VirtualBox

source: vbox/trunk/src/libs/openssl-3.4.1/test/sslapitest.c

Last change on this file was 109052, checked in by vboxsync, 4 weeks ago

openssl-3.4.1: Applied our changes, regenerated files, added missing files and functions. This time with a three way merge. ​bugref:10890
  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 420.0 KB
Line 
1/*
2 * Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10/*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14#ifndef OPENSSL_NO_DEPRECATED_3_0
15# define OPENSSL_SUPPRESS_DEPRECATED
16#endif
17
18#include <stdio.h>
19#include <string.h>
20
21#include <openssl/opensslconf.h>
22#include <openssl/bio.h>
23#include <openssl/crypto.h>
24#include <openssl/ssl.h>
25#include <openssl/ocsp.h>
26#include <openssl/srp.h>
27#include <openssl/txt_db.h>
28#include <openssl/aes.h>
29#include <openssl/rand.h>
30#include <openssl/core_names.h>
31#include <openssl/core_dispatch.h>
32#include <openssl/provider.h>
33#include <openssl/param_build.h>
34#include <openssl/x509v3.h>
35#include <openssl/dh.h>
36#include <openssl/engine.h>
37
38#include "helpers/ssltestlib.h"
39#include "testutil.h"
40#include "testutil/output.h"
41#include "internal/nelem.h"
42#include "internal/tlsgroups.h"
43#include "internal/ktls.h"
44#include "../ssl/ssl_local.h"
45#include "../ssl/record/methods/recmethod_local.h"
46#include "filterprov.h"
47
48#undef OSSL_NO_USABLE_TLS1_3
49#if defined(OPENSSL_NO_TLS1_3) \
50 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
51/*
52 * If we don't have ec or dh then there are no built-in groups that are usable
53 * with TLSv1.3
54 */
55# define OSSL_NO_USABLE_TLS1_3
56#endif
57
58/* Defined in tls-provider.c */
59int tls_provider_init(const OSSL_CORE_HANDLE *handle,
60 const OSSL_DISPATCH *in,
61 const OSSL_DISPATCH **out,
62 void **provctx);
63
64static OSSL_LIB_CTX *libctx = NULL;
65static OSSL_PROVIDER *defctxnull = NULL;
66
67#ifndef OSSL_NO_USABLE_TLS1_3
68
69static SSL_SESSION *clientpsk = NULL;
70static SSL_SESSION *serverpsk = NULL;
71static const char *pskid = "Identity";
72static const char *srvid;
73
74static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
75 size_t *idlen, SSL_SESSION **sess);
76static int find_session_cb(SSL *ssl, const unsigned char *identity,
77 size_t identity_len, SSL_SESSION **sess);
78
79static int use_session_cb_cnt = 0;
80static int find_session_cb_cnt = 0;
81#endif
82
83static char *certsdir = NULL;
84static char *cert = NULL;
85static char *privkey = NULL;
86static char *cert2 = NULL;
87static char *privkey2 = NULL;
88static char *cert1024 = NULL;
89static char *privkey1024 = NULL;
90static char *cert3072 = NULL;
91static char *privkey3072 = NULL;
92static char *cert4096 = NULL;
93static char *privkey4096 = NULL;
94static char *cert8192 = NULL;
95static char *privkey8192 = NULL;
96static char *srpvfile = NULL;
97static char *tmpfilename = NULL;
98static char *dhfile = NULL;
99
100static int is_fips = 0;
101static int fips_ems_check = 0;
102
103#define LOG_BUFFER_SIZE 2048
104static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
105static size_t server_log_buffer_index = 0;
106static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
107static size_t client_log_buffer_index = 0;
108static int error_writing_log = 0;
109
110#ifndef OPENSSL_NO_OCSP
111static const unsigned char orespder[] = "Dummy OCSP Response";
112static int ocsp_server_called = 0;
113static int ocsp_client_called = 0;
114
115static int cdummyarg = 1;
116static X509 *ocspcert = NULL;
117#endif
118
119#define CLIENT_VERSION_LEN 2
120
121/*
122 * This structure is used to validate that the correct number of log messages
123 * of various types are emitted when emitting secret logs.
124 */
125struct sslapitest_log_counts {
126 unsigned int rsa_key_exchange_count;
127 unsigned int master_secret_count;
128 unsigned int client_early_secret_count;
129 unsigned int client_handshake_secret_count;
130 unsigned int server_handshake_secret_count;
131 unsigned int client_application_secret_count;
132 unsigned int server_application_secret_count;
133 unsigned int early_exporter_secret_count;
134 unsigned int exporter_secret_count;
135};
136
137
138static int hostname_cb(SSL *s, int *al, void *arg)
139{
140 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
141
142 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
143 || strcmp(hostname, "altgoodhost") == 0))
144 return SSL_TLSEXT_ERR_OK;
145
146 return SSL_TLSEXT_ERR_NOACK;
147}
148
149static void client_keylog_callback(const SSL *ssl, const char *line)
150{
151 int line_length = strlen(line);
152
153 /* If the log doesn't fit, error out. */
154 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
155 TEST_info("Client log too full");
156 error_writing_log = 1;
157 return;
158 }
159
160 strcat(client_log_buffer, line);
161 client_log_buffer_index += line_length;
162 client_log_buffer[client_log_buffer_index++] = '\n';
163}
164
165static void server_keylog_callback(const SSL *ssl, const char *line)
166{
167 int line_length = strlen(line);
168
169 /* If the log doesn't fit, error out. */
170 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
171 TEST_info("Server log too full");
172 error_writing_log = 1;
173 return;
174 }
175
176 strcat(server_log_buffer, line);
177 server_log_buffer_index += line_length;
178 server_log_buffer[server_log_buffer_index++] = '\n';
179}
180
181static int compare_hex_encoded_buffer(const char *hex_encoded,
182 size_t hex_length,
183 const uint8_t *raw,
184 size_t raw_length)
185{
186 size_t i, j;
187 char hexed[3];
188
189 if (!TEST_size_t_eq(raw_length * 2, hex_length))
190 return 1;
191
192 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
193 BIO_snprintf(hexed, sizeof(hexed), "%02x", raw[i]);
194 if (!TEST_int_eq(hexed[0], hex_encoded[j])
195 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
196 return 1;
197 }
198
199 return 0;
200}
201
202static int test_keylog_output(char *buffer, const SSL *ssl,
203 const SSL_SESSION *session,
204 struct sslapitest_log_counts *expected)
205{
206 char *token = NULL;
207 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
208 size_t client_random_size = SSL3_RANDOM_SIZE;
209 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
210 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
211 unsigned int rsa_key_exchange_count = 0;
212 unsigned int master_secret_count = 0;
213 unsigned int client_early_secret_count = 0;
214 unsigned int client_handshake_secret_count = 0;
215 unsigned int server_handshake_secret_count = 0;
216 unsigned int client_application_secret_count = 0;
217 unsigned int server_application_secret_count = 0;
218 unsigned int early_exporter_secret_count = 0;
219 unsigned int exporter_secret_count = 0;
220
221 for (token = strtok(buffer, " \n"); token != NULL;
222 token = strtok(NULL, " \n")) {
223 if (strcmp(token, "RSA") == 0) {
224 /*
225 * Premaster secret. Tokens should be: 16 ASCII bytes of
226 * hex-encoded encrypted secret, then the hex-encoded pre-master
227 * secret.
228 */
229 if (!TEST_ptr(token = strtok(NULL, " \n")))
230 return 0;
231 if (!TEST_size_t_eq(strlen(token), 16))
232 return 0;
233 if (!TEST_ptr(token = strtok(NULL, " \n")))
234 return 0;
235 /*
236 * We can't sensibly check the log because the premaster secret is
237 * transient, and OpenSSL doesn't keep hold of it once the master
238 * secret is generated.
239 */
240 rsa_key_exchange_count++;
241 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
242 /*
243 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
244 * client random, then the hex-encoded master secret.
245 */
246 client_random_size = SSL_get_client_random(ssl,
247 actual_client_random,
248 SSL3_RANDOM_SIZE);
249 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
250 return 0;
251
252 if (!TEST_ptr(token = strtok(NULL, " \n")))
253 return 0;
254 if (!TEST_size_t_eq(strlen(token), 64))
255 return 0;
256 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
257 actual_client_random,
258 client_random_size)))
259 return 0;
260
261 if (!TEST_ptr(token = strtok(NULL, " \n")))
262 return 0;
263 master_key_size = SSL_SESSION_get_master_key(session,
264 actual_master_key,
265 master_key_size);
266 if (!TEST_size_t_ne(master_key_size, 0))
267 return 0;
268 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
269 actual_master_key,
270 master_key_size)))
271 return 0;
272 master_secret_count++;
273 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
274 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
275 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
276 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
277 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
278 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
279 || strcmp(token, "EXPORTER_SECRET") == 0) {
280 /*
281 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
282 * client random, and then the hex-encoded secret. In this case,
283 * we treat all of these secrets identically and then just
284 * distinguish between them when counting what we saw.
285 */
286 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
287 client_early_secret_count++;
288 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
289 client_handshake_secret_count++;
290 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
291 server_handshake_secret_count++;
292 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
293 client_application_secret_count++;
294 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
295 server_application_secret_count++;
296 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
297 early_exporter_secret_count++;
298 else if (strcmp(token, "EXPORTER_SECRET") == 0)
299 exporter_secret_count++;
300
301 client_random_size = SSL_get_client_random(ssl,
302 actual_client_random,
303 SSL3_RANDOM_SIZE);
304 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
305 return 0;
306
307 if (!TEST_ptr(token = strtok(NULL, " \n")))
308 return 0;
309 if (!TEST_size_t_eq(strlen(token), 64))
310 return 0;
311 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
312 actual_client_random,
313 client_random_size)))
314 return 0;
315
316 if (!TEST_ptr(token = strtok(NULL, " \n")))
317 return 0;
318 } else {
319 TEST_info("Unexpected token %s\n", token);
320 return 0;
321 }
322 }
323
324 /* Got what we expected? */
325 if (!TEST_size_t_eq(rsa_key_exchange_count,
326 expected->rsa_key_exchange_count)
327 || !TEST_size_t_eq(master_secret_count,
328 expected->master_secret_count)
329 || !TEST_size_t_eq(client_early_secret_count,
330 expected->client_early_secret_count)
331 || !TEST_size_t_eq(client_handshake_secret_count,
332 expected->client_handshake_secret_count)
333 || !TEST_size_t_eq(server_handshake_secret_count,
334 expected->server_handshake_secret_count)
335 || !TEST_size_t_eq(client_application_secret_count,
336 expected->client_application_secret_count)
337 || !TEST_size_t_eq(server_application_secret_count,
338 expected->server_application_secret_count)
339 || !TEST_size_t_eq(early_exporter_secret_count,
340 expected->early_exporter_secret_count)
341 || !TEST_size_t_eq(exporter_secret_count,
342 expected->exporter_secret_count))
343 return 0;
344 return 1;
345}
346
347#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
348static int test_keylog(void)
349{
350 SSL_CTX *cctx = NULL, *sctx = NULL;
351 SSL *clientssl = NULL, *serverssl = NULL;
352 int testresult = 0;
353 struct sslapitest_log_counts expected;
354
355 /* Clean up logging space */
356 memset(&expected, 0, sizeof(expected));
357 memset(client_log_buffer, 0, sizeof(client_log_buffer));
358 memset(server_log_buffer, 0, sizeof(server_log_buffer));
359 client_log_buffer_index = 0;
360 server_log_buffer_index = 0;
361 error_writing_log = 0;
362
363 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
364 TLS_client_method(),
365 TLS1_VERSION, 0,
366 &sctx, &cctx, cert, privkey)))
367 return 0;
368
369 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
370 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
371 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
372
373 /* We also want to ensure that we use RSA-based key exchange. */
374 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
375 goto end;
376
377 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
378 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
379 goto end;
380 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
381 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
382 == client_keylog_callback))
383 goto end;
384 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
385 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
386 == server_keylog_callback))
387 goto end;
388
389 /* Now do a handshake and check that the logs have been written to. */
390 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
391 &clientssl, NULL, NULL))
392 || !TEST_true(create_ssl_connection(serverssl, clientssl,
393 SSL_ERROR_NONE))
394 || !TEST_false(error_writing_log)
395 || !TEST_int_gt(client_log_buffer_index, 0)
396 || !TEST_int_gt(server_log_buffer_index, 0))
397 goto end;
398
399 /*
400 * Now we want to test that our output data was vaguely sensible. We
401 * do that by using strtok and confirming that we have more or less the
402 * data we expect. For both client and server, we expect to see one master
403 * secret. The client should also see an RSA key exchange.
404 */
405 expected.rsa_key_exchange_count = 1;
406 expected.master_secret_count = 1;
407 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
408 SSL_get_session(clientssl), &expected)))
409 goto end;
410
411 expected.rsa_key_exchange_count = 0;
412 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
413 SSL_get_session(serverssl), &expected)))
414 goto end;
415
416 testresult = 1;
417
418end:
419 SSL_free(serverssl);
420 SSL_free(clientssl);
421 SSL_CTX_free(sctx);
422 SSL_CTX_free(cctx);
423
424 return testresult;
425}
426#endif
427
428#ifndef OSSL_NO_USABLE_TLS1_3
429static int test_keylog_no_master_key(void)
430{
431 SSL_CTX *cctx = NULL, *sctx = NULL;
432 SSL *clientssl = NULL, *serverssl = NULL;
433 SSL_SESSION *sess = NULL;
434 int testresult = 0;
435 struct sslapitest_log_counts expected;
436 unsigned char buf[1];
437 size_t readbytes, written;
438
439 /* Clean up logging space */
440 memset(&expected, 0, sizeof(expected));
441 memset(client_log_buffer, 0, sizeof(client_log_buffer));
442 memset(server_log_buffer, 0, sizeof(server_log_buffer));
443 client_log_buffer_index = 0;
444 server_log_buffer_index = 0;
445 error_writing_log = 0;
446
447 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
448 TLS_client_method(), TLS1_VERSION, 0,
449 &sctx, &cctx, cert, privkey))
450 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
451 SSL3_RT_MAX_PLAIN_LENGTH)))
452 return 0;
453
454 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
455 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
456 goto end;
457
458 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
459 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
460 == client_keylog_callback))
461 goto end;
462
463 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
464 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
465 == server_keylog_callback))
466 goto end;
467
468 /* Now do a handshake and check that the logs have been written to. */
469 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
470 &clientssl, NULL, NULL))
471 || !TEST_true(create_ssl_connection(serverssl, clientssl,
472 SSL_ERROR_NONE))
473 || !TEST_false(error_writing_log))
474 goto end;
475
476 /*
477 * Now we want to test that our output data was vaguely sensible. For this
478 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
479 * TLSv1.3, but we do expect both client and server to emit keys.
480 */
481 expected.client_handshake_secret_count = 1;
482 expected.server_handshake_secret_count = 1;
483 expected.client_application_secret_count = 1;
484 expected.server_application_secret_count = 1;
485 expected.exporter_secret_count = 1;
486 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
487 SSL_get_session(clientssl), &expected))
488 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
489 SSL_get_session(serverssl),
490 &expected)))
491 goto end;
492
493 /* Terminate old session and resume with early data. */
494 sess = SSL_get1_session(clientssl);
495 SSL_shutdown(clientssl);
496 SSL_shutdown(serverssl);
497 SSL_free(serverssl);
498 SSL_free(clientssl);
499 serverssl = clientssl = NULL;
500
501 /* Reset key log */
502 memset(client_log_buffer, 0, sizeof(client_log_buffer));
503 memset(server_log_buffer, 0, sizeof(server_log_buffer));
504 client_log_buffer_index = 0;
505 server_log_buffer_index = 0;
506
507 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
508 &clientssl, NULL, NULL))
509 || !TEST_true(SSL_set_session(clientssl, sess))
510 /* Here writing 0 length early data is enough. */
511 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
512 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
513 &readbytes),
514 SSL_READ_EARLY_DATA_ERROR)
515 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
516 SSL_EARLY_DATA_ACCEPTED)
517 || !TEST_true(create_ssl_connection(serverssl, clientssl,
518 SSL_ERROR_NONE))
519 || !TEST_true(SSL_session_reused(clientssl)))
520 goto end;
521
522 /* In addition to the previous entries, expect early secrets. */
523 expected.client_early_secret_count = 1;
524 expected.early_exporter_secret_count = 1;
525 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
526 SSL_get_session(clientssl), &expected))
527 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
528 SSL_get_session(serverssl),
529 &expected)))
530 goto end;
531
532 testresult = 1;
533
534end:
535 SSL_SESSION_free(sess);
536 SSL_free(serverssl);
537 SSL_free(clientssl);
538 SSL_CTX_free(sctx);
539 SSL_CTX_free(cctx);
540
541 return testresult;
542}
543#endif
544
545static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
546{
547 int res = X509_verify_cert(ctx);
548 int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
549 SSL *ssl;
550
551 /* this should not happen but check anyway */
552 if (idx < 0
553 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL)
554 return 0;
555
556 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
557 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
558 /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
559 return SSL_set_retry_verify(ssl);
560
561 return res;
562}
563
564static int test_client_cert_verify_cb(void)
565{
566 /* server key, cert, chain, and root */
567 char *skey = test_mk_file_path(certsdir, "leaf.key");
568 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
569 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
570 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
571 char *root = test_mk_file_path(certsdir, "rootCA.pem");
572 X509 *crt1 = NULL, *crt2 = NULL;
573 STACK_OF(X509) *server_chain;
574 SSL_CTX *cctx = NULL, *sctx = NULL;
575 SSL *clientssl = NULL, *serverssl = NULL;
576 int testresult = 0;
577
578 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
579 TLS_client_method(), TLS1_VERSION, 0,
580 &sctx, &cctx, NULL, NULL)))
581 goto end;
582 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
583 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
584 SSL_FILETYPE_PEM), 1)
585 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
586 goto end;
587 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
588 goto end;
589 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
590 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
591 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
592 &clientssl, NULL, NULL)))
593 goto end;
594
595 /* attempt SSL_connect() with incomplete server chain */
596 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
597 SSL_ERROR_WANT_RETRY_VERIFY)))
598 goto end;
599
600 /* application provides intermediate certs needed to verify server cert */
601 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
602 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
603 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
604 goto end;
605 /* add certs in reverse order to demonstrate real chain building */
606 if (!TEST_true(sk_X509_push(server_chain, crt1)))
607 goto end;
608 crt1 = NULL;
609 if (!TEST_true(sk_X509_push(server_chain, crt2)))
610 goto end;
611 crt2 = NULL;
612
613 /* continue SSL_connect(), must now succeed with completed server chain */
614 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
615 SSL_ERROR_NONE)))
616 goto end;
617
618 testresult = 1;
619
620end:
621 X509_free(crt1);
622 X509_free(crt2);
623 if (clientssl != NULL) {
624 SSL_shutdown(clientssl);
625 SSL_free(clientssl);
626 }
627 if (serverssl != NULL) {
628 SSL_shutdown(serverssl);
629 SSL_free(serverssl);
630 }
631 SSL_CTX_free(sctx);
632 SSL_CTX_free(cctx);
633
634 OPENSSL_free(skey);
635 OPENSSL_free(leaf);
636 OPENSSL_free(int2);
637 OPENSSL_free(int1);
638 OPENSSL_free(root);
639
640 return testresult;
641}
642
643static int test_ssl_build_cert_chain(void)
644{
645 int ret = 0;
646 SSL_CTX *ssl_ctx = NULL;
647 SSL *ssl = NULL;
648 char *skey = test_mk_file_path(certsdir, "leaf.key");
649 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
650
651 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
652 goto end;
653 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
654 goto end;
655 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
656 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
657 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
658 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
659 goto end;
660 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
661 | SSL_BUILD_CHAIN_FLAG_CHECK)))
662 goto end;
663 ret = 1;
664end:
665 SSL_free(ssl);
666 SSL_CTX_free(ssl_ctx);
667 OPENSSL_free(leaf_chain);
668 OPENSSL_free(skey);
669 return ret;
670}
671
672static int get_password_cb(char *buf, int size, int rw_flag, void *userdata)
673{
674 static const char pass[] = "testpass";
675
676 if (!TEST_int_eq(size, PEM_BUFSIZE))
677 return -1;
678
679 memcpy(buf, pass, sizeof(pass) - 1);
680 return sizeof(pass) - 1;
681}
682
683static int test_ssl_ctx_build_cert_chain(void)
684{
685 int ret = 0;
686 SSL_CTX *ctx = NULL;
687 char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key");
688 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
689
690 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
691 goto end;
692 SSL_CTX_set_default_passwd_cb(ctx, get_password_cb);
693 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
694 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
695 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
696 SSL_FILETYPE_PEM), 1)
697 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
698 goto end;
699 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
700 | SSL_BUILD_CHAIN_FLAG_CHECK)))
701 goto end;
702 ret = 1;
703end:
704 SSL_CTX_free(ctx);
705 OPENSSL_free(leaf_chain);
706 OPENSSL_free(skey);
707 return ret;
708}
709
710#ifndef OPENSSL_NO_TLS1_2
711static int full_client_hello_callback(SSL *s, int *al, void *arg)
712{
713 int *ctr = arg;
714 const unsigned char *p;
715 int *exts;
716#ifdef OPENSSL_NO_EC
717 const unsigned char expected_ciphers[] = {0x00, 0x9d};
718#else
719 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
720 0x2c};
721#endif
722 const int expected_extensions[] = {
723 65281,
724#ifndef OPENSSL_NO_EC
725 11, 10,
726#endif
727 35, 22, 23, 13};
728 size_t len;
729
730 /* Make sure we can defer processing and get called back. */
731 if ((*ctr)++ == 0)
732 return SSL_CLIENT_HELLO_RETRY;
733
734 len = SSL_client_hello_get0_ciphers(s, &p);
735 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
736 || !TEST_size_t_eq(
737 SSL_client_hello_get0_compression_methods(s, &p), 1)
738 || !TEST_int_eq(*p, 0))
739 return SSL_CLIENT_HELLO_ERROR;
740 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
741 return SSL_CLIENT_HELLO_ERROR;
742 if (len != OSSL_NELEM(expected_extensions) ||
743 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
744 printf("ClientHello callback expected extensions mismatch\n");
745 OPENSSL_free(exts);
746 return SSL_CLIENT_HELLO_ERROR;
747 }
748 OPENSSL_free(exts);
749 return SSL_CLIENT_HELLO_SUCCESS;
750}
751
752static int test_client_hello_cb(void)
753{
754 SSL_CTX *cctx = NULL, *sctx = NULL;
755 SSL *clientssl = NULL, *serverssl = NULL;
756 int testctr = 0, testresult = 0;
757
758 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
759 TLS_client_method(), TLS1_VERSION, 0,
760 &sctx, &cctx, cert, privkey)))
761 goto end;
762 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
763
764 /* The gimpy cipher list we configure can't do TLS 1.3. */
765 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
766 /* Avoid problems where the default seclevel has been changed */
767 SSL_CTX_set_security_level(cctx, 2);
768 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
769 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
770 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
771 &clientssl, NULL, NULL))
772 || !TEST_false(create_ssl_connection(serverssl, clientssl,
773 SSL_ERROR_WANT_CLIENT_HELLO_CB))
774 /*
775 * Passing a -1 literal is a hack since
776 * the real value was lost.
777 * */
778 || !TEST_int_eq(SSL_get_error(serverssl, -1),
779 SSL_ERROR_WANT_CLIENT_HELLO_CB)
780 || !TEST_true(create_ssl_connection(serverssl, clientssl,
781 SSL_ERROR_NONE)))
782 goto end;
783
784 testresult = 1;
785
786end:
787 SSL_free(serverssl);
788 SSL_free(clientssl);
789 SSL_CTX_free(sctx);
790 SSL_CTX_free(cctx);
791
792 return testresult;
793}
794
795static int test_no_ems(void)
796{
797 SSL_CTX *cctx = NULL, *sctx = NULL;
798 SSL *clientssl = NULL, *serverssl = NULL;
799 int testresult = 0, status;
800
801 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
802 TLS1_VERSION, TLS1_2_VERSION,
803 &sctx, &cctx, cert, privkey)) {
804 printf("Unable to create SSL_CTX pair\n");
805 goto end;
806 }
807
808 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
809
810 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
811 printf("Unable to create SSL objects\n");
812 goto end;
813 }
814
815 status = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
816 if (fips_ems_check) {
817 if (status == 1) {
818 printf("When FIPS uses the EMS check a connection that doesn't use EMS should fail\n");
819 goto end;
820 }
821 } else {
822 if (!status) {
823 printf("Creating SSL connection failed\n");
824 goto end;
825 }
826 if (SSL_get_extms_support(serverssl)) {
827 printf("Server reports Extended Master Secret support\n");
828 goto end;
829 }
830 if (SSL_get_extms_support(clientssl)) {
831 printf("Client reports Extended Master Secret support\n");
832 goto end;
833 }
834 }
835 testresult = 1;
836
837end:
838 SSL_free(serverssl);
839 SSL_free(clientssl);
840 SSL_CTX_free(sctx);
841 SSL_CTX_free(cctx);
842
843 return testresult;
844}
845
846/*
847 * Very focused test to exercise a single case in the server-side state
848 * machine, when the ChangeCipherState message needs to actually change
849 * from one cipher to a different cipher (i.e., not changing from null
850 * encryption to real encryption).
851 */
852static int test_ccs_change_cipher(void)
853{
854 SSL_CTX *cctx = NULL, *sctx = NULL;
855 SSL *clientssl = NULL, *serverssl = NULL;
856 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
857 int testresult = 0;
858 int i;
859 unsigned char buf;
860 size_t readbytes;
861
862 /*
863 * Create a connection so we can resume and potentially (but not) use
864 * a different cipher in the second connection.
865 */
866 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
867 TLS_client_method(),
868 TLS1_VERSION, TLS1_2_VERSION,
869 &sctx, &cctx, cert, privkey))
870 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
871 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
872 NULL, NULL))
873 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
874 || !TEST_true(create_ssl_connection(serverssl, clientssl,
875 SSL_ERROR_NONE))
876 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
877 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
878 goto end;
879
880 shutdown_ssl_connection(serverssl, clientssl);
881 serverssl = clientssl = NULL;
882
883 /* Resume, preferring a different cipher. Our server will force the
884 * same cipher to be used as the initial handshake. */
885 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
886 NULL, NULL))
887 || !TEST_true(SSL_set_session(clientssl, sess))
888 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
889 || !TEST_true(create_ssl_connection(serverssl, clientssl,
890 SSL_ERROR_NONE))
891 || !TEST_true(SSL_session_reused(clientssl))
892 || !TEST_true(SSL_session_reused(serverssl))
893 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
894 || !TEST_ptr_eq(sesspre, sesspost)
895 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
896 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
897 goto end;
898 shutdown_ssl_connection(serverssl, clientssl);
899 serverssl = clientssl = NULL;
900
901 /*
902 * Now create a fresh connection and try to renegotiate a different
903 * cipher on it.
904 */
905 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
906 NULL, NULL))
907 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
908 || !TEST_true(create_ssl_connection(serverssl, clientssl,
909 SSL_ERROR_NONE))
910 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
911 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
912 || !TEST_true(SSL_renegotiate(clientssl))
913 || !TEST_true(SSL_renegotiate_pending(clientssl)))
914 goto end;
915 /* Actually drive the renegotiation. */
916 for (i = 0; i < 3; i++) {
917 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
918 if (!TEST_ulong_eq(readbytes, 0))
919 goto end;
920 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
921 SSL_ERROR_WANT_READ)) {
922 goto end;
923 }
924 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
925 if (!TEST_ulong_eq(readbytes, 0))
926 goto end;
927 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
928 SSL_ERROR_WANT_READ)) {
929 goto end;
930 }
931 }
932 /* sesspre and sesspost should be different since the cipher changed. */
933 if (!TEST_false(SSL_renegotiate_pending(clientssl))
934 || !TEST_false(SSL_session_reused(clientssl))
935 || !TEST_false(SSL_session_reused(serverssl))
936 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
937 || !TEST_ptr_ne(sesspre, sesspost)
938 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
939 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
940 goto end;
941
942 shutdown_ssl_connection(serverssl, clientssl);
943 serverssl = clientssl = NULL;
944
945 testresult = 1;
946
947end:
948 SSL_free(serverssl);
949 SSL_free(clientssl);
950 SSL_CTX_free(sctx);
951 SSL_CTX_free(cctx);
952 SSL_SESSION_free(sess);
953
954 return testresult;
955}
956#endif
957
958static int execute_test_large_message(const SSL_METHOD *smeth,
959 const SSL_METHOD *cmeth,
960 int min_version, int max_version,
961 int read_ahead)
962{
963 SSL_CTX *cctx = NULL, *sctx = NULL;
964 SSL *clientssl = NULL, *serverssl = NULL;
965 int testresult = 0;
966
967 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
968 max_version, &sctx, &cctx, cert,
969 privkey)))
970 goto end;
971
972#ifdef OPENSSL_NO_DTLS1_2
973 if (smeth == DTLS_server_method()) {
974 /*
975 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
976 * level 0
977 */
978 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
979 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
980 "DEFAULT:@SECLEVEL=0")))
981 goto end;
982 }
983#endif
984
985 if (read_ahead) {
986 /*
987 * Test that read_ahead works correctly when dealing with large
988 * records
989 */
990 SSL_CTX_set_read_ahead(cctx, 1);
991 }
992
993 if (!ssl_ctx_add_large_cert_chain(libctx, sctx, cert))
994 goto end;
995
996 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
997 NULL, NULL))
998 || !TEST_true(create_ssl_connection(serverssl, clientssl,
999 SSL_ERROR_NONE)))
1000 goto end;
1001
1002 /*
1003 * Calling SSL_clear() first is not required but this tests that SSL_clear()
1004 * doesn't leak.
1005 */
1006 if (!TEST_true(SSL_clear(serverssl)))
1007 goto end;
1008
1009 testresult = 1;
1010 end:
1011 SSL_free(serverssl);
1012 SSL_free(clientssl);
1013 SSL_CTX_free(sctx);
1014 SSL_CTX_free(cctx);
1015
1016 return testresult;
1017}
1018
1019#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
1020 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
1021/* sock must be connected */
1022static int ktls_chk_platform(int sock)
1023{
1024 if (!ktls_enable(sock))
1025 return 0;
1026 return 1;
1027}
1028
1029static int ping_pong_query(SSL *clientssl, SSL *serverssl)
1030{
1031 static char count = 1;
1032 unsigned char cbuf[16000] = {0};
1033 unsigned char sbuf[16000];
1034 size_t err = 0;
1035 char crec_wseq_before[SEQ_NUM_SIZE];
1036 char crec_wseq_after[SEQ_NUM_SIZE];
1037 char crec_rseq_before[SEQ_NUM_SIZE];
1038 char crec_rseq_after[SEQ_NUM_SIZE];
1039 char srec_wseq_before[SEQ_NUM_SIZE];
1040 char srec_wseq_after[SEQ_NUM_SIZE];
1041 char srec_rseq_before[SEQ_NUM_SIZE];
1042 char srec_rseq_after[SEQ_NUM_SIZE];
1043 SSL_CONNECTION *clientsc, *serversc;
1044
1045 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1046 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1047 goto end;
1048
1049 cbuf[0] = count++;
1050 memcpy(crec_wseq_before, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1051 memcpy(srec_wseq_before, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1052 memcpy(crec_rseq_before, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1053 memcpy(srec_rseq_before, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1054
1055 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1056 goto end;
1057
1058 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1059 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1060 goto end;
1061 }
1062 }
1063
1064 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1065 goto end;
1066
1067 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1068 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1069 goto end;
1070 }
1071 }
1072
1073 memcpy(crec_wseq_after, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1074 memcpy(srec_wseq_after, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1075 memcpy(crec_rseq_after, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1076 memcpy(srec_rseq_after, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1077
1078 /* verify the payload */
1079 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1080 goto end;
1081
1082 /*
1083 * If ktls is used then kernel sequences are used instead of
1084 * OpenSSL sequences
1085 */
1086 if (!BIO_get_ktls_send(clientsc->wbio)) {
1087 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1088 crec_wseq_after, SEQ_NUM_SIZE))
1089 goto end;
1090 } else {
1091 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1092 crec_wseq_after, SEQ_NUM_SIZE))
1093 goto end;
1094 }
1095
1096 if (!BIO_get_ktls_send(serversc->wbio)) {
1097 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1098 srec_wseq_after, SEQ_NUM_SIZE))
1099 goto end;
1100 } else {
1101 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1102 srec_wseq_after, SEQ_NUM_SIZE))
1103 goto end;
1104 }
1105
1106 if (!BIO_get_ktls_recv(clientsc->wbio)) {
1107 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1108 crec_rseq_after, SEQ_NUM_SIZE))
1109 goto end;
1110 } else {
1111 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1112 crec_rseq_after, SEQ_NUM_SIZE))
1113 goto end;
1114 }
1115
1116 if (!BIO_get_ktls_recv(serversc->wbio)) {
1117 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1118 srec_rseq_after, SEQ_NUM_SIZE))
1119 goto end;
1120 } else {
1121 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1122 srec_rseq_after, SEQ_NUM_SIZE))
1123 goto end;
1124 }
1125
1126 return 1;
1127end:
1128 return 0;
1129}
1130
1131static int execute_test_ktls(int cis_ktls, int sis_ktls,
1132 int tls_version, const char *cipher)
1133{
1134 SSL_CTX *cctx = NULL, *sctx = NULL;
1135 SSL *clientssl = NULL, *serverssl = NULL;
1136 int ktls_used = 0, testresult = 0;
1137 int cfd = -1, sfd = -1;
1138 int rx_supported;
1139 SSL_CONNECTION *clientsc, *serversc;
1140 unsigned char *buf = NULL;
1141 const size_t bufsz = SSL3_RT_MAX_PLAIN_LENGTH + 16;
1142 int ret;
1143 size_t offset = 0, i;
1144
1145 if (!TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
1146 goto end;
1147
1148 /* Skip this test if the platform does not support ktls */
1149 if (!ktls_chk_platform(cfd)) {
1150 testresult = TEST_skip("Kernel does not support KTLS");
1151 goto end;
1152 }
1153
1154 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1155 testresult = TEST_skip("CHACHA is not supported in FIPS");
1156 goto end;
1157 }
1158
1159 /* Create a session based on SHA-256 */
1160 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1161 TLS_client_method(),
1162 tls_version, tls_version,
1163 &sctx, &cctx, cert, privkey)))
1164 goto end;
1165
1166 if (tls_version == TLS1_3_VERSION) {
1167 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1168 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1169 goto end;
1170 } else {
1171 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1172 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1173 goto end;
1174 }
1175
1176 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1177 &clientssl, sfd, cfd)))
1178 goto end;
1179
1180 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1181 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1182 goto end;
1183
1184 if (cis_ktls) {
1185 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
1186 goto end;
1187 }
1188
1189 if (sis_ktls) {
1190 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1191 goto end;
1192 }
1193
1194 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1195 goto end;
1196
1197 /*
1198 * The running kernel may not support a given cipher suite
1199 * or direction, so just check that KTLS isn't used when it
1200 * isn't enabled.
1201 */
1202 if (!cis_ktls) {
1203 if (!TEST_false(BIO_get_ktls_send(clientsc->wbio)))
1204 goto end;
1205 } else {
1206 if (BIO_get_ktls_send(clientsc->wbio))
1207 ktls_used = 1;
1208 }
1209
1210 if (!sis_ktls) {
1211 if (!TEST_false(BIO_get_ktls_send(serversc->wbio)))
1212 goto end;
1213 } else {
1214 if (BIO_get_ktls_send(serversc->wbio))
1215 ktls_used = 1;
1216 }
1217
1218#if defined(OPENSSL_NO_KTLS_RX)
1219 rx_supported = 0;
1220#else
1221 rx_supported = 1;
1222#endif
1223 if (!cis_ktls || !rx_supported) {
1224 if (!TEST_false(BIO_get_ktls_recv(clientsc->rbio)))
1225 goto end;
1226 } else {
1227 if (BIO_get_ktls_send(clientsc->rbio))
1228 ktls_used = 1;
1229 }
1230
1231 if (!sis_ktls || !rx_supported) {
1232 if (!TEST_false(BIO_get_ktls_recv(serversc->rbio)))
1233 goto end;
1234 } else {
1235 if (BIO_get_ktls_send(serversc->rbio))
1236 ktls_used = 1;
1237 }
1238
1239 if ((cis_ktls || sis_ktls) && !ktls_used) {
1240 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1241 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1242 "TLS 1.2", cipher);
1243 goto end;
1244 }
1245
1246 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
1247 goto end;
1248
1249 buf = OPENSSL_zalloc(bufsz);
1250 if (!TEST_ptr(buf))
1251 goto end;
1252
1253 /*
1254 * Write some data that exceeds the maximum record length. KTLS may choose
1255 * to coalesce this data into a single buffer when we read it again.
1256 */
1257 while ((ret = SSL_write(clientssl, buf, bufsz)) != (int)bufsz) {
1258 if (!TEST_true(SSL_get_error(clientssl, ret) == SSL_ERROR_WANT_WRITE))
1259 goto end;
1260 }
1261
1262 /* Now check that we can read all the data we wrote */
1263 do {
1264 ret = SSL_read(serverssl, buf + offset, bufsz - offset);
1265 if (ret <= 0) {
1266 if (!TEST_true(SSL_get_error(serverssl, ret) == SSL_ERROR_WANT_READ))
1267 goto end;
1268 } else {
1269 offset += ret;
1270 }
1271 } while (offset < bufsz);
1272
1273 if (!TEST_true(offset == bufsz))
1274 goto end;
1275 for (i = 0; i < bufsz; i++)
1276 if (!TEST_true(buf[i] == 0))
1277 goto end;
1278
1279 testresult = 1;
1280end:
1281 OPENSSL_free(buf);
1282 if (clientssl) {
1283 SSL_shutdown(clientssl);
1284 SSL_free(clientssl);
1285 }
1286 if (serverssl) {
1287 SSL_shutdown(serverssl);
1288 SSL_free(serverssl);
1289 }
1290 SSL_CTX_free(sctx);
1291 SSL_CTX_free(cctx);
1292 serverssl = clientssl = NULL;
1293 if (cfd != -1)
1294 close(cfd);
1295 if (sfd != -1)
1296 close(sfd);
1297 return testresult;
1298}
1299
1300#define SENDFILE_SZ (16 * 4096)
1301#define SENDFILE_CHUNK (4 * 4096)
1302#define min(a,b) ((a) > (b) ? (b) : (a))
1303
1304static int execute_test_ktls_sendfile(int tls_version, const char *cipher,
1305 int zerocopy)
1306{
1307 SSL_CTX *cctx = NULL, *sctx = NULL;
1308 SSL *clientssl = NULL, *serverssl = NULL;
1309 unsigned char *buf, *buf_dst;
1310 BIO *out = NULL, *in = NULL;
1311 int cfd = -1, sfd = -1, ffd, err;
1312 ssize_t chunk_size = 0;
1313 off_t chunk_off = 0;
1314 int testresult = 0;
1315 FILE *ffdp;
1316 SSL_CONNECTION *serversc;
1317
1318 buf = OPENSSL_zalloc(SENDFILE_SZ);
1319 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1320 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1321 || !TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
1322 goto end;
1323
1324 /* Skip this test if the platform does not support ktls */
1325 if (!ktls_chk_platform(sfd)) {
1326 testresult = TEST_skip("Kernel does not support KTLS");
1327 goto end;
1328 }
1329
1330 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1331 testresult = TEST_skip("CHACHA is not supported in FIPS");
1332 goto end;
1333 }
1334
1335 /* Create a session based on SHA-256 */
1336 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1337 TLS_client_method(),
1338 tls_version, tls_version,
1339 &sctx, &cctx, cert, privkey)))
1340 goto end;
1341
1342 if (tls_version == TLS1_3_VERSION) {
1343 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1344 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1345 goto end;
1346 } else {
1347 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1348 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1349 goto end;
1350 }
1351
1352 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1353 &clientssl, sfd, cfd)))
1354 goto end;
1355
1356 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1357 goto end;
1358
1359 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1360 goto end;
1361
1362 if (zerocopy) {
1363 if (!TEST_true(SSL_set_options(serverssl,
1364 SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE)))
1365 goto end;
1366 }
1367
1368 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1369 SSL_ERROR_NONE)))
1370 goto end;
1371
1372 if (!BIO_get_ktls_send(serversc->wbio)) {
1373 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1374 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1375 "TLS 1.2", cipher);
1376 goto end;
1377 }
1378
1379 if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
1380 goto end;
1381
1382 out = BIO_new_file(tmpfilename, "wb");
1383 if (!TEST_ptr(out))
1384 goto end;
1385
1386 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1387 goto end;
1388
1389 BIO_free(out);
1390 out = NULL;
1391 in = BIO_new_file(tmpfilename, "rb");
1392 BIO_get_fp(in, &ffdp);
1393 ffd = fileno(ffdp);
1394
1395 while (chunk_off < SENDFILE_SZ) {
1396 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1397 while ((err = SSL_sendfile(serverssl,
1398 ffd,
1399 chunk_off,
1400 chunk_size,
1401 0)) != chunk_size) {
1402 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1403 goto end;
1404 }
1405 while ((err = SSL_read(clientssl,
1406 buf_dst + chunk_off,
1407 chunk_size)) != chunk_size) {
1408 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1409 goto end;
1410 }
1411
1412 /* verify the payload */
1413 if (!TEST_mem_eq(buf_dst + chunk_off,
1414 chunk_size,
1415 buf + chunk_off,
1416 chunk_size))
1417 goto end;
1418
1419 chunk_off += chunk_size;
1420 }
1421
1422 testresult = 1;
1423end:
1424 if (clientssl) {
1425 SSL_shutdown(clientssl);
1426 SSL_free(clientssl);
1427 }
1428 if (serverssl) {
1429 SSL_shutdown(serverssl);
1430 SSL_free(serverssl);
1431 }
1432 SSL_CTX_free(sctx);
1433 SSL_CTX_free(cctx);
1434 serverssl = clientssl = NULL;
1435 BIO_free(out);
1436 BIO_free(in);
1437 if (cfd != -1)
1438 close(cfd);
1439 if (sfd != -1)
1440 close(sfd);
1441 OPENSSL_free(buf);
1442 OPENSSL_free(buf_dst);
1443 return testresult;
1444}
1445
1446static struct ktls_test_cipher {
1447 int tls_version;
1448 const char *cipher;
1449} ktls_test_ciphers[] = {
1450# if !defined(OPENSSL_NO_TLS1_2)
1451# ifdef OPENSSL_KTLS_AES_GCM_128
1452 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1453# endif
1454# ifdef OPENSSL_KTLS_AES_CCM_128
1455 { TLS1_2_VERSION, "AES128-CCM"},
1456# endif
1457# ifdef OPENSSL_KTLS_AES_GCM_256
1458 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1459# endif
1460# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1461# ifndef OPENSSL_NO_EC
1462 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
1463# endif
1464# endif
1465# endif
1466# if !defined(OSSL_NO_USABLE_TLS1_3)
1467# ifdef OPENSSL_KTLS_AES_GCM_128
1468 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1469# endif
1470# ifdef OPENSSL_KTLS_AES_CCM_128
1471 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1472# endif
1473# ifdef OPENSSL_KTLS_AES_GCM_256
1474 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1475# endif
1476# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1477 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1478# endif
1479# endif
1480};
1481
1482#define NUM_KTLS_TEST_CIPHERS OSSL_NELEM(ktls_test_ciphers)
1483
1484static int test_ktls(int test)
1485{
1486 struct ktls_test_cipher *cipher;
1487 int cis_ktls, sis_ktls;
1488
1489 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
1490 cipher = &ktls_test_ciphers[test / 4];
1491
1492 cis_ktls = (test & 1) != 0;
1493 sis_ktls = (test & 2) != 0;
1494
1495 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1496 cipher->cipher);
1497}
1498
1499static int test_ktls_sendfile(int test)
1500{
1501 struct ktls_test_cipher *cipher;
1502 int tst = test >> 1;
1503
1504 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
1505 cipher = &ktls_test_ciphers[tst];
1506
1507 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher,
1508 test & 1);
1509}
1510#endif
1511
1512static int test_large_message_tls(void)
1513{
1514 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1515 TLS1_VERSION, 0, 0);
1516}
1517
1518static int test_large_message_tls_read_ahead(void)
1519{
1520 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1521 TLS1_VERSION, 0, 1);
1522}
1523
1524#ifndef OPENSSL_NO_DTLS
1525static int test_large_message_dtls(void)
1526{
1527# ifdef OPENSSL_NO_DTLS1_2
1528 /* Not supported in the FIPS provider */
1529 if (is_fips)
1530 return 1;
1531# endif
1532 /*
1533 * read_ahead is not relevant to DTLS because DTLS always acts as if
1534 * read_ahead is set.
1535 */
1536 return execute_test_large_message(DTLS_server_method(),
1537 DTLS_client_method(),
1538 DTLS1_VERSION, 0, 0);
1539}
1540#endif
1541
1542/*
1543 * Test we can successfully send the maximum amount of application data. We
1544 * test each protocol version individually, each with and without EtM enabled.
1545 * TLSv1.3 doesn't use EtM so technically it is redundant to test both but it is
1546 * simpler this way. We also test all combinations with and without the
1547 * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option which affects the size of the
1548 * underlying buffer.
1549 */
1550static int test_large_app_data(int tst)
1551{
1552 SSL_CTX *cctx = NULL, *sctx = NULL;
1553 SSL *clientssl = NULL, *serverssl = NULL;
1554 int testresult = 0, prot;
1555 unsigned char *msg, *buf = NULL;
1556 size_t written, readbytes;
1557 const SSL_METHOD *smeth = TLS_server_method();
1558 const SSL_METHOD *cmeth = TLS_client_method();
1559
1560 switch (tst >> 2) {
1561 case 0:
1562#ifndef OSSL_NO_USABLE_TLS1_3
1563 prot = TLS1_3_VERSION;
1564 break;
1565#else
1566 return TEST_skip("TLS 1.3 not supported");
1567#endif
1568
1569 case 1:
1570#ifndef OPENSSL_NO_TLS1_2
1571 prot = TLS1_2_VERSION;
1572 break;
1573#else
1574 return TEST_skip("TLS 1.2 not supported");
1575#endif
1576
1577 case 2:
1578#ifndef OPENSSL_NO_TLS1_1
1579 prot = TLS1_1_VERSION;
1580 break;
1581#else
1582 return TEST_skip("TLS 1.1 not supported");
1583#endif
1584
1585 case 3:
1586#ifndef OPENSSL_NO_TLS1
1587 prot = TLS1_VERSION;
1588 break;
1589#else
1590 return TEST_skip("TLS 1 not supported");
1591#endif
1592
1593 case 4:
1594#ifndef OPENSSL_NO_SSL3
1595 prot = SSL3_VERSION;
1596 break;
1597#else
1598 return TEST_skip("SSL 3 not supported");
1599#endif
1600
1601 case 5:
1602#ifndef OPENSSL_NO_DTLS1_2
1603 prot = DTLS1_2_VERSION;
1604 smeth = DTLS_server_method();
1605 cmeth = DTLS_client_method();
1606 break;
1607#else
1608 return TEST_skip("DTLS 1.2 not supported");
1609#endif
1610
1611 case 6:
1612#ifndef OPENSSL_NO_DTLS1
1613 if (is_fips)
1614 return TEST_skip("DTLS 1 not supported by FIPS provider");
1615 prot = DTLS1_VERSION;
1616 smeth = DTLS_server_method();
1617 cmeth = DTLS_client_method();
1618 break;
1619#else
1620 return TEST_skip("DTLS 1 not supported");
1621#endif
1622
1623 default:
1624 /* Shouldn't happen */
1625 return 0;
1626 }
1627
1628 if (is_fips && prot < TLS1_2_VERSION)
1629 return TEST_skip("TLS versions < 1.2 not supported by FIPS provider");
1630
1631 /* Maximal sized message of zeros */
1632 msg = OPENSSL_zalloc(SSL3_RT_MAX_PLAIN_LENGTH);
1633 if (!TEST_ptr(msg))
1634 goto end;
1635
1636 buf = OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH + 1);
1637 if (!TEST_ptr(buf))
1638 goto end;
1639 /* Set whole buffer to all bits set */
1640 memset(buf, 0xff, SSL3_RT_MAX_PLAIN_LENGTH + 1);
1641
1642 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, prot, prot,
1643 &sctx, &cctx, cert, privkey)))
1644 goto end;
1645
1646 if (prot < TLS1_2_VERSION || prot == DTLS1_VERSION) {
1647 /* Older protocol versions need SECLEVEL=0 due to SHA1 usage */
1648 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0"))
1649 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
1650 "DEFAULT:@SECLEVEL=0")))
1651 goto end;
1652 }
1653
1654 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1655 &clientssl, NULL, NULL)))
1656 goto end;
1657
1658 if ((tst & 1) != 0) {
1659 /* Setting this option gives us a minimally sized underlying buffer */
1660 if (!TEST_true(SSL_set_options(serverssl,
1661 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
1662 || !TEST_true(SSL_set_options(clientssl,
1663 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)))
1664 goto end;
1665 }
1666
1667 if ((tst & 2) != 0) {
1668 /*
1669 * Setting this option means the MAC is added before encryption
1670 * giving us a larger record for the encryption process
1671 */
1672 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC))
1673 || !TEST_true(SSL_set_options(clientssl,
1674 SSL_OP_NO_ENCRYPT_THEN_MAC)))
1675 goto end;
1676 }
1677
1678 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1679 goto end;
1680
1681 if (!TEST_true(SSL_write_ex(clientssl, msg, SSL3_RT_MAX_PLAIN_LENGTH,
1682 &written))
1683 || !TEST_size_t_eq(written, SSL3_RT_MAX_PLAIN_LENGTH))
1684 goto end;
1685
1686 /* We provide a buffer slightly larger than what we are actually expecting */
1687 if (!TEST_true(SSL_read_ex(serverssl, buf, SSL3_RT_MAX_PLAIN_LENGTH + 1,
1688 &readbytes)))
1689 goto end;
1690
1691 if (!TEST_mem_eq(msg, written, buf, readbytes))
1692 goto end;
1693
1694 testresult = 1;
1695end:
1696 OPENSSL_free(msg);
1697 OPENSSL_free(buf);
1698 SSL_free(serverssl);
1699 SSL_free(clientssl);
1700 SSL_CTX_free(sctx);
1701 SSL_CTX_free(cctx);
1702 return testresult;
1703}
1704
1705#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) \
1706 || !defined(OPENSSL_NO_DTLS)
1707static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1708 const SSL_METHOD *cmeth,
1709 int min_version, int max_version)
1710{
1711 size_t i;
1712 SSL_CTX *cctx = NULL, *sctx = NULL;
1713 SSL *clientssl = NULL, *serverssl = NULL;
1714 int testresult = 0;
1715 const unsigned char *zbuf;
1716 SSL_CONNECTION *serversc;
1717 TLS_RECORD *rr;
1718
1719 static unsigned char cbuf[16000];
1720 static unsigned char sbuf[16000];
1721
1722 if (!TEST_true(create_ssl_ctx_pair(libctx,
1723 smeth, cmeth,
1724 min_version, max_version,
1725 &sctx, &cctx, cert,
1726 privkey)))
1727 goto end;
1728
1729# ifdef OPENSSL_NO_DTLS1_2
1730 if (smeth == DTLS_server_method()) {
1731 /* Not supported in the FIPS provider */
1732 if (is_fips) {
1733 testresult = 1;
1734 goto end;
1735 };
1736 /*
1737 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1738 * level 0
1739 */
1740 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1741 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1742 "DEFAULT:@SECLEVEL=0")))
1743 goto end;
1744 }
1745# endif
1746
1747 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1748 NULL, NULL)))
1749 goto end;
1750
1751 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1752 goto end;
1753
1754 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1755 SSL_ERROR_NONE)))
1756 goto end;
1757
1758 for (i = 0; i < sizeof(cbuf); i++) {
1759 cbuf[i] = i & 0xff;
1760 }
1761
1762 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1763 goto end;
1764
1765 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1766 goto end;
1767
1768 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1769 goto end;
1770
1771 /*
1772 * Since we called SSL_peek(), we know the data in the record
1773 * layer is a plaintext record. We can gather the pointer to check
1774 * for zeroization after SSL_read().
1775 */
1776 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1777 goto end;
1778 rr = serversc->rlayer.tlsrecs;
1779
1780 zbuf = &rr->data[rr->off];
1781 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1782 goto end;
1783
1784 /*
1785 * After SSL_peek() the plaintext must still be stored in the
1786 * record.
1787 */
1788 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1789 goto end;
1790
1791 memset(sbuf, 0, sizeof(sbuf));
1792 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1793 goto end;
1794
1795 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1796 goto end;
1797
1798 /* Check if rbuf is cleansed */
1799 memset(cbuf, 0, sizeof(cbuf));
1800 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1801 goto end;
1802
1803 testresult = 1;
1804 end:
1805 SSL_free(serverssl);
1806 SSL_free(clientssl);
1807 SSL_CTX_free(sctx);
1808 SSL_CTX_free(cctx);
1809
1810 return testresult;
1811}
1812#endif /*
1813 * !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
1814 * || !defined(OPENSSL_NO_DTLS)
1815 */
1816
1817static int test_cleanse_plaintext(void)
1818{
1819#if !defined(OPENSSL_NO_TLS1_2)
1820 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1821 TLS_client_method(),
1822 TLS1_2_VERSION,
1823 TLS1_2_VERSION)))
1824 return 0;
1825
1826#endif
1827
1828#if !defined(OSSL_NO_USABLE_TLS1_3)
1829 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1830 TLS_client_method(),
1831 TLS1_3_VERSION,
1832 TLS1_3_VERSION)))
1833 return 0;
1834#endif
1835
1836#if !defined(OPENSSL_NO_DTLS)
1837
1838 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1839 DTLS_client_method(),
1840 DTLS1_VERSION,
1841 0)))
1842 return 0;
1843#endif
1844 return 1;
1845}
1846
1847#ifndef OPENSSL_NO_OCSP
1848static int ocsp_server_cb(SSL *s, void *arg)
1849{
1850 int *argi = (int *)arg;
1851 unsigned char *copy = NULL;
1852 STACK_OF(OCSP_RESPID) *ids = NULL;
1853 OCSP_RESPID *id = NULL;
1854
1855 if (*argi == 2) {
1856 /* In this test we are expecting exactly 1 OCSP_RESPID */
1857 SSL_get_tlsext_status_ids(s, &ids);
1858 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1859 return SSL_TLSEXT_ERR_ALERT_FATAL;
1860
1861 id = sk_OCSP_RESPID_value(ids, 0);
1862 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1863 return SSL_TLSEXT_ERR_ALERT_FATAL;
1864 } else if (*argi != 1) {
1865 return SSL_TLSEXT_ERR_ALERT_FATAL;
1866 }
1867
1868 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1869 return SSL_TLSEXT_ERR_ALERT_FATAL;
1870
1871 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1872 sizeof(orespder)))) {
1873 OPENSSL_free(copy);
1874 return SSL_TLSEXT_ERR_ALERT_FATAL;
1875 }
1876 ocsp_server_called = 1;
1877 return SSL_TLSEXT_ERR_OK;
1878}
1879
1880static int ocsp_client_cb(SSL *s, void *arg)
1881{
1882 int *argi = (int *)arg;
1883 const unsigned char *respderin;
1884 size_t len;
1885
1886 if (*argi != 1 && *argi != 2)
1887 return 0;
1888
1889 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1890 if (!TEST_mem_eq(orespder, len, respderin, len))
1891 return 0;
1892
1893 ocsp_client_called = 1;
1894 return 1;
1895}
1896
1897static int test_tlsext_status_type(void)
1898{
1899 SSL_CTX *cctx = NULL, *sctx = NULL;
1900 SSL *clientssl = NULL, *serverssl = NULL;
1901 int testresult = 0;
1902 STACK_OF(OCSP_RESPID) *ids = NULL;
1903 OCSP_RESPID *id = NULL;
1904 BIO *certbio = NULL;
1905
1906 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1907 TLS1_VERSION, 0,
1908 &sctx, &cctx, cert, privkey))
1909 return 0;
1910
1911 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1912 goto end;
1913
1914 /* First just do various checks getting and setting tlsext_status_type */
1915
1916 clientssl = SSL_new(cctx);
1917 if (!TEST_ptr(clientssl))
1918 goto end;
1919 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1920 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1921 TLSEXT_STATUSTYPE_ocsp))
1922 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1923 TLSEXT_STATUSTYPE_ocsp))
1924 goto end;
1925
1926 SSL_free(clientssl);
1927 clientssl = NULL;
1928
1929 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1930 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1931 goto end;
1932
1933 clientssl = SSL_new(cctx);
1934 if (!TEST_ptr(clientssl))
1935 goto end;
1936 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1937 goto end;
1938 SSL_free(clientssl);
1939 clientssl = NULL;
1940
1941 /*
1942 * Now actually do a handshake and check OCSP information is exchanged and
1943 * the callbacks get called
1944 */
1945 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1946 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1947 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1948 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1949 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1950 &clientssl, NULL, NULL))
1951 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1952 SSL_ERROR_NONE))
1953 || !TEST_true(ocsp_client_called)
1954 || !TEST_true(ocsp_server_called))
1955 goto end;
1956 SSL_free(serverssl);
1957 SSL_free(clientssl);
1958 serverssl = NULL;
1959 clientssl = NULL;
1960
1961 /* Try again but this time force the server side callback to fail */
1962 ocsp_client_called = 0;
1963 ocsp_server_called = 0;
1964 cdummyarg = 0;
1965 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1966 &clientssl, NULL, NULL))
1967 /* This should fail because the callback will fail */
1968 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1969 SSL_ERROR_NONE))
1970 || !TEST_false(ocsp_client_called)
1971 || !TEST_false(ocsp_server_called))
1972 goto end;
1973 SSL_free(serverssl);
1974 SSL_free(clientssl);
1975 serverssl = NULL;
1976 clientssl = NULL;
1977
1978 /*
1979 * This time we'll get the client to send an OCSP_RESPID that it will
1980 * accept.
1981 */
1982 ocsp_client_called = 0;
1983 ocsp_server_called = 0;
1984 cdummyarg = 2;
1985 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1986 &clientssl, NULL, NULL)))
1987 goto end;
1988
1989 /*
1990 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1991 * specific one. We'll use the server cert.
1992 */
1993 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1994 || !TEST_ptr(id = OCSP_RESPID_new())
1995 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1996 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
1997 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
1998 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1999 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
2000 goto end;
2001 id = NULL;
2002 SSL_set_tlsext_status_ids(clientssl, ids);
2003 /* Control has been transferred */
2004 ids = NULL;
2005
2006 BIO_free(certbio);
2007 certbio = NULL;
2008
2009 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2010 SSL_ERROR_NONE))
2011 || !TEST_true(ocsp_client_called)
2012 || !TEST_true(ocsp_server_called))
2013 goto end;
2014
2015 testresult = 1;
2016
2017 end:
2018 SSL_free(serverssl);
2019 SSL_free(clientssl);
2020 SSL_CTX_free(sctx);
2021 SSL_CTX_free(cctx);
2022 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
2023 OCSP_RESPID_free(id);
2024 BIO_free(certbio);
2025 X509_free(ocspcert);
2026 ocspcert = NULL;
2027
2028 return testresult;
2029}
2030#endif
2031
2032#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
2033static int new_called, remove_called, get_called;
2034
2035static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
2036{
2037 new_called++;
2038 /*
2039 * sess has been up-refed for us, but we don't actually need it so free it
2040 * immediately.
2041 */
2042 SSL_SESSION_free(sess);
2043 return 1;
2044}
2045
2046static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
2047{
2048 remove_called++;
2049}
2050
2051static SSL_SESSION *get_sess_val = NULL;
2052
2053static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
2054 int *copy)
2055{
2056 get_called++;
2057 *copy = 1;
2058 return get_sess_val;
2059}
2060
2061static int execute_test_session(int maxprot, int use_int_cache,
2062 int use_ext_cache, long s_options)
2063{
2064 SSL_CTX *sctx = NULL, *cctx = NULL;
2065 SSL *serverssl1 = NULL, *clientssl1 = NULL;
2066 SSL *serverssl2 = NULL, *clientssl2 = NULL;
2067# ifndef OPENSSL_NO_TLS1_1
2068 SSL *serverssl3 = NULL, *clientssl3 = NULL;
2069# endif
2070 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
2071 int testresult = 0, numnewsesstick = 1;
2072
2073 new_called = remove_called = 0;
2074
2075 /* TLSv1.3 sends 2 NewSessionTickets */
2076 if (maxprot == TLS1_3_VERSION)
2077 numnewsesstick = 2;
2078
2079 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2080 TLS_client_method(), TLS1_VERSION, 0,
2081 &sctx, &cctx, cert, privkey)))
2082 return 0;
2083
2084 /*
2085 * Only allow the max protocol version so we can force a connection failure
2086 * later
2087 */
2088 SSL_CTX_set_min_proto_version(cctx, maxprot);
2089 SSL_CTX_set_max_proto_version(cctx, maxprot);
2090
2091 /* Set up session cache */
2092 if (use_ext_cache) {
2093 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2094 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
2095 }
2096 if (use_int_cache) {
2097 /* Also covers instance where both are set */
2098 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
2099 } else {
2100 SSL_CTX_set_session_cache_mode(cctx,
2101 SSL_SESS_CACHE_CLIENT
2102 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2103 }
2104
2105 if (s_options) {
2106 SSL_CTX_set_options(sctx, s_options);
2107 }
2108
2109 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2110 NULL, NULL))
2111 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2112 SSL_ERROR_NONE))
2113 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2114 goto end;
2115
2116 /* Should fail because it should already be in the cache */
2117 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
2118 goto end;
2119 if (use_ext_cache
2120 && (!TEST_int_eq(new_called, numnewsesstick)
2121
2122 || !TEST_int_eq(remove_called, 0)))
2123 goto end;
2124
2125 new_called = remove_called = 0;
2126 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2127 &clientssl2, NULL, NULL))
2128 || !TEST_true(SSL_set_session(clientssl2, sess1))
2129 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2130 SSL_ERROR_NONE))
2131 || !TEST_true(SSL_session_reused(clientssl2)))
2132 goto end;
2133
2134 if (maxprot == TLS1_3_VERSION) {
2135 /*
2136 * In TLSv1.3 we should have created a new session even though we have
2137 * resumed. Since we attempted a resume we should also have removed the
2138 * old ticket from the cache so that we try to only use tickets once.
2139 */
2140 if (use_ext_cache
2141 && (!TEST_int_eq(new_called, 1)
2142 || !TEST_int_eq(remove_called, 1)))
2143 goto end;
2144 } else {
2145 /*
2146 * In TLSv1.2 we expect to have resumed so no sessions added or
2147 * removed.
2148 */
2149 if (use_ext_cache
2150 && (!TEST_int_eq(new_called, 0)
2151 || !TEST_int_eq(remove_called, 0)))
2152 goto end;
2153 }
2154
2155 SSL_SESSION_free(sess1);
2156 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
2157 goto end;
2158 shutdown_ssl_connection(serverssl2, clientssl2);
2159 serverssl2 = clientssl2 = NULL;
2160
2161 new_called = remove_called = 0;
2162 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2163 &clientssl2, NULL, NULL))
2164 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2165 SSL_ERROR_NONE)))
2166 goto end;
2167
2168 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2169 goto end;
2170
2171 if (use_ext_cache
2172 && (!TEST_int_eq(new_called, numnewsesstick)
2173 || !TEST_int_eq(remove_called, 0)))
2174 goto end;
2175
2176 new_called = remove_called = 0;
2177 /*
2178 * This should clear sess2 from the cache because it is a "bad" session.
2179 * See SSL_set_session() documentation.
2180 */
2181 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2182 goto end;
2183 if (use_ext_cache
2184 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2185 goto end;
2186 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2187 goto end;
2188
2189 if (use_int_cache) {
2190 /* Should succeeded because it should not already be in the cache */
2191 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
2192 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
2193 goto end;
2194 }
2195
2196 new_called = remove_called = 0;
2197 /* This shouldn't be in the cache so should fail */
2198 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2199 goto end;
2200
2201 if (use_ext_cache
2202 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2203 goto end;
2204
2205# if !defined(OPENSSL_NO_TLS1_1)
2206 new_called = remove_called = 0;
2207 /* Force a connection failure */
2208 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
2209 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
2210 &clientssl3, NULL, NULL))
2211 || !TEST_true(SSL_set_session(clientssl3, sess1))
2212 /* This should fail because of the mismatched protocol versions */
2213 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
2214 SSL_ERROR_NONE)))
2215 goto end;
2216
2217 /* We should have automatically removed the session from the cache */
2218 if (use_ext_cache
2219 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2220 goto end;
2221
2222 /* Should succeed because it should not already be in the cache */
2223 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
2224 goto end;
2225# endif
2226
2227 /* Now do some tests for server side caching */
2228 if (use_ext_cache) {
2229 SSL_CTX_sess_set_new_cb(cctx, NULL);
2230 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2231 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2232 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2233 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2234 get_sess_val = NULL;
2235 }
2236
2237 SSL_CTX_set_session_cache_mode(cctx, 0);
2238 /* Internal caching is the default on the server side */
2239 if (!use_int_cache)
2240 SSL_CTX_set_session_cache_mode(sctx,
2241 SSL_SESS_CACHE_SERVER
2242 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2243
2244 SSL_free(serverssl1);
2245 SSL_free(clientssl1);
2246 serverssl1 = clientssl1 = NULL;
2247 SSL_free(serverssl2);
2248 SSL_free(clientssl2);
2249 serverssl2 = clientssl2 = NULL;
2250 SSL_SESSION_free(sess1);
2251 sess1 = NULL;
2252 SSL_SESSION_free(sess2);
2253 sess2 = NULL;
2254
2255 SSL_CTX_set_max_proto_version(sctx, maxprot);
2256 if (maxprot == TLS1_2_VERSION)
2257 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
2258 new_called = remove_called = get_called = 0;
2259 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2260 NULL, NULL))
2261 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2262 SSL_ERROR_NONE))
2263 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2264 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2265 goto end;
2266
2267 if (use_int_cache) {
2268 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2269 /*
2270 * In TLSv1.3 it should not have been added to the internal cache,
2271 * except in the case where we also have an external cache (in that
2272 * case it gets added to the cache in order to generate remove
2273 * events after timeout).
2274 */
2275 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2276 goto end;
2277 } else {
2278 /* Should fail because it should already be in the cache */
2279 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2280 goto end;
2281 }
2282 }
2283
2284 if (use_ext_cache) {
2285 SSL_SESSION *tmp = sess2;
2286
2287 if (!TEST_int_eq(new_called, numnewsesstick)
2288 || !TEST_int_eq(remove_called, 0)
2289 || !TEST_int_eq(get_called, 0))
2290 goto end;
2291 /*
2292 * Delete the session from the internal cache to force a lookup from
2293 * the external cache. We take a copy first because
2294 * SSL_CTX_remove_session() also marks the session as non-resumable.
2295 */
2296 if (use_int_cache && maxprot != TLS1_3_VERSION) {
2297 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2298 || !TEST_true(sess2->owner != NULL)
2299 || !TEST_true(tmp->owner == NULL)
2300 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2301 goto end;
2302 SSL_SESSION_free(sess2);
2303 }
2304 sess2 = tmp;
2305 }
2306
2307 new_called = remove_called = get_called = 0;
2308 get_sess_val = sess2;
2309 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2310 &clientssl2, NULL, NULL))
2311 || !TEST_true(SSL_set_session(clientssl2, sess1))
2312 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2313 SSL_ERROR_NONE))
2314 || !TEST_true(SSL_session_reused(clientssl2)))
2315 goto end;
2316
2317 if (use_ext_cache) {
2318 if (!TEST_int_eq(remove_called, 0))
2319 goto end;
2320
2321 if (maxprot == TLS1_3_VERSION) {
2322 if (!TEST_int_eq(new_called, 1)
2323 || !TEST_int_eq(get_called, 0))
2324 goto end;
2325 } else {
2326 if (!TEST_int_eq(new_called, 0)
2327 || !TEST_int_eq(get_called, 1))
2328 goto end;
2329 }
2330 }
2331 /*
2332 * Make a small cache, force out all other sessions but
2333 * sess2, try to add sess1, which should succeed. Then
2334 * make sure it's there by checking the owners. Despite
2335 * the timeouts, sess1 should have kicked out sess2
2336 */
2337
2338 /* Make sess1 expire before sess2 */
2339 if (!TEST_time_t_gt(SSL_SESSION_set_time_ex(sess1, 1000), 0)
2340 || !TEST_long_gt(SSL_SESSION_set_timeout(sess1, 1000), 0)
2341 || !TEST_time_t_gt(SSL_SESSION_set_time_ex(sess2, 2000), 0)
2342 || !TEST_long_gt(SSL_SESSION_set_timeout(sess2, 2000), 0))
2343 goto end;
2344
2345 if (!TEST_long_ne(SSL_CTX_sess_set_cache_size(sctx, 1), 0))
2346 goto end;
2347
2348 /* Don't care about results - cache should only be sess2 at end */
2349 SSL_CTX_add_session(sctx, sess1);
2350 SSL_CTX_add_session(sctx, sess2);
2351
2352 /* Now add sess1, and make sure it remains, despite timeout */
2353 if (!TEST_true(SSL_CTX_add_session(sctx, sess1))
2354 || !TEST_ptr(sess1->owner)
2355 || !TEST_ptr_null(sess2->owner))
2356 goto end;
2357
2358 testresult = 1;
2359
2360 end:
2361 SSL_free(serverssl1);
2362 SSL_free(clientssl1);
2363 SSL_free(serverssl2);
2364 SSL_free(clientssl2);
2365# ifndef OPENSSL_NO_TLS1_1
2366 SSL_free(serverssl3);
2367 SSL_free(clientssl3);
2368# endif
2369 SSL_SESSION_free(sess1);
2370 SSL_SESSION_free(sess2);
2371 SSL_CTX_free(sctx);
2372 SSL_CTX_free(cctx);
2373
2374 return testresult;
2375}
2376#endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2377
2378static int test_session_with_only_int_cache(void)
2379{
2380#ifndef OSSL_NO_USABLE_TLS1_3
2381 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
2382 return 0;
2383#endif
2384
2385#ifndef OPENSSL_NO_TLS1_2
2386 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
2387#else
2388 return 1;
2389#endif
2390}
2391
2392static int test_session_with_only_ext_cache(void)
2393{
2394#ifndef OSSL_NO_USABLE_TLS1_3
2395 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
2396 return 0;
2397#endif
2398
2399#ifndef OPENSSL_NO_TLS1_2
2400 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
2401#else
2402 return 1;
2403#endif
2404}
2405
2406static int test_session_with_both_cache(void)
2407{
2408#ifndef OSSL_NO_USABLE_TLS1_3
2409 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2410 return 0;
2411#endif
2412
2413#ifndef OPENSSL_NO_TLS1_2
2414 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2415#else
2416 return 1;
2417#endif
2418}
2419
2420static int test_session_wo_ca_names(void)
2421{
2422#ifndef OSSL_NO_USABLE_TLS1_3
2423 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
2424 return 0;
2425#endif
2426
2427#ifndef OPENSSL_NO_TLS1_2
2428 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
2429#else
2430 return 1;
2431#endif
2432}
2433
2434#ifndef OSSL_NO_USABLE_TLS1_3
2435static SSL_SESSION *sesscache[6];
2436static int do_cache;
2437
2438static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2439{
2440 if (do_cache) {
2441 sesscache[new_called] = sess;
2442 } else {
2443 /* We don't need the reference to the session, so free it */
2444 SSL_SESSION_free(sess);
2445 }
2446 new_called++;
2447
2448 return 1;
2449}
2450
2451static int post_handshake_verify(SSL *sssl, SSL *cssl)
2452{
2453 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2454 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2455 return 0;
2456
2457 /* Start handshake on the server and client */
2458 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2459 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2460 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2461 || !TEST_true(create_ssl_connection(sssl, cssl,
2462 SSL_ERROR_NONE)))
2463 return 0;
2464
2465 return 1;
2466}
2467
2468static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
2469 SSL_CTX **cctx)
2470{
2471 int sess_id_ctx = 1;
2472
2473 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2474 TLS_client_method(), TLS1_VERSION, 0,
2475 sctx, cctx, cert, privkey))
2476 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2477 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2478 (void *)&sess_id_ctx,
2479 sizeof(sess_id_ctx))))
2480 return 0;
2481
2482 if (stateful)
2483 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2484
2485 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2486 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2487 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2488
2489 return 1;
2490}
2491
2492static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2493{
2494 SSL *serverssl = NULL, *clientssl = NULL;
2495 int i;
2496
2497 /* Test that we can resume with all the tickets we got given */
2498 for (i = 0; i < idx * 2; i++) {
2499 new_called = 0;
2500 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2501 &clientssl, NULL, NULL))
2502 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2503 goto end;
2504
2505 SSL_set_post_handshake_auth(clientssl, 1);
2506
2507 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2508 SSL_ERROR_NONE)))
2509 goto end;
2510
2511 /*
2512 * Following a successful resumption we only get 1 ticket. After a
2513 * failed one we should get idx tickets.
2514 */
2515 if (succ) {
2516 if (!TEST_true(SSL_session_reused(clientssl))
2517 || !TEST_int_eq(new_called, 1))
2518 goto end;
2519 } else {
2520 if (!TEST_false(SSL_session_reused(clientssl))
2521 || !TEST_int_eq(new_called, idx))
2522 goto end;
2523 }
2524
2525 new_called = 0;
2526 /* After a post-handshake authentication we should get 1 new ticket */
2527 if (succ
2528 && (!post_handshake_verify(serverssl, clientssl)
2529 || !TEST_int_eq(new_called, 1)))
2530 goto end;
2531
2532 SSL_shutdown(clientssl);
2533 SSL_shutdown(serverssl);
2534 SSL_free(serverssl);
2535 SSL_free(clientssl);
2536 serverssl = clientssl = NULL;
2537 SSL_SESSION_free(sesscache[i]);
2538 sesscache[i] = NULL;
2539 }
2540
2541 return 1;
2542
2543 end:
2544 SSL_free(clientssl);
2545 SSL_free(serverssl);
2546 return 0;
2547}
2548
2549static int test_tickets(int stateful, int idx)
2550{
2551 SSL_CTX *sctx = NULL, *cctx = NULL;
2552 SSL *serverssl = NULL, *clientssl = NULL;
2553 int testresult = 0;
2554 size_t j;
2555
2556 /* idx is the test number, but also the number of tickets we want */
2557
2558 new_called = 0;
2559 do_cache = 1;
2560
2561 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2562 goto end;
2563
2564 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2565 &clientssl, NULL, NULL)))
2566 goto end;
2567
2568 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2569 SSL_ERROR_NONE))
2570 /* Check we got the number of tickets we were expecting */
2571 || !TEST_int_eq(idx, new_called))
2572 goto end;
2573
2574 SSL_shutdown(clientssl);
2575 SSL_shutdown(serverssl);
2576 SSL_free(serverssl);
2577 SSL_free(clientssl);
2578 SSL_CTX_free(sctx);
2579 SSL_CTX_free(cctx);
2580 clientssl = serverssl = NULL;
2581 sctx = cctx = NULL;
2582
2583 /*
2584 * Now we try to resume with the tickets we previously created. The
2585 * resumption attempt is expected to fail (because we're now using a new
2586 * SSL_CTX). We should see idx number of tickets issued again.
2587 */
2588
2589 /* Stop caching sessions - just count them */
2590 do_cache = 0;
2591
2592 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2593 goto end;
2594
2595 if (!check_resumption(idx, sctx, cctx, 0))
2596 goto end;
2597
2598 /* Start again with caching sessions */
2599 new_called = 0;
2600 do_cache = 1;
2601 SSL_CTX_free(sctx);
2602 SSL_CTX_free(cctx);
2603 sctx = cctx = NULL;
2604
2605 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2606 goto end;
2607
2608 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2609 &clientssl, NULL, NULL)))
2610 goto end;
2611
2612 SSL_set_post_handshake_auth(clientssl, 1);
2613
2614 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2615 SSL_ERROR_NONE))
2616 /* Check we got the number of tickets we were expecting */
2617 || !TEST_int_eq(idx, new_called))
2618 goto end;
2619
2620 /* After a post-handshake authentication we should get new tickets issued */
2621 if (!post_handshake_verify(serverssl, clientssl)
2622 || !TEST_int_eq(idx * 2, new_called))
2623 goto end;
2624
2625 SSL_shutdown(clientssl);
2626 SSL_shutdown(serverssl);
2627 SSL_free(serverssl);
2628 SSL_free(clientssl);
2629 serverssl = clientssl = NULL;
2630
2631 /* Stop caching sessions - just count them */
2632 do_cache = 0;
2633
2634 /*
2635 * Check we can resume with all the tickets we created. This time around the
2636 * resumptions should all be successful.
2637 */
2638 if (!check_resumption(idx, sctx, cctx, 1))
2639 goto end;
2640
2641 testresult = 1;
2642
2643 end:
2644 SSL_free(serverssl);
2645 SSL_free(clientssl);
2646 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2647 SSL_SESSION_free(sesscache[j]);
2648 sesscache[j] = NULL;
2649 }
2650 SSL_CTX_free(sctx);
2651 SSL_CTX_free(cctx);
2652
2653 return testresult;
2654}
2655
2656static int test_stateless_tickets(int idx)
2657{
2658 return test_tickets(0, idx);
2659}
2660
2661static int test_stateful_tickets(int idx)
2662{
2663 return test_tickets(1, idx);
2664}
2665
2666static int test_psk_tickets(void)
2667{
2668 SSL_CTX *sctx = NULL, *cctx = NULL;
2669 SSL *serverssl = NULL, *clientssl = NULL;
2670 int testresult = 0;
2671 int sess_id_ctx = 1;
2672
2673 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2674 TLS_client_method(), TLS1_VERSION, 0,
2675 &sctx, &cctx, NULL, NULL))
2676 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2677 (void *)&sess_id_ctx,
2678 sizeof(sess_id_ctx))))
2679 goto end;
2680
2681 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2682 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2683 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2684 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2685 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2686 use_session_cb_cnt = 0;
2687 find_session_cb_cnt = 0;
2688 srvid = pskid;
2689 new_called = 0;
2690
2691 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2692 NULL, NULL)))
2693 goto end;
2694 clientpsk = serverpsk = create_a_psk(clientssl, SHA384_DIGEST_LENGTH);
2695 if (!TEST_ptr(clientpsk))
2696 goto end;
2697 SSL_SESSION_up_ref(clientpsk);
2698
2699 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2700 SSL_ERROR_NONE))
2701 || !TEST_int_eq(1, find_session_cb_cnt)
2702 || !TEST_int_eq(1, use_session_cb_cnt)
2703 /* We should always get 1 ticket when using external PSK */
2704 || !TEST_int_eq(1, new_called))
2705 goto end;
2706
2707 testresult = 1;
2708
2709 end:
2710 SSL_free(serverssl);
2711 SSL_free(clientssl);
2712 SSL_CTX_free(sctx);
2713 SSL_CTX_free(cctx);
2714 SSL_SESSION_free(clientpsk);
2715 SSL_SESSION_free(serverpsk);
2716 clientpsk = serverpsk = NULL;
2717
2718 return testresult;
2719}
2720
2721static int test_extra_tickets(int idx)
2722{
2723 SSL_CTX *sctx = NULL, *cctx = NULL;
2724 SSL *serverssl = NULL, *clientssl = NULL;
2725 BIO *bretry = BIO_new(bio_s_always_retry());
2726 BIO *tmp = NULL;
2727 int testresult = 0;
2728 int stateful = 0;
2729 size_t nbytes;
2730 unsigned char c, buf[1];
2731
2732 new_called = 0;
2733 do_cache = 1;
2734
2735 if (idx >= 3) {
2736 idx -= 3;
2737 stateful = 1;
2738 }
2739
2740 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2741 goto end;
2742 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2743 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2744 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2745
2746 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2747 &clientssl, NULL, NULL)))
2748 goto end;
2749
2750 /*
2751 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2752 * incremented by both client and server.
2753 */
2754 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2755 SSL_ERROR_NONE))
2756 /* Check we got the number of tickets we were expecting */
2757 || !TEST_int_eq(idx * 2, new_called)
2758 || !TEST_true(SSL_new_session_ticket(serverssl))
2759 || !TEST_true(SSL_new_session_ticket(serverssl))
2760 || !TEST_int_eq(idx * 2, new_called))
2761 goto end;
2762
2763 /* Now try a (real) write to actually send the tickets */
2764 c = '1';
2765 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2766 || !TEST_size_t_eq(1, nbytes)
2767 || !TEST_int_eq(idx * 2 + 2, new_called)
2768 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2769 || !TEST_int_eq(idx * 2 + 4, new_called)
2770 || !TEST_int_eq(sizeof(buf), nbytes)
2771 || !TEST_int_eq(c, buf[0])
2772 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2773 goto end;
2774
2775 /* Try with only requesting one new ticket, too */
2776 c = '2';
2777 new_called = 0;
2778 if (!TEST_true(SSL_new_session_ticket(serverssl))
2779 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2780 || !TEST_size_t_eq(sizeof(c), nbytes)
2781 || !TEST_int_eq(1, new_called)
2782 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2783 || !TEST_int_eq(2, new_called)
2784 || !TEST_size_t_eq(sizeof(buf), nbytes)
2785 || !TEST_int_eq(c, buf[0]))
2786 goto end;
2787
2788 /* Do it again but use dummy writes to drive the ticket generation */
2789 c = '3';
2790 new_called = 0;
2791 if (!TEST_true(SSL_new_session_ticket(serverssl))
2792 || !TEST_true(SSL_new_session_ticket(serverssl))
2793 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2794 || !TEST_size_t_eq(0, nbytes)
2795 || !TEST_int_eq(2, new_called)
2796 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2797 || !TEST_int_eq(4, new_called))
2798 goto end;
2799
2800 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2801 c = '4';
2802 new_called = 0;
2803 if (!TEST_true(SSL_new_session_ticket(serverssl))
2804 || !TEST_true(SSL_new_session_ticket(serverssl))
2805 || !TEST_true(SSL_do_handshake(serverssl))
2806 || !TEST_int_eq(2, new_called)
2807 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2808 || !TEST_int_eq(4, new_called))
2809 goto end;
2810
2811 /*
2812 * Use the always-retry BIO to exercise the logic that forces ticket
2813 * generation to wait until a record boundary.
2814 */
2815 c = '5';
2816 new_called = 0;
2817 tmp = SSL_get_wbio(serverssl);
2818 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2819 tmp = NULL;
2820 goto end;
2821 }
2822 SSL_set0_wbio(serverssl, bretry);
2823 bretry = NULL;
2824 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2825 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2826 || !TEST_size_t_eq(nbytes, 0))
2827 goto end;
2828 /* Restore a BIO that will let the write succeed */
2829 SSL_set0_wbio(serverssl, tmp);
2830 tmp = NULL;
2831 /*
2832 * These calls should just queue the request and not send anything
2833 * even if we explicitly try to hit the state machine.
2834 */
2835 if (!TEST_true(SSL_new_session_ticket(serverssl))
2836 || !TEST_true(SSL_new_session_ticket(serverssl))
2837 || !TEST_int_eq(0, new_called)
2838 || !TEST_true(SSL_do_handshake(serverssl))
2839 || !TEST_int_eq(0, new_called))
2840 goto end;
2841 /* Re-do the write; still no tickets sent */
2842 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2843 || !TEST_size_t_eq(1, nbytes)
2844 || !TEST_int_eq(0, new_called)
2845 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2846 || !TEST_int_eq(0, new_called)
2847 || !TEST_int_eq(sizeof(buf), nbytes)
2848 || !TEST_int_eq(c, buf[0])
2849 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2850 goto end;
2851 /* Even trying to hit the state machine now will still not send tickets */
2852 if (!TEST_true(SSL_do_handshake(serverssl))
2853 || !TEST_int_eq(0, new_called))
2854 goto end;
2855 /* Now the *next* write should send the tickets */
2856 c = '6';
2857 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2858 || !TEST_size_t_eq(1, nbytes)
2859 || !TEST_int_eq(2, new_called)
2860 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2861 || !TEST_int_eq(4, new_called)
2862 || !TEST_int_eq(sizeof(buf), nbytes)
2863 || !TEST_int_eq(c, buf[0])
2864 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2865 goto end;
2866
2867 SSL_shutdown(clientssl);
2868 SSL_shutdown(serverssl);
2869 testresult = 1;
2870
2871 end:
2872 BIO_free(bretry);
2873 BIO_free(tmp);
2874 SSL_free(serverssl);
2875 SSL_free(clientssl);
2876 SSL_CTX_free(sctx);
2877 SSL_CTX_free(cctx);
2878 clientssl = serverssl = NULL;
2879 sctx = cctx = NULL;
2880 return testresult;
2881}
2882#endif
2883
2884#define USE_NULL 0
2885#define USE_BIO_1 1
2886#define USE_BIO_2 2
2887#define USE_DEFAULT 3
2888
2889#define CONNTYPE_CONNECTION_SUCCESS 0
2890#define CONNTYPE_CONNECTION_FAIL 1
2891#define CONNTYPE_NO_CONNECTION 2
2892
2893#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2894#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2895#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2896# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2897#else
2898# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2899#endif
2900
2901#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2902 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2903 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2904
2905static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2906{
2907 switch (type) {
2908 case USE_NULL:
2909 *res = NULL;
2910 break;
2911 case USE_BIO_1:
2912 *res = bio1;
2913 break;
2914 case USE_BIO_2:
2915 *res = bio2;
2916 break;
2917 }
2918}
2919
2920
2921/*
2922 * Tests calls to SSL_set_bio() under various conditions.
2923 *
2924 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2925 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2926 * then do more tests where we create a successful connection first using our
2927 * standard connection setup functions, and then call SSL_set_bio() with
2928 * various combinations of valid BIOs or NULL. We then repeat these tests
2929 * following a failed connection. In this last case we are looking to check that
2930 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2931 */
2932static int test_ssl_set_bio(int idx)
2933{
2934 SSL_CTX *sctx = NULL, *cctx = NULL;
2935 BIO *bio1 = NULL;
2936 BIO *bio2 = NULL;
2937 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2938 SSL *serverssl = NULL, *clientssl = NULL;
2939 int initrbio, initwbio, newrbio, newwbio, conntype;
2940 int testresult = 0;
2941
2942 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2943 initrbio = idx % 3;
2944 idx /= 3;
2945 initwbio = idx % 3;
2946 idx /= 3;
2947 newrbio = idx % 3;
2948 idx /= 3;
2949 newwbio = idx % 3;
2950 conntype = CONNTYPE_NO_CONNECTION;
2951 } else {
2952 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2953 initrbio = initwbio = USE_DEFAULT;
2954 newrbio = idx % 2;
2955 idx /= 2;
2956 newwbio = idx % 2;
2957 idx /= 2;
2958 conntype = idx % 2;
2959 }
2960
2961 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2962 TLS_client_method(), TLS1_VERSION, 0,
2963 &sctx, &cctx, cert, privkey)))
2964 goto end;
2965
2966 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2967 /*
2968 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2969 * because we reduced the number of tests in the definition of
2970 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2971 * mismatched protocol versions we will force a connection failure.
2972 */
2973 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2974 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2975 }
2976
2977 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2978 NULL, NULL)))
2979 goto end;
2980
2981 if (initrbio == USE_BIO_1
2982 || initwbio == USE_BIO_1
2983 || newrbio == USE_BIO_1
2984 || newwbio == USE_BIO_1) {
2985 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2986 goto end;
2987 }
2988
2989 if (initrbio == USE_BIO_2
2990 || initwbio == USE_BIO_2
2991 || newrbio == USE_BIO_2
2992 || newwbio == USE_BIO_2) {
2993 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2994 goto end;
2995 }
2996
2997 if (initrbio != USE_DEFAULT) {
2998 setupbio(&irbio, bio1, bio2, initrbio);
2999 setupbio(&iwbio, bio1, bio2, initwbio);
3000 SSL_set_bio(clientssl, irbio, iwbio);
3001
3002 /*
3003 * We want to maintain our own refs to these BIO, so do an up ref for
3004 * each BIO that will have ownership transferred in the SSL_set_bio()
3005 * call
3006 */
3007 if (irbio != NULL)
3008 BIO_up_ref(irbio);
3009 if (iwbio != NULL && iwbio != irbio)
3010 BIO_up_ref(iwbio);
3011 }
3012
3013 if (conntype != CONNTYPE_NO_CONNECTION
3014 && !TEST_true(create_ssl_connection(serverssl, clientssl,
3015 SSL_ERROR_NONE)
3016 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
3017 goto end;
3018
3019 setupbio(&nrbio, bio1, bio2, newrbio);
3020 setupbio(&nwbio, bio1, bio2, newwbio);
3021
3022 /*
3023 * We will (maybe) transfer ownership again so do more up refs.
3024 * SSL_set_bio() has some really complicated ownership rules where BIOs have
3025 * already been set!
3026 */
3027 if (nrbio != NULL
3028 && nrbio != irbio
3029 && (nwbio != iwbio || nrbio != nwbio))
3030 BIO_up_ref(nrbio);
3031 if (nwbio != NULL
3032 && nwbio != nrbio
3033 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
3034 BIO_up_ref(nwbio);
3035
3036 SSL_set_bio(clientssl, nrbio, nwbio);
3037
3038 testresult = 1;
3039
3040 end:
3041 BIO_free(bio1);
3042 BIO_free(bio2);
3043
3044 /*
3045 * This test is checking that the ref counting for SSL_set_bio is correct.
3046 * If we get here and we did too many frees then we will fail in the above
3047 * functions.
3048 */
3049 SSL_free(serverssl);
3050 SSL_free(clientssl);
3051 SSL_CTX_free(sctx);
3052 SSL_CTX_free(cctx);
3053 return testresult;
3054}
3055
3056typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
3057
3058static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
3059{
3060 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
3061 SSL_CTX *ctx;
3062 SSL *ssl = NULL;
3063 int testresult = 0;
3064
3065 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
3066 || !TEST_ptr(ssl = SSL_new(ctx))
3067 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
3068 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
3069 goto end;
3070
3071 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
3072
3073 /*
3074 * If anything goes wrong here then we could leak memory.
3075 */
3076 BIO_push(sslbio, membio1);
3077
3078 /* Verify changing the rbio/wbio directly does not cause leaks */
3079 if (change_bio != NO_BIO_CHANGE) {
3080 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
3081 ssl = NULL;
3082 goto end;
3083 }
3084 if (change_bio == CHANGE_RBIO)
3085 SSL_set0_rbio(ssl, membio2);
3086 else
3087 SSL_set0_wbio(ssl, membio2);
3088 }
3089 ssl = NULL;
3090
3091 if (pop_ssl)
3092 BIO_pop(sslbio);
3093 else
3094 BIO_pop(membio1);
3095
3096 testresult = 1;
3097 end:
3098 BIO_free(membio1);
3099 BIO_free(sslbio);
3100 SSL_free(ssl);
3101 SSL_CTX_free(ctx);
3102
3103 return testresult;
3104}
3105
3106static int test_ssl_bio_pop_next_bio(void)
3107{
3108 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
3109}
3110
3111static int test_ssl_bio_pop_ssl_bio(void)
3112{
3113 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
3114}
3115
3116static int test_ssl_bio_change_rbio(void)
3117{
3118 return execute_test_ssl_bio(0, CHANGE_RBIO);
3119}
3120
3121static int test_ssl_bio_change_wbio(void)
3122{
3123 return execute_test_ssl_bio(0, CHANGE_WBIO);
3124}
3125
3126#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
3127typedef struct {
3128 /* The list of sig algs */
3129 const int *list;
3130 /* The length of the list */
3131 size_t listlen;
3132 /* A sigalgs list in string format */
3133 const char *liststr;
3134 /* Whether setting the list should succeed */
3135 int valid;
3136 /* Whether creating a connection with the list should succeed */
3137 int connsuccess;
3138} sigalgs_list;
3139
3140static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
3141# ifndef OPENSSL_NO_EC
3142static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
3143static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
3144# endif
3145static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
3146static const int invalidlist2[] = {NID_sha256, NID_undef};
3147static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
3148static const int invalidlist4[] = {NID_sha256};
3149static const sigalgs_list testsigalgs[] = {
3150 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
3151# ifndef OPENSSL_NO_EC
3152 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
3153 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
3154# endif
3155 {NULL, 0, "RSA+SHA256", 1, 1},
3156 {NULL, 0, "RSA+SHA256:?Invalid", 1, 1},
3157# ifndef OPENSSL_NO_EC
3158 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
3159 {NULL, 0, "ECDSA+SHA512", 1, 0},
3160# endif
3161 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
3162 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
3163 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
3164 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
3165 {NULL, 0, "RSA", 0, 0},
3166 {NULL, 0, "SHA256", 0, 0},
3167 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
3168 {NULL, 0, "Invalid", 0, 0}
3169};
3170
3171static int test_set_sigalgs(int idx)
3172{
3173 SSL_CTX *cctx = NULL, *sctx = NULL;
3174 SSL *clientssl = NULL, *serverssl = NULL;
3175 int testresult = 0;
3176 const sigalgs_list *curr;
3177 int testctx;
3178
3179 /* Should never happen */
3180 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
3181 return 0;
3182
3183 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
3184 curr = testctx ? &testsigalgs[idx]
3185 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
3186
3187 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3188 TLS_client_method(), TLS1_VERSION, 0,
3189 &sctx, &cctx, cert, privkey)))
3190 return 0;
3191
3192 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
3193
3194 if (testctx) {
3195 int ret;
3196
3197 if (curr->list != NULL)
3198 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
3199 else
3200 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
3201
3202 if (!ret) {
3203 if (curr->valid)
3204 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
3205 else
3206 testresult = 1;
3207 goto end;
3208 }
3209 if (!curr->valid) {
3210 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
3211 goto end;
3212 }
3213 }
3214
3215 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3216 &clientssl, NULL, NULL)))
3217 goto end;
3218
3219 if (!testctx) {
3220 int ret;
3221
3222 if (curr->list != NULL)
3223 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
3224 else
3225 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
3226 if (!ret) {
3227 if (curr->valid)
3228 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
3229 else
3230 testresult = 1;
3231 goto end;
3232 }
3233 if (!curr->valid)
3234 goto end;
3235 }
3236
3237 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
3238 SSL_ERROR_NONE),
3239 curr->connsuccess))
3240 goto end;
3241
3242 testresult = 1;
3243
3244 end:
3245 SSL_free(serverssl);
3246 SSL_free(clientssl);
3247 SSL_CTX_free(sctx);
3248 SSL_CTX_free(cctx);
3249
3250 return testresult;
3251}
3252#endif
3253
3254#ifndef OSSL_NO_USABLE_TLS1_3
3255static int psk_client_cb_cnt = 0;
3256static int psk_server_cb_cnt = 0;
3257
3258static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3259 size_t *idlen, SSL_SESSION **sess)
3260{
3261 switch (++use_session_cb_cnt) {
3262 case 1:
3263 /* The first call should always have a NULL md */
3264 if (md != NULL)
3265 return 0;
3266 break;
3267
3268 case 2:
3269 /* The second call should always have an md */
3270 if (md == NULL)
3271 return 0;
3272 break;
3273
3274 default:
3275 /* We should only be called a maximum of twice */
3276 return 0;
3277 }
3278
3279 if (clientpsk != NULL)
3280 SSL_SESSION_up_ref(clientpsk);
3281
3282 *sess = clientpsk;
3283 *id = (const unsigned char *)pskid;
3284 *idlen = strlen(pskid);
3285
3286 return 1;
3287}
3288
3289#ifndef OPENSSL_NO_PSK
3290static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3291 unsigned int max_id_len,
3292 unsigned char *psk,
3293 unsigned int max_psk_len)
3294{
3295 unsigned int psklen = 0;
3296
3297 psk_client_cb_cnt++;
3298
3299 if (strlen(pskid) + 1 > max_id_len)
3300 return 0;
3301
3302 /* We should only ever be called a maximum of twice per connection */
3303 if (psk_client_cb_cnt > 2)
3304 return 0;
3305
3306 if (clientpsk == NULL)
3307 return 0;
3308
3309 /* We'll reuse the PSK we set up for TLSv1.3 */
3310 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3311 return 0;
3312 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3313 strncpy(id, pskid, max_id_len);
3314
3315 return psklen;
3316}
3317#endif /* OPENSSL_NO_PSK */
3318
3319static int find_session_cb(SSL *ssl, const unsigned char *identity,
3320 size_t identity_len, SSL_SESSION **sess)
3321{
3322 find_session_cb_cnt++;
3323
3324 /* We should only ever be called a maximum of twice per connection */
3325 if (find_session_cb_cnt > 2)
3326 return 0;
3327
3328 if (serverpsk == NULL)
3329 return 0;
3330
3331 /* Identity should match that set by the client */
3332 if (strlen(srvid) != identity_len
3333 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3334 /* No PSK found, continue but without a PSK */
3335 *sess = NULL;
3336 return 1;
3337 }
3338
3339 SSL_SESSION_up_ref(serverpsk);
3340 *sess = serverpsk;
3341
3342 return 1;
3343}
3344
3345#ifndef OPENSSL_NO_PSK
3346static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3347 unsigned char *psk, unsigned int max_psk_len)
3348{
3349 unsigned int psklen = 0;
3350
3351 psk_server_cb_cnt++;
3352
3353 /* We should only ever be called a maximum of twice per connection */
3354 if (find_session_cb_cnt > 2)
3355 return 0;
3356
3357 if (serverpsk == NULL)
3358 return 0;
3359
3360 /* Identity should match that set by the client */
3361 if (strcmp(srvid, identity) != 0) {
3362 return 0;
3363 }
3364
3365 /* We'll reuse the PSK we set up for TLSv1.3 */
3366 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3367 return 0;
3368 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3369
3370 return psklen;
3371}
3372#endif /* OPENSSL_NO_PSK */
3373
3374#define MSG1 "Hello"
3375#define MSG2 "World."
3376#define MSG3 "This"
3377#define MSG4 "is"
3378#define MSG5 "a"
3379#define MSG6 "test"
3380#define MSG7 "message."
3381
3382static int artificial_ticket_time = 0;
3383
3384static int sub_session_time(SSL_SESSION *sess)
3385{
3386 OSSL_TIME tick_time;
3387
3388 tick_time = ossl_time_from_time_t(SSL_SESSION_get_time_ex(sess));
3389 tick_time = ossl_time_subtract(tick_time, ossl_seconds2time(10));
3390
3391 return SSL_SESSION_set_time_ex(sess, ossl_time_to_time_t(tick_time)) != 0;
3392}
3393
3394static int ed_gen_cb(SSL *s, void *arg)
3395{
3396 SSL_SESSION *sess = SSL_get0_session(s);
3397
3398 if (sess == NULL)
3399 return 0;
3400
3401 /*
3402 * Artificially give the ticket some age. Just do it for the number of
3403 * tickets we've been told to do.
3404 */
3405 if (artificial_ticket_time == 0)
3406 return 1;
3407 artificial_ticket_time--;
3408
3409 return sub_session_time(sess);
3410}
3411
3412/*
3413 * Helper method to setup objects for early data test. Caller frees objects on
3414 * error.
3415 */
3416static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3417 SSL **serverssl, SSL_SESSION **sess, int idx,
3418 size_t mdsize)
3419{
3420 int artificial = (artificial_ticket_time > 0);
3421
3422 if (*sctx == NULL
3423 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3424 TLS_client_method(),
3425 TLS1_VERSION, 0,
3426 sctx, cctx, cert, privkey)))
3427 return 0;
3428
3429 if (artificial)
3430 SSL_CTX_set_session_ticket_cb(*sctx, ed_gen_cb, NULL, NULL);
3431
3432 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
3433 return 0;
3434
3435 if (idx == 1) {
3436 /* When idx == 1 we repeat the tests with read_ahead set */
3437 SSL_CTX_set_read_ahead(*cctx, 1);
3438 SSL_CTX_set_read_ahead(*sctx, 1);
3439 } else if (idx == 2) {
3440 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3441 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3442 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3443 use_session_cb_cnt = 0;
3444 find_session_cb_cnt = 0;
3445 srvid = pskid;
3446 }
3447
3448 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
3449 NULL, NULL)))
3450 return 0;
3451
3452 /*
3453 * For one of the run throughs (doesn't matter which one), we'll try sending
3454 * some SNI data in the initial ClientHello. This will be ignored (because
3455 * there is no SNI cb set up by the server), so it should not impact
3456 * early_data.
3457 */
3458 if (idx == 1
3459 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3460 return 0;
3461
3462 if (idx == 2) {
3463 clientpsk = create_a_psk(*clientssl, mdsize);
3464 if (!TEST_ptr(clientpsk)
3465 /*
3466 * We just choose an arbitrary value for max_early_data which
3467 * should be big enough for testing purposes.
3468 */
3469 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3470 0x100))
3471 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3472 SSL_SESSION_free(clientpsk);
3473 clientpsk = NULL;
3474 return 0;
3475 }
3476 serverpsk = clientpsk;
3477
3478 if (sess != NULL) {
3479 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3480 SSL_SESSION_free(clientpsk);
3481 SSL_SESSION_free(serverpsk);
3482 clientpsk = serverpsk = NULL;
3483 return 0;
3484 }
3485 *sess = clientpsk;
3486 }
3487 return 1;
3488 }
3489
3490 if (sess == NULL)
3491 return 1;
3492
3493 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3494 SSL_ERROR_NONE)))
3495 return 0;
3496
3497 *sess = SSL_get1_session(*clientssl);
3498 SSL_shutdown(*clientssl);
3499 SSL_shutdown(*serverssl);
3500 SSL_free(*serverssl);
3501 SSL_free(*clientssl);
3502 *serverssl = *clientssl = NULL;
3503
3504 /*
3505 * Artificially give the ticket some age to match the artificial age we
3506 * gave it on the server side
3507 */
3508 if (artificial
3509 && !TEST_true(sub_session_time(*sess)))
3510 return 0;
3511
3512 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3513 clientssl, NULL, NULL))
3514 || !TEST_true(SSL_set_session(*clientssl, *sess)))
3515 return 0;
3516
3517 return 1;
3518}
3519
3520static int check_early_data_timeout(OSSL_TIME timer)
3521{
3522 int res = 0;
3523
3524 /*
3525 * Early data is time sensitive. We have an approx 8 second allowance
3526 * between writing the early data and reading it. If we exceed that time
3527 * then this test will fail. This can sometimes (rarely) occur in normal CI
3528 * operation. We can try and detect this and just ignore the result of this
3529 * test if it has taken too long. We assume anything over 7 seconds is too
3530 * long
3531 */
3532 timer = ossl_time_subtract(ossl_time_now(), timer);
3533 if (ossl_time_compare(timer, ossl_seconds2time(7)) >= 0)
3534 res = TEST_skip("Test took too long, ignoring result");
3535
3536 return res;
3537}
3538
3539static int test_early_data_read_write(int idx)
3540{
3541 SSL_CTX *cctx = NULL, *sctx = NULL;
3542 SSL *clientssl = NULL, *serverssl = NULL;
3543 int testresult = 0;
3544 SSL_SESSION *sess = NULL;
3545 unsigned char buf[20], data[1024];
3546 size_t readbytes, written, eoedlen, rawread, rawwritten;
3547 BIO *rbio;
3548 OSSL_TIME timer;
3549
3550 /* Artificially give the next 2 tickets some age for non PSK sessions */
3551 if (idx != 2)
3552 artificial_ticket_time = 2;
3553 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3554 &serverssl, &sess, idx,
3555 SHA384_DIGEST_LENGTH))) {
3556 artificial_ticket_time = 0;
3557 goto end;
3558 }
3559 artificial_ticket_time = 0;
3560
3561 /* Write and read some early data */
3562 timer = ossl_time_now();
3563 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3564 &written))
3565 || !TEST_size_t_eq(written, strlen(MSG1)))
3566 goto end;
3567
3568 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3569 &readbytes),
3570 SSL_READ_EARLY_DATA_SUCCESS)) {
3571 testresult = check_early_data_timeout(timer);
3572 goto end;
3573 }
3574
3575 if (!TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3576 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3577 SSL_EARLY_DATA_ACCEPTED))
3578 goto end;
3579
3580 /*
3581 * Server should be able to write data, and client should be able to
3582 * read it.
3583 */
3584 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3585 &written))
3586 || !TEST_size_t_eq(written, strlen(MSG2))
3587 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3588 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3589 goto end;
3590
3591 /* Even after reading normal data, client should be able write early data */
3592 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3593 &written))
3594 || !TEST_size_t_eq(written, strlen(MSG3)))
3595 goto end;
3596
3597 /* Server should still be able read early data after writing data */
3598 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3599 &readbytes),
3600 SSL_READ_EARLY_DATA_SUCCESS)
3601 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3602 goto end;
3603
3604 /* Write more data from server and read it from client */
3605 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3606 &written))
3607 || !TEST_size_t_eq(written, strlen(MSG4))
3608 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3609 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3610 goto end;
3611
3612 /*
3613 * If client writes normal data it should mean writing early data is no
3614 * longer possible.
3615 */
3616 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3617 || !TEST_size_t_eq(written, strlen(MSG5))
3618 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3619 SSL_EARLY_DATA_ACCEPTED))
3620 goto end;
3621
3622 /*
3623 * At this point the client has written EndOfEarlyData, ClientFinished and
3624 * normal (fully protected) data. We are going to cause a delay between the
3625 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3626 * in the read BIO, and then just put back the EndOfEarlyData message.
3627 */
3628 rbio = SSL_get_rbio(serverssl);
3629 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3630 || !TEST_size_t_lt(rawread, sizeof(data))
3631 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3632 goto end;
3633
3634 /* Record length is in the 4th and 5th bytes of the record header */
3635 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3636 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3637 || !TEST_size_t_eq(rawwritten, eoedlen))
3638 goto end;
3639
3640 /* Server should be told that there is no more early data */
3641 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3642 &readbytes),
3643 SSL_READ_EARLY_DATA_FINISH)
3644 || !TEST_size_t_eq(readbytes, 0))
3645 goto end;
3646
3647 /*
3648 * Server has not finished init yet, so should still be able to write early
3649 * data.
3650 */
3651 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3652 &written))
3653 || !TEST_size_t_eq(written, strlen(MSG6)))
3654 goto end;
3655
3656 /* Push the ClientFinished and the normal data back into the server rbio */
3657 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3658 &rawwritten))
3659 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3660 goto end;
3661
3662 /* Server should be able to read normal data */
3663 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3664 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3665 goto end;
3666
3667 /* Client and server should not be able to write/read early data now */
3668 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3669 &written)))
3670 goto end;
3671 ERR_clear_error();
3672 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3673 &readbytes),
3674 SSL_READ_EARLY_DATA_ERROR))
3675 goto end;
3676 ERR_clear_error();
3677
3678 /* Client should be able to read the data sent by the server */
3679 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3680 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3681 goto end;
3682
3683 /*
3684 * Make sure we process the two NewSessionTickets. These arrive
3685 * post-handshake. We attempt reads which we do not expect to return any
3686 * data.
3687 */
3688 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3689 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3690 &readbytes)))
3691 goto end;
3692
3693 /* Server should be able to write normal data */
3694 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3695 || !TEST_size_t_eq(written, strlen(MSG7))
3696 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3697 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3698 goto end;
3699
3700 SSL_SESSION_free(sess);
3701 sess = SSL_get1_session(clientssl);
3702 use_session_cb_cnt = 0;
3703 find_session_cb_cnt = 0;
3704
3705 SSL_shutdown(clientssl);
3706 SSL_shutdown(serverssl);
3707 SSL_free(serverssl);
3708 SSL_free(clientssl);
3709 serverssl = clientssl = NULL;
3710 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3711 &clientssl, NULL, NULL))
3712 || !TEST_true(SSL_set_session(clientssl, sess)))
3713 goto end;
3714
3715 /* Write and read some early data */
3716 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3717 &written))
3718 || !TEST_size_t_eq(written, strlen(MSG1))
3719 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3720 &readbytes),
3721 SSL_READ_EARLY_DATA_SUCCESS)
3722 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3723 goto end;
3724
3725 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3726 || !TEST_int_gt(SSL_accept(serverssl), 0))
3727 goto end;
3728
3729 /* Client and server should not be able to write/read early data now */
3730 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3731 &written)))
3732 goto end;
3733 ERR_clear_error();
3734 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3735 &readbytes),
3736 SSL_READ_EARLY_DATA_ERROR))
3737 goto end;
3738 ERR_clear_error();
3739
3740 /* Client and server should be able to write/read normal data */
3741 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3742 || !TEST_size_t_eq(written, strlen(MSG5))
3743 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3744 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3745 goto end;
3746
3747 testresult = 1;
3748
3749 end:
3750 SSL_SESSION_free(sess);
3751 SSL_SESSION_free(clientpsk);
3752 SSL_SESSION_free(serverpsk);
3753 clientpsk = serverpsk = NULL;
3754 SSL_free(serverssl);
3755 SSL_free(clientssl);
3756 SSL_CTX_free(sctx);
3757 SSL_CTX_free(cctx);
3758 return testresult;
3759}
3760
3761static int allow_ed_cb_called = 0;
3762
3763static int allow_early_data_cb(SSL *s, void *arg)
3764{
3765 int *usecb = (int *)arg;
3766
3767 allow_ed_cb_called++;
3768
3769 if (*usecb == 1)
3770 return 0;
3771
3772 return 1;
3773}
3774
3775/*
3776 * idx == 0: Standard early_data setup
3777 * idx == 1: early_data setup using read_ahead
3778 * usecb == 0: Don't use a custom early data callback
3779 * usecb == 1: Use a custom early data callback and reject the early data
3780 * usecb == 2: Use a custom early data callback and accept the early data
3781 * confopt == 0: Configure anti-replay directly
3782 * confopt == 1: Configure anti-replay using SSL_CONF
3783 */
3784static int test_early_data_replay_int(int idx, int usecb, int confopt)
3785{
3786 SSL_CTX *cctx = NULL, *sctx = NULL;
3787 SSL *clientssl = NULL, *serverssl = NULL;
3788 int testresult = 0;
3789 SSL_SESSION *sess = NULL;
3790 size_t readbytes, written;
3791 unsigned char buf[20];
3792 OSSL_TIME timer;
3793
3794 allow_ed_cb_called = 0;
3795
3796 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3797 TLS_client_method(), TLS1_VERSION, 0,
3798 &sctx, &cctx, cert, privkey)))
3799 return 0;
3800
3801 if (usecb > 0) {
3802 if (confopt == 0) {
3803 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3804 } else {
3805 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3806
3807 if (!TEST_ptr(confctx))
3808 goto end;
3809 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3810 | SSL_CONF_FLAG_SERVER);
3811 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3812 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3813 2)) {
3814 SSL_CONF_CTX_free(confctx);
3815 goto end;
3816 }
3817 SSL_CONF_CTX_free(confctx);
3818 }
3819 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3820 }
3821
3822 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3823 &serverssl, &sess, idx,
3824 SHA384_DIGEST_LENGTH)))
3825 goto end;
3826
3827 /*
3828 * The server is configured to accept early data. Create a connection to
3829 * "use up" the ticket
3830 */
3831 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3832 || !TEST_true(SSL_session_reused(clientssl)))
3833 goto end;
3834
3835 SSL_shutdown(clientssl);
3836 SSL_shutdown(serverssl);
3837 SSL_free(serverssl);
3838 SSL_free(clientssl);
3839 serverssl = clientssl = NULL;
3840
3841 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3842 &clientssl, NULL, NULL))
3843 || !TEST_true(SSL_set_session(clientssl, sess)))
3844 goto end;
3845
3846 /* Write and read some early data */
3847 timer = ossl_time_now();
3848 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3849 &written))
3850 || !TEST_size_t_eq(written, strlen(MSG1)))
3851 goto end;
3852
3853 if (usecb <= 1) {
3854 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3855 &readbytes),
3856 SSL_READ_EARLY_DATA_FINISH)
3857 /*
3858 * The ticket was reused, so the we should have rejected the
3859 * early data
3860 */
3861 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3862 SSL_EARLY_DATA_REJECTED))
3863 goto end;
3864 } else {
3865 /* In this case the callback decides to accept the early data */
3866 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3867 &readbytes),
3868 SSL_READ_EARLY_DATA_SUCCESS)) {
3869 testresult = check_early_data_timeout(timer);
3870 goto end;
3871 }
3872 if (!TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3873 /*
3874 * Server will have sent its flight so client can now send
3875 * end of early data and complete its half of the handshake
3876 */
3877 || !TEST_int_gt(SSL_connect(clientssl), 0)
3878 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3879 &readbytes),
3880 SSL_READ_EARLY_DATA_FINISH)
3881 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3882 SSL_EARLY_DATA_ACCEPTED))
3883 goto end;
3884 }
3885
3886 /* Complete the connection */
3887 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3888 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3889 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3890 goto end;
3891
3892 testresult = 1;
3893
3894 end:
3895 SSL_SESSION_free(sess);
3896 SSL_SESSION_free(clientpsk);
3897 SSL_SESSION_free(serverpsk);
3898 clientpsk = serverpsk = NULL;
3899 SSL_free(serverssl);
3900 SSL_free(clientssl);
3901 SSL_CTX_free(sctx);
3902 SSL_CTX_free(cctx);
3903 return testresult;
3904}
3905
3906static int test_early_data_replay(int idx)
3907{
3908 int ret = 1, usecb, confopt;
3909
3910 for (usecb = 0; usecb < 3; usecb++) {
3911 for (confopt = 0; confopt < 2; confopt++)
3912 ret &= test_early_data_replay_int(idx, usecb, confopt);
3913 }
3914
3915 return ret;
3916}
3917
3918static const char *ciphersuites[] = {
3919 "TLS_AES_128_CCM_8_SHA256",
3920 "TLS_AES_128_GCM_SHA256",
3921 "TLS_AES_256_GCM_SHA384",
3922 "TLS_AES_128_CCM_SHA256",
3923#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3924 "TLS_CHACHA20_POLY1305_SHA256",
3925#else
3926 NULL,
3927#endif
3928#if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS)
3929 "TLS_SHA256_SHA256",
3930 "TLS_SHA384_SHA384"
3931#endif
3932};
3933
3934/*
3935 * Helper function to test that a server attempting to read early data can
3936 * handle a connection from a client where the early data should be skipped.
3937 * testtype: 0 == No HRR
3938 * testtype: 1 == HRR
3939 * testtype: 2 == HRR, invalid early_data sent after HRR
3940 * testtype: 3 == recv_max_early_data set to 0
3941 */
3942static int early_data_skip_helper(int testtype, int cipher, int idx)
3943{
3944 SSL_CTX *cctx = NULL, *sctx = NULL;
3945 SSL *clientssl = NULL, *serverssl = NULL;
3946 int testresult = 0;
3947 SSL_SESSION *sess = NULL;
3948 unsigned char buf[20];
3949 size_t readbytes, written;
3950
3951 if (is_fips && cipher >= 4)
3952 return 1;
3953
3954 if (ciphersuites[cipher] == NULL)
3955 return TEST_skip("Cipher not supported");
3956
3957 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3958 TLS_client_method(),
3959 TLS1_VERSION, 0,
3960 &sctx, &cctx, cert, privkey)))
3961 goto end;
3962
3963 if (cipher == 0 || cipher == 5 || cipher == 6) {
3964 SSL_CTX_set_security_level(sctx, 0);
3965 SSL_CTX_set_security_level(cctx, 0);
3966 }
3967
3968 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, ciphersuites[cipher]))
3969 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, ciphersuites[cipher])))
3970 goto end;
3971
3972 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3973 &serverssl, &sess, idx,
3974 (cipher == 2 || cipher == 6)
3975 ? SHA384_DIGEST_LENGTH
3976 : SHA256_DIGEST_LENGTH)))
3977 goto end;
3978
3979 if (testtype == 1 || testtype == 2) {
3980 /* Force an HRR to occur */
3981#if defined(OPENSSL_NO_EC)
3982 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3983 goto end;
3984#else
3985 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
3986 goto end;
3987#endif
3988 } else if (idx == 2) {
3989 /*
3990 * We force early_data rejection by ensuring the PSK identity is
3991 * unrecognised
3992 */
3993 srvid = "Dummy Identity";
3994 } else {
3995 /*
3996 * Deliberately corrupt the creation time. We take 20 seconds off the
3997 * time. It could be any value as long as it is not within tolerance.
3998 * This should mean the ticket is rejected.
3999 */
4000 if (!TEST_true(SSL_SESSION_set_time_ex(sess, time(NULL) - 20)))
4001 goto end;
4002 }
4003
4004 if (testtype == 3
4005 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
4006 goto end;
4007
4008 /* Write some early data */
4009 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4010 &written))
4011 || !TEST_size_t_eq(written, strlen(MSG1)))
4012 goto end;
4013
4014 /* Server should reject the early data */
4015 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4016 &readbytes),
4017 SSL_READ_EARLY_DATA_FINISH)
4018 || !TEST_size_t_eq(readbytes, 0)
4019 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4020 SSL_EARLY_DATA_REJECTED))
4021 goto end;
4022
4023 switch (testtype) {
4024 case 0:
4025 /* Nothing to do */
4026 break;
4027
4028 case 1:
4029 /*
4030 * Finish off the handshake. We perform the same writes and reads as
4031 * further down but we expect them to fail due to the incomplete
4032 * handshake.
4033 */
4034 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4035 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
4036 &readbytes)))
4037 goto end;
4038 break;
4039
4040 case 2:
4041 {
4042 BIO *wbio = SSL_get_wbio(clientssl);
4043 /* A record that will appear as bad early_data */
4044 const unsigned char bad_early_data[] = {
4045 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
4046 };
4047
4048 /*
4049 * We force the client to attempt a write. This will fail because
4050 * we're still in the handshake. It will cause the second
4051 * ClientHello to be sent.
4052 */
4053 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
4054 &written)))
4055 goto end;
4056
4057 /*
4058 * Inject some early_data after the second ClientHello. This should
4059 * cause the server to fail
4060 */
4061 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
4062 sizeof(bad_early_data), &written)))
4063 goto end;
4064 }
4065 /* fallthrough */
4066
4067 case 3:
4068 /*
4069 * This client has sent more early_data than we are willing to skip
4070 * (case 3) or sent invalid early_data (case 2) so the connection should
4071 * abort.
4072 */
4073 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4074 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
4075 goto end;
4076
4077 /* Connection has failed - nothing more to do */
4078 testresult = 1;
4079 goto end;
4080
4081 default:
4082 TEST_error("Invalid test type");
4083 goto end;
4084 }
4085
4086 ERR_clear_error();
4087 /*
4088 * Should be able to send normal data despite rejection of early data. The
4089 * early_data should be skipped.
4090 */
4091 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4092 || !TEST_size_t_eq(written, strlen(MSG2))
4093 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4094 SSL_EARLY_DATA_REJECTED)
4095 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4096 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4097 goto end;
4098
4099 /*
4100 * Failure to decrypt early data records should not leave spurious errors
4101 * on the error stack
4102 */
4103 if (!TEST_long_eq(ERR_peek_error(), 0))
4104 goto end;
4105
4106 testresult = 1;
4107
4108 end:
4109 SSL_SESSION_free(clientpsk);
4110 SSL_SESSION_free(serverpsk);
4111 clientpsk = serverpsk = NULL;
4112 SSL_SESSION_free(sess);
4113 SSL_free(serverssl);
4114 SSL_free(clientssl);
4115 SSL_CTX_free(sctx);
4116 SSL_CTX_free(cctx);
4117 return testresult;
4118}
4119
4120/*
4121 * Test that a server attempting to read early data can handle a connection
4122 * from a client where the early data is not acceptable.
4123 */
4124static int test_early_data_skip(int idx)
4125{
4126 return early_data_skip_helper(0,
4127 idx % OSSL_NELEM(ciphersuites),
4128 idx / OSSL_NELEM(ciphersuites));
4129}
4130
4131/*
4132 * Test that a server attempting to read early data can handle a connection
4133 * from a client where an HRR occurs.
4134 */
4135static int test_early_data_skip_hrr(int idx)
4136{
4137 return early_data_skip_helper(1,
4138 idx % OSSL_NELEM(ciphersuites),
4139 idx / OSSL_NELEM(ciphersuites));
4140}
4141
4142/*
4143 * Test that a server attempting to read early data can handle a connection
4144 * from a client where an HRR occurs and correctly fails if early_data is sent
4145 * after the HRR
4146 */
4147static int test_early_data_skip_hrr_fail(int idx)
4148{
4149 return early_data_skip_helper(2,
4150 idx % OSSL_NELEM(ciphersuites),
4151 idx / OSSL_NELEM(ciphersuites));
4152}
4153
4154/*
4155 * Test that a server attempting to read early data will abort if it tries to
4156 * skip over too much.
4157 */
4158static int test_early_data_skip_abort(int idx)
4159{
4160 return early_data_skip_helper(3,
4161 idx % OSSL_NELEM(ciphersuites),
4162 idx / OSSL_NELEM(ciphersuites));
4163}
4164
4165/*
4166 * Test that a server attempting to read early data can handle a connection
4167 * from a client that doesn't send any.
4168 */
4169static int test_early_data_not_sent(int idx)
4170{
4171 SSL_CTX *cctx = NULL, *sctx = NULL;
4172 SSL *clientssl = NULL, *serverssl = NULL;
4173 int testresult = 0;
4174 SSL_SESSION *sess = NULL;
4175 unsigned char buf[20];
4176 size_t readbytes, written;
4177
4178 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4179 &serverssl, &sess, idx,
4180 SHA384_DIGEST_LENGTH)))
4181 goto end;
4182
4183 /* Write some data - should block due to handshake with server */
4184 SSL_set_connect_state(clientssl);
4185 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4186 goto end;
4187
4188 /* Server should detect that early data has not been sent */
4189 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4190 &readbytes),
4191 SSL_READ_EARLY_DATA_FINISH)
4192 || !TEST_size_t_eq(readbytes, 0)
4193 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4194 SSL_EARLY_DATA_NOT_SENT)
4195 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4196 SSL_EARLY_DATA_NOT_SENT))
4197 goto end;
4198
4199 /* Continue writing the message we started earlier */
4200 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4201 || !TEST_size_t_eq(written, strlen(MSG1))
4202 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4203 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4204 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
4205 || !TEST_size_t_eq(written, strlen(MSG2)))
4206 goto end;
4207
4208 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4209 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4210 goto end;
4211
4212 testresult = 1;
4213
4214 end:
4215 SSL_SESSION_free(sess);
4216 SSL_SESSION_free(clientpsk);
4217 SSL_SESSION_free(serverpsk);
4218 clientpsk = serverpsk = NULL;
4219 SSL_free(serverssl);
4220 SSL_free(clientssl);
4221 SSL_CTX_free(sctx);
4222 SSL_CTX_free(cctx);
4223 return testresult;
4224}
4225
4226static const char *servalpn;
4227
4228static int alpn_select_cb(SSL *ssl, const unsigned char **out,
4229 unsigned char *outlen, const unsigned char *in,
4230 unsigned int inlen, void *arg)
4231{
4232 unsigned int protlen = 0;
4233 const unsigned char *prot;
4234
4235 for (prot = in; prot < in + inlen; prot += protlen) {
4236 protlen = *prot++;
4237 if (in + inlen < prot + protlen)
4238 return SSL_TLSEXT_ERR_NOACK;
4239
4240 if (protlen == strlen(servalpn)
4241 && memcmp(prot, servalpn, protlen) == 0) {
4242 *out = prot;
4243 *outlen = protlen;
4244 return SSL_TLSEXT_ERR_OK;
4245 }
4246 }
4247
4248 return SSL_TLSEXT_ERR_NOACK;
4249}
4250
4251/* Test that a PSK can be used to send early_data */
4252static int test_early_data_psk(int idx)
4253{
4254 SSL_CTX *cctx = NULL, *sctx = NULL;
4255 SSL *clientssl = NULL, *serverssl = NULL;
4256 int testresult = 0;
4257 SSL_SESSION *sess = NULL;
4258 unsigned char alpnlist[] = {
4259 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
4260 'l', 'p', 'n'
4261 };
4262#define GOODALPNLEN 9
4263#define BADALPNLEN 8
4264#define GOODALPN (alpnlist)
4265#define BADALPN (alpnlist + GOODALPNLEN)
4266 int err = 0;
4267 unsigned char buf[20];
4268 size_t readbytes, written;
4269 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
4270 int edstatus = SSL_EARLY_DATA_ACCEPTED;
4271
4272 /* We always set this up with a final parameter of "2" for PSK */
4273 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4274 &serverssl, &sess, 2,
4275 SHA384_DIGEST_LENGTH)))
4276 goto end;
4277
4278 servalpn = "goodalpn";
4279
4280 /*
4281 * Note: There is no test for inconsistent SNI with late client detection.
4282 * This is because servers do not acknowledge SNI even if they are using
4283 * it in a resumption handshake - so it is not actually possible for a
4284 * client to detect a problem.
4285 */
4286 switch (idx) {
4287 case 0:
4288 /* Set inconsistent SNI (early client detection) */
4289 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
4290 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4291 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
4292 goto end;
4293 break;
4294
4295 case 1:
4296 /* Set inconsistent ALPN (early client detection) */
4297 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
4298 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
4299 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
4300 GOODALPNLEN))
4301 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
4302 BADALPNLEN)))
4303 goto end;
4304 break;
4305
4306 case 2:
4307 /*
4308 * Set invalid protocol version. Technically this affects PSKs without
4309 * early_data too, but we test it here because it is similar to the
4310 * SNI/ALPN consistency tests.
4311 */
4312 err = SSL_R_BAD_PSK;
4313 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
4314 goto end;
4315 break;
4316
4317 case 3:
4318 /*
4319 * Set inconsistent SNI (server side). In this case the connection
4320 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
4321 * is associated with each handshake - not the session. Therefore it
4322 * should not matter that we used a different server name last time.
4323 */
4324 SSL_SESSION_free(serverpsk);
4325 serverpsk = SSL_SESSION_dup(clientpsk);
4326 if (!TEST_ptr(serverpsk)
4327 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
4328 goto end;
4329 /* Fall through */
4330 case 4:
4331 /* Set consistent SNI */
4332 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4333 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
4334 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
4335 hostname_cb)))
4336 goto end;
4337 break;
4338
4339 case 5:
4340 /*
4341 * Set inconsistent ALPN (server detected). In this case the connection
4342 * will succeed but reject early_data.
4343 */
4344 servalpn = "badalpn";
4345 edstatus = SSL_EARLY_DATA_REJECTED;
4346 readearlyres = SSL_READ_EARLY_DATA_FINISH;
4347 /* Fall through */
4348 case 6:
4349 /*
4350 * Set consistent ALPN.
4351 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4352 * accepts a list of protos (each one length prefixed).
4353 * SSL_set1_alpn_selected accepts a single protocol (not length
4354 * prefixed)
4355 */
4356 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4357 GOODALPNLEN - 1))
4358 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4359 GOODALPNLEN)))
4360 goto end;
4361
4362 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4363 break;
4364
4365 case 7:
4366 /* Set inconsistent ALPN (late client detection) */
4367 SSL_SESSION_free(serverpsk);
4368 serverpsk = SSL_SESSION_dup(clientpsk);
4369 if (!TEST_ptr(serverpsk)
4370 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4371 BADALPN + 1,
4372 BADALPNLEN - 1))
4373 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4374 GOODALPN + 1,
4375 GOODALPNLEN - 1))
4376 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4377 sizeof(alpnlist))))
4378 goto end;
4379 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4380 edstatus = SSL_EARLY_DATA_ACCEPTED;
4381 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4382 /* SSL_connect() call should fail */
4383 connectres = -1;
4384 break;
4385
4386 default:
4387 TEST_error("Bad test index");
4388 goto end;
4389 }
4390
4391 SSL_set_connect_state(clientssl);
4392 if (err != 0) {
4393 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4394 &written))
4395 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4396 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4397 goto end;
4398 } else {
4399 OSSL_TIME timer = ossl_time_now();
4400
4401 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4402 &written)))
4403 goto end;
4404
4405 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4406 &readbytes), readearlyres)) {
4407 testresult = check_early_data_timeout(timer);
4408 goto end;
4409 }
4410
4411 if ((readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4412 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
4413 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4414 || !TEST_int_eq(SSL_connect(clientssl), connectres))
4415 goto end;
4416 }
4417
4418 testresult = 1;
4419
4420 end:
4421 SSL_SESSION_free(sess);
4422 SSL_SESSION_free(clientpsk);
4423 SSL_SESSION_free(serverpsk);
4424 clientpsk = serverpsk = NULL;
4425 SSL_free(serverssl);
4426 SSL_free(clientssl);
4427 SSL_CTX_free(sctx);
4428 SSL_CTX_free(cctx);
4429 return testresult;
4430}
4431
4432/*
4433 * Test TLSv1.3 PSK can be used to send early_data with all 7 ciphersuites
4434 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4435 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4436 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4437 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4438 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4439 * idx == 5: Test with TLS1_3_RFC_SHA256_SHA256
4440 * idx == 6: Test with TLS1_3_RFC_SHA384_SHA384
4441 */
4442static int test_early_data_psk_with_all_ciphers(int idx)
4443{
4444 SSL_CTX *cctx = NULL, *sctx = NULL;
4445 SSL *clientssl = NULL, *serverssl = NULL;
4446 int testresult = 0;
4447 SSL_SESSION *sess = NULL;
4448 unsigned char buf[20];
4449 size_t readbytes, written;
4450 const SSL_CIPHER *cipher;
4451 OSSL_TIME timer;
4452 const char *cipher_str[] = {
4453 TLS1_3_RFC_AES_128_GCM_SHA256,
4454 TLS1_3_RFC_AES_256_GCM_SHA384,
4455# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4456 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4457# else
4458 NULL,
4459# endif
4460 TLS1_3_RFC_AES_128_CCM_SHA256,
4461 TLS1_3_RFC_AES_128_CCM_8_SHA256,
4462# if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS)
4463 TLS1_3_RFC_SHA256_SHA256,
4464 TLS1_3_RFC_SHA384_SHA384
4465#else
4466 NULL,
4467 NULL
4468#endif
4469 };
4470 const unsigned char *cipher_bytes[] = {
4471 TLS13_AES_128_GCM_SHA256_BYTES,
4472 TLS13_AES_256_GCM_SHA384_BYTES,
4473# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4474 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4475# else
4476 NULL,
4477# endif
4478 TLS13_AES_128_CCM_SHA256_BYTES,
4479 TLS13_AES_128_CCM_8_SHA256_BYTES,
4480# if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS)
4481 TLS13_SHA256_SHA256_BYTES,
4482 TLS13_SHA384_SHA384_BYTES
4483#else
4484 NULL,
4485 NULL
4486#endif
4487 };
4488
4489 if (cipher_str[idx] == NULL)
4490 return 1;
4491 /*
4492 * Skip ChaCha20Poly1305 and TLS_SHA{256,384}_SHA{256,384} ciphers
4493 * as currently FIPS module does not support them.
4494 */
4495 if ((idx == 2 || idx == 5 || idx == 6) && is_fips == 1)
4496 return 1;
4497
4498 /* We always set this up with a final parameter of "2" for PSK */
4499 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4500 &serverssl, &sess, 2,
4501 SHA384_DIGEST_LENGTH)))
4502 goto end;
4503
4504 if (idx == 4 || idx == 5 || idx == 6) {
4505 /*
4506 * CCM8 ciphers are considered low security due to their short tag.
4507 * Integrity-only cipher do not provide any confidentiality.
4508 */
4509 SSL_set_security_level(clientssl, 0);
4510 SSL_set_security_level(serverssl, 0);
4511 }
4512
4513 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4514 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4515 goto end;
4516
4517 /*
4518 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4519 * and assigns to both client and server with incremented reference
4520 * and the same instance is updated in 'sess'.
4521 * So updating ciphersuite in 'sess' which will get reflected in
4522 * PSK handshake using psk use sess and find sess cb.
4523 */
4524 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4525 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4526 goto end;
4527
4528 SSL_set_connect_state(clientssl);
4529 timer = ossl_time_now();
4530 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4531 &written)))
4532 goto end;
4533
4534 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4535 &readbytes),
4536 SSL_READ_EARLY_DATA_SUCCESS)) {
4537 testresult = check_early_data_timeout(timer);
4538 goto end;
4539 }
4540
4541 if (!TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4542 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4543 SSL_EARLY_DATA_ACCEPTED)
4544 || !TEST_int_eq(SSL_connect(clientssl), 1)
4545 || !TEST_int_eq(SSL_accept(serverssl), 1))
4546 goto end;
4547
4548 /* Send some normal data from client to server */
4549 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4550 || !TEST_size_t_eq(written, strlen(MSG2)))
4551 goto end;
4552
4553 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4554 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4555 goto end;
4556
4557 testresult = 1;
4558 end:
4559 SSL_SESSION_free(sess);
4560 SSL_SESSION_free(clientpsk);
4561 SSL_SESSION_free(serverpsk);
4562 clientpsk = serverpsk = NULL;
4563 if (clientssl != NULL)
4564 SSL_shutdown(clientssl);
4565 if (serverssl != NULL)
4566 SSL_shutdown(serverssl);
4567 SSL_free(serverssl);
4568 SSL_free(clientssl);
4569 SSL_CTX_free(sctx);
4570 SSL_CTX_free(cctx);
4571 return testresult;
4572}
4573
4574/*
4575 * Test that a server that doesn't try to read early data can handle a
4576 * client sending some.
4577 */
4578static int test_early_data_not_expected(int idx)
4579{
4580 SSL_CTX *cctx = NULL, *sctx = NULL;
4581 SSL *clientssl = NULL, *serverssl = NULL;
4582 int testresult = 0;
4583 SSL_SESSION *sess = NULL;
4584 unsigned char buf[20];
4585 size_t readbytes, written;
4586
4587 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4588 &serverssl, &sess, idx,
4589 SHA384_DIGEST_LENGTH)))
4590 goto end;
4591
4592 /* Write some early data */
4593 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4594 &written)))
4595 goto end;
4596
4597 /*
4598 * Server should skip over early data and then block waiting for client to
4599 * continue handshake
4600 */
4601 if (!TEST_int_le(SSL_accept(serverssl), 0)
4602 || !TEST_int_gt(SSL_connect(clientssl), 0)
4603 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4604 SSL_EARLY_DATA_REJECTED)
4605 || !TEST_int_gt(SSL_accept(serverssl), 0)
4606 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4607 SSL_EARLY_DATA_REJECTED))
4608 goto end;
4609
4610 /* Send some normal data from client to server */
4611 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4612 || !TEST_size_t_eq(written, strlen(MSG2)))
4613 goto end;
4614
4615 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4616 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4617 goto end;
4618
4619 testresult = 1;
4620
4621 end:
4622 SSL_SESSION_free(sess);
4623 SSL_SESSION_free(clientpsk);
4624 SSL_SESSION_free(serverpsk);
4625 clientpsk = serverpsk = NULL;
4626 SSL_free(serverssl);
4627 SSL_free(clientssl);
4628 SSL_CTX_free(sctx);
4629 SSL_CTX_free(cctx);
4630 return testresult;
4631}
4632
4633
4634# ifndef OPENSSL_NO_TLS1_2
4635/*
4636 * Test that a server attempting to read early data can handle a connection
4637 * from a TLSv1.2 client.
4638 */
4639static int test_early_data_tls1_2(int idx)
4640{
4641 SSL_CTX *cctx = NULL, *sctx = NULL;
4642 SSL *clientssl = NULL, *serverssl = NULL;
4643 int testresult = 0;
4644 unsigned char buf[20];
4645 size_t readbytes, written;
4646
4647 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4648 &serverssl, NULL, idx,
4649 SHA384_DIGEST_LENGTH)))
4650 goto end;
4651
4652 /* Write some data - should block due to handshake with server */
4653 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4654 SSL_set_connect_state(clientssl);
4655 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4656 goto end;
4657
4658 /*
4659 * Server should do TLSv1.2 handshake. First it will block waiting for more
4660 * messages from client after ServerDone. Then SSL_read_early_data should
4661 * finish and detect that early data has not been sent
4662 */
4663 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4664 &readbytes),
4665 SSL_READ_EARLY_DATA_ERROR))
4666 goto end;
4667
4668 /*
4669 * Continue writing the message we started earlier. Will still block waiting
4670 * for the CCS/Finished from server
4671 */
4672 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4673 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4674 &readbytes),
4675 SSL_READ_EARLY_DATA_FINISH)
4676 || !TEST_size_t_eq(readbytes, 0)
4677 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4678 SSL_EARLY_DATA_NOT_SENT))
4679 goto end;
4680
4681 /* Continue writing the message we started earlier */
4682 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4683 || !TEST_size_t_eq(written, strlen(MSG1))
4684 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4685 SSL_EARLY_DATA_NOT_SENT)
4686 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4687 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4688 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4689 || !TEST_size_t_eq(written, strlen(MSG2))
4690 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4691 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4692 goto end;
4693
4694 testresult = 1;
4695
4696 end:
4697 SSL_SESSION_free(clientpsk);
4698 SSL_SESSION_free(serverpsk);
4699 clientpsk = serverpsk = NULL;
4700 SSL_free(serverssl);
4701 SSL_free(clientssl);
4702 SSL_CTX_free(sctx);
4703 SSL_CTX_free(cctx);
4704
4705 return testresult;
4706}
4707# endif /* OPENSSL_NO_TLS1_2 */
4708
4709/*
4710 * Test configuring the TLSv1.3 ciphersuites
4711 *
4712 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4713 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4714 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4715 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4716 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4717 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4718 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4719 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4720 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4721 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4722 */
4723static int test_set_ciphersuite(int idx)
4724{
4725 SSL_CTX *cctx = NULL, *sctx = NULL;
4726 SSL *clientssl = NULL, *serverssl = NULL;
4727 int testresult = 0;
4728
4729 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4730 TLS_client_method(), TLS1_VERSION, 0,
4731 &sctx, &cctx, cert, privkey))
4732 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4733 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4734 goto end;
4735
4736 if (idx >=4 && idx <= 7) {
4737 /* SSL_CTX explicit cipher list */
4738 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4739 goto end;
4740 }
4741
4742 if (idx == 0 || idx == 4) {
4743 /* Default ciphersuite */
4744 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4745 "TLS_AES_128_GCM_SHA256")))
4746 goto end;
4747 } else if (idx == 1 || idx == 5) {
4748 /* Non default ciphersuite */
4749 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4750 "TLS_AES_128_CCM_SHA256")))
4751 goto end;
4752 }
4753
4754 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4755 &clientssl, NULL, NULL)))
4756 goto end;
4757
4758 if (idx == 8 || idx == 9) {
4759 /* SSL explicit cipher list */
4760 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4761 goto end;
4762 }
4763
4764 if (idx == 2 || idx == 6 || idx == 8) {
4765 /* Default ciphersuite */
4766 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4767 "TLS_AES_128_GCM_SHA256")))
4768 goto end;
4769 } else if (idx == 3 || idx == 7 || idx == 9) {
4770 /* Non default ciphersuite */
4771 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4772 "TLS_AES_128_CCM_SHA256")))
4773 goto end;
4774 }
4775
4776 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4777 goto end;
4778
4779 testresult = 1;
4780
4781 end:
4782 SSL_free(serverssl);
4783 SSL_free(clientssl);
4784 SSL_CTX_free(sctx);
4785 SSL_CTX_free(cctx);
4786
4787 return testresult;
4788}
4789
4790static int test_ciphersuite_change(void)
4791{
4792 SSL_CTX *cctx = NULL, *sctx = NULL;
4793 SSL *clientssl = NULL, *serverssl = NULL;
4794 SSL_SESSION *clntsess = NULL;
4795 int testresult = 0;
4796 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4797
4798 /* Create a session based on SHA-256 */
4799 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4800 TLS_client_method(), TLS1_VERSION, 0,
4801 &sctx, &cctx, cert, privkey))
4802 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4803 "TLS_AES_128_GCM_SHA256:"
4804 "TLS_AES_256_GCM_SHA384:"
4805 "TLS_AES_128_CCM_SHA256"))
4806 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4807 "TLS_AES_128_GCM_SHA256")))
4808 goto end;
4809
4810 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4811 NULL, NULL))
4812 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4813 SSL_ERROR_NONE)))
4814 goto end;
4815
4816 clntsess = SSL_get1_session(clientssl);
4817 /* Save for later */
4818 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4819 SSL_shutdown(clientssl);
4820 SSL_shutdown(serverssl);
4821 SSL_free(serverssl);
4822 SSL_free(clientssl);
4823 serverssl = clientssl = NULL;
4824
4825 /* Check we can resume a session with a different SHA-256 ciphersuite */
4826 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4827 "TLS_AES_128_CCM_SHA256"))
4828 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4829 &clientssl, NULL, NULL))
4830 || !TEST_true(SSL_set_session(clientssl, clntsess))
4831 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4832 SSL_ERROR_NONE))
4833 || !TEST_true(SSL_session_reused(clientssl)))
4834 goto end;
4835
4836 SSL_SESSION_free(clntsess);
4837 clntsess = SSL_get1_session(clientssl);
4838 SSL_shutdown(clientssl);
4839 SSL_shutdown(serverssl);
4840 SSL_free(serverssl);
4841 SSL_free(clientssl);
4842 serverssl = clientssl = NULL;
4843
4844 /*
4845 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4846 * succeeds but does not resume.
4847 */
4848 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4849 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4850 NULL, NULL))
4851 || !TEST_true(SSL_set_session(clientssl, clntsess))
4852 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4853 SSL_ERROR_SSL))
4854 || !TEST_false(SSL_session_reused(clientssl)))
4855 goto end;
4856
4857 SSL_SESSION_free(clntsess);
4858 clntsess = NULL;
4859 SSL_shutdown(clientssl);
4860 SSL_shutdown(serverssl);
4861 SSL_free(serverssl);
4862 SSL_free(clientssl);
4863 serverssl = clientssl = NULL;
4864
4865 /* Create a session based on SHA384 */
4866 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4867 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4868 &clientssl, NULL, NULL))
4869 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4870 SSL_ERROR_NONE)))
4871 goto end;
4872
4873 clntsess = SSL_get1_session(clientssl);
4874 SSL_shutdown(clientssl);
4875 SSL_shutdown(serverssl);
4876 SSL_free(serverssl);
4877 SSL_free(clientssl);
4878 serverssl = clientssl = NULL;
4879
4880 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4881 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4882 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4883 "TLS_AES_256_GCM_SHA384"))
4884 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4885 NULL, NULL))
4886 || !TEST_true(SSL_set_session(clientssl, clntsess))
4887 /*
4888 * We use SSL_ERROR_WANT_READ below so that we can pause the
4889 * connection after the initial ClientHello has been sent to
4890 * enable us to make some session changes.
4891 */
4892 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4893 SSL_ERROR_WANT_READ)))
4894 goto end;
4895
4896 /* Trick the client into thinking this session is for a different digest */
4897 clntsess->cipher = aes_128_gcm_sha256;
4898 clntsess->cipher_id = clntsess->cipher->id;
4899
4900 /*
4901 * Continue the previously started connection. Server has selected a SHA-384
4902 * ciphersuite, but client thinks the session is for SHA-256, so it should
4903 * bail out.
4904 */
4905 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4906 SSL_ERROR_SSL))
4907 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4908 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4909 goto end;
4910
4911 testresult = 1;
4912
4913 end:
4914 SSL_SESSION_free(clntsess);
4915 SSL_free(serverssl);
4916 SSL_free(clientssl);
4917 SSL_CTX_free(sctx);
4918 SSL_CTX_free(cctx);
4919
4920 return testresult;
4921}
4922
4923/*
4924 * Test TLSv1.3 Key exchange
4925 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4926 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4927 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4928 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4929 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4930 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4931 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4932 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4933 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4934 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4935 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4936 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4937 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4938 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4939 */
4940# ifndef OPENSSL_NO_EC
4941static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4942 NID_secp521r1,
4943# ifndef OPENSSL_NO_ECX
4944 NID_X25519, NID_X448
4945# endif
4946 };
4947# endif
4948# ifndef OPENSSL_NO_DH
4949static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4950 NID_ffdhe6144, NID_ffdhe8192};
4951# endif
4952static int test_key_exchange(int idx)
4953{
4954 SSL_CTX *sctx = NULL, *cctx = NULL;
4955 SSL *serverssl = NULL, *clientssl = NULL;
4956 int testresult = 0;
4957 int kexch_alg;
4958 int *kexch_groups = &kexch_alg;
4959 int kexch_groups_size = 1;
4960 int max_version = TLS1_3_VERSION;
4961 char *kexch_name0 = NULL;
4962
4963 switch (idx) {
4964# ifndef OPENSSL_NO_EC
4965# ifndef OPENSSL_NO_TLS1_2
4966 case 12:
4967 max_version = TLS1_2_VERSION;
4968# endif
4969 /* Fall through */
4970 case 0:
4971 kexch_groups = ecdhe_kexch_groups;
4972 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4973 kexch_name0 = "secp256r1";
4974 break;
4975 case 1:
4976 kexch_alg = NID_X9_62_prime256v1;
4977 kexch_name0 = "secp256r1";
4978 break;
4979 case 2:
4980 kexch_alg = NID_secp384r1;
4981 kexch_name0 = "secp384r1";
4982 break;
4983 case 3:
4984 kexch_alg = NID_secp521r1;
4985 kexch_name0 = "secp521r1";
4986 break;
4987# ifndef OPENSSL_NO_ECX
4988 case 4:
4989 if (is_fips)
4990 return TEST_skip("X25519 might not be supported by fips provider.");
4991 kexch_alg = NID_X25519;
4992 kexch_name0 = "x25519";
4993 break;
4994 case 5:
4995 if (is_fips)
4996 return TEST_skip("X448 might not be supported by fips provider.");
4997 kexch_alg = NID_X448;
4998 kexch_name0 = "x448";
4999 break;
5000# endif
5001# endif
5002# ifndef OPENSSL_NO_DH
5003# ifndef OPENSSL_NO_TLS1_2
5004 case 13:
5005 max_version = TLS1_2_VERSION;
5006 kexch_name0 = "ffdhe2048";
5007# endif
5008 /* Fall through */
5009 case 6:
5010 kexch_groups = ffdhe_kexch_groups;
5011 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
5012 kexch_name0 = "ffdhe2048";
5013 break;
5014 case 7:
5015 kexch_alg = NID_ffdhe2048;
5016 kexch_name0 = "ffdhe2048";
5017 break;
5018 case 8:
5019 kexch_alg = NID_ffdhe3072;
5020 kexch_name0 = "ffdhe3072";
5021 break;
5022 case 9:
5023 kexch_alg = NID_ffdhe4096;
5024 kexch_name0 = "ffdhe4096";
5025 break;
5026 case 10:
5027 kexch_alg = NID_ffdhe6144;
5028 kexch_name0 = "ffdhe6144";
5029 break;
5030 case 11:
5031 kexch_alg = NID_ffdhe8192;
5032 kexch_name0 = "ffdhe8192";
5033 break;
5034# endif
5035 default:
5036 /* We're skipping this test */
5037 return 1;
5038 }
5039
5040 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5041 TLS_client_method(), TLS1_VERSION,
5042 max_version, &sctx, &cctx, cert,
5043 privkey)))
5044 goto end;
5045
5046 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
5047 TLS1_3_RFC_AES_128_GCM_SHA256)))
5048 goto end;
5049
5050 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5051 TLS1_3_RFC_AES_128_GCM_SHA256)))
5052 goto end;
5053
5054 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
5055 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5056 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
5057 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
5058 goto end;
5059
5060 /*
5061 * Must include an EC ciphersuite so that we send supported groups in
5062 * TLSv1.2
5063 */
5064# ifndef OPENSSL_NO_TLS1_2
5065 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5066 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5067 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
5068 goto end;
5069# endif
5070
5071 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5072 NULL, NULL)))
5073 goto end;
5074
5075 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
5076 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
5077 goto end;
5078
5079 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5080 goto end;
5081
5082 /*
5083 * If Handshake succeeds the negotiated kexch alg should be the first one in
5084 * configured, except in the case of FFDHE groups (idx 13), which are
5085 * TLSv1.3 only so we expect no shared group to exist.
5086 */
5087 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
5088 idx == 13 ? 0 : kexch_groups[0]))
5089 goto end;
5090
5091 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
5092 kexch_name0))
5093 goto end;
5094
5095 /* We don't implement RFC 7919 named groups for TLS 1.2. */
5096 if (idx != 13) {
5097 if (!TEST_str_eq(SSL_get0_group_name(serverssl), kexch_name0)
5098 || !TEST_str_eq(SSL_get0_group_name(clientssl), kexch_name0))
5099 goto end;
5100 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
5101 goto end;
5102 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
5103 goto end;
5104 }
5105
5106 testresult = 1;
5107 end:
5108 SSL_free(serverssl);
5109 SSL_free(clientssl);
5110 SSL_CTX_free(sctx);
5111 SSL_CTX_free(cctx);
5112 return testresult;
5113}
5114
5115# if !defined(OPENSSL_NO_TLS1_2) \
5116 && !defined(OPENSSL_NO_EC) \
5117 && !defined(OPENSSL_NO_DH)
5118static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
5119 int isecdhe, int idx)
5120{
5121 int kexch_alg;
5122 int *kexch_groups = &kexch_alg;
5123 int numec, numff;
5124
5125 numec = OSSL_NELEM(ecdhe_kexch_groups);
5126 numff = OSSL_NELEM(ffdhe_kexch_groups);
5127 if (isecdhe)
5128 kexch_alg = ecdhe_kexch_groups[idx];
5129 else
5130 kexch_alg = ffdhe_kexch_groups[idx];
5131
5132 if (clientmulti) {
5133 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
5134 return 0;
5135 if (isecdhe) {
5136 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
5137 numec)))
5138 return 0;
5139 } else {
5140 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
5141 numff)))
5142 return 0;
5143 }
5144 } else {
5145 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
5146 return 0;
5147 if (isecdhe) {
5148 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
5149 numec)))
5150 return 0;
5151 } else {
5152 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
5153 numff)))
5154 return 0;
5155 }
5156 }
5157 return 1;
5158}
5159
5160/*-
5161 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
5162 * Run through both the ECDHE and FFDHE group lists used in the previous
5163 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
5164 * confirming the expected result; then perform a resumption handshake
5165 * while offering the same group list, and another resumption handshake
5166 * offering a different group list. The returned value should be the
5167 * negotiated group for the initial handshake; for TLS 1.3 resumption
5168 * handshakes the returned value will be negotiated on the resumption
5169 * handshake itself, but for TLS 1.2 resumption handshakes the value will
5170 * be cached in the session from the original handshake, regardless of what
5171 * was offered in the resumption ClientHello.
5172 *
5173 * Using E for the number of EC groups and F for the number of FF groups:
5174 * E tests of ECDHE with TLS 1.3, server only has one group
5175 * F tests of FFDHE with TLS 1.3, server only has one group
5176 * E tests of ECDHE with TLS 1.2, server only has one group
5177 * F tests of FFDHE with TLS 1.2, server only has one group
5178 * E tests of ECDHE with TLS 1.3, client sends only one group
5179 * F tests of FFDHE with TLS 1.3, client sends only one group
5180 * E tests of ECDHE with TLS 1.2, client sends only one group
5181 * F tests of FFDHE with TLS 1.2, client sends only one group
5182 */
5183static int test_negotiated_group(int idx)
5184{
5185 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
5186 int expectednid;
5187 SSL_CTX *sctx = NULL, *cctx = NULL;
5188 SSL *serverssl = NULL, *clientssl = NULL;
5189 SSL_SESSION *origsess = NULL;
5190 int testresult = 0;
5191 int kexch_alg;
5192 int max_version = TLS1_3_VERSION;
5193
5194 numec = OSSL_NELEM(ecdhe_kexch_groups);
5195 numff = OSSL_NELEM(ffdhe_kexch_groups);
5196 numgroups = numec + numff;
5197 clientmulti = (idx < 2 * numgroups);
5198 idx = idx % (2 * numgroups);
5199 istls13 = (idx < numgroups);
5200 idx = idx % numgroups;
5201 isecdhe = (idx < numec);
5202 if (!isecdhe)
5203 idx -= numec;
5204 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
5205 if (isecdhe)
5206 kexch_alg = ecdhe_kexch_groups[idx];
5207 else
5208 kexch_alg = ffdhe_kexch_groups[idx];
5209 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
5210 if (!istls13 && !isecdhe)
5211 expectednid = NID_undef;
5212 else
5213 expectednid = kexch_alg;
5214
5215 if (is_fips && (kexch_alg == NID_X25519 || kexch_alg == NID_X448))
5216 return TEST_skip("X25519 and X448 might not be available in fips provider.");
5217
5218 if (!istls13)
5219 max_version = TLS1_2_VERSION;
5220
5221 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5222 TLS_client_method(), TLS1_VERSION,
5223 max_version, &sctx, &cctx, cert,
5224 privkey)))
5225 goto end;
5226
5227 /*
5228 * Force (EC)DHE ciphers for TLS 1.2.
5229 * Be sure to enable auto tmp DH so that FFDHE can succeed.
5230 */
5231 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
5232 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5233 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
5234 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
5235 goto end;
5236 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5237 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5238 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
5239 goto end;
5240
5241 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5242 NULL, NULL)))
5243 goto end;
5244
5245 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
5246 idx)))
5247 goto end;
5248
5249 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5250 goto end;
5251
5252 /* Initial handshake; always the configured one */
5253 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5254 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5255 goto end;
5256
5257 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
5258 goto end;
5259
5260 SSL_shutdown(clientssl);
5261 SSL_shutdown(serverssl);
5262 SSL_free(serverssl);
5263 SSL_free(clientssl);
5264 serverssl = clientssl = NULL;
5265
5266 /* First resumption attempt; use the same config as initial handshake */
5267 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5268 NULL, NULL))
5269 || !TEST_true(SSL_set_session(clientssl, origsess))
5270 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5271 isecdhe, idx)))
5272 goto end;
5273
5274 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5275 || !TEST_true(SSL_session_reused(clientssl)))
5276 goto end;
5277
5278 /* Still had better agree, since nothing changed... */
5279 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5280 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5281 goto end;
5282
5283 SSL_shutdown(clientssl);
5284 SSL_shutdown(serverssl);
5285 SSL_free(serverssl);
5286 SSL_free(clientssl);
5287 serverssl = clientssl = NULL;
5288
5289 /*-
5290 * Second resumption attempt
5291 * The party that picks one group changes it, which we effectuate by
5292 * changing 'idx' and updating what we expect.
5293 */
5294 if (idx == 0)
5295 idx = 1;
5296 else
5297 idx--;
5298 if (istls13) {
5299 if (isecdhe)
5300 expectednid = ecdhe_kexch_groups[idx];
5301 else
5302 expectednid = ffdhe_kexch_groups[idx];
5303 /* Verify that we are changing what we expect. */
5304 if (!TEST_int_ne(expectednid, kexch_alg))
5305 goto end;
5306 } else {
5307 /* TLS 1.2 only supports named groups for ECDHE. */
5308 if (isecdhe)
5309 expectednid = kexch_alg;
5310 else
5311 expectednid = 0;
5312 }
5313 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5314 NULL, NULL))
5315 || !TEST_true(SSL_set_session(clientssl, origsess))
5316 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5317 isecdhe, idx)))
5318 goto end;
5319
5320 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5321 || !TEST_true(SSL_session_reused(clientssl)))
5322 goto end;
5323
5324 /* Check that we get what we expected */
5325 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5326 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5327 goto end;
5328
5329 testresult = 1;
5330 end:
5331 SSL_free(serverssl);
5332 SSL_free(clientssl);
5333 SSL_CTX_free(sctx);
5334 SSL_CTX_free(cctx);
5335 SSL_SESSION_free(origsess);
5336 return testresult;
5337}
5338# endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
5339
5340/*
5341 * Test TLSv1.3 Cipher Suite
5342 * Test 0 = Set TLS1.3 cipher on context
5343 * Test 1 = Set TLS1.3 cipher on SSL
5344 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
5345 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
5346 */
5347static int test_tls13_ciphersuite(int idx)
5348{
5349 SSL_CTX *sctx = NULL, *cctx = NULL;
5350 SSL *serverssl = NULL, *clientssl = NULL;
5351 static const struct {
5352 const char *ciphername;
5353 int fipscapable;
5354 int low_security;
5355 } t13_ciphers[] = {
5356 { TLS1_3_RFC_AES_128_GCM_SHA256, 1, 0 },
5357 { TLS1_3_RFC_AES_256_GCM_SHA384, 1, 0 },
5358 { TLS1_3_RFC_AES_128_CCM_SHA256, 1, 0 },
5359# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5360 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5361 { TLS1_3_RFC_AES_256_GCM_SHA384
5362 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5363# endif
5364 /* CCM8 ciphers are considered low security due to their short tag */
5365 { TLS1_3_RFC_AES_128_CCM_8_SHA256
5366 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1, 1 },
5367# if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS)
5368 /* Integrity-only cipher do not provide any confidentiality */
5369 { TLS1_3_RFC_SHA256_SHA256, 0, 1 },
5370 { TLS1_3_RFC_SHA384_SHA384, 0, 1 }
5371# endif
5372 };
5373 const char *t13_cipher = NULL;
5374 const char *t12_cipher = NULL;
5375 const char *negotiated_scipher;
5376 const char *negotiated_ccipher;
5377 int set_at_ctx = 0;
5378 int set_at_ssl = 0;
5379 int testresult = 0;
5380 int max_ver;
5381 size_t i;
5382
5383 switch (idx) {
5384 case 0:
5385 set_at_ctx = 1;
5386 break;
5387 case 1:
5388 set_at_ssl = 1;
5389 break;
5390 case 2:
5391 set_at_ctx = 1;
5392 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5393 break;
5394 case 3:
5395 set_at_ssl = 1;
5396 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5397 break;
5398 }
5399
5400 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
5401# ifdef OPENSSL_NO_TLS1_2
5402 if (max_ver == TLS1_2_VERSION)
5403 continue;
5404# endif
5405 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
5406 if (is_fips && !t13_ciphers[i].fipscapable)
5407 continue;
5408 t13_cipher = t13_ciphers[i].ciphername;
5409 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5410 TLS_client_method(),
5411 TLS1_VERSION, max_ver,
5412 &sctx, &cctx, cert, privkey)))
5413 goto end;
5414
5415 if (t13_ciphers[i].low_security) {
5416 SSL_CTX_set_security_level(sctx, 0);
5417 SSL_CTX_set_security_level(cctx, 0);
5418 }
5419
5420 if (set_at_ctx) {
5421 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
5422 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
5423 goto end;
5424 if (t12_cipher != NULL) {
5425 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
5426 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
5427 t12_cipher)))
5428 goto end;
5429 }
5430 }
5431
5432 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5433 &clientssl, NULL, NULL)))
5434 goto end;
5435
5436 if (set_at_ssl) {
5437 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5438 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5439 goto end;
5440 if (t12_cipher != NULL) {
5441 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5442 || !TEST_true(SSL_set_cipher_list(clientssl,
5443 t12_cipher)))
5444 goto end;
5445 }
5446 }
5447
5448 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5449 SSL_ERROR_NONE)))
5450 goto end;
5451
5452 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5453 serverssl));
5454 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5455 clientssl));
5456 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5457 goto end;
5458
5459 /*
5460 * TEST_strn_eq is used below because t13_cipher can contain
5461 * multiple ciphersuites
5462 */
5463 if (max_ver == TLS1_3_VERSION
5464 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5465 strlen(negotiated_scipher)))
5466 goto end;
5467
5468# ifndef OPENSSL_NO_TLS1_2
5469 /* Below validation is not done when t12_cipher is NULL */
5470 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5471 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5472 goto end;
5473# endif
5474
5475 SSL_free(serverssl);
5476 serverssl = NULL;
5477 SSL_free(clientssl);
5478 clientssl = NULL;
5479 SSL_CTX_free(sctx);
5480 sctx = NULL;
5481 SSL_CTX_free(cctx);
5482 cctx = NULL;
5483 }
5484 }
5485
5486 testresult = 1;
5487 end:
5488 SSL_free(serverssl);
5489 SSL_free(clientssl);
5490 SSL_CTX_free(sctx);
5491 SSL_CTX_free(cctx);
5492 return testresult;
5493}
5494
5495/*
5496 * Test TLSv1.3 PSKs
5497 * Test 0 = Test new style callbacks
5498 * Test 1 = Test both new and old style callbacks
5499 * Test 2 = Test old style callbacks
5500 * Test 3 = Test old style callbacks with no certificate
5501 */
5502static int test_tls13_psk(int idx)
5503{
5504 SSL_CTX *sctx = NULL, *cctx = NULL;
5505 SSL *serverssl = NULL, *clientssl = NULL;
5506 const SSL_CIPHER *cipher = NULL;
5507 const unsigned char key[] = {
5508 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5509 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
5510 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5511 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
5512 };
5513 int testresult = 0;
5514
5515 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5516 TLS_client_method(), TLS1_VERSION, 0,
5517 &sctx, &cctx, idx == 3 ? NULL : cert,
5518 idx == 3 ? NULL : privkey)))
5519 goto end;
5520
5521 if (idx != 3) {
5522 /*
5523 * We use a ciphersuite with SHA256 to ease testing old style PSK
5524 * callbacks which will always default to SHA256. This should not be
5525 * necessary if we have no cert/priv key. In that case the server should
5526 * prefer SHA256 automatically.
5527 */
5528 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5529 "TLS_AES_128_GCM_SHA256")))
5530 goto end;
5531 } else {
5532 /*
5533 * As noted above the server should prefer SHA256 automatically. However
5534 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5535 * code works even if we are testing with only the FIPS provider loaded.
5536 */
5537 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5538 "TLS_AES_256_GCM_SHA384:"
5539 "TLS_AES_128_GCM_SHA256")))
5540 goto end;
5541 }
5542
5543 /*
5544 * Test 0: New style callbacks only
5545 * Test 1: New and old style callbacks (only the new ones should be used)
5546 * Test 2: Old style callbacks only
5547 */
5548 if (idx == 0 || idx == 1) {
5549 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5550 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5551 }
5552#ifndef OPENSSL_NO_PSK
5553 if (idx >= 1) {
5554 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5555 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5556 }
5557#endif
5558 srvid = pskid;
5559 use_session_cb_cnt = 0;
5560 find_session_cb_cnt = 0;
5561 psk_client_cb_cnt = 0;
5562 psk_server_cb_cnt = 0;
5563
5564 if (idx != 3) {
5565 /*
5566 * Check we can create a connection if callback decides not to send a
5567 * PSK
5568 */
5569 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5570 NULL, NULL))
5571 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5572 SSL_ERROR_NONE))
5573 || !TEST_false(SSL_session_reused(clientssl))
5574 || !TEST_false(SSL_session_reused(serverssl)))
5575 goto end;
5576
5577 if (idx == 0 || idx == 1) {
5578 if (!TEST_true(use_session_cb_cnt == 1)
5579 || !TEST_true(find_session_cb_cnt == 0)
5580 /*
5581 * If no old style callback then below should be 0
5582 * otherwise 1
5583 */
5584 || !TEST_true(psk_client_cb_cnt == idx)
5585 || !TEST_true(psk_server_cb_cnt == 0))
5586 goto end;
5587 } else {
5588 if (!TEST_true(use_session_cb_cnt == 0)
5589 || !TEST_true(find_session_cb_cnt == 0)
5590 || !TEST_true(psk_client_cb_cnt == 1)
5591 || !TEST_true(psk_server_cb_cnt == 0))
5592 goto end;
5593 }
5594
5595 shutdown_ssl_connection(serverssl, clientssl);
5596 serverssl = clientssl = NULL;
5597 use_session_cb_cnt = psk_client_cb_cnt = 0;
5598 }
5599
5600 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5601 NULL, NULL)))
5602 goto end;
5603
5604 /* Create the PSK */
5605 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
5606 clientpsk = SSL_SESSION_new();
5607 if (!TEST_ptr(clientpsk)
5608 || !TEST_ptr(cipher)
5609 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5610 sizeof(key)))
5611 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5612 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5613 TLS1_3_VERSION))
5614 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
5615 goto end;
5616 serverpsk = clientpsk;
5617
5618 /* Check we can create a connection and the PSK is used */
5619 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5620 || !TEST_true(SSL_session_reused(clientssl))
5621 || !TEST_true(SSL_session_reused(serverssl)))
5622 goto end;
5623
5624 if (idx == 0 || idx == 1) {
5625 if (!TEST_true(use_session_cb_cnt == 1)
5626 || !TEST_true(find_session_cb_cnt == 1)
5627 || !TEST_true(psk_client_cb_cnt == 0)
5628 || !TEST_true(psk_server_cb_cnt == 0))
5629 goto end;
5630 } else {
5631 if (!TEST_true(use_session_cb_cnt == 0)
5632 || !TEST_true(find_session_cb_cnt == 0)
5633 || !TEST_true(psk_client_cb_cnt == 1)
5634 || !TEST_true(psk_server_cb_cnt == 1))
5635 goto end;
5636 }
5637
5638 shutdown_ssl_connection(serverssl, clientssl);
5639 serverssl = clientssl = NULL;
5640 use_session_cb_cnt = find_session_cb_cnt = 0;
5641 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5642
5643 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5644 NULL, NULL)))
5645 goto end;
5646
5647 /* Force an HRR */
5648#if defined(OPENSSL_NO_EC)
5649 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5650 goto end;
5651#else
5652 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
5653 goto end;
5654#endif
5655
5656 /*
5657 * Check we can create a connection, the PSK is used and the callbacks are
5658 * called twice.
5659 */
5660 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5661 || !TEST_true(SSL_session_reused(clientssl))
5662 || !TEST_true(SSL_session_reused(serverssl)))
5663 goto end;
5664
5665 if (idx == 0 || idx == 1) {
5666 if (!TEST_true(use_session_cb_cnt == 2)
5667 || !TEST_true(find_session_cb_cnt == 2)
5668 || !TEST_true(psk_client_cb_cnt == 0)
5669 || !TEST_true(psk_server_cb_cnt == 0))
5670 goto end;
5671 } else {
5672 if (!TEST_true(use_session_cb_cnt == 0)
5673 || !TEST_true(find_session_cb_cnt == 0)
5674 || !TEST_true(psk_client_cb_cnt == 2)
5675 || !TEST_true(psk_server_cb_cnt == 2))
5676 goto end;
5677 }
5678
5679 shutdown_ssl_connection(serverssl, clientssl);
5680 serverssl = clientssl = NULL;
5681 use_session_cb_cnt = find_session_cb_cnt = 0;
5682 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5683
5684 if (idx != 3) {
5685 /*
5686 * Check that if the server rejects the PSK we can still connect, but with
5687 * a full handshake
5688 */
5689 srvid = "Dummy Identity";
5690 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5691 NULL, NULL))
5692 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5693 SSL_ERROR_NONE))
5694 || !TEST_false(SSL_session_reused(clientssl))
5695 || !TEST_false(SSL_session_reused(serverssl)))
5696 goto end;
5697
5698 if (idx == 0 || idx == 1) {
5699 if (!TEST_true(use_session_cb_cnt == 1)
5700 || !TEST_true(find_session_cb_cnt == 1)
5701 || !TEST_true(psk_client_cb_cnt == 0)
5702 /*
5703 * If no old style callback then below should be 0
5704 * otherwise 1
5705 */
5706 || !TEST_true(psk_server_cb_cnt == idx))
5707 goto end;
5708 } else {
5709 if (!TEST_true(use_session_cb_cnt == 0)
5710 || !TEST_true(find_session_cb_cnt == 0)
5711 || !TEST_true(psk_client_cb_cnt == 1)
5712 || !TEST_true(psk_server_cb_cnt == 1))
5713 goto end;
5714 }
5715
5716 shutdown_ssl_connection(serverssl, clientssl);
5717 serverssl = clientssl = NULL;
5718 }
5719 testresult = 1;
5720
5721 end:
5722 SSL_SESSION_free(clientpsk);
5723 SSL_SESSION_free(serverpsk);
5724 clientpsk = serverpsk = NULL;
5725 SSL_free(serverssl);
5726 SSL_free(clientssl);
5727 SSL_CTX_free(sctx);
5728 SSL_CTX_free(cctx);
5729 return testresult;
5730}
5731
5732#ifndef OSSL_NO_USABLE_TLS1_3
5733/*
5734 * Test TLS1.3 connection establishment succeeds with various configurations of
5735 * the options `SSL_OP_ALLOW_NO_DHE_KEX` and `SSL_OP_PREFER_NO_DHE_KEX`.
5736 * The verification of whether the right KEX mode is chosen is not covered by
5737 * this test but by `test_tls13kexmodes`.
5738 *
5739 * Tests (idx & 1): Server has `SSL_OP_ALLOW_NO_DHE_KEX` set.
5740 * Tests (idx & 2): Server has `SSL_OP_PREFER_NO_DHE_KEX` set.
5741 * Tests (idx & 4): Client has `SSL_OP_ALLOW_NO_DHE_KEX` set.
5742 */
5743static int test_tls13_no_dhe_kex(const int idx)
5744{
5745 SSL_CTX *sctx = NULL, *cctx = NULL;
5746 SSL *serverssl = NULL, *clientssl = NULL;
5747 int testresult = 0;
5748 size_t j;
5749 SSL_SESSION *saved_session;
5750
5751 int server_allow_no_dhe = (idx & 1) != 0;
5752 int server_prefer_no_dhe = (idx & 2) != 0;
5753 int client_allow_no_dhe = (idx & 4) != 0;
5754
5755 uint64_t server_options = 0
5756 | (server_allow_no_dhe ? SSL_OP_ALLOW_NO_DHE_KEX : 0)
5757 | (server_prefer_no_dhe ? SSL_OP_PREFER_NO_DHE_KEX : 0);
5758
5759 uint64_t client_options = 0
5760 | (client_allow_no_dhe ? SSL_OP_ALLOW_NO_DHE_KEX : 0);
5761
5762 new_called = 0;
5763 do_cache = 1;
5764
5765 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5766 TLS_client_method(), TLS1_3_VERSION, 0,
5767 &sctx, &cctx, cert, privkey)))
5768 goto end;
5769
5770 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
5771 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
5772
5773 SSL_CTX_set_options(sctx, server_options);
5774 SSL_CTX_set_options(cctx, client_options);
5775
5776 SSL_CTX_sess_set_new_cb(cctx, new_cachesession_cb);
5777
5778 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5779 &clientssl, NULL, NULL)))
5780 goto end;
5781
5782 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5783 SSL_ERROR_NONE))
5784 /* Check we got the number of tickets we were expecting */
5785 || !TEST_int_eq(2, new_called))
5786 goto end;
5787
5788 /* We'll reuse the last ticket. */
5789 saved_session = sesscache[new_called - 1];
5790
5791 SSL_shutdown(clientssl);
5792 SSL_shutdown(serverssl);
5793 SSL_free(serverssl);
5794 SSL_free(clientssl);
5795 SSL_CTX_free(cctx);
5796 clientssl = serverssl = NULL;
5797 cctx = NULL;
5798
5799 /*
5800 * Now we resume with the last ticket we created.
5801 */
5802
5803 /* The server context already exists, so we only create the client. */
5804 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5805 TLS_client_method(), TLS1_3_VERSION, 0,
5806 NULL, &cctx, cert, privkey)))
5807 goto end;
5808
5809 SSL_CTX_set_options(cctx, client_options);
5810
5811 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5812 &clientssl, NULL, NULL))
5813 || !TEST_true(SSL_set_session(clientssl, saved_session)))
5814 goto end;
5815
5816 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5817 SSL_ERROR_NONE)))
5818 goto end;
5819
5820 /*
5821 * Make sure, the session was resumed.
5822 */
5823 if (!TEST_true(SSL_session_reused(clientssl)))
5824 goto end;
5825
5826 SSL_shutdown(clientssl);
5827 SSL_shutdown(serverssl);
5828
5829 testresult = 1;
5830
5831 end:
5832 SSL_free(serverssl);
5833 SSL_free(clientssl);
5834 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
5835 SSL_SESSION_free(sesscache[j]);
5836 sesscache[j] = NULL;
5837 }
5838 SSL_CTX_free(sctx);
5839 SSL_CTX_free(cctx);
5840
5841 return testresult;
5842}
5843#endif /* OSSL_NO_USABLE_TLS1_3 */
5844
5845static unsigned char cookie_magic_value[] = "cookie magic";
5846
5847static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5848 unsigned int *cookie_len)
5849{
5850 /*
5851 * Not suitable as a real cookie generation function but good enough for
5852 * testing!
5853 */
5854 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5855 *cookie_len = sizeof(cookie_magic_value) - 1;
5856
5857 return 1;
5858}
5859
5860static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5861 unsigned int cookie_len)
5862{
5863 if (cookie_len == sizeof(cookie_magic_value) - 1
5864 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5865 return 1;
5866
5867 return 0;
5868}
5869
5870static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5871 size_t *cookie_len)
5872{
5873 unsigned int temp;
5874 int res = generate_cookie_callback(ssl, cookie, &temp);
5875 *cookie_len = temp;
5876 return res;
5877}
5878
5879static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5880 size_t cookie_len)
5881{
5882 return verify_cookie_callback(ssl, cookie, cookie_len);
5883}
5884
5885static int test_stateless(void)
5886{
5887 SSL_CTX *sctx = NULL, *cctx = NULL;
5888 SSL *serverssl = NULL, *clientssl = NULL;
5889 int testresult = 0;
5890
5891 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5892 TLS_client_method(), TLS1_VERSION, 0,
5893 &sctx, &cctx, cert, privkey)))
5894 goto end;
5895
5896 /* The arrival of CCS messages can confuse the test */
5897 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5898
5899 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5900 NULL, NULL))
5901 /* Send the first ClientHello */
5902 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5903 SSL_ERROR_WANT_READ))
5904 /*
5905 * This should fail with a -1 return because we have no callbacks
5906 * set up
5907 */
5908 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5909 goto end;
5910
5911 /* Fatal error so abandon the connection from this client */
5912 SSL_free(clientssl);
5913 clientssl = NULL;
5914
5915 /* Set up the cookie generation and verification callbacks */
5916 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5917 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
5918
5919 /*
5920 * Create a new connection from the client (we can reuse the server SSL
5921 * object).
5922 */
5923 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5924 NULL, NULL))
5925 /* Send the first ClientHello */
5926 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5927 SSL_ERROR_WANT_READ))
5928 /* This should fail because there is no cookie */
5929 || !TEST_int_eq(SSL_stateless(serverssl), 0))
5930 goto end;
5931
5932 /* Abandon the connection from this client */
5933 SSL_free(clientssl);
5934 clientssl = NULL;
5935
5936 /*
5937 * Now create a connection from a new client but with the same server SSL
5938 * object
5939 */
5940 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5941 NULL, NULL))
5942 /* Send the first ClientHello */
5943 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5944 SSL_ERROR_WANT_READ))
5945 /* This should fail because there is no cookie */
5946 || !TEST_int_eq(SSL_stateless(serverssl), 0)
5947 /* Send the second ClientHello */
5948 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5949 SSL_ERROR_WANT_READ))
5950 /* This should succeed because a cookie is now present */
5951 || !TEST_int_eq(SSL_stateless(serverssl), 1)
5952 /* Complete the connection */
5953 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5954 SSL_ERROR_NONE)))
5955 goto end;
5956
5957 shutdown_ssl_connection(serverssl, clientssl);
5958 serverssl = clientssl = NULL;
5959 testresult = 1;
5960
5961 end:
5962 SSL_free(serverssl);
5963 SSL_free(clientssl);
5964 SSL_CTX_free(sctx);
5965 SSL_CTX_free(cctx);
5966 return testresult;
5967
5968}
5969#endif /* OSSL_NO_USABLE_TLS1_3 */
5970
5971static int clntaddoldcb = 0;
5972static int clntparseoldcb = 0;
5973static int srvaddoldcb = 0;
5974static int srvparseoldcb = 0;
5975static int clntaddnewcb = 0;
5976static int clntparsenewcb = 0;
5977static int srvaddnewcb = 0;
5978static int srvparsenewcb = 0;
5979static int snicb = 0;
5980
5981#define TEST_EXT_TYPE1 0xff00
5982
5983static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5984 size_t *outlen, int *al, void *add_arg)
5985{
5986 int *server = (int *)add_arg;
5987 unsigned char *data;
5988
5989 if (SSL_is_server(s))
5990 srvaddoldcb++;
5991 else
5992 clntaddoldcb++;
5993
5994 if (*server != SSL_is_server(s)
5995 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5996 return -1;
5997
5998 *data = 1;
5999 *out = data;
6000 *outlen = sizeof(char);
6001 return 1;
6002}
6003
6004static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
6005 void *add_arg)
6006{
6007 OPENSSL_free((unsigned char *)out);
6008}
6009
6010static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
6011 size_t inlen, int *al, void *parse_arg)
6012{
6013 int *server = (int *)parse_arg;
6014
6015 if (SSL_is_server(s))
6016 srvparseoldcb++;
6017 else
6018 clntparseoldcb++;
6019
6020 if (*server != SSL_is_server(s)
6021 || inlen != sizeof(char)
6022 || *in != 1)
6023 return -1;
6024
6025 return 1;
6026}
6027
6028static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
6029 const unsigned char **out, size_t *outlen, X509 *x,
6030 size_t chainidx, int *al, void *add_arg)
6031{
6032 int *server = (int *)add_arg;
6033 unsigned char *data;
6034
6035 if (SSL_is_server(s))
6036 srvaddnewcb++;
6037 else
6038 clntaddnewcb++;
6039
6040 if (*server != SSL_is_server(s)
6041 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
6042 return -1;
6043
6044 *data = 1;
6045 *out = data;
6046 *outlen = sizeof(*data);
6047 return 1;
6048}
6049
6050static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
6051 const unsigned char *out, void *add_arg)
6052{
6053 OPENSSL_free((unsigned char *)out);
6054}
6055
6056static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
6057 const unsigned char *in, size_t inlen, X509 *x,
6058 size_t chainidx, int *al, void *parse_arg)
6059{
6060 int *server = (int *)parse_arg;
6061
6062 if (SSL_is_server(s))
6063 srvparsenewcb++;
6064 else
6065 clntparsenewcb++;
6066
6067 if (*server != SSL_is_server(s)
6068 || inlen != sizeof(char) || *in != 1)
6069 return -1;
6070
6071 return 1;
6072}
6073
6074static int sni_cb(SSL *s, int *al, void *arg)
6075{
6076 SSL_CTX *ctx = (SSL_CTX *)arg;
6077
6078 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
6079 *al = SSL_AD_INTERNAL_ERROR;
6080 return SSL_TLSEXT_ERR_ALERT_FATAL;
6081 }
6082 snicb++;
6083 return SSL_TLSEXT_ERR_OK;
6084}
6085
6086static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
6087{
6088 return 1;
6089}
6090
6091/*
6092 * Custom call back tests.
6093 * Test 0: Old style callbacks in TLSv1.2
6094 * Test 1: New style callbacks in TLSv1.2
6095 * Test 2: New style callbacks in TLSv1.2 with SNI
6096 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
6097 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
6098 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
6099 */
6100static int test_custom_exts(int tst)
6101{
6102 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
6103 SSL *clientssl = NULL, *serverssl = NULL;
6104 int testresult = 0;
6105 static int server = 1;
6106 static int client = 0;
6107 SSL_SESSION *sess = NULL;
6108 unsigned int context;
6109
6110#if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
6111 /* Skip tests for TLSv1.2 and below in this case */
6112 if (tst < 3)
6113 return 1;
6114#endif
6115
6116 /* Reset callback counters */
6117 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
6118 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
6119 snicb = 0;
6120
6121 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6122 TLS_client_method(), TLS1_VERSION, 0,
6123 &sctx, &cctx, cert, privkey)))
6124 goto end;
6125
6126 if (tst == 2
6127 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
6128 TLS1_VERSION, 0,
6129 &sctx2, NULL, cert, privkey)))
6130 goto end;
6131
6132
6133 if (tst < 3) {
6134 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
6135 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
6136 if (sctx2 != NULL)
6137 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
6138 }
6139
6140 if (tst == 5) {
6141 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
6142 | SSL_EXT_TLS1_3_CERTIFICATE;
6143 SSL_CTX_set_verify(sctx,
6144 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
6145 verify_cb);
6146 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
6147 SSL_FILETYPE_PEM), 1)
6148 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
6149 SSL_FILETYPE_PEM), 1)
6150 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
6151 goto end;
6152 } else if (tst == 4) {
6153 context = SSL_EXT_CLIENT_HELLO
6154 | SSL_EXT_TLS1_2_SERVER_HELLO
6155 | SSL_EXT_TLS1_3_SERVER_HELLO
6156 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
6157 | SSL_EXT_TLS1_3_CERTIFICATE
6158 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
6159 } else {
6160 context = SSL_EXT_CLIENT_HELLO
6161 | SSL_EXT_TLS1_2_SERVER_HELLO
6162 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
6163 }
6164
6165 /* Create a client side custom extension */
6166 if (tst == 0) {
6167 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
6168 old_add_cb, old_free_cb,
6169 &client, old_parse_cb,
6170 &client)))
6171 goto end;
6172 } else {
6173 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
6174 new_add_cb, new_free_cb,
6175 &client, new_parse_cb, &client)))
6176 goto end;
6177 }
6178
6179 /* Should not be able to add duplicates */
6180 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
6181 old_add_cb, old_free_cb,
6182 &client, old_parse_cb,
6183 &client))
6184 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
6185 context, new_add_cb,
6186 new_free_cb, &client,
6187 new_parse_cb, &client)))
6188 goto end;
6189
6190 /* Create a server side custom extension */
6191 if (tst == 0) {
6192 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
6193 old_add_cb, old_free_cb,
6194 &server, old_parse_cb,
6195 &server)))
6196 goto end;
6197 } else {
6198 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
6199 new_add_cb, new_free_cb,
6200 &server, new_parse_cb, &server)))
6201 goto end;
6202 if (sctx2 != NULL
6203 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
6204 context, new_add_cb,
6205 new_free_cb, &server,
6206 new_parse_cb, &server)))
6207 goto end;
6208 }
6209
6210 /* Should not be able to add duplicates */
6211 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
6212 old_add_cb, old_free_cb,
6213 &server, old_parse_cb,
6214 &server))
6215 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
6216 context, new_add_cb,
6217 new_free_cb, &server,
6218 new_parse_cb, &server)))
6219 goto end;
6220
6221 if (tst == 2) {
6222 /* Set up SNI */
6223 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
6224 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
6225 goto end;
6226 }
6227
6228 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6229 &clientssl, NULL, NULL))
6230 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6231 SSL_ERROR_NONE)))
6232 goto end;
6233
6234 if (tst == 0) {
6235 if (clntaddoldcb != 1
6236 || clntparseoldcb != 1
6237 || srvaddoldcb != 1
6238 || srvparseoldcb != 1)
6239 goto end;
6240 } else if (tst == 1 || tst == 2 || tst == 3) {
6241 if (clntaddnewcb != 1
6242 || clntparsenewcb != 1
6243 || srvaddnewcb != 1
6244 || srvparsenewcb != 1
6245 || (tst != 2 && snicb != 0)
6246 || (tst == 2 && snicb != 1))
6247 goto end;
6248 } else if (tst == 5) {
6249 if (clntaddnewcb != 1
6250 || clntparsenewcb != 1
6251 || srvaddnewcb != 1
6252 || srvparsenewcb != 1)
6253 goto end;
6254 } else {
6255 /* In this case there 2 NewSessionTicket messages created */
6256 if (clntaddnewcb != 1
6257 || clntparsenewcb != 5
6258 || srvaddnewcb != 5
6259 || srvparsenewcb != 1)
6260 goto end;
6261 }
6262
6263 sess = SSL_get1_session(clientssl);
6264 SSL_shutdown(clientssl);
6265 SSL_shutdown(serverssl);
6266 SSL_free(serverssl);
6267 SSL_free(clientssl);
6268 serverssl = clientssl = NULL;
6269
6270 if (tst == 3 || tst == 5) {
6271 /* We don't bother with the resumption aspects for these tests */
6272 testresult = 1;
6273 goto end;
6274 }
6275
6276 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6277 NULL, NULL))
6278 || !TEST_true(SSL_set_session(clientssl, sess))
6279 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6280 SSL_ERROR_NONE)))
6281 goto end;
6282
6283 /*
6284 * For a resumed session we expect to add the ClientHello extension. For the
6285 * old style callbacks we ignore it on the server side because they set
6286 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
6287 * them.
6288 */
6289 if (tst == 0) {
6290 if (clntaddoldcb != 2
6291 || clntparseoldcb != 1
6292 || srvaddoldcb != 1
6293 || srvparseoldcb != 1)
6294 goto end;
6295 } else if (tst == 1 || tst == 2 || tst == 3) {
6296 if (clntaddnewcb != 2
6297 || clntparsenewcb != 2
6298 || srvaddnewcb != 2
6299 || srvparsenewcb != 2)
6300 goto end;
6301 } else {
6302 /*
6303 * No Certificate message extensions in the resumption handshake,
6304 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
6305 */
6306 if (clntaddnewcb != 2
6307 || clntparsenewcb != 8
6308 || srvaddnewcb != 8
6309 || srvparsenewcb != 2)
6310 goto end;
6311 }
6312
6313 testresult = 1;
6314
6315end:
6316 SSL_SESSION_free(sess);
6317 SSL_free(serverssl);
6318 SSL_free(clientssl);
6319 SSL_CTX_free(sctx2);
6320 SSL_CTX_free(sctx);
6321 SSL_CTX_free(cctx);
6322 return testresult;
6323}
6324
6325#if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
6326
6327#define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \
6328 | SSL_EXT_CLIENT_HELLO \
6329 | SSL_EXT_TLS1_2_SERVER_HELLO \
6330 | SSL_EXT_IGNORE_ON_RESUMPTION)
6331
6332#define TLS13CONTEXT (SSL_EXT_TLS1_3_CERTIFICATE \
6333 | SSL_EXT_TLS1_2_SERVER_HELLO \
6334 | SSL_EXT_CLIENT_HELLO)
6335
6336#define SERVERINFO_CUSTOM \
6337 0x00, (char)TLSEXT_TYPE_signed_certificate_timestamp, \
6338 0x00, 0x03, \
6339 0x04, 0x05, 0x06 \
6340
6341static const unsigned char serverinfo_custom_tls13[] = {
6342 0x00, 0x00, (TLS13CONTEXT >> 8) & 0xff, TLS13CONTEXT & 0xff,
6343 SERVERINFO_CUSTOM
6344};
6345static const unsigned char serverinfo_custom_v2[] = {
6346 0x00, 0x00, (SYNTHV1CONTEXT >> 8) & 0xff, SYNTHV1CONTEXT & 0xff,
6347 SERVERINFO_CUSTOM
6348};
6349static const unsigned char serverinfo_custom_v1[] = {
6350 SERVERINFO_CUSTOM
6351};
6352static const size_t serverinfo_custom_tls13_len = sizeof(serverinfo_custom_tls13);
6353static const size_t serverinfo_custom_v2_len = sizeof(serverinfo_custom_v2);
6354static const size_t serverinfo_custom_v1_len = sizeof(serverinfo_custom_v1);
6355
6356static int serverinfo_custom_parse_cb(SSL *s, unsigned int ext_type,
6357 unsigned int context,
6358 const unsigned char *in,
6359 size_t inlen, X509 *x,
6360 size_t chainidx, int *al,
6361 void *parse_arg)
6362{
6363 const size_t len = serverinfo_custom_v1_len;
6364 const unsigned char *si = &serverinfo_custom_v1[len - 3];
6365 int *p_cb_result = (int*)parse_arg;
6366 *p_cb_result = TEST_mem_eq(in, inlen, si, 3);
6367 return 1;
6368}
6369
6370static int test_serverinfo_custom(const int idx)
6371{
6372 SSL_CTX *sctx = NULL, *cctx = NULL;
6373 SSL *clientssl = NULL, *serverssl = NULL;
6374 int testresult = 0;
6375 int cb_result = 0;
6376
6377 /*
6378 * Following variables are set in the switch statement
6379 * according to the test iteration.
6380 * Default values do not make much sense: test would fail with them.
6381 */
6382 int serverinfo_version = 0;
6383 int protocol_version = 0;
6384 unsigned int extension_context = 0;
6385 const unsigned char *si = NULL;
6386 size_t si_len = 0;
6387
6388 const int call_use_serverinfo_ex = idx > 0;
6389 switch (idx) {
6390 case 0: /* FALLTHROUGH */
6391 case 1:
6392 serverinfo_version = SSL_SERVERINFOV1;
6393 protocol_version = TLS1_2_VERSION;
6394 extension_context = SYNTHV1CONTEXT;
6395 si = serverinfo_custom_v1;
6396 si_len = serverinfo_custom_v1_len;
6397 break;
6398 case 2:
6399 serverinfo_version = SSL_SERVERINFOV2;
6400 protocol_version = TLS1_2_VERSION;
6401 extension_context = SYNTHV1CONTEXT;
6402 si = serverinfo_custom_v2;
6403 si_len = serverinfo_custom_v2_len;
6404 break;
6405 case 3:
6406 serverinfo_version = SSL_SERVERINFOV2;
6407 protocol_version = TLS1_3_VERSION;
6408 extension_context = TLS13CONTEXT;
6409 si = serverinfo_custom_tls13;
6410 si_len = serverinfo_custom_tls13_len;
6411 break;
6412 }
6413
6414 if (!TEST_true(create_ssl_ctx_pair(libctx,
6415 TLS_method(),
6416 TLS_method(),
6417 protocol_version,
6418 protocol_version,
6419 &sctx, &cctx, cert, privkey)))
6420 goto end;
6421
6422 if (call_use_serverinfo_ex) {
6423 if (!TEST_true(SSL_CTX_use_serverinfo_ex(sctx, serverinfo_version,
6424 si, si_len)))
6425 goto end;
6426 } else {
6427 if (!TEST_true(SSL_CTX_use_serverinfo(sctx, si, si_len)))
6428 goto end;
6429 }
6430
6431 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TLSEXT_TYPE_signed_certificate_timestamp,
6432 extension_context,
6433 NULL, NULL, NULL,
6434 serverinfo_custom_parse_cb,
6435 &cb_result))
6436 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6437 NULL, NULL))
6438 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6439 SSL_ERROR_NONE))
6440 || !TEST_int_eq(SSL_do_handshake(clientssl), 1))
6441 goto end;
6442
6443 if (!TEST_true(cb_result))
6444 goto end;
6445
6446 testresult = 1;
6447
6448 end:
6449 SSL_free(serverssl);
6450 SSL_free(clientssl);
6451 SSL_CTX_free(sctx);
6452 SSL_CTX_free(cctx);
6453
6454 return testresult;
6455}
6456#endif
6457
6458/*
6459 * Test that SSL_export_keying_material() produces expected results. There are
6460 * no test vectors so all we do is test that both sides of the communication
6461 * produce the same results for different protocol versions.
6462 */
6463#define SMALL_LABEL_LEN 10
6464#define LONG_LABEL_LEN 249
6465static int test_export_key_mat(int tst)
6466{
6467 int testresult = 0;
6468 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
6469 SSL *clientssl = NULL, *serverssl = NULL;
6470 const char label[LONG_LABEL_LEN + 1] = "test label";
6471 const unsigned char context[] = "context";
6472 const unsigned char *emptycontext = NULL;
6473 unsigned char longcontext[1280];
6474 int test_longcontext = fips_provider_version_ge(libctx, 3, 3, 0);
6475 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80], ckeymat4[80];
6476 unsigned char skeymat1[80], skeymat2[80], skeymat3[80], skeymat4[80];
6477 size_t labellen;
6478 const int protocols[] = {
6479 TLS1_VERSION,
6480 TLS1_1_VERSION,
6481 TLS1_2_VERSION,
6482 TLS1_3_VERSION,
6483 TLS1_3_VERSION,
6484 TLS1_3_VERSION
6485 };
6486
6487#ifdef OPENSSL_NO_TLS1
6488 if (tst == 0)
6489 return 1;
6490#endif
6491#ifdef OPENSSL_NO_TLS1_1
6492 if (tst == 1)
6493 return 1;
6494#endif
6495 if (is_fips && (tst == 0 || tst == 1))
6496 return 1;
6497#ifdef OPENSSL_NO_TLS1_2
6498 if (tst == 2)
6499 return 1;
6500#endif
6501#ifdef OSSL_NO_USABLE_TLS1_3
6502 if (tst >= 3)
6503 return 1;
6504#endif
6505 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6506 TLS_client_method(), TLS1_VERSION, 0,
6507 &sctx, &cctx, cert, privkey)))
6508 goto end;
6509
6510 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
6511 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
6512 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
6513 if ((protocols[tst] < TLS1_2_VERSION) &&
6514 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
6515 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
6516 goto end;
6517
6518 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6519 NULL)))
6520 goto end;
6521
6522 /*
6523 * Premature call of SSL_export_keying_material should just fail.
6524 */
6525 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6526 sizeof(ckeymat1), label,
6527 SMALL_LABEL_LEN + 1, context,
6528 sizeof(context) - 1, 1), 0))
6529 goto end;
6530
6531 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6532 SSL_ERROR_NONE)))
6533 goto end;
6534
6535 if (tst == 5) {
6536 /*
6537 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
6538 * go over that.
6539 */
6540 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6541 sizeof(ckeymat1), label,
6542 LONG_LABEL_LEN + 1, context,
6543 sizeof(context) - 1, 1), 0))
6544 goto end;
6545
6546 testresult = 1;
6547 goto end;
6548 } else if (tst == 4) {
6549 labellen = LONG_LABEL_LEN;
6550 } else {
6551 labellen = SMALL_LABEL_LEN;
6552 }
6553
6554 memset(longcontext, 1, sizeof(longcontext));
6555
6556 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
6557 sizeof(ckeymat1), label,
6558 labellen, context,
6559 sizeof(context) - 1, 1), 1)
6560 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
6561 sizeof(ckeymat2), label,
6562 labellen,
6563 emptycontext,
6564 0, 1), 1)
6565 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
6566 sizeof(ckeymat3), label,
6567 labellen,
6568 NULL, 0, 0), 1)
6569 || (test_longcontext
6570 && !TEST_int_eq(SSL_export_keying_material(clientssl,
6571 ckeymat4,
6572 sizeof(ckeymat4), label,
6573 labellen,
6574 longcontext,
6575 sizeof(longcontext), 1),
6576 1))
6577 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
6578 sizeof(skeymat1), label,
6579 labellen,
6580 context,
6581 sizeof(context) -1, 1),
6582 1)
6583 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
6584 sizeof(skeymat2), label,
6585 labellen,
6586 emptycontext,
6587 0, 1), 1)
6588 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
6589 sizeof(skeymat3), label,
6590 labellen,
6591 NULL, 0, 0), 1)
6592 || (test_longcontext
6593 && !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat4,
6594 sizeof(skeymat4), label,
6595 labellen,
6596 longcontext,
6597 sizeof(longcontext), 1),
6598 1))
6599 /*
6600 * Check that both sides created the same key material with the
6601 * same context.
6602 */
6603 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6604 sizeof(skeymat1))
6605 /*
6606 * Check that both sides created the same key material with an
6607 * empty context.
6608 */
6609 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6610 sizeof(skeymat2))
6611 /*
6612 * Check that both sides created the same key material without a
6613 * context.
6614 */
6615 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
6616 sizeof(skeymat3))
6617 /*
6618 * Check that both sides created the same key material with a
6619 * long context.
6620 */
6621 || (test_longcontext
6622 && !TEST_mem_eq(ckeymat4, sizeof(ckeymat4), skeymat4,
6623 sizeof(skeymat4)))
6624 /* Different contexts should produce different results */
6625 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6626 sizeof(ckeymat2)))
6627 goto end;
6628
6629 /*
6630 * Check that an empty context and no context produce different results in
6631 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6632 */
6633 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
6634 sizeof(ckeymat3)))
6635 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
6636 sizeof(ckeymat3))))
6637 goto end;
6638
6639 testresult = 1;
6640
6641 end:
6642 SSL_free(serverssl);
6643 SSL_free(clientssl);
6644 SSL_CTX_free(sctx2);
6645 SSL_CTX_free(sctx);
6646 SSL_CTX_free(cctx);
6647
6648 return testresult;
6649}
6650
6651#ifndef OSSL_NO_USABLE_TLS1_3
6652/*
6653 * Test that SSL_export_keying_material_early() produces expected
6654 * results. There are no test vectors so all we do is test that both
6655 * sides of the communication produce the same results for different
6656 * protocol versions.
6657 */
6658static int test_export_key_mat_early(int idx)
6659{
6660 static const char label[] = "test label";
6661 static const unsigned char context[] = "context";
6662 int testresult = 0;
6663 SSL_CTX *cctx = NULL, *sctx = NULL;
6664 SSL *clientssl = NULL, *serverssl = NULL;
6665 SSL_SESSION *sess = NULL;
6666 const unsigned char *emptycontext = NULL;
6667 unsigned char ckeymat1[80], ckeymat2[80];
6668 unsigned char skeymat1[80], skeymat2[80];
6669 unsigned char buf[1];
6670 size_t readbytes, written;
6671
6672 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
6673 &sess, idx, SHA384_DIGEST_LENGTH)))
6674 goto end;
6675
6676 /* Here writing 0 length early data is enough. */
6677 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6678 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6679 &readbytes),
6680 SSL_READ_EARLY_DATA_ERROR)
6681 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6682 SSL_EARLY_DATA_ACCEPTED))
6683 goto end;
6684
6685 if (!TEST_int_eq(SSL_export_keying_material_early(
6686 clientssl, ckeymat1, sizeof(ckeymat1), label,
6687 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6688 || !TEST_int_eq(SSL_export_keying_material_early(
6689 clientssl, ckeymat2, sizeof(ckeymat2), label,
6690 sizeof(label) - 1, emptycontext, 0), 1)
6691 || !TEST_int_eq(SSL_export_keying_material_early(
6692 serverssl, skeymat1, sizeof(skeymat1), label,
6693 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6694 || !TEST_int_eq(SSL_export_keying_material_early(
6695 serverssl, skeymat2, sizeof(skeymat2), label,
6696 sizeof(label) - 1, emptycontext, 0), 1)
6697 /*
6698 * Check that both sides created the same key material with the
6699 * same context.
6700 */
6701 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6702 sizeof(skeymat1))
6703 /*
6704 * Check that both sides created the same key material with an
6705 * empty context.
6706 */
6707 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6708 sizeof(skeymat2))
6709 /* Different contexts should produce different results */
6710 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6711 sizeof(ckeymat2)))
6712 goto end;
6713
6714 testresult = 1;
6715
6716 end:
6717 SSL_SESSION_free(sess);
6718 SSL_SESSION_free(clientpsk);
6719 SSL_SESSION_free(serverpsk);
6720 clientpsk = serverpsk = NULL;
6721 SSL_free(serverssl);
6722 SSL_free(clientssl);
6723 SSL_CTX_free(sctx);
6724 SSL_CTX_free(cctx);
6725
6726 return testresult;
6727}
6728
6729#define NUM_KEY_UPDATE_MESSAGES 40
6730/*
6731 * Test KeyUpdate.
6732 */
6733static int test_key_update(void)
6734{
6735 SSL_CTX *cctx = NULL, *sctx = NULL;
6736 SSL *clientssl = NULL, *serverssl = NULL;
6737 int testresult = 0, i, j;
6738 char buf[20];
6739 static char *mess = "A test message";
6740
6741 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6742 TLS_client_method(),
6743 TLS1_3_VERSION,
6744 0,
6745 &sctx, &cctx, cert, privkey))
6746 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6747 NULL, NULL))
6748 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6749 SSL_ERROR_NONE)))
6750 goto end;
6751
6752 for (j = 0; j < 2; j++) {
6753 /* Send lots of KeyUpdate messages */
6754 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6755 if (!TEST_true(SSL_key_update(clientssl,
6756 (j == 0)
6757 ? SSL_KEY_UPDATE_NOT_REQUESTED
6758 : SSL_KEY_UPDATE_REQUESTED))
6759 || !TEST_true(SSL_do_handshake(clientssl)))
6760 goto end;
6761 }
6762
6763 /* Check that sending and receiving app data is ok */
6764 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6765 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6766 strlen(mess)))
6767 goto end;
6768
6769 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6770 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6771 strlen(mess)))
6772 goto end;
6773 }
6774
6775 testresult = 1;
6776
6777 end:
6778 SSL_free(serverssl);
6779 SSL_free(clientssl);
6780 SSL_CTX_free(sctx);
6781 SSL_CTX_free(cctx);
6782
6783 return testresult;
6784}
6785
6786/*
6787 * Test we can handle a KeyUpdate (update requested) message while
6788 * write data is pending in peer.
6789 * Test 0: Client sends KeyUpdate while Server is writing
6790 * Test 1: Server sends KeyUpdate while Client is writing
6791 */
6792static int test_key_update_peer_in_write(int tst)
6793{
6794 SSL_CTX *cctx = NULL, *sctx = NULL;
6795 SSL *clientssl = NULL, *serverssl = NULL;
6796 int testresult = 0;
6797 char buf[20];
6798 static char *mess = "A test message";
6799 BIO *bretry = BIO_new(bio_s_always_retry());
6800 BIO *tmp = NULL;
6801 SSL *peerupdate = NULL, *peerwrite = NULL;
6802
6803 if (!TEST_ptr(bretry)
6804 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6805 TLS_client_method(),
6806 TLS1_3_VERSION,
6807 0,
6808 &sctx, &cctx, cert, privkey))
6809 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6810 NULL, NULL))
6811 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6812 SSL_ERROR_NONE)))
6813 goto end;
6814
6815 peerupdate = tst == 0 ? clientssl : serverssl;
6816 peerwrite = tst == 0 ? serverssl : clientssl;
6817
6818 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
6819 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
6820 goto end;
6821
6822 /* Swap the writing endpoint's write BIO to force a retry */
6823 tmp = SSL_get_wbio(peerwrite);
6824 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6825 tmp = NULL;
6826 goto end;
6827 }
6828 SSL_set0_wbio(peerwrite, bretry);
6829 bretry = NULL;
6830
6831 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6832 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6833 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE)
6834 || !TEST_true(SSL_want_write(peerwrite))
6835 || !TEST_true(SSL_net_write_desired(peerwrite)))
6836 goto end;
6837
6838 /* Reinstate the original writing endpoint's write BIO */
6839 SSL_set0_wbio(peerwrite, tmp);
6840 tmp = NULL;
6841
6842 /* Now read some data - we will read the key update */
6843 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6844 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ)
6845 || !TEST_true(SSL_want_read(peerwrite))
6846 || !TEST_true(SSL_net_read_desired(peerwrite)))
6847 goto end;
6848
6849 /*
6850 * Complete the write we started previously and read it from the other
6851 * endpoint
6852 */
6853 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6854 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6855 goto end;
6856
6857 /* Write more data to ensure we send the KeyUpdate message back */
6858 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6859 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6860 goto end;
6861
6862 if (!TEST_false(SSL_net_read_desired(peerwrite))
6863 || !TEST_false(SSL_net_write_desired(peerwrite))
6864 || !TEST_int_eq(SSL_want(peerwrite), SSL_NOTHING))
6865 goto end;
6866
6867 testresult = 1;
6868
6869 end:
6870 SSL_free(serverssl);
6871 SSL_free(clientssl);
6872 SSL_CTX_free(sctx);
6873 SSL_CTX_free(cctx);
6874 BIO_free(bretry);
6875 BIO_free(tmp);
6876
6877 return testresult;
6878}
6879
6880/*
6881 * Test we can handle a KeyUpdate (update requested) message while
6882 * peer read data is pending after peer accepted keyupdate(the msg header
6883 * had been read 5 bytes).
6884 * Test 0: Client sends KeyUpdate while Server is reading
6885 * Test 1: Server sends KeyUpdate while Client is reading
6886 */
6887static int test_key_update_peer_in_read(int tst)
6888{
6889 SSL_CTX *cctx = NULL, *sctx = NULL;
6890 SSL *clientssl = NULL, *serverssl = NULL;
6891 int testresult = 0;
6892 char prbuf[515], lwbuf[515] = {0};
6893 static char *mess = "A test message";
6894 BIO *lbio = NULL, *pbio = NULL;
6895 SSL *local = NULL, *peer = NULL;
6896
6897 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6898 TLS_client_method(),
6899 TLS1_3_VERSION,
6900 0,
6901 &sctx, &cctx, cert, privkey))
6902 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6903 NULL, NULL))
6904 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6905 SSL_ERROR_NONE)))
6906 goto end;
6907
6908 local = tst == 0 ? clientssl : serverssl;
6909 peer = tst == 0 ? serverssl : clientssl;
6910
6911 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6912 goto end;
6913
6914 SSL_set_bio(local, lbio, lbio);
6915 SSL_set_bio(peer, pbio, pbio);
6916
6917 /*
6918 * we first write keyupdate msg then appdata in local
6919 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6920 * lwbuf app data msg size + key updata msg size > 512(the size of
6921 * the bio pair buffer)
6922 */
6923 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6924 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
6925 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6926 goto end;
6927
6928 /*
6929 * first read keyupdate msg in peer in peer
6930 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6931 */
6932 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
6933 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
6934 goto end;
6935
6936 /* Now write some data in peer - we will write the key update */
6937 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
6938 goto end;
6939
6940 /*
6941 * write data in local previously that we will complete
6942 * read data in peer previously that we will complete
6943 */
6944 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
6945 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
6946 goto end;
6947
6948 /* check that sending and receiving appdata ok */
6949 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6950 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6951 goto end;
6952
6953 testresult = 1;
6954
6955 end:
6956 SSL_free(serverssl);
6957 SSL_free(clientssl);
6958 SSL_CTX_free(sctx);
6959 SSL_CTX_free(cctx);
6960
6961 return testresult;
6962}
6963
6964/*
6965 * Test we can't send a KeyUpdate (update requested) message while
6966 * local write data is pending.
6967 * Test 0: Client sends KeyUpdate while Client is writing
6968 * Test 1: Server sends KeyUpdate while Server is writing
6969 */
6970static int test_key_update_local_in_write(int tst)
6971{
6972 SSL_CTX *cctx = NULL, *sctx = NULL;
6973 SSL *clientssl = NULL, *serverssl = NULL;
6974 int testresult = 0;
6975 char buf[20];
6976 static char *mess = "A test message";
6977 BIO *bretry = BIO_new(bio_s_always_retry());
6978 BIO *tmp = NULL;
6979 SSL *local = NULL, *peer = NULL;
6980
6981 if (!TEST_ptr(bretry)
6982 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6983 TLS_client_method(),
6984 TLS1_3_VERSION,
6985 0,
6986 &sctx, &cctx, cert, privkey))
6987 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6988 NULL, NULL))
6989 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6990 SSL_ERROR_NONE)))
6991 goto end;
6992
6993 local = tst == 0 ? clientssl : serverssl;
6994 peer = tst == 0 ? serverssl : clientssl;
6995
6996 /* Swap the writing endpoint's write BIO to force a retry */
6997 tmp = SSL_get_wbio(local);
6998 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6999 tmp = NULL;
7000 goto end;
7001 }
7002 SSL_set0_wbio(local, bretry);
7003 bretry = NULL;
7004
7005 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
7006 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
7007 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
7008 goto end;
7009
7010 /* Reinstate the original writing endpoint's write BIO */
7011 SSL_set0_wbio(local, tmp);
7012 tmp = NULL;
7013
7014 /* SSL_key_update will fail, because writing in local*/
7015 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
7016 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
7017 goto end;
7018
7019 ERR_clear_error();
7020 /* write data in local previously that we will complete */
7021 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
7022 goto end;
7023
7024 /* SSL_key_update will succeed because there is no pending write data */
7025 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
7026 || !TEST_int_eq(SSL_do_handshake(local), 1))
7027 goto end;
7028
7029 /*
7030 * we write some appdata in local
7031 * read data in peer - we will read the keyupdate msg
7032 */
7033 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
7034 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
7035 goto end;
7036
7037 /* Write more peer more data to ensure we send the keyupdate message back */
7038 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
7039 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
7040 goto end;
7041
7042 testresult = 1;
7043
7044 end:
7045 SSL_free(serverssl);
7046 SSL_free(clientssl);
7047 SSL_CTX_free(sctx);
7048 SSL_CTX_free(cctx);
7049 BIO_free(bretry);
7050 BIO_free(tmp);
7051
7052 return testresult;
7053}
7054
7055/*
7056 * Test we can handle a KeyUpdate (update requested) message while
7057 * local read data is pending(the msg header had been read 5 bytes).
7058 * Test 0: Client sends KeyUpdate while Client is reading
7059 * Test 1: Server sends KeyUpdate while Server is reading
7060 */
7061static int test_key_update_local_in_read(int tst)
7062{
7063 SSL_CTX *cctx = NULL, *sctx = NULL;
7064 SSL *clientssl = NULL, *serverssl = NULL;
7065 int testresult = 0;
7066 char lrbuf[515], pwbuf[515] = {0}, prbuf[20];
7067 static char *mess = "A test message";
7068 BIO *lbio = NULL, *pbio = NULL;
7069 SSL *local = NULL, *peer = NULL;
7070
7071 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7072 TLS_client_method(),
7073 TLS1_3_VERSION,
7074 0,
7075 &sctx, &cctx, cert, privkey))
7076 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7077 NULL, NULL))
7078 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7079 SSL_ERROR_NONE)))
7080 goto end;
7081
7082 local = tst == 0 ? clientssl : serverssl;
7083 peer = tst == 0 ? serverssl : clientssl;
7084
7085 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
7086 goto end;
7087
7088 SSL_set_bio(local, lbio, lbio);
7089 SSL_set_bio(peer, pbio, pbio);
7090
7091 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
7092 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
7093 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
7094 goto end;
7095
7096 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
7097 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
7098 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
7099 goto end;
7100
7101 /* SSL_do_handshake will send keyupdate msg */
7102 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
7103 || !TEST_int_eq(SSL_do_handshake(local), 1))
7104 goto end;
7105
7106 /*
7107 * write data in peer previously that we will complete
7108 * read data in local previously that we will complete
7109 */
7110 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
7111 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
7112 goto end;
7113
7114 /*
7115 * write data in local
7116 * read data in peer - we will read the key update
7117 */
7118 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
7119 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
7120 goto end;
7121
7122 /* Write more peer data to ensure we send the keyupdate message back */
7123 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
7124 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
7125 goto end;
7126
7127 testresult = 1;
7128
7129 end:
7130 SSL_free(serverssl);
7131 SSL_free(clientssl);
7132 SSL_CTX_free(sctx);
7133 SSL_CTX_free(cctx);
7134
7135 return testresult;
7136}
7137#endif /* OSSL_NO_USABLE_TLS1_3 */
7138
7139/*
7140 * Test clearing a connection via SSL_clear(), or resetting it via
7141 * SSL_set_connect_state()/SSL_set_accept_state()
7142 * Test 0: SSL_set_connect_state, TLSv1.3
7143 * Test 1: SSL_set_connect_state, TLSv1.2
7144 * Test 2: SSL_set_accept_state, TLSv1.3
7145 * Test 3: SSL_set_accept_state, TLSv1.2
7146 * Test 4: SSL_clear (client), TLSv1.3
7147 * Test 5: SSL_clear (client), TLSv1.2
7148 * Test 6: SSL_clear (server), TLSv1.3
7149 * Test 7: SSL_clear (server), TLSv1.2
7150 */
7151static int test_ssl_clear(int idx)
7152{
7153 SSL_CTX *cctx = NULL, *sctx = NULL;
7154 SSL *clientssl = NULL, *serverssl = NULL;
7155 SSL *writer, *reader;
7156 int testresult = 0;
7157 int tls12test, servertest, cleartest;
7158 size_t written, readbytes;
7159 const char *msg = "Hello World";
7160 unsigned char buf[5];
7161
7162 tls12test = idx & 1;
7163 idx >>= 1;
7164 servertest = idx & 1;
7165 idx >>= 1;
7166 cleartest = idx & 1;
7167
7168#ifdef OPENSSL_NO_TLS1_2
7169 if (tls12test == 1)
7170 return TEST_skip("No TLSv1.2 in this build");
7171#endif
7172
7173 /* Create an initial connection */
7174 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7175 TLS_client_method(), TLS1_VERSION, 0,
7176 &sctx, &cctx, cert, privkey))
7177 || (tls12test
7178 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
7179 TLS1_2_VERSION)))
7180 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7181 &clientssl, NULL, NULL))
7182 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7183 SSL_ERROR_NONE)))
7184 goto end;
7185
7186 if (servertest) {
7187 writer = clientssl;
7188 reader = serverssl;
7189 } else {
7190 writer = serverssl;
7191 reader = clientssl;
7192 }
7193
7194 /* Write some data */
7195 if (!TEST_true(SSL_write_ex(writer, msg, strlen(msg), &written))
7196 || written != strlen(msg))
7197 goto end;
7198
7199 /*
7200 * Read a partial record. The remaining buffered data should be cleared by
7201 * the subsequent clear/reset
7202 */
7203 if (!TEST_true(SSL_read_ex(reader, buf, sizeof(buf), &readbytes))
7204 || readbytes != sizeof(buf))
7205 goto end;
7206
7207 SSL_shutdown(clientssl);
7208 SSL_shutdown(serverssl);
7209
7210 /* Reset/clear one SSL object in order to reuse it. We free the other one */
7211 if (servertest) {
7212 if (cleartest) {
7213 if (!TEST_true(SSL_clear(serverssl)))
7214 goto end;
7215 } else {
7216 SSL_set_accept_state(serverssl);
7217 }
7218 /*
7219 * A peculiarity of SSL_clear() is that it does not clear the session.
7220 * This is intended behaviour so that a client can create a new
7221 * connection and reuse the session. But this doesn't make much sense
7222 * on the server side - and causes incorrect behaviour due to the
7223 * handshake failing (even though the documentation does say SSL_clear()
7224 * is supposed to work on the server side). We clear the session
7225 * explicitly - although note that the documentation for
7226 * SSL_set_session() says that its only useful for clients!
7227 */
7228 if (!TEST_true(SSL_set_session(serverssl, NULL)))
7229 goto end;
7230 SSL_free(clientssl);
7231 clientssl = NULL;
7232 } else {
7233 if (cleartest) {
7234 if (!TEST_true(SSL_clear(clientssl)))
7235 goto end;
7236 } else {
7237 SSL_set_connect_state(clientssl);
7238 }
7239 SSL_free(serverssl);
7240 serverssl = NULL;
7241 }
7242
7243 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7244 NULL, NULL))
7245 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7246 SSL_ERROR_NONE))
7247 || !TEST_true(servertest || SSL_session_reused(clientssl)))
7248 goto end;
7249
7250 SSL_shutdown(clientssl);
7251 SSL_shutdown(serverssl);
7252
7253 testresult = 1;
7254
7255 end:
7256 SSL_free(serverssl);
7257 SSL_free(clientssl);
7258 SSL_CTX_free(sctx);
7259 SSL_CTX_free(cctx);
7260
7261 return testresult;
7262}
7263
7264/* Parse CH and retrieve any MFL extension value if present */
7265static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
7266{
7267 long len;
7268 unsigned char *data;
7269 PACKET pkt, pkt2, pkt3;
7270 unsigned int MFL_code = 0, type = 0;
7271
7272 if (!TEST_uint_gt(len = BIO_get_mem_data(bio, (char **) &data), 0))
7273 goto end;
7274
7275 memset(&pkt, 0, sizeof(pkt));
7276 memset(&pkt2, 0, sizeof(pkt2));
7277 memset(&pkt3, 0, sizeof(pkt3));
7278
7279 if (!TEST_long_gt(len, 0)
7280 || !TEST_true(PACKET_buf_init(&pkt, data, len))
7281 /* Skip the record header */
7282 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
7283 /* Skip the handshake message header */
7284 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
7285 /* Skip client version and random */
7286 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
7287 + SSL3_RANDOM_SIZE))
7288 /* Skip session id */
7289 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
7290 /* Skip ciphers */
7291 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
7292 /* Skip compression */
7293 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
7294 /* Extensions len */
7295 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
7296 goto end;
7297
7298 /* Loop through all extensions */
7299 while (PACKET_remaining(&pkt2)) {
7300 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
7301 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
7302 goto end;
7303
7304 if (type == TLSEXT_TYPE_max_fragment_length) {
7305 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
7306 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
7307 goto end;
7308
7309 *mfl_codemfl_code = MFL_code;
7310 return 1;
7311 }
7312 }
7313
7314 end:
7315 return 0;
7316}
7317
7318/* Maximum-Fragment-Length TLS extension mode to test */
7319static const unsigned char max_fragment_len_test[] = {
7320 TLSEXT_max_fragment_length_512,
7321 TLSEXT_max_fragment_length_1024,
7322 TLSEXT_max_fragment_length_2048,
7323 TLSEXT_max_fragment_length_4096
7324};
7325
7326static int test_max_fragment_len_ext(int idx_tst)
7327{
7328 SSL_CTX *ctx = NULL;
7329 SSL *con = NULL;
7330 int testresult = 0, MFL_mode = 0;
7331 BIO *rbio, *wbio;
7332
7333 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
7334 TLS1_VERSION, 0, NULL, &ctx, NULL,
7335 NULL)))
7336 return 0;
7337
7338 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
7339 ctx, max_fragment_len_test[idx_tst])))
7340 goto end;
7341
7342 con = SSL_new(ctx);
7343 if (!TEST_ptr(con))
7344 goto end;
7345
7346 rbio = BIO_new(BIO_s_mem());
7347 wbio = BIO_new(BIO_s_mem());
7348 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
7349 BIO_free(rbio);
7350 BIO_free(wbio);
7351 goto end;
7352 }
7353
7354 SSL_set_bio(con, rbio, wbio);
7355
7356 if (!TEST_int_le(SSL_connect(con), 0)) {
7357 /* This shouldn't succeed because we don't have a server! */
7358 goto end;
7359 }
7360
7361 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
7362 /* no MFL in client hello */
7363 goto end;
7364 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
7365 goto end;
7366
7367 testresult = 1;
7368
7369end:
7370 SSL_free(con);
7371 SSL_CTX_free(ctx);
7372
7373 return testresult;
7374}
7375
7376#ifndef OSSL_NO_USABLE_TLS1_3
7377static int test_pha_key_update(void)
7378{
7379 SSL_CTX *cctx = NULL, *sctx = NULL;
7380 SSL *clientssl = NULL, *serverssl = NULL;
7381 int testresult = 0;
7382
7383 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7384 TLS_client_method(), TLS1_VERSION, 0,
7385 &sctx, &cctx, cert, privkey)))
7386 return 0;
7387
7388 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
7389 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
7390 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
7391 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
7392 goto end;
7393
7394 SSL_CTX_set_post_handshake_auth(cctx, 1);
7395
7396 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7397 NULL, NULL)))
7398 goto end;
7399
7400 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7401 SSL_ERROR_NONE)))
7402 goto end;
7403
7404 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7405 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7406 goto end;
7407
7408 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
7409 goto end;
7410
7411 /* Start handshake on the server */
7412 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
7413 goto end;
7414
7415 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
7416 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7417 SSL_ERROR_NONE)))
7418 goto end;
7419
7420 SSL_shutdown(clientssl);
7421 SSL_shutdown(serverssl);
7422
7423 testresult = 1;
7424
7425 end:
7426 SSL_free(serverssl);
7427 SSL_free(clientssl);
7428 SSL_CTX_free(sctx);
7429 SSL_CTX_free(cctx);
7430 return testresult;
7431}
7432#endif
7433
7434#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7435
7436static SRP_VBASE *vbase = NULL;
7437
7438static int ssl_srp_cb(SSL *s, int *ad, void *arg)
7439{
7440 int ret = SSL3_AL_FATAL;
7441 char *username;
7442 SRP_user_pwd *user = NULL;
7443
7444 username = SSL_get_srp_username(s);
7445 if (username == NULL) {
7446 *ad = SSL_AD_INTERNAL_ERROR;
7447 goto err;
7448 }
7449
7450 user = SRP_VBASE_get1_by_user(vbase, username);
7451 if (user == NULL) {
7452 *ad = SSL_AD_INTERNAL_ERROR;
7453 goto err;
7454 }
7455
7456 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
7457 user->info) <= 0) {
7458 *ad = SSL_AD_INTERNAL_ERROR;
7459 goto err;
7460 }
7461
7462 ret = 0;
7463
7464 err:
7465 SRP_user_pwd_free(user);
7466 return ret;
7467}
7468
7469static int create_new_vfile(char *userid, char *password, const char *filename)
7470{
7471 char *gNid = NULL;
7472 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
7473 TXT_DB *db = NULL;
7474 int ret = 0;
7475 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
7476 size_t i;
7477
7478 if (!TEST_ptr(dummy) || !TEST_ptr(row))
7479 goto end;
7480
7481 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
7482 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
7483 if (!TEST_ptr(gNid))
7484 goto end;
7485
7486 /*
7487 * The only way to create an empty TXT_DB is to provide a BIO with no data
7488 * in it!
7489 */
7490 db = TXT_DB_read(dummy, DB_NUMBER);
7491 if (!TEST_ptr(db))
7492 goto end;
7493
7494 out = BIO_new_file(filename, "w");
7495 if (!TEST_ptr(out))
7496 goto end;
7497
7498 row[DB_srpid] = OPENSSL_strdup(userid);
7499 row[DB_srptype] = OPENSSL_strdup("V");
7500 row[DB_srpgN] = OPENSSL_strdup(gNid);
7501
7502 if (!TEST_ptr(row[DB_srpid])
7503 || !TEST_ptr(row[DB_srptype])
7504 || !TEST_ptr(row[DB_srpgN])
7505 || !TEST_true(TXT_DB_insert(db, row)))
7506 goto end;
7507
7508 row = NULL;
7509
7510 if (TXT_DB_write(out, db) <= 0)
7511 goto end;
7512
7513 ret = 1;
7514 end:
7515 if (row != NULL) {
7516 for (i = 0; i < DB_NUMBER; i++)
7517 OPENSSL_free(row[i]);
7518 }
7519 OPENSSL_free(row);
7520 BIO_free(dummy);
7521 BIO_free(out);
7522 TXT_DB_free(db);
7523
7524 return ret;
7525}
7526
7527static int create_new_vbase(char *userid, char *password)
7528{
7529 BIGNUM *verifier = NULL, *salt = NULL;
7530 const SRP_gN *lgN = NULL;
7531 SRP_user_pwd *user_pwd = NULL;
7532 int ret = 0;
7533
7534 lgN = SRP_get_default_gN(NULL);
7535 if (!TEST_ptr(lgN))
7536 goto end;
7537
7538 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
7539 lgN->N, lgN->g, libctx, NULL)))
7540 goto end;
7541
7542 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
7543 if (!TEST_ptr(user_pwd))
7544 goto end;
7545
7546 user_pwd->N = lgN->N;
7547 user_pwd->g = lgN->g;
7548 user_pwd->id = OPENSSL_strdup(userid);
7549 if (!TEST_ptr(user_pwd->id))
7550 goto end;
7551
7552 user_pwd->v = verifier;
7553 user_pwd->s = salt;
7554 verifier = salt = NULL;
7555
7556 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
7557 goto end;
7558 user_pwd = NULL;
7559
7560 ret = 1;
7561end:
7562 SRP_user_pwd_free(user_pwd);
7563 BN_free(salt);
7564 BN_free(verifier);
7565
7566 return ret;
7567}
7568
7569/*
7570 * SRP tests
7571 *
7572 * Test 0: Simple successful SRP connection, new vbase
7573 * Test 1: Connection failure due to bad password, new vbase
7574 * Test 2: Simple successful SRP connection, vbase loaded from existing file
7575 * Test 3: Connection failure due to bad password, vbase loaded from existing
7576 * file
7577 * Test 4: Simple successful SRP connection, vbase loaded from new file
7578 * Test 5: Connection failure due to bad password, vbase loaded from new file
7579 */
7580static int test_srp(int tst)
7581{
7582 char *userid = "test", *password = "password", *tstsrpfile;
7583 SSL_CTX *cctx = NULL, *sctx = NULL;
7584 SSL *clientssl = NULL, *serverssl = NULL;
7585 int ret, testresult = 0;
7586
7587 vbase = SRP_VBASE_new(NULL);
7588 if (!TEST_ptr(vbase))
7589 goto end;
7590
7591 if (tst == 0 || tst == 1) {
7592 if (!TEST_true(create_new_vbase(userid, password)))
7593 goto end;
7594 } else {
7595 if (tst == 4 || tst == 5) {
7596 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
7597 goto end;
7598 tstsrpfile = tmpfilename;
7599 } else {
7600 tstsrpfile = srpvfile;
7601 }
7602 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
7603 goto end;
7604 }
7605
7606 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7607 TLS_client_method(), TLS1_VERSION, 0,
7608 &sctx, &cctx, cert, privkey)))
7609 goto end;
7610
7611 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
7612 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
7613 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
7614 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
7615 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
7616 goto end;
7617
7618 if (tst % 2 == 1) {
7619 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
7620 goto end;
7621 } else {
7622 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
7623 goto end;
7624 }
7625
7626 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7627 NULL, NULL)))
7628 goto end;
7629
7630 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7631 if (ret) {
7632 if (!TEST_true(tst % 2 == 0))
7633 goto end;
7634 } else {
7635 if (!TEST_true(tst % 2 == 1))
7636 goto end;
7637 }
7638
7639 testresult = 1;
7640
7641 end:
7642 SRP_VBASE_free(vbase);
7643 vbase = NULL;
7644 SSL_free(serverssl);
7645 SSL_free(clientssl);
7646 SSL_CTX_free(sctx);
7647 SSL_CTX_free(cctx);
7648
7649 return testresult;
7650}
7651#endif
7652
7653static int info_cb_failed = 0;
7654static int info_cb_offset = 0;
7655static int info_cb_this_state = -1;
7656
7657static struct info_cb_states_st {
7658 int where;
7659 const char *statestr;
7660} info_cb_states[][60] = {
7661 {
7662 /* TLSv1.2 server followed by resumption */
7663 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7664 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7665 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
7666 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
7667 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
7668 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7669 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7670 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7671 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"},
7672 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7673 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
7674 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7675 {SSL_CB_EXIT, NULL}, {0, NULL},
7676 }, {
7677 /* TLSv1.2 client followed by resumption */
7678 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7679 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7680 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
7681 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
7682 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
7683 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7684 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7685 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7686 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7687 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7688 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7689 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
7690 }, {
7691 /* TLSv1.3 server followed by resumption */
7692 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7693 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7694 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
7695 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7696 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7697 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7698 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7699 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7700 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7701 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7702 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7703 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7704 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7705 }, {
7706 /* TLSv1.3 client followed by resumption */
7707 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7708 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7709 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
7710 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7711 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7712 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7713 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7714 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7715 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7716 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7717 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7718 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7719 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7720 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7721 {SSL_CB_EXIT, NULL}, {0, NULL},
7722 }, {
7723 /* TLSv1.3 server, early_data */
7724 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7725 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7726 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7727 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7728 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7729 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
7730 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7731 {SSL_CB_EXIT, NULL}, {0, NULL},
7732 }, {
7733 /* TLSv1.3 client, early_data */
7734 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7735 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
7736 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7737 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7738 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7739 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
7740 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7741 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7742 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7743 }, {
7744 /* TLSv1.3 server, certificate compression, followed by resumption */
7745 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7746 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7747 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSCC"},
7748 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7749 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7750 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7751 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7752 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7753 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7754 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7755 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7756 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7757 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7758 }, {
7759 /* TLSv1.3 client, certificate compression, followed by resumption */
7760 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7761 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7762 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSCC"},
7763 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7764 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7765 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7766 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7767 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7768 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7769 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7770 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7771 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7772 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7773 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7774 {SSL_CB_EXIT, NULL}, {0, NULL},
7775 }, {
7776 {0, NULL},
7777 }
7778};
7779
7780static void sslapi_info_callback(const SSL *s, int where, int ret)
7781{
7782 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
7783
7784 /* We do not ever expect a connection to fail in this test */
7785 if (!TEST_false(ret == 0)) {
7786 info_cb_failed = 1;
7787 return;
7788 }
7789
7790 /*
7791 * Do some sanity checks. We never expect these things to happen in this
7792 * test
7793 */
7794 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
7795 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
7796 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
7797 info_cb_failed = 1;
7798 return;
7799 }
7800
7801 /* Now check we're in the right state */
7802 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
7803 info_cb_failed = 1;
7804 return;
7805 }
7806 if ((where & SSL_CB_LOOP) != 0
7807 && !TEST_int_eq(strcmp(SSL_state_string(s),
7808 state[info_cb_this_state].statestr), 0)) {
7809 info_cb_failed = 1;
7810 return;
7811 }
7812
7813 /*
7814 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7815 */
7816 if ((where & SSL_CB_HANDSHAKE_DONE)
7817 && SSL_in_init((SSL *)s) != 0) {
7818 info_cb_failed = 1;
7819 return;
7820 }
7821}
7822
7823/*
7824 * Test the info callback gets called when we expect it to.
7825 *
7826 * Test 0: TLSv1.2, server
7827 * Test 1: TLSv1.2, client
7828 * Test 2: TLSv1.3, server
7829 * Test 3: TLSv1.3, client
7830 * Test 4: TLSv1.3, server, early_data
7831 * Test 5: TLSv1.3, client, early_data
7832 * Test 6: TLSv1.3, server, compressed certificate
7833 * Test 7: TLSv1.3, client, compressed certificate
7834 */
7835static int test_info_callback(int tst)
7836{
7837 SSL_CTX *cctx = NULL, *sctx = NULL;
7838 SSL *clientssl = NULL, *serverssl = NULL;
7839 SSL_SESSION *clntsess = NULL;
7840 int testresult = 0;
7841 int tlsvers;
7842
7843 if (tst < 2) {
7844/* We need either ECDHE or DHE for the TLSv1.2 test to work */
7845#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7846 || !defined(OPENSSL_NO_DH))
7847 tlsvers = TLS1_2_VERSION;
7848#else
7849 return 1;
7850#endif
7851 } else {
7852#ifndef OSSL_NO_USABLE_TLS1_3
7853 tlsvers = TLS1_3_VERSION;
7854#else
7855 return 1;
7856#endif
7857 }
7858
7859 /* Reset globals */
7860 info_cb_failed = 0;
7861 info_cb_this_state = -1;
7862 info_cb_offset = tst;
7863
7864#ifndef OSSL_NO_USABLE_TLS1_3
7865 if (tst >= 4 && tst < 6) {
7866 SSL_SESSION *sess = NULL;
7867 size_t written, readbytes;
7868 unsigned char buf[80];
7869 OSSL_TIME timer;
7870
7871 /* early_data tests */
7872 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
7873 &serverssl, &sess, 0,
7874 SHA384_DIGEST_LENGTH)))
7875 goto end;
7876
7877 /* We don't actually need this reference */
7878 SSL_SESSION_free(sess);
7879
7880 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
7881 sslapi_info_callback);
7882
7883 /* Write and read some early data and then complete the connection */
7884 timer = ossl_time_now();
7885 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
7886 &written))
7887 || !TEST_size_t_eq(written, strlen(MSG1)))
7888 goto end;
7889
7890 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf,
7891 sizeof(buf), &readbytes),
7892 SSL_READ_EARLY_DATA_SUCCESS)) {
7893 testresult = check_early_data_timeout(timer);
7894 goto end;
7895 }
7896
7897 if (!TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
7898 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
7899 SSL_EARLY_DATA_ACCEPTED)
7900 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7901 SSL_ERROR_NONE))
7902 || !TEST_false(info_cb_failed))
7903 goto end;
7904
7905 testresult = 1;
7906 goto end;
7907 }
7908#endif
7909
7910 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7911 TLS_client_method(),
7912 tlsvers, tlsvers, &sctx, &cctx, cert,
7913 privkey)))
7914 goto end;
7915
7916 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
7917 goto end;
7918
7919 /*
7920 * For even numbered tests we check the server callbacks. For odd numbers we
7921 * check the client.
7922 */
7923 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
7924 sslapi_info_callback);
7925 if (tst >= 6) {
7926 if (!SSL_CTX_compress_certs(sctx, 0))
7927 goto end;
7928 }
7929
7930 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7931 &clientssl, NULL, NULL))
7932 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7933 SSL_ERROR_NONE))
7934 || !TEST_false(info_cb_failed))
7935 goto end;
7936
7937
7938
7939 clntsess = SSL_get1_session(clientssl);
7940 SSL_shutdown(clientssl);
7941 SSL_shutdown(serverssl);
7942 SSL_free(serverssl);
7943 SSL_free(clientssl);
7944 serverssl = clientssl = NULL;
7945
7946 /* Now do a resumption */
7947 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7948 NULL))
7949 || !TEST_true(SSL_set_session(clientssl, clntsess))
7950 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7951 SSL_ERROR_NONE))
7952 || !TEST_true(SSL_session_reused(clientssl))
7953 || !TEST_false(info_cb_failed))
7954 goto end;
7955
7956 testresult = 1;
7957
7958 end:
7959 SSL_free(serverssl);
7960 SSL_free(clientssl);
7961 SSL_SESSION_free(clntsess);
7962 SSL_CTX_free(sctx);
7963 SSL_CTX_free(cctx);
7964 return testresult;
7965}
7966
7967static int test_ssl_pending(int tst)
7968{
7969 SSL_CTX *cctx = NULL, *sctx = NULL;
7970 SSL *clientssl = NULL, *serverssl = NULL;
7971 int testresult = 0;
7972 char msg[] = "A test message";
7973 char buf[5];
7974 size_t written, readbytes;
7975
7976 if (tst == 0) {
7977 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7978 TLS_client_method(),
7979 TLS1_VERSION, 0,
7980 &sctx, &cctx, cert, privkey)))
7981 goto end;
7982 } else {
7983#ifndef OPENSSL_NO_DTLS
7984 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
7985 DTLS_client_method(),
7986 DTLS1_VERSION, 0,
7987 &sctx, &cctx, cert, privkey)))
7988 goto end;
7989
7990# ifdef OPENSSL_NO_DTLS1_2
7991 /* Not supported in the FIPS provider */
7992 if (is_fips) {
7993 testresult = 1;
7994 goto end;
7995 };
7996 /*
7997 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7998 * level 0
7999 */
8000 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
8001 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
8002 "DEFAULT:@SECLEVEL=0")))
8003 goto end;
8004# endif
8005#else
8006 return 1;
8007#endif
8008 }
8009
8010 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8011 NULL, NULL))
8012 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8013 SSL_ERROR_NONE)))
8014 goto end;
8015
8016 if (!TEST_int_eq(SSL_pending(clientssl), 0)
8017 || !TEST_false(SSL_has_pending(clientssl))
8018 || !TEST_int_eq(SSL_pending(serverssl), 0)
8019 || !TEST_false(SSL_has_pending(serverssl))
8020 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8021 || !TEST_size_t_eq(written, sizeof(msg))
8022 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
8023 || !TEST_size_t_eq(readbytes, sizeof(buf))
8024 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
8025 || !TEST_true(SSL_has_pending(clientssl)))
8026 goto end;
8027
8028 testresult = 1;
8029
8030 end:
8031 SSL_free(serverssl);
8032 SSL_free(clientssl);
8033 SSL_CTX_free(sctx);
8034 SSL_CTX_free(cctx);
8035
8036 return testresult;
8037}
8038
8039static struct {
8040 unsigned int maxprot;
8041 const char *clntciphers;
8042 const char *clnttls13ciphers;
8043 const char *srvrciphers;
8044 const char *srvrtls13ciphers;
8045 const char *shared;
8046 const char *fipsshared;
8047} shared_ciphers_data[] = {
8048/*
8049 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
8050 * TLSv1.3 is enabled but TLSv1.2 is disabled.
8051 */
8052#if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
8053 {
8054 TLS1_2_VERSION,
8055 "AES128-SHA:AES256-SHA",
8056 NULL,
8057 "AES256-SHA:DHE-RSA-AES128-SHA",
8058 NULL,
8059 "AES256-SHA",
8060 "AES256-SHA"
8061 },
8062# if !defined(OPENSSL_NO_CHACHA) \
8063 && !defined(OPENSSL_NO_POLY1305) \
8064 && !defined(OPENSSL_NO_EC)
8065 {
8066 TLS1_2_VERSION,
8067 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
8068 NULL,
8069 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
8070 NULL,
8071 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
8072 "AES128-SHA"
8073 },
8074# endif
8075 {
8076 TLS1_2_VERSION,
8077 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
8078 NULL,
8079 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
8080 NULL,
8081 "AES128-SHA:AES256-SHA",
8082 "AES128-SHA:AES256-SHA"
8083 },
8084 {
8085 TLS1_2_VERSION,
8086 "AES128-SHA:AES256-SHA",
8087 NULL,
8088 "AES128-SHA:DHE-RSA-AES128-SHA",
8089 NULL,
8090 "AES128-SHA",
8091 "AES128-SHA"
8092 },
8093#endif
8094/*
8095 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
8096 * enabled.
8097 */
8098#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
8099 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
8100 {
8101 TLS1_3_VERSION,
8102 "AES128-SHA:AES256-SHA",
8103 NULL,
8104 "AES256-SHA:AES128-SHA256",
8105 NULL,
8106 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
8107 "TLS_AES_128_GCM_SHA256:AES256-SHA",
8108 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
8109 },
8110#endif
8111#ifndef OSSL_NO_USABLE_TLS1_3
8112 {
8113 TLS1_3_VERSION,
8114 "AES128-SHA",
8115 "TLS_AES_256_GCM_SHA384",
8116 "AES256-SHA",
8117 "TLS_AES_256_GCM_SHA384",
8118 "TLS_AES_256_GCM_SHA384",
8119 "TLS_AES_256_GCM_SHA384"
8120 },
8121#endif
8122};
8123
8124static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
8125{
8126 SSL_CTX *cctx = NULL, *sctx = NULL;
8127 SSL *clientssl = NULL, *serverssl = NULL;
8128 int testresult = 0;
8129 char buf[1024];
8130 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
8131
8132 if (!TEST_ptr(tmplibctx))
8133 goto end;
8134
8135 /*
8136 * Regardless of whether we're testing with the FIPS provider loaded into
8137 * libctx, we want one peer to always use the full set of ciphersuites
8138 * available. Therefore we use a separate libctx with the default provider
8139 * loaded into it. We run the same tests twice - once with the client side
8140 * having the full set of ciphersuites and once with the server side.
8141 */
8142 if (clnt) {
8143 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
8144 if (!TEST_ptr(cctx))
8145 goto end;
8146 } else {
8147 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
8148 if (!TEST_ptr(sctx))
8149 goto end;
8150 }
8151
8152 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8153 TLS_client_method(),
8154 TLS1_VERSION,
8155 shared_ciphers_data[tst].maxprot,
8156 &sctx, &cctx, cert, privkey)))
8157 goto end;
8158
8159 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8160 shared_ciphers_data[tst].clntciphers))
8161 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
8162 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
8163 shared_ciphers_data[tst].clnttls13ciphers)))
8164 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
8165 shared_ciphers_data[tst].srvrciphers))
8166 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
8167 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
8168 shared_ciphers_data[tst].srvrtls13ciphers))))
8169 goto end;
8170
8171
8172 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8173 NULL, NULL))
8174 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8175 SSL_ERROR_NONE)))
8176 goto end;
8177
8178 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
8179 || !TEST_int_eq(strcmp(buf,
8180 is_fips
8181 ? shared_ciphers_data[tst].fipsshared
8182 : shared_ciphers_data[tst].shared),
8183 0)) {
8184 TEST_info("Shared ciphers are: %s\n", buf);
8185 goto end;
8186 }
8187
8188 testresult = 1;
8189
8190 end:
8191 SSL_free(serverssl);
8192 SSL_free(clientssl);
8193 SSL_CTX_free(sctx);
8194 SSL_CTX_free(cctx);
8195 OSSL_LIB_CTX_free(tmplibctx);
8196
8197 return testresult;
8198}
8199
8200static int test_ssl_get_shared_ciphers(int tst)
8201{
8202 return int_test_ssl_get_shared_ciphers(tst, 0)
8203 && int_test_ssl_get_shared_ciphers(tst, 1);
8204}
8205
8206
8207static const char *appdata = "Hello World";
8208static int gen_tick_called, dec_tick_called, tick_key_cb_called;
8209static int tick_key_renew = 0;
8210static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
8211
8212static int gen_tick_cb(SSL *s, void *arg)
8213{
8214 gen_tick_called = 1;
8215
8216 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
8217 strlen(appdata));
8218}
8219
8220static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
8221 const unsigned char *keyname,
8222 size_t keyname_length,
8223 SSL_TICKET_STATUS status,
8224 void *arg)
8225{
8226 void *tickdata;
8227 size_t tickdlen;
8228
8229 dec_tick_called = 1;
8230
8231 if (status == SSL_TICKET_EMPTY)
8232 return SSL_TICKET_RETURN_IGNORE_RENEW;
8233
8234 if (!TEST_true(status == SSL_TICKET_SUCCESS
8235 || status == SSL_TICKET_SUCCESS_RENEW))
8236 return SSL_TICKET_RETURN_ABORT;
8237
8238 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
8239 &tickdlen))
8240 || !TEST_size_t_eq(tickdlen, strlen(appdata))
8241 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
8242 return SSL_TICKET_RETURN_ABORT;
8243
8244 if (tick_key_cb_called) {
8245 /* Don't change what the ticket key callback wanted to do */
8246 switch (status) {
8247 case SSL_TICKET_NO_DECRYPT:
8248 return SSL_TICKET_RETURN_IGNORE_RENEW;
8249
8250 case SSL_TICKET_SUCCESS:
8251 return SSL_TICKET_RETURN_USE;
8252
8253 case SSL_TICKET_SUCCESS_RENEW:
8254 return SSL_TICKET_RETURN_USE_RENEW;
8255
8256 default:
8257 return SSL_TICKET_RETURN_ABORT;
8258 }
8259 }
8260 return tick_dec_ret;
8261
8262}
8263
8264#ifndef OPENSSL_NO_DEPRECATED_3_0
8265static int tick_key_cb(SSL *s, unsigned char key_name[16],
8266 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
8267 HMAC_CTX *hctx, int enc)
8268{
8269 const unsigned char tick_aes_key[16] = "0123456789abcdef";
8270 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
8271 EVP_CIPHER *aes128cbc;
8272 EVP_MD *sha256;
8273 int ret;
8274
8275 tick_key_cb_called = 1;
8276
8277 if (tick_key_renew == -1)
8278 return 0;
8279
8280 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
8281 if (!TEST_ptr(aes128cbc))
8282 return 0;
8283 sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
8284 if (!TEST_ptr(sha256)) {
8285 EVP_CIPHER_free(aes128cbc);
8286 return 0;
8287 }
8288
8289 memset(iv, 0, AES_BLOCK_SIZE);
8290 memset(key_name, 0, 16);
8291 if (aes128cbc == NULL
8292 || sha256 == NULL
8293 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
8294 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
8295 NULL))
8296 ret = -1;
8297 else
8298 ret = tick_key_renew ? 2 : 1;
8299
8300 EVP_CIPHER_free(aes128cbc);
8301 EVP_MD_free(sha256);
8302
8303 return ret;
8304}
8305#endif
8306
8307static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
8308 unsigned char iv[EVP_MAX_IV_LENGTH],
8309 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
8310{
8311 const unsigned char tick_aes_key[16] = "0123456789abcdef";
8312 unsigned char tick_hmac_key[16] = "0123456789abcdef";
8313 OSSL_PARAM params[2];
8314 EVP_CIPHER *aes128cbc;
8315 int ret;
8316
8317 tick_key_cb_called = 1;
8318
8319 if (tick_key_renew == -1)
8320 return 0;
8321
8322 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
8323 if (!TEST_ptr(aes128cbc))
8324 return 0;
8325
8326 memset(iv, 0, AES_BLOCK_SIZE);
8327 memset(key_name, 0, 16);
8328 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
8329 "SHA256", 0);
8330 params[1] = OSSL_PARAM_construct_end();
8331 if (aes128cbc == NULL
8332 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
8333 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
8334 params))
8335 ret = -1;
8336 else
8337 ret = tick_key_renew ? 2 : 1;
8338
8339 EVP_CIPHER_free(aes128cbc);
8340
8341 return ret;
8342}
8343
8344/*
8345 * Test the various ticket callbacks
8346 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
8347 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
8348 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
8349 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
8350 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
8351 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
8352 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
8353 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
8354 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
8355 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
8356 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
8357 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
8358 * Test 12: TLSv1.2, old ticket key callback, no ticket
8359 * Test 13: TLSv1.3, old ticket key callback, no ticket
8360 * Test 14: TLSv1.2, ticket key callback, ticket, no renewal
8361 * Test 15: TLSv1.3, ticket key callback, ticket, no renewal
8362 * Test 16: TLSv1.2, ticket key callback, ticket, renewal
8363 * Test 17: TLSv1.3, ticket key callback, ticket, renewal
8364 * Test 18: TLSv1.2, ticket key callback, no ticket
8365 * Test 19: TLSv1.3, ticket key callback, no ticket
8366 */
8367static int test_ticket_callbacks(int tst)
8368{
8369 SSL_CTX *cctx = NULL, *sctx = NULL;
8370 SSL *clientssl = NULL, *serverssl = NULL;
8371 SSL_SESSION *clntsess = NULL;
8372 int testresult = 0;
8373
8374#ifdef OPENSSL_NO_TLS1_2
8375 if (tst % 2 == 0)
8376 return 1;
8377#endif
8378#ifdef OSSL_NO_USABLE_TLS1_3
8379 if (tst % 2 == 1)
8380 return 1;
8381#endif
8382#ifdef OPENSSL_NO_DEPRECATED_3_0
8383 if (tst >= 8 && tst <= 13)
8384 return 1;
8385#endif
8386
8387 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
8388
8389 /* Which tests the ticket key callback should request renewal for */
8390
8391 if (tst == 10 || tst == 11 || tst == 16 || tst == 17)
8392 tick_key_renew = 1;
8393 else if (tst == 12 || tst == 13 || tst == 18 || tst == 19)
8394 tick_key_renew = -1; /* abort sending the ticket/0-length ticket */
8395 else
8396 tick_key_renew = 0;
8397
8398 /* Which tests the decrypt ticket callback should request renewal for */
8399 switch (tst) {
8400 case 0:
8401 case 1:
8402 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
8403 break;
8404
8405 case 2:
8406 case 3:
8407 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
8408 break;
8409
8410 case 4:
8411 case 5:
8412 tick_dec_ret = SSL_TICKET_RETURN_USE;
8413 break;
8414
8415 case 6:
8416 case 7:
8417 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
8418 break;
8419
8420 default:
8421 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
8422 }
8423
8424 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8425 TLS_client_method(),
8426 TLS1_VERSION,
8427 ((tst % 2) == 0) ? TLS1_2_VERSION
8428 : TLS1_3_VERSION,
8429 &sctx, &cctx, cert, privkey)))
8430 goto end;
8431
8432 /*
8433 * We only want sessions to resume from tickets - not the session cache. So
8434 * switch the cache off.
8435 */
8436 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
8437 goto end;
8438
8439 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
8440 NULL)))
8441 goto end;
8442
8443 if (tst >= 14) {
8444 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
8445 goto end;
8446#ifndef OPENSSL_NO_DEPRECATED_3_0
8447 } else if (tst >= 8) {
8448 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
8449 goto end;
8450#endif
8451 }
8452
8453 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8454 NULL, NULL))
8455 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8456 SSL_ERROR_NONE)))
8457 goto end;
8458
8459 /*
8460 * The decrypt ticket key callback in TLSv1.2 should be called even though
8461 * we have no ticket yet, because it gets called with a status of
8462 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
8463 * actually send any ticket data). This does not happen in TLSv1.3 because
8464 * it is not valid to send empty ticket data in TLSv1.3.
8465 */
8466 if (!TEST_int_eq(gen_tick_called, 1)
8467 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
8468 goto end;
8469
8470 gen_tick_called = dec_tick_called = 0;
8471
8472 clntsess = SSL_get1_session(clientssl);
8473 SSL_shutdown(clientssl);
8474 SSL_shutdown(serverssl);
8475 SSL_free(serverssl);
8476 SSL_free(clientssl);
8477 serverssl = clientssl = NULL;
8478
8479 /* Now do a resumption */
8480 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8481 NULL))
8482 || !TEST_true(SSL_set_session(clientssl, clntsess))
8483 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8484 SSL_ERROR_NONE)))
8485 goto end;
8486
8487 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
8488 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8489 || tick_key_renew == -1) {
8490 if (!TEST_false(SSL_session_reused(clientssl)))
8491 goto end;
8492 } else {
8493 if (!TEST_true(SSL_session_reused(clientssl)))
8494 goto end;
8495 }
8496
8497 if (!TEST_int_eq(gen_tick_called,
8498 (tick_key_renew
8499 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8500 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
8501 ? 1 : 0)
8502 /* There is no ticket to decrypt in tests 13 and 19 */
8503 || !TEST_int_eq(dec_tick_called, (tst == 13 || tst == 19) ? 0 : 1))
8504 goto end;
8505
8506 testresult = 1;
8507
8508 end:
8509 SSL_SESSION_free(clntsess);
8510 SSL_free(serverssl);
8511 SSL_free(clientssl);
8512 SSL_CTX_free(sctx);
8513 SSL_CTX_free(cctx);
8514
8515 return testresult;
8516}
8517
8518/*
8519 * Test incorrect shutdown.
8520 * Test 0: client does not shutdown properly,
8521 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
8522 * server should get SSL_ERROR_SSL
8523 * Test 1: client does not shutdown properly,
8524 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
8525 * server should get SSL_ERROR_ZERO_RETURN
8526 */
8527static int test_incorrect_shutdown(int tst)
8528{
8529 SSL_CTX *cctx = NULL, *sctx = NULL;
8530 SSL *clientssl = NULL, *serverssl = NULL;
8531 int testresult = 0;
8532 char buf[80];
8533 BIO *c2s;
8534
8535 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8536 TLS_client_method(), 0, 0,
8537 &sctx, &cctx, cert, privkey)))
8538 goto end;
8539
8540 if (tst == 1)
8541 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
8542
8543 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8544 NULL, NULL)))
8545 goto end;
8546
8547 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8548 SSL_ERROR_NONE)))
8549 goto end;
8550
8551 c2s = SSL_get_rbio(serverssl);
8552 BIO_set_mem_eof_return(c2s, 0);
8553
8554 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
8555 goto end;
8556
8557 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
8558 goto end;
8559 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
8560 goto end;
8561
8562 testresult = 1;
8563
8564 end:
8565 SSL_free(serverssl);
8566 SSL_free(clientssl);
8567 SSL_CTX_free(sctx);
8568 SSL_CTX_free(cctx);
8569
8570 return testresult;
8571}
8572
8573/*
8574 * Test bi-directional shutdown.
8575 * Test 0: TLSv1.2
8576 * Test 1: TLSv1.2, server continues to read/write after client shutdown
8577 * Test 2: TLSv1.3, no pending NewSessionTicket messages
8578 * Test 3: TLSv1.3, pending NewSessionTicket messages
8579 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
8580 * sends key update, client reads it
8581 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
8582 * sends CertificateRequest, client reads and ignores it
8583 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
8584 * doesn't read it
8585 */
8586static int test_shutdown(int tst)
8587{
8588 SSL_CTX *cctx = NULL, *sctx = NULL;
8589 SSL *clientssl = NULL, *serverssl = NULL;
8590 int testresult = 0;
8591 char msg[] = "A test message";
8592 char buf[80];
8593 size_t written, readbytes;
8594 SSL_SESSION *sess;
8595
8596#ifdef OPENSSL_NO_TLS1_2
8597 if (tst <= 1)
8598 return 1;
8599#endif
8600#ifdef OSSL_NO_USABLE_TLS1_3
8601 if (tst >= 2)
8602 return 1;
8603#endif
8604
8605 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8606 TLS_client_method(),
8607 TLS1_VERSION,
8608 (tst <= 1) ? TLS1_2_VERSION
8609 : TLS1_3_VERSION,
8610 &sctx, &cctx, cert, privkey)))
8611 goto end;
8612
8613 if (tst == 5)
8614 SSL_CTX_set_post_handshake_auth(cctx, 1);
8615
8616 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8617 NULL, NULL)))
8618 goto end;
8619
8620 if (tst == 3) {
8621 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
8622 SSL_ERROR_NONE, 1, 0))
8623 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8624 || !TEST_false(SSL_SESSION_is_resumable(sess)))
8625 goto end;
8626 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8627 SSL_ERROR_NONE))
8628 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8629 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
8630 goto end;
8631 }
8632
8633 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8634 goto end;
8635
8636 if (tst >= 4) {
8637 /*
8638 * Reading on the server after the client has sent close_notify should
8639 * fail and provide SSL_ERROR_ZERO_RETURN
8640 */
8641 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
8642 || !TEST_int_eq(SSL_get_error(serverssl, 0),
8643 SSL_ERROR_ZERO_RETURN)
8644 || !TEST_int_eq(SSL_get_shutdown(serverssl),
8645 SSL_RECEIVED_SHUTDOWN)
8646 /*
8647 * Even though we're shutdown on receive we should still be
8648 * able to write.
8649 */
8650 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8651 goto end;
8652 if (tst == 4
8653 && !TEST_true(SSL_key_update(serverssl,
8654 SSL_KEY_UPDATE_REQUESTED)))
8655 goto end;
8656 if (tst == 5) {
8657 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
8658 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
8659 goto end;
8660 }
8661 if ((tst == 4 || tst == 5)
8662 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8663 goto end;
8664 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8665 goto end;
8666 if (tst == 4 || tst == 5) {
8667 /* Should still be able to read data from server */
8668 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8669 &readbytes))
8670 || !TEST_size_t_eq(readbytes, sizeof(msg))
8671 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
8672 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8673 &readbytes))
8674 || !TEST_size_t_eq(readbytes, sizeof(msg))
8675 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
8676 goto end;
8677 }
8678 }
8679
8680 /* Writing on the client after sending close_notify shouldn't be possible */
8681 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
8682 goto end;
8683
8684 if (tst < 4) {
8685 /*
8686 * For these tests the client has sent close_notify but it has not yet
8687 * been received by the server. The server has not sent close_notify
8688 * yet.
8689 */
8690 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
8691 /*
8692 * Writing on the server after sending close_notify shouldn't
8693 * be possible.
8694 */
8695 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8696 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
8697 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8698 || !TEST_true(SSL_SESSION_is_resumable(sess))
8699 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
8700 goto end;
8701 } else if (tst == 4 || tst == 5) {
8702 /*
8703 * In this test the client has sent close_notify and it has been
8704 * received by the server which has responded with a close_notify. The
8705 * client needs to read the close_notify sent by the server.
8706 */
8707 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
8708 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8709 || !TEST_true(SSL_SESSION_is_resumable(sess)))
8710 goto end;
8711 } else {
8712 /*
8713 * tst == 6
8714 *
8715 * The client has sent close_notify and is expecting a close_notify
8716 * back, but instead there is application data first. The shutdown
8717 * should fail with a fatal error.
8718 */
8719 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
8720 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
8721 goto end;
8722 }
8723
8724 testresult = 1;
8725
8726 end:
8727 SSL_free(serverssl);
8728 SSL_free(clientssl);
8729 SSL_CTX_free(sctx);
8730 SSL_CTX_free(cctx);
8731
8732 return testresult;
8733}
8734
8735/*
8736 * Test that sending close_notify alerts works correctly in the case of a
8737 * retryable write failure.
8738 */
8739static int test_async_shutdown(void)
8740{
8741 SSL_CTX *cctx = NULL, *sctx = NULL;
8742 SSL *clientssl = NULL, *serverssl = NULL;
8743 int testresult = 0;
8744 BIO *bretry = BIO_new(bio_s_always_retry()), *tmp = NULL;
8745
8746 if (!TEST_ptr(bretry))
8747 goto end;
8748
8749 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8750 TLS_client_method(),
8751 0, 0,
8752 &sctx, &cctx, cert, privkey)))
8753 goto end;
8754
8755 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8756 NULL)))
8757 goto end;
8758
8759 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8760 goto end;
8761
8762 /* Close write side of clientssl */
8763 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8764 goto end;
8765
8766 tmp = SSL_get_wbio(serverssl);
8767 if (!TEST_true(BIO_up_ref(tmp))) {
8768 tmp = NULL;
8769 goto end;
8770 }
8771 SSL_set0_wbio(serverssl, bretry);
8772 bretry = NULL;
8773
8774 /* First server shutdown should fail because of a retrable write failure */
8775 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8776 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8777 goto end;
8778
8779 /* Second server shutdown should fail for the same reason */
8780 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8781 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8782 goto end;
8783
8784 SSL_set0_wbio(serverssl, tmp);
8785 tmp = NULL;
8786
8787 /* Third server shutdown should send close_notify */
8788 if (!TEST_int_eq(SSL_shutdown(serverssl), 0))
8789 goto end;
8790
8791 /* Fourth server shutdown should read close_notify from client and finish */
8792 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8793 goto end;
8794
8795 /* Client should also successfully fully shutdown */
8796 if (!TEST_int_eq(SSL_shutdown(clientssl), 1))
8797 goto end;
8798
8799 testresult = 1;
8800 end:
8801 SSL_free(serverssl);
8802 SSL_free(clientssl);
8803 SSL_CTX_free(sctx);
8804 SSL_CTX_free(cctx);
8805 BIO_free(bretry);
8806 BIO_free(tmp);
8807
8808 return testresult;
8809}
8810
8811#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8812static int cert_cb_cnt;
8813
8814static int cert_cb(SSL *s, void *arg)
8815{
8816 SSL_CTX *ctx = (SSL_CTX *)arg;
8817 BIO *in = NULL;
8818 EVP_PKEY *pkey = NULL;
8819 X509 *x509 = NULL, *rootx = NULL;
8820 STACK_OF(X509) *chain = NULL;
8821 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
8822 int ret = 0;
8823
8824 if (cert_cb_cnt == 0) {
8825 /* Suspend the handshake */
8826 cert_cb_cnt++;
8827 return -1;
8828 } else if (cert_cb_cnt == 1) {
8829 /*
8830 * Update the SSL_CTX, set the certificate and private key and then
8831 * continue the handshake normally.
8832 */
8833 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
8834 return 0;
8835
8836 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
8837 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
8838 SSL_FILETYPE_PEM))
8839 || !TEST_true(SSL_check_private_key(s)))
8840 return 0;
8841 cert_cb_cnt++;
8842 return 1;
8843 } else if (cert_cb_cnt == 3) {
8844 int rv;
8845
8846 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
8847 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8848 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8849 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
8850 goto out;
8851 chain = sk_X509_new_null();
8852 if (!TEST_ptr(chain))
8853 goto out;
8854 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8855 || !TEST_int_gt(BIO_read_filename(in, rootfile), 0)
8856 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
8857 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
8858 || !TEST_true(sk_X509_push(chain, rootx)))
8859 goto out;
8860 rootx = NULL;
8861 BIO_free(in);
8862 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8863 || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0)
8864 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
8865 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
8866 goto out;
8867 BIO_free(in);
8868 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8869 || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0)
8870 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
8871 NULL, NULL,
8872 libctx, NULL)))
8873 goto out;
8874 rv = SSL_check_chain(s, x509, pkey, chain);
8875 /*
8876 * If the cert doesn't show as valid here (e.g., because we don't
8877 * have any shared sigalgs), then we will not set it, and there will
8878 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8879 * will cause tls_choose_sigalgs() to fail the connection.
8880 */
8881 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
8882 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
8883 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
8884 goto out;
8885 }
8886
8887 ret = 1;
8888 }
8889
8890 /* Abort the handshake */
8891 out:
8892 OPENSSL_free(ecdsacert);
8893 OPENSSL_free(ecdsakey);
8894 OPENSSL_free(rootfile);
8895 BIO_free(in);
8896 EVP_PKEY_free(pkey);
8897 X509_free(x509);
8898 X509_free(rootx);
8899 OSSL_STACK_OF_X509_free(chain);
8900 return ret;
8901}
8902
8903/*
8904 * Test the certificate callback.
8905 * Test 0: Callback fails
8906 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8907 * Test 2: Success - SSL_set_SSL_CTX() in the callback
8908 * Test 3: Success - Call SSL_check_chain from the callback
8909 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8910 * chain
8911 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
8912 */
8913static int test_cert_cb_int(int prot, int tst)
8914{
8915 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
8916 SSL *clientssl = NULL, *serverssl = NULL;
8917 int testresult = 0, ret;
8918
8919#ifdef OPENSSL_NO_EC
8920 /* We use an EC cert in these tests, so we skip in a no-ec build */
8921 if (tst >= 3)
8922 return 1;
8923#endif
8924
8925 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8926 TLS_client_method(),
8927 TLS1_VERSION,
8928 prot,
8929 &sctx, &cctx, NULL, NULL)))
8930 goto end;
8931
8932 if (tst == 0)
8933 cert_cb_cnt = -1;
8934 else if (tst >= 3)
8935 cert_cb_cnt = 3;
8936 else
8937 cert_cb_cnt = 0;
8938
8939 if (tst == 2) {
8940 snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
8941 if (!TEST_ptr(snictx))
8942 goto end;
8943 }
8944
8945 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
8946
8947 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8948 NULL, NULL)))
8949 goto end;
8950
8951 if (tst == 4) {
8952 /*
8953 * We cause SSL_check_chain() to fail by specifying sig_algs that
8954 * the chain doesn't meet (the root uses an RSA cert)
8955 */
8956 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8957 "ecdsa_secp256r1_sha256")))
8958 goto end;
8959 } else if (tst == 5) {
8960 /*
8961 * We cause SSL_check_chain() to fail by specifying sig_algs that
8962 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8963 */
8964 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8965 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8966 goto end;
8967 }
8968
8969 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
8970 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
8971 || (tst > 0
8972 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
8973 goto end;
8974 }
8975
8976 testresult = 1;
8977
8978 end:
8979 SSL_free(serverssl);
8980 SSL_free(clientssl);
8981 SSL_CTX_free(sctx);
8982 SSL_CTX_free(cctx);
8983 SSL_CTX_free(snictx);
8984
8985 return testresult;
8986}
8987#endif
8988
8989static int test_cert_cb(int tst)
8990{
8991 int testresult = 1;
8992
8993#ifndef OPENSSL_NO_TLS1_2
8994 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
8995#endif
8996#ifndef OSSL_NO_USABLE_TLS1_3
8997 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
8998#endif
8999
9000 return testresult;
9001}
9002
9003static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
9004{
9005 X509 *xcert;
9006 EVP_PKEY *privpkey;
9007 BIO *in = NULL;
9008 BIO *priv_in = NULL;
9009
9010 /* Check that SSL_get0_peer_certificate() returns something sensible */
9011 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
9012 return 0;
9013
9014 in = BIO_new_file(cert, "r");
9015 if (!TEST_ptr(in))
9016 return 0;
9017
9018 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
9019 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
9020 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
9021 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
9022 NULL, NULL,
9023 libctx, NULL)))
9024 goto err;
9025
9026 *x509 = xcert;
9027 *pkey = privpkey;
9028
9029 BIO_free(in);
9030 BIO_free(priv_in);
9031 return 1;
9032err:
9033 X509_free(xcert);
9034 BIO_free(in);
9035 BIO_free(priv_in);
9036 return 0;
9037}
9038
9039static int test_client_cert_cb(int tst)
9040{
9041 SSL_CTX *cctx = NULL, *sctx = NULL;
9042 SSL *clientssl = NULL, *serverssl = NULL;
9043 int testresult = 0;
9044
9045#ifdef OPENSSL_NO_TLS1_2
9046 if (tst == 0)
9047 return 1;
9048#endif
9049#ifdef OSSL_NO_USABLE_TLS1_3
9050 if (tst == 1)
9051 return 1;
9052#endif
9053
9054 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9055 TLS_client_method(),
9056 TLS1_VERSION,
9057 tst == 0 ? TLS1_2_VERSION
9058 : TLS1_3_VERSION,
9059 &sctx, &cctx, cert, privkey)))
9060 goto end;
9061
9062 /*
9063 * Test that setting a client_cert_cb results in a client certificate being
9064 * sent.
9065 */
9066 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
9067 SSL_CTX_set_verify(sctx,
9068 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
9069 verify_cb);
9070
9071 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9072 NULL, NULL))
9073 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9074 SSL_ERROR_NONE)))
9075 goto end;
9076
9077 testresult = 1;
9078
9079 end:
9080 SSL_free(serverssl);
9081 SSL_free(clientssl);
9082 SSL_CTX_free(sctx);
9083 SSL_CTX_free(cctx);
9084
9085 return testresult;
9086}
9087
9088#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
9089/*
9090 * Test setting certificate authorities on both client and server.
9091 *
9092 * Test 0: SSL_CTX_set0_CA_list() only
9093 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
9094 * Test 2: Only SSL_CTX_set_client_CA_list()
9095 */
9096static int test_ca_names_int(int prot, int tst)
9097{
9098 SSL_CTX *cctx = NULL, *sctx = NULL;
9099 SSL *clientssl = NULL, *serverssl = NULL;
9100 int testresult = 0;
9101 size_t i;
9102 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
9103 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
9104 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
9105 const STACK_OF(X509_NAME) *sktmp = NULL;
9106
9107 for (i = 0; i < OSSL_NELEM(name); i++) {
9108 name[i] = X509_NAME_new();
9109 if (!TEST_ptr(name[i])
9110 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
9111 MBSTRING_ASC,
9112 (unsigned char *)
9113 strnames[i],
9114 -1, -1, 0)))
9115 goto end;
9116 }
9117
9118 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9119 TLS_client_method(),
9120 TLS1_VERSION,
9121 prot,
9122 &sctx, &cctx, cert, privkey)))
9123 goto end;
9124
9125 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
9126
9127 if (tst == 0 || tst == 1) {
9128 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
9129 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
9130 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
9131 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
9132 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
9133 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
9134 goto end;
9135
9136 SSL_CTX_set0_CA_list(sctx, sk1);
9137 SSL_CTX_set0_CA_list(cctx, sk2);
9138 sk1 = sk2 = NULL;
9139 }
9140 if (tst == 1 || tst == 2) {
9141 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
9142 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
9143 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
9144 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
9145 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
9146 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
9147 goto end;
9148
9149 SSL_CTX_set_client_CA_list(sctx, sk1);
9150 SSL_CTX_set_client_CA_list(cctx, sk2);
9151 sk1 = sk2 = NULL;
9152 }
9153
9154 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9155 NULL, NULL))
9156 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9157 SSL_ERROR_NONE)))
9158 goto end;
9159
9160 /*
9161 * We only expect certificate authorities to have been sent to the server
9162 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
9163 */
9164 sktmp = SSL_get0_peer_CA_list(serverssl);
9165 if (prot == TLS1_3_VERSION
9166 && (tst == 0 || tst == 1)) {
9167 if (!TEST_ptr(sktmp)
9168 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
9169 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
9170 name[0]), 0)
9171 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
9172 name[1]), 0))
9173 goto end;
9174 } else if (!TEST_ptr_null(sktmp)) {
9175 goto end;
9176 }
9177
9178 /*
9179 * In all tests we expect certificate authorities to have been sent to the
9180 * client. However, SSL_set_client_CA_list() should override
9181 * SSL_set0_CA_list()
9182 */
9183 sktmp = SSL_get0_peer_CA_list(clientssl);
9184 if (!TEST_ptr(sktmp)
9185 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
9186 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
9187 name[tst == 0 ? 0 : 2]), 0)
9188 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
9189 name[tst == 0 ? 1 : 3]), 0))
9190 goto end;
9191
9192 testresult = 1;
9193
9194 end:
9195 SSL_free(serverssl);
9196 SSL_free(clientssl);
9197 SSL_CTX_free(sctx);
9198 SSL_CTX_free(cctx);
9199 for (i = 0; i < OSSL_NELEM(name); i++)
9200 X509_NAME_free(name[i]);
9201 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
9202 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
9203
9204 return testresult;
9205}
9206#endif
9207
9208static int test_ca_names(int tst)
9209{
9210 int testresult = 1;
9211
9212#ifndef OPENSSL_NO_TLS1_2
9213 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
9214#endif
9215#ifndef OSSL_NO_USABLE_TLS1_3
9216 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
9217#endif
9218
9219 return testresult;
9220}
9221
9222#ifndef OPENSSL_NO_TLS1_2
9223static const char *multiblock_cipherlist_data[]=
9224{
9225 "AES128-SHA",
9226 "AES128-SHA256",
9227 "AES256-SHA",
9228 "AES256-SHA256",
9229};
9230
9231/* Reduce the fragment size - so the multiblock test buffer can be small */
9232# define MULTIBLOCK_FRAGSIZE 512
9233
9234static int test_multiblock_write(int test_index)
9235{
9236 static const char *fetchable_ciphers[]=
9237 {
9238 "AES-128-CBC-HMAC-SHA1",
9239 "AES-128-CBC-HMAC-SHA256",
9240 "AES-256-CBC-HMAC-SHA1",
9241 "AES-256-CBC-HMAC-SHA256"
9242 };
9243 const char *cipherlist = multiblock_cipherlist_data[test_index];
9244 const SSL_METHOD *smeth = TLS_server_method();
9245 const SSL_METHOD *cmeth = TLS_client_method();
9246 int min_version = TLS1_VERSION;
9247 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
9248 SSL_CTX *cctx = NULL, *sctx = NULL;
9249 SSL *clientssl = NULL, *serverssl = NULL;
9250 int testresult = 0;
9251
9252 /*
9253 * Choose a buffer large enough to perform a multi-block operation
9254 * i.e: write_len >= 4 * frag_size
9255 * 9 * is chosen so that multiple multiblocks are used + some leftover.
9256 */
9257 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
9258 unsigned char buf[sizeof(msg)], *p = buf;
9259 size_t readbytes, written, len;
9260 EVP_CIPHER *ciph = NULL;
9261
9262 /*
9263 * Check if the cipher exists before attempting to use it since it only has
9264 * a hardware specific implementation.
9265 */
9266 ciph = EVP_CIPHER_fetch(libctx, fetchable_ciphers[test_index], "");
9267 if (ciph == NULL) {
9268 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
9269 return 1;
9270 }
9271 EVP_CIPHER_free(ciph);
9272
9273 /* Set up a buffer with some data that will be sent to the client */
9274 RAND_bytes(msg, sizeof(msg));
9275
9276 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
9277 max_version, &sctx, &cctx, cert,
9278 privkey)))
9279 goto end;
9280
9281 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
9282 goto end;
9283
9284 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9285 NULL, NULL)))
9286 goto end;
9287
9288 /* settings to force it to use AES-CBC-HMAC_SHA */
9289 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
9290 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
9291 goto end;
9292
9293 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9294 goto end;
9295
9296 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
9297 || !TEST_size_t_eq(written, sizeof(msg)))
9298 goto end;
9299
9300 len = written;
9301 while (len > 0) {
9302 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
9303 goto end;
9304 p += readbytes;
9305 len -= readbytes;
9306 }
9307 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
9308 goto end;
9309
9310 testresult = 1;
9311end:
9312 SSL_free(serverssl);
9313 SSL_free(clientssl);
9314 SSL_CTX_free(sctx);
9315 SSL_CTX_free(cctx);
9316
9317 return testresult;
9318}
9319#endif /* OPENSSL_NO_TLS1_2 */
9320
9321static int test_session_timeout(int test)
9322{
9323 /*
9324 * Test session ordering and timeout
9325 * Can't explicitly test performance of the new code,
9326 * but can test to see if the ordering of the sessions
9327 * are correct, and they are removed as expected
9328 */
9329 SSL_SESSION *early = NULL;
9330 SSL_SESSION *middle = NULL;
9331 SSL_SESSION *late = NULL;
9332 SSL_CTX *ctx;
9333 int testresult = 0;
9334 time_t now = time(NULL);
9335#define TIMEOUT 10
9336
9337 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
9338 || !TEST_ptr(early = SSL_SESSION_new())
9339 || !TEST_ptr(middle = SSL_SESSION_new())
9340 || !TEST_ptr(late = SSL_SESSION_new()))
9341 goto end;
9342
9343 /* assign unique session ids */
9344 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9345 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
9346 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9347 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
9348 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9349 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
9350
9351 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9352 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
9353 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
9354 goto end;
9355
9356 /* Make sure they are all added */
9357 if (!TEST_ptr(early->prev)
9358 || !TEST_ptr(middle->prev)
9359 || !TEST_ptr(late->prev))
9360 goto end;
9361
9362 if (!TEST_time_t_ne(SSL_SESSION_set_time_ex(early, now - 10), 0)
9363 || !TEST_time_t_ne(SSL_SESSION_set_time_ex(middle, now), 0)
9364 || !TEST_time_t_ne(SSL_SESSION_set_time_ex(late, now + 10), 0))
9365 goto end;
9366
9367 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
9368 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
9369 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
9370 goto end;
9371
9372 /* Make sure they are all still there */
9373 if (!TEST_ptr(early->prev)
9374 || !TEST_ptr(middle->prev)
9375 || !TEST_ptr(late->prev))
9376 goto end;
9377
9378 /* Make sure they are in the expected order */
9379 if (!TEST_ptr_eq(late->next, middle)
9380 || !TEST_ptr_eq(middle->next, early)
9381 || !TEST_ptr_eq(early->prev, middle)
9382 || !TEST_ptr_eq(middle->prev, late))
9383 goto end;
9384
9385 /* This should remove "early" */
9386 SSL_CTX_flush_sessions_ex(ctx, now + TIMEOUT - 1);
9387 if (!TEST_ptr_null(early->prev)
9388 || !TEST_ptr(middle->prev)
9389 || !TEST_ptr(late->prev))
9390 goto end;
9391
9392 /* This should remove "middle" */
9393 SSL_CTX_flush_sessions_ex(ctx, now + TIMEOUT + 1);
9394 if (!TEST_ptr_null(early->prev)
9395 || !TEST_ptr_null(middle->prev)
9396 || !TEST_ptr(late->prev))
9397 goto end;
9398
9399 /* This should remove "late" */
9400 SSL_CTX_flush_sessions_ex(ctx, now + TIMEOUT + 11);
9401 if (!TEST_ptr_null(early->prev)
9402 || !TEST_ptr_null(middle->prev)
9403 || !TEST_ptr_null(late->prev))
9404 goto end;
9405
9406 /* Add them back in again */
9407 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9408 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
9409 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
9410 goto end;
9411
9412 /* Make sure they are all added */
9413 if (!TEST_ptr(early->prev)
9414 || !TEST_ptr(middle->prev)
9415 || !TEST_ptr(late->prev))
9416 goto end;
9417
9418 /* This should remove all of them */
9419 SSL_CTX_flush_sessions_ex(ctx, 0);
9420 if (!TEST_ptr_null(early->prev)
9421 || !TEST_ptr_null(middle->prev)
9422 || !TEST_ptr_null(late->prev))
9423 goto end;
9424
9425 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
9426 | SSL_CTX_get_session_cache_mode(ctx));
9427
9428 /* make sure |now| is NOT equal to the current time */
9429 now -= 10;
9430 if (!TEST_time_t_ne(SSL_SESSION_set_time_ex(early, now), 0)
9431 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9432 || !TEST_time_t_ne(SSL_SESSION_get_time_ex(early), now))
9433 goto end;
9434
9435 testresult = 1;
9436 end:
9437 SSL_CTX_free(ctx);
9438 SSL_SESSION_free(early);
9439 SSL_SESSION_free(middle);
9440 SSL_SESSION_free(late);
9441 return testresult;
9442}
9443
9444/*
9445 * Test that a session cache overflow works as expected
9446 * Test 0: TLSv1.3, timeout on new session later than old session
9447 * Test 1: TLSv1.2, timeout on new session later than old session
9448 * Test 2: TLSv1.3, timeout on new session earlier than old session
9449 * Test 3: TLSv1.2, timeout on new session earlier than old session
9450 */
9451#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
9452static int test_session_cache_overflow(int idx)
9453{
9454 SSL_CTX *sctx = NULL, *cctx = NULL;
9455 SSL *serverssl = NULL, *clientssl = NULL;
9456 int testresult = 0;
9457 SSL_SESSION *sess = NULL;
9458
9459#ifdef OSSL_NO_USABLE_TLS1_3
9460 /* If no TLSv1.3 available then do nothing in this case */
9461 if (idx % 2 == 0)
9462 return TEST_skip("No TLSv1.3 available");
9463#endif
9464#ifdef OPENSSL_NO_TLS1_2
9465 /* If no TLSv1.2 available then do nothing in this case */
9466 if (idx % 2 == 1)
9467 return TEST_skip("No TLSv1.2 available");
9468#endif
9469
9470 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9471 TLS_client_method(), TLS1_VERSION,
9472 (idx % 2 == 0) ? TLS1_3_VERSION
9473 : TLS1_2_VERSION,
9474 &sctx, &cctx, cert, privkey))
9475 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET)))
9476 goto end;
9477
9478 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
9479 get_sess_val = NULL;
9480
9481 SSL_CTX_sess_set_cache_size(sctx, 1);
9482
9483 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9484 NULL, NULL)))
9485 goto end;
9486
9487 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9488 goto end;
9489
9490 if (idx > 1) {
9491 sess = SSL_get_session(serverssl);
9492 if (!TEST_ptr(sess))
9493 goto end;
9494
9495 /*
9496 * Cause this session to have a longer timeout than the next session to
9497 * be added.
9498 */
9499 if (!TEST_true(SSL_SESSION_set_timeout(sess, LONG_MAX))) {
9500 sess = NULL;
9501 goto end;
9502 }
9503 sess = NULL;
9504 }
9505
9506 SSL_shutdown(serverssl);
9507 SSL_shutdown(clientssl);
9508 SSL_free(serverssl);
9509 SSL_free(clientssl);
9510 serverssl = clientssl = NULL;
9511
9512 /*
9513 * Session cache size is 1 and we already populated the cache with a session
9514 * so the next connection should cause an overflow.
9515 */
9516
9517 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9518 NULL, NULL)))
9519 goto end;
9520
9521 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9522 goto end;
9523
9524 /*
9525 * The session we just negotiated may have been already removed from the
9526 * internal cache - but we will return it anyway from our external cache.
9527 */
9528 get_sess_val = SSL_get_session(serverssl);
9529 if (!TEST_ptr(get_sess_val))
9530 goto end;
9531 sess = SSL_get1_session(clientssl);
9532 if (!TEST_ptr(sess))
9533 goto end;
9534
9535 SSL_shutdown(serverssl);
9536 SSL_shutdown(clientssl);
9537 SSL_free(serverssl);
9538 SSL_free(clientssl);
9539 serverssl = clientssl = NULL;
9540
9541 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9542 NULL, NULL)))
9543 goto end;
9544
9545 if (!TEST_true(SSL_set_session(clientssl, sess)))
9546 goto end;
9547
9548 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9549 goto end;
9550
9551 testresult = 1;
9552
9553 end:
9554 SSL_free(serverssl);
9555 SSL_free(clientssl);
9556 SSL_CTX_free(sctx);
9557 SSL_CTX_free(cctx);
9558 SSL_SESSION_free(sess);
9559
9560 return testresult;
9561}
9562#endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
9563
9564/*
9565 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
9566 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
9567 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
9568 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
9569 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
9570 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
9571 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
9572 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
9573 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
9574 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
9575 */
9576static int test_servername(int tst)
9577{
9578 SSL_CTX *cctx = NULL, *sctx = NULL;
9579 SSL *clientssl = NULL, *serverssl = NULL;
9580 int testresult = 0;
9581 SSL_SESSION *sess = NULL;
9582 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
9583
9584#ifdef OPENSSL_NO_TLS1_2
9585 if (tst <= 4)
9586 return 1;
9587#endif
9588#ifdef OSSL_NO_USABLE_TLS1_3
9589 if (tst >= 5)
9590 return 1;
9591#endif
9592
9593 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9594 TLS_client_method(),
9595 TLS1_VERSION,
9596 (tst <= 4) ? TLS1_2_VERSION
9597 : TLS1_3_VERSION,
9598 &sctx, &cctx, cert, privkey))
9599 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9600 NULL, NULL)))
9601 goto end;
9602
9603 if (tst != 1 && tst != 6) {
9604 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
9605 hostname_cb)))
9606 goto end;
9607 }
9608
9609 if (tst != 3 && tst != 8) {
9610 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9611 goto end;
9612 sexpectedhost = cexpectedhost = "goodhost";
9613 }
9614
9615 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9616 goto end;
9617
9618 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
9619 cexpectedhost)
9620 || !TEST_str_eq(SSL_get_servername(serverssl,
9621 TLSEXT_NAMETYPE_host_name),
9622 sexpectedhost))
9623 goto end;
9624
9625 /* Now repeat with a resumption handshake */
9626
9627 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
9628 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
9629 || !TEST_true(SSL_SESSION_is_resumable(sess))
9630 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
9631 goto end;
9632
9633 SSL_free(clientssl);
9634 SSL_free(serverssl);
9635 clientssl = serverssl = NULL;
9636
9637 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
9638 NULL)))
9639 goto end;
9640
9641 if (!TEST_true(SSL_set_session(clientssl, sess)))
9642 goto end;
9643
9644 sexpectedhost = cexpectedhost = "goodhost";
9645 if (tst == 2 || tst == 7) {
9646 /* Set an inconsistent hostname */
9647 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
9648 goto end;
9649 /*
9650 * In TLSv1.2 we expect the hostname from the original handshake, in
9651 * TLSv1.3 we expect the hostname from this handshake
9652 */
9653 if (tst == 7)
9654 sexpectedhost = cexpectedhost = "altgoodhost";
9655
9656 if (!TEST_str_eq(SSL_get_servername(clientssl,
9657 TLSEXT_NAMETYPE_host_name),
9658 "altgoodhost"))
9659 goto end;
9660 } else if (tst == 4 || tst == 9) {
9661 /*
9662 * A TLSv1.3 session does not associate a session with a servername,
9663 * but a TLSv1.2 session does.
9664 */
9665 if (tst == 9)
9666 sexpectedhost = cexpectedhost = NULL;
9667
9668 if (!TEST_str_eq(SSL_get_servername(clientssl,
9669 TLSEXT_NAMETYPE_host_name),
9670 cexpectedhost))
9671 goto end;
9672 } else {
9673 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9674 goto end;
9675 /*
9676 * In a TLSv1.2 resumption where the hostname was not acknowledged
9677 * we expect the hostname on the server to be empty. On the client we
9678 * return what was requested in this case.
9679 *
9680 * Similarly if the client didn't set a hostname on an original TLSv1.2
9681 * session but is now, the server hostname will be empty, but the client
9682 * is as we set it.
9683 */
9684 if (tst == 1 || tst == 3)
9685 sexpectedhost = NULL;
9686
9687 if (!TEST_str_eq(SSL_get_servername(clientssl,
9688 TLSEXT_NAMETYPE_host_name),
9689 "goodhost"))
9690 goto end;
9691 }
9692
9693 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9694 goto end;
9695
9696 if (!TEST_true(SSL_session_reused(clientssl))
9697 || !TEST_true(SSL_session_reused(serverssl))
9698 || !TEST_str_eq(SSL_get_servername(clientssl,
9699 TLSEXT_NAMETYPE_host_name),
9700 cexpectedhost)
9701 || !TEST_str_eq(SSL_get_servername(serverssl,
9702 TLSEXT_NAMETYPE_host_name),
9703 sexpectedhost))
9704 goto end;
9705
9706 testresult = 1;
9707
9708 end:
9709 SSL_SESSION_free(sess);
9710 SSL_free(serverssl);
9711 SSL_free(clientssl);
9712 SSL_CTX_free(sctx);
9713 SSL_CTX_free(cctx);
9714
9715 return testresult;
9716}
9717
9718static int test_unknown_sigalgs_groups(void)
9719{
9720 int ret = 0;
9721 SSL_CTX *ctx = NULL;
9722
9723 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
9724 goto end;
9725
9726 if (!TEST_int_gt(SSL_CTX_set1_sigalgs_list(ctx,
9727 "RSA+SHA256:?nonexistent:?RSA+SHA512"),
9728 0))
9729 goto end;
9730 if (!TEST_size_t_eq(ctx->cert->conf_sigalgslen, 2)
9731 || !TEST_int_eq(ctx->cert->conf_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256)
9732 || !TEST_int_eq(ctx->cert->conf_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512))
9733 goto end;
9734
9735 if (!TEST_int_gt(SSL_CTX_set1_client_sigalgs_list(ctx,
9736 "RSA+SHA256:?nonexistent:?RSA+SHA512"),
9737 0))
9738 goto end;
9739 if (!TEST_size_t_eq(ctx->cert->client_sigalgslen, 2)
9740 || !TEST_int_eq(ctx->cert->client_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256)
9741 || !TEST_int_eq(ctx->cert->client_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512))
9742 goto end;
9743
9744 if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
9745 "nonexistent"),
9746 0))
9747 goto end;
9748
9749 if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
9750 "?nonexistent1:?nonexistent2:?nonexistent3"),
9751 0))
9752 goto end;
9753
9754#ifndef OPENSSL_NO_EC
9755 if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
9756 "P-256:nonexistent"),
9757 0))
9758 goto end;
9759
9760 if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx,
9761 "P-384:?nonexistent:?P-521"),
9762 0))
9763 goto end;
9764 if (!TEST_size_t_eq(ctx->ext.supportedgroups_len, 2)
9765 || !TEST_int_eq(ctx->ext.supportedgroups[0], OSSL_TLS_GROUP_ID_secp384r1)
9766 || !TEST_int_eq(ctx->ext.supportedgroups[1], OSSL_TLS_GROUP_ID_secp521r1))
9767 goto end;
9768#endif
9769
9770 ret = 1;
9771 end:
9772 SSL_CTX_free(ctx);
9773 return ret;
9774}
9775
9776#if !defined(OPENSSL_NO_EC) \
9777 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9778/*
9779 * Test that if signature algorithms are not available, then we do not offer or
9780 * accept them.
9781 * Test 0: Two RSA sig algs available: both RSA sig algs shared
9782 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
9783 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
9784 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
9785 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
9786 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
9787 */
9788static int test_sigalgs_available(int idx)
9789{
9790 SSL_CTX *cctx = NULL, *sctx = NULL;
9791 SSL *clientssl = NULL, *serverssl = NULL;
9792 int testresult = 0;
9793 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
9794 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
9795 OSSL_PROVIDER *filterprov = NULL;
9796 int sig, hash;
9797
9798 if (!TEST_ptr(tmpctx))
9799 goto end;
9800
9801 if (idx != 0 && idx != 3) {
9802 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
9803 filter_provider_init)))
9804 goto end;
9805
9806 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
9807 if (!TEST_ptr(filterprov))
9808 goto end;
9809
9810 if (idx < 3) {
9811 /*
9812 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
9813 * or accepted for the peer that uses this libctx. Note that libssl
9814 * *requires* SHA2-256 to be available so we cannot disable that. We
9815 * also need SHA1 for our certificate.
9816 */
9817 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
9818 "SHA2-256:SHA1")))
9819 goto end;
9820 } else {
9821 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
9822 "ECDSA"))
9823# ifdef OPENSSL_NO_ECX
9824 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT, "EC"))
9825# else
9826 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
9827 "EC:X25519:X448"))
9828# endif
9829 )
9830 goto end;
9831 }
9832
9833 if (idx == 1 || idx == 4)
9834 clientctx = tmpctx;
9835 else
9836 serverctx = tmpctx;
9837 }
9838
9839 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
9840 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
9841 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
9842 goto end;
9843
9844 if (idx != 5) {
9845 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9846 TLS_client_method(),
9847 TLS1_VERSION,
9848 0,
9849 &sctx, &cctx, cert, privkey)))
9850 goto end;
9851 } else {
9852 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9853 TLS_client_method(),
9854 TLS1_VERSION,
9855 0,
9856 &sctx, &cctx, cert2, privkey2)))
9857 goto end;
9858 }
9859
9860 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
9861 if (idx < 4) {
9862 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9863 "ECDHE-RSA-AES128-GCM-SHA256")))
9864 goto end;
9865 } else {
9866 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9867 "ECDHE-ECDSA-AES128-GCM-SHA256")))
9868 goto end;
9869 }
9870
9871 if (idx < 3) {
9872 if (!SSL_CTX_set1_sigalgs_list(cctx,
9873 "rsa_pss_rsae_sha384"
9874 ":rsa_pss_rsae_sha256")
9875 || !SSL_CTX_set1_sigalgs_list(sctx,
9876 "rsa_pss_rsae_sha384"
9877 ":rsa_pss_rsae_sha256"))
9878 goto end;
9879 } else {
9880 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
9881 || !SSL_CTX_set1_sigalgs_list(sctx,
9882 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
9883 goto end;
9884 }
9885
9886 if (idx != 5
9887 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
9888 SSL_FILETYPE_PEM), 1)
9889 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
9890 privkey2,
9891 SSL_FILETYPE_PEM), 1)
9892 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
9893 goto end;
9894
9895 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9896 NULL, NULL)))
9897 goto end;
9898
9899 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9900 goto end;
9901
9902 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
9903 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
9904 NULL, NULL),
9905 (idx == 0 || idx == 3) ? 2 : 1))
9906 goto end;
9907
9908 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
9909 goto end;
9910
9911 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
9912 : NID_rsassaPss))
9913 goto end;
9914
9915 testresult = filter_provider_check_clean_finish();
9916
9917 end:
9918 SSL_free(serverssl);
9919 SSL_free(clientssl);
9920 SSL_CTX_free(sctx);
9921 SSL_CTX_free(cctx);
9922 OSSL_PROVIDER_unload(filterprov);
9923 OSSL_LIB_CTX_free(tmpctx);
9924
9925 return testresult;
9926}
9927#endif /*
9928 * !defined(OPENSSL_NO_EC) \
9929 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9930 */
9931
9932#ifndef OPENSSL_NO_TLS1_3
9933/* This test can run in TLSv1.3 even if ec and dh are disabled */
9934static int test_pluggable_group(int idx)
9935{
9936 SSL_CTX *cctx = NULL, *sctx = NULL;
9937 SSL *clientssl = NULL, *serverssl = NULL;
9938 int testresult = 0;
9939 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
9940 /* Check that we are not impacted by a provider without any groups */
9941 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
9942 const char *group_name = idx == 0 ? "xorkemgroup" : "xorgroup";
9943
9944 if (!TEST_ptr(tlsprov))
9945 goto end;
9946
9947 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9948 TLS_client_method(),
9949 TLS1_3_VERSION,
9950 TLS1_3_VERSION,
9951 &sctx, &cctx, cert, privkey))
9952 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9953 NULL, NULL)))
9954 goto end;
9955
9956 /* ensure GROUPLIST_INCREMENT (=40) logic triggers: */
9957 if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup:xorkemgroup:dummy1:dummy2:dummy3:dummy4:dummy5:dummy6:dummy7:dummy8:dummy9:dummy10:dummy11:dummy12:dummy13:dummy14:dummy15:dummy16:dummy17:dummy18:dummy19:dummy20:dummy21:dummy22:dummy23:dummy24:dummy25:dummy26:dummy27:dummy28:dummy29:dummy30:dummy31:dummy32:dummy33:dummy34:dummy35:dummy36:dummy37:dummy38:dummy39:dummy40:dummy41:dummy42:dummy43"))
9958 /* removing a single algorithm from the list makes the test pass */
9959 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
9960 goto end;
9961
9962 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9963 goto end;
9964
9965 if (!TEST_str_eq(group_name,
9966 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
9967 goto end;
9968
9969 if (!TEST_str_eq(group_name, SSL_get0_group_name(serverssl))
9970 || !TEST_str_eq(group_name, SSL_get0_group_name(clientssl)))
9971 goto end;
9972
9973 testresult = 1;
9974
9975 end:
9976 SSL_free(serverssl);
9977 SSL_free(clientssl);
9978 SSL_CTX_free(sctx);
9979 SSL_CTX_free(cctx);
9980 OSSL_PROVIDER_unload(tlsprov);
9981 OSSL_PROVIDER_unload(legacyprov);
9982
9983 return testresult;
9984}
9985
9986/*
9987 * This function triggers encode, decode and sign functions
9988 * of the artificial "xorhmacsig" algorithm implemented in tls-provider
9989 * creating private key and certificate files for use in TLS testing.
9990 */
9991static int create_cert_key(int idx, char *certfilename, char *privkeyfilename)
9992{
9993 EVP_PKEY_CTX *evpctx = EVP_PKEY_CTX_new_from_name(libctx,
9994 (idx == 0) ? "xorhmacsig" : "xorhmacsha2sig", NULL);
9995 EVP_PKEY *pkey = NULL;
9996 X509 *x509 = X509_new();
9997 X509_NAME *name = NULL;
9998 BIO *keybio = NULL, *certbio = NULL;
9999 int ret = 1;
10000
10001 if (!TEST_ptr(evpctx)
10002 || !TEST_true(EVP_PKEY_keygen_init(evpctx))
10003 || !TEST_true(EVP_PKEY_generate(evpctx, &pkey))
10004 || !TEST_ptr(pkey)
10005 || !TEST_ptr(x509)
10006 || !TEST_true(ASN1_INTEGER_set(X509_get_serialNumber(x509), 1))
10007 || !TEST_true(X509_gmtime_adj(X509_getm_notBefore(x509), 0))
10008 || !TEST_true(X509_gmtime_adj(X509_getm_notAfter(x509), 31536000L))
10009 || !TEST_true(X509_set_pubkey(x509, pkey))
10010 || !TEST_ptr(name = X509_get_subject_name(x509))
10011 || !TEST_true(X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC,
10012 (unsigned char *)"CH", -1, -1, 0))
10013 || !TEST_true(X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC,
10014 (unsigned char *)"test.org", -1, -1, 0))
10015 || !TEST_true(X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
10016 (unsigned char *)"localhost", -1, -1, 0))
10017 || !TEST_true(X509_set_issuer_name(x509, name))
10018 || !TEST_true(X509_sign(x509, pkey, EVP_sha1()))
10019 || !TEST_ptr(keybio = BIO_new_file(privkeyfilename, "wb"))
10020 || !TEST_true(PEM_write_bio_PrivateKey(keybio, pkey, NULL, NULL, 0, NULL, NULL))
10021 || !TEST_ptr(certbio = BIO_new_file(certfilename, "wb"))
10022 || !TEST_true(PEM_write_bio_X509(certbio, x509)))
10023 ret = 0;
10024
10025 EVP_PKEY_free(pkey);
10026 X509_free(x509);
10027 EVP_PKEY_CTX_free(evpctx);
10028 BIO_free(keybio);
10029 BIO_free(certbio);
10030 return ret;
10031}
10032
10033/*
10034 * Test that signature algorithms loaded via the provider interface can
10035 * correctly establish a TLS (1.3) connection.
10036 * Test 0: Signature algorithm with built-in hashing functionality: "xorhmacsig"
10037 * Test 1: Signature algorithm using external SHA2 hashing: "xorhmacsha2sig"
10038 * Test 2: Test 0 using RPK
10039 * Test 3: Test 1 using RPK
10040 */
10041static int test_pluggable_signature(int idx)
10042{
10043 static const unsigned char cert_type_rpk[] = { TLSEXT_cert_type_rpk, TLSEXT_cert_type_x509 };
10044 SSL_CTX *cctx = NULL, *sctx = NULL;
10045 SSL *clientssl = NULL, *serverssl = NULL;
10046 int testresult = 0;
10047 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
10048 OSSL_PROVIDER *defaultprov = OSSL_PROVIDER_load(libctx, "default");
10049 char *certfilename = "tls-prov-cert.pem";
10050 char *privkeyfilename = "tls-prov-key.pem";
10051 int sigidx = idx % 2;
10052 int rpkidx = idx / 2;
10053
10054 /* create key and certificate for the different algorithm types */
10055 if (!TEST_ptr(tlsprov)
10056 || !TEST_true(create_cert_key(sigidx, certfilename, privkeyfilename)))
10057 goto end;
10058
10059 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10060 TLS_client_method(),
10061 TLS1_3_VERSION,
10062 TLS1_3_VERSION,
10063 &sctx, &cctx, certfilename, privkeyfilename))
10064 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10065 NULL, NULL)))
10066 goto end;
10067
10068 /* Enable RPK for server cert */
10069 if (rpkidx) {
10070 if (!TEST_true(SSL_set1_server_cert_type(serverssl, cert_type_rpk, sizeof(cert_type_rpk)))
10071 || !TEST_true(SSL_set1_server_cert_type(clientssl, cert_type_rpk, sizeof(cert_type_rpk))))
10072 goto end;
10073 }
10074
10075 /* This is necessary to pass minimal setup w/o other groups configured */
10076 if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup"))
10077 || !TEST_true(SSL_set1_groups_list(clientssl, "xorgroup")))
10078 goto end;
10079
10080 /*
10081 * If this connection gets established, it must have been completed
10082 * via the tls-provider-implemented "hmacsig" algorithm, testing
10083 * both sign and verify functions during handshake.
10084 */
10085 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10086 goto end;
10087
10088 /* If using RPK, make sure we got one */
10089 if (rpkidx && !TEST_long_eq(SSL_get_verify_result(clientssl), X509_V_ERR_RPK_UNTRUSTED))
10090 goto end;
10091
10092 testresult = 1;
10093
10094 end:
10095 SSL_free(serverssl);
10096 SSL_free(clientssl);
10097 SSL_CTX_free(sctx);
10098 SSL_CTX_free(cctx);
10099 OSSL_PROVIDER_unload(tlsprov);
10100 OSSL_PROVIDER_unload(defaultprov);
10101
10102 return testresult;
10103}
10104#endif
10105
10106#ifndef OPENSSL_NO_TLS1_2
10107static int test_ssl_dup(void)
10108{
10109 SSL_CTX *cctx = NULL, *sctx = NULL;
10110 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
10111 int testresult = 0;
10112 BIO *rbio = NULL, *wbio = NULL;
10113
10114 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10115 TLS_client_method(),
10116 0,
10117 0,
10118 &sctx, &cctx, cert, privkey)))
10119 goto end;
10120
10121 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10122 NULL, NULL)))
10123 goto end;
10124
10125 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
10126 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
10127 goto end;
10128
10129 client2ssl = SSL_dup(clientssl);
10130 rbio = SSL_get_rbio(clientssl);
10131 if (!TEST_ptr(rbio)
10132 || !TEST_true(BIO_up_ref(rbio)))
10133 goto end;
10134 SSL_set0_rbio(client2ssl, rbio);
10135 rbio = NULL;
10136
10137 wbio = SSL_get_wbio(clientssl);
10138 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
10139 goto end;
10140 SSL_set0_wbio(client2ssl, wbio);
10141 rbio = NULL;
10142
10143 if (!TEST_ptr(client2ssl)
10144 /* Handshake not started so pointers should be different */
10145 || !TEST_ptr_ne(clientssl, client2ssl))
10146 goto end;
10147
10148 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
10149 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
10150 goto end;
10151
10152 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
10153 goto end;
10154
10155 SSL_free(clientssl);
10156 clientssl = SSL_dup(client2ssl);
10157 if (!TEST_ptr(clientssl)
10158 /* Handshake has finished so pointers should be the same */
10159 || !TEST_ptr_eq(clientssl, client2ssl))
10160 goto end;
10161
10162 testresult = 1;
10163
10164 end:
10165 SSL_free(serverssl);
10166 SSL_free(clientssl);
10167 SSL_free(client2ssl);
10168 SSL_CTX_free(sctx);
10169 SSL_CTX_free(cctx);
10170
10171 return testresult;
10172}
10173
10174static int secret_cb(SSL *s, void *secretin, int *secret_len,
10175 STACK_OF(SSL_CIPHER) *peer_ciphers,
10176 const SSL_CIPHER **cipher, void *arg)
10177{
10178 int i;
10179 unsigned char *secret = secretin;
10180
10181 /* Just use a fixed master secret */
10182 for (i = 0; i < *secret_len; i++)
10183 secret[i] = 0xff;
10184
10185 /* We don't set a preferred cipher */
10186
10187 return 1;
10188}
10189
10190/*
10191 * Test the session_secret_cb which is designed for use with EAP-FAST
10192 */
10193static int test_session_secret_cb(void)
10194{
10195 SSL_CTX *cctx = NULL, *sctx = NULL;
10196 SSL *clientssl = NULL, *serverssl = NULL;
10197 SSL_SESSION *secret_sess = NULL;
10198 int testresult = 0;
10199
10200 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10201 TLS_client_method(),
10202 0,
10203 0,
10204 &sctx, &cctx, cert, privkey)))
10205 goto end;
10206
10207 /* Create an initial connection and save the session */
10208 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10209 NULL, NULL)))
10210 goto end;
10211
10212 /* session_secret_cb does not support TLSv1.3 */
10213 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
10214 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION)))
10215 goto end;
10216
10217 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10218 goto end;
10219
10220 if (!TEST_ptr(secret_sess = SSL_get1_session(clientssl)))
10221 goto end;
10222
10223 shutdown_ssl_connection(serverssl, clientssl);
10224 serverssl = clientssl = NULL;
10225
10226 /* Resume the earlier session */
10227 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10228 NULL, NULL)))
10229 goto end;
10230
10231 /*
10232 * No session ids for EAP-FAST - otherwise the state machine gets very
10233 * confused.
10234 */
10235 if (!TEST_true(SSL_SESSION_set1_id(secret_sess, NULL, 0)))
10236 goto end;
10237
10238 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
10239 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
10240 || !TEST_true(SSL_set_session_secret_cb(serverssl, secret_cb,
10241 NULL))
10242 || !TEST_true(SSL_set_session_secret_cb(clientssl, secret_cb,
10243 NULL))
10244 || !TEST_true(SSL_set_session(clientssl, secret_sess)))
10245 goto end;
10246
10247 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10248 goto end;
10249
10250 testresult = 1;
10251
10252 end:
10253 SSL_SESSION_free(secret_sess);
10254 SSL_free(serverssl);
10255 SSL_free(clientssl);
10256 SSL_CTX_free(sctx);
10257 SSL_CTX_free(cctx);
10258
10259 return testresult;
10260}
10261
10262# ifndef OPENSSL_NO_DH
10263
10264static EVP_PKEY *tmp_dh_params = NULL;
10265
10266/* Helper function for the test_set_tmp_dh() tests */
10267static EVP_PKEY *get_tmp_dh_params(void)
10268{
10269 if (tmp_dh_params == NULL) {
10270 BIGNUM *p = NULL;
10271 OSSL_PARAM_BLD *tmpl = NULL;
10272 EVP_PKEY_CTX *pctx = NULL;
10273 OSSL_PARAM *params = NULL;
10274 EVP_PKEY *dhpkey = NULL;
10275
10276 p = BN_get_rfc3526_prime_2048(NULL);
10277 if (!TEST_ptr(p))
10278 goto end;
10279
10280 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
10281 if (!TEST_ptr(pctx)
10282 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
10283 goto end;
10284
10285 tmpl = OSSL_PARAM_BLD_new();
10286 if (!TEST_ptr(tmpl)
10287 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
10288 OSSL_PKEY_PARAM_FFC_P,
10289 p))
10290 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
10291 OSSL_PKEY_PARAM_FFC_G,
10292 2)))
10293 goto end;
10294
10295 params = OSSL_PARAM_BLD_to_param(tmpl);
10296 if (!TEST_ptr(params)
10297 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
10298 EVP_PKEY_KEY_PARAMETERS,
10299 params), 1))
10300 goto end;
10301
10302 tmp_dh_params = dhpkey;
10303 end:
10304 BN_free(p);
10305 EVP_PKEY_CTX_free(pctx);
10306 OSSL_PARAM_BLD_free(tmpl);
10307 OSSL_PARAM_free(params);
10308 }
10309
10310 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
10311 return NULL;
10312
10313 return tmp_dh_params;
10314}
10315
10316# ifndef OPENSSL_NO_DEPRECATED_3_0
10317/* Callback used by test_set_tmp_dh() */
10318static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
10319{
10320 EVP_PKEY *dhpkey = get_tmp_dh_params();
10321 DH *ret = NULL;
10322
10323 if (!TEST_ptr(dhpkey))
10324 return NULL;
10325
10326 /*
10327 * libssl does not free the returned DH, so we free it now knowing that even
10328 * after we free dhpkey, there will still be a reference to the owning
10329 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
10330 * of time we need it for.
10331 */
10332 ret = EVP_PKEY_get1_DH(dhpkey);
10333 DH_free(ret);
10334
10335 EVP_PKEY_free(dhpkey);
10336
10337 return ret;
10338}
10339# endif
10340
10341/*
10342 * Test the various methods for setting temporary DH parameters
10343 *
10344 * Test 0: Default (no auto) setting
10345 * Test 1: Explicit SSL_CTX auto off
10346 * Test 2: Explicit SSL auto off
10347 * Test 3: Explicit SSL_CTX auto on
10348 * Test 4: Explicit SSL auto on
10349 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
10350 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
10351 *
10352 * The following are testing deprecated APIs, so we only run them if available
10353 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
10354 * Test 8: Explicit SSL auto off, custom DH params via DH
10355 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
10356 * Test 10: Explicit SSL auto off, custom DH params via callback
10357 */
10358static int test_set_tmp_dh(int idx)
10359{
10360 SSL_CTX *cctx = NULL, *sctx = NULL;
10361 SSL *clientssl = NULL, *serverssl = NULL;
10362 int testresult = 0;
10363 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
10364 int expected = (idx <= 2) ? 0 : 1;
10365 EVP_PKEY *dhpkey = NULL;
10366# ifndef OPENSSL_NO_DEPRECATED_3_0
10367 DH *dh = NULL;
10368# else
10369
10370 if (idx >= 7)
10371 return 1;
10372# endif
10373
10374 if (idx >= 5 && idx <= 8) {
10375 dhpkey = get_tmp_dh_params();
10376 if (!TEST_ptr(dhpkey))
10377 goto end;
10378 }
10379# ifndef OPENSSL_NO_DEPRECATED_3_0
10380 if (idx == 7 || idx == 8) {
10381 dh = EVP_PKEY_get1_DH(dhpkey);
10382 if (!TEST_ptr(dh))
10383 goto end;
10384 }
10385# endif
10386
10387 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10388 TLS_client_method(),
10389 0,
10390 0,
10391 &sctx, &cctx, cert, privkey)))
10392 goto end;
10393
10394 if ((idx & 1) == 1) {
10395 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
10396 goto end;
10397 }
10398
10399 if (idx == 5) {
10400 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
10401 goto end;
10402 dhpkey = NULL;
10403 }
10404# ifndef OPENSSL_NO_DEPRECATED_3_0
10405 else if (idx == 7) {
10406 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
10407 goto end;
10408 } else if (idx == 9) {
10409 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
10410 }
10411# endif
10412
10413 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10414 NULL, NULL)))
10415 goto end;
10416
10417 if ((idx & 1) == 0 && idx != 0) {
10418 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
10419 goto end;
10420 }
10421 if (idx == 6) {
10422 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
10423 goto end;
10424 dhpkey = NULL;
10425 }
10426# ifndef OPENSSL_NO_DEPRECATED_3_0
10427 else if (idx == 8) {
10428 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
10429 goto end;
10430 } else if (idx == 10) {
10431 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
10432 }
10433# endif
10434
10435 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
10436 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
10437 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
10438 goto end;
10439
10440 /*
10441 * If autoon then we should succeed. Otherwise we expect failure because
10442 * there are no parameters
10443 */
10444 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
10445 SSL_ERROR_NONE), expected))
10446 goto end;
10447
10448 testresult = 1;
10449
10450 end:
10451# ifndef OPENSSL_NO_DEPRECATED_3_0
10452 DH_free(dh);
10453# endif
10454 SSL_free(serverssl);
10455 SSL_free(clientssl);
10456 SSL_CTX_free(sctx);
10457 SSL_CTX_free(cctx);
10458 EVP_PKEY_free(dhpkey);
10459
10460 return testresult;
10461}
10462
10463/*
10464 * Test the auto DH keys are appropriately sized
10465 */
10466static int test_dh_auto(int idx)
10467{
10468 SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
10469 SSL_CTX *sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10470 SSL *clientssl = NULL, *serverssl = NULL;
10471 int testresult = 0;
10472 EVP_PKEY *tmpkey = NULL;
10473 char *thiscert = NULL, *thiskey = NULL;
10474 size_t expdhsize = 0;
10475 const char *ciphersuite = "DHE-RSA-AES128-SHA";
10476
10477 if (!TEST_ptr(sctx) || !TEST_ptr(cctx))
10478 goto end;
10479
10480 switch (idx) {
10481 case 0:
10482 /* The FIPS provider doesn't support this DH size - so we ignore it */
10483 if (is_fips) {
10484 testresult = 1;
10485 goto end;
10486 }
10487 thiscert = cert1024;
10488 thiskey = privkey1024;
10489 expdhsize = 1024;
10490 SSL_CTX_set_security_level(sctx, 1);
10491 SSL_CTX_set_security_level(cctx, 1);
10492 break;
10493 case 1:
10494 /* 2048 bit prime */
10495 thiscert = cert;
10496 thiskey = privkey;
10497 expdhsize = 2048;
10498 break;
10499 case 2:
10500 thiscert = cert3072;
10501 thiskey = privkey3072;
10502 expdhsize = 3072;
10503 break;
10504 case 3:
10505 thiscert = cert4096;
10506 thiskey = privkey4096;
10507 expdhsize = 4096;
10508 break;
10509 case 4:
10510 thiscert = cert8192;
10511 thiskey = privkey8192;
10512 expdhsize = 8192;
10513 break;
10514 /* No certificate cases */
10515 case 5:
10516 /* The FIPS provider doesn't support this DH size - so we ignore it */
10517 if (is_fips) {
10518 testresult = 1;
10519 goto end;
10520 }
10521 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
10522 expdhsize = 1024;
10523 break;
10524 case 6:
10525 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
10526 expdhsize = 3072;
10527 break;
10528 default:
10529 TEST_error("Invalid text index");
10530 goto end;
10531 }
10532
10533 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL,
10534 NULL,
10535 0,
10536 0,
10537 &sctx, &cctx, thiscert, thiskey)))
10538 goto end;
10539
10540 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10541 NULL, NULL)))
10542 goto end;
10543
10544 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
10545 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
10546 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
10547 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
10548 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
10549 goto end;
10550
10551 /*
10552 * Send the server's first flight. At this point the server has created the
10553 * temporary DH key but hasn't finished using it yet. Once used it is
10554 * removed, so we cannot test it.
10555 */
10556 if (!TEST_int_le(SSL_connect(clientssl), 0)
10557 || !TEST_int_le(SSL_accept(serverssl), 0))
10558 goto end;
10559
10560 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
10561 goto end;
10562 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
10563 goto end;
10564
10565 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10566 goto end;
10567
10568 testresult = 1;
10569
10570 end:
10571 SSL_free(serverssl);
10572 SSL_free(clientssl);
10573 SSL_CTX_free(sctx);
10574 SSL_CTX_free(cctx);
10575 EVP_PKEY_free(tmpkey);
10576
10577 return testresult;
10578
10579}
10580# endif /* OPENSSL_NO_DH */
10581#endif /* OPENSSL_NO_TLS1_2 */
10582
10583#ifndef OSSL_NO_USABLE_TLS1_3
10584/*
10585 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
10586 * that it works even without a certificate configured for the original
10587 * SSL_CTX
10588 */
10589static int test_sni_tls13(void)
10590{
10591 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
10592 SSL *clientssl = NULL, *serverssl = NULL;
10593 int testresult = 0;
10594
10595 /* Reset callback counter */
10596 snicb = 0;
10597
10598 /* Create an initial SSL_CTX with no certificate configured */
10599 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10600 if (!TEST_ptr(sctx))
10601 goto end;
10602 /* Require TLSv1.3 as a minimum */
10603 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10604 TLS_client_method(), TLS1_3_VERSION, 0,
10605 &sctx2, &cctx, cert, privkey)))
10606 goto end;
10607
10608 /* Set up SNI */
10609 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
10610 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
10611 goto end;
10612
10613 /*
10614 * Connection should still succeed because the final SSL_CTX has the right
10615 * certificates configured.
10616 */
10617 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10618 &clientssl, NULL, NULL))
10619 || !TEST_true(create_ssl_connection(serverssl, clientssl,
10620 SSL_ERROR_NONE)))
10621 goto end;
10622
10623 /* We should have had the SNI callback called exactly once */
10624 if (!TEST_int_eq(snicb, 1))
10625 goto end;
10626
10627 testresult = 1;
10628
10629end:
10630 SSL_free(serverssl);
10631 SSL_free(clientssl);
10632 SSL_CTX_free(sctx2);
10633 SSL_CTX_free(sctx);
10634 SSL_CTX_free(cctx);
10635 return testresult;
10636}
10637
10638/*
10639 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
10640 * 0 = TLSv1.2
10641 * 1 = TLSv1.3
10642 */
10643static int test_ticket_lifetime(int idx)
10644{
10645 SSL_CTX *cctx = NULL, *sctx = NULL;
10646 SSL *clientssl = NULL, *serverssl = NULL;
10647 int testresult = 0;
10648 int version = TLS1_3_VERSION;
10649
10650#define ONE_WEEK_SEC (7 * 24 * 60 * 60)
10651#define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
10652
10653 if (idx == 0) {
10654#ifdef OPENSSL_NO_TLS1_2
10655 return TEST_skip("TLS 1.2 is disabled.");
10656#else
10657 version = TLS1_2_VERSION;
10658#endif
10659 }
10660
10661 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10662 TLS_client_method(), version, version,
10663 &sctx, &cctx, cert, privkey)))
10664 goto end;
10665
10666 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10667 &clientssl, NULL, NULL)))
10668 goto end;
10669
10670 /*
10671 * Set the timeout to be more than 1 week
10672 * make sure the returned value is the default
10673 */
10674 if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
10675 SSL_get_default_timeout(serverssl)))
10676 goto end;
10677
10678 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10679 goto end;
10680
10681 if (idx == 0) {
10682 /* TLSv1.2 uses the set value */
10683 if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC))
10684 goto end;
10685 } else {
10686 /* TLSv1.3 uses the limited value */
10687 if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC))
10688 goto end;
10689 }
10690 testresult = 1;
10691
10692end:
10693 SSL_free(serverssl);
10694 SSL_free(clientssl);
10695 SSL_CTX_free(sctx);
10696 SSL_CTX_free(cctx);
10697 return testresult;
10698}
10699#endif
10700/*
10701 * Test that setting an ALPN does not violate RFC
10702 */
10703static int test_set_alpn(void)
10704{
10705 SSL_CTX *ctx = NULL;
10706 SSL *ssl = NULL;
10707 int testresult = 0;
10708
10709 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
10710 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
10711 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
10712 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
10713 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
10714 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
10715
10716 /* Create an initial SSL_CTX with no certificate configured */
10717 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10718 if (!TEST_ptr(ctx))
10719 goto end;
10720
10721 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
10722 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
10723 goto end;
10724 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
10725 goto end;
10726 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
10727 goto end;
10728 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
10729 goto end;
10730 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
10731 goto end;
10732 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
10733 goto end;
10734 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
10735 goto end;
10736 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
10737 goto end;
10738 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
10739 goto end;
10740
10741 ssl = SSL_new(ctx);
10742 if (!TEST_ptr(ssl))
10743 goto end;
10744
10745 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
10746 goto end;
10747 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
10748 goto end;
10749 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
10750 goto end;
10751 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
10752 goto end;
10753 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
10754 goto end;
10755 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
10756 goto end;
10757 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
10758 goto end;
10759 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
10760 goto end;
10761 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
10762 goto end;
10763
10764 testresult = 1;
10765
10766end:
10767 SSL_free(ssl);
10768 SSL_CTX_free(ctx);
10769 return testresult;
10770}
10771
10772/*
10773 * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
10774 */
10775static int test_set_verify_cert_store_ssl_ctx(void)
10776{
10777 SSL_CTX *ctx = NULL;
10778 int testresult = 0;
10779 X509_STORE *store = NULL, *new_store = NULL,
10780 *cstore = NULL, *new_cstore = NULL;
10781
10782 /* Create an initial SSL_CTX. */
10783 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10784 if (!TEST_ptr(ctx))
10785 goto end;
10786
10787 /* Retrieve verify store pointer. */
10788 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10789 goto end;
10790
10791 /* Retrieve chain store pointer. */
10792 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10793 goto end;
10794
10795 /* We haven't set any yet, so this should be NULL. */
10796 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10797 goto end;
10798
10799 /* Create stores. We use separate stores so pointers are different. */
10800 new_store = X509_STORE_new();
10801 if (!TEST_ptr(new_store))
10802 goto end;
10803
10804 new_cstore = X509_STORE_new();
10805 if (!TEST_ptr(new_cstore))
10806 goto end;
10807
10808 /* Set stores. */
10809 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store)))
10810 goto end;
10811
10812 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore)))
10813 goto end;
10814
10815 /* Should be able to retrieve the same pointer. */
10816 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10817 goto end;
10818
10819 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10820 goto end;
10821
10822 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10823 goto end;
10824
10825 /* Should be able to unset again. */
10826 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL)))
10827 goto end;
10828
10829 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL)))
10830 goto end;
10831
10832 /* Should now be NULL. */
10833 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10834 goto end;
10835
10836 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10837 goto end;
10838
10839 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10840 goto end;
10841
10842 testresult = 1;
10843
10844end:
10845 X509_STORE_free(new_store);
10846 X509_STORE_free(new_cstore);
10847 SSL_CTX_free(ctx);
10848 return testresult;
10849}
10850
10851/*
10852 * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store.
10853 */
10854static int test_set_verify_cert_store_ssl(void)
10855{
10856 SSL_CTX *ctx = NULL;
10857 SSL *ssl = NULL;
10858 int testresult = 0;
10859 X509_STORE *store = NULL, *new_store = NULL,
10860 *cstore = NULL, *new_cstore = NULL;
10861
10862 /* Create an initial SSL_CTX. */
10863 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10864 if (!TEST_ptr(ctx))
10865 goto end;
10866
10867 /* Create an SSL object. */
10868 ssl = SSL_new(ctx);
10869 if (!TEST_ptr(ssl))
10870 goto end;
10871
10872 /* Retrieve verify store pointer. */
10873 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10874 goto end;
10875
10876 /* Retrieve chain store pointer. */
10877 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10878 goto end;
10879
10880 /* We haven't set any yet, so this should be NULL. */
10881 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10882 goto end;
10883
10884 /* Create stores. We use separate stores so pointers are different. */
10885 new_store = X509_STORE_new();
10886 if (!TEST_ptr(new_store))
10887 goto end;
10888
10889 new_cstore = X509_STORE_new();
10890 if (!TEST_ptr(new_cstore))
10891 goto end;
10892
10893 /* Set stores. */
10894 if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store)))
10895 goto end;
10896
10897 if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore)))
10898 goto end;
10899
10900 /* Should be able to retrieve the same pointer. */
10901 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10902 goto end;
10903
10904 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10905 goto end;
10906
10907 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10908 goto end;
10909
10910 /* Should be able to unset again. */
10911 if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL)))
10912 goto end;
10913
10914 if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL)))
10915 goto end;
10916
10917 /* Should now be NULL. */
10918 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10919 goto end;
10920
10921 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10922 goto end;
10923
10924 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10925 goto end;
10926
10927 testresult = 1;
10928
10929end:
10930 X509_STORE_free(new_store);
10931 X509_STORE_free(new_cstore);
10932 SSL_free(ssl);
10933 SSL_CTX_free(ctx);
10934 return testresult;
10935}
10936
10937
10938static int test_inherit_verify_param(void)
10939{
10940 int testresult = 0;
10941
10942 SSL_CTX *ctx = NULL;
10943 X509_VERIFY_PARAM *cp = NULL;
10944 SSL *ssl = NULL;
10945 X509_VERIFY_PARAM *sp = NULL;
10946 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
10947
10948 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10949 if (!TEST_ptr(ctx))
10950 goto end;
10951
10952 cp = SSL_CTX_get0_param(ctx);
10953 if (!TEST_ptr(cp))
10954 goto end;
10955 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
10956 goto end;
10957
10958 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
10959
10960 ssl = SSL_new(ctx);
10961 if (!TEST_ptr(ssl))
10962 goto end;
10963
10964 sp = SSL_get0_param(ssl);
10965 if (!TEST_ptr(sp))
10966 goto end;
10967 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
10968 goto end;
10969
10970 testresult = 1;
10971
10972 end:
10973 SSL_free(ssl);
10974 SSL_CTX_free(ctx);
10975
10976 return testresult;
10977}
10978
10979static int test_load_dhfile(void)
10980{
10981#ifndef OPENSSL_NO_DH
10982 int testresult = 0;
10983
10984 SSL_CTX *ctx = NULL;
10985 SSL_CONF_CTX *cctx = NULL;
10986
10987 if (dhfile == NULL)
10988 return 1;
10989
10990 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()))
10991 || !TEST_ptr(cctx = SSL_CONF_CTX_new()))
10992 goto end;
10993
10994 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
10995 SSL_CONF_CTX_set_flags(cctx,
10996 SSL_CONF_FLAG_CERTIFICATE
10997 | SSL_CONF_FLAG_SERVER
10998 | SSL_CONF_FLAG_FILE);
10999
11000 if (!TEST_int_eq(SSL_CONF_cmd(cctx, "DHParameters", dhfile), 2))
11001 goto end;
11002
11003 testresult = 1;
11004end:
11005 SSL_CONF_CTX_free(cctx);
11006 SSL_CTX_free(ctx);
11007
11008 return testresult;
11009#else
11010 return TEST_skip("DH not supported by this build");
11011#endif
11012}
11013
11014#ifndef OSSL_NO_USABLE_TLS1_3
11015/* Test that read_ahead works across a key change */
11016static int test_read_ahead_key_change(void)
11017{
11018 SSL_CTX *cctx = NULL, *sctx = NULL;
11019 SSL *clientssl = NULL, *serverssl = NULL;
11020 int testresult = 0;
11021 char *msg = "Hello World";
11022 size_t written, readbytes;
11023 char buf[80];
11024 int i;
11025
11026 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11027 TLS_client_method(), TLS1_3_VERSION, 0,
11028 &sctx, &cctx, cert, privkey)))
11029 goto end;
11030
11031 SSL_CTX_set_read_ahead(sctx, 1);
11032
11033 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11034 &clientssl, NULL, NULL)))
11035 goto end;
11036
11037 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11038 goto end;
11039
11040 /* Write some data, send a key update, write more data */
11041 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
11042 || !TEST_size_t_eq(written, strlen(msg)))
11043 goto end;
11044
11045 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
11046 goto end;
11047
11048 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
11049 || !TEST_size_t_eq(written, strlen(msg)))
11050 goto end;
11051
11052 /*
11053 * Since read_ahead is on the first read below should read the record with
11054 * the first app data, the second record with the key update message, and
11055 * the third record with the app data all in one go. We should be able to
11056 * still process the read_ahead data correctly even though it crosses
11057 * epochs
11058 */
11059 for (i = 0; i < 2; i++) {
11060 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
11061 &readbytes)))
11062 goto end;
11063
11064 buf[readbytes] = '\0';
11065 if (!TEST_str_eq(buf, msg))
11066 goto end;
11067 }
11068
11069 testresult = 1;
11070
11071end:
11072 SSL_free(serverssl);
11073 SSL_free(clientssl);
11074 SSL_CTX_free(sctx);
11075 SSL_CTX_free(cctx);
11076 return testresult;
11077}
11078
11079static size_t record_pad_cb(SSL *s, int type, size_t len, void *arg)
11080{
11081 int *called = arg;
11082
11083 switch ((*called)++) {
11084 case 0:
11085 /* Add some padding to first record */
11086 return 512;
11087 case 1:
11088 /* Maximally pad the second record */
11089 return SSL3_RT_MAX_PLAIN_LENGTH - len;
11090 case 2:
11091 /*
11092 * Exceeding the maximum padding should be fine. It should just pad to
11093 * the maximum anyway
11094 */
11095 return SSL3_RT_MAX_PLAIN_LENGTH + 1 - len;
11096 case 3:
11097 /*
11098 * Very large padding should also be ok. Should just pad to the maximum
11099 * allowed
11100 */
11101 return SIZE_MAX;
11102 default:
11103 return 0;
11104 }
11105}
11106
11107/*
11108 * Test that setting record padding in TLSv1.3 works as expected
11109 * Test 0: Record padding callback on the SSL_CTX
11110 * Test 1: Record padding callback on the SSL
11111 * Test 2: Record block padding on the SSL_CTX
11112 * Test 3: Record block padding on the SSL
11113 * Test 4: Extended record block padding on the SSL_CTX
11114 * Test 5: Extended record block padding on the SSL
11115 */
11116static int test_tls13_record_padding(int idx)
11117{
11118 SSL_CTX *cctx = NULL, *sctx = NULL;
11119 SSL *clientssl = NULL, *serverssl = NULL;
11120 int testresult = 0;
11121 char *msg = "Hello World";
11122 size_t written, readbytes;
11123 char buf[80];
11124 int i;
11125 int called = 0;
11126
11127 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11128 TLS_client_method(), TLS1_3_VERSION, 0,
11129 &sctx, &cctx, cert, privkey)))
11130 goto end;
11131
11132 if (idx == 0) {
11133 SSL_CTX_set_record_padding_callback(cctx, record_pad_cb);
11134 SSL_CTX_set_record_padding_callback_arg(cctx, &called);
11135 if (!TEST_ptr_eq(SSL_CTX_get_record_padding_callback_arg(cctx), &called))
11136 goto end;
11137 } else if (idx == 2) {
11138 /* Exceeding the max plain length should fail */
11139 if (!TEST_false(SSL_CTX_set_block_padding(cctx,
11140 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
11141 goto end;
11142 if (!TEST_true(SSL_CTX_set_block_padding(cctx, 512)))
11143 goto end;
11144 } else if (idx == 4) {
11145 /* pad only handshake/alert messages */
11146 if (!TEST_true(SSL_CTX_set_block_padding_ex(cctx, 0, 512)))
11147 goto end;
11148 }
11149
11150 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11151 &clientssl, NULL, NULL)))
11152 goto end;
11153
11154 if (idx == 1) {
11155 SSL_set_record_padding_callback(clientssl, record_pad_cb);
11156 SSL_set_record_padding_callback_arg(clientssl, &called);
11157 if (!TEST_ptr_eq(SSL_get_record_padding_callback_arg(clientssl), &called))
11158 goto end;
11159 } else if (idx == 3) {
11160 /* Exceeding the max plain length should fail */
11161 if (!TEST_false(SSL_set_block_padding(clientssl,
11162 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
11163 goto end;
11164 if (!TEST_true(SSL_set_block_padding(clientssl, 512)))
11165 goto end;
11166 } else if (idx == 5) {
11167 /* Exceeding the max plain length should fail */
11168 if (!TEST_false(SSL_set_block_padding_ex(clientssl, 0,
11169 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
11170 goto end;
11171 /* pad server and client handshake only */
11172 if (!TEST_true(SSL_set_block_padding_ex(clientssl, 0, 512)))
11173 goto end;
11174 if (!TEST_true(SSL_set_block_padding_ex(serverssl, 0, 512)))
11175 goto end;
11176 }
11177
11178 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11179 goto end;
11180
11181 called = 0;
11182 /*
11183 * Write some data, then check we can read it. Do this four times to check
11184 * we can continue to write and read padded data after the initial record
11185 * padding has been added. We don't actually check that the padding has
11186 * been applied to the record - just that we can continue to communicate
11187 * normally and that the callback has been called (if appropriate).
11188 */
11189 for (i = 0; i < 4; i++) {
11190 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
11191 || !TEST_size_t_eq(written, strlen(msg)))
11192 goto end;
11193
11194 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
11195 &readbytes))
11196 || !TEST_size_t_eq(written, readbytes))
11197 goto end;
11198
11199 buf[readbytes] = '\0';
11200 if (!TEST_str_eq(buf, msg))
11201 goto end;
11202 }
11203
11204 if ((idx == 0 || idx == 1) && !TEST_int_eq(called, 4))
11205 goto end;
11206
11207 testresult = 1;
11208end:
11209 SSL_free(serverssl);
11210 SSL_free(clientssl);
11211 SSL_CTX_free(sctx);
11212 SSL_CTX_free(cctx);
11213 return testresult;
11214}
11215#endif /* OSSL_NO_USABLE_TLS1_3 */
11216
11217#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
11218/*
11219 * Test TLSv1.2 with a pipeline capable cipher. TLSv1.3 and DTLS do not
11220 * support this yet. The only pipeline capable cipher that we have is in the
11221 * dasync engine (providers don't support this yet), so we have to use
11222 * deprecated APIs for this test.
11223 *
11224 * Test 0: Client has pipelining enabled, server does not
11225 * Test 1: Server has pipelining enabled, client does not
11226 * Test 2: Client has pipelining enabled, server does not: not enough data to
11227 * fill all the pipelines
11228 * Test 3: Client has pipelining enabled, server does not: not enough data to
11229 * fill all the pipelines by more than a full pipeline's worth
11230 * Test 4: Client has pipelining enabled, server does not: more data than all
11231 * the available pipelines can take
11232 * Test 5: Client has pipelining enabled, server does not: Maximum size pipeline
11233 * Test 6: Repeat of test 0, but the engine is loaded late (after the SSL_CTX
11234 * is created)
11235 */
11236static int test_pipelining(int idx)
11237{
11238 SSL_CTX *cctx = NULL, *sctx = NULL;
11239 SSL *clientssl = NULL, *serverssl = NULL, *peera, *peerb;
11240 int testresult = 0, numreads;
11241 /* A 55 byte message */
11242 unsigned char *msg = (unsigned char *)
11243 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123";
11244 size_t written, readbytes, offset, msglen, fragsize = 10, numpipes = 5;
11245 size_t expectedreads;
11246 unsigned char *buf = NULL;
11247 ENGINE *e = NULL;
11248
11249 if (idx != 6) {
11250 e = load_dasync();
11251 if (e == NULL)
11252 return 0;
11253 }
11254
11255 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11256 TLS_client_method(), 0,
11257 TLS1_2_VERSION, &sctx, &cctx, cert,
11258 privkey)))
11259 goto end;
11260
11261 if (idx == 6) {
11262 e = load_dasync();
11263 if (e == NULL)
11264 goto end;
11265 /* Now act like test 0 */
11266 idx = 0;
11267 }
11268
11269 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11270 &clientssl, NULL, NULL)))
11271 goto end;
11272
11273 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES128-SHA")))
11274 goto end;
11275
11276 /* peera is always configured for pipelining, while peerb is not. */
11277 if (idx == 1) {
11278 peera = serverssl;
11279 peerb = clientssl;
11280
11281 } else {
11282 peera = clientssl;
11283 peerb = serverssl;
11284 }
11285
11286 if (idx == 5) {
11287 numpipes = 2;
11288 /* Maximum allowed fragment size */
11289 fragsize = SSL3_RT_MAX_PLAIN_LENGTH;
11290 msglen = fragsize * numpipes;
11291 msg = OPENSSL_malloc(msglen);
11292 if (!TEST_ptr(msg))
11293 goto end;
11294 if (!TEST_int_gt(RAND_bytes_ex(libctx, msg, msglen, 0), 0))
11295 goto end;
11296 } else if (idx == 4) {
11297 msglen = 55;
11298 } else {
11299 msglen = 50;
11300 }
11301 if (idx == 2)
11302 msglen -= 2; /* Send 2 less bytes */
11303 else if (idx == 3)
11304 msglen -= 12; /* Send 12 less bytes */
11305
11306 buf = OPENSSL_malloc(msglen);
11307 if (!TEST_ptr(buf))
11308 goto end;
11309
11310 if (idx == 5) {
11311 /*
11312 * Test that setting a split send fragment longer than the maximum
11313 * allowed fails
11314 */
11315 if (!TEST_false(SSL_set_split_send_fragment(peera, fragsize + 1)))
11316 goto end;
11317 }
11318
11319 /*
11320 * In the normal case. We have 5 pipelines with 10 bytes per pipeline
11321 * (50 bytes in total). This is a ridiculously small number of bytes -
11322 * but sufficient for our purposes
11323 */
11324 if (!TEST_true(SSL_set_max_pipelines(peera, numpipes))
11325 || !TEST_true(SSL_set_split_send_fragment(peera, fragsize)))
11326 goto end;
11327
11328 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11329 goto end;
11330
11331 /* Write some data from peera to peerb */
11332 if (!TEST_true(SSL_write_ex(peera, msg, msglen, &written))
11333 || !TEST_size_t_eq(written, msglen))
11334 goto end;
11335
11336 /*
11337 * If the pipelining code worked, then we expect all |numpipes| pipelines to
11338 * have been used - except in test 3 where only |numpipes - 1| pipelines
11339 * will be used. This will result in |numpipes| records (|numpipes - 1| for
11340 * test 3) having been sent to peerb. Since peerb is not using read_ahead we
11341 * expect this to be read in |numpipes| or |numpipes - 1| separate
11342 * SSL_read_ex calls. In the case of test 4, there is then one additional
11343 * read for left over data that couldn't fit in the previous pipelines
11344 */
11345 for (offset = 0, numreads = 0;
11346 offset < msglen;
11347 offset += readbytes, numreads++) {
11348 if (!TEST_true(SSL_read_ex(peerb, buf + offset,
11349 msglen - offset, &readbytes)))
11350 goto end;
11351 }
11352
11353 expectedreads = idx == 4 ? numpipes + 1
11354 : (idx == 3 ? numpipes - 1 : numpipes);
11355 if (!TEST_mem_eq(msg, msglen, buf, offset)
11356 || !TEST_int_eq(numreads, expectedreads))
11357 goto end;
11358
11359 /*
11360 * Write some data from peerb to peera. We do this in up to |numpipes + 1|
11361 * chunks to exercise the read pipelining code on peera.
11362 */
11363 for (offset = 0; offset < msglen; offset += fragsize) {
11364 size_t sendlen = msglen - offset;
11365
11366 if (sendlen > fragsize)
11367 sendlen = fragsize;
11368 if (!TEST_true(SSL_write_ex(peerb, msg + offset, sendlen, &written))
11369 || !TEST_size_t_eq(written, sendlen))
11370 goto end;
11371 }
11372
11373 /*
11374 * The data was written in |numpipes|, |numpipes - 1| or |numpipes + 1|
11375 * separate chunks (depending on which test we are running). If the
11376 * pipelining is working then we expect peera to read up to numpipes chunks
11377 * and process them in parallel, giving back the complete result in a single
11378 * call to SSL_read_ex
11379 */
11380 if (!TEST_true(SSL_read_ex(peera, buf, msglen, &readbytes))
11381 || !TEST_size_t_le(readbytes, msglen))
11382 goto end;
11383
11384 if (idx == 4) {
11385 size_t readbytes2;
11386
11387 if (!TEST_true(SSL_read_ex(peera, buf + readbytes,
11388 msglen - readbytes, &readbytes2)))
11389 goto end;
11390 readbytes += readbytes2;
11391 if (!TEST_size_t_le(readbytes, msglen))
11392 goto end;
11393 }
11394
11395 if (!TEST_mem_eq(msg, msglen, buf, readbytes))
11396 goto end;
11397
11398 testresult = 1;
11399end:
11400 SSL_free(serverssl);
11401 SSL_free(clientssl);
11402 SSL_CTX_free(sctx);
11403 SSL_CTX_free(cctx);
11404 if (e != NULL) {
11405 ENGINE_unregister_ciphers(e);
11406 ENGINE_finish(e);
11407 ENGINE_free(e);
11408 }
11409 OPENSSL_free(buf);
11410 if (fragsize == SSL3_RT_MAX_PLAIN_LENGTH)
11411 OPENSSL_free(msg);
11412 return testresult;
11413}
11414#endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) */
11415
11416static int check_version_string(SSL *s, int version)
11417{
11418 const char *verstr = NULL;
11419
11420 switch (version) {
11421 case SSL3_VERSION:
11422 verstr = "SSLv3";
11423 break;
11424 case TLS1_VERSION:
11425 verstr = "TLSv1";
11426 break;
11427 case TLS1_1_VERSION:
11428 verstr = "TLSv1.1";
11429 break;
11430 case TLS1_2_VERSION:
11431 verstr = "TLSv1.2";
11432 break;
11433 case TLS1_3_VERSION:
11434 verstr = "TLSv1.3";
11435 break;
11436 case DTLS1_VERSION:
11437 verstr = "DTLSv1";
11438 break;
11439 case DTLS1_2_VERSION:
11440 verstr = "DTLSv1.2";
11441 }
11442
11443 return TEST_str_eq(verstr, SSL_get_version(s));
11444}
11445
11446/*
11447 * Test that SSL_version, SSL_get_version, SSL_is_quic, SSL_is_tls and
11448 * SSL_is_dtls return the expected results for a (D)TLS connection. Compare with
11449 * test_version() in quicapitest.c which does the same thing for QUIC
11450 * connections.
11451 */
11452static int test_version(int idx)
11453{
11454 SSL_CTX *cctx = NULL, *sctx = NULL;
11455 SSL *clientssl = NULL, *serverssl = NULL;
11456 int testresult = 0, version;
11457 const SSL_METHOD *servmeth = TLS_server_method();
11458 const SSL_METHOD *clientmeth = TLS_client_method();
11459
11460 switch (idx) {
11461#if !defined(OPENSSL_NO_SSL3)
11462 case 0:
11463 version = SSL3_VERSION;
11464 break;
11465#endif
11466#if !defined(OPENSSL_NO_TLS1)
11467 case 1:
11468 version = TLS1_VERSION;
11469 break;
11470#endif
11471#if !defined(OPENSSL_NO_TLS1_2)
11472 case 2:
11473 version = TLS1_2_VERSION;
11474 break;
11475#endif
11476#if !defined(OSSL_NO_USABLE_TLS1_3)
11477 case 3:
11478 version = TLS1_3_VERSION;
11479 break;
11480#endif
11481#if !defined(OPENSSL_NO_DTLS1)
11482 case 4:
11483 version = DTLS1_VERSION;
11484 break;
11485#endif
11486#if !defined(OPENSSL_NO_DTLS1_2)
11487 case 5:
11488 version = DTLS1_2_VERSION;
11489 break;
11490#endif
11491 /*
11492 * NB we do not support QUIC in this test. That is covered by quicapitest.c
11493 * We also don't support DTLS1_BAD_VER since we have no server support for
11494 * that.
11495 */
11496 default:
11497 TEST_skip("Unsupported protocol version");
11498 return 1;
11499 }
11500
11501 if (is_fips
11502 && (version == SSL3_VERSION
11503 || version == TLS1_VERSION
11504 || version == DTLS1_VERSION)) {
11505 TEST_skip("Protocol version not supported with FIPS");
11506 return 1;
11507 }
11508
11509#if !defined(OPENSSL_NO_DTLS)
11510 if (version == DTLS1_VERSION || version == DTLS1_2_VERSION) {
11511 servmeth = DTLS_server_method();
11512 clientmeth = DTLS_client_method();
11513 }
11514#endif
11515
11516 if (!TEST_true(create_ssl_ctx_pair(libctx, servmeth, clientmeth, version,
11517 version, &sctx, &cctx, cert, privkey)))
11518 goto end;
11519
11520 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
11521 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
11522 "DEFAULT:@SECLEVEL=0")))
11523 goto end;
11524
11525 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11526 &clientssl, NULL, NULL)))
11527 goto end;
11528
11529 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11530 goto end;
11531
11532 if (!TEST_int_eq(SSL_version(serverssl), version)
11533 || !TEST_int_eq(SSL_version(clientssl), version)
11534 || !TEST_true(check_version_string(serverssl, version))
11535 || !TEST_true(check_version_string(clientssl, version)))
11536 goto end;
11537
11538 if (version == DTLS1_VERSION || version == DTLS1_2_VERSION) {
11539 if (!TEST_true(SSL_is_dtls(serverssl))
11540 || !TEST_true(SSL_is_dtls(clientssl))
11541 || !TEST_false(SSL_is_tls(serverssl))
11542 || !TEST_false(SSL_is_tls(clientssl))
11543 || !TEST_false(SSL_is_quic(serverssl))
11544 || !TEST_false(SSL_is_quic(clientssl)))
11545 goto end;
11546 } else {
11547 if (!TEST_true(SSL_is_tls(serverssl))
11548 || !TEST_true(SSL_is_tls(clientssl))
11549 || !TEST_false(SSL_is_dtls(serverssl))
11550 || !TEST_false(SSL_is_dtls(clientssl))
11551 || !TEST_false(SSL_is_quic(serverssl))
11552 || !TEST_false(SSL_is_quic(clientssl)))
11553 goto end;
11554 }
11555
11556 testresult = 1;
11557end:
11558 SSL_free(serverssl);
11559 SSL_free(clientssl);
11560 SSL_CTX_free(sctx);
11561 SSL_CTX_free(cctx);
11562 return testresult;
11563}
11564
11565/*
11566 * Test that the SSL_rstate_string*() APIs return sane results
11567 */
11568static int test_rstate_string(void)
11569{
11570 SSL_CTX *cctx = NULL, *sctx = NULL;
11571 SSL *clientssl = NULL, *serverssl = NULL;
11572 int testresult = 0, version;
11573 const SSL_METHOD *servmeth = TLS_server_method();
11574 const SSL_METHOD *clientmeth = TLS_client_method();
11575 size_t written, readbytes;
11576 unsigned char buf[2];
11577 unsigned char dummyheader[SSL3_RT_HEADER_LENGTH] = {
11578 SSL3_RT_APPLICATION_DATA,
11579 TLS1_2_VERSION_MAJOR,
11580 0, /* To be filled in later */
11581 0,
11582 1
11583 };
11584
11585 if (!TEST_true(create_ssl_ctx_pair(libctx, servmeth, clientmeth, 0,
11586 0, &sctx, &cctx, cert, privkey)))
11587 goto end;
11588
11589 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11590 &clientssl, NULL, NULL)))
11591 goto end;
11592
11593 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RH")
11594 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read header"))
11595 goto end;
11596
11597 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11598 goto end;
11599
11600 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RH")
11601 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read header"))
11602 goto end;
11603
11604 /* Fill in the correct version for the record header */
11605 version = SSL_version(serverssl);
11606 if (version == TLS1_3_VERSION)
11607 version = TLS1_2_VERSION;
11608 dummyheader[2] = version & 0xff;
11609
11610 /*
11611 * Send a dummy header. If we continued to read the body as well this
11612 * would fail with a bad record mac, but we're not going to go that far.
11613 */
11614 if (!TEST_true(BIO_write_ex(SSL_get_rbio(serverssl), dummyheader,
11615 sizeof(dummyheader), &written))
11616 || !TEST_size_t_eq(written, SSL3_RT_HEADER_LENGTH))
11617 goto end;
11618
11619 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)))
11620 goto end;
11621
11622 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RB")
11623 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read body"))
11624 goto end;
11625
11626 testresult = 1;
11627end:
11628 SSL_free(serverssl);
11629 SSL_free(clientssl);
11630 SSL_CTX_free(sctx);
11631 SSL_CTX_free(cctx);
11632 return testresult;
11633}
11634
11635/*
11636 * Force a write retry during handshaking. We test various combinations of
11637 * scenarios. We test a large certificate message which will fill the buffering
11638 * BIO used in the handshake. We try with client auth on and off. Finally we
11639 * also try a BIO that indicates retry via a 0 return. BIO_write() is documented
11640 * to indicate retry via -1 - but sometimes BIOs don't do that.
11641 *
11642 * Test 0: Standard certificate message
11643 * Test 1: Large certificate message
11644 * Test 2: Standard cert, verify peer
11645 * Test 3: Large cert, verify peer
11646 * Test 4: Standard cert, BIO returns 0 on retry
11647 * Test 5: Large cert, BIO returns 0 on retry
11648 * Test 6: Standard cert, verify peer, BIO returns 0 on retry
11649 * Test 7: Large cert, verify peer, BIO returns 0 on retry
11650 * Test 8-15: Repeat of above with TLSv1.2
11651 */
11652static int test_handshake_retry(int idx)
11653{
11654 SSL_CTX *cctx = NULL, *sctx = NULL;
11655 SSL *clientssl = NULL, *serverssl = NULL;
11656 int testresult = 0;
11657 BIO *tmp = NULL, *bretry = BIO_new(bio_s_always_retry());
11658 int maxversion = 0;
11659
11660 if (!TEST_ptr(bretry))
11661 goto end;
11662
11663#ifndef OPENSSL_NO_TLS1_2
11664 if ((idx & 8) == 8)
11665 maxversion = TLS1_2_VERSION;
11666#else
11667 if ((idx & 8) == 8)
11668 return TEST_skip("No TLSv1.2");
11669#endif
11670
11671 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11672 TLS_client_method(), 0, maxversion,
11673 &sctx, &cctx, cert, privkey)))
11674 goto end;
11675
11676 /*
11677 * Add a large amount of data to fill the buffering BIO used by the SSL
11678 * object
11679 */
11680 if ((idx & 1) == 1 && !ssl_ctx_add_large_cert_chain(libctx, sctx, cert))
11681 goto end;
11682
11683 /*
11684 * We don't actually configure a client cert, but neither do we fail if one
11685 * isn't present.
11686 */
11687 if ((idx & 2) == 2)
11688 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
11689
11690 if ((idx & 4) == 4)
11691 set_always_retry_err_val(0);
11692
11693 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11694 &clientssl, NULL, NULL)))
11695 goto end;
11696
11697 tmp = SSL_get_wbio(serverssl);
11698 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
11699 tmp = NULL;
11700 goto end;
11701 }
11702 SSL_set0_wbio(serverssl, bretry);
11703 bretry = NULL;
11704
11705 if (!TEST_int_eq(SSL_connect(clientssl), -1))
11706 goto end;
11707
11708 if (!TEST_int_eq(SSL_accept(serverssl), -1)
11709 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
11710 goto end;
11711
11712 /* Restore a BIO that will let the write succeed */
11713 SSL_set0_wbio(serverssl, tmp);
11714 tmp = NULL;
11715
11716 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11717 goto end;
11718
11719 testresult = 1;
11720end:
11721 SSL_free(serverssl);
11722 SSL_free(clientssl);
11723 SSL_CTX_free(sctx);
11724 SSL_CTX_free(cctx);
11725 BIO_free(bretry);
11726 BIO_free(tmp);
11727 set_always_retry_err_val(-1);
11728 return testresult;
11729}
11730
11731/*
11732 * Test that receiving retries when writing application data works as expected
11733 */
11734static int test_data_retry(void)
11735{
11736 SSL_CTX *cctx = NULL, *sctx = NULL;
11737 SSL *clientssl = NULL, *serverssl = NULL;
11738 int testresult = 0;
11739 unsigned char inbuf[1200], outbuf[1200];
11740 size_t i;
11741 BIO *tmp = NULL;
11742 BIO *bretry = BIO_new(bio_s_maybe_retry());
11743 size_t written, readbytes, totread = 0;
11744
11745 if (!TEST_ptr(bretry))
11746 goto end;
11747
11748 for (i = 0; i < sizeof(inbuf); i++)
11749 inbuf[i] = (unsigned char)(0xff & i);
11750 memset(outbuf, 0, sizeof(outbuf));
11751
11752 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11753 TLS_client_method(), 0, 0, &sctx, &cctx,
11754 cert, privkey)))
11755 goto end;
11756
11757 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
11758 NULL)))
11759 goto end;
11760
11761 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11762 goto end;
11763
11764 /* Smallest possible max send fragment is 512 */
11765 if (!TEST_true(SSL_set_max_send_fragment(clientssl, 512)))
11766 goto end;
11767
11768 tmp = SSL_get_wbio(clientssl);
11769 if (!TEST_ptr(tmp))
11770 goto end;
11771 if (!TEST_true(BIO_up_ref(tmp)))
11772 goto end;
11773 BIO_push(bretry, tmp);
11774 tmp = NULL;
11775 SSL_set0_wbio(clientssl, bretry);
11776 if (!BIO_up_ref(bretry)) {
11777 bretry = NULL;
11778 goto end;
11779 }
11780
11781 for (i = 0; i < 3; i++) {
11782 /* We expect this call to make no progress and indicate retry */
11783 if (!TEST_false(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
11784 goto end;
11785 if (!TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_WRITE))
11786 goto end;
11787
11788 /* Allow one write to progress, but the next one to signal retry */
11789 if (!TEST_true(BIO_ctrl(bretry, MAYBE_RETRY_CTRL_SET_RETRY_AFTER_CNT, 1,
11790 NULL)))
11791 goto end;
11792
11793 if (i == 2)
11794 break;
11795
11796 /*
11797 * This call will hopefully make progress but will still indicate retry
11798 * because there is more data than will fit into a single record.
11799 */
11800 if (!TEST_false(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
11801 goto end;
11802 if (!TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_WRITE))
11803 goto end;
11804 }
11805
11806 /* The final call should write the last chunk of data and succeed */
11807 if (!TEST_true(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
11808 goto end;
11809 /* Read all the data available */
11810 while (SSL_read_ex(serverssl, outbuf + totread, sizeof(outbuf) - totread,
11811 &readbytes))
11812 totread += readbytes;
11813 if (!TEST_mem_eq(inbuf, sizeof(inbuf), outbuf, totread))
11814 goto end;
11815
11816 testresult = 1;
11817end:
11818 SSL_free(serverssl);
11819 SSL_free(clientssl);
11820 SSL_CTX_free(sctx);
11821 SSL_CTX_free(cctx);
11822 BIO_free_all(bretry);
11823 BIO_free(tmp);
11824 return testresult;
11825}
11826
11827struct resume_servername_cb_data {
11828 int i;
11829 SSL_CTX *cctx;
11830 SSL_CTX *sctx;
11831 SSL_SESSION *sess;
11832 int recurse;
11833};
11834
11835/*
11836 * Servername callback. We use it here to run another complete handshake using
11837 * the same session - and mark the session as not_resuamble at the end
11838 */
11839static int resume_servername_cb(SSL *s, int *ad, void *arg)
11840{
11841 struct resume_servername_cb_data *cbdata = arg;
11842 SSL *serverssl = NULL, *clientssl = NULL;
11843 int ret = SSL_TLSEXT_ERR_ALERT_FATAL;
11844
11845 if (cbdata->recurse)
11846 return SSL_TLSEXT_ERR_ALERT_FATAL;
11847
11848 if ((cbdata->i % 3) != 1)
11849 return SSL_TLSEXT_ERR_OK;
11850
11851 cbdata->recurse = 1;
11852
11853 if (!TEST_true(create_ssl_objects(cbdata->sctx, cbdata->cctx, &serverssl,
11854 &clientssl, NULL, NULL))
11855 || !TEST_true(SSL_set_session(clientssl, cbdata->sess)))
11856 goto end;
11857
11858 ERR_set_mark();
11859 /*
11860 * We expect this to fail - because the servername cb will fail. This will
11861 * mark the session as not_resumable.
11862 */
11863 if (!TEST_false(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) {
11864 ERR_clear_last_mark();
11865 goto end;
11866 }
11867 ERR_pop_to_mark();
11868
11869 ret = SSL_TLSEXT_ERR_OK;
11870 end:
11871 SSL_free(serverssl);
11872 SSL_free(clientssl);
11873 cbdata->recurse = 0;
11874 return ret;
11875}
11876/*
11877 * Test multiple resumptions and cache size handling
11878 * Test 0: TLSv1.3 (max_early_data set)
11879 * Test 1: TLSv1.3 (SSL_OP_NO_TICKET set)
11880 * Test 2: TLSv1.3 (max_early_data and SSL_OP_NO_TICKET set)
11881 * Test 3: TLSv1.3 (SSL_OP_NO_TICKET, simultaneous resumes)
11882 * Test 4: TLSv1.2
11883 */
11884static int test_multi_resume(int idx)
11885{
11886 SSL_CTX *sctx = NULL, *cctx = NULL;
11887 SSL *serverssl = NULL, *clientssl = NULL;
11888 SSL_SESSION *sess = NULL;
11889 int max_version = TLS1_3_VERSION;
11890 int i, testresult = 0;
11891 struct resume_servername_cb_data cbdata;
11892
11893#if defined(OPENSSL_NO_TLS1_2)
11894 if (idx == 4)
11895 return TEST_skip("TLSv1.2 is disabled in this build");
11896#else
11897 if (idx == 4)
11898 max_version = TLS1_2_VERSION;
11899#endif
11900#if defined(OSSL_NO_USABLE_TLS1_3)
11901 if (idx != 4)
11902 return TEST_skip("No usable TLSv1.3 in this build");
11903#endif
11904
11905 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11906 TLS_client_method(), TLS1_VERSION,
11907 max_version, &sctx, &cctx, cert,
11908 privkey)))
11909 goto end;
11910
11911 /*
11912 * TLSv1.3 only uses a session cache if either max_early_data > 0 (used for
11913 * replay protection), or if SSL_OP_NO_TICKET is in use
11914 */
11915 if (idx == 0 || idx == 2) {
11916 if (!TEST_true(SSL_CTX_set_max_early_data(sctx, 1024)))
11917 goto end;
11918 }
11919 if (idx == 1 || idx == 2 || idx == 3)
11920 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
11921
11922 SSL_CTX_sess_set_cache_size(sctx, 5);
11923
11924 if (idx == 3) {
11925 SSL_CTX_set_tlsext_servername_callback(sctx, resume_servername_cb);
11926 SSL_CTX_set_tlsext_servername_arg(sctx, &cbdata);
11927 cbdata.cctx = cctx;
11928 cbdata.sctx = sctx;
11929 cbdata.recurse = 0;
11930 }
11931
11932 for (i = 0; i < 30; i++) {
11933 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
11934 NULL, NULL))
11935 || !TEST_true(SSL_set_session(clientssl, sess)))
11936 goto end;
11937
11938 /*
11939 * Check simultaneous resumes. We pause the connection part way through
11940 * the handshake by (mis)using the servername_cb. The pause occurs after
11941 * session resumption has already occurred, but before any session
11942 * tickets have been issued. While paused we run another complete
11943 * handshake resuming the same session.
11944 */
11945 if (idx == 3) {
11946 cbdata.i = i;
11947 cbdata.sess = sess;
11948 }
11949
11950 /*
11951 * Recreate a bug where dynamically changing the max_early_data value
11952 * can cause sessions in the session cache which cannot be deleted.
11953 */
11954 if ((idx == 0 || idx == 2) && (i % 3) == 2)
11955 SSL_set_max_early_data(serverssl, 0);
11956
11957 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11958 goto end;
11959
11960 if (sess == NULL || (idx == 0 && (i % 3) == 2)) {
11961 if (!TEST_false(SSL_session_reused(clientssl)))
11962 goto end;
11963 } else {
11964 if (!TEST_true(SSL_session_reused(clientssl)))
11965 goto end;
11966 }
11967 SSL_SESSION_free(sess);
11968
11969 /* Do a full handshake, followed by two resumptions */
11970 if ((i % 3) == 2) {
11971 sess = NULL;
11972 } else {
11973 if (!TEST_ptr((sess = SSL_get1_session(clientssl))))
11974 goto end;
11975 }
11976
11977 SSL_shutdown(clientssl);
11978 SSL_shutdown(serverssl);
11979 SSL_free(serverssl);
11980 SSL_free(clientssl);
11981 serverssl = clientssl = NULL;
11982 }
11983
11984 /* We should never exceed the session cache size limit */
11985 if (!TEST_long_le(SSL_CTX_sess_number(sctx), 5))
11986 goto end;
11987
11988 testresult = 1;
11989 end:
11990 SSL_free(serverssl);
11991 SSL_free(clientssl);
11992 SSL_CTX_free(sctx);
11993 SSL_CTX_free(cctx);
11994 SSL_SESSION_free(sess);
11995 return testresult;
11996}
11997
11998static struct next_proto_st {
11999 int serverlen;
12000 unsigned char server[40];
12001 int clientlen;
12002 unsigned char client[40];
12003 int expected_ret;
12004 size_t selectedlen;
12005 unsigned char selected[40];
12006} next_proto_tests[] = {
12007 {
12008 4, { 3, 'a', 'b', 'c' },
12009 4, { 3, 'a', 'b', 'c' },
12010 OPENSSL_NPN_NEGOTIATED,
12011 3, { 'a', 'b', 'c' }
12012 },
12013 {
12014 7, { 3, 'a', 'b', 'c', 2, 'a', 'b' },
12015 4, { 3, 'a', 'b', 'c' },
12016 OPENSSL_NPN_NEGOTIATED,
12017 3, { 'a', 'b', 'c' }
12018 },
12019 {
12020 7, { 2, 'a', 'b', 3, 'a', 'b', 'c', },
12021 4, { 3, 'a', 'b', 'c' },
12022 OPENSSL_NPN_NEGOTIATED,
12023 3, { 'a', 'b', 'c' }
12024 },
12025 {
12026 4, { 3, 'a', 'b', 'c' },
12027 7, { 3, 'a', 'b', 'c', 2, 'a', 'b', },
12028 OPENSSL_NPN_NEGOTIATED,
12029 3, { 'a', 'b', 'c' }
12030 },
12031 {
12032 4, { 3, 'a', 'b', 'c' },
12033 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
12034 OPENSSL_NPN_NEGOTIATED,
12035 3, { 'a', 'b', 'c' }
12036 },
12037 {
12038 7, { 2, 'b', 'c', 3, 'a', 'b', 'c' },
12039 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
12040 OPENSSL_NPN_NEGOTIATED,
12041 3, { 'a', 'b', 'c' }
12042 },
12043 {
12044 10, { 2, 'b', 'c', 3, 'a', 'b', 'c', 2, 'a', 'b' },
12045 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
12046 OPENSSL_NPN_NEGOTIATED,
12047 3, { 'a', 'b', 'c' }
12048 },
12049 {
12050 4, { 3, 'b', 'c', 'd' },
12051 4, { 3, 'a', 'b', 'c' },
12052 OPENSSL_NPN_NO_OVERLAP,
12053 3, { 'a', 'b', 'c' }
12054 },
12055 {
12056 0, { 0 },
12057 4, { 3, 'a', 'b', 'c' },
12058 OPENSSL_NPN_NO_OVERLAP,
12059 3, { 'a', 'b', 'c' }
12060 },
12061 {
12062 -1, { 0 },
12063 4, { 3, 'a', 'b', 'c' },
12064 OPENSSL_NPN_NO_OVERLAP,
12065 3, { 'a', 'b', 'c' }
12066 },
12067 {
12068 4, { 3, 'a', 'b', 'c' },
12069 0, { 0 },
12070 OPENSSL_NPN_NO_OVERLAP,
12071 0, { 0 }
12072 },
12073 {
12074 4, { 3, 'a', 'b', 'c' },
12075 -1, { 0 },
12076 OPENSSL_NPN_NO_OVERLAP,
12077 0, { 0 }
12078 },
12079 {
12080 3, { 3, 'a', 'b', 'c' },
12081 4, { 3, 'a', 'b', 'c' },
12082 OPENSSL_NPN_NO_OVERLAP,
12083 3, { 'a', 'b', 'c' }
12084 },
12085 {
12086 4, { 3, 'a', 'b', 'c' },
12087 3, { 3, 'a', 'b', 'c' },
12088 OPENSSL_NPN_NO_OVERLAP,
12089 0, { 0 }
12090 }
12091};
12092
12093static int test_select_next_proto(int idx)
12094{
12095 struct next_proto_st *np = &next_proto_tests[idx];
12096 int ret = 0;
12097 unsigned char *out, *client, *server;
12098 unsigned char outlen;
12099 unsigned int clientlen, serverlen;
12100
12101 if (np->clientlen == -1) {
12102 client = NULL;
12103 clientlen = 0;
12104 } else {
12105 client = np->client;
12106 clientlen = (unsigned int)np->clientlen;
12107 }
12108 if (np->serverlen == -1) {
12109 server = NULL;
12110 serverlen = 0;
12111 } else {
12112 server = np->server;
12113 serverlen = (unsigned int)np->serverlen;
12114 }
12115
12116 if (!TEST_int_eq(SSL_select_next_proto(&out, &outlen, server, serverlen,
12117 client, clientlen),
12118 np->expected_ret))
12119 goto err;
12120
12121 if (np->selectedlen == 0) {
12122 if (!TEST_ptr_null(out) || !TEST_uchar_eq(outlen, 0))
12123 goto err;
12124 } else {
12125 if (!TEST_mem_eq(out, outlen, np->selected, np->selectedlen))
12126 goto err;
12127 }
12128
12129 ret = 1;
12130 err:
12131 return ret;
12132}
12133
12134static const unsigned char fooprot[] = {3, 'f', 'o', 'o' };
12135static const unsigned char barprot[] = {3, 'b', 'a', 'r' };
12136
12137#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
12138static int npn_advert_cb(SSL *ssl, const unsigned char **out,
12139 unsigned int *outlen, void *arg)
12140{
12141 int *idx = (int *)arg;
12142
12143 switch (*idx) {
12144 default:
12145 case 0:
12146 *out = fooprot;
12147 *outlen = sizeof(fooprot);
12148 return SSL_TLSEXT_ERR_OK;
12149
12150 case 1:
12151 *out = NULL;
12152 *outlen = 0;
12153 return SSL_TLSEXT_ERR_OK;
12154
12155 case 2:
12156 return SSL_TLSEXT_ERR_NOACK;
12157 }
12158}
12159
12160static int npn_select_cb(SSL *s, unsigned char **out, unsigned char *outlen,
12161 const unsigned char *in, unsigned int inlen, void *arg)
12162{
12163 int *idx = (int *)arg;
12164
12165 switch (*idx) {
12166 case 0:
12167 case 1:
12168 *out = (unsigned char *)(fooprot + 1);
12169 *outlen = *fooprot;
12170 return SSL_TLSEXT_ERR_OK;
12171
12172 case 3:
12173 *out = (unsigned char *)(barprot + 1);
12174 *outlen = *barprot;
12175 return SSL_TLSEXT_ERR_OK;
12176
12177 case 4:
12178 *outlen = 0;
12179 return SSL_TLSEXT_ERR_OK;
12180
12181 default:
12182 case 2:
12183 return SSL_TLSEXT_ERR_ALERT_FATAL;
12184 }
12185}
12186
12187/*
12188 * Test the NPN callbacks
12189 * Test 0: advert = foo, select = foo
12190 * Test 1: advert = <empty>, select = foo
12191 * Test 2: no advert
12192 * Test 3: advert = foo, select = bar
12193 * Test 4: advert = foo, select = <empty> (should fail)
12194 */
12195static int test_npn(int idx)
12196{
12197 SSL_CTX *sctx = NULL, *cctx = NULL;
12198 SSL *serverssl = NULL, *clientssl = NULL;
12199 int testresult = 0;
12200
12201 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
12202 TLS_client_method(), 0, TLS1_2_VERSION,
12203 &sctx, &cctx, cert, privkey)))
12204 goto end;
12205
12206 SSL_CTX_set_next_protos_advertised_cb(sctx, npn_advert_cb, &idx);
12207 SSL_CTX_set_next_proto_select_cb(cctx, npn_select_cb, &idx);
12208
12209 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
12210 NULL)))
12211 goto end;
12212
12213 if (idx == 4) {
12214 /* We don't allow empty selection of NPN, so this should fail */
12215 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
12216 SSL_ERROR_NONE)))
12217 goto end;
12218 } else {
12219 const unsigned char *prot;
12220 unsigned int protlen;
12221
12222 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
12223 SSL_ERROR_NONE)))
12224 goto end;
12225
12226 SSL_get0_next_proto_negotiated(serverssl, &prot, &protlen);
12227 switch (idx) {
12228 case 0:
12229 case 1:
12230 if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
12231 goto end;
12232 break;
12233 case 2:
12234 if (!TEST_uint_eq(protlen, 0))
12235 goto end;
12236 break;
12237 case 3:
12238 if (!TEST_mem_eq(prot, protlen, barprot + 1, *barprot))
12239 goto end;
12240 break;
12241 default:
12242 TEST_error("Should not get here");
12243 goto end;
12244 }
12245 }
12246
12247 testresult = 1;
12248 end:
12249 SSL_free(serverssl);
12250 SSL_free(clientssl);
12251 SSL_CTX_free(sctx);
12252 SSL_CTX_free(cctx);
12253
12254 return testresult;
12255}
12256#endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG) */
12257
12258static int alpn_select_cb2(SSL *ssl, const unsigned char **out,
12259 unsigned char *outlen, const unsigned char *in,
12260 unsigned int inlen, void *arg)
12261{
12262 int *idx = (int *)arg;
12263
12264 switch (*idx) {
12265 case 0:
12266 *out = (unsigned char *)(fooprot + 1);
12267 *outlen = *fooprot;
12268 return SSL_TLSEXT_ERR_OK;
12269
12270 case 2:
12271 *out = (unsigned char *)(barprot + 1);
12272 *outlen = *barprot;
12273 return SSL_TLSEXT_ERR_OK;
12274
12275 case 3:
12276 *outlen = 0;
12277 return SSL_TLSEXT_ERR_OK;
12278
12279 default:
12280 case 1:
12281 return SSL_TLSEXT_ERR_ALERT_FATAL;
12282 }
12283 return 0;
12284}
12285
12286/*
12287 * Test the ALPN callbacks
12288 * Test 0: client = foo, select = foo
12289 * Test 1: client = <empty>, select = none
12290 * Test 2: client = foo, select = bar (should fail)
12291 * Test 3: client = foo, select = <empty> (should fail)
12292 */
12293static int test_alpn(int idx)
12294{
12295 SSL_CTX *sctx = NULL, *cctx = NULL;
12296 SSL *serverssl = NULL, *clientssl = NULL;
12297 int testresult = 0;
12298 const unsigned char *prots = fooprot;
12299 unsigned int protslen = sizeof(fooprot);
12300
12301 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
12302 TLS_client_method(), 0, 0,
12303 &sctx, &cctx, cert, privkey)))
12304 goto end;
12305
12306 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb2, &idx);
12307
12308 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
12309 NULL)))
12310 goto end;
12311
12312 if (idx == 1) {
12313 prots = NULL;
12314 protslen = 0;
12315 }
12316
12317 /* SSL_set_alpn_protos returns 0 for success! */
12318 if (!TEST_false(SSL_set_alpn_protos(clientssl, prots, protslen)))
12319 goto end;
12320
12321 if (idx == 2 || idx == 3) {
12322 /* We don't allow empty selection of NPN, so this should fail */
12323 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
12324 SSL_ERROR_NONE)))
12325 goto end;
12326 } else {
12327 const unsigned char *prot;
12328 unsigned int protlen;
12329
12330 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
12331 SSL_ERROR_NONE)))
12332 goto end;
12333
12334 SSL_get0_alpn_selected(clientssl, &prot, &protlen);
12335 switch (idx) {
12336 case 0:
12337 if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
12338 goto end;
12339 break;
12340 case 1:
12341 if (!TEST_uint_eq(protlen, 0))
12342 goto end;
12343 break;
12344 default:
12345 TEST_error("Should not get here");
12346 goto end;
12347 }
12348 }
12349
12350 testresult = 1;
12351 end:
12352 SSL_free(serverssl);
12353 SSL_free(clientssl);
12354 SSL_CTX_free(sctx);
12355 SSL_CTX_free(cctx);
12356
12357 return testresult;
12358}
12359
12360OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
12361
12362int setup_tests(void)
12363{
12364 char *modulename;
12365 char *configfile;
12366
12367 libctx = OSSL_LIB_CTX_new();
12368 if (!TEST_ptr(libctx))
12369 return 0;
12370
12371 defctxnull = OSSL_PROVIDER_load(NULL, "null");
12372
12373 /*
12374 * Verify that the default and fips providers in the default libctx are not
12375 * available
12376 */
12377 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
12378 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
12379 return 0;
12380
12381 if (!test_skip_common_options()) {
12382 TEST_error("Error parsing test options\n");
12383 return 0;
12384 }
12385
12386 if (!TEST_ptr(certsdir = test_get_argument(0))
12387 || !TEST_ptr(srpvfile = test_get_argument(1))
12388 || !TEST_ptr(tmpfilename = test_get_argument(2))
12389 || !TEST_ptr(modulename = test_get_argument(3))
12390 || !TEST_ptr(configfile = test_get_argument(4))
12391 || !TEST_ptr(dhfile = test_get_argument(5)))
12392 return 0;
12393
12394 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
12395 return 0;
12396
12397 /* Check we have the expected provider available */
12398 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
12399 return 0;
12400
12401 /* Check the default provider is not available */
12402 if (strcmp(modulename, "default") != 0
12403 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
12404 return 0;
12405
12406 if (strcmp(modulename, "fips") == 0) {
12407 OSSL_PROVIDER *prov = NULL;
12408 OSSL_PARAM params[2];
12409
12410 is_fips = 1;
12411
12412 prov = OSSL_PROVIDER_load(libctx, "fips");
12413 if (prov != NULL) {
12414 /* Query the fips provider to check if the check ems option is enabled */
12415 params[0] =
12416 OSSL_PARAM_construct_int(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK,
12417 &fips_ems_check);
12418 params[1] = OSSL_PARAM_construct_end();
12419 OSSL_PROVIDER_get_params(prov, params);
12420 OSSL_PROVIDER_unload(prov);
12421 }
12422 }
12423
12424 /*
12425 * We add, but don't load the test "tls-provider". We'll load it when we
12426 * need it.
12427 */
12428 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
12429 tls_provider_init)))
12430 return 0;
12431
12432
12433 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
12434#ifdef OPENSSL_NO_CRYPTO_MDEBUG
12435 TEST_error("not supported in this build");
12436 return 0;
12437#else
12438 int i, mcount, rcount, fcount;
12439
12440 for (i = 0; i < 4; i++)
12441 test_export_key_mat(i);
12442 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
12443 test_printf_stdout("malloc %d realloc %d free %d\n",
12444 mcount, rcount, fcount);
12445 return 1;
12446#endif
12447 }
12448
12449 cert = test_mk_file_path(certsdir, "servercert.pem");
12450 if (cert == NULL)
12451 goto err;
12452
12453 privkey = test_mk_file_path(certsdir, "serverkey.pem");
12454 if (privkey == NULL)
12455 goto err;
12456
12457 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
12458 if (cert2 == NULL)
12459 goto err;
12460
12461 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
12462 if (privkey2 == NULL)
12463 goto err;
12464
12465 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
12466 if (cert1024 == NULL)
12467 goto err;
12468
12469 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
12470 if (privkey1024 == NULL)
12471 goto err;
12472
12473 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
12474 if (cert3072 == NULL)
12475 goto err;
12476
12477 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
12478 if (privkey3072 == NULL)
12479 goto err;
12480
12481 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
12482 if (cert4096 == NULL)
12483 goto err;
12484
12485 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
12486 if (privkey4096 == NULL)
12487 goto err;
12488
12489 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
12490 if (cert8192 == NULL)
12491 goto err;
12492
12493 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
12494 if (privkey8192 == NULL)
12495 goto err;
12496
12497 if (fips_ems_check) {
12498#ifndef OPENSSL_NO_TLS1_2
12499 ADD_TEST(test_no_ems);
12500#endif
12501 return 1;
12502 }
12503#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
12504# if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
12505 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
12506 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS * 2);
12507# endif
12508#endif
12509 ADD_TEST(test_large_message_tls);
12510 ADD_TEST(test_large_message_tls_read_ahead);
12511#ifndef OPENSSL_NO_DTLS
12512 ADD_TEST(test_large_message_dtls);
12513#endif
12514 ADD_ALL_TESTS(test_large_app_data, 28);
12515 ADD_TEST(test_cleanse_plaintext);
12516#ifndef OPENSSL_NO_OCSP
12517 ADD_TEST(test_tlsext_status_type);
12518#endif
12519 ADD_TEST(test_session_with_only_int_cache);
12520 ADD_TEST(test_session_with_only_ext_cache);
12521 ADD_TEST(test_session_with_both_cache);
12522 ADD_TEST(test_session_wo_ca_names);
12523#ifndef OSSL_NO_USABLE_TLS1_3
12524 ADD_ALL_TESTS(test_stateful_tickets, 3);
12525 ADD_ALL_TESTS(test_stateless_tickets, 3);
12526 ADD_TEST(test_psk_tickets);
12527 ADD_ALL_TESTS(test_extra_tickets, 6);
12528#endif
12529 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
12530 ADD_TEST(test_ssl_bio_pop_next_bio);
12531 ADD_TEST(test_ssl_bio_pop_ssl_bio);
12532 ADD_TEST(test_ssl_bio_change_rbio);
12533 ADD_TEST(test_ssl_bio_change_wbio);
12534#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
12535 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
12536 ADD_TEST(test_keylog);
12537#endif
12538#ifndef OSSL_NO_USABLE_TLS1_3
12539 ADD_TEST(test_keylog_no_master_key);
12540#endif
12541 ADD_TEST(test_client_cert_verify_cb);
12542 ADD_TEST(test_ssl_build_cert_chain);
12543 ADD_TEST(test_ssl_ctx_build_cert_chain);
12544#ifndef OPENSSL_NO_TLS1_2
12545 ADD_TEST(test_client_hello_cb);
12546 ADD_TEST(test_no_ems);
12547 ADD_TEST(test_ccs_change_cipher);
12548#endif
12549#ifndef OSSL_NO_USABLE_TLS1_3
12550 ADD_ALL_TESTS(test_early_data_read_write, 6);
12551 /*
12552 * We don't do replay tests for external PSK. Replay protection isn't used
12553 * in that scenario.
12554 */
12555 ADD_ALL_TESTS(test_early_data_replay, 2);
12556 ADD_ALL_TESTS(test_early_data_skip, OSSL_NELEM(ciphersuites) * 3);
12557 ADD_ALL_TESTS(test_early_data_skip_hrr, OSSL_NELEM(ciphersuites) * 3);
12558 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, OSSL_NELEM(ciphersuites) * 3);
12559 ADD_ALL_TESTS(test_early_data_skip_abort, OSSL_NELEM(ciphersuites) * 3);
12560 ADD_ALL_TESTS(test_early_data_not_sent, 3);
12561 ADD_ALL_TESTS(test_early_data_psk, 8);
12562 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 7);
12563 ADD_ALL_TESTS(test_early_data_not_expected, 3);
12564# ifndef OPENSSL_NO_TLS1_2
12565 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
12566# endif
12567#endif
12568#ifndef OSSL_NO_USABLE_TLS1_3
12569 ADD_ALL_TESTS(test_set_ciphersuite, 10);
12570 ADD_TEST(test_ciphersuite_change);
12571 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
12572# ifdef OPENSSL_NO_PSK
12573 ADD_ALL_TESTS(test_tls13_psk, 1);
12574# else
12575 ADD_ALL_TESTS(test_tls13_psk, 4);
12576# endif /* OPENSSL_NO_PSK */
12577#ifndef OSSL_NO_USABLE_TLS1_3
12578 ADD_ALL_TESTS(test_tls13_no_dhe_kex, 8);
12579#endif /* OSSL_NO_USABLE_TLS1_3 */
12580# ifndef OPENSSL_NO_TLS1_2
12581 /* Test with both TLSv1.3 and 1.2 versions */
12582 ADD_ALL_TESTS(test_key_exchange, 14);
12583# if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
12584 ADD_ALL_TESTS(test_negotiated_group,
12585 4 * (OSSL_NELEM(ecdhe_kexch_groups)
12586 + OSSL_NELEM(ffdhe_kexch_groups)));
12587# endif
12588# else
12589 /* Test with only TLSv1.3 versions */
12590 ADD_ALL_TESTS(test_key_exchange, 12);
12591# endif
12592 ADD_ALL_TESTS(test_custom_exts, 6);
12593 ADD_TEST(test_stateless);
12594 ADD_TEST(test_pha_key_update);
12595#else
12596 ADD_ALL_TESTS(test_custom_exts, 3);
12597#endif
12598 ADD_ALL_TESTS(test_export_key_mat, 6);
12599#ifndef OSSL_NO_USABLE_TLS1_3
12600 ADD_ALL_TESTS(test_export_key_mat_early, 3);
12601 ADD_TEST(test_key_update);
12602 ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
12603 ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
12604 ADD_ALL_TESTS(test_key_update_local_in_write, 2);
12605 ADD_ALL_TESTS(test_key_update_local_in_read, 2);
12606#endif
12607 ADD_ALL_TESTS(test_ssl_clear, 8);
12608 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
12609#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
12610 ADD_ALL_TESTS(test_srp, 6);
12611#endif
12612#if !defined(OPENSSL_NO_COMP_ALG)
12613 /* Add compression case */
12614 ADD_ALL_TESTS(test_info_callback, 8);
12615#else
12616 ADD_ALL_TESTS(test_info_callback, 6);
12617#endif
12618 ADD_ALL_TESTS(test_ssl_pending, 2);
12619 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
12620 ADD_ALL_TESTS(test_ticket_callbacks, 20);
12621 ADD_ALL_TESTS(test_shutdown, 7);
12622 ADD_TEST(test_async_shutdown);
12623 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
12624 ADD_ALL_TESTS(test_cert_cb, 6);
12625 ADD_ALL_TESTS(test_client_cert_cb, 2);
12626 ADD_ALL_TESTS(test_ca_names, 3);
12627#ifndef OPENSSL_NO_TLS1_2
12628 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
12629#endif
12630 ADD_ALL_TESTS(test_servername, 10);
12631 ADD_TEST(test_unknown_sigalgs_groups);
12632#if !defined(OPENSSL_NO_EC) \
12633 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
12634 ADD_ALL_TESTS(test_sigalgs_available, 6);
12635#endif
12636#ifndef OPENSSL_NO_TLS1_3
12637 ADD_ALL_TESTS(test_pluggable_group, 2);
12638 ADD_ALL_TESTS(test_pluggable_signature, 4);
12639#endif
12640#ifndef OPENSSL_NO_TLS1_2
12641 ADD_TEST(test_ssl_dup);
12642 ADD_TEST(test_session_secret_cb);
12643# ifndef OPENSSL_NO_DH
12644 ADD_ALL_TESTS(test_set_tmp_dh, 11);
12645 ADD_ALL_TESTS(test_dh_auto, 7);
12646# endif
12647#endif
12648#ifndef OSSL_NO_USABLE_TLS1_3
12649 ADD_TEST(test_sni_tls13);
12650 ADD_ALL_TESTS(test_ticket_lifetime, 2);
12651#endif
12652 ADD_TEST(test_inherit_verify_param);
12653 ADD_TEST(test_set_alpn);
12654 ADD_TEST(test_set_verify_cert_store_ssl_ctx);
12655 ADD_TEST(test_set_verify_cert_store_ssl);
12656 ADD_ALL_TESTS(test_session_timeout, 1);
12657#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
12658 ADD_ALL_TESTS(test_session_cache_overflow, 4);
12659#endif
12660 ADD_TEST(test_load_dhfile);
12661#ifndef OSSL_NO_USABLE_TLS1_3
12662 ADD_TEST(test_read_ahead_key_change);
12663 ADD_ALL_TESTS(test_tls13_record_padding, 6);
12664#endif
12665#if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
12666 ADD_ALL_TESTS(test_serverinfo_custom, 4);
12667#endif
12668#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
12669 ADD_ALL_TESTS(test_pipelining, 7);
12670#endif
12671 ADD_ALL_TESTS(test_version, 6);
12672 ADD_TEST(test_rstate_string);
12673 ADD_ALL_TESTS(test_handshake_retry, 16);
12674 ADD_TEST(test_data_retry);
12675 ADD_ALL_TESTS(test_multi_resume, 5);
12676 ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests));
12677#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
12678 ADD_ALL_TESTS(test_npn, 5);
12679#endif
12680 ADD_ALL_TESTS(test_alpn, 4);
12681 return 1;
12682
12683 err:
12684 OPENSSL_free(cert);
12685 OPENSSL_free(privkey);
12686 OPENSSL_free(cert2);
12687 OPENSSL_free(privkey2);
12688 return 0;
12689}
12690
12691void cleanup_tests(void)
12692{
12693# if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
12694 EVP_PKEY_free(tmp_dh_params);
12695#endif
12696 OPENSSL_free(cert);
12697 OPENSSL_free(privkey);
12698 OPENSSL_free(cert2);
12699 OPENSSL_free(privkey2);
12700 OPENSSL_free(cert1024);
12701 OPENSSL_free(privkey1024);
12702 OPENSSL_free(cert3072);
12703 OPENSSL_free(privkey3072);
12704 OPENSSL_free(cert4096);
12705 OPENSSL_free(privkey4096);
12706 OPENSSL_free(cert8192);
12707 OPENSSL_free(privkey8192);
12708 bio_s_mempacket_test_free();
12709 bio_s_always_retry_free();
12710 bio_s_maybe_retry_free();
12711 OSSL_PROVIDER_unload(defctxnull);
12712 OSSL_LIB_CTX_free(libctx);
12713}
Note: See TracBrowser for help on using the repository browser.

© 2025 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette