sslapitest.c revision 1.1.1.1
1 /* 2 * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <string.h> 11 12 #include <openssl/opensslconf.h> 13 #include <openssl/bio.h> 14 #include <openssl/crypto.h> 15 #include <openssl/ssl.h> 16 #include <openssl/ocsp.h> 17 18 #include "ssltestlib.h" 19 #include "testutil.h" 20 #include "e_os.h" 21 22 static char *cert = NULL; 23 static char *privkey = NULL; 24 25 #ifndef OPENSSL_NO_OCSP 26 static const unsigned char orespder[] = "Dummy OCSP Response"; 27 static int ocsp_server_called = 0; 28 static int ocsp_client_called = 0; 29 30 static int cdummyarg = 1; 31 static X509 *ocspcert = NULL; 32 #endif 33 34 #define NUM_EXTRA_CERTS 40 35 36 static int execute_test_large_message(const SSL_METHOD *smeth, 37 const SSL_METHOD *cmeth, int read_ahead) 38 { 39 SSL_CTX *cctx = NULL, *sctx = NULL; 40 SSL *clientssl = NULL, *serverssl = NULL; 41 int testresult = 0; 42 int i; 43 BIO *certbio = BIO_new_file(cert, "r"); 44 X509 *chaincert = NULL; 45 int certlen; 46 47 if (certbio == NULL) { 48 printf("Can't load the certificate file\n"); 49 goto end; 50 } 51 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL); 52 BIO_free(certbio); 53 certbio = NULL; 54 if (chaincert == NULL) { 55 printf("Unable to load certificate for chain\n"); 56 goto end; 57 } 58 59 if (!create_ssl_ctx_pair(smeth, cmeth, &sctx, 60 &cctx, cert, privkey)) { 61 printf("Unable to create SSL_CTX pair\n"); 62 goto end; 63 } 64 65 if(read_ahead) { 66 /* 67 * Test that read_ahead works correctly when dealing with large 68 * records 69 */ 70 SSL_CTX_set_read_ahead(cctx, 1); 71 } 72 73 /* 74 * We assume the supplied certificate is big enough so that if we add 75 * NUM_EXTRA_CERTS it will make the overall message large enough. The 76 * default buffer size is requested to be 16k, but due to the way BUF_MEM 77 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this test 78 * we need to have a message larger than that. 79 */ 80 certlen = i2d_X509(chaincert, NULL); 81 OPENSSL_assert((certlen * NUM_EXTRA_CERTS) 82 > ((SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3)); 83 for (i = 0; i < NUM_EXTRA_CERTS; i++) { 84 if (!X509_up_ref(chaincert)) { 85 printf("Unable to up ref cert\n"); 86 goto end; 87 } 88 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) { 89 printf("Unable to add extra chain cert %d\n", i); 90 X509_free(chaincert); 91 goto end; 92 } 93 } 94 95 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) { 96 printf("Unable to create SSL objects\n"); 97 goto end; 98 } 99 100 if (!create_ssl_connection(serverssl, clientssl)) { 101 printf("Unable to create SSL connection\n"); 102 goto end; 103 } 104 105 /* 106 * Calling SSL_clear() first is not required but this tests that SSL_clear() 107 * doesn't leak (when using enable-crypto-mdebug). 108 */ 109 if (!SSL_clear(serverssl)) { 110 printf("Unexpected failure from SSL_clear()\n"); 111 goto end; 112 } 113 114 testresult = 1; 115 end: 116 X509_free(chaincert); 117 SSL_free(serverssl); 118 SSL_free(clientssl); 119 SSL_CTX_free(sctx); 120 SSL_CTX_free(cctx); 121 122 return testresult; 123 } 124 125 static int test_large_message_tls(void) 126 { 127 return execute_test_large_message(TLS_server_method(), TLS_client_method(), 128 0); 129 } 130 131 static int test_large_message_tls_read_ahead(void) 132 { 133 return execute_test_large_message(TLS_server_method(), TLS_client_method(), 134 1); 135 } 136 137 #ifndef OPENSSL_NO_DTLS 138 static int test_large_message_dtls(void) 139 { 140 /* 141 * read_ahead is not relevant to DTLS because DTLS always acts as if 142 * read_ahead is set. 143 */ 144 return execute_test_large_message(DTLS_server_method(), 145 DTLS_client_method(), 0); 146 } 147 #endif 148 149 #ifndef OPENSSL_NO_OCSP 150 static int ocsp_server_cb(SSL *s, void *arg) 151 { 152 int *argi = (int *)arg; 153 unsigned char *orespdercopy = NULL; 154 STACK_OF(OCSP_RESPID) *ids = NULL; 155 OCSP_RESPID *id = NULL; 156 157 if (*argi == 2) { 158 /* In this test we are expecting exactly 1 OCSP_RESPID */ 159 SSL_get_tlsext_status_ids(s, &ids); 160 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1) 161 return SSL_TLSEXT_ERR_ALERT_FATAL; 162 163 id = sk_OCSP_RESPID_value(ids, 0); 164 if (id == NULL || !OCSP_RESPID_match(id, ocspcert)) 165 return SSL_TLSEXT_ERR_ALERT_FATAL; 166 } else if (*argi != 1) { 167 return SSL_TLSEXT_ERR_ALERT_FATAL; 168 } 169 170 171 orespdercopy = OPENSSL_memdup(orespder, sizeof(orespder)); 172 if (orespdercopy == NULL) 173 return SSL_TLSEXT_ERR_ALERT_FATAL; 174 175 SSL_set_tlsext_status_ocsp_resp(s, orespdercopy, sizeof(orespder)); 176 177 ocsp_server_called = 1; 178 179 return SSL_TLSEXT_ERR_OK; 180 } 181 182 static int ocsp_client_cb(SSL *s, void *arg) 183 { 184 int *argi = (int *)arg; 185 const unsigned char *respderin; 186 size_t len; 187 188 if (*argi != 1 && *argi != 2) 189 return 0; 190 191 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin); 192 193 if (memcmp(orespder, respderin, len) != 0) 194 return 0; 195 196 ocsp_client_called = 1; 197 198 return 1; 199 } 200 201 static int test_tlsext_status_type(void) 202 { 203 SSL_CTX *cctx = NULL, *sctx = NULL; 204 SSL *clientssl = NULL, *serverssl = NULL; 205 int testresult = 0; 206 STACK_OF(OCSP_RESPID) *ids = NULL; 207 OCSP_RESPID *id = NULL; 208 BIO *certbio = NULL; 209 210 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx, 211 &cctx, cert, privkey)) { 212 printf("Unable to create SSL_CTX pair\n"); 213 return 0; 214 } 215 216 if (SSL_CTX_get_tlsext_status_type(cctx) != -1) { 217 printf("Unexpected initial value for " 218 "SSL_CTX_get_tlsext_status_type()\n"); 219 goto end; 220 } 221 222 /* First just do various checks getting and setting tlsext_status_type */ 223 224 clientssl = SSL_new(cctx); 225 if (SSL_get_tlsext_status_type(clientssl) != -1) { 226 printf("Unexpected initial value for SSL_get_tlsext_status_type()\n"); 227 goto end; 228 } 229 230 if (!SSL_set_tlsext_status_type(clientssl, TLSEXT_STATUSTYPE_ocsp)) { 231 printf("Unexpected fail for SSL_set_tlsext_status_type()\n"); 232 goto end; 233 } 234 235 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp) { 236 printf("Unexpected result for SSL_get_tlsext_status_type()\n"); 237 goto end; 238 } 239 240 SSL_free(clientssl); 241 clientssl = NULL; 242 243 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)) { 244 printf("Unexpected fail for SSL_CTX_set_tlsext_status_type()\n"); 245 goto end; 246 } 247 248 if (SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp) { 249 printf("Unexpected result for SSL_CTX_get_tlsext_status_type()\n"); 250 goto end; 251 } 252 253 clientssl = SSL_new(cctx); 254 255 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp) { 256 printf("Unexpected result for SSL_get_tlsext_status_type() (test 2)\n"); 257 goto end; 258 } 259 260 SSL_free(clientssl); 261 clientssl = NULL; 262 263 /* 264 * Now actually do a handshake and check OCSP information is exchanged and 265 * the callbacks get called 266 */ 267 268 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb); 269 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg); 270 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb); 271 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg); 272 273 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) { 274 printf("Unable to create SSL objects\n"); 275 goto end; 276 } 277 278 if (!create_ssl_connection(serverssl, clientssl)) { 279 printf("Unable to create SSL connection\n"); 280 goto end; 281 } 282 283 if (!ocsp_client_called || !ocsp_server_called) { 284 printf("OCSP callbacks not called\n"); 285 goto end; 286 } 287 288 SSL_free(serverssl); 289 SSL_free(clientssl); 290 serverssl = NULL; 291 clientssl = NULL; 292 293 /* Try again but this time force the server side callback to fail */ 294 ocsp_client_called = 0; 295 ocsp_server_called = 0; 296 cdummyarg = 0; 297 298 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) { 299 printf("Unable to create SSL objects\n"); 300 goto end; 301 } 302 303 /* This should fail because the callback will fail */ 304 if (create_ssl_connection(serverssl, clientssl)) { 305 printf("Unexpected success creating the connection\n"); 306 goto end; 307 } 308 309 if (ocsp_client_called || ocsp_server_called) { 310 printf("OCSP callbacks successfully called unexpectedly\n"); 311 goto end; 312 } 313 314 SSL_free(serverssl); 315 SSL_free(clientssl); 316 serverssl = NULL; 317 clientssl = NULL; 318 319 /* 320 * This time we'll get the client to send an OCSP_RESPID that it will 321 * accept. 322 */ 323 ocsp_client_called = 0; 324 ocsp_server_called = 0; 325 cdummyarg = 2; 326 327 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) { 328 printf("Unable to create SSL objects\n"); 329 goto end; 330 } 331 332 /* 333 * We'll just use any old cert for this test - it doesn't have to be an OCSP 334 * specific one. We'll use the server cert. 335 */ 336 certbio = BIO_new_file(cert, "r"); 337 if (certbio == NULL) { 338 printf("Can't load the certificate file\n"); 339 goto end; 340 } 341 id = OCSP_RESPID_new(); 342 ids = sk_OCSP_RESPID_new_null(); 343 ocspcert = PEM_read_bio_X509(certbio, NULL, NULL, NULL); 344 if (id == NULL || ids == NULL || ocspcert == NULL 345 || !OCSP_RESPID_set_by_key(id, ocspcert) 346 || !sk_OCSP_RESPID_push(ids, id)) { 347 printf("Unable to set OCSP_RESPIDs\n"); 348 goto end; 349 } 350 id = NULL; 351 SSL_set_tlsext_status_ids(clientssl, ids); 352 /* Control has been transferred */ 353 ids = NULL; 354 355 BIO_free(certbio); 356 certbio = NULL; 357 358 if (!create_ssl_connection(serverssl, clientssl)) { 359 printf("Unable to create SSL connection\n"); 360 goto end; 361 } 362 363 if (!ocsp_client_called || !ocsp_server_called) { 364 printf("OCSP callbacks not called\n"); 365 goto end; 366 } 367 368 testresult = 1; 369 370 end: 371 SSL_free(serverssl); 372 SSL_free(clientssl); 373 SSL_CTX_free(sctx); 374 SSL_CTX_free(cctx); 375 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free); 376 OCSP_RESPID_free(id); 377 BIO_free(certbio); 378 X509_free(ocspcert); 379 ocspcert = NULL; 380 381 return testresult; 382 } 383 #endif /* ndef OPENSSL_NO_OCSP */ 384 385 typedef struct ssl_session_test_fixture { 386 const char *test_case_name; 387 int use_ext_cache; 388 int use_int_cache; 389 } SSL_SESSION_TEST_FIXTURE; 390 391 static int new_called = 0, remove_called = 0; 392 393 static SSL_SESSION_TEST_FIXTURE 394 ssl_session_set_up(const char *const test_case_name) 395 { 396 SSL_SESSION_TEST_FIXTURE fixture; 397 398 fixture.test_case_name = test_case_name; 399 fixture.use_ext_cache = 1; 400 fixture.use_int_cache = 1; 401 402 new_called = remove_called = 0; 403 404 return fixture; 405 } 406 407 static void ssl_session_tear_down(SSL_SESSION_TEST_FIXTURE fixture) 408 { 409 } 410 411 static int new_session_cb(SSL *ssl, SSL_SESSION *sess) 412 { 413 new_called++; 414 415 return 1; 416 } 417 418 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess) 419 { 420 remove_called++; 421 } 422 423 static int execute_test_session(SSL_SESSION_TEST_FIXTURE fix) 424 { 425 SSL_CTX *sctx = NULL, *cctx = NULL; 426 SSL *serverssl1 = NULL, *clientssl1 = NULL; 427 SSL *serverssl2 = NULL, *clientssl2 = NULL; 428 #ifndef OPENSSL_NO_TLS1_1 429 SSL *serverssl3 = NULL, *clientssl3 = NULL; 430 #endif 431 SSL_SESSION *sess1 = NULL, *sess2 = NULL; 432 int testresult = 0; 433 434 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx, 435 &cctx, cert, privkey)) { 436 printf("Unable to create SSL_CTX pair\n"); 437 return 0; 438 } 439 440 #ifndef OPENSSL_NO_TLS1_2 441 /* Only allow TLS1.2 so we can force a connection failure later */ 442 SSL_CTX_set_min_proto_version(cctx, TLS1_2_VERSION); 443 #endif 444 445 /* Set up session cache */ 446 if (fix.use_ext_cache) { 447 SSL_CTX_sess_set_new_cb(cctx, new_session_cb); 448 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb); 449 } 450 if (fix.use_int_cache) { 451 /* Also covers instance where both are set */ 452 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT); 453 } else { 454 SSL_CTX_set_session_cache_mode(cctx, 455 SSL_SESS_CACHE_CLIENT 456 | SSL_SESS_CACHE_NO_INTERNAL_STORE); 457 } 458 459 if (!create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1, NULL, 460 NULL)) { 461 printf("Unable to create SSL objects\n"); 462 goto end; 463 } 464 465 if (!create_ssl_connection(serverssl1, clientssl1)) { 466 printf("Unable to create SSL connection\n"); 467 goto end; 468 } 469 sess1 = SSL_get1_session(clientssl1); 470 if (sess1 == NULL) { 471 printf("Unexpected NULL session\n"); 472 goto end; 473 } 474 475 if (fix.use_int_cache && SSL_CTX_add_session(cctx, sess1)) { 476 /* Should have failed because it should already be in the cache */ 477 printf("Unexpected success adding session to cache\n"); 478 goto end; 479 } 480 481 if (fix.use_ext_cache && (new_called != 1 || remove_called != 0)) { 482 printf("Session not added to cache\n"); 483 goto end; 484 } 485 486 if (!create_ssl_objects(sctx, cctx, &serverssl2, &clientssl2, NULL, NULL)) { 487 printf("Unable to create second SSL objects\n"); 488 goto end; 489 } 490 491 if (!create_ssl_connection(serverssl2, clientssl2)) { 492 printf("Unable to create second SSL connection\n"); 493 goto end; 494 } 495 496 sess2 = SSL_get1_session(clientssl2); 497 if (sess2 == NULL) { 498 printf("Unexpected NULL session from clientssl2\n"); 499 goto end; 500 } 501 502 if (fix.use_ext_cache && (new_called != 2 || remove_called != 0)) { 503 printf("Remove session callback unexpectedly called\n"); 504 goto end; 505 } 506 507 /* 508 * This should clear sess2 from the cache because it is a "bad" session. See 509 * SSL_set_session() documentation. 510 */ 511 if (!SSL_set_session(clientssl2, sess1)) { 512 printf("Unexpected failure setting session\n"); 513 goto end; 514 } 515 516 if (fix.use_ext_cache && (new_called != 2 || remove_called != 1)) { 517 printf("Failed to call callback to remove session\n"); 518 goto end; 519 } 520 521 522 if (SSL_get_session(clientssl2) != sess1) { 523 printf("Unexpected session found\n"); 524 goto end; 525 } 526 527 if (fix.use_int_cache) { 528 if (!SSL_CTX_add_session(cctx, sess2)) { 529 /* 530 * Should have succeeded because it should not already be in the cache 531 */ 532 printf("Unexpected failure adding session to cache\n"); 533 goto end; 534 } 535 536 if (!SSL_CTX_remove_session(cctx, sess2)) { 537 printf("Unexpected failure removing session from cache\n"); 538 goto end; 539 } 540 541 /* This is for the purposes of internal cache testing...ignore the 542 * counter for external cache 543 */ 544 if (fix.use_ext_cache) 545 remove_called--; 546 } 547 548 /* This shouldn't be in the cache so should fail */ 549 if (SSL_CTX_remove_session(cctx, sess2)) { 550 printf("Unexpected success removing session from cache\n"); 551 goto end; 552 } 553 554 if (fix.use_ext_cache && (new_called != 2 || remove_called != 2)) { 555 printf("Failed to call callback to remove session #2\n"); 556 goto end; 557 } 558 559 #if !defined(OPENSSL_NO_TLS1_1) && !defined(OPENSSL_NO_TLS1_2) 560 /* Force a connection failure */ 561 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION); 562 563 if (!create_ssl_objects(sctx, cctx, &serverssl3, &clientssl3, NULL, NULL)) { 564 printf("Unable to create third SSL objects\n"); 565 goto end; 566 } 567 568 if (!SSL_set_session(clientssl3, sess1)) { 569 printf("Unable to set session for third connection\n"); 570 goto end; 571 } 572 573 /* This should fail because of the mismatched protocol versions */ 574 if (create_ssl_connection(serverssl3, clientssl3)) { 575 printf("Unable to create third SSL connection\n"); 576 goto end; 577 } 578 579 580 /* We should have automatically removed the session from the cache */ 581 if (fix.use_ext_cache && (new_called != 2 || remove_called != 3)) { 582 printf("Failed to call callback to remove session #2\n"); 583 goto end; 584 } 585 586 if (fix.use_int_cache && !SSL_CTX_add_session(cctx, sess2)) { 587 /* 588 * Should have succeeded because it should not already be in the cache 589 */ 590 printf("Unexpected failure adding session to cache #2\n"); 591 goto end; 592 } 593 #endif 594 595 testresult = 1; 596 597 end: 598 SSL_free(serverssl1); 599 SSL_free(clientssl1); 600 SSL_free(serverssl2); 601 SSL_free(clientssl2); 602 #ifndef OPENSSL_NO_TLS1_1 603 SSL_free(serverssl3); 604 SSL_free(clientssl3); 605 #endif 606 SSL_SESSION_free(sess1); 607 SSL_SESSION_free(sess2); 608 /* 609 * Check if we need to remove any sessions up-refed for the external cache 610 */ 611 if (new_called >= 1) 612 SSL_SESSION_free(sess1); 613 if (new_called >= 2) 614 SSL_SESSION_free(sess2); 615 SSL_CTX_free(sctx); 616 SSL_CTX_free(cctx); 617 618 return testresult; 619 } 620 621 static int test_session_with_only_int_cache(void) 622 { 623 SETUP_TEST_FIXTURE(SSL_SESSION_TEST_FIXTURE, ssl_session_set_up); 624 625 fixture.use_ext_cache = 0; 626 627 EXECUTE_TEST(execute_test_session, ssl_session_tear_down); 628 } 629 630 static int test_session_with_only_ext_cache(void) 631 { 632 SETUP_TEST_FIXTURE(SSL_SESSION_TEST_FIXTURE, ssl_session_set_up); 633 634 fixture.use_int_cache = 0; 635 636 EXECUTE_TEST(execute_test_session, ssl_session_tear_down); 637 } 638 639 static int test_session_with_both_cache(void) 640 { 641 SETUP_TEST_FIXTURE(SSL_SESSION_TEST_FIXTURE, ssl_session_set_up); 642 643 EXECUTE_TEST(execute_test_session, ssl_session_tear_down); 644 } 645 646 #define USE_NULL 0 647 #define USE_BIO_1 1 648 #define USE_BIO_2 2 649 650 #define TOTAL_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3) 651 652 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type) 653 { 654 switch (type) { 655 case USE_NULL: 656 *res = NULL; 657 break; 658 case USE_BIO_1: 659 *res = bio1; 660 break; 661 case USE_BIO_2: 662 *res = bio2; 663 break; 664 } 665 } 666 667 static int test_ssl_set_bio(int idx) 668 { 669 SSL_CTX *ctx = SSL_CTX_new(TLS_method()); 670 BIO *bio1 = NULL; 671 BIO *bio2 = NULL; 672 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL; 673 SSL *ssl = NULL; 674 int initrbio, initwbio, newrbio, newwbio; 675 int testresult = 0; 676 677 if (ctx == NULL) { 678 printf("Failed to allocate SSL_CTX\n"); 679 goto end; 680 } 681 682 ssl = SSL_new(ctx); 683 if (ssl == NULL) { 684 printf("Failed to allocate SSL object\n"); 685 goto end; 686 } 687 688 initrbio = idx % 3; 689 idx /= 3; 690 initwbio = idx % 3; 691 idx /= 3; 692 newrbio = idx % 3; 693 idx /= 3; 694 newwbio = idx; 695 OPENSSL_assert(newwbio <= 2); 696 697 if (initrbio == USE_BIO_1 || initwbio == USE_BIO_1 || newrbio == USE_BIO_1 698 || newwbio == USE_BIO_1) { 699 bio1 = BIO_new(BIO_s_mem()); 700 if (bio1 == NULL) { 701 printf("Failed to allocate bio1\n"); 702 goto end; 703 } 704 } 705 706 if (initrbio == USE_BIO_2 || initwbio == USE_BIO_2 || newrbio == USE_BIO_2 707 || newwbio == USE_BIO_2) { 708 bio2 = BIO_new(BIO_s_mem()); 709 if (bio2 == NULL) { 710 printf("Failed to allocate bio2\n"); 711 goto end; 712 } 713 } 714 715 setupbio(&irbio, bio1, bio2, initrbio); 716 setupbio(&iwbio, bio1, bio2, initwbio); 717 718 /* 719 * We want to maintain our own refs to these BIO, so do an up ref for each 720 * BIO that will have ownership transferred in the SSL_set_bio() call 721 */ 722 if (irbio != NULL) 723 BIO_up_ref(irbio); 724 if (iwbio != NULL && iwbio != irbio) 725 BIO_up_ref(iwbio); 726 727 SSL_set_bio(ssl, irbio, iwbio); 728 729 setupbio(&nrbio, bio1, bio2, newrbio); 730 setupbio(&nwbio, bio1, bio2, newwbio); 731 732 /* 733 * We will (maybe) transfer ownership again so do more up refs. 734 * SSL_set_bio() has some really complicated ownership rules where BIOs have 735 * already been set! 736 */ 737 if (nrbio != NULL && nrbio != irbio && (nwbio != iwbio || nrbio != nwbio)) 738 BIO_up_ref(nrbio); 739 if (nwbio != NULL && nwbio != nrbio && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio))) 740 BIO_up_ref(nwbio); 741 742 SSL_set_bio(ssl, nrbio, nwbio); 743 744 testresult = 1; 745 746 end: 747 SSL_free(ssl); 748 BIO_free(bio1); 749 BIO_free(bio2); 750 /* 751 * This test is checking that the ref counting for SSL_set_bio is correct. 752 * If we get here and we did too many frees then we will fail in the above 753 * functions. If we haven't done enough then this will only be detected in 754 * a crypto-mdebug build 755 */ 756 SSL_CTX_free(ctx); 757 758 return testresult; 759 } 760 761 typedef struct ssl_bio_test_fixture { 762 const char *test_case_name; 763 int pop_ssl; 764 enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } change_bio; 765 } SSL_BIO_TEST_FIXTURE; 766 767 static SSL_BIO_TEST_FIXTURE ssl_bio_set_up(const char *const test_case_name) 768 { 769 SSL_BIO_TEST_FIXTURE fixture; 770 771 fixture.test_case_name = test_case_name; 772 fixture.pop_ssl = 0; 773 fixture.change_bio = NO_BIO_CHANGE; 774 775 return fixture; 776 } 777 778 static void ssl_bio_tear_down(SSL_BIO_TEST_FIXTURE fixture) 779 { 780 } 781 782 static int execute_test_ssl_bio(SSL_BIO_TEST_FIXTURE fix) 783 { 784 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL; 785 SSL_CTX *ctx = SSL_CTX_new(TLS_method()); 786 SSL *ssl = NULL; 787 int testresult = 0; 788 789 if (ctx == NULL) { 790 printf("Failed to allocate SSL_CTX\n"); 791 return 0; 792 } 793 794 ssl = SSL_new(ctx); 795 if (ssl == NULL) { 796 printf("Failed to allocate SSL object\n"); 797 goto end; 798 } 799 800 sslbio = BIO_new(BIO_f_ssl()); 801 membio1 = BIO_new(BIO_s_mem()); 802 803 if (sslbio == NULL || membio1 == NULL) { 804 printf("Malloc failure creating BIOs\n"); 805 goto end; 806 } 807 808 BIO_set_ssl(sslbio, ssl, BIO_CLOSE); 809 810 /* 811 * If anything goes wrong here then we could leak memory, so this will 812 * be caught in a crypto-mdebug build 813 */ 814 BIO_push(sslbio, membio1); 815 816 /* Verify changing the rbio/wbio directly does not cause leaks */ 817 if (fix.change_bio != NO_BIO_CHANGE) { 818 membio2 = BIO_new(BIO_s_mem()); 819 if (membio2 == NULL) { 820 printf("Malloc failure creating membio2\n"); 821 goto end; 822 } 823 if (fix.change_bio == CHANGE_RBIO) 824 SSL_set0_rbio(ssl, membio2); 825 else 826 SSL_set0_wbio(ssl, membio2); 827 } 828 ssl = NULL; 829 830 if (fix.pop_ssl) 831 BIO_pop(sslbio); 832 else 833 BIO_pop(membio1); 834 835 testresult = 1; 836 end: 837 BIO_free(membio1); 838 BIO_free(sslbio); 839 SSL_free(ssl); 840 SSL_CTX_free(ctx); 841 842 return testresult; 843 } 844 845 static int test_ssl_bio_pop_next_bio(void) 846 { 847 SETUP_TEST_FIXTURE(SSL_BIO_TEST_FIXTURE, ssl_bio_set_up); 848 849 EXECUTE_TEST(execute_test_ssl_bio, ssl_bio_tear_down); 850 } 851 852 static int test_ssl_bio_pop_ssl_bio(void) 853 { 854 SETUP_TEST_FIXTURE(SSL_BIO_TEST_FIXTURE, ssl_bio_set_up); 855 856 fixture.pop_ssl = 1; 857 858 EXECUTE_TEST(execute_test_ssl_bio, ssl_bio_tear_down); 859 } 860 861 static int test_ssl_bio_change_rbio(void) 862 { 863 SETUP_TEST_FIXTURE(SSL_BIO_TEST_FIXTURE, ssl_bio_set_up); 864 865 fixture.change_bio = CHANGE_RBIO; 866 867 EXECUTE_TEST(execute_test_ssl_bio, ssl_bio_tear_down); 868 } 869 870 static int test_ssl_bio_change_wbio(void) 871 { 872 SETUP_TEST_FIXTURE(SSL_BIO_TEST_FIXTURE, ssl_bio_set_up); 873 874 fixture.change_bio = CHANGE_WBIO; 875 876 EXECUTE_TEST(execute_test_ssl_bio, ssl_bio_tear_down); 877 } 878 879 typedef struct { 880 /* The list of sig algs */ 881 const int *list; 882 /* The length of the list */ 883 size_t listlen; 884 /* A sigalgs list in string format */ 885 const char *liststr; 886 /* Whether setting the list should succeed */ 887 int valid; 888 /* Whether creating a connection with the list should succeed */ 889 int connsuccess; 890 } sigalgs_list; 891 892 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA}; 893 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC}; 894 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC}; 895 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA}; 896 static const int invalidlist2[] = {NID_sha256, NID_undef}; 897 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256}; 898 static const int invalidlist4[] = {NID_sha256}; 899 static const sigalgs_list testsigalgs[] = { 900 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1}, 901 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1}, 902 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0}, 903 {NULL, 0, "RSA+SHA256", 1, 1}, 904 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1}, 905 {NULL, 0, "ECDSA+SHA512", 1, 0}, 906 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0}, 907 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0}, 908 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0}, 909 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0}, 910 {NULL, 0, "RSA", 0, 0}, 911 {NULL, 0, "SHA256", 0, 0}, 912 {NULL, 0, "RSA+SHA256:SHA256", 0, 0}, 913 {NULL, 0, "Invalid", 0, 0}}; 914 915 static int test_set_sigalgs(int idx) 916 { 917 SSL_CTX *cctx = NULL, *sctx = NULL; 918 SSL *clientssl = NULL, *serverssl = NULL; 919 int testresult = 0; 920 const sigalgs_list *curr; 921 int testctx; 922 923 /* Should never happen */ 924 if ((size_t)idx >= OSSL_NELEM(testsigalgs) * 2) 925 return 0; 926 927 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs)); 928 curr = testctx ? &testsigalgs[idx] 929 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)]; 930 931 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx, 932 &cctx, cert, privkey)) { 933 printf("Unable to create SSL_CTX pair\n"); 934 return 0; 935 } 936 937 if (testctx) { 938 int ret; 939 if (curr->list != NULL) 940 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen); 941 else 942 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr); 943 944 if (!ret) { 945 if (curr->valid) 946 printf("Unexpected failure setting sigalgs in SSL_CTX (%d)\n", 947 idx); 948 else 949 testresult = 1; 950 goto end; 951 } 952 if (!curr->valid) { 953 printf("Unexpected success setting sigalgs in SSL_CTX (%d)\n", idx); 954 goto end; 955 } 956 } 957 958 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) { 959 printf("Unable to create SSL objects\n"); 960 goto end; 961 } 962 963 if (!testctx) { 964 int ret; 965 966 if (curr->list != NULL) 967 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen); 968 else 969 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr); 970 if (!ret) { 971 if (curr->valid) 972 printf("Unexpected failure setting sigalgs in SSL (%d)\n", idx); 973 else 974 testresult = 1; 975 goto end; 976 } 977 if (!curr->valid) { 978 printf("Unexpected success setting sigalgs in SSL (%d)\n", idx); 979 goto end; 980 } 981 } 982 983 if (curr->connsuccess != create_ssl_connection(serverssl, clientssl)) { 984 printf("Unexpected return value creating SSL connection (%d)\n", idx); 985 goto end; 986 } 987 988 testresult = 1; 989 990 end: 991 SSL_free(serverssl); 992 SSL_free(clientssl); 993 SSL_CTX_free(sctx); 994 SSL_CTX_free(cctx); 995 996 return testresult; 997 } 998 999 static int clntaddcb = 0; 1000 static int clntparsecb = 0; 1001 static int srvaddcb = 0; 1002 static int srvparsecb = 0; 1003 static int snicb = 0; 1004 1005 #define TEST_EXT_TYPE1 0xff00 1006 1007 static int add_cb(SSL *s, unsigned int ext_type, const unsigned char **out, 1008 size_t *outlen, int *al, void *add_arg) 1009 { 1010 int *server = (int *)add_arg; 1011 unsigned char *data; 1012 1013 if (SSL_is_server(s)) 1014 srvaddcb++; 1015 else 1016 clntaddcb++; 1017 1018 if (*server != SSL_is_server(s) 1019 || (data = OPENSSL_malloc(sizeof(*data))) == NULL) 1020 return -1; 1021 1022 *data = 1; 1023 *out = data; 1024 *outlen = sizeof(char); 1025 return 1; 1026 } 1027 1028 static void free_cb(SSL *s, unsigned int ext_type, const unsigned char *out, 1029 void *add_arg) 1030 { 1031 OPENSSL_free((unsigned char *)out); 1032 } 1033 1034 static int parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in, 1035 size_t inlen, int *al, void *parse_arg) 1036 { 1037 int *server = (int *)parse_arg; 1038 1039 if (SSL_is_server(s)) 1040 srvparsecb++; 1041 else 1042 clntparsecb++; 1043 1044 if (*server != SSL_is_server(s) 1045 || inlen != sizeof(char) 1046 || *in != 1) 1047 return -1; 1048 1049 return 1; 1050 } 1051 1052 static int sni_cb(SSL *s, int *al, void *arg) 1053 { 1054 SSL_CTX *ctx = (SSL_CTX *)arg; 1055 1056 if (SSL_set_SSL_CTX(s, ctx) == NULL) { 1057 *al = SSL_AD_INTERNAL_ERROR; 1058 return SSL_TLSEXT_ERR_ALERT_FATAL; 1059 } 1060 snicb++; 1061 return SSL_TLSEXT_ERR_OK; 1062 } 1063 1064 /* 1065 * Custom call back tests. 1066 * Test 0: callbacks in TLSv1.2 1067 * Test 1: callbacks in TLSv1.2 with SNI 1068 */ 1069 static int test_custom_exts(int tst) 1070 { 1071 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL; 1072 SSL *clientssl = NULL, *serverssl = NULL; 1073 int testresult = 0; 1074 static int server = 1; 1075 static int client = 0; 1076 SSL_SESSION *sess = NULL; 1077 1078 /* Reset callback counters */ 1079 clntaddcb = clntparsecb = srvaddcb = srvparsecb = 0; 1080 snicb = 0; 1081 1082 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx, 1083 &cctx, cert, privkey)) { 1084 printf("Unable to create SSL_CTX pair\n"); 1085 goto end; 1086 } 1087 1088 if (tst == 1 1089 && !create_ssl_ctx_pair(TLS_server_method(), NULL, &sctx2, NULL, 1090 cert, privkey)) { 1091 printf("Unable to create SSL_CTX pair (2)\n"); 1092 goto end; 1093 } 1094 1095 /* Create a client side custom extension */ 1096 if (!SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1, add_cb, free_cb, 1097 &client, parse_cb, &client)) { 1098 printf("Unable to add client custom extension\n"); 1099 goto end; 1100 } 1101 1102 /* Should not be able to add duplicates */ 1103 if (SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1, add_cb, free_cb, 1104 &client, parse_cb, &client)) { 1105 printf("Unexpected success adding duplicate extension\n"); 1106 goto end; 1107 } 1108 1109 /* Create a server side custom extension */ 1110 if (!SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1, add_cb, free_cb, 1111 &server, parse_cb, &server)) { 1112 printf("Unable to add server custom extension\n"); 1113 goto end; 1114 } 1115 if (sctx2 != NULL 1116 && !SSL_CTX_add_server_custom_ext(sctx2, TEST_EXT_TYPE1, 1117 add_cb, free_cb, 1118 &server, parse_cb, 1119 &server)) { 1120 printf("Unable to add server custom extension for SNI\n"); 1121 goto end; 1122 } 1123 1124 /* Should not be able to add duplicates */ 1125 if (SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1, add_cb, free_cb, 1126 &server, parse_cb, &server)) { 1127 printf("Unexpected success adding duplicate extension (2)\n"); 1128 goto end; 1129 } 1130 1131 if (tst == 1) { 1132 /* Set up SNI */ 1133 if (!SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb) 1134 || !SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)) { 1135 printf("Cannot set SNI callbacks\n"); 1136 goto end; 1137 } 1138 } 1139 1140 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL) 1141 || !create_ssl_connection(serverssl, clientssl)) { 1142 printf("Cannot create SSL connection\n"); 1143 goto end; 1144 } 1145 1146 if (clntaddcb != 1 1147 || clntparsecb != 1 1148 || srvaddcb != 1 1149 || srvparsecb != 1 1150 || (tst != 1 && snicb != 0) 1151 || (tst == 1 && snicb != 1)) { 1152 printf("Incorrect callback counts\n"); 1153 goto end; 1154 } 1155 1156 sess = SSL_get1_session(clientssl); 1157 SSL_shutdown(clientssl); 1158 SSL_shutdown(serverssl); 1159 SSL_free(serverssl); 1160 SSL_free(clientssl); 1161 serverssl = clientssl = NULL; 1162 1163 if (tst == 1) { 1164 /* We don't bother with the resumption aspects for this test */ 1165 testresult = 1; 1166 goto end; 1167 } 1168 1169 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL) 1170 || !SSL_set_session(clientssl, sess) 1171 || !create_ssl_connection(serverssl, clientssl)) { 1172 printf("Cannot create resumption connection\n"); 1173 goto end; 1174 } 1175 1176 /* 1177 * For a resumed session we expect to add the ClientHello extension but we 1178 * should ignore it on the server side. 1179 */ 1180 if (clntaddcb != 2 1181 || clntparsecb != 1 1182 || srvaddcb != 1 1183 || srvparsecb != 1) { 1184 printf("Incorrect resumption callback counts\n"); 1185 goto end; 1186 } 1187 1188 testresult = 1; 1189 1190 end: 1191 SSL_SESSION_free(sess); 1192 SSL_free(serverssl); 1193 SSL_free(clientssl); 1194 SSL_CTX_free(sctx2); 1195 SSL_CTX_free(sctx); 1196 SSL_CTX_free(cctx); 1197 return testresult; 1198 } 1199 1200 int main(int argc, char *argv[]) 1201 { 1202 BIO *err = NULL; 1203 int testresult = 1; 1204 1205 if (argc != 3) { 1206 printf("Invalid argument count\n"); 1207 return 1; 1208 } 1209 1210 cert = argv[1]; 1211 privkey = argv[2]; 1212 1213 err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT); 1214 1215 CRYPTO_set_mem_debug(1); 1216 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); 1217 1218 ADD_TEST(test_large_message_tls); 1219 ADD_TEST(test_large_message_tls_read_ahead); 1220 #ifndef OPENSSL_NO_DTLS 1221 ADD_TEST(test_large_message_dtls); 1222 #endif 1223 #ifndef OPENSSL_NO_OCSP 1224 ADD_TEST(test_tlsext_status_type); 1225 #endif 1226 ADD_TEST(test_session_with_only_int_cache); 1227 ADD_TEST(test_session_with_only_ext_cache); 1228 ADD_TEST(test_session_with_both_cache); 1229 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS); 1230 ADD_TEST(test_ssl_bio_pop_next_bio); 1231 ADD_TEST(test_ssl_bio_pop_ssl_bio); 1232 ADD_TEST(test_ssl_bio_change_rbio); 1233 ADD_TEST(test_ssl_bio_change_wbio); 1234 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2); 1235 ADD_ALL_TESTS(test_custom_exts, 2); 1236 1237 testresult = run_tests(argv[0]); 1238 1239 bio_s_mempacket_test_free(); 1240 1241 #ifndef OPENSSL_NO_CRYPTO_MDEBUG 1242 if (CRYPTO_mem_leaks(err) <= 0) 1243 testresult = 1; 1244 #endif 1245 BIO_free(err); 1246 1247 if (!testresult) 1248 printf("PASS\n"); 1249 1250 return testresult; 1251 } 1252
Indexes created Sun Mar 01 05:31:48 UTC 2026