all the data
  2083. * in the read BIO, and then just put back the EndOfEarlyData message.
  2084. */
  2085. rbio = SSL_get_rbio(serverssl);
  2086. if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
  2087. || !TEST_size_t_lt(rawread, sizeof(data))
  2088. || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
  2089. goto end;
  2090. /* Record length is in the 4th and 5th bytes of the record header */
  2091. eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
  2092. if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
  2093. || !TEST_size_t_eq(rawwritten, eoedlen))
  2094. goto end;
  2095. /* Server should be told that there is no more early data */
  2096. if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
  2097. &readbytes),
  2098. SSL_READ_EARLY_DATA_FINISH)
  2099. || !TEST_size_t_eq(readbytes, 0))
  2100. goto end;
  2101. /*
  2102. * Server has not finished init yet, so should still be able to write early
  2103. * data.
  2104. */
  2105. if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
  2106. &written))
  2107. || !TEST_size_t_eq(written, strlen(MSG6)))
  2108. goto end;
  2109. /* Push the ClientFinished and the normal data back into the server rbio */
  2110. if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
  2111. &rawwritten))
  2112. || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
  2113. goto end;
  2114. /* Server should be able to read normal data */
  2115. if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
  2116. || !TEST_size_t_eq(readbytes, strlen(MSG5)))
  2117. goto end;
  2118. /* Client and server should not be able to write/read early data now */
  2119. if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
  2120. &written)))
  2121. goto end;
  2122. ERR_clear_error();
  2123. if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
  2124. &readbytes),
  2125. SSL_READ_EARLY_DATA_ERROR))
  2126. goto end;
  2127. ERR_clear_error();
  2128. /* Client should be able to read the data sent by the server */
  2129. if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
  2130. || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
  2131. goto end;
  2132. /*
  2133. * Make sure we process the two NewSessionTickets. These arrive
  2134. * post-handshake. We attempt reads which we do not expect to return any
  2135. * data.
  2136. */
  2137. if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
  2138. || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
  2139. &readbytes)))
  2140. goto end;
  2141. /* Server should be able to write normal data */
  2142. if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
  2143. || !TEST_size_t_eq(written, strlen(MSG7))
  2144. || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
  2145. || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
  2146. goto end;
  2147. SSL_SESSION_free(sess);
  2148. sess = SSL_get1_session(clientssl);
  2149. use_session_cb_cnt = 0;
  2150. find_session_cb_cnt = 0;
  2151. SSL_shutdown(clientssl);
  2152. SSL_shutdown(serverssl);
  2153. SSL_free(serverssl);
  2154. SSL_free(clientssl);
  2155. serverssl = clientssl = NULL;
  2156. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
  2157. &clientssl, NULL, NULL))
  2158. || !TEST_true(SSL_set_session(clientssl, sess)))
  2159. goto end;
  2160. /* Write and read some early data */
  2161. if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
  2162. &written))
  2163. || !TEST_size_t_eq(written, strlen(MSG1))
  2164. || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
  2165. &readbytes),
  2166. SSL_READ_EARLY_DATA_SUCCESS)
  2167. || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
  2168. goto end;
  2169. if (!TEST_int_gt(SSL_connect(clientssl), 0)
  2170. || !TEST_int_gt(SSL_accept(serverssl), 0))
  2171. goto end;
  2172. /* Client and server should not be able to write/read early data now */
  2173. if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
  2174. &written)))
  2175. goto end;
  2176. ERR_clear_error();
  2177. if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
  2178. &readbytes),
  2179. SSL_READ_EARLY_DATA_ERROR))
  2180. goto end;
  2181. ERR_clear_error();
  2182. /* Client and server should be able to write/read normal data */
  2183. if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
  2184. || !TEST_size_t_eq(written, strlen(MSG5))
  2185. || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
  2186. || !TEST_size_t_eq(readbytes, strlen(MSG5)))
  2187. goto end;
  2188. testresult = 1;
  2189. end:
  2190. SSL_SESSION_free(sess);
  2191. SSL_SESSION_free(clientpsk);
  2192. SSL_SESSION_free(serverpsk);
  2193. clientpsk = serverpsk = NULL;
  2194. SSL_free(serverssl);
  2195. SSL_free(clientssl);
  2196. SSL_CTX_free(sctx);
  2197. SSL_CTX_free(cctx);
  2198. return testresult;
  2199. }
  2200. static int allow_ed_cb_called = 0;
  2201. static int allow_early_data_cb(SSL *s, void *arg)
  2202. {
  2203. int *usecb = (int *)arg;
  2204. allow_ed_cb_called++;
  2205. if (*usecb == 1)
  2206. return 0;
  2207. return 1;
  2208. }
  2209. /*
  2210. * idx == 0: Standard early_data setup
  2211. * idx == 1: early_data setup using read_ahead
  2212. * usecb == 0: Don't use a custom early data callback
  2213. * usecb == 1: Use a custom early data callback and reject the early data
  2214. * usecb == 2: Use a custom early data callback and accept the early data
  2215. * confopt == 0: Configure anti-replay directly
  2216. * confopt == 1: Configure anti-replay using SSL_CONF
  2217. */
  2218. static int test_early_data_replay_int(int idx, int usecb, int confopt)
  2219. {
  2220. SSL_CTX *cctx = NULL, *sctx = NULL;
  2221. SSL *clientssl = NULL, *serverssl = NULL;
  2222. int testresult = 0;
  2223. SSL_SESSION *sess = NULL;
  2224. size_t readbytes, written;
  2225. unsigned char buf[20];
  2226. allow_ed_cb_called = 0;
  2227. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
  2228. TLS1_VERSION, 0, &sctx,
  2229. &cctx, cert, privkey)))
  2230. return 0;
  2231. if (usecb > 0) {
  2232. if (confopt == 0) {
  2233. SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
  2234. } else {
  2235. SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
  2236. if (!TEST_ptr(confctx))
  2237. goto end;
  2238. SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
  2239. | SSL_CONF_FLAG_SERVER);
  2240. SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
  2241. if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
  2242. 2)) {
  2243. SSL_CONF_CTX_free(confctx);
  2244. goto end;
  2245. }
  2246. SSL_CONF_CTX_free(confctx);
  2247. }
  2248. SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
  2249. }
  2250. if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
  2251. &serverssl, &sess, idx)))
  2252. goto end;
  2253. /*
  2254. * The server is configured to accept early data. Create a connection to
  2255. * "use up" the ticket
  2256. */
  2257. if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
  2258. || !TEST_true(SSL_session_reused(clientssl)))
  2259. goto end;
  2260. SSL_shutdown(clientssl);
  2261. SSL_shutdown(serverssl);
  2262. SSL_free(serverssl);
  2263. SSL_free(clientssl);
  2264. serverssl = clientssl = NULL;
  2265. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
  2266. &clientssl, NULL, NULL))
  2267. || !TEST_true(SSL_set_session(clientssl, sess)))
  2268. goto end;
  2269. /* Write and read some early data */
  2270. if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
  2271. &written))
  2272. || !TEST_size_t_eq(written, strlen(MSG1)))
  2273. goto end;
  2274. if (usecb <= 1) {
  2275. if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
  2276. &readbytes),
  2277. SSL_READ_EARLY_DATA_FINISH)
  2278. /*
  2279. * The ticket was reused, so the we should have rejected the
  2280. * early data
  2281. */
  2282. || !TEST_int_eq(SSL_get_early_data_status(serverssl),
  2283. SSL_EARLY_DATA_REJECTED))
  2284. goto end;
  2285. } else {
  2286. /* In this case the callback decides to accept the early data */
  2287. if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
  2288. &readbytes),
  2289. SSL_READ_EARLY_DATA_SUCCESS)
  2290. || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
  2291. /*
  2292. * Server will have sent its flight so client can now send
  2293. * end of early data and complete its half of the handshake
  2294. */
  2295. || !TEST_int_gt(SSL_connect(clientssl), 0)
  2296. || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
  2297. &readbytes),
  2298. SSL_READ_EARLY_DATA_FINISH)
  2299. || !TEST_int_eq(SSL_get_early_data_status(serverssl),
  2300. SSL_EARLY_DATA_ACCEPTED))
  2301. goto end;
  2302. }
  2303. /* Complete the connection */
  2304. if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
  2305. || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
  2306. || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
  2307. goto end;
  2308. testresult = 1;
  2309. end:
  2310. SSL_SESSION_free(sess);
  2311. SSL_SESSION_free(clientpsk);
  2312. SSL_SESSION_free(serverpsk);
  2313. clientpsk = serverpsk = NULL;
  2314. SSL_free(serverssl);
  2315. SSL_free(clientssl);
  2316. SSL_CTX_free(sctx);
  2317. SSL_CTX_free(cctx);
  2318. return testresult;
  2319. }
  2320. static int test_early_data_replay(int idx)
  2321. {
  2322. int ret = 1, usecb, confopt;
  2323. for (usecb = 0; usecb < 3; usecb++) {
  2324. for (confopt = 0; confopt < 2; confopt++)
  2325. ret &= test_early_data_replay_int(idx, usecb, confopt);
  2326. }
  2327. return ret;
  2328. }
  2329. /*
  2330. * Helper function to test that a server attempting to read early data can
  2331. * handle a connection from a client where the early data should be skipped.
  2332. * testtype: 0 == No HRR
  2333. * testtype: 1 == HRR
  2334. * testtype: 2 == HRR, invalid early_data sent after HRR
  2335. * testtype: 3 == recv_max_early_data set to 0
  2336. */
  2337. static int early_data_skip_helper(int testtype, int idx)
  2338. {
  2339. SSL_CTX *cctx = NULL, *sctx = NULL;
  2340. SSL *clientssl = NULL, *serverssl = NULL;
  2341. int testresult = 0;
  2342. SSL_SESSION *sess = NULL;
  2343. unsigned char buf[20];
  2344. size_t readbytes, written;
  2345. if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
  2346. &serverssl, &sess, idx)))
  2347. goto end;
  2348. if (testtype == 1 || testtype == 2) {
  2349. /* Force an HRR to occur */
  2350. if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
  2351. goto end;
  2352. } else if (idx == 2) {
  2353. /*
  2354. * We force early_data rejection by ensuring the PSK identity is
  2355. * unrecognised
  2356. */
  2357. srvid = "Dummy Identity";
  2358. } else {
  2359. /*
  2360. * Deliberately corrupt the creation time. We take 20 seconds off the
  2361. * time. It could be any value as long as it is not within tolerance.
  2362. * This should mean the ticket is rejected.
  2363. */
  2364. if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
  2365. goto end;
  2366. }
  2367. if (testtype == 3
  2368. && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
  2369. goto end;
  2370. /* Write some early data */
  2371. if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
  2372. &written))
  2373. || !TEST_size_t_eq(written, strlen(MSG1)))
  2374. goto end;
  2375. /* Server should reject the early data */
  2376. if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
  2377. &readbytes),
  2378. SSL_READ_EARLY_DATA_FINISH)
  2379. || !TEST_size_t_eq(readbytes, 0)
  2380. || !TEST_int_eq(SSL_get_early_data_status(serverssl),
  2381. SSL_EARLY_DATA_REJECTED))
  2382. goto end;
  2383. switch (testtype) {
  2384. case 0:
  2385. /* Nothing to do */
  2386. break;
  2387. case 1:
  2388. /*
  2389. * Finish off the handshake. We perform the same writes and reads as
  2390. * further down but we expect them to fail due to the incomplete
  2391. * handshake.
  2392. */
  2393. if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
  2394. || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
  2395. &readbytes)))
  2396. goto end;
  2397. break;
  2398. case 2:
  2399. {
  2400. BIO *wbio = SSL_get_wbio(clientssl);
  2401. /* A record that will appear as bad early_data */
  2402. const unsigned char bad_early_data[] = {
  2403. 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
  2404. };
  2405. /*
  2406. * We force the client to attempt a write. This will fail because
  2407. * we're still in the handshake. It will cause the second
  2408. * ClientHello to be sent.
  2409. */
  2410. if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
  2411. &written)))
  2412. goto end;
  2413. /*
  2414. * Inject some early_data after the second ClientHello. This should
  2415. * cause the server to fail
  2416. */
  2417. if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
  2418. sizeof(bad_early_data), &written)))
  2419. goto end;
  2420. }
  2421. /* fallthrough */
  2422. case 3:
  2423. /*
  2424. * This client has sent more early_data than we are willing to skip
  2425. * (case 3) or sent invalid early_data (case 2) so the connection should
  2426. * abort.
  2427. */
  2428. if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
  2429. || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
  2430. goto end;
  2431. /* Connection has failed - nothing more to do */
  2432. testresult = 1;
  2433. goto end;
  2434. default:
  2435. TEST_error("Invalid test type");
  2436. goto end;
  2437. }
  2438. /*
  2439. * Should be able to send normal data despite rejection of early data. The
  2440. * early_data should be skipped.
  2441. */
  2442. if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
  2443. || !TEST_size_t_eq(written, strlen(MSG2))
  2444. || !TEST_int_eq(SSL_get_early_data_status(clientssl),
  2445. SSL_EARLY_DATA_REJECTED)
  2446. || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
  2447. || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
  2448. goto end;
  2449. testresult = 1;
  2450. end:
  2451. SSL_SESSION_free(clientpsk);
  2452. SSL_SESSION_free(serverpsk);
  2453. clientpsk = serverpsk = NULL;
  2454. SSL_SESSION_free(sess);
  2455. SSL_free(serverssl);
  2456. SSL_free(clientssl);
  2457. SSL_CTX_free(sctx);
  2458. SSL_CTX_free(cctx);
  2459. return testresult;
  2460. }
  2461. /*
  2462. * Test that a server attempting to read early data can handle a connection
  2463. * from a client where the early data is not acceptable.
  2464. */
  2465. static int test_early_data_skip(int idx)
  2466. {
  2467. return early_data_skip_helper(0, idx);
  2468. }
  2469. /*
  2470. * Test that a server attempting to read early data can handle a connection
  2471. * from a client where an HRR occurs.
  2472. */
  2473. static int test_early_data_skip_hrr(int idx)
  2474. {
  2475. return early_data_skip_helper(1, idx);
  2476. }
  2477. /*
  2478. * Test that a server attempting to read early data can handle a connection
  2479. * from a client where an HRR occurs and correctly fails if early_data is sent
  2480. * after the HRR
  2481. */
  2482. static int test_early_data_skip_hrr_fail(int idx)
  2483. {
  2484. return early_data_skip_helper(2, idx);
  2485. }
  2486. /*
  2487. * Test that a server attempting to read early data will abort if it tries to
  2488. * skip over too much.
  2489. */
  2490. static int test_early_data_skip_abort(int idx)
  2491. {
  2492. return early_data_skip_helper(3, idx);
  2493. }
  2494. /*
  2495. * Test that a server attempting to read early data can handle a connection
  2496. * from a client that doesn't send any.
  2497. */
  2498. static int test_early_data_not_sent(int idx)
  2499. {
  2500. SSL_CTX *cctx = NULL, *sctx = NULL;
  2501. SSL *clientssl = NULL, *serverssl = NULL;
  2502. int testresult = 0;
  2503. SSL_SESSION *sess = NULL;
  2504. unsigned char buf[20];
  2505. size_t readbytes, written;
  2506. if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
  2507. &serverssl, &sess, idx)))
  2508. goto end;
  2509. /* Write some data - should block due to handshake with server */
  2510. SSL_set_connect_state(clientssl);
  2511. if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
  2512. goto end;
  2513. /* Server should detect that early data has not been sent */
  2514. if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
  2515. &readbytes),
  2516. SSL_READ_EARLY_DATA_FINISH)
  2517. || !TEST_size_t_eq(readbytes, 0)
  2518. || !TEST_int_eq(SSL_get_early_data_status(serverssl),
  2519. SSL_EARLY_DATA_NOT_SENT)
  2520. || !TEST_int_eq(SSL_get_early_data_status(clientssl),
  2521. SSL_EARLY_DATA_NOT_SENT))
  2522. goto end;
  2523. /* Continue writing the message we started earlier */
  2524. if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
  2525. || !TEST_size_t_eq(written, strlen(MSG1))
  2526. || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
  2527. || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
  2528. || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
  2529. || !TEST_size_t_eq(written, strlen(MSG2)))
  2530. goto end;
  2531. if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
  2532. || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
  2533. goto end;
  2534. testresult = 1;
  2535. end:
  2536. SSL_SESSION_free(sess);
  2537. SSL_SESSION_free(clientpsk);
  2538. SSL_SESSION_free(serverpsk);
  2539. clientpsk = serverpsk = NULL;
  2540. SSL_free(serverssl);
  2541. SSL_free(clientssl);
  2542. SSL_CTX_free(sctx);
  2543. SSL_CTX_free(cctx);
  2544. return testresult;
  2545. }
  2546. static int hostname_cb(SSL *s, int *al, void *arg)
  2547. {
  2548. const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
  2549. if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
  2550. return SSL_TLSEXT_ERR_OK;
  2551. return SSL_TLSEXT_ERR_NOACK;
  2552. }
  2553. static const char *servalpn;
  2554. static int alpn_select_cb(SSL *ssl, const unsigned char **out,
  2555. unsigned char *outlen, const unsigned char *in,
  2556. unsigned int inlen, void *arg)
  2557. {
  2558. unsigned int protlen = 0;
  2559. const unsigned char *prot;
  2560. for (prot = in; prot < in + inlen; prot += protlen) {
  2561. protlen = *prot++;
  2562. if (in + inlen < prot + protlen)
  2563. return SSL_TLSEXT_ERR_NOACK;
  2564. if (protlen == strlen(servalpn)
  2565. && memcmp(prot, servalpn, protlen) == 0) {
  2566. *out = prot;
  2567. *outlen = protlen;
  2568. return SSL_TLSEXT_ERR_OK;
  2569. }
  2570. }
  2571. return SSL_TLSEXT_ERR_NOACK;
  2572. }
  2573. /* Test that a PSK can be used to send early_data */
  2574. static int test_early_data_psk(int idx)
  2575. {
  2576. SSL_CTX *cctx = NULL, *sctx = NULL;
  2577. SSL *clientssl = NULL, *serverssl = NULL;
  2578. int testresult = 0;
  2579. SSL_SESSION *sess = NULL;
  2580. unsigned char alpnlist[] = {
  2581. 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
  2582. 'l', 'p', 'n'
  2583. };
  2584. #define GOODALPNLEN 9
  2585. #define BADALPNLEN 8
  2586. #define GOODALPN (alpnlist)
  2587. #define BADALPN (alpnlist + GOODALPNLEN)
  2588. int err = 0;
  2589. unsigned char buf[20];
  2590. size_t readbytes, written;
  2591. int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
  2592. int edstatus = SSL_EARLY_DATA_ACCEPTED;
  2593. /* We always set this up with a final parameter of "2" for PSK */
  2594. if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
  2595. &serverssl, &sess, 2)))
  2596. goto end;
  2597. servalpn = "goodalpn";
  2598. /*
  2599. * Note: There is no test for inconsistent SNI with late client detection.
  2600. * This is because servers do not acknowledge SNI even if they are using
  2601. * it in a resumption handshake - so it is not actually possible for a
  2602. * client to detect a problem.
  2603. */
  2604. switch (idx) {
  2605. case 0:
  2606. /* Set inconsistent SNI (early client detection) */
  2607. err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
  2608. if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
  2609. || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
  2610. goto end;
  2611. break;
  2612. case 1:
  2613. /* Set inconsistent ALPN (early client detection) */
  2614. err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
  2615. /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
  2616. if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
  2617. GOODALPNLEN))
  2618. || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
  2619. BADALPNLEN)))
  2620. goto end;
  2621. break;
  2622. case 2:
  2623. /*
  2624. * Set invalid protocol version. Technically this affects PSKs without
  2625. * early_data too, but we test it here because it is similar to the
  2626. * SNI/ALPN consistency tests.
  2627. */
  2628. err = SSL_R_BAD_PSK;
  2629. if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
  2630. goto end;
  2631. break;
  2632. case 3:
  2633. /*
  2634. * Set inconsistent SNI (server detected). In this case the connection
  2635. * will succeed but reject early_data.
  2636. */
  2637. SSL_SESSION_free(serverpsk);
  2638. serverpsk = SSL_SESSION_dup(clientpsk);
  2639. if (!TEST_ptr(serverpsk)
  2640. || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
  2641. goto end;
  2642. edstatus = SSL_EARLY_DATA_REJECTED;
  2643. readearlyres = SSL_READ_EARLY_DATA_FINISH;
  2644. /* Fall through */
  2645. case 4:
  2646. /* Set consistent SNI */
  2647. if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
  2648. || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
  2649. || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
  2650. hostname_cb)))
  2651. goto end;
  2652. break;
  2653. case 5:
  2654. /*
  2655. * Set inconsistent ALPN (server detected). In this case the connection
  2656. * will succeed but reject early_data.
  2657. */
  2658. servalpn = "badalpn";
  2659. edstatus = SSL_EARLY_DATA_REJECTED;
  2660. readearlyres = SSL_READ_EARLY_DATA_FINISH;
  2661. /* Fall through */
  2662. case 6:
  2663. /*
  2664. * Set consistent ALPN.
  2665. * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
  2666. * accepts a list of protos (each one length prefixed).
  2667. * SSL_set1_alpn_selected accepts a single protocol (not length
  2668. * prefixed)
  2669. */
  2670. if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
  2671. GOODALPNLEN - 1))
  2672. || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
  2673. GOODALPNLEN)))
  2674. goto end;
  2675. SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
  2676. break;
  2677. case 7:
  2678. /* Set inconsistent ALPN (late client detection) */
  2679. SSL_SESSION_free(serverpsk);
  2680. serverpsk = SSL_SESSION_dup(clientpsk);
  2681. if (!TEST_ptr(serverpsk)
  2682. || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
  2683. BADALPN + 1,
  2684. BADALPNLEN - 1))
  2685. || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
  2686. GOODALPN + 1,
  2687. GOODALPNLEN - 1))
  2688. || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
  2689. sizeof(alpnlist))))
  2690. goto end;
  2691. SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
  2692. edstatus = SSL_EARLY_DATA_ACCEPTED;
  2693. readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
  2694. /* SSL_connect() call should fail */
  2695. connectres = -1;
  2696. break;
  2697. default:
  2698. TEST_error("Bad test index");
  2699. goto end;
  2700. }
  2701. SSL_set_connect_state(clientssl);
  2702. if (err != 0) {
  2703. if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
  2704. &written))
  2705. || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
  2706. || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
  2707. goto end;
  2708. } else {
  2709. if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
  2710. &written)))
  2711. goto end;
  2712. if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
  2713. &readbytes), readearlyres)
  2714. || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
  2715. && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
  2716. || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
  2717. || !TEST_int_eq(SSL_connect(clientssl), connectres))
  2718. goto end;
  2719. }
  2720. testresult = 1;
  2721. end:
  2722. SSL_SESSION_free(sess);
  2723. SSL_SESSION_free(clientpsk);
  2724. SSL_SESSION_free(serverpsk);
  2725. clientpsk = serverpsk = NULL;
  2726. SSL_free(serverssl);
  2727. SSL_free(clientssl);
  2728. SSL_CTX_free(sctx);
  2729. SSL_CTX_free(cctx);
  2730. return testresult;
  2731. }
  2732. /*
  2733. * Test that a server that doesn't try to read early data can handle a
  2734. * client sending some.
  2735. */
  2736. static int test_early_data_not_expected(int idx)
  2737. {
  2738. SSL_CTX *cctx = NULL, *sctx = NULL;
  2739. SSL *clientssl = NULL, *serverssl = NULL;
  2740. int testresult = 0;
  2741. SSL_SESSION *sess = NULL;
  2742. unsigned char buf[20];
  2743. size_t readbytes, written;
  2744. if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
  2745. &serverssl, &sess, idx)))
  2746. goto end;
  2747. /* Write some early data */
  2748. if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
  2749. &written)))
  2750. goto end;
  2751. /*
  2752. * Server should skip over early data and then block waiting for client to
  2753. * continue handshake
  2754. */
  2755. if (!TEST_int_le(SSL_accept(serverssl), 0)
  2756. || !TEST_int_gt(SSL_connect(clientssl), 0)
  2757. || !TEST_int_eq(SSL_get_early_data_status(serverssl),
  2758. SSL_EARLY_DATA_REJECTED)
  2759. || !TEST_int_gt(SSL_accept(serverssl), 0)
  2760. || !TEST_int_eq(SSL_get_early_data_status(clientssl),
  2761. SSL_EARLY_DATA_REJECTED))
  2762. goto end;
  2763. /* Send some normal data from client to server */
  2764. if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
  2765. || !TEST_size_t_eq(written, strlen(MSG2)))
  2766. goto end;
  2767. if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
  2768. || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
  2769. goto end;
  2770. testresult = 1;
  2771. end:
  2772. SSL_SESSION_free(sess);
  2773. SSL_SESSION_free(clientpsk);
  2774. SSL_SESSION_free(serverpsk);
  2775. clientpsk = serverpsk = NULL;
  2776. SSL_free(serverssl);
  2777. SSL_free(clientssl);
  2778. SSL_CTX_free(sctx);
  2779. SSL_CTX_free(cctx);
  2780. return testresult;
  2781. }
  2782. # ifndef OPENSSL_NO_TLS1_2
  2783. /*
  2784. * Test that a server attempting to read early data can handle a connection
  2785. * from a TLSv1.2 client.
  2786. */
  2787. static int test_early_data_tls1_2(int idx)
  2788. {
  2789. SSL_CTX *cctx = NULL, *sctx = NULL;
  2790. SSL *clientssl = NULL, *serverssl = NULL;
  2791. int testresult = 0;
  2792. unsigned char buf[20];
  2793. size_t readbytes, written;
  2794. if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
  2795. &serverssl, NULL, idx)))
  2796. goto end;
  2797. /* Write some data - should block due to handshake with server */
  2798. SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
  2799. SSL_set_connect_state(clientssl);
  2800. if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
  2801. goto end;
  2802. /*
  2803. * Server should do TLSv1.2 handshake. First it will block waiting for more
  2804. * messages from client after ServerDone. Then SSL_read_early_data should
  2805. * finish and detect that early data has not been sent
  2806. */
  2807. if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
  2808. &readbytes),
  2809. SSL_READ_EARLY_DATA_ERROR))
  2810. goto end;
  2811. /*
  2812. * Continue writing the message we started earlier. Will still block waiting
  2813. * for the CCS/Finished from server
  2814. */
  2815. if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
  2816. || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
  2817. &readbytes),
  2818. SSL_READ_EARLY_DATA_FINISH)
  2819. || !TEST_size_t_eq(readbytes, 0)
  2820. || !TEST_int_eq(SSL_get_early_data_status(serverssl),
  2821. SSL_EARLY_DATA_NOT_SENT))
  2822. goto end;
  2823. /* Continue writing the message we started earlier */
  2824. if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
  2825. || !TEST_size_t_eq(written, strlen(MSG1))
  2826. || !TEST_int_eq(SSL_get_early_data_status(clientssl),
  2827. SSL_EARLY_DATA_NOT_SENT)
  2828. || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
  2829. || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
  2830. || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
  2831. || !TEST_size_t_eq(written, strlen(MSG2))
  2832. || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
  2833. || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
  2834. goto end;
  2835. testresult = 1;
  2836. end:
  2837. SSL_SESSION_free(clientpsk);
  2838. SSL_SESSION_free(serverpsk);
  2839. clientpsk = serverpsk = NULL;
  2840. SSL_free(serverssl);
  2841. SSL_free(clientssl);
  2842. SSL_CTX_free(sctx);
  2843. SSL_CTX_free(cctx);
  2844. return testresult;
  2845. }
  2846. # endif /* OPENSSL_NO_TLS1_2 */
  2847. /*
  2848. * Test configuring the TLSv1.3 ciphersuites
  2849. *
  2850. * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
  2851. * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
  2852. * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
  2853. * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
  2854. * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
  2855. * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
  2856. * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
  2857. * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
  2858. * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
  2859. * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
  2860. */
  2861. static int test_set_ciphersuite(int idx)
  2862. {
  2863. SSL_CTX *cctx = NULL, *sctx = NULL;
  2864. SSL *clientssl = NULL, *serverssl = NULL;
  2865. int testresult = 0;
  2866. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
  2867. TLS1_VERSION, 0,
  2868. &sctx, &cctx, cert, privkey))
  2869. || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
  2870. "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
  2871. goto end;
  2872. if (idx >=4 && idx <= 7) {
  2873. /* SSL_CTX explicit cipher list */
  2874. if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
  2875. goto end;
  2876. }
  2877. if (idx == 0 || idx == 4) {
  2878. /* Default ciphersuite */
  2879. if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
  2880. "TLS_AES_128_GCM_SHA256")))
  2881. goto end;
  2882. } else if (idx == 1 || idx == 5) {
  2883. /* Non default ciphersuite */
  2884. if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
  2885. "TLS_AES_128_CCM_SHA256")))
  2886. goto end;
  2887. }
  2888. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
  2889. &clientssl, NULL, NULL)))
  2890. goto end;
  2891. if (idx == 8 || idx == 9) {
  2892. /* SSL explicit cipher list */
  2893. if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
  2894. goto end;
  2895. }
  2896. if (idx == 2 || idx == 6 || idx == 8) {
  2897. /* Default ciphersuite */
  2898. if (!TEST_true(SSL_set_ciphersuites(clientssl,
  2899. "TLS_AES_128_GCM_SHA256")))
  2900. goto end;
  2901. } else if (idx == 3 || idx == 7 || idx == 9) {
  2902. /* Non default ciphersuite */
  2903. if (!TEST_true(SSL_set_ciphersuites(clientssl,
  2904. "TLS_AES_128_CCM_SHA256")))
  2905. goto end;
  2906. }
  2907. if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
  2908. goto end;
  2909. testresult = 1;
  2910. end:
  2911. SSL_free(serverssl);
  2912. SSL_free(clientssl);
  2913. SSL_CTX_free(sctx);
  2914. SSL_CTX_free(cctx);
  2915. return testresult;
  2916. }
  2917. static int test_ciphersuite_change(void)
  2918. {
  2919. SSL_CTX *cctx = NULL, *sctx = NULL;
  2920. SSL *clientssl = NULL, *serverssl = NULL;
  2921. SSL_SESSION *clntsess = NULL;
  2922. int testresult = 0;
  2923. const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
  2924. /* Create a session based on SHA-256 */
  2925. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
  2926. TLS1_VERSION, 0,
  2927. &sctx, &cctx, cert, privkey))
  2928. || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
  2929. "TLS_AES_128_GCM_SHA256"))
  2930. || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
  2931. &clientssl, NULL, NULL))
  2932. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  2933. SSL_ERROR_NONE)))
  2934. goto end;
  2935. clntsess = SSL_get1_session(clientssl);
  2936. /* Save for later */
  2937. aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
  2938. SSL_shutdown(clientssl);
  2939. SSL_shutdown(serverssl);
  2940. SSL_free(serverssl);
  2941. SSL_free(clientssl);
  2942. serverssl = clientssl = NULL;
  2943. # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
  2944. /* Check we can resume a session with a different SHA-256 ciphersuite */
  2945. if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
  2946. "TLS_CHACHA20_POLY1305_SHA256"))
  2947. || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  2948. NULL, NULL))
  2949. || !TEST_true(SSL_set_session(clientssl, clntsess))
  2950. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  2951. SSL_ERROR_NONE))
  2952. || !TEST_true(SSL_session_reused(clientssl)))
  2953. goto end;
  2954. SSL_SESSION_free(clntsess);
  2955. clntsess = SSL_get1_session(clientssl);
  2956. SSL_shutdown(clientssl);
  2957. SSL_shutdown(serverssl);
  2958. SSL_free(serverssl);
  2959. SSL_free(clientssl);
  2960. serverssl = clientssl = NULL;
  2961. # endif
  2962. /*
  2963. * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
  2964. * succeeds but does not resume.
  2965. */
  2966. if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
  2967. || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  2968. NULL, NULL))
  2969. || !TEST_true(SSL_set_session(clientssl, clntsess))
  2970. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  2971. SSL_ERROR_SSL))
  2972. || !TEST_false(SSL_session_reused(clientssl)))
  2973. goto end;
  2974. SSL_SESSION_free(clntsess);
  2975. clntsess = NULL;
  2976. SSL_shutdown(clientssl);
  2977. SSL_shutdown(serverssl);
  2978. SSL_free(serverssl);
  2979. SSL_free(clientssl);
  2980. serverssl = clientssl = NULL;
  2981. /* Create a session based on SHA384 */
  2982. if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
  2983. || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
  2984. &clientssl, NULL, NULL))
  2985. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  2986. SSL_ERROR_NONE)))
  2987. goto end;
  2988. clntsess = SSL_get1_session(clientssl);
  2989. SSL_shutdown(clientssl);
  2990. SSL_shutdown(serverssl);
  2991. SSL_free(serverssl);
  2992. SSL_free(clientssl);
  2993. serverssl = clientssl = NULL;
  2994. if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
  2995. "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
  2996. || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
  2997. "TLS_AES_256_GCM_SHA384"))
  2998. || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  2999. NULL, NULL))
  3000. || !TEST_true(SSL_set_session(clientssl, clntsess))
  3001. /*
  3002. * We use SSL_ERROR_WANT_READ below so that we can pause the
  3003. * connection after the initial ClientHello has been sent to
  3004. * enable us to make some session changes.
  3005. */
  3006. || !TEST_false(create_ssl_connection(serverssl, clientssl,
  3007. SSL_ERROR_WANT_READ)))
  3008. goto end;
  3009. /* Trick the client into thinking this session is for a different digest */
  3010. clntsess->cipher = aes_128_gcm_sha256;
  3011. clntsess->cipher_id = clntsess->cipher->id;
  3012. /*
  3013. * Continue the previously started connection. Server has selected a SHA-384
  3014. * ciphersuite, but client thinks the session is for SHA-256, so it should
  3015. * bail out.
  3016. */
  3017. if (!TEST_false(create_ssl_connection(serverssl, clientssl,
  3018. SSL_ERROR_SSL))
  3019. || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
  3020. SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
  3021. goto end;
  3022. testresult = 1;
  3023. end:
  3024. SSL_SESSION_free(clntsess);
  3025. SSL_free(serverssl);
  3026. SSL_free(clientssl);
  3027. SSL_CTX_free(sctx);
  3028. SSL_CTX_free(cctx);
  3029. return testresult;
  3030. }
  3031. /*
  3032. * Test TLSv1.3 PSKs
  3033. * Test 0 = Test new style callbacks
  3034. * Test 1 = Test both new and old style callbacks
  3035. * Test 2 = Test old style callbacks
  3036. * Test 3 = Test old style callbacks with no certificate
  3037. */
  3038. static int test_tls13_psk(int idx)
  3039. {
  3040. SSL_CTX *sctx = NULL, *cctx = NULL;
  3041. SSL *serverssl = NULL, *clientssl = NULL;
  3042. const SSL_CIPHER *cipher = NULL;
  3043. const unsigned char key[] = {
  3044. 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
  3045. 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
  3046. 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
  3047. 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
  3048. };
  3049. int testresult = 0;
  3050. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
  3051. TLS1_VERSION, 0,
  3052. &sctx, &cctx, idx == 3 ? NULL : cert,
  3053. idx == 3 ? NULL : privkey)))
  3054. goto end;
  3055. if (idx != 3) {
  3056. /*
  3057. * We use a ciphersuite with SHA256 to ease testing old style PSK
  3058. * callbacks which will always default to SHA256. This should not be
  3059. * necessary if we have no cert/priv key. In that case the server should
  3060. * prefer SHA256 automatically.
  3061. */
  3062. if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
  3063. "TLS_AES_128_GCM_SHA256")))
  3064. goto end;
  3065. }
  3066. /*
  3067. * Test 0: New style callbacks only
  3068. * Test 1: New and old style callbacks (only the new ones should be used)
  3069. * Test 2: Old style callbacks only
  3070. */
  3071. if (idx == 0 || idx == 1) {
  3072. SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
  3073. SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
  3074. }
  3075. #ifndef OPENSSL_NO_PSK
  3076. if (idx >= 1) {
  3077. SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
  3078. SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
  3079. }
  3080. #endif
  3081. srvid = pskid;
  3082. use_session_cb_cnt = 0;
  3083. find_session_cb_cnt = 0;
  3084. psk_client_cb_cnt = 0;
  3085. psk_server_cb_cnt = 0;
  3086. if (idx != 3) {
  3087. /*
  3088. * Check we can create a connection if callback decides not to send a
  3089. * PSK
  3090. */
  3091. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  3092. NULL, NULL))
  3093. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  3094. SSL_ERROR_NONE))
  3095. || !TEST_false(SSL_session_reused(clientssl))
  3096. || !TEST_false(SSL_session_reused(serverssl)))
  3097. goto end;
  3098. if (idx == 0 || idx == 1) {
  3099. if (!TEST_true(use_session_cb_cnt == 1)
  3100. || !TEST_true(find_session_cb_cnt == 0)
  3101. /*
  3102. * If no old style callback then below should be 0
  3103. * otherwise 1
  3104. */
  3105. || !TEST_true(psk_client_cb_cnt == idx)
  3106. || !TEST_true(psk_server_cb_cnt == 0))
  3107. goto end;
  3108. } else {
  3109. if (!TEST_true(use_session_cb_cnt == 0)
  3110. || !TEST_true(find_session_cb_cnt == 0)
  3111. || !TEST_true(psk_client_cb_cnt == 1)
  3112. || !TEST_true(psk_server_cb_cnt == 0))
  3113. goto end;
  3114. }
  3115. shutdown_ssl_connection(serverssl, clientssl);
  3116. serverssl = clientssl = NULL;
  3117. use_session_cb_cnt = psk_client_cb_cnt = 0;
  3118. }
  3119. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  3120. NULL, NULL)))
  3121. goto end;
  3122. /* Create the PSK */
  3123. cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
  3124. clientpsk = SSL_SESSION_new();
  3125. if (!TEST_ptr(clientpsk)
  3126. || !TEST_ptr(cipher)
  3127. || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
  3128. sizeof(key)))
  3129. || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
  3130. || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
  3131. TLS1_3_VERSION))
  3132. || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
  3133. goto end;
  3134. serverpsk = clientpsk;
  3135. /* Check we can create a connection and the PSK is used */
  3136. if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
  3137. || !TEST_true(SSL_session_reused(clientssl))
  3138. || !TEST_true(SSL_session_reused(serverssl)))
  3139. goto end;
  3140. if (idx == 0 || idx == 1) {
  3141. if (!TEST_true(use_session_cb_cnt == 1)
  3142. || !TEST_true(find_session_cb_cnt == 1)
  3143. || !TEST_true(psk_client_cb_cnt == 0)
  3144. || !TEST_true(psk_server_cb_cnt == 0))
  3145. goto end;
  3146. } else {
  3147. if (!TEST_true(use_session_cb_cnt == 0)
  3148. || !TEST_true(find_session_cb_cnt == 0)
  3149. || !TEST_true(psk_client_cb_cnt == 1)
  3150. || !TEST_true(psk_server_cb_cnt == 1))
  3151. goto end;
  3152. }
  3153. shutdown_ssl_connection(serverssl, clientssl);
  3154. serverssl = clientssl = NULL;
  3155. use_session_cb_cnt = find_session_cb_cnt = 0;
  3156. psk_client_cb_cnt = psk_server_cb_cnt = 0;
  3157. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  3158. NULL, NULL)))
  3159. goto end;
  3160. /* Force an HRR */
  3161. if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
  3162. goto end;
  3163. /*
  3164. * Check we can create a connection, the PSK is used and the callbacks are
  3165. * called twice.
  3166. */
  3167. if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
  3168. || !TEST_true(SSL_session_reused(clientssl))
  3169. || !TEST_true(SSL_session_reused(serverssl)))
  3170. goto end;
  3171. if (idx == 0 || idx == 1) {
  3172. if (!TEST_true(use_session_cb_cnt == 2)
  3173. || !TEST_true(find_session_cb_cnt == 2)
  3174. || !TEST_true(psk_client_cb_cnt == 0)
  3175. || !TEST_true(psk_server_cb_cnt == 0))
  3176. goto end;
  3177. } else {
  3178. if (!TEST_true(use_session_cb_cnt == 0)
  3179. || !TEST_true(find_session_cb_cnt == 0)
  3180. || !TEST_true(psk_client_cb_cnt == 2)
  3181. || !TEST_true(psk_server_cb_cnt == 2))
  3182. goto end;
  3183. }
  3184. shutdown_ssl_connection(serverssl, clientssl);
  3185. serverssl = clientssl = NULL;
  3186. use_session_cb_cnt = find_session_cb_cnt = 0;
  3187. psk_client_cb_cnt = psk_server_cb_cnt = 0;
  3188. if (idx != 3) {
  3189. /*
  3190. * Check that if the server rejects the PSK we can still connect, but with
  3191. * a full handshake
  3192. */
  3193. srvid = "Dummy Identity";
  3194. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  3195. NULL, NULL))
  3196. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  3197. SSL_ERROR_NONE))
  3198. || !TEST_false(SSL_session_reused(clientssl))
  3199. || !TEST_false(SSL_session_reused(serverssl)))
  3200. goto end;
  3201. if (idx == 0 || idx == 1) {
  3202. if (!TEST_true(use_session_cb_cnt == 1)
  3203. || !TEST_true(find_session_cb_cnt == 1)
  3204. || !TEST_true(psk_client_cb_cnt == 0)
  3205. /*
  3206. * If no old style callback then below should be 0
  3207. * otherwise 1
  3208. */
  3209. || !TEST_true(psk_server_cb_cnt == idx))
  3210. goto end;
  3211. } else {
  3212. if (!TEST_true(use_session_cb_cnt == 0)
  3213. || !TEST_true(find_session_cb_cnt == 0)
  3214. || !TEST_true(psk_client_cb_cnt == 1)
  3215. || !TEST_true(psk_server_cb_cnt == 1))
  3216. goto end;
  3217. }
  3218. shutdown_ssl_connection(serverssl, clientssl);
  3219. serverssl = clientssl = NULL;
  3220. }
  3221. testresult = 1;
  3222. end:
  3223. SSL_SESSION_free(clientpsk);
  3224. SSL_SESSION_free(serverpsk);
  3225. clientpsk = serverpsk = NULL;
  3226. SSL_free(serverssl);
  3227. SSL_free(clientssl);
  3228. SSL_CTX_free(sctx);
  3229. SSL_CTX_free(cctx);
  3230. return testresult;
  3231. }
  3232. static unsigned char cookie_magic_value[] = "cookie magic";
  3233. static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
  3234. unsigned int *cookie_len)
  3235. {
  3236. /*
  3237. * Not suitable as a real cookie generation function but good enough for
  3238. * testing!
  3239. */
  3240. memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
  3241. *cookie_len = sizeof(cookie_magic_value) - 1;
  3242. return 1;
  3243. }
  3244. static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
  3245. unsigned int cookie_len)
  3246. {
  3247. if (cookie_len == sizeof(cookie_magic_value) - 1
  3248. && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
  3249. return 1;
  3250. return 0;
  3251. }
  3252. static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
  3253. size_t *cookie_len)
  3254. {
  3255. unsigned int temp;
  3256. int res = generate_cookie_callback(ssl, cookie, &temp);
  3257. *cookie_len = temp;
  3258. return res;
  3259. }
  3260. static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
  3261. size_t cookie_len)
  3262. {
  3263. return verify_cookie_callback(ssl, cookie, cookie_len);
  3264. }
  3265. static int test_stateless(void)
  3266. {
  3267. SSL_CTX *sctx = NULL, *cctx = NULL;
  3268. SSL *serverssl = NULL, *clientssl = NULL;
  3269. int testresult = 0;
  3270. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
  3271. TLS1_VERSION, 0,
  3272. &sctx, &cctx, cert, privkey)))
  3273. goto end;
  3274. /* The arrival of CCS messages can confuse the test */
  3275. SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
  3276. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  3277. NULL, NULL))
  3278. /* Send the first ClientHello */
  3279. || !TEST_false(create_ssl_connection(serverssl, clientssl,
  3280. SSL_ERROR_WANT_READ))
  3281. /*
  3282. * This should fail with a -1 return because we have no callbacks
  3283. * set up
  3284. */
  3285. || !TEST_int_eq(SSL_stateless(serverssl), -1))
  3286. goto end;
  3287. /* Fatal error so abandon the connection from this client */
  3288. SSL_free(clientssl);
  3289. clientssl = NULL;
  3290. /* Set up the cookie generation and verification callbacks */
  3291. SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
  3292. SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
  3293. /*
  3294. * Create a new connection from the client (we can reuse the server SSL
  3295. * object).
  3296. */
  3297. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  3298. NULL, NULL))
  3299. /* Send the first ClientHello */
  3300. || !TEST_false(create_ssl_connection(serverssl, clientssl,
  3301. SSL_ERROR_WANT_READ))
  3302. /* This should fail because there is no cookie */
  3303. || !TEST_int_eq(SSL_stateless(serverssl), 0))
  3304. goto end;
  3305. /* Abandon the connection from this client */
  3306. SSL_free(clientssl);
  3307. clientssl = NULL;
  3308. /*
  3309. * Now create a connection from a new client but with the same server SSL
  3310. * object
  3311. */
  3312. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  3313. NULL, NULL))
  3314. /* Send the first ClientHello */
  3315. || !TEST_false(create_ssl_connection(serverssl, clientssl,
  3316. SSL_ERROR_WANT_READ))
  3317. /* This should fail because there is no cookie */
  3318. || !TEST_int_eq(SSL_stateless(serverssl), 0)
  3319. /* Send the second ClientHello */
  3320. || !TEST_false(create_ssl_connection(serverssl, clientssl,
  3321. SSL_ERROR_WANT_READ))
  3322. /* This should succeed because a cookie is now present */
  3323. || !TEST_int_eq(SSL_stateless(serverssl), 1)
  3324. /* Complete the connection */
  3325. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  3326. SSL_ERROR_NONE)))
  3327. goto end;
  3328. shutdown_ssl_connection(serverssl, clientssl);
  3329. serverssl = clientssl = NULL;
  3330. testresult = 1;
  3331. end:
  3332. SSL_free(serverssl);
  3333. SSL_free(clientssl);
  3334. SSL_CTX_free(sctx);
  3335. SSL_CTX_free(cctx);
  3336. return testresult;
  3337. }
  3338. #endif /* OPENSSL_NO_TLS1_3 */
  3339. static int clntaddoldcb = 0;
  3340. static int clntparseoldcb = 0;
  3341. static int srvaddoldcb = 0;
  3342. static int srvparseoldcb = 0;
  3343. static int clntaddnewcb = 0;
  3344. static int clntparsenewcb = 0;
  3345. static int srvaddnewcb = 0;
  3346. static int srvparsenewcb = 0;
  3347. static int snicb = 0;
  3348. #define TEST_EXT_TYPE1 0xff00
  3349. static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
  3350. size_t *outlen, int *al, void *add_arg)
  3351. {
  3352. int *server = (int *)add_arg;
  3353. unsigned char *data;
  3354. if (SSL_is_server(s))
  3355. srvaddoldcb++;
  3356. else
  3357. clntaddoldcb++;
  3358. if (*server != SSL_is_server(s)
  3359. || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
  3360. return -1;
  3361. *data = 1;
  3362. *out = data;
  3363. *outlen = sizeof(char);
  3364. return 1;
  3365. }
  3366. static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
  3367. void *add_arg)
  3368. {
  3369. OPENSSL_free((unsigned char *)out);
  3370. }
  3371. static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
  3372. size_t inlen, int *al, void *parse_arg)
  3373. {
  3374. int *server = (int *)parse_arg;
  3375. if (SSL_is_server(s))
  3376. srvparseoldcb++;
  3377. else
  3378. clntparseoldcb++;
  3379. if (*server != SSL_is_server(s)
  3380. || inlen != sizeof(char)
  3381. || *in != 1)
  3382. return -1;
  3383. return 1;
  3384. }
  3385. static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
  3386. const unsigned char **out, size_t *outlen, X509 *x,
  3387. size_t chainidx, int *al, void *add_arg)
  3388. {
  3389. int *server = (int *)add_arg;
  3390. unsigned char *data;
  3391. if (SSL_is_server(s))
  3392. srvaddnewcb++;
  3393. else
  3394. clntaddnewcb++;
  3395. if (*server != SSL_is_server(s)
  3396. || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
  3397. return -1;
  3398. *data = 1;
  3399. *out = data;
  3400. *outlen = sizeof(*data);
  3401. return 1;
  3402. }
  3403. static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
  3404. const unsigned char *out, void *add_arg)
  3405. {
  3406. OPENSSL_free((unsigned char *)out);
  3407. }
  3408. static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
  3409. const unsigned char *in, size_t inlen, X509 *x,
  3410. size_t chainidx, int *al, void *parse_arg)
  3411. {
  3412. int *server = (int *)parse_arg;
  3413. if (SSL_is_server(s))
  3414. srvparsenewcb++;
  3415. else
  3416. clntparsenewcb++;
  3417. if (*server != SSL_is_server(s)
  3418. || inlen != sizeof(char) || *in != 1)
  3419. return -1;
  3420. return 1;
  3421. }
  3422. static int sni_cb(SSL *s, int *al, void *arg)
  3423. {
  3424. SSL_CTX *ctx = (SSL_CTX *)arg;
  3425. if (SSL_set_SSL_CTX(s, ctx) == NULL) {
  3426. *al = SSL_AD_INTERNAL_ERROR;
  3427. return SSL_TLSEXT_ERR_ALERT_FATAL;
  3428. }
  3429. snicb++;
  3430. return SSL_TLSEXT_ERR_OK;
  3431. }
  3432. /*
  3433. * Custom call back tests.
  3434. * Test 0: Old style callbacks in TLSv1.2
  3435. * Test 1: New style callbacks in TLSv1.2
  3436. * Test 2: New style callbacks in TLSv1.2 with SNI
  3437. * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
  3438. * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
  3439. */
  3440. static int test_custom_exts(int tst)
  3441. {
  3442. SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
  3443. SSL *clientssl = NULL, *serverssl = NULL;
  3444. int testresult = 0;
  3445. static int server = 1;
  3446. static int client = 0;
  3447. SSL_SESSION *sess = NULL;
  3448. unsigned int context;
  3449. #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
  3450. /* Skip tests for TLSv1.2 and below in this case */
  3451. if (tst < 3)
  3452. return 1;
  3453. #endif
  3454. /* Reset callback counters */
  3455. clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
  3456. clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
  3457. snicb = 0;
  3458. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
  3459. TLS1_VERSION, 0,
  3460. &sctx, &cctx, cert, privkey)))
  3461. goto end;
  3462. if (tst == 2
  3463. && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
  3464. TLS1_VERSION, 0,
  3465. &sctx2, NULL, cert, privkey)))
  3466. goto end;
  3467. if (tst < 3) {
  3468. SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
  3469. SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
  3470. if (sctx2 != NULL)
  3471. SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
  3472. }
  3473. if (tst == 4) {
  3474. context = SSL_EXT_CLIENT_HELLO
  3475. | SSL_EXT_TLS1_2_SERVER_HELLO
  3476. | SSL_EXT_TLS1_3_SERVER_HELLO
  3477. | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
  3478. | SSL_EXT_TLS1_3_CERTIFICATE
  3479. | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
  3480. } else {
  3481. context = SSL_EXT_CLIENT_HELLO
  3482. | SSL_EXT_TLS1_2_SERVER_HELLO
  3483. | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
  3484. }
  3485. /* Create a client side custom extension */
  3486. if (tst == 0) {
  3487. if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
  3488. old_add_cb, old_free_cb,
  3489. &client, old_parse_cb,
  3490. &client)))
  3491. goto end;
  3492. } else {
  3493. if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
  3494. new_add_cb, new_free_cb,
  3495. &client, new_parse_cb, &client)))
  3496. goto end;
  3497. }
  3498. /* Should not be able to add duplicates */
  3499. if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
  3500. old_add_cb, old_free_cb,
  3501. &client, old_parse_cb,
  3502. &client))
  3503. || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
  3504. context, new_add_cb,
  3505. new_free_cb, &client,
  3506. new_parse_cb, &client)))
  3507. goto end;
  3508. /* Create a server side custom extension */
  3509. if (tst == 0) {
  3510. if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
  3511. old_add_cb, old_free_cb,
  3512. &server, old_parse_cb,
  3513. &server)))
  3514. goto end;
  3515. } else {
  3516. if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
  3517. new_add_cb, new_free_cb,
  3518. &server, new_parse_cb, &server)))
  3519. goto end;
  3520. if (sctx2 != NULL
  3521. && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
  3522. context, new_add_cb,
  3523. new_free_cb, &server,
  3524. new_parse_cb, &server)))
  3525. goto end;
  3526. }
  3527. /* Should not be able to add duplicates */
  3528. if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
  3529. old_add_cb, old_free_cb,
  3530. &server, old_parse_cb,
  3531. &server))
  3532. || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
  3533. context, new_add_cb,
  3534. new_free_cb, &server,
  3535. new_parse_cb, &server)))
  3536. goto end;
  3537. if (tst == 2) {
  3538. /* Set up SNI */
  3539. if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
  3540. || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
  3541. goto end;
  3542. }
  3543. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
  3544. &clientssl, NULL, NULL))
  3545. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  3546. SSL_ERROR_NONE)))
  3547. goto end;
  3548. if (tst == 0) {
  3549. if (clntaddoldcb != 1
  3550. || clntparseoldcb != 1
  3551. || srvaddoldcb != 1
  3552. || srvparseoldcb != 1)
  3553. goto end;
  3554. } else if (tst == 1 || tst == 2 || tst == 3) {
  3555. if (clntaddnewcb != 1
  3556. || clntparsenewcb != 1
  3557. || srvaddnewcb != 1
  3558. || srvparsenewcb != 1
  3559. || (tst != 2 && snicb != 0)
  3560. || (tst == 2 && snicb != 1))
  3561. goto end;
  3562. } else {
  3563. /* In this case there 2 NewSessionTicket messages created */
  3564. if (clntaddnewcb != 1
  3565. || clntparsenewcb != 5
  3566. || srvaddnewcb != 5
  3567. || srvparsenewcb != 1)
  3568. goto end;
  3569. }
  3570. sess = SSL_get1_session(clientssl);
  3571. SSL_shutdown(clientssl);
  3572. SSL_shutdown(serverssl);
  3573. SSL_free(serverssl);
  3574. SSL_free(clientssl);
  3575. serverssl = clientssl = NULL;
  3576. if (tst == 3) {
  3577. /* We don't bother with the resumption aspects for this test */
  3578. testresult = 1;
  3579. goto end;
  3580. }
  3581. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  3582. NULL, NULL))
  3583. || !TEST_true(SSL_set_session(clientssl, sess))
  3584. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  3585. SSL_ERROR_NONE)))
  3586. goto end;
  3587. /*
  3588. * For a resumed session we expect to add the ClientHello extension. For the
  3589. * old style callbacks we ignore it on the server side because they set
  3590. * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
  3591. * them.
  3592. */
  3593. if (tst == 0) {
  3594. if (clntaddoldcb != 2
  3595. || clntparseoldcb != 1
  3596. || srvaddoldcb != 1
  3597. || srvparseoldcb != 1)
  3598. goto end;
  3599. } else if (tst == 1 || tst == 2 || tst == 3) {
  3600. if (clntaddnewcb != 2
  3601. || clntparsenewcb != 2
  3602. || srvaddnewcb != 2
  3603. || srvparsenewcb != 2)
  3604. goto end;
  3605. } else {
  3606. /*
  3607. * No Certificate message extensions in the resumption handshake,
  3608. * 2 NewSessionTickets in the initial handshake, 1 in the resumption
  3609. */
  3610. if (clntaddnewcb != 2
  3611. || clntparsenewcb != 8
  3612. || srvaddnewcb != 8
  3613. || srvparsenewcb != 2)
  3614. goto end;
  3615. }
  3616. testresult = 1;
  3617. end:
  3618. SSL_SESSION_free(sess);
  3619. SSL_free(serverssl);
  3620. SSL_free(clientssl);
  3621. SSL_CTX_free(sctx2);
  3622. SSL_CTX_free(sctx);
  3623. SSL_CTX_free(cctx);
  3624. return testresult;
  3625. }
  3626. /*
  3627. * Test loading of serverinfo data in various formats. test_sslmessages actually
  3628. * tests to make sure the extensions appear in the handshake
  3629. */
  3630. static int test_serverinfo(int tst)
  3631. {
  3632. unsigned int version;
  3633. unsigned char *sibuf;
  3634. size_t sibuflen;
  3635. int ret, expected, testresult = 0;
  3636. SSL_CTX *ctx;
  3637. ctx = SSL_CTX_new(TLS_method());
  3638. if (!TEST_ptr(ctx))
  3639. goto end;
  3640. if ((tst & 0x01) == 0x01)
  3641. version = SSL_SERVERINFOV2;
  3642. else
  3643. version = SSL_SERVERINFOV1;
  3644. if ((tst & 0x02) == 0x02) {
  3645. sibuf = serverinfov2;
  3646. sibuflen = sizeof(serverinfov2);
  3647. expected = (version == SSL_SERVERINFOV2);
  3648. } else {
  3649. sibuf = serverinfov1;
  3650. sibuflen = sizeof(serverinfov1);
  3651. expected = (version == SSL_SERVERINFOV1);
  3652. }
  3653. if ((tst & 0x04) == 0x04) {
  3654. ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
  3655. } else {
  3656. ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
  3657. /*
  3658. * The version variable is irrelevant in this case - it's what is in the
  3659. * buffer that matters
  3660. */
  3661. if ((tst & 0x02) == 0x02)
  3662. expected = 0;
  3663. else
  3664. expected = 1;
  3665. }
  3666. if (!TEST_true(ret == expected))
  3667. goto end;
  3668. testresult = 1;
  3669. end:
  3670. SSL_CTX_free(ctx);
  3671. return testresult;
  3672. }
  3673. /*
  3674. * Test that SSL_export_keying_material() produces expected results. There are
  3675. * no test vectors so all we do is test that both sides of the communication
  3676. * produce the same results for different protocol versions.
  3677. */
  3678. #define SMALL_LABEL_LEN 10
  3679. #define LONG_LABEL_LEN 249
  3680. static int test_export_key_mat(int tst)
  3681. {
  3682. int testresult = 0;
  3683. SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
  3684. SSL *clientssl = NULL, *serverssl = NULL;
  3685. const char label[LONG_LABEL_LEN + 1] = "test label";
  3686. const unsigned char context[] = "context";
  3687. const unsigned char *emptycontext = NULL;
  3688. unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
  3689. unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
  3690. size_t labellen;
  3691. const int protocols[] = {
  3692. TLS1_VERSION,
  3693. TLS1_1_VERSION,
  3694. TLS1_2_VERSION,
  3695. TLS1_3_VERSION,
  3696. TLS1_3_VERSION,
  3697. TLS1_3_VERSION
  3698. };
  3699. #ifdef OPENSSL_NO_TLS1
  3700. if (tst == 0)
  3701. return 1;
  3702. #endif
  3703. #ifdef OPENSSL_NO_TLS1_1
  3704. if (tst == 1)
  3705. return 1;
  3706. #endif
  3707. #ifdef OPENSSL_NO_TLS1_2
  3708. if (tst == 2)
  3709. return 1;
  3710. #endif
  3711. #ifdef OPENSSL_NO_TLS1_3
  3712. if (tst >= 3)
  3713. return 1;
  3714. #endif
  3715. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
  3716. TLS1_VERSION, 0,
  3717. &sctx, &cctx, cert, privkey)))
  3718. goto end;
  3719. OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
  3720. SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
  3721. SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
  3722. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
  3723. NULL))
  3724. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  3725. SSL_ERROR_NONE)))
  3726. goto end;
  3727. if (tst == 5) {
  3728. /*
  3729. * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
  3730. * go over that.
  3731. */
  3732. if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
  3733. sizeof(ckeymat1), label,
  3734. LONG_LABEL_LEN + 1, context,
  3735. sizeof(context) - 1, 1), 0))
  3736. goto end;
  3737. testresult = 1;
  3738. goto end;
  3739. } else if (tst == 4) {
  3740. labellen = LONG_LABEL_LEN;
  3741. } else {
  3742. labellen = SMALL_LABEL_LEN;
  3743. }
  3744. if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
  3745. sizeof(ckeymat1), label,
  3746. labellen, context,
  3747. sizeof(context) - 1, 1), 1)
  3748. || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
  3749. sizeof(ckeymat2), label,
  3750. labellen,
  3751. emptycontext,
  3752. 0, 1), 1)
  3753. || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
  3754. sizeof(ckeymat3), label,
  3755. labellen,
  3756. NULL, 0, 0), 1)
  3757. || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
  3758. sizeof(skeymat1), label,
  3759. labellen,
  3760. context,
  3761. sizeof(context) -1, 1),
  3762. 1)
  3763. || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
  3764. sizeof(skeymat2), label,
  3765. labellen,
  3766. emptycontext,
  3767. 0, 1), 1)
  3768. || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
  3769. sizeof(skeymat3), label,
  3770. labellen,
  3771. NULL, 0, 0), 1)
  3772. /*
  3773. * Check that both sides created the same key material with the
  3774. * same context.
  3775. */
  3776. || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
  3777. sizeof(skeymat1))
  3778. /*
  3779. * Check that both sides created the same key material with an
  3780. * empty context.
  3781. */
  3782. || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
  3783. sizeof(skeymat2))
  3784. /*
  3785. * Check that both sides created the same key material without a
  3786. * context.
  3787. */
  3788. || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
  3789. sizeof(skeymat3))
  3790. /* Different contexts should produce different results */
  3791. || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
  3792. sizeof(ckeymat2)))
  3793. goto end;
  3794. /*
  3795. * Check that an empty context and no context produce different results in
  3796. * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
  3797. */
  3798. if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
  3799. sizeof(ckeymat3)))
  3800. || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
  3801. sizeof(ckeymat3))))
  3802. goto end;
  3803. testresult = 1;
  3804. end:
  3805. SSL_free(serverssl);
  3806. SSL_free(clientssl);
  3807. SSL_CTX_free(sctx2);
  3808. SSL_CTX_free(sctx);
  3809. SSL_CTX_free(cctx);
  3810. return testresult;
  3811. }
  3812. #ifndef OPENSSL_NO_TLS1_3
  3813. /*
  3814. * Test that SSL_export_keying_material_early() produces expected
  3815. * results. There are no test vectors so all we do is test that both
  3816. * sides of the communication produce the same results for different
  3817. * protocol versions.
  3818. */
  3819. static int test_export_key_mat_early(int idx)
  3820. {
  3821. static const char label[] = "test label";
  3822. static const unsigned char context[] = "context";
  3823. int testresult = 0;
  3824. SSL_CTX *cctx = NULL, *sctx = NULL;
  3825. SSL *clientssl = NULL, *serverssl = NULL;
  3826. SSL_SESSION *sess = NULL;
  3827. const unsigned char *emptycontext = NULL;
  3828. unsigned char ckeymat1[80], ckeymat2[80];
  3829. unsigned char skeymat1[80], skeymat2[80];
  3830. unsigned char buf[1];
  3831. size_t readbytes, written;
  3832. if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
  3833. &sess, idx)))
  3834. goto end;
  3835. /* Here writing 0 length early data is enough. */
  3836. if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
  3837. || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
  3838. &readbytes),
  3839. SSL_READ_EARLY_DATA_ERROR)
  3840. || !TEST_int_eq(SSL_get_early_data_status(serverssl),
  3841. SSL_EARLY_DATA_ACCEPTED))
  3842. goto end;
  3843. if (!TEST_int_eq(SSL_export_keying_material_early(
  3844. clientssl, ckeymat1, sizeof(ckeymat1), label,
  3845. sizeof(label) - 1, context, sizeof(context) - 1), 1)
  3846. || !TEST_int_eq(SSL_export_keying_material_early(
  3847. clientssl, ckeymat2, sizeof(ckeymat2), label,
  3848. sizeof(label) - 1, emptycontext, 0), 1)
  3849. || !TEST_int_eq(SSL_export_keying_material_early(
  3850. serverssl, skeymat1, sizeof(skeymat1), label,
  3851. sizeof(label) - 1, context, sizeof(context) - 1), 1)
  3852. || !TEST_int_eq(SSL_export_keying_material_early(
  3853. serverssl, skeymat2, sizeof(skeymat2), label,
  3854. sizeof(label) - 1, emptycontext, 0), 1)
  3855. /*
  3856. * Check that both sides created the same key material with the
  3857. * same context.
  3858. */
  3859. || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
  3860. sizeof(skeymat1))
  3861. /*
  3862. * Check that both sides created the same key material with an
  3863. * empty context.
  3864. */
  3865. || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
  3866. sizeof(skeymat2))
  3867. /* Different contexts should produce different results */
  3868. || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
  3869. sizeof(ckeymat2)))
  3870. goto end;
  3871. testresult = 1;
  3872. end:
  3873. SSL_SESSION_free(sess);
  3874. SSL_SESSION_free(clientpsk);
  3875. SSL_SESSION_free(serverpsk);
  3876. clientpsk = serverpsk = NULL;
  3877. SSL_free(serverssl);
  3878. SSL_free(clientssl);
  3879. SSL_CTX_free(sctx);
  3880. SSL_CTX_free(cctx);
  3881. return testresult;
  3882. }
  3883. #endif /* OPENSSL_NO_TLS1_3 */
  3884. static int test_ssl_clear(int idx)
  3885. {
  3886. SSL_CTX *cctx = NULL, *sctx = NULL;
  3887. SSL *clientssl = NULL, *serverssl = NULL;
  3888. int testresult = 0;
  3889. #ifdef OPENSSL_NO_TLS1_2
  3890. if (idx == 1)
  3891. return 1;
  3892. #endif
  3893. /* Create an initial connection */
  3894. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
  3895. TLS1_VERSION, 0,
  3896. &sctx, &cctx, cert, privkey))
  3897. || (idx == 1
  3898. && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
  3899. TLS1_2_VERSION)))
  3900. || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
  3901. &clientssl, NULL, NULL))
  3902. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  3903. SSL_ERROR_NONE)))
  3904. goto end;
  3905. SSL_shutdown(clientssl);
  3906. SSL_shutdown(serverssl);
  3907. SSL_free(serverssl);
  3908. serverssl = NULL;
  3909. /* Clear clientssl - we're going to reuse the object */
  3910. if (!TEST_true(SSL_clear(clientssl)))
  3911. goto end;
  3912. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  3913. NULL, NULL))
  3914. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  3915. SSL_ERROR_NONE))
  3916. || !TEST_true(SSL_session_reused(clientssl)))
  3917. goto end;
  3918. SSL_shutdown(clientssl);
  3919. SSL_shutdown(serverssl);
  3920. testresult = 1;
  3921. end:
  3922. SSL_free(serverssl);
  3923. SSL_free(clientssl);
  3924. SSL_CTX_free(sctx);
  3925. SSL_CTX_free(cctx);
  3926. return testresult;
  3927. }
  3928. /* Parse CH and retrieve any MFL extension value if present */
  3929. static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
  3930. {
  3931. long len;
  3932. unsigned char *data;
  3933. PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0};
  3934. unsigned int MFL_code = 0, type = 0;
  3935. if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
  3936. goto end;
  3937. if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
  3938. /* Skip the record header */
  3939. || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
  3940. /* Skip the handshake message header */
  3941. || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
  3942. /* Skip client version and random */
  3943. || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
  3944. + SSL3_RANDOM_SIZE))
  3945. /* Skip session id */
  3946. || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
  3947. /* Skip ciphers */
  3948. || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
  3949. /* Skip compression */
  3950. || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
  3951. /* Extensions len */
  3952. || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
  3953. goto end;
  3954. /* Loop through all extensions */
  3955. while (PACKET_remaining(&pkt2)) {
  3956. if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
  3957. || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
  3958. goto end;
  3959. if (type == TLSEXT_TYPE_max_fragment_length) {
  3960. if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
  3961. || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
  3962. goto end;
  3963. *mfl_codemfl_code = MFL_code;
  3964. return 1;
  3965. }
  3966. }
  3967. end:
  3968. return 0;
  3969. }
  3970. /* Maximum-Fragment-Length TLS extension mode to test */
  3971. static const unsigned char max_fragment_len_test[] = {
  3972. TLSEXT_max_fragment_length_512,
  3973. TLSEXT_max_fragment_length_1024,
  3974. TLSEXT_max_fragment_length_2048,
  3975. TLSEXT_max_fragment_length_4096
  3976. };
  3977. static int test_max_fragment_len_ext(int idx_tst)
  3978. {
  3979. SSL_CTX *ctx;
  3980. SSL *con = NULL;
  3981. int testresult = 0, MFL_mode = 0;
  3982. BIO *rbio, *wbio;
  3983. ctx = SSL_CTX_new(TLS_method());
  3984. if (!TEST_ptr(ctx))
  3985. goto end;
  3986. if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
  3987. ctx, max_fragment_len_test[idx_tst])))
  3988. goto end;
  3989. con = SSL_new(ctx);
  3990. if (!TEST_ptr(con))
  3991. goto end;
  3992. rbio = BIO_new(BIO_s_mem());
  3993. wbio = BIO_new(BIO_s_mem());
  3994. if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
  3995. BIO_free(rbio);
  3996. BIO_free(wbio);
  3997. goto end;
  3998. }
  3999. SSL_set_bio(con, rbio, wbio);
  4000. SSL_set_connect_state(con);
  4001. if (!TEST_int_le(SSL_connect(con), 0)) {
  4002. /* This shouldn't succeed because we don't have a server! */
  4003. goto end;
  4004. }
  4005. if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
  4006. /* no MFL in client hello */
  4007. goto end;
  4008. if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
  4009. goto end;
  4010. testresult = 1;
  4011. end:
  4012. SSL_free(con);
  4013. SSL_CTX_free(ctx);
  4014. return testresult;
  4015. }
  4016. #ifndef OPENSSL_NO_TLS1_3
  4017. static int test_pha_key_update(void)
  4018. {
  4019. SSL_CTX *cctx = NULL, *sctx = NULL;
  4020. SSL *clientssl = NULL, *serverssl = NULL;
  4021. int testresult = 0;
  4022. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
  4023. TLS1_VERSION, 0,
  4024. &sctx, &cctx, cert, privkey)))
  4025. return 0;
  4026. if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
  4027. || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
  4028. || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
  4029. || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
  4030. goto end;
  4031. SSL_CTX_set_post_handshake_auth(cctx, 1);
  4032. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  4033. NULL, NULL)))
  4034. goto end;
  4035. if (!TEST_true(create_ssl_connection(serverssl, clientssl,
  4036. SSL_ERROR_NONE)))
  4037. goto end;
  4038. SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
  4039. if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
  4040. goto end;
  4041. if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
  4042. goto end;
  4043. /* Start handshake on the server */
  4044. if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
  4045. goto end;
  4046. /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
  4047. if (!TEST_true(create_ssl_connection(serverssl, clientssl,
  4048. SSL_ERROR_NONE)))
  4049. goto end;
  4050. SSL_shutdown(clientssl);
  4051. SSL_shutdown(serverssl);
  4052. testresult = 1;
  4053. end:
  4054. SSL_free(serverssl);
  4055. SSL_free(clientssl);
  4056. SSL_CTX_free(sctx);
  4057. SSL_CTX_free(cctx);
  4058. return testresult;
  4059. }
  4060. #endif
  4061. #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
  4062. static SRP_VBASE *vbase = NULL;
  4063. static int ssl_srp_cb(SSL *s, int *ad, void *arg)
  4064. {
  4065. int ret = SSL3_AL_FATAL;
  4066. char *username;
  4067. SRP_user_pwd *user = NULL;
  4068. username = SSL_get_srp_username(s);
  4069. if (username == NULL) {
  4070. *ad = SSL_AD_INTERNAL_ERROR;
  4071. goto err;
  4072. }
  4073. user = SRP_VBASE_get1_by_user(vbase, username);
  4074. if (user == NULL) {
  4075. *ad = SSL_AD_INTERNAL_ERROR;
  4076. goto err;
  4077. }
  4078. if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
  4079. user->info) <= 0) {
  4080. *ad = SSL_AD_INTERNAL_ERROR;
  4081. goto err;
  4082. }
  4083. ret = 0;
  4084. err:
  4085. SRP_user_pwd_free(user);
  4086. return ret;
  4087. }
  4088. static int create_new_vfile(char *userid, char *password, const char *filename)
  4089. {
  4090. char *gNid = NULL;
  4091. OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
  4092. TXT_DB *db = NULL;
  4093. int ret = 0;
  4094. BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
  4095. size_t i;
  4096. if (!TEST_ptr(dummy) || !TEST_ptr(row))
  4097. goto end;
  4098. gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
  4099. &row[DB_srpverifier], NULL, NULL);
  4100. if (!TEST_ptr(gNid))
  4101. goto end;
  4102. /*
  4103. * The only way to create an empty TXT_DB is to provide a BIO with no data
  4104. * in it!
  4105. */
  4106. db = TXT_DB_read(dummy, DB_NUMBER);
  4107. if (!TEST_ptr(db))
  4108. goto end;
  4109. out = BIO_new_file(filename, "w");
  4110. if (!TEST_ptr(out))
  4111. goto end;
  4112. row[DB_srpid] = OPENSSL_strdup(userid);
  4113. row[DB_srptype] = OPENSSL_strdup("V");
  4114. row[DB_srpgN] = OPENSSL_strdup(gNid);
  4115. if (!TEST_ptr(row[DB_srpid])
  4116. || !TEST_ptr(row[DB_srptype])
  4117. || !TEST_ptr(row[DB_srpgN])
  4118. || !TEST_true(TXT_DB_insert(db, row)))
  4119. goto end;
  4120. row = NULL;
  4121. if (!TXT_DB_write(out, db))
  4122. goto end;
  4123. ret = 1;
  4124. end:
  4125. if (row != NULL) {
  4126. for (i = 0; i < DB_NUMBER; i++)
  4127. OPENSSL_free(row[i]);
  4128. }
  4129. OPENSSL_free(row);
  4130. BIO_free(dummy);
  4131. BIO_free(out);
  4132. TXT_DB_free(db);
  4133. return ret;
  4134. }
  4135. static int create_new_vbase(char *userid, char *password)
  4136. {
  4137. BIGNUM *verifier = NULL, *salt = NULL;
  4138. const SRP_gN *lgN = NULL;
  4139. SRP_user_pwd *user_pwd = NULL;
  4140. int ret = 0;
  4141. lgN = SRP_get_default_gN(NULL);
  4142. if (!TEST_ptr(lgN))
  4143. goto end;
  4144. if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
  4145. lgN->N, lgN->g)))
  4146. goto end;
  4147. user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
  4148. if (!TEST_ptr(user_pwd))
  4149. goto end;
  4150. user_pwd->N = lgN->N;
  4151. user_pwd->g = lgN->g;
  4152. user_pwd->id = OPENSSL_strdup(userid);
  4153. if (!TEST_ptr(user_pwd->id))
  4154. goto end;
  4155. user_pwd->v = verifier;
  4156. user_pwd->s = salt;
  4157. verifier = salt = NULL;
  4158. if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
  4159. goto end;
  4160. user_pwd = NULL;
  4161. ret = 1;
  4162. end:
  4163. SRP_user_pwd_free(user_pwd);
  4164. BN_free(salt);
  4165. BN_free(verifier);
  4166. return ret;
  4167. }
  4168. /*
  4169. * SRP tests
  4170. *
  4171. * Test 0: Simple successful SRP connection, new vbase
  4172. * Test 1: Connection failure due to bad password, new vbase
  4173. * Test 2: Simple successful SRP connection, vbase loaded from existing file
  4174. * Test 3: Connection failure due to bad password, vbase loaded from existing
  4175. * file
  4176. * Test 4: Simple successful SRP connection, vbase loaded from new file
  4177. * Test 5: Connection failure due to bad password, vbase loaded from new file
  4178. */
  4179. static int test_srp(int tst)
  4180. {
  4181. char *userid = "test", *password = "password", *tstsrpfile;
  4182. SSL_CTX *cctx = NULL, *sctx = NULL;
  4183. SSL *clientssl = NULL, *serverssl = NULL;
  4184. int ret, testresult = 0;
  4185. vbase = SRP_VBASE_new(NULL);
  4186. if (!TEST_ptr(vbase))
  4187. goto end;
  4188. if (tst == 0 || tst == 1) {
  4189. if (!TEST_true(create_new_vbase(userid, password)))
  4190. goto end;
  4191. } else {
  4192. if (tst == 4 || tst == 5) {
  4193. if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
  4194. goto end;
  4195. tstsrpfile = tmpfilename;
  4196. } else {
  4197. tstsrpfile = srpvfile;
  4198. }
  4199. if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
  4200. goto end;
  4201. }
  4202. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
  4203. TLS1_VERSION, 0,
  4204. &sctx, &cctx, cert, privkey)))
  4205. goto end;
  4206. if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
  4207. || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
  4208. || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
  4209. || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
  4210. || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
  4211. goto end;
  4212. if (tst % 2 == 1) {
  4213. if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
  4214. goto end;
  4215. } else {
  4216. if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
  4217. goto end;
  4218. }
  4219. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  4220. NULL, NULL)))
  4221. goto end;
  4222. ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
  4223. if (ret) {
  4224. if (!TEST_true(tst % 2 == 0))
  4225. goto end;
  4226. } else {
  4227. if (!TEST_true(tst % 2 == 1))
  4228. goto end;
  4229. }
  4230. testresult = 1;
  4231. end:
  4232. SRP_VBASE_free(vbase);
  4233. vbase = NULL;
  4234. SSL_free(serverssl);
  4235. SSL_free(clientssl);
  4236. SSL_CTX_free(sctx);
  4237. SSL_CTX_free(cctx);
  4238. return testresult;
  4239. }
  4240. #endif
  4241. static int info_cb_failed = 0;
  4242. static int info_cb_offset = 0;
  4243. static int info_cb_this_state = -1;
  4244. static struct info_cb_states_st {
  4245. int where;
  4246. const char *statestr;
  4247. } info_cb_states[][60] = {
  4248. {
  4249. /* TLSv1.2 server followed by resumption */
  4250. {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
  4251. {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
  4252. {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
  4253. {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
  4254. {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
  4255. {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
  4256. {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
  4257. {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
  4258. {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
  4259. {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
  4260. {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
  4261. {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
  4262. {SSL_CB_EXIT, NULL}, {0, NULL},
  4263. }, {
  4264. /* TLSv1.2 client followed by resumption */
  4265. {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
  4266. {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
  4267. {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
  4268. {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
  4269. {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
  4270. {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
  4271. {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
  4272. {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
  4273. {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
  4274. {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
  4275. {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
  4276. {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
  4277. }, {
  4278. /* TLSv1.3 server followed by resumption */
  4279. {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
  4280. {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
  4281. {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
  4282. {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
  4283. {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
  4284. {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
  4285. {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
  4286. {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
  4287. {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
  4288. {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
  4289. {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
  4290. {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
  4291. {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
  4292. }, {
  4293. /* TLSv1.3 client followed by resumption */
  4294. {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
  4295. {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
  4296. {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
  4297. {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
  4298. {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
  4299. {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
  4300. {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
  4301. {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
  4302. {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
  4303. {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
  4304. {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
  4305. {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
  4306. {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
  4307. {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
  4308. {SSL_CB_EXIT, NULL}, {0, NULL},
  4309. }, {
  4310. /* TLSv1.3 server, early_data */
  4311. {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
  4312. {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
  4313. {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
  4314. {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
  4315. {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
  4316. {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
  4317. {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
  4318. {SSL_CB_EXIT, NULL}, {0, NULL},
  4319. }, {
  4320. /* TLSv1.3 client, early_data */
  4321. {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
  4322. {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
  4323. {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
  4324. {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
  4325. {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
  4326. {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
  4327. {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
  4328. {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
  4329. {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
  4330. }, {
  4331. {0, NULL},
  4332. }
  4333. };
  4334. static void sslapi_info_callback(const SSL *s, int where, int ret)
  4335. {
  4336. struct info_cb_states_st *state = info_cb_states[info_cb_offset];
  4337. /* We do not ever expect a connection to fail in this test */
  4338. if (!TEST_false(ret == 0)) {
  4339. info_cb_failed = 1;
  4340. return;
  4341. }
  4342. /*
  4343. * Do some sanity checks. We never expect these things to happen in this
  4344. * test
  4345. */
  4346. if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
  4347. || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
  4348. || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
  4349. info_cb_failed = 1;
  4350. return;
  4351. }
  4352. /* Now check we're in the right state */
  4353. if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
  4354. info_cb_failed = 1;
  4355. return;
  4356. }
  4357. if ((where & SSL_CB_LOOP) != 0
  4358. && !TEST_int_eq(strcmp(SSL_state_string(s),
  4359. state[info_cb_this_state].statestr), 0)) {
  4360. info_cb_failed = 1;
  4361. return;
  4362. }
  4363. /*
  4364. * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
  4365. */
  4366. if ((where & SSL_CB_HANDSHAKE_DONE)
  4367. && SSL_in_init((SSL *)s) != 0) {
  4368. info_cb_failed = 1;
  4369. return;
  4370. }
  4371. }
  4372. /*
  4373. * Test the info callback gets called when we expect it to.
  4374. *
  4375. * Test 0: TLSv1.2, server
  4376. * Test 1: TLSv1.2, client
  4377. * Test 2: TLSv1.3, server
  4378. * Test 3: TLSv1.3, client
  4379. * Test 4: TLSv1.3, server, early_data
  4380. * Test 5: TLSv1.3, client, early_data
  4381. */
  4382. static int test_info_callback(int tst)
  4383. {
  4384. SSL_CTX *cctx = NULL, *sctx = NULL;
  4385. SSL *clientssl = NULL, *serverssl = NULL;
  4386. SSL_SESSION *clntsess = NULL;
  4387. int testresult = 0;
  4388. int tlsvers;
  4389. if (tst < 2) {
  4390. /* We need either ECDHE or DHE for the TLSv1.2 test to work */
  4391. #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
  4392. || !defined(OPENSSL_NO_DH))
  4393. tlsvers = TLS1_2_VERSION;
  4394. #else
  4395. return 1;
  4396. #endif
  4397. } else {
  4398. #ifndef OPENSSL_NO_TLS1_3
  4399. tlsvers = TLS1_3_VERSION;
  4400. #else
  4401. return 1;
  4402. #endif
  4403. }
  4404. /* Reset globals */
  4405. info_cb_failed = 0;
  4406. info_cb_this_state = -1;
  4407. info_cb_offset = tst;
  4408. #ifndef OPENSSL_NO_TLS1_3
  4409. if (tst >= 4) {
  4410. SSL_SESSION *sess = NULL;
  4411. size_t written, readbytes;
  4412. unsigned char buf[80];
  4413. /* early_data tests */
  4414. if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
  4415. &serverssl, &sess, 0)))
  4416. goto end;
  4417. /* We don't actually need this reference */
  4418. SSL_SESSION_free(sess);
  4419. SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
  4420. sslapi_info_callback);
  4421. /* Write and read some early data and then complete the connection */
  4422. if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
  4423. &written))
  4424. || !TEST_size_t_eq(written, strlen(MSG1))
  4425. || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
  4426. sizeof(buf), &readbytes),
  4427. SSL_READ_EARLY_DATA_SUCCESS)
  4428. || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
  4429. || !TEST_int_eq(SSL_get_early_data_status(serverssl),
  4430. SSL_EARLY_DATA_ACCEPTED)
  4431. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  4432. SSL_ERROR_NONE))
  4433. || !TEST_false(info_cb_failed))
  4434. goto end;
  4435. testresult = 1;
  4436. goto end;
  4437. }
  4438. #endif
  4439. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
  4440. TLS_client_method(),
  4441. tlsvers, tlsvers, &sctx, &cctx, cert,
  4442. privkey)))
  4443. goto end;
  4444. /*
  4445. * For even numbered tests we check the server callbacks. For odd numbers we
  4446. * check the client.
  4447. */
  4448. SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
  4449. sslapi_info_callback);
  4450. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
  4451. &clientssl, NULL, NULL))
  4452. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  4453. SSL_ERROR_NONE))
  4454. || !TEST_false(info_cb_failed))
  4455. goto end;
  4456. clntsess = SSL_get1_session(clientssl);
  4457. SSL_shutdown(clientssl);
  4458. SSL_shutdown(serverssl);
  4459. SSL_free(serverssl);
  4460. SSL_free(clientssl);
  4461. serverssl = clientssl = NULL;
  4462. /* Now do a resumption */
  4463. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
  4464. NULL))
  4465. || !TEST_true(SSL_set_session(clientssl, clntsess))
  4466. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  4467. SSL_ERROR_NONE))
  4468. || !TEST_true(SSL_session_reused(clientssl))
  4469. || !TEST_false(info_cb_failed))
  4470. goto end;
  4471. testresult = 1;
  4472. end:
  4473. SSL_free(serverssl);
  4474. SSL_free(clientssl);
  4475. SSL_SESSION_free(clntsess);
  4476. SSL_CTX_free(sctx);
  4477. SSL_CTX_free(cctx);
  4478. return testresult;
  4479. }
  4480. static int test_ssl_pending(int tst)
  4481. {
  4482. SSL_CTX *cctx = NULL, *sctx = NULL;
  4483. SSL *clientssl = NULL, *serverssl = NULL;
  4484. int testresult = 0;
  4485. char msg[] = "A test message";
  4486. char buf[5];
  4487. size_t written, readbytes;
  4488. if (tst == 0) {
  4489. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
  4490. TLS_client_method(),
  4491. TLS1_VERSION, 0,
  4492. &sctx, &cctx, cert, privkey)))
  4493. goto end;
  4494. } else {
  4495. #ifndef OPENSSL_NO_DTLS
  4496. if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
  4497. DTLS_client_method(),
  4498. DTLS1_VERSION, 0,
  4499. &sctx, &cctx, cert, privkey)))
  4500. goto end;
  4501. #else
  4502. return 1;
  4503. #endif
  4504. }
  4505. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  4506. NULL, NULL))
  4507. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  4508. SSL_ERROR_NONE)))
  4509. goto end;
  4510. if (!TEST_int_eq(SSL_pending(clientssl), 0)
  4511. || !TEST_false(SSL_has_pending(clientssl))
  4512. || !TEST_int_eq(SSL_pending(serverssl), 0)
  4513. || !TEST_false(SSL_has_pending(serverssl))
  4514. || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
  4515. || !TEST_size_t_eq(written, sizeof(msg))
  4516. || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
  4517. || !TEST_size_t_eq(readbytes, sizeof(buf))
  4518. || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
  4519. || !TEST_true(SSL_has_pending(clientssl)))
  4520. goto end;
  4521. testresult = 1;
  4522. end:
  4523. SSL_free(serverssl);
  4524. SSL_free(clientssl);
  4525. SSL_CTX_free(sctx);
  4526. SSL_CTX_free(cctx);
  4527. return testresult;
  4528. }
  4529. static struct {
  4530. unsigned int maxprot;
  4531. const char *clntciphers;
  4532. const char *clnttls13ciphers;
  4533. const char *srvrciphers;
  4534. const char *srvrtls13ciphers;
  4535. const char *shared;
  4536. } shared_ciphers_data[] = {
  4537. /*
  4538. * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
  4539. * TLSv1.3 is enabled but TLSv1.2 is disabled.
  4540. */
  4541. #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
  4542. {
  4543. TLS1_2_VERSION,
  4544. "AES128-SHA:AES256-SHA",
  4545. NULL,
  4546. "AES256-SHA:DHE-RSA-AES128-SHA",
  4547. NULL,
  4548. "AES256-SHA"
  4549. },
  4550. {
  4551. TLS1_2_VERSION,
  4552. "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
  4553. NULL,
  4554. "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
  4555. NULL,
  4556. "AES128-SHA:AES256-SHA"
  4557. },
  4558. {
  4559. TLS1_2_VERSION,
  4560. "AES128-SHA:AES256-SHA",
  4561. NULL,
  4562. "AES128-SHA:DHE-RSA-AES128-SHA",
  4563. NULL,
  4564. "AES128-SHA"
  4565. },
  4566. #endif
  4567. /*
  4568. * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
  4569. * enabled.
  4570. */
  4571. #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
  4572. && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
  4573. {
  4574. TLS1_3_VERSION,
  4575. "AES128-SHA:AES256-SHA",
  4576. NULL,
  4577. "AES256-SHA:AES128-SHA256",
  4578. NULL,
  4579. "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
  4580. "TLS_AES_128_GCM_SHA256:AES256-SHA"
  4581. },
  4582. #endif
  4583. #ifndef OPENSSL_NO_TLS1_3
  4584. {
  4585. TLS1_3_VERSION,
  4586. "AES128-SHA",
  4587. "TLS_AES_256_GCM_SHA384",
  4588. "AES256-SHA",
  4589. "TLS_AES_256_GCM_SHA384",
  4590. "TLS_AES_256_GCM_SHA384"
  4591. },
  4592. #endif
  4593. };
  4594. static int test_ssl_get_shared_ciphers(int tst)
  4595. {
  4596. SSL_CTX *cctx = NULL, *sctx = NULL;
  4597. SSL *clientssl = NULL, *serverssl = NULL;
  4598. int testresult = 0;
  4599. char buf[1024];
  4600. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
  4601. TLS_client_method(),
  4602. TLS1_VERSION,
  4603. shared_ciphers_data[tst].maxprot,
  4604. &sctx, &cctx, cert, privkey)))
  4605. goto end;
  4606. if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
  4607. shared_ciphers_data[tst].clntciphers))
  4608. || (shared_ciphers_data[tst].clnttls13ciphers != NULL
  4609. && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
  4610. shared_ciphers_data[tst].clnttls13ciphers)))
  4611. || !TEST_true(SSL_CTX_set_cipher_list(sctx,
  4612. shared_ciphers_data[tst].srvrciphers))
  4613. || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
  4614. && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
  4615. shared_ciphers_data[tst].srvrtls13ciphers))))
  4616. goto end;
  4617. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  4618. NULL, NULL))
  4619. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  4620. SSL_ERROR_NONE)))
  4621. goto end;
  4622. if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
  4623. || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
  4624. TEST_info("Shared ciphers are: %s\n", buf);
  4625. goto end;
  4626. }
  4627. testresult = 1;
  4628. end:
  4629. SSL_free(serverssl);
  4630. SSL_free(clientssl);
  4631. SSL_CTX_free(sctx);
  4632. SSL_CTX_free(cctx);
  4633. return testresult;
  4634. }
  4635. static const char *appdata = "Hello World";
  4636. static int gen_tick_called, dec_tick_called, tick_key_cb_called;
  4637. static int tick_key_renew = 0;
  4638. static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
  4639. static int gen_tick_cb(SSL *s, void *arg)
  4640. {
  4641. gen_tick_called = 1;
  4642. return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
  4643. strlen(appdata));
  4644. }
  4645. static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
  4646. const unsigned char *keyname,
  4647. size_t keyname_length,
  4648. SSL_TICKET_STATUS status,
  4649. void *arg)
  4650. {
  4651. void *tickdata;
  4652. size_t tickdlen;
  4653. dec_tick_called = 1;
  4654. if (status == SSL_TICKET_EMPTY)
  4655. return SSL_TICKET_RETURN_IGNORE_RENEW;
  4656. if (!TEST_true(status == SSL_TICKET_SUCCESS
  4657. || status == SSL_TICKET_SUCCESS_RENEW))
  4658. return SSL_TICKET_RETURN_ABORT;
  4659. if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
  4660. &tickdlen))
  4661. || !TEST_size_t_eq(tickdlen, strlen(appdata))
  4662. || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
  4663. return SSL_TICKET_RETURN_ABORT;
  4664. if (tick_key_cb_called) {
  4665. /* Don't change what the ticket key callback wanted to do */
  4666. switch (status) {
  4667. case SSL_TICKET_NO_DECRYPT:
  4668. return SSL_TICKET_RETURN_IGNORE_RENEW;
  4669. case SSL_TICKET_SUCCESS:
  4670. return SSL_TICKET_RETURN_USE;
  4671. case SSL_TICKET_SUCCESS_RENEW:
  4672. return SSL_TICKET_RETURN_USE_RENEW;
  4673. default:
  4674. return SSL_TICKET_RETURN_ABORT;
  4675. }
  4676. }
  4677. return tick_dec_ret;
  4678. }
  4679. static int tick_key_cb(SSL *s, unsigned char key_name[16],
  4680. unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
  4681. HMAC_CTX *hctx, int enc)
  4682. {
  4683. const unsigned char tick_aes_key[16] = "0123456789abcdef";
  4684. const unsigned char tick_hmac_key[16] = "0123456789abcdef";
  4685. tick_key_cb_called = 1;
  4686. memset(iv, 0, AES_BLOCK_SIZE);
  4687. memset(key_name, 0, 16);
  4688. if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
  4689. || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
  4690. EVP_sha256(), NULL))
  4691. return -1;
  4692. return tick_key_renew ? 2 : 1;
  4693. }
  4694. /*
  4695. * Test the various ticket callbacks
  4696. * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
  4697. * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
  4698. * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
  4699. * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
  4700. * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
  4701. * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
  4702. * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
  4703. * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
  4704. * Test 8: TLSv1.2, ticket key callback, ticket, no renewal
  4705. * Test 9: TLSv1.3, ticket key callback, ticket, no renewal
  4706. * Test 10: TLSv1.2, ticket key callback, ticket, renewal
  4707. * Test 11: TLSv1.3, ticket key callback, ticket, renewal
  4708. */
  4709. static int test_ticket_callbacks(int tst)
  4710. {
  4711. SSL_CTX *cctx = NULL, *sctx = NULL;
  4712. SSL *clientssl = NULL, *serverssl = NULL;
  4713. SSL_SESSION *clntsess = NULL;
  4714. int testresult = 0;
  4715. #ifdef OPENSSL_NO_TLS1_2
  4716. if (tst % 2 == 0)
  4717. return 1;
  4718. #endif
  4719. #ifdef OPENSSL_NO_TLS1_3
  4720. if (tst % 2 == 1)
  4721. return 1;
  4722. #endif
  4723. gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
  4724. /* Which tests the ticket key callback should request renewal for */
  4725. if (tst == 10 || tst == 11)
  4726. tick_key_renew = 1;
  4727. else
  4728. tick_key_renew = 0;
  4729. /* Which tests the decrypt ticket callback should request renewal for */
  4730. switch (tst) {
  4731. case 0:
  4732. case 1:
  4733. tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
  4734. break;
  4735. case 2:
  4736. case 3:
  4737. tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
  4738. break;
  4739. case 4:
  4740. case 5:
  4741. tick_dec_ret = SSL_TICKET_RETURN_USE;
  4742. break;
  4743. case 6:
  4744. case 7:
  4745. tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
  4746. break;
  4747. default:
  4748. tick_dec_ret = SSL_TICKET_RETURN_ABORT;
  4749. }
  4750. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
  4751. TLS_client_method(),
  4752. TLS1_VERSION,
  4753. ((tst % 2) == 0) ? TLS1_2_VERSION
  4754. : TLS1_3_VERSION,
  4755. &sctx, &cctx, cert, privkey)))
  4756. goto end;
  4757. /*
  4758. * We only want sessions to resume from tickets - not the session cache. So
  4759. * switch the cache off.
  4760. */
  4761. if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
  4762. goto end;
  4763. if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
  4764. NULL)))
  4765. goto end;
  4766. if (tst >= 8
  4767. && !TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
  4768. goto end;
  4769. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  4770. NULL, NULL))
  4771. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  4772. SSL_ERROR_NONE)))
  4773. goto end;
  4774. /*
  4775. * The decrypt ticket key callback in TLSv1.2 should be called even though
  4776. * we have no ticket yet, because it gets called with a status of
  4777. * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
  4778. * actually send any ticket data). This does not happen in TLSv1.3 because
  4779. * it is not valid to send empty ticket data in TLSv1.3.
  4780. */
  4781. if (!TEST_int_eq(gen_tick_called, 1)
  4782. || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
  4783. goto end;
  4784. gen_tick_called = dec_tick_called = 0;
  4785. clntsess = SSL_get1_session(clientssl);
  4786. SSL_shutdown(clientssl);
  4787. SSL_shutdown(serverssl);
  4788. SSL_free(serverssl);
  4789. SSL_free(clientssl);
  4790. serverssl = clientssl = NULL;
  4791. /* Now do a resumption */
  4792. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
  4793. NULL))
  4794. || !TEST_true(SSL_set_session(clientssl, clntsess))
  4795. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  4796. SSL_ERROR_NONE)))
  4797. goto end;
  4798. if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
  4799. || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
  4800. if (!TEST_false(SSL_session_reused(clientssl)))
  4801. goto end;
  4802. } else {
  4803. if (!TEST_true(SSL_session_reused(clientssl)))
  4804. goto end;
  4805. }
  4806. if (!TEST_int_eq(gen_tick_called,
  4807. (tick_key_renew
  4808. || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
  4809. || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
  4810. ? 1 : 0)
  4811. || !TEST_int_eq(dec_tick_called, 1))
  4812. goto end;
  4813. testresult = 1;
  4814. end:
  4815. SSL_SESSION_free(clntsess);
  4816. SSL_free(serverssl);
  4817. SSL_free(clientssl);
  4818. SSL_CTX_free(sctx);
  4819. SSL_CTX_free(cctx);
  4820. return testresult;
  4821. }
  4822. /*
  4823. * Test bi-directional shutdown.
  4824. * Test 0: TLSv1.2
  4825. * Test 1: TLSv1.2, server continues to read/write after client shutdown
  4826. * Test 2: TLSv1.3, no pending NewSessionTicket messages
  4827. * Test 3: TLSv1.3, pending NewSessionTicket messages
  4828. * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
  4829. * sends key update, client reads it
  4830. * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
  4831. * sends CertificateRequest, client reads and ignores it
  4832. * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
  4833. * doesn't read it
  4834. */
  4835. static int test_shutdown(int tst)
  4836. {
  4837. SSL_CTX *cctx = NULL, *sctx = NULL;
  4838. SSL *clientssl = NULL, *serverssl = NULL;
  4839. int testresult = 0;
  4840. char msg[] = "A test message";
  4841. char buf[80];
  4842. size_t written, readbytes;
  4843. SSL_SESSION *sess;
  4844. #ifdef OPENSSL_NO_TLS1_2
  4845. if (tst <= 1)
  4846. return 1;
  4847. #endif
  4848. #ifdef OPENSSL_NO_TLS1_3
  4849. if (tst >= 2)
  4850. return 1;
  4851. #endif
  4852. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
  4853. TLS_client_method(),
  4854. TLS1_VERSION,
  4855. (tst <= 1) ? TLS1_2_VERSION
  4856. : TLS1_3_VERSION,
  4857. &sctx, &cctx, cert, privkey)))
  4858. goto end;
  4859. if (tst == 5)
  4860. SSL_CTX_set_post_handshake_auth(cctx, 1);
  4861. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  4862. NULL, NULL)))
  4863. goto end;
  4864. if (tst == 3) {
  4865. if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
  4866. SSL_ERROR_NONE, 1))
  4867. || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
  4868. || !TEST_false(SSL_SESSION_is_resumable(sess)))
  4869. goto end;
  4870. } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
  4871. SSL_ERROR_NONE))
  4872. || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
  4873. || !TEST_true(SSL_SESSION_is_resumable(sess))) {
  4874. goto end;
  4875. }
  4876. if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
  4877. goto end;
  4878. if (tst >= 4) {
  4879. /*
  4880. * Reading on the server after the client has sent close_notify should
  4881. * fail and provide SSL_ERROR_ZERO_RETURN
  4882. */
  4883. if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
  4884. || !TEST_int_eq(SSL_get_error(serverssl, 0),
  4885. SSL_ERROR_ZERO_RETURN)
  4886. || !TEST_int_eq(SSL_get_shutdown(serverssl),
  4887. SSL_RECEIVED_SHUTDOWN)
  4888. /*
  4889. * Even though we're shutdown on receive we should still be
  4890. * able to write.
  4891. */
  4892. || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
  4893. goto end;
  4894. if (tst == 4
  4895. && !TEST_true(SSL_key_update(serverssl,
  4896. SSL_KEY_UPDATE_REQUESTED)))
  4897. goto end;
  4898. if (tst == 5) {
  4899. SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
  4900. if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
  4901. goto end;
  4902. }
  4903. if ((tst == 4 || tst == 5)
  4904. && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
  4905. goto end;
  4906. if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
  4907. goto end;
  4908. if (tst == 4 || tst == 5) {
  4909. /* Should still be able to read data from server */
  4910. if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
  4911. &readbytes))
  4912. || !TEST_size_t_eq(readbytes, sizeof(msg))
  4913. || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
  4914. || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
  4915. &readbytes))
  4916. || !TEST_size_t_eq(readbytes, sizeof(msg))
  4917. || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
  4918. goto end;
  4919. }
  4920. }
  4921. /* Writing on the client after sending close_notify shouldn't be possible */
  4922. if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
  4923. goto end;
  4924. if (tst < 4) {
  4925. /*
  4926. * For these tests the client has sent close_notify but it has not yet
  4927. * been received by the server. The server has not sent close_notify
  4928. * yet.
  4929. */
  4930. if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
  4931. /*
  4932. * Writing on the server after sending close_notify shouldn't
  4933. * be possible.
  4934. */
  4935. || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
  4936. || !TEST_int_eq(SSL_shutdown(clientssl), 1)
  4937. || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
  4938. || !TEST_true(SSL_SESSION_is_resumable(sess))
  4939. || !TEST_int_eq(SSL_shutdown(serverssl), 1))
  4940. goto end;
  4941. } else if (tst == 4 || tst == 5) {
  4942. /*
  4943. * In this test the client has sent close_notify and it has been
  4944. * received by the server which has responded with a close_notify. The
  4945. * client needs to read the close_notify sent by the server.
  4946. */
  4947. if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
  4948. || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
  4949. || !TEST_true(SSL_SESSION_is_resumable(sess)))
  4950. goto end;
  4951. } else {
  4952. /*
  4953. * tst == 6
  4954. *
  4955. * The client has sent close_notify and is expecting a close_notify
  4956. * back, but instead there is application data first. The shutdown
  4957. * should fail with a fatal error.
  4958. */
  4959. if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
  4960. || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
  4961. goto end;
  4962. }
  4963. testresult = 1;
  4964. end:
  4965. SSL_free(serverssl);
  4966. SSL_free(clientssl);
  4967. SSL_CTX_free(sctx);
  4968. SSL_CTX_free(cctx);
  4969. return testresult;
  4970. }
  4971. #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
  4972. static int cert_cb_cnt;
  4973. static int cert_cb(SSL *s, void *arg)
  4974. {
  4975. SSL_CTX *ctx = (SSL_CTX *)arg;
  4976. if (cert_cb_cnt == 0) {
  4977. /* Suspend the handshake */
  4978. cert_cb_cnt++;
  4979. return -1;
  4980. } else if (cert_cb_cnt == 1) {
  4981. /*
  4982. * Update the SSL_CTX, set the certificate and private key and then
  4983. * continue the handshake normally.
  4984. */
  4985. if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
  4986. return 0;
  4987. if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
  4988. || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
  4989. SSL_FILETYPE_PEM))
  4990. || !TEST_true(SSL_check_private_key(s)))
  4991. return 0;
  4992. cert_cb_cnt++;
  4993. return 1;
  4994. }
  4995. /* Abort the handshake */
  4996. return 0;
  4997. }
  4998. /*
  4999. * Test the certificate callback.
  5000. * Test 0: Callback fails
  5001. * Test 1: Success - no SSL_set_SSL_CTX() in the callback
  5002. * Test 2: Success - SSL_set_SSL_CTX() in the callback
  5003. */
  5004. static int test_cert_cb_int(int prot, int tst)
  5005. {
  5006. SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
  5007. SSL *clientssl = NULL, *serverssl = NULL;
  5008. int testresult = 0, ret;
  5009. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
  5010. TLS_client_method(),
  5011. TLS1_VERSION,
  5012. prot,
  5013. &sctx, &cctx, NULL, NULL)))
  5014. goto end;
  5015. if (tst == 0)
  5016. cert_cb_cnt = -1;
  5017. else
  5018. cert_cb_cnt = 0;
  5019. if (tst == 2)
  5020. snictx = SSL_CTX_new(TLS_server_method());
  5021. SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
  5022. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  5023. NULL, NULL)))
  5024. goto end;
  5025. ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
  5026. if (!TEST_true(tst == 0 ? !ret : ret)
  5027. || (tst > 0 && !TEST_int_eq(cert_cb_cnt, 2))) {
  5028. goto end;
  5029. }
  5030. testresult = 1;
  5031. end:
  5032. SSL_free(serverssl);
  5033. SSL_free(clientssl);
  5034. SSL_CTX_free(sctx);
  5035. SSL_CTX_free(cctx);
  5036. SSL_CTX_free(snictx);
  5037. return testresult;
  5038. }
  5039. #endif
  5040. static int test_cert_cb(int tst)
  5041. {
  5042. int testresult = 1;
  5043. #ifndef OPENSSL_NO_TLS1_2
  5044. testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
  5045. #endif
  5046. #ifndef OPENSSL_NO_TLS1_3
  5047. testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
  5048. #endif
  5049. return testresult;
  5050. }
  5051. static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
  5052. {
  5053. X509 *xcert, *peer;
  5054. EVP_PKEY *privpkey;
  5055. BIO *in = NULL;
  5056. /* Check that SSL_get_peer_certificate() returns something sensible */
  5057. peer = SSL_get_peer_certificate(ssl);
  5058. if (!TEST_ptr(peer))
  5059. return 0;
  5060. X509_free(peer);
  5061. in = BIO_new_file(cert, "r");
  5062. if (!TEST_ptr(in))
  5063. return 0;
  5064. xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
  5065. BIO_free(in);
  5066. if (!TEST_ptr(xcert))
  5067. return 0;
  5068. in = BIO_new_file(privkey, "r");
  5069. if (!TEST_ptr(in)) {
  5070. X509_free(xcert);
  5071. return 0;
  5072. }
  5073. privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
  5074. BIO_free(in);
  5075. if (!TEST_ptr(privpkey)) {
  5076. X509_free(xcert);
  5077. return 0;
  5078. }
  5079. *x509 = xcert;
  5080. *pkey = privpkey;
  5081. return 1;
  5082. }
  5083. static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
  5084. {
  5085. return 1;
  5086. }
  5087. static int test_client_cert_cb(int tst)
  5088. {
  5089. SSL_CTX *cctx = NULL, *sctx = NULL;
  5090. SSL *clientssl = NULL, *serverssl = NULL;
  5091. int testresult = 0;
  5092. #ifdef OPENSSL_NO_TLS1_2
  5093. if (tst == 0)
  5094. return 1;
  5095. #endif
  5096. #ifdef OPENSSL_NO_TLS1_3
  5097. if (tst == 1)
  5098. return 1;
  5099. #endif
  5100. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
  5101. TLS_client_method(),
  5102. TLS1_VERSION,
  5103. tst == 0 ? TLS1_2_VERSION
  5104. : TLS1_3_VERSION,
  5105. &sctx, &cctx, cert, privkey)))
  5106. goto end;
  5107. /*
  5108. * Test that setting a client_cert_cb results in a client certificate being
  5109. * sent.
  5110. */
  5111. SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
  5112. SSL_CTX_set_verify(sctx,
  5113. SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
  5114. verify_cb);
  5115. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  5116. NULL, NULL))
  5117. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  5118. SSL_ERROR_NONE)))
  5119. goto end;
  5120. testresult = 1;
  5121. end:
  5122. SSL_free(serverssl);
  5123. SSL_free(clientssl);
  5124. SSL_CTX_free(sctx);
  5125. SSL_CTX_free(cctx);
  5126. return testresult;
  5127. }
  5128. #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
  5129. /*
  5130. * Test setting certificate authorities on both client and server.
  5131. *
  5132. * Test 0: SSL_CTX_set0_CA_list() only
  5133. * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
  5134. * Test 2: Only SSL_CTX_set_client_CA_list()
  5135. */
  5136. static int test_ca_names_int(int prot, int tst)
  5137. {
  5138. SSL_CTX *cctx = NULL, *sctx = NULL;
  5139. SSL *clientssl = NULL, *serverssl = NULL;
  5140. int testresult = 0;
  5141. size_t i;
  5142. X509_NAME *name[] = { NULL, NULL, NULL, NULL };
  5143. char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
  5144. STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
  5145. const STACK_OF(X509_NAME) *sktmp = NULL;
  5146. for (i = 0; i < OSSL_NELEM(name); i++) {
  5147. name[i] = X509_NAME_new();
  5148. if (!TEST_ptr(name[i])
  5149. || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
  5150. MBSTRING_ASC,
  5151. (unsigned char *)
  5152. strnames[i],
  5153. -1, -1, 0)))
  5154. goto end;
  5155. }
  5156. if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
  5157. TLS_client_method(),
  5158. TLS1_VERSION,
  5159. prot,
  5160. &sctx, &cctx, cert, privkey)))
  5161. goto end;
  5162. SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
  5163. if (tst == 0 || tst == 1) {
  5164. if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
  5165. || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
  5166. || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
  5167. || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
  5168. || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
  5169. || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
  5170. goto end;
  5171. SSL_CTX_set0_CA_list(sctx, sk1);
  5172. SSL_CTX_set0_CA_list(cctx, sk2);
  5173. sk1 = sk2 = NULL;
  5174. }
  5175. if (tst == 1 || tst == 2) {
  5176. if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
  5177. || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
  5178. || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
  5179. || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
  5180. || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
  5181. || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
  5182. goto end;
  5183. SSL_CTX_set_client_CA_list(sctx, sk1);
  5184. SSL_CTX_set_client_CA_list(cctx, sk2);
  5185. sk1 = sk2 = NULL;
  5186. }
  5187. if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
  5188. NULL, NULL))
  5189. || !TEST_true(create_ssl_connection(serverssl, clientssl,
  5190. SSL_ERROR_NONE)))
  5191. goto end;
  5192. /*
  5193. * We only expect certificate authorities to have been sent to the server
  5194. * if we are using TLSv1.3 and SSL_set0_CA_list() was used
  5195. */
  5196. sktmp = SSL_get0_peer_CA_list(serverssl);
  5197. if (prot == TLS1_3_VERSION
  5198. && (tst == 0 || tst == 1)) {
  5199. if (!TEST_ptr(sktmp)
  5200. || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
  5201. || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
  5202. name[0]), 0)
  5203. || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
  5204. name[1]), 0))
  5205. goto end;
  5206. } else if (!TEST_ptr_null(sktmp)) {
  5207. goto end;
  5208. }
  5209. /*
  5210. * In all tests we expect certificate authorities to have been sent to the
  5211. * client. However, SSL_set_client_CA_list() should override
  5212. * SSL_set0_CA_list()
  5213. */
  5214. sktmp = SSL_get0_peer_CA_list(clientssl);
  5215. if (!TEST_ptr(sktmp)
  5216. || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
  5217. || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
  5218. name[tst == 0 ? 0 : 2]), 0)
  5219. || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
  5220. name[tst == 0 ? 1 : 3]), 0))
  5221. goto end;
  5222. testresult = 1;
  5223. end:
  5224. SSL_free(serverssl);
  5225. SSL_free(clientssl);
  5226. SSL_CTX_free(sctx);
  5227. SSL_CTX_free(cctx);
  5228. for (i = 0; i < OSSL_NELEM(name); i++)
  5229. X509_NAME_free(name[i]);
  5230. sk_X509_NAME_pop_free(sk1, X509_NAME_free);
  5231. sk_X509_NAME_pop_free(sk2, X509_NAME_free);
  5232. return testresult;
  5233. }
  5234. #endif
  5235. static int test_ca_names(int tst)
  5236. {
  5237. int testresult = 1;
  5238. #ifndef OPENSSL_NO_TLS1_2
  5239. testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
  5240. #endif
  5241. #ifndef OPENSSL_NO_TLS1_3
  5242. testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
  5243. #endif
  5244. return testresult;
  5245. }
  5246. OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile\n")
  5247. int setup_tests(void)
  5248. {
  5249. if (!TEST_ptr(cert = test_get_argument(0))
  5250. || !TEST_ptr(privkey = test_get_argument(1))
  5251. || !TEST_ptr(srpvfile = test_get_argument(2))
  5252. || !TEST_ptr(tmpfilename = test_get_argument(3)))
  5253. return 0;
  5254. if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
  5255. #ifdef OPENSSL_NO_CRYPTO_MDEBUG
  5256. TEST_error("not supported in this build");
  5257. return 0;
  5258. #else
  5259. int i, mcount, rcount, fcount;
  5260. for (i = 0; i < 4; i++)
  5261. test_export_key_mat(i);
  5262. CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
  5263. test_printf_stdout("malloc %d realloc %d free %d\n",
  5264. mcount, rcount, fcount);
  5265. return 1;
  5266. #endif
  5267. }
  5268. #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
  5269. && !defined(OPENSSL_NO_SOCK)
  5270. ADD_TEST(test_ktls_client_server);
  5271. ADD_TEST(test_ktls_no_client_server);
  5272. ADD_TEST(test_ktls_client_no_server);
  5273. ADD_TEST(test_ktls_no_client_no_server);
  5274. #endif
  5275. ADD_TEST(test_large_message_tls);
  5276. ADD_TEST(test_large_message_tls_read_ahead);
  5277. #ifndef OPENSSL_NO_DTLS
  5278. ADD_TEST(test_large_message_dtls);
  5279. #endif
  5280. #ifndef OPENSSL_NO_OCSP
  5281. ADD_TEST(test_tlsext_status_type);
  5282. #endif
  5283. ADD_TEST(test_session_with_only_int_cache);
  5284. ADD_TEST(test_session_with_only_ext_cache);
  5285. ADD_TEST(test_session_with_both_cache);
  5286. #ifndef OPENSSL_NO_TLS1_3
  5287. ADD_ALL_TESTS(test_stateful_tickets, 3);
  5288. ADD_ALL_TESTS(test_stateless_tickets, 3);
  5289. ADD_TEST(test_psk_tickets);
  5290. #endif
  5291. ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
  5292. ADD_TEST(test_ssl_bio_pop_next_bio);
  5293. ADD_TEST(test_ssl_bio_pop_ssl_bio);
  5294. ADD_TEST(test_ssl_bio_change_rbio);
  5295. ADD_TEST(test_ssl_bio_change_wbio);
  5296. #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
  5297. ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
  5298. ADD_TEST(test_keylog);
  5299. #endif
  5300. #ifndef OPENSSL_NO_TLS1_3
  5301. ADD_TEST(test_keylog_no_master_key);
  5302. #endif
  5303. #ifndef OPENSSL_NO_TLS1_2
  5304. ADD_TEST(test_client_hello_cb);
  5305. ADD_TEST(test_no_ems);
  5306. #endif
  5307. #ifndef OPENSSL_NO_TLS1_3
  5308. ADD_ALL_TESTS(test_early_data_read_write, 3);
  5309. /*
  5310. * We don't do replay tests for external PSK. Replay protection isn't used
  5311. * in that scenario.
  5312. */
  5313. ADD_ALL_TESTS(test_early_data_replay, 2);
  5314. ADD_ALL_TESTS(test_early_data_skip, 3);
  5315. ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
  5316. ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
  5317. ADD_ALL_TESTS(test_early_data_skip_abort, 3);
  5318. ADD_ALL_TESTS(test_early_data_not_sent, 3);
  5319. ADD_ALL_TESTS(test_early_data_psk, 8);
  5320. ADD_ALL_TESTS(test_early_data_not_expected, 3);
  5321. # ifndef OPENSSL_NO_TLS1_2
  5322. ADD_ALL_TESTS(test_early_data_tls1_2, 3);
  5323. # endif
  5324. #endif
  5325. #ifndef OPENSSL_NO_TLS1_3
  5326. ADD_ALL_TESTS(test_set_ciphersuite, 10);
  5327. ADD_TEST(test_ciphersuite_change);
  5328. #ifdef OPENSSL_NO_PSK
  5329. ADD_ALL_TESTS(test_tls13_psk, 1);
  5330. #else
  5331. ADD_ALL_TESTS(test_tls13_psk, 4);
  5332. #endif /* OPENSSL_NO_PSK */
  5333. ADD_ALL_TESTS(test_custom_exts, 5);
  5334. ADD_TEST(test_stateless);
  5335. ADD_TEST(test_pha_key_update);
  5336. #else
  5337. ADD_ALL_TESTS(test_custom_exts, 3);
  5338. #endif
  5339. ADD_ALL_TESTS(test_serverinfo, 8);
  5340. ADD_ALL_TESTS(test_export_key_mat, 6);
  5341. #ifndef OPENSSL_NO_TLS1_3
  5342. ADD_ALL_TESTS(test_export_key_mat_early, 3);
  5343. #endif
  5344. ADD_ALL_TESTS(test_ssl_clear, 2);
  5345. ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
  5346. #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
  5347. ADD_ALL_TESTS(test_srp, 6);
  5348. #endif
  5349. ADD_ALL_TESTS(test_info_callback, 6);
  5350. ADD_ALL_TESTS(test_ssl_pending, 2);
  5351. ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
  5352. ADD_ALL_TESTS(test_ticket_callbacks, 12);
  5353. ADD_ALL_TESTS(test_shutdown, 7);
  5354. ADD_ALL_TESTS(test_cert_cb, 3);
  5355. ADD_ALL_TESTS(test_client_cert_cb, 2);
  5356. ADD_ALL_TESTS(test_ca_names, 3);
  5357. return 1;
  5358. }
  5359. void cleanup_tests(void)
  5360. {
  5361. bio_s_mempacket_test_free();
  5362. }