sslapitest.c revision 1.1.1.2.2.1
1 /* 2 * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <string.h> 11 12 #include <openssl/opensslconf.h> 13 #include <openssl/bio.h> 14 #include <openssl/crypto.h> 15 #include <openssl/ssl.h> 16 #include <openssl/ocsp.h> 17 #include <openssl/srp.h> 18 #include <openssl/txt_db.h> 19 #include <openssl/aes.h> 20 21 #include "ssltestlib.h" 22 #include "testutil.h" 23 #include "testutil/output.h" 24 #include "internal/nelem.h" 25 #include "../ssl/ssl_locl.h" 26 27 #ifndef OPENSSL_NO_TLS1_3 28 29 static SSL_SESSION *clientpsk = NULL; 30 static SSL_SESSION *serverpsk = NULL; 31 static const char *pskid = "Identity"; 32 static const char *srvid; 33 34 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id, 35 size_t *idlen, SSL_SESSION **sess); 36 static int find_session_cb(SSL *ssl, const unsigned char *identity, 37 size_t identity_len, SSL_SESSION **sess); 38 39 static int use_session_cb_cnt = 0; 40 static int find_session_cb_cnt = 0; 41 42 static SSL_SESSION *create_a_psk(SSL *ssl); 43 #endif 44 45 static char *cert = NULL; 46 static char *privkey = NULL; 47 static char *srpvfile = NULL; 48 static char *tmpfilename = NULL; 49 50 #define LOG_BUFFER_SIZE 2048 51 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0}; 52 static size_t server_log_buffer_index = 0; 53 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0}; 54 static size_t client_log_buffer_index = 0; 55 static int error_writing_log = 0; 56 57 #ifndef OPENSSL_NO_OCSP 58 static const unsigned char orespder[] = "Dummy OCSP Response"; 59 static int ocsp_server_called = 0; 60 static int ocsp_client_called = 0; 61 62 static int cdummyarg = 1; 63 static X509 *ocspcert = NULL; 64 #endif 65 66 #define NUM_EXTRA_CERTS 40 67 #define CLIENT_VERSION_LEN 2 68 69 /* 70 * This structure is used to validate that the correct number of log messages 71 * of various types are emitted when emitting secret logs. 72 */ 73 struct sslapitest_log_counts { 74 unsigned int rsa_key_exchange_count; 75 unsigned int master_secret_count; 76 unsigned int client_early_secret_count; 77 unsigned int client_handshake_secret_count; 78 unsigned int server_handshake_secret_count; 79 unsigned int client_application_secret_count; 80 unsigned int server_application_secret_count; 81 unsigned int early_exporter_secret_count; 82 unsigned int exporter_secret_count; 83 }; 84 85 86 static unsigned char serverinfov1[] = { 87 0xff, 0xff, /* Dummy extension type */ 88 0x00, 0x01, /* Extension length is 1 byte */ 89 0xff /* Dummy extension data */ 90 }; 91 92 static unsigned char serverinfov2[] = { 93 0x00, 0x00, 0x00, 94 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */ 95 0xff, 0xff, /* Dummy extension type */ 96 0x00, 0x01, /* Extension length is 1 byte */ 97 0xff /* Dummy extension data */ 98 }; 99 100 static void client_keylog_callback(const SSL *ssl, const char *line) 101 { 102 int line_length = strlen(line); 103 104 /* If the log doesn't fit, error out. */ 105 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) { 106 TEST_info("Client log too full"); 107 error_writing_log = 1; 108 return; 109 } 110 111 strcat(client_log_buffer, line); 112 client_log_buffer_index += line_length; 113 client_log_buffer[client_log_buffer_index++] = '\n'; 114 } 115 116 static void server_keylog_callback(const SSL *ssl, const char *line) 117 { 118 int line_length = strlen(line); 119 120 /* If the log doesn't fit, error out. */ 121 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) { 122 TEST_info("Server log too full"); 123 error_writing_log = 1; 124 return; 125 } 126 127 strcat(server_log_buffer, line); 128 server_log_buffer_index += line_length; 129 server_log_buffer[server_log_buffer_index++] = '\n'; 130 } 131 132 static int compare_hex_encoded_buffer(const char *hex_encoded, 133 size_t hex_length, 134 const uint8_t *raw, 135 size_t raw_length) 136 { 137 size_t i, j; 138 char hexed[3]; 139 140 if (!TEST_size_t_eq(raw_length * 2, hex_length)) 141 return 1; 142 143 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) { 144 sprintf(hexed, "%02x", raw[i]); 145 if (!TEST_int_eq(hexed[0], hex_encoded[j]) 146 || !TEST_int_eq(hexed[1], hex_encoded[j + 1])) 147 return 1; 148 } 149 150 return 0; 151 } 152 153 static int test_keylog_output(char *buffer, const SSL *ssl, 154 const SSL_SESSION *session, 155 struct sslapitest_log_counts *expected) 156 { 157 char *token = NULL; 158 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0}; 159 size_t client_random_size = SSL3_RANDOM_SIZE; 160 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0}; 161 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH; 162 unsigned int rsa_key_exchange_count = 0; 163 unsigned int master_secret_count = 0; 164 unsigned int client_early_secret_count = 0; 165 unsigned int client_handshake_secret_count = 0; 166 unsigned int server_handshake_secret_count = 0; 167 unsigned int client_application_secret_count = 0; 168 unsigned int server_application_secret_count = 0; 169 unsigned int early_exporter_secret_count = 0; 170 unsigned int exporter_secret_count = 0; 171 172 for (token = strtok(buffer, " \n"); token != NULL; 173 token = strtok(NULL, " \n")) { 174 if (strcmp(token, "RSA") == 0) { 175 /* 176 * Premaster secret. Tokens should be: 16 ASCII bytes of 177 * hex-encoded encrypted secret, then the hex-encoded pre-master 178 * secret. 179 */ 180 if (!TEST_ptr(token = strtok(NULL, " \n"))) 181 return 0; 182 if (!TEST_size_t_eq(strlen(token), 16)) 183 return 0; 184 if (!TEST_ptr(token = strtok(NULL, " \n"))) 185 return 0; 186 /* 187 * We can't sensibly check the log because the premaster secret is 188 * transient, and OpenSSL doesn't keep hold of it once the master 189 * secret is generated. 190 */ 191 rsa_key_exchange_count++; 192 } else if (strcmp(token, "CLIENT_RANDOM") == 0) { 193 /* 194 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded 195 * client random, then the hex-encoded master secret. 196 */ 197 client_random_size = SSL_get_client_random(ssl, 198 actual_client_random, 199 SSL3_RANDOM_SIZE); 200 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE)) 201 return 0; 202 203 if (!TEST_ptr(token = strtok(NULL, " \n"))) 204 return 0; 205 if (!TEST_size_t_eq(strlen(token), 64)) 206 return 0; 207 if (!TEST_false(compare_hex_encoded_buffer(token, 64, 208 actual_client_random, 209 client_random_size))) 210 return 0; 211 212 if (!TEST_ptr(token = strtok(NULL, " \n"))) 213 return 0; 214 master_key_size = SSL_SESSION_get_master_key(session, 215 actual_master_key, 216 master_key_size); 217 if (!TEST_size_t_ne(master_key_size, 0)) 218 return 0; 219 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token), 220 actual_master_key, 221 master_key_size))) 222 return 0; 223 master_secret_count++; 224 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0 225 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0 226 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0 227 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0 228 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0 229 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0 230 || strcmp(token, "EXPORTER_SECRET") == 0) { 231 /* 232 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded 233 * client random, and then the hex-encoded secret. In this case, 234 * we treat all of these secrets identically and then just 235 * distinguish between them when counting what we saw. 236 */ 237 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0) 238 client_early_secret_count++; 239 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0) 240 client_handshake_secret_count++; 241 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0) 242 server_handshake_secret_count++; 243 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0) 244 client_application_secret_count++; 245 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0) 246 server_application_secret_count++; 247 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0) 248 early_exporter_secret_count++; 249 else if (strcmp(token, "EXPORTER_SECRET") == 0) 250 exporter_secret_count++; 251 252 client_random_size = SSL_get_client_random(ssl, 253 actual_client_random, 254 SSL3_RANDOM_SIZE); 255 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE)) 256 return 0; 257 258 if (!TEST_ptr(token = strtok(NULL, " \n"))) 259 return 0; 260 if (!TEST_size_t_eq(strlen(token), 64)) 261 return 0; 262 if (!TEST_false(compare_hex_encoded_buffer(token, 64, 263 actual_client_random, 264 client_random_size))) 265 return 0; 266 267 if (!TEST_ptr(token = strtok(NULL, " \n"))) 268 return 0; 269 270 /* 271 * TODO(TLS1.3): test that application traffic secrets are what 272 * we expect */ 273 } else { 274 TEST_info("Unexpected token %s\n", token); 275 return 0; 276 } 277 } 278 279 /* Got what we expected? */ 280 if (!TEST_size_t_eq(rsa_key_exchange_count, 281 expected->rsa_key_exchange_count) 282 || !TEST_size_t_eq(master_secret_count, 283 expected->master_secret_count) 284 || !TEST_size_t_eq(client_early_secret_count, 285 expected->client_early_secret_count) 286 || !TEST_size_t_eq(client_handshake_secret_count, 287 expected->client_handshake_secret_count) 288 || !TEST_size_t_eq(server_handshake_secret_count, 289 expected->server_handshake_secret_count) 290 || !TEST_size_t_eq(client_application_secret_count, 291 expected->client_application_secret_count) 292 || !TEST_size_t_eq(server_application_secret_count, 293 expected->server_application_secret_count) 294 || !TEST_size_t_eq(early_exporter_secret_count, 295 expected->early_exporter_secret_count) 296 || !TEST_size_t_eq(exporter_secret_count, 297 expected->exporter_secret_count)) 298 return 0; 299 return 1; 300 } 301 302 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3) 303 static int test_keylog(void) 304 { 305 SSL_CTX *cctx = NULL, *sctx = NULL; 306 SSL *clientssl = NULL, *serverssl = NULL; 307 int testresult = 0; 308 struct sslapitest_log_counts expected = {0}; 309 310 /* Clean up logging space */ 311 memset(client_log_buffer, 0, sizeof(client_log_buffer)); 312 memset(server_log_buffer, 0, sizeof(server_log_buffer)); 313 client_log_buffer_index = 0; 314 server_log_buffer_index = 0; 315 error_writing_log = 0; 316 317 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), 318 TLS_client_method(), 319 TLS1_VERSION, TLS_MAX_VERSION, 320 &sctx, &cctx, cert, privkey))) 321 return 0; 322 323 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */ 324 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3); 325 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3); 326 327 /* We also want to ensure that we use RSA-based key exchange. */ 328 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA"))) 329 goto end; 330 331 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL) 332 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL)) 333 goto end; 334 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback); 335 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) 336 == client_keylog_callback)) 337 goto end; 338 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback); 339 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx) 340 == server_keylog_callback)) 341 goto end; 342 343 /* Now do a handshake and check that the logs have been written to. */ 344 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 345 &clientssl, NULL, NULL)) 346 || !TEST_true(create_ssl_connection(serverssl, clientssl, 347 SSL_ERROR_NONE)) 348 || !TEST_false(error_writing_log) 349 || !TEST_int_gt(client_log_buffer_index, 0) 350 || !TEST_int_gt(server_log_buffer_index, 0)) 351 goto end; 352 353 /* 354 * Now we want to test that our output data was vaguely sensible. We 355 * do that by using strtok and confirming that we have more or less the 356 * data we expect. For both client and server, we expect to see one master 357 * secret. The client should also see a RSA key exchange. 358 */ 359 expected.rsa_key_exchange_count = 1; 360 expected.master_secret_count = 1; 361 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl, 362 SSL_get_session(clientssl), &expected))) 363 goto end; 364 365 expected.rsa_key_exchange_count = 0; 366 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl, 367 SSL_get_session(serverssl), &expected))) 368 goto end; 369 370 testresult = 1; 371 372 end: 373 SSL_free(serverssl); 374 SSL_free(clientssl); 375 SSL_CTX_free(sctx); 376 SSL_CTX_free(cctx); 377 378 return testresult; 379 } 380 #endif 381 382 #ifndef OPENSSL_NO_TLS1_3 383 static int test_keylog_no_master_key(void) 384 { 385 SSL_CTX *cctx = NULL, *sctx = NULL; 386 SSL *clientssl = NULL, *serverssl = NULL; 387 SSL_SESSION *sess = NULL; 388 int testresult = 0; 389 struct sslapitest_log_counts expected = {0}; 390 unsigned char buf[1]; 391 size_t readbytes, written; 392 393 /* Clean up logging space */ 394 memset(client_log_buffer, 0, sizeof(client_log_buffer)); 395 memset(server_log_buffer, 0, sizeof(server_log_buffer)); 396 client_log_buffer_index = 0; 397 server_log_buffer_index = 0; 398 error_writing_log = 0; 399 400 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), 401 TLS1_VERSION, TLS_MAX_VERSION, 402 &sctx, &cctx, cert, privkey)) 403 || !TEST_true(SSL_CTX_set_max_early_data(sctx, 404 SSL3_RT_MAX_PLAIN_LENGTH))) 405 return 0; 406 407 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL) 408 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL)) 409 goto end; 410 411 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback); 412 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) 413 == client_keylog_callback)) 414 goto end; 415 416 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback); 417 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx) 418 == server_keylog_callback)) 419 goto end; 420 421 /* Now do a handshake and check that the logs have been written to. */ 422 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 423 &clientssl, NULL, NULL)) 424 || !TEST_true(create_ssl_connection(serverssl, clientssl, 425 SSL_ERROR_NONE)) 426 || !TEST_false(error_writing_log)) 427 goto end; 428 429 /* 430 * Now we want to test that our output data was vaguely sensible. For this 431 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for 432 * TLSv1.3, but we do expect both client and server to emit keys. 433 */ 434 expected.client_handshake_secret_count = 1; 435 expected.server_handshake_secret_count = 1; 436 expected.client_application_secret_count = 1; 437 expected.server_application_secret_count = 1; 438 expected.exporter_secret_count = 1; 439 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl, 440 SSL_get_session(clientssl), &expected)) 441 || !TEST_true(test_keylog_output(server_log_buffer, serverssl, 442 SSL_get_session(serverssl), 443 &expected))) 444 goto end; 445 446 /* Terminate old session and resume with early data. */ 447 sess = SSL_get1_session(clientssl); 448 SSL_shutdown(clientssl); 449 SSL_shutdown(serverssl); 450 SSL_free(serverssl); 451 SSL_free(clientssl); 452 serverssl = clientssl = NULL; 453 454 /* Reset key log */ 455 memset(client_log_buffer, 0, sizeof(client_log_buffer)); 456 memset(server_log_buffer, 0, sizeof(server_log_buffer)); 457 client_log_buffer_index = 0; 458 server_log_buffer_index = 0; 459 460 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 461 &clientssl, NULL, NULL)) 462 || !TEST_true(SSL_set_session(clientssl, sess)) 463 /* Here writing 0 length early data is enough. */ 464 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written)) 465 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 466 &readbytes), 467 SSL_READ_EARLY_DATA_ERROR) 468 || !TEST_int_eq(SSL_get_early_data_status(serverssl), 469 SSL_EARLY_DATA_ACCEPTED) 470 || !TEST_true(create_ssl_connection(serverssl, clientssl, 471 SSL_ERROR_NONE)) 472 || !TEST_true(SSL_session_reused(clientssl))) 473 goto end; 474 475 /* In addition to the previous entries, expect early secrets. */ 476 expected.client_early_secret_count = 1; 477 expected.early_exporter_secret_count = 1; 478 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl, 479 SSL_get_session(clientssl), &expected)) 480 || !TEST_true(test_keylog_output(server_log_buffer, serverssl, 481 SSL_get_session(serverssl), 482 &expected))) 483 goto end; 484 485 testresult = 1; 486 487 end: 488 SSL_SESSION_free(sess); 489 SSL_free(serverssl); 490 SSL_free(clientssl); 491 SSL_CTX_free(sctx); 492 SSL_CTX_free(cctx); 493 494 return testresult; 495 } 496 #endif 497 498 #ifndef OPENSSL_NO_TLS1_2 499 static int full_client_hello_callback(SSL *s, int *al, void *arg) 500 { 501 int *ctr = arg; 502 const unsigned char *p; 503 int *exts; 504 /* We only configure two ciphers, but the SCSV is added automatically. */ 505 #ifdef OPENSSL_NO_EC 506 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff}; 507 #else 508 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0, 509 0x2c, 0x00, 0xff}; 510 #endif 511 const int expected_extensions[] = { 512 #ifndef OPENSSL_NO_EC 513 11, 10, 514 #endif 515 35, 22, 23, 13}; 516 size_t len; 517 518 /* Make sure we can defer processing and get called back. */ 519 if ((*ctr)++ == 0) 520 return SSL_CLIENT_HELLO_RETRY; 521 522 len = SSL_client_hello_get0_ciphers(s, &p); 523 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers)) 524 || !TEST_size_t_eq( 525 SSL_client_hello_get0_compression_methods(s, &p), 1) 526 || !TEST_int_eq(*p, 0)) 527 return SSL_CLIENT_HELLO_ERROR; 528 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len)) 529 return SSL_CLIENT_HELLO_ERROR; 530 if (len != OSSL_NELEM(expected_extensions) || 531 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) { 532 printf("ClientHello callback expected extensions mismatch\n"); 533 OPENSSL_free(exts); 534 return SSL_CLIENT_HELLO_ERROR; 535 } 536 OPENSSL_free(exts); 537 return SSL_CLIENT_HELLO_SUCCESS; 538 } 539 540 static int test_client_hello_cb(void) 541 { 542 SSL_CTX *cctx = NULL, *sctx = NULL; 543 SSL *clientssl = NULL, *serverssl = NULL; 544 int testctr = 0, testresult = 0; 545 546 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), 547 TLS1_VERSION, TLS_MAX_VERSION, 548 &sctx, &cctx, cert, privkey))) 549 goto end; 550 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr); 551 552 /* The gimpy cipher list we configure can't do TLS 1.3. */ 553 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION); 554 555 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, 556 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384")) 557 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 558 &clientssl, NULL, NULL)) 559 || !TEST_false(create_ssl_connection(serverssl, clientssl, 560 SSL_ERROR_WANT_CLIENT_HELLO_CB)) 561 /* 562 * Passing a -1 literal is a hack since 563 * the real value was lost. 564 * */ 565 || !TEST_int_eq(SSL_get_error(serverssl, -1), 566 SSL_ERROR_WANT_CLIENT_HELLO_CB) 567 || !TEST_true(create_ssl_connection(serverssl, clientssl, 568 SSL_ERROR_NONE))) 569 goto end; 570 571 testresult = 1; 572 573 end: 574 SSL_free(serverssl); 575 SSL_free(clientssl); 576 SSL_CTX_free(sctx); 577 SSL_CTX_free(cctx); 578 579 return testresult; 580 } 581 #endif 582 583 static int execute_test_large_message(const SSL_METHOD *smeth, 584 const SSL_METHOD *cmeth, 585 int min_version, int max_version, 586 int read_ahead) 587 { 588 SSL_CTX *cctx = NULL, *sctx = NULL; 589 SSL *clientssl = NULL, *serverssl = NULL; 590 int testresult = 0; 591 int i; 592 BIO *certbio = NULL; 593 X509 *chaincert = NULL; 594 int certlen; 595 596 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))) 597 goto end; 598 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL); 599 BIO_free(certbio); 600 certbio = NULL; 601 if (!TEST_ptr(chaincert)) 602 goto end; 603 604 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version, 605 &sctx, &cctx, cert, privkey))) 606 goto end; 607 608 if (read_ahead) { 609 /* 610 * Test that read_ahead works correctly when dealing with large 611 * records 612 */ 613 SSL_CTX_set_read_ahead(cctx, 1); 614 } 615 616 /* 617 * We assume the supplied certificate is big enough so that if we add 618 * NUM_EXTRA_CERTS it will make the overall message large enough. The 619 * default buffer size is requested to be 16k, but due to the way BUF_MEM 620 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this 621 * test we need to have a message larger than that. 622 */ 623 certlen = i2d_X509(chaincert, NULL); 624 OPENSSL_assert(certlen * NUM_EXTRA_CERTS > 625 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3); 626 for (i = 0; i < NUM_EXTRA_CERTS; i++) { 627 if (!X509_up_ref(chaincert)) 628 goto end; 629 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) { 630 X509_free(chaincert); 631 goto end; 632 } 633 } 634 635 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 636 NULL, NULL)) 637 || !TEST_true(create_ssl_connection(serverssl, clientssl, 638 SSL_ERROR_NONE))) 639 goto end; 640 641 /* 642 * Calling SSL_clear() first is not required but this tests that SSL_clear() 643 * doesn't leak (when using enable-crypto-mdebug). 644 */ 645 if (!TEST_true(SSL_clear(serverssl))) 646 goto end; 647 648 testresult = 1; 649 end: 650 X509_free(chaincert); 651 SSL_free(serverssl); 652 SSL_free(clientssl); 653 SSL_CTX_free(sctx); 654 SSL_CTX_free(cctx); 655 656 return testresult; 657 } 658 659 static int test_large_message_tls(void) 660 { 661 return execute_test_large_message(TLS_server_method(), TLS_client_method(), 662 TLS1_VERSION, TLS_MAX_VERSION, 663 0); 664 } 665 666 static int test_large_message_tls_read_ahead(void) 667 { 668 return execute_test_large_message(TLS_server_method(), TLS_client_method(), 669 TLS1_VERSION, TLS_MAX_VERSION, 670 1); 671 } 672 673 #ifndef OPENSSL_NO_DTLS 674 static int test_large_message_dtls(void) 675 { 676 /* 677 * read_ahead is not relevant to DTLS because DTLS always acts as if 678 * read_ahead is set. 679 */ 680 return execute_test_large_message(DTLS_server_method(), 681 DTLS_client_method(), 682 DTLS1_VERSION, DTLS_MAX_VERSION, 683 0); 684 } 685 #endif 686 687 #ifndef OPENSSL_NO_OCSP 688 static int ocsp_server_cb(SSL *s, void *arg) 689 { 690 int *argi = (int *)arg; 691 unsigned char *copy = NULL; 692 STACK_OF(OCSP_RESPID) *ids = NULL; 693 OCSP_RESPID *id = NULL; 694 695 if (*argi == 2) { 696 /* In this test we are expecting exactly 1 OCSP_RESPID */ 697 SSL_get_tlsext_status_ids(s, &ids); 698 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1) 699 return SSL_TLSEXT_ERR_ALERT_FATAL; 700 701 id = sk_OCSP_RESPID_value(ids, 0); 702 if (id == NULL || !OCSP_RESPID_match(id, ocspcert)) 703 return SSL_TLSEXT_ERR_ALERT_FATAL; 704 } else if (*argi != 1) { 705 return SSL_TLSEXT_ERR_ALERT_FATAL; 706 } 707 708 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder)))) 709 return SSL_TLSEXT_ERR_ALERT_FATAL; 710 711 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder)); 712 ocsp_server_called = 1; 713 return SSL_TLSEXT_ERR_OK; 714 } 715 716 static int ocsp_client_cb(SSL *s, void *arg) 717 { 718 int *argi = (int *)arg; 719 const unsigned char *respderin; 720 size_t len; 721 722 if (*argi != 1 && *argi != 2) 723 return 0; 724 725 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin); 726 if (!TEST_mem_eq(orespder, len, respderin, len)) 727 return 0; 728 729 ocsp_client_called = 1; 730 return 1; 731 } 732 733 static int test_tlsext_status_type(void) 734 { 735 SSL_CTX *cctx = NULL, *sctx = NULL; 736 SSL *clientssl = NULL, *serverssl = NULL; 737 int testresult = 0; 738 STACK_OF(OCSP_RESPID) *ids = NULL; 739 OCSP_RESPID *id = NULL; 740 BIO *certbio = NULL; 741 742 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), 743 TLS1_VERSION, TLS_MAX_VERSION, 744 &sctx, &cctx, cert, privkey)) 745 return 0; 746 747 if (SSL_CTX_get_tlsext_status_type(cctx) != -1) 748 goto end; 749 750 /* First just do various checks getting and setting tlsext_status_type */ 751 752 clientssl = SSL_new(cctx); 753 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1) 754 || !TEST_true(SSL_set_tlsext_status_type(clientssl, 755 TLSEXT_STATUSTYPE_ocsp)) 756 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl), 757 TLSEXT_STATUSTYPE_ocsp)) 758 goto end; 759 760 SSL_free(clientssl); 761 clientssl = NULL; 762 763 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp) 764 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp) 765 goto end; 766 767 clientssl = SSL_new(cctx); 768 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp) 769 goto end; 770 SSL_free(clientssl); 771 clientssl = NULL; 772 773 /* 774 * Now actually do a handshake and check OCSP information is exchanged and 775 * the callbacks get called 776 */ 777 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb); 778 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg); 779 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb); 780 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg); 781 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 782 &clientssl, NULL, NULL)) 783 || !TEST_true(create_ssl_connection(serverssl, clientssl, 784 SSL_ERROR_NONE)) 785 || !TEST_true(ocsp_client_called) 786 || !TEST_true(ocsp_server_called)) 787 goto end; 788 SSL_free(serverssl); 789 SSL_free(clientssl); 790 serverssl = NULL; 791 clientssl = NULL; 792 793 /* Try again but this time force the server side callback to fail */ 794 ocsp_client_called = 0; 795 ocsp_server_called = 0; 796 cdummyarg = 0; 797 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 798 &clientssl, NULL, NULL)) 799 /* This should fail because the callback will fail */ 800 || !TEST_false(create_ssl_connection(serverssl, clientssl, 801 SSL_ERROR_NONE)) 802 || !TEST_false(ocsp_client_called) 803 || !TEST_false(ocsp_server_called)) 804 goto end; 805 SSL_free(serverssl); 806 SSL_free(clientssl); 807 serverssl = NULL; 808 clientssl = NULL; 809 810 /* 811 * This time we'll get the client to send an OCSP_RESPID that it will 812 * accept. 813 */ 814 ocsp_client_called = 0; 815 ocsp_server_called = 0; 816 cdummyarg = 2; 817 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 818 &clientssl, NULL, NULL))) 819 goto end; 820 821 /* 822 * We'll just use any old cert for this test - it doesn't have to be an OCSP 823 * specific one. We'll use the server cert. 824 */ 825 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")) 826 || !TEST_ptr(id = OCSP_RESPID_new()) 827 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null()) 828 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio, 829 NULL, NULL, NULL)) 830 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert)) 831 || !TEST_true(sk_OCSP_RESPID_push(ids, id))) 832 goto end; 833 id = NULL; 834 SSL_set_tlsext_status_ids(clientssl, ids); 835 /* Control has been transferred */ 836 ids = NULL; 837 838 BIO_free(certbio); 839 certbio = NULL; 840 841 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 842 SSL_ERROR_NONE)) 843 || !TEST_true(ocsp_client_called) 844 || !TEST_true(ocsp_server_called)) 845 goto end; 846 847 testresult = 1; 848 849 end: 850 SSL_free(serverssl); 851 SSL_free(clientssl); 852 SSL_CTX_free(sctx); 853 SSL_CTX_free(cctx); 854 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free); 855 OCSP_RESPID_free(id); 856 BIO_free(certbio); 857 X509_free(ocspcert); 858 ocspcert = NULL; 859 860 return testresult; 861 } 862 #endif 863 864 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) 865 static int new_called, remove_called, get_called; 866 867 static int new_session_cb(SSL *ssl, SSL_SESSION *sess) 868 { 869 new_called++; 870 /* 871 * sess has been up-refed for us, but we don't actually need it so free it 872 * immediately. 873 */ 874 SSL_SESSION_free(sess); 875 return 1; 876 } 877 878 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess) 879 { 880 remove_called++; 881 } 882 883 static SSL_SESSION *get_sess_val = NULL; 884 885 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len, 886 int *copy) 887 { 888 get_called++; 889 *copy = 1; 890 return get_sess_val; 891 } 892 893 static int execute_test_session(int maxprot, int use_int_cache, 894 int use_ext_cache) 895 { 896 SSL_CTX *sctx = NULL, *cctx = NULL; 897 SSL *serverssl1 = NULL, *clientssl1 = NULL; 898 SSL *serverssl2 = NULL, *clientssl2 = NULL; 899 # ifndef OPENSSL_NO_TLS1_1 900 SSL *serverssl3 = NULL, *clientssl3 = NULL; 901 # endif 902 SSL_SESSION *sess1 = NULL, *sess2 = NULL; 903 int testresult = 0, numnewsesstick = 1; 904 905 new_called = remove_called = 0; 906 907 /* TLSv1.3 sends 2 NewSessionTickets */ 908 if (maxprot == TLS1_3_VERSION) 909 numnewsesstick = 2; 910 911 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), 912 TLS1_VERSION, TLS_MAX_VERSION, 913 &sctx, &cctx, cert, privkey))) 914 return 0; 915 916 /* 917 * Only allow the max protocol version so we can force a connection failure 918 * later 919 */ 920 SSL_CTX_set_min_proto_version(cctx, maxprot); 921 SSL_CTX_set_max_proto_version(cctx, maxprot); 922 923 /* Set up session cache */ 924 if (use_ext_cache) { 925 SSL_CTX_sess_set_new_cb(cctx, new_session_cb); 926 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb); 927 } 928 if (use_int_cache) { 929 /* Also covers instance where both are set */ 930 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT); 931 } else { 932 SSL_CTX_set_session_cache_mode(cctx, 933 SSL_SESS_CACHE_CLIENT 934 | SSL_SESS_CACHE_NO_INTERNAL_STORE); 935 } 936 937 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1, 938 NULL, NULL)) 939 || !TEST_true(create_ssl_connection(serverssl1, clientssl1, 940 SSL_ERROR_NONE)) 941 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))) 942 goto end; 943 944 /* Should fail because it should already be in the cache */ 945 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1))) 946 goto end; 947 if (use_ext_cache 948 && (!TEST_int_eq(new_called, numnewsesstick) 949 950 || !TEST_int_eq(remove_called, 0))) 951 goto end; 952 953 new_called = remove_called = 0; 954 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2, 955 &clientssl2, NULL, NULL)) 956 || !TEST_true(SSL_set_session(clientssl2, sess1)) 957 || !TEST_true(create_ssl_connection(serverssl2, clientssl2, 958 SSL_ERROR_NONE)) 959 || !TEST_true(SSL_session_reused(clientssl2))) 960 goto end; 961 962 if (maxprot == TLS1_3_VERSION) { 963 /* 964 * In TLSv1.3 we should have created a new session even though we have 965 * resumed. Since we attempted a resume we should also have removed the 966 * old ticket from the cache so that we try to only use tickets once. 967 */ 968 if (use_ext_cache 969 && (!TEST_int_eq(new_called, 1) 970 || !TEST_int_eq(remove_called, 1))) 971 goto end; 972 } else { 973 /* 974 * In TLSv1.2 we expect to have resumed so no sessions added or 975 * removed. 976 */ 977 if (use_ext_cache 978 && (!TEST_int_eq(new_called, 0) 979 || !TEST_int_eq(remove_called, 0))) 980 goto end; 981 } 982 983 SSL_SESSION_free(sess1); 984 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2))) 985 goto end; 986 shutdown_ssl_connection(serverssl2, clientssl2); 987 serverssl2 = clientssl2 = NULL; 988 989 new_called = remove_called = 0; 990 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2, 991 &clientssl2, NULL, NULL)) 992 || !TEST_true(create_ssl_connection(serverssl2, clientssl2, 993 SSL_ERROR_NONE))) 994 goto end; 995 996 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2))) 997 goto end; 998 999 if (use_ext_cache 1000 && (!TEST_int_eq(new_called, numnewsesstick) 1001 || !TEST_int_eq(remove_called, 0))) 1002 goto end; 1003 1004 new_called = remove_called = 0; 1005 /* 1006 * This should clear sess2 from the cache because it is a "bad" session. 1007 * See SSL_set_session() documentation. 1008 */ 1009 if (!TEST_true(SSL_set_session(clientssl2, sess1))) 1010 goto end; 1011 if (use_ext_cache 1012 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1))) 1013 goto end; 1014 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1)) 1015 goto end; 1016 1017 if (use_int_cache) { 1018 /* Should succeeded because it should not already be in the cache */ 1019 if (!TEST_true(SSL_CTX_add_session(cctx, sess2)) 1020 || !TEST_true(SSL_CTX_remove_session(cctx, sess2))) 1021 goto end; 1022 } 1023 1024 new_called = remove_called = 0; 1025 /* This shouldn't be in the cache so should fail */ 1026 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2))) 1027 goto end; 1028 1029 if (use_ext_cache 1030 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1))) 1031 goto end; 1032 1033 # if !defined(OPENSSL_NO_TLS1_1) 1034 new_called = remove_called = 0; 1035 /* Force a connection failure */ 1036 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION); 1037 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3, 1038 &clientssl3, NULL, NULL)) 1039 || !TEST_true(SSL_set_session(clientssl3, sess1)) 1040 /* This should fail because of the mismatched protocol versions */ 1041 || !TEST_false(create_ssl_connection(serverssl3, clientssl3, 1042 SSL_ERROR_NONE))) 1043 goto end; 1044 1045 /* We should have automatically removed the session from the cache */ 1046 if (use_ext_cache 1047 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1))) 1048 goto end; 1049 1050 /* Should succeed because it should not already be in the cache */ 1051 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2))) 1052 goto end; 1053 # endif 1054 1055 /* Now do some tests for server side caching */ 1056 if (use_ext_cache) { 1057 SSL_CTX_sess_set_new_cb(cctx, NULL); 1058 SSL_CTX_sess_set_remove_cb(cctx, NULL); 1059 SSL_CTX_sess_set_new_cb(sctx, new_session_cb); 1060 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb); 1061 SSL_CTX_sess_set_get_cb(sctx, get_session_cb); 1062 get_sess_val = NULL; 1063 } 1064 1065 SSL_CTX_set_session_cache_mode(cctx, 0); 1066 /* Internal caching is the default on the server side */ 1067 if (!use_int_cache) 1068 SSL_CTX_set_session_cache_mode(sctx, 1069 SSL_SESS_CACHE_SERVER 1070 | SSL_SESS_CACHE_NO_INTERNAL_STORE); 1071 1072 SSL_free(serverssl1); 1073 SSL_free(clientssl1); 1074 serverssl1 = clientssl1 = NULL; 1075 SSL_free(serverssl2); 1076 SSL_free(clientssl2); 1077 serverssl2 = clientssl2 = NULL; 1078 SSL_SESSION_free(sess1); 1079 sess1 = NULL; 1080 SSL_SESSION_free(sess2); 1081 sess2 = NULL; 1082 1083 SSL_CTX_set_max_proto_version(sctx, maxprot); 1084 if (maxprot == TLS1_2_VERSION) 1085 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET); 1086 new_called = remove_called = get_called = 0; 1087 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1, 1088 NULL, NULL)) 1089 || !TEST_true(create_ssl_connection(serverssl1, clientssl1, 1090 SSL_ERROR_NONE)) 1091 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)) 1092 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1))) 1093 goto end; 1094 1095 if (use_int_cache) { 1096 if (maxprot == TLS1_3_VERSION && !use_ext_cache) { 1097 /* 1098 * In TLSv1.3 it should not have been added to the internal cache, 1099 * except in the case where we also have an external cache (in that 1100 * case it gets added to the cache in order to generate remove 1101 * events after timeout). 1102 */ 1103 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2))) 1104 goto end; 1105 } else { 1106 /* Should fail because it should already be in the cache */ 1107 if (!TEST_false(SSL_CTX_add_session(sctx, sess2))) 1108 goto end; 1109 } 1110 } 1111 1112 if (use_ext_cache) { 1113 SSL_SESSION *tmp = sess2; 1114 1115 if (!TEST_int_eq(new_called, numnewsesstick) 1116 || !TEST_int_eq(remove_called, 0) 1117 || !TEST_int_eq(get_called, 0)) 1118 goto end; 1119 /* 1120 * Delete the session from the internal cache to force a lookup from 1121 * the external cache. We take a copy first because 1122 * SSL_CTX_remove_session() also marks the session as non-resumable. 1123 */ 1124 if (use_int_cache && maxprot != TLS1_3_VERSION) { 1125 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2)) 1126 || !TEST_true(SSL_CTX_remove_session(sctx, sess2))) 1127 goto end; 1128 SSL_SESSION_free(sess2); 1129 } 1130 sess2 = tmp; 1131 } 1132 1133 new_called = remove_called = get_called = 0; 1134 get_sess_val = sess2; 1135 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2, 1136 &clientssl2, NULL, NULL)) 1137 || !TEST_true(SSL_set_session(clientssl2, sess1)) 1138 || !TEST_true(create_ssl_connection(serverssl2, clientssl2, 1139 SSL_ERROR_NONE)) 1140 || !TEST_true(SSL_session_reused(clientssl2))) 1141 goto end; 1142 1143 if (use_ext_cache) { 1144 if (!TEST_int_eq(remove_called, 0)) 1145 goto end; 1146 1147 if (maxprot == TLS1_3_VERSION) { 1148 if (!TEST_int_eq(new_called, 1) 1149 || !TEST_int_eq(get_called, 0)) 1150 goto end; 1151 } else { 1152 if (!TEST_int_eq(new_called, 0) 1153 || !TEST_int_eq(get_called, 1)) 1154 goto end; 1155 } 1156 } 1157 1158 testresult = 1; 1159 1160 end: 1161 SSL_free(serverssl1); 1162 SSL_free(clientssl1); 1163 SSL_free(serverssl2); 1164 SSL_free(clientssl2); 1165 # ifndef OPENSSL_NO_TLS1_1 1166 SSL_free(serverssl3); 1167 SSL_free(clientssl3); 1168 # endif 1169 SSL_SESSION_free(sess1); 1170 SSL_SESSION_free(sess2); 1171 SSL_CTX_free(sctx); 1172 SSL_CTX_free(cctx); 1173 1174 return testresult; 1175 } 1176 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */ 1177 1178 static int test_session_with_only_int_cache(void) 1179 { 1180 #ifndef OPENSSL_NO_TLS1_3 1181 if (!execute_test_session(TLS1_3_VERSION, 1, 0)) 1182 return 0; 1183 #endif 1184 1185 #ifndef OPENSSL_NO_TLS1_2 1186 return execute_test_session(TLS1_2_VERSION, 1, 0); 1187 #else 1188 return 1; 1189 #endif 1190 } 1191 1192 static int test_session_with_only_ext_cache(void) 1193 { 1194 #ifndef OPENSSL_NO_TLS1_3 1195 if (!execute_test_session(TLS1_3_VERSION, 0, 1)) 1196 return 0; 1197 #endif 1198 1199 #ifndef OPENSSL_NO_TLS1_2 1200 return execute_test_session(TLS1_2_VERSION, 0, 1); 1201 #else 1202 return 1; 1203 #endif 1204 } 1205 1206 static int test_session_with_both_cache(void) 1207 { 1208 #ifndef OPENSSL_NO_TLS1_3 1209 if (!execute_test_session(TLS1_3_VERSION, 1, 1)) 1210 return 0; 1211 #endif 1212 1213 #ifndef OPENSSL_NO_TLS1_2 1214 return execute_test_session(TLS1_2_VERSION, 1, 1); 1215 #else 1216 return 1; 1217 #endif 1218 } 1219 1220 #ifndef OPENSSL_NO_TLS1_3 1221 static SSL_SESSION *sesscache[6]; 1222 static int do_cache; 1223 1224 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess) 1225 { 1226 if (do_cache) { 1227 sesscache[new_called] = sess; 1228 } else { 1229 /* We don't need the reference to the session, so free it */ 1230 SSL_SESSION_free(sess); 1231 } 1232 new_called++; 1233 1234 return 1; 1235 } 1236 1237 static int post_handshake_verify(SSL *sssl, SSL *cssl) 1238 { 1239 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL); 1240 if (!TEST_true(SSL_verify_client_post_handshake(sssl))) 1241 return 0; 1242 1243 /* Start handshake on the server and client */ 1244 if (!TEST_int_eq(SSL_do_handshake(sssl), 1) 1245 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0) 1246 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0) 1247 || !TEST_true(create_ssl_connection(sssl, cssl, 1248 SSL_ERROR_NONE))) 1249 return 0; 1250 1251 return 1; 1252 } 1253 1254 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx, 1255 SSL_CTX **cctx) 1256 { 1257 int sess_id_ctx = 1; 1258 1259 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), 1260 TLS1_VERSION, TLS_MAX_VERSION, sctx, 1261 cctx, cert, privkey)) 1262 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx)) 1263 || !TEST_true(SSL_CTX_set_session_id_context(*sctx, 1264 (void *)&sess_id_ctx, 1265 sizeof(sess_id_ctx)))) 1266 return 0; 1267 1268 if (stateful) 1269 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET); 1270 1271 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT 1272 | SSL_SESS_CACHE_NO_INTERNAL_STORE); 1273 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb); 1274 1275 return 1; 1276 } 1277 1278 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ) 1279 { 1280 SSL *serverssl = NULL, *clientssl = NULL; 1281 int i; 1282 1283 /* Test that we can resume with all the tickets we got given */ 1284 for (i = 0; i < idx * 2; i++) { 1285 new_called = 0; 1286 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 1287 &clientssl, NULL, NULL)) 1288 || !TEST_true(SSL_set_session(clientssl, sesscache[i]))) 1289 goto end; 1290 1291 SSL_set_post_handshake_auth(clientssl, 1); 1292 1293 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 1294 SSL_ERROR_NONE))) 1295 goto end; 1296 1297 /* 1298 * Following a successful resumption we only get 1 ticket. After a 1299 * failed one we should get idx tickets. 1300 */ 1301 if (succ) { 1302 if (!TEST_true(SSL_session_reused(clientssl)) 1303 || !TEST_int_eq(new_called, 1)) 1304 goto end; 1305 } else { 1306 if (!TEST_false(SSL_session_reused(clientssl)) 1307 || !TEST_int_eq(new_called, idx)) 1308 goto end; 1309 } 1310 1311 new_called = 0; 1312 /* After a post-handshake authentication we should get 1 new ticket */ 1313 if (succ 1314 && (!post_handshake_verify(serverssl, clientssl) 1315 || !TEST_int_eq(new_called, 1))) 1316 goto end; 1317 1318 SSL_shutdown(clientssl); 1319 SSL_shutdown(serverssl); 1320 SSL_free(serverssl); 1321 SSL_free(clientssl); 1322 serverssl = clientssl = NULL; 1323 SSL_SESSION_free(sesscache[i]); 1324 sesscache[i] = NULL; 1325 } 1326 1327 return 1; 1328 1329 end: 1330 SSL_free(clientssl); 1331 SSL_free(serverssl); 1332 return 0; 1333 } 1334 1335 static int test_tickets(int stateful, int idx) 1336 { 1337 SSL_CTX *sctx = NULL, *cctx = NULL; 1338 SSL *serverssl = NULL, *clientssl = NULL; 1339 int testresult = 0; 1340 size_t j; 1341 1342 /* idx is the test number, but also the number of tickets we want */ 1343 1344 new_called = 0; 1345 do_cache = 1; 1346 1347 if (!setup_ticket_test(stateful, idx, &sctx, &cctx)) 1348 goto end; 1349 1350 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 1351 &clientssl, NULL, NULL))) 1352 goto end; 1353 1354 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 1355 SSL_ERROR_NONE)) 1356 /* Check we got the number of tickets we were expecting */ 1357 || !TEST_int_eq(idx, new_called)) 1358 goto end; 1359 1360 SSL_shutdown(clientssl); 1361 SSL_shutdown(serverssl); 1362 SSL_free(serverssl); 1363 SSL_free(clientssl); 1364 SSL_CTX_free(sctx); 1365 SSL_CTX_free(cctx); 1366 clientssl = serverssl = NULL; 1367 sctx = cctx = NULL; 1368 1369 /* 1370 * Now we try to resume with the tickets we previously created. The 1371 * resumption attempt is expected to fail (because we're now using a new 1372 * SSL_CTX). We should see idx number of tickets issued again. 1373 */ 1374 1375 /* Stop caching sessions - just count them */ 1376 do_cache = 0; 1377 1378 if (!setup_ticket_test(stateful, idx, &sctx, &cctx)) 1379 goto end; 1380 1381 if (!check_resumption(idx, sctx, cctx, 0)) 1382 goto end; 1383 1384 /* Start again with caching sessions */ 1385 new_called = 0; 1386 do_cache = 1; 1387 SSL_CTX_free(sctx); 1388 SSL_CTX_free(cctx); 1389 sctx = cctx = NULL; 1390 1391 if (!setup_ticket_test(stateful, idx, &sctx, &cctx)) 1392 goto end; 1393 1394 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 1395 &clientssl, NULL, NULL))) 1396 goto end; 1397 1398 SSL_set_post_handshake_auth(clientssl, 1); 1399 1400 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 1401 SSL_ERROR_NONE)) 1402 /* Check we got the number of tickets we were expecting */ 1403 || !TEST_int_eq(idx, new_called)) 1404 goto end; 1405 1406 /* After a post-handshake authentication we should get new tickets issued */ 1407 if (!post_handshake_verify(serverssl, clientssl) 1408 || !TEST_int_eq(idx * 2, new_called)) 1409 goto end; 1410 1411 SSL_shutdown(clientssl); 1412 SSL_shutdown(serverssl); 1413 SSL_free(serverssl); 1414 SSL_free(clientssl); 1415 serverssl = clientssl = NULL; 1416 1417 /* Stop caching sessions - just count them */ 1418 do_cache = 0; 1419 1420 /* 1421 * Check we can resume with all the tickets we created. This time around the 1422 * resumptions should all be successful. 1423 */ 1424 if (!check_resumption(idx, sctx, cctx, 1)) 1425 goto end; 1426 1427 testresult = 1; 1428 1429 end: 1430 SSL_free(serverssl); 1431 SSL_free(clientssl); 1432 for (j = 0; j < OSSL_NELEM(sesscache); j++) { 1433 SSL_SESSION_free(sesscache[j]); 1434 sesscache[j] = NULL; 1435 } 1436 SSL_CTX_free(sctx); 1437 SSL_CTX_free(cctx); 1438 1439 return testresult; 1440 } 1441 1442 static int test_stateless_tickets(int idx) 1443 { 1444 return test_tickets(0, idx); 1445 } 1446 1447 static int test_stateful_tickets(int idx) 1448 { 1449 return test_tickets(1, idx); 1450 } 1451 1452 static int test_psk_tickets(void) 1453 { 1454 SSL_CTX *sctx = NULL, *cctx = NULL; 1455 SSL *serverssl = NULL, *clientssl = NULL; 1456 int testresult = 0; 1457 int sess_id_ctx = 1; 1458 1459 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), 1460 TLS1_VERSION, TLS_MAX_VERSION, &sctx, 1461 &cctx, NULL, NULL)) 1462 || !TEST_true(SSL_CTX_set_session_id_context(sctx, 1463 (void *)&sess_id_ctx, 1464 sizeof(sess_id_ctx)))) 1465 goto end; 1466 1467 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT 1468 | SSL_SESS_CACHE_NO_INTERNAL_STORE); 1469 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb); 1470 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb); 1471 SSL_CTX_sess_set_new_cb(cctx, new_session_cb); 1472 use_session_cb_cnt = 0; 1473 find_session_cb_cnt = 0; 1474 srvid = pskid; 1475 new_called = 0; 1476 1477 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 1478 NULL, NULL))) 1479 goto end; 1480 clientpsk = serverpsk = create_a_psk(clientssl); 1481 if (!TEST_ptr(clientpsk)) 1482 goto end; 1483 SSL_SESSION_up_ref(clientpsk); 1484 1485 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 1486 SSL_ERROR_NONE)) 1487 || !TEST_int_eq(1, find_session_cb_cnt) 1488 || !TEST_int_eq(1, use_session_cb_cnt) 1489 /* We should always get 1 ticket when using external PSK */ 1490 || !TEST_int_eq(1, new_called)) 1491 goto end; 1492 1493 testresult = 1; 1494 1495 end: 1496 SSL_free(serverssl); 1497 SSL_free(clientssl); 1498 SSL_CTX_free(sctx); 1499 SSL_CTX_free(cctx); 1500 SSL_SESSION_free(clientpsk); 1501 SSL_SESSION_free(serverpsk); 1502 clientpsk = serverpsk = NULL; 1503 1504 return testresult; 1505 } 1506 #endif 1507 1508 #define USE_NULL 0 1509 #define USE_BIO_1 1 1510 #define USE_BIO_2 2 1511 #define USE_DEFAULT 3 1512 1513 #define CONNTYPE_CONNECTION_SUCCESS 0 1514 #define CONNTYPE_CONNECTION_FAIL 1 1515 #define CONNTYPE_NO_CONNECTION 2 1516 1517 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3) 1518 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2) 1519 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) 1520 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2) 1521 #else 1522 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0 1523 #endif 1524 1525 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \ 1526 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \ 1527 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 1528 1529 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type) 1530 { 1531 switch (type) { 1532 case USE_NULL: 1533 *res = NULL; 1534 break; 1535 case USE_BIO_1: 1536 *res = bio1; 1537 break; 1538 case USE_BIO_2: 1539 *res = bio2; 1540 break; 1541 } 1542 } 1543 1544 1545 /* 1546 * Tests calls to SSL_set_bio() under various conditions. 1547 * 1548 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with 1549 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We 1550 * then do more tests where we create a successful connection first using our 1551 * standard connection setup functions, and then call SSL_set_bio() with 1552 * various combinations of valid BIOs or NULL. We then repeat these tests 1553 * following a failed connection. In this last case we are looking to check that 1554 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL. 1555 */ 1556 static int test_ssl_set_bio(int idx) 1557 { 1558 SSL_CTX *sctx = NULL, *cctx = NULL; 1559 BIO *bio1 = NULL; 1560 BIO *bio2 = NULL; 1561 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL; 1562 SSL *serverssl = NULL, *clientssl = NULL; 1563 int initrbio, initwbio, newrbio, newwbio, conntype; 1564 int testresult = 0; 1565 1566 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) { 1567 initrbio = idx % 3; 1568 idx /= 3; 1569 initwbio = idx % 3; 1570 idx /= 3; 1571 newrbio = idx % 3; 1572 idx /= 3; 1573 newwbio = idx % 3; 1574 conntype = CONNTYPE_NO_CONNECTION; 1575 } else { 1576 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS; 1577 initrbio = initwbio = USE_DEFAULT; 1578 newrbio = idx % 2; 1579 idx /= 2; 1580 newwbio = idx % 2; 1581 idx /= 2; 1582 conntype = idx % 2; 1583 } 1584 1585 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), 1586 TLS1_VERSION, TLS_MAX_VERSION, 1587 &sctx, &cctx, cert, privkey))) 1588 goto end; 1589 1590 if (conntype == CONNTYPE_CONNECTION_FAIL) { 1591 /* 1592 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled 1593 * because we reduced the number of tests in the definition of 1594 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting 1595 * mismatched protocol versions we will force a connection failure. 1596 */ 1597 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION); 1598 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION); 1599 } 1600 1601 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 1602 NULL, NULL))) 1603 goto end; 1604 1605 if (initrbio == USE_BIO_1 1606 || initwbio == USE_BIO_1 1607 || newrbio == USE_BIO_1 1608 || newwbio == USE_BIO_1) { 1609 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem()))) 1610 goto end; 1611 } 1612 1613 if (initrbio == USE_BIO_2 1614 || initwbio == USE_BIO_2 1615 || newrbio == USE_BIO_2 1616 || newwbio == USE_BIO_2) { 1617 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem()))) 1618 goto end; 1619 } 1620 1621 if (initrbio != USE_DEFAULT) { 1622 setupbio(&irbio, bio1, bio2, initrbio); 1623 setupbio(&iwbio, bio1, bio2, initwbio); 1624 SSL_set_bio(clientssl, irbio, iwbio); 1625 1626 /* 1627 * We want to maintain our own refs to these BIO, so do an up ref for 1628 * each BIO that will have ownership transferred in the SSL_set_bio() 1629 * call 1630 */ 1631 if (irbio != NULL) 1632 BIO_up_ref(irbio); 1633 if (iwbio != NULL && iwbio != irbio) 1634 BIO_up_ref(iwbio); 1635 } 1636 1637 if (conntype != CONNTYPE_NO_CONNECTION 1638 && !TEST_true(create_ssl_connection(serverssl, clientssl, 1639 SSL_ERROR_NONE) 1640 == (conntype == CONNTYPE_CONNECTION_SUCCESS))) 1641 goto end; 1642 1643 setupbio(&nrbio, bio1, bio2, newrbio); 1644 setupbio(&nwbio, bio1, bio2, newwbio); 1645 1646 /* 1647 * We will (maybe) transfer ownership again so do more up refs. 1648 * SSL_set_bio() has some really complicated ownership rules where BIOs have 1649 * already been set! 1650 */ 1651 if (nrbio != NULL 1652 && nrbio != irbio 1653 && (nwbio != iwbio || nrbio != nwbio)) 1654 BIO_up_ref(nrbio); 1655 if (nwbio != NULL 1656 && nwbio != nrbio 1657 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio))) 1658 BIO_up_ref(nwbio); 1659 1660 SSL_set_bio(clientssl, nrbio, nwbio); 1661 1662 testresult = 1; 1663 1664 end: 1665 BIO_free(bio1); 1666 BIO_free(bio2); 1667 1668 /* 1669 * This test is checking that the ref counting for SSL_set_bio is correct. 1670 * If we get here and we did too many frees then we will fail in the above 1671 * functions. If we haven't done enough then this will only be detected in 1672 * a crypto-mdebug build 1673 */ 1674 SSL_free(serverssl); 1675 SSL_free(clientssl); 1676 SSL_CTX_free(sctx); 1677 SSL_CTX_free(cctx); 1678 return testresult; 1679 } 1680 1681 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t; 1682 1683 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio) 1684 { 1685 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL; 1686 SSL_CTX *ctx; 1687 SSL *ssl = NULL; 1688 int testresult = 0; 1689 1690 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method())) 1691 || !TEST_ptr(ssl = SSL_new(ctx)) 1692 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl())) 1693 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem()))) 1694 goto end; 1695 1696 BIO_set_ssl(sslbio, ssl, BIO_CLOSE); 1697 1698 /* 1699 * If anything goes wrong here then we could leak memory, so this will 1700 * be caught in a crypto-mdebug build 1701 */ 1702 BIO_push(sslbio, membio1); 1703 1704 /* Verify changing the rbio/wbio directly does not cause leaks */ 1705 if (change_bio != NO_BIO_CHANGE) { 1706 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) 1707 goto end; 1708 if (change_bio == CHANGE_RBIO) 1709 SSL_set0_rbio(ssl, membio2); 1710 else 1711 SSL_set0_wbio(ssl, membio2); 1712 } 1713 ssl = NULL; 1714 1715 if (pop_ssl) 1716 BIO_pop(sslbio); 1717 else 1718 BIO_pop(membio1); 1719 1720 testresult = 1; 1721 end: 1722 BIO_free(membio1); 1723 BIO_free(sslbio); 1724 SSL_free(ssl); 1725 SSL_CTX_free(ctx); 1726 1727 return testresult; 1728 } 1729 1730 static int test_ssl_bio_pop_next_bio(void) 1731 { 1732 return execute_test_ssl_bio(0, NO_BIO_CHANGE); 1733 } 1734 1735 static int test_ssl_bio_pop_ssl_bio(void) 1736 { 1737 return execute_test_ssl_bio(1, NO_BIO_CHANGE); 1738 } 1739 1740 static int test_ssl_bio_change_rbio(void) 1741 { 1742 return execute_test_ssl_bio(0, CHANGE_RBIO); 1743 } 1744 1745 static int test_ssl_bio_change_wbio(void) 1746 { 1747 return execute_test_ssl_bio(0, CHANGE_WBIO); 1748 } 1749 1750 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3) 1751 typedef struct { 1752 /* The list of sig algs */ 1753 const int *list; 1754 /* The length of the list */ 1755 size_t listlen; 1756 /* A sigalgs list in string format */ 1757 const char *liststr; 1758 /* Whether setting the list should succeed */ 1759 int valid; 1760 /* Whether creating a connection with the list should succeed */ 1761 int connsuccess; 1762 } sigalgs_list; 1763 1764 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA}; 1765 # ifndef OPENSSL_NO_EC 1766 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC}; 1767 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC}; 1768 # endif 1769 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA}; 1770 static const int invalidlist2[] = {NID_sha256, NID_undef}; 1771 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256}; 1772 static const int invalidlist4[] = {NID_sha256}; 1773 static const sigalgs_list testsigalgs[] = { 1774 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1}, 1775 # ifndef OPENSSL_NO_EC 1776 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1}, 1777 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0}, 1778 # endif 1779 {NULL, 0, "RSA+SHA256", 1, 1}, 1780 # ifndef OPENSSL_NO_EC 1781 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1}, 1782 {NULL, 0, "ECDSA+SHA512", 1, 0}, 1783 # endif 1784 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0}, 1785 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0}, 1786 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0}, 1787 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0}, 1788 {NULL, 0, "RSA", 0, 0}, 1789 {NULL, 0, "SHA256", 0, 0}, 1790 {NULL, 0, "RSA+SHA256:SHA256", 0, 0}, 1791 {NULL, 0, "Invalid", 0, 0} 1792 }; 1793 1794 static int test_set_sigalgs(int idx) 1795 { 1796 SSL_CTX *cctx = NULL, *sctx = NULL; 1797 SSL *clientssl = NULL, *serverssl = NULL; 1798 int testresult = 0; 1799 const sigalgs_list *curr; 1800 int testctx; 1801 1802 /* Should never happen */ 1803 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2)) 1804 return 0; 1805 1806 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs)); 1807 curr = testctx ? &testsigalgs[idx] 1808 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)]; 1809 1810 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), 1811 TLS1_VERSION, TLS_MAX_VERSION, 1812 &sctx, &cctx, cert, privkey))) 1813 return 0; 1814 1815 /* 1816 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it 1817 * for TLSv1.2 for now until we add a new API. 1818 */ 1819 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION); 1820 1821 if (testctx) { 1822 int ret; 1823 1824 if (curr->list != NULL) 1825 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen); 1826 else 1827 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr); 1828 1829 if (!ret) { 1830 if (curr->valid) 1831 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx); 1832 else 1833 testresult = 1; 1834 goto end; 1835 } 1836 if (!curr->valid) { 1837 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx); 1838 goto end; 1839 } 1840 } 1841 1842 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 1843 &clientssl, NULL, NULL))) 1844 goto end; 1845 1846 if (!testctx) { 1847 int ret; 1848 1849 if (curr->list != NULL) 1850 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen); 1851 else 1852 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr); 1853 if (!ret) { 1854 if (curr->valid) 1855 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx); 1856 else 1857 testresult = 1; 1858 goto end; 1859 } 1860 if (!curr->valid) 1861 goto end; 1862 } 1863 1864 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl, 1865 SSL_ERROR_NONE), 1866 curr->connsuccess)) 1867 goto end; 1868 1869 testresult = 1; 1870 1871 end: 1872 SSL_free(serverssl); 1873 SSL_free(clientssl); 1874 SSL_CTX_free(sctx); 1875 SSL_CTX_free(cctx); 1876 1877 return testresult; 1878 } 1879 #endif 1880 1881 #ifndef OPENSSL_NO_TLS1_3 1882 static int psk_client_cb_cnt = 0; 1883 static int psk_server_cb_cnt = 0; 1884 1885 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id, 1886 size_t *idlen, SSL_SESSION **sess) 1887 { 1888 switch (++use_session_cb_cnt) { 1889 case 1: 1890 /* The first call should always have a NULL md */ 1891 if (md != NULL) 1892 return 0; 1893 break; 1894 1895 case 2: 1896 /* The second call should always have an md */ 1897 if (md == NULL) 1898 return 0; 1899 break; 1900 1901 default: 1902 /* We should only be called a maximum of twice */ 1903 return 0; 1904 } 1905 1906 if (clientpsk != NULL) 1907 SSL_SESSION_up_ref(clientpsk); 1908 1909 *sess = clientpsk; 1910 *id = (const unsigned char *)pskid; 1911 *idlen = strlen(pskid); 1912 1913 return 1; 1914 } 1915 1916 #ifndef OPENSSL_NO_PSK 1917 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id, 1918 unsigned int max_id_len, 1919 unsigned char *psk, 1920 unsigned int max_psk_len) 1921 { 1922 unsigned int psklen = 0; 1923 1924 psk_client_cb_cnt++; 1925 1926 if (strlen(pskid) + 1 > max_id_len) 1927 return 0; 1928 1929 /* We should only ever be called a maximum of twice per connection */ 1930 if (psk_client_cb_cnt > 2) 1931 return 0; 1932 1933 if (clientpsk == NULL) 1934 return 0; 1935 1936 /* We'll reuse the PSK we set up for TLSv1.3 */ 1937 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len) 1938 return 0; 1939 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len); 1940 strncpy(id, pskid, max_id_len); 1941 1942 return psklen; 1943 } 1944 #endif /* OPENSSL_NO_PSK */ 1945 1946 static int find_session_cb(SSL *ssl, const unsigned char *identity, 1947 size_t identity_len, SSL_SESSION **sess) 1948 { 1949 find_session_cb_cnt++; 1950 1951 /* We should only ever be called a maximum of twice per connection */ 1952 if (find_session_cb_cnt > 2) 1953 return 0; 1954 1955 if (serverpsk == NULL) 1956 return 0; 1957 1958 /* Identity should match that set by the client */ 1959 if (strlen(srvid) != identity_len 1960 || strncmp(srvid, (const char *)identity, identity_len) != 0) { 1961 /* No PSK found, continue but without a PSK */ 1962 *sess = NULL; 1963 return 1; 1964 } 1965 1966 SSL_SESSION_up_ref(serverpsk); 1967 *sess = serverpsk; 1968 1969 return 1; 1970 } 1971 1972 #ifndef OPENSSL_NO_PSK 1973 static unsigned int psk_server_cb(SSL *ssl, const char *identity, 1974 unsigned char *psk, unsigned int max_psk_len) 1975 { 1976 unsigned int psklen = 0; 1977 1978 psk_server_cb_cnt++; 1979 1980 /* We should only ever be called a maximum of twice per connection */ 1981 if (find_session_cb_cnt > 2) 1982 return 0; 1983 1984 if (serverpsk == NULL) 1985 return 0; 1986 1987 /* Identity should match that set by the client */ 1988 if (strcmp(srvid, identity) != 0) { 1989 return 0; 1990 } 1991 1992 /* We'll reuse the PSK we set up for TLSv1.3 */ 1993 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len) 1994 return 0; 1995 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len); 1996 1997 return psklen; 1998 } 1999 #endif /* OPENSSL_NO_PSK */ 2000 2001 #define MSG1 "Hello" 2002 #define MSG2 "World." 2003 #define MSG3 "This" 2004 #define MSG4 "is" 2005 #define MSG5 "a" 2006 #define MSG6 "test" 2007 #define MSG7 "message." 2008 2009 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02") 2010 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01") 2011 2012 2013 static SSL_SESSION *create_a_psk(SSL *ssl) 2014 { 2015 const SSL_CIPHER *cipher = NULL; 2016 const unsigned char key[] = { 2017 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 2018 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 2019 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 2020 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 2021 0x2c, 0x2d, 0x2e, 0x2f 2022 }; 2023 SSL_SESSION *sess = NULL; 2024 2025 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES); 2026 sess = SSL_SESSION_new(); 2027 if (!TEST_ptr(sess) 2028 || !TEST_ptr(cipher) 2029 || !TEST_true(SSL_SESSION_set1_master_key(sess, key, 2030 sizeof(key))) 2031 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)) 2032 || !TEST_true( 2033 SSL_SESSION_set_protocol_version(sess, 2034 TLS1_3_VERSION))) { 2035 SSL_SESSION_free(sess); 2036 return NULL; 2037 } 2038 return sess; 2039 } 2040 2041 /* 2042 * Helper method to setup objects for early data test. Caller frees objects on 2043 * error. 2044 */ 2045 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl, 2046 SSL **serverssl, SSL_SESSION **sess, int idx) 2047 { 2048 if (*sctx == NULL 2049 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), 2050 TLS_client_method(), 2051 TLS1_VERSION, TLS_MAX_VERSION, 2052 sctx, cctx, cert, privkey))) 2053 return 0; 2054 2055 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH))) 2056 return 0; 2057 2058 if (idx == 1) { 2059 /* When idx == 1 we repeat the tests with read_ahead set */ 2060 SSL_CTX_set_read_ahead(*cctx, 1); 2061 SSL_CTX_set_read_ahead(*sctx, 1); 2062 } else if (idx == 2) { 2063 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */ 2064 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb); 2065 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb); 2066 use_session_cb_cnt = 0; 2067 find_session_cb_cnt = 0; 2068 srvid = pskid; 2069 } 2070 2071 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl, 2072 NULL, NULL))) 2073 return 0; 2074 2075 /* 2076 * For one of the run throughs (doesn't matter which one), we'll try sending 2077 * some SNI data in the initial ClientHello. This will be ignored (because 2078 * there is no SNI cb set up by the server), so it should not impact 2079 * early_data. 2080 */ 2081 if (idx == 1 2082 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost"))) 2083 return 0; 2084 2085 if (idx == 2) { 2086 clientpsk = create_a_psk(*clientssl); 2087 if (!TEST_ptr(clientpsk) 2088 /* 2089 * We just choose an arbitrary value for max_early_data which 2090 * should be big enough for testing purposes. 2091 */ 2092 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk, 2093 0x100)) 2094 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) { 2095 SSL_SESSION_free(clientpsk); 2096 clientpsk = NULL; 2097 return 0; 2098 } 2099 serverpsk = clientpsk; 2100 2101 if (sess != NULL) { 2102 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) { 2103 SSL_SESSION_free(clientpsk); 2104 SSL_SESSION_free(serverpsk); 2105 clientpsk = serverpsk = NULL; 2106 return 0; 2107 } 2108 *sess = clientpsk; 2109 } 2110 return 1; 2111 } 2112 2113 if (sess == NULL) 2114 return 1; 2115 2116 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl, 2117 SSL_ERROR_NONE))) 2118 return 0; 2119 2120 *sess = SSL_get1_session(*clientssl); 2121 SSL_shutdown(*clientssl); 2122 SSL_shutdown(*serverssl); 2123 SSL_free(*serverssl); 2124 SSL_free(*clientssl); 2125 *serverssl = *clientssl = NULL; 2126 2127 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, 2128 clientssl, NULL, NULL)) 2129 || !TEST_true(SSL_set_session(*clientssl, *sess))) 2130 return 0; 2131 2132 return 1; 2133 } 2134 2135 static int test_early_data_read_write(int idx) 2136 { 2137 SSL_CTX *cctx = NULL, *sctx = NULL; 2138 SSL *clientssl = NULL, *serverssl = NULL; 2139 int testresult = 0; 2140 SSL_SESSION *sess = NULL; 2141 unsigned char buf[20], data[1024]; 2142 size_t readbytes, written, eoedlen, rawread, rawwritten; 2143 BIO *rbio; 2144 2145 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, 2146 &serverssl, &sess, idx))) 2147 goto end; 2148 2149 /* Write and read some early data */ 2150 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), 2151 &written)) 2152 || !TEST_size_t_eq(written, strlen(MSG1)) 2153 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, 2154 sizeof(buf), &readbytes), 2155 SSL_READ_EARLY_DATA_SUCCESS) 2156 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1)) 2157 || !TEST_int_eq(SSL_get_early_data_status(serverssl), 2158 SSL_EARLY_DATA_ACCEPTED)) 2159 goto end; 2160 2161 /* 2162 * Server should be able to write data, and client should be able to 2163 * read it. 2164 */ 2165 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2), 2166 &written)) 2167 || !TEST_size_t_eq(written, strlen(MSG2)) 2168 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)) 2169 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2))) 2170 goto end; 2171 2172 /* Even after reading normal data, client should be able write early data */ 2173 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3), 2174 &written)) 2175 || !TEST_size_t_eq(written, strlen(MSG3))) 2176 goto end; 2177 2178 /* Server should still be able read early data after writing data */ 2179 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 2180 &readbytes), 2181 SSL_READ_EARLY_DATA_SUCCESS) 2182 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3))) 2183 goto end; 2184 2185 /* Write more data from server and read it from client */ 2186 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4), 2187 &written)) 2188 || !TEST_size_t_eq(written, strlen(MSG4)) 2189 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)) 2190 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4))) 2191 goto end; 2192 2193 /* 2194 * If client writes normal data it should mean writing early data is no 2195 * longer possible. 2196 */ 2197 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written)) 2198 || !TEST_size_t_eq(written, strlen(MSG5)) 2199 || !TEST_int_eq(SSL_get_early_data_status(clientssl), 2200 SSL_EARLY_DATA_ACCEPTED)) 2201 goto end; 2202 2203 /* 2204 * At this point the client has written EndOfEarlyData, ClientFinished and 2205 * normal (fully protected) data. We are going to cause a delay between the 2206 * arrival of EndOfEarlyData and ClientFinished. We read out all the data 2207 * in the read BIO, and then just put back the EndOfEarlyData message. 2208 */ 2209 rbio = SSL_get_rbio(serverssl); 2210 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread)) 2211 || !TEST_size_t_lt(rawread, sizeof(data)) 2212 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH)) 2213 goto end; 2214 2215 /* Record length is in the 4th and 5th bytes of the record header */ 2216 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]); 2217 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten)) 2218 || !TEST_size_t_eq(rawwritten, eoedlen)) 2219 goto end; 2220 2221 /* Server should be told that there is no more early data */ 2222 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 2223 &readbytes), 2224 SSL_READ_EARLY_DATA_FINISH) 2225 || !TEST_size_t_eq(readbytes, 0)) 2226 goto end; 2227 2228 /* 2229 * Server has not finished init yet, so should still be able to write early 2230 * data. 2231 */ 2232 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6), 2233 &written)) 2234 || !TEST_size_t_eq(written, strlen(MSG6))) 2235 goto end; 2236 2237 /* Push the ClientFinished and the normal data back into the server rbio */ 2238 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen, 2239 &rawwritten)) 2240 || !TEST_size_t_eq(rawwritten, rawread - eoedlen)) 2241 goto end; 2242 2243 /* Server should be able to read normal data */ 2244 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)) 2245 || !TEST_size_t_eq(readbytes, strlen(MSG5))) 2246 goto end; 2247 2248 /* Client and server should not be able to write/read early data now */ 2249 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6), 2250 &written))) 2251 goto end; 2252 ERR_clear_error(); 2253 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 2254 &readbytes), 2255 SSL_READ_EARLY_DATA_ERROR)) 2256 goto end; 2257 ERR_clear_error(); 2258 2259 /* Client should be able to read the data sent by the server */ 2260 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)) 2261 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6))) 2262 goto end; 2263 2264 /* 2265 * Make sure we process the two NewSessionTickets. These arrive 2266 * post-handshake. We attempt reads which we do not expect to return any 2267 * data. 2268 */ 2269 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)) 2270 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), 2271 &readbytes))) 2272 goto end; 2273 2274 /* Server should be able to write normal data */ 2275 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written)) 2276 || !TEST_size_t_eq(written, strlen(MSG7)) 2277 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)) 2278 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7))) 2279 goto end; 2280 2281 SSL_SESSION_free(sess); 2282 sess = SSL_get1_session(clientssl); 2283 use_session_cb_cnt = 0; 2284 find_session_cb_cnt = 0; 2285 2286 SSL_shutdown(clientssl); 2287 SSL_shutdown(serverssl); 2288 SSL_free(serverssl); 2289 SSL_free(clientssl); 2290 serverssl = clientssl = NULL; 2291 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 2292 &clientssl, NULL, NULL)) 2293 || !TEST_true(SSL_set_session(clientssl, sess))) 2294 goto end; 2295 2296 /* Write and read some early data */ 2297 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), 2298 &written)) 2299 || !TEST_size_t_eq(written, strlen(MSG1)) 2300 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 2301 &readbytes), 2302 SSL_READ_EARLY_DATA_SUCCESS) 2303 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))) 2304 goto end; 2305 2306 if (!TEST_int_gt(SSL_connect(clientssl), 0) 2307 || !TEST_int_gt(SSL_accept(serverssl), 0)) 2308 goto end; 2309 2310 /* Client and server should not be able to write/read early data now */ 2311 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6), 2312 &written))) 2313 goto end; 2314 ERR_clear_error(); 2315 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 2316 &readbytes), 2317 SSL_READ_EARLY_DATA_ERROR)) 2318 goto end; 2319 ERR_clear_error(); 2320 2321 /* Client and server should be able to write/read normal data */ 2322 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written)) 2323 || !TEST_size_t_eq(written, strlen(MSG5)) 2324 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)) 2325 || !TEST_size_t_eq(readbytes, strlen(MSG5))) 2326 goto end; 2327 2328 testresult = 1; 2329 2330 end: 2331 SSL_SESSION_free(sess); 2332 SSL_SESSION_free(clientpsk); 2333 SSL_SESSION_free(serverpsk); 2334 clientpsk = serverpsk = NULL; 2335 SSL_free(serverssl); 2336 SSL_free(clientssl); 2337 SSL_CTX_free(sctx); 2338 SSL_CTX_free(cctx); 2339 return testresult; 2340 } 2341 2342 static int allow_ed_cb_called = 0; 2343 2344 static int allow_early_data_cb(SSL *s, void *arg) 2345 { 2346 int *usecb = (int *)arg; 2347 2348 allow_ed_cb_called++; 2349 2350 if (*usecb == 1) 2351 return 0; 2352 2353 return 1; 2354 } 2355 2356 /* 2357 * idx == 0: Standard early_data setup 2358 * idx == 1: early_data setup using read_ahead 2359 * usecb == 0: Don't use a custom early data callback 2360 * usecb == 1: Use a custom early data callback and reject the early data 2361 * usecb == 2: Use a custom early data callback and accept the early data 2362 * confopt == 0: Configure anti-replay directly 2363 * confopt == 1: Configure anti-replay using SSL_CONF 2364 */ 2365 static int test_early_data_replay_int(int idx, int usecb, int confopt) 2366 { 2367 SSL_CTX *cctx = NULL, *sctx = NULL; 2368 SSL *clientssl = NULL, *serverssl = NULL; 2369 int testresult = 0; 2370 SSL_SESSION *sess = NULL; 2371 size_t readbytes, written; 2372 unsigned char buf[20]; 2373 2374 allow_ed_cb_called = 0; 2375 2376 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), 2377 TLS1_VERSION, TLS_MAX_VERSION, &sctx, 2378 &cctx, cert, privkey))) 2379 return 0; 2380 2381 if (usecb > 0) { 2382 if (confopt == 0) { 2383 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY); 2384 } else { 2385 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new(); 2386 2387 if (!TEST_ptr(confctx)) 2388 goto end; 2389 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE 2390 | SSL_CONF_FLAG_SERVER); 2391 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx); 2392 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"), 2393 2)) { 2394 SSL_CONF_CTX_free(confctx); 2395 goto end; 2396 } 2397 SSL_CONF_CTX_free(confctx); 2398 } 2399 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb); 2400 } 2401 2402 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, 2403 &serverssl, &sess, idx))) 2404 goto end; 2405 2406 /* 2407 * The server is configured to accept early data. Create a connection to 2408 * "use up" the ticket 2409 */ 2410 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) 2411 || !TEST_true(SSL_session_reused(clientssl))) 2412 goto end; 2413 2414 SSL_shutdown(clientssl); 2415 SSL_shutdown(serverssl); 2416 SSL_free(serverssl); 2417 SSL_free(clientssl); 2418 serverssl = clientssl = NULL; 2419 2420 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 2421 &clientssl, NULL, NULL)) 2422 || !TEST_true(SSL_set_session(clientssl, sess))) 2423 goto end; 2424 2425 /* Write and read some early data */ 2426 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), 2427 &written)) 2428 || !TEST_size_t_eq(written, strlen(MSG1))) 2429 goto end; 2430 2431 if (usecb <= 1) { 2432 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 2433 &readbytes), 2434 SSL_READ_EARLY_DATA_FINISH) 2435 /* 2436 * The ticket was reused, so the we should have rejected the 2437 * early data 2438 */ 2439 || !TEST_int_eq(SSL_get_early_data_status(serverssl), 2440 SSL_EARLY_DATA_REJECTED)) 2441 goto end; 2442 } else { 2443 /* In this case the callback decides to accept the early data */ 2444 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 2445 &readbytes), 2446 SSL_READ_EARLY_DATA_SUCCESS) 2447 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes) 2448 /* 2449 * Server will have sent its flight so client can now send 2450 * end of early data and complete its half of the handshake 2451 */ 2452 || !TEST_int_gt(SSL_connect(clientssl), 0) 2453 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 2454 &readbytes), 2455 SSL_READ_EARLY_DATA_FINISH) 2456 || !TEST_int_eq(SSL_get_early_data_status(serverssl), 2457 SSL_EARLY_DATA_ACCEPTED)) 2458 goto end; 2459 } 2460 2461 /* Complete the connection */ 2462 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) 2463 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0) 2464 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0)) 2465 goto end; 2466 2467 testresult = 1; 2468 2469 end: 2470 SSL_SESSION_free(sess); 2471 SSL_SESSION_free(clientpsk); 2472 SSL_SESSION_free(serverpsk); 2473 clientpsk = serverpsk = NULL; 2474 SSL_free(serverssl); 2475 SSL_free(clientssl); 2476 SSL_CTX_free(sctx); 2477 SSL_CTX_free(cctx); 2478 return testresult; 2479 } 2480 2481 static int test_early_data_replay(int idx) 2482 { 2483 int ret = 1, usecb, confopt; 2484 2485 for (usecb = 0; usecb < 3; usecb++) { 2486 for (confopt = 0; confopt < 2; confopt++) 2487 ret &= test_early_data_replay_int(idx, usecb, confopt); 2488 } 2489 2490 return ret; 2491 } 2492 2493 /* 2494 * Helper function to test that a server attempting to read early data can 2495 * handle a connection from a client where the early data should be skipped. 2496 * testtype: 0 == No HRR 2497 * testtype: 1 == HRR 2498 * testtype: 2 == HRR, invalid early_data sent after HRR 2499 * testtype: 3 == recv_max_early_data set to 0 2500 */ 2501 static int early_data_skip_helper(int testtype, int idx) 2502 { 2503 SSL_CTX *cctx = NULL, *sctx = NULL; 2504 SSL *clientssl = NULL, *serverssl = NULL; 2505 int testresult = 0; 2506 SSL_SESSION *sess = NULL; 2507 unsigned char buf[20]; 2508 size_t readbytes, written; 2509 2510 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, 2511 &serverssl, &sess, idx))) 2512 goto end; 2513 2514 if (testtype == 1 || testtype == 2) { 2515 /* Force an HRR to occur */ 2516 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256"))) 2517 goto end; 2518 } else if (idx == 2) { 2519 /* 2520 * We force early_data rejection by ensuring the PSK identity is 2521 * unrecognised 2522 */ 2523 srvid = "Dummy Identity"; 2524 } else { 2525 /* 2526 * Deliberately corrupt the creation time. We take 20 seconds off the 2527 * time. It could be any value as long as it is not within tolerance. 2528 * This should mean the ticket is rejected. 2529 */ 2530 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20)))) 2531 goto end; 2532 } 2533 2534 if (testtype == 3 2535 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0))) 2536 goto end; 2537 2538 /* Write some early data */ 2539 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), 2540 &written)) 2541 || !TEST_size_t_eq(written, strlen(MSG1))) 2542 goto end; 2543 2544 /* Server should reject the early data */ 2545 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 2546 &readbytes), 2547 SSL_READ_EARLY_DATA_FINISH) 2548 || !TEST_size_t_eq(readbytes, 0) 2549 || !TEST_int_eq(SSL_get_early_data_status(serverssl), 2550 SSL_EARLY_DATA_REJECTED)) 2551 goto end; 2552 2553 switch (testtype) { 2554 case 0: 2555 /* Nothing to do */ 2556 break; 2557 2558 case 1: 2559 /* 2560 * Finish off the handshake. We perform the same writes and reads as 2561 * further down but we expect them to fail due to the incomplete 2562 * handshake. 2563 */ 2564 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written)) 2565 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), 2566 &readbytes))) 2567 goto end; 2568 break; 2569 2570 case 2: 2571 { 2572 BIO *wbio = SSL_get_wbio(clientssl); 2573 /* A record that will appear as bad early_data */ 2574 const unsigned char bad_early_data[] = { 2575 0x17, 0x03, 0x03, 0x00, 0x01, 0x00 2576 }; 2577 2578 /* 2579 * We force the client to attempt a write. This will fail because 2580 * we're still in the handshake. It will cause the second 2581 * ClientHello to be sent. 2582 */ 2583 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), 2584 &written))) 2585 goto end; 2586 2587 /* 2588 * Inject some early_data after the second ClientHello. This should 2589 * cause the server to fail 2590 */ 2591 if (!TEST_true(BIO_write_ex(wbio, bad_early_data, 2592 sizeof(bad_early_data), &written))) 2593 goto end; 2594 } 2595 /* fallthrough */ 2596 2597 case 3: 2598 /* 2599 * This client has sent more early_data than we are willing to skip 2600 * (case 3) or sent invalid early_data (case 2) so the connection should 2601 * abort. 2602 */ 2603 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)) 2604 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL)) 2605 goto end; 2606 2607 /* Connection has failed - nothing more to do */ 2608 testresult = 1; 2609 goto end; 2610 2611 default: 2612 TEST_error("Invalid test type"); 2613 goto end; 2614 } 2615 2616 /* 2617 * Should be able to send normal data despite rejection of early data. The 2618 * early_data should be skipped. 2619 */ 2620 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written)) 2621 || !TEST_size_t_eq(written, strlen(MSG2)) 2622 || !TEST_int_eq(SSL_get_early_data_status(clientssl), 2623 SSL_EARLY_DATA_REJECTED) 2624 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)) 2625 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2))) 2626 goto end; 2627 2628 testresult = 1; 2629 2630 end: 2631 SSL_SESSION_free(clientpsk); 2632 SSL_SESSION_free(serverpsk); 2633 clientpsk = serverpsk = NULL; 2634 SSL_SESSION_free(sess); 2635 SSL_free(serverssl); 2636 SSL_free(clientssl); 2637 SSL_CTX_free(sctx); 2638 SSL_CTX_free(cctx); 2639 return testresult; 2640 } 2641 2642 /* 2643 * Test that a server attempting to read early data can handle a connection 2644 * from a client where the early data is not acceptable. 2645 */ 2646 static int test_early_data_skip(int idx) 2647 { 2648 return early_data_skip_helper(0, idx); 2649 } 2650 2651 /* 2652 * Test that a server attempting to read early data can handle a connection 2653 * from a client where an HRR occurs. 2654 */ 2655 static int test_early_data_skip_hrr(int idx) 2656 { 2657 return early_data_skip_helper(1, idx); 2658 } 2659 2660 /* 2661 * Test that a server attempting to read early data can handle a connection 2662 * from a client where an HRR occurs and correctly fails if early_data is sent 2663 * after the HRR 2664 */ 2665 static int test_early_data_skip_hrr_fail(int idx) 2666 { 2667 return early_data_skip_helper(2, idx); 2668 } 2669 2670 /* 2671 * Test that a server attempting to read early data will abort if it tries to 2672 * skip over too much. 2673 */ 2674 static int test_early_data_skip_abort(int idx) 2675 { 2676 return early_data_skip_helper(3, idx); 2677 } 2678 2679 /* 2680 * Test that a server attempting to read early data can handle a connection 2681 * from a client that doesn't send any. 2682 */ 2683 static int test_early_data_not_sent(int idx) 2684 { 2685 SSL_CTX *cctx = NULL, *sctx = NULL; 2686 SSL *clientssl = NULL, *serverssl = NULL; 2687 int testresult = 0; 2688 SSL_SESSION *sess = NULL; 2689 unsigned char buf[20]; 2690 size_t readbytes, written; 2691 2692 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, 2693 &serverssl, &sess, idx))) 2694 goto end; 2695 2696 /* Write some data - should block due to handshake with server */ 2697 SSL_set_connect_state(clientssl); 2698 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))) 2699 goto end; 2700 2701 /* Server should detect that early data has not been sent */ 2702 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 2703 &readbytes), 2704 SSL_READ_EARLY_DATA_FINISH) 2705 || !TEST_size_t_eq(readbytes, 0) 2706 || !TEST_int_eq(SSL_get_early_data_status(serverssl), 2707 SSL_EARLY_DATA_NOT_SENT) 2708 || !TEST_int_eq(SSL_get_early_data_status(clientssl), 2709 SSL_EARLY_DATA_NOT_SENT)) 2710 goto end; 2711 2712 /* Continue writing the message we started earlier */ 2713 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)) 2714 || !TEST_size_t_eq(written, strlen(MSG1)) 2715 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)) 2716 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)) 2717 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written) 2718 || !TEST_size_t_eq(written, strlen(MSG2))) 2719 goto end; 2720 2721 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)) 2722 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2))) 2723 goto end; 2724 2725 testresult = 1; 2726 2727 end: 2728 SSL_SESSION_free(sess); 2729 SSL_SESSION_free(clientpsk); 2730 SSL_SESSION_free(serverpsk); 2731 clientpsk = serverpsk = NULL; 2732 SSL_free(serverssl); 2733 SSL_free(clientssl); 2734 SSL_CTX_free(sctx); 2735 SSL_CTX_free(cctx); 2736 return testresult; 2737 } 2738 2739 static int hostname_cb(SSL *s, int *al, void *arg) 2740 { 2741 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name); 2742 2743 if (hostname != NULL && strcmp(hostname, "goodhost") == 0) 2744 return SSL_TLSEXT_ERR_OK; 2745 2746 return SSL_TLSEXT_ERR_NOACK; 2747 } 2748 2749 static const char *servalpn; 2750 2751 static int alpn_select_cb(SSL *ssl, const unsigned char **out, 2752 unsigned char *outlen, const unsigned char *in, 2753 unsigned int inlen, void *arg) 2754 { 2755 unsigned int protlen = 0; 2756 const unsigned char *prot; 2757 2758 for (prot = in; prot < in + inlen; prot += protlen) { 2759 protlen = *prot++; 2760 if (in + inlen < prot + protlen) 2761 return SSL_TLSEXT_ERR_NOACK; 2762 2763 if (protlen == strlen(servalpn) 2764 && memcmp(prot, servalpn, protlen) == 0) { 2765 *out = prot; 2766 *outlen = protlen; 2767 return SSL_TLSEXT_ERR_OK; 2768 } 2769 } 2770 2771 return SSL_TLSEXT_ERR_NOACK; 2772 } 2773 2774 /* Test that a PSK can be used to send early_data */ 2775 static int test_early_data_psk(int idx) 2776 { 2777 SSL_CTX *cctx = NULL, *sctx = NULL; 2778 SSL *clientssl = NULL, *serverssl = NULL; 2779 int testresult = 0; 2780 SSL_SESSION *sess = NULL; 2781 unsigned char alpnlist[] = { 2782 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a', 2783 'l', 'p', 'n' 2784 }; 2785 #define GOODALPNLEN 9 2786 #define BADALPNLEN 8 2787 #define GOODALPN (alpnlist) 2788 #define BADALPN (alpnlist + GOODALPNLEN) 2789 int err = 0; 2790 unsigned char buf[20]; 2791 size_t readbytes, written; 2792 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1; 2793 int edstatus = SSL_EARLY_DATA_ACCEPTED; 2794 2795 /* We always set this up with a final parameter of "2" for PSK */ 2796 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, 2797 &serverssl, &sess, 2))) 2798 goto end; 2799 2800 servalpn = "goodalpn"; 2801 2802 /* 2803 * Note: There is no test for inconsistent SNI with late client detection. 2804 * This is because servers do not acknowledge SNI even if they are using 2805 * it in a resumption handshake - so it is not actually possible for a 2806 * client to detect a problem. 2807 */ 2808 switch (idx) { 2809 case 0: 2810 /* Set inconsistent SNI (early client detection) */ 2811 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI; 2812 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost")) 2813 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost"))) 2814 goto end; 2815 break; 2816 2817 case 1: 2818 /* Set inconsistent ALPN (early client detection) */ 2819 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN; 2820 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */ 2821 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN, 2822 GOODALPNLEN)) 2823 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN, 2824 BADALPNLEN))) 2825 goto end; 2826 break; 2827 2828 case 2: 2829 /* 2830 * Set invalid protocol version. Technically this affects PSKs without 2831 * early_data too, but we test it here because it is similar to the 2832 * SNI/ALPN consistency tests. 2833 */ 2834 err = SSL_R_BAD_PSK; 2835 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION))) 2836 goto end; 2837 break; 2838 2839 case 3: 2840 /* 2841 * Set inconsistent SNI (server detected). In this case the connection 2842 * will succeed but reject early_data. 2843 */ 2844 SSL_SESSION_free(serverpsk); 2845 serverpsk = SSL_SESSION_dup(clientpsk); 2846 if (!TEST_ptr(serverpsk) 2847 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost"))) 2848 goto end; 2849 edstatus = SSL_EARLY_DATA_REJECTED; 2850 readearlyres = SSL_READ_EARLY_DATA_FINISH; 2851 /* Fall through */ 2852 case 4: 2853 /* Set consistent SNI */ 2854 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost")) 2855 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")) 2856 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, 2857 hostname_cb))) 2858 goto end; 2859 break; 2860 2861 case 5: 2862 /* 2863 * Set inconsistent ALPN (server detected). In this case the connection 2864 * will succeed but reject early_data. 2865 */ 2866 servalpn = "badalpn"; 2867 edstatus = SSL_EARLY_DATA_REJECTED; 2868 readearlyres = SSL_READ_EARLY_DATA_FINISH; 2869 /* Fall through */ 2870 case 6: 2871 /* 2872 * Set consistent ALPN. 2873 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It 2874 * accepts a list of protos (each one length prefixed). 2875 * SSL_set1_alpn_selected accepts a single protocol (not length 2876 * prefixed) 2877 */ 2878 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1, 2879 GOODALPNLEN - 1)) 2880 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN, 2881 GOODALPNLEN))) 2882 goto end; 2883 2884 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL); 2885 break; 2886 2887 case 7: 2888 /* Set inconsistent ALPN (late client detection) */ 2889 SSL_SESSION_free(serverpsk); 2890 serverpsk = SSL_SESSION_dup(clientpsk); 2891 if (!TEST_ptr(serverpsk) 2892 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk, 2893 BADALPN + 1, 2894 BADALPNLEN - 1)) 2895 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk, 2896 GOODALPN + 1, 2897 GOODALPNLEN - 1)) 2898 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist, 2899 sizeof(alpnlist)))) 2900 goto end; 2901 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL); 2902 edstatus = SSL_EARLY_DATA_ACCEPTED; 2903 readearlyres = SSL_READ_EARLY_DATA_SUCCESS; 2904 /* SSL_connect() call should fail */ 2905 connectres = -1; 2906 break; 2907 2908 default: 2909 TEST_error("Bad test index"); 2910 goto end; 2911 } 2912 2913 SSL_set_connect_state(clientssl); 2914 if (err != 0) { 2915 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), 2916 &written)) 2917 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL) 2918 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err)) 2919 goto end; 2920 } else { 2921 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), 2922 &written))) 2923 goto end; 2924 2925 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 2926 &readbytes), readearlyres) 2927 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS 2928 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))) 2929 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus) 2930 || !TEST_int_eq(SSL_connect(clientssl), connectres)) 2931 goto end; 2932 } 2933 2934 testresult = 1; 2935 2936 end: 2937 SSL_SESSION_free(sess); 2938 SSL_SESSION_free(clientpsk); 2939 SSL_SESSION_free(serverpsk); 2940 clientpsk = serverpsk = NULL; 2941 SSL_free(serverssl); 2942 SSL_free(clientssl); 2943 SSL_CTX_free(sctx); 2944 SSL_CTX_free(cctx); 2945 return testresult; 2946 } 2947 2948 /* 2949 * Test that a server that doesn't try to read early data can handle a 2950 * client sending some. 2951 */ 2952 static int test_early_data_not_expected(int idx) 2953 { 2954 SSL_CTX *cctx = NULL, *sctx = NULL; 2955 SSL *clientssl = NULL, *serverssl = NULL; 2956 int testresult = 0; 2957 SSL_SESSION *sess = NULL; 2958 unsigned char buf[20]; 2959 size_t readbytes, written; 2960 2961 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, 2962 &serverssl, &sess, idx))) 2963 goto end; 2964 2965 /* Write some early data */ 2966 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), 2967 &written))) 2968 goto end; 2969 2970 /* 2971 * Server should skip over early data and then block waiting for client to 2972 * continue handshake 2973 */ 2974 if (!TEST_int_le(SSL_accept(serverssl), 0) 2975 || !TEST_int_gt(SSL_connect(clientssl), 0) 2976 || !TEST_int_eq(SSL_get_early_data_status(serverssl), 2977 SSL_EARLY_DATA_REJECTED) 2978 || !TEST_int_gt(SSL_accept(serverssl), 0) 2979 || !TEST_int_eq(SSL_get_early_data_status(clientssl), 2980 SSL_EARLY_DATA_REJECTED)) 2981 goto end; 2982 2983 /* Send some normal data from client to server */ 2984 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written)) 2985 || !TEST_size_t_eq(written, strlen(MSG2))) 2986 goto end; 2987 2988 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)) 2989 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2))) 2990 goto end; 2991 2992 testresult = 1; 2993 2994 end: 2995 SSL_SESSION_free(sess); 2996 SSL_SESSION_free(clientpsk); 2997 SSL_SESSION_free(serverpsk); 2998 clientpsk = serverpsk = NULL; 2999 SSL_free(serverssl); 3000 SSL_free(clientssl); 3001 SSL_CTX_free(sctx); 3002 SSL_CTX_free(cctx); 3003 return testresult; 3004 } 3005 3006 3007 # ifndef OPENSSL_NO_TLS1_2 3008 /* 3009 * Test that a server attempting to read early data can handle a connection 3010 * from a TLSv1.2 client. 3011 */ 3012 static int test_early_data_tls1_2(int idx) 3013 { 3014 SSL_CTX *cctx = NULL, *sctx = NULL; 3015 SSL *clientssl = NULL, *serverssl = NULL; 3016 int testresult = 0; 3017 unsigned char buf[20]; 3018 size_t readbytes, written; 3019 3020 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, 3021 &serverssl, NULL, idx))) 3022 goto end; 3023 3024 /* Write some data - should block due to handshake with server */ 3025 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION); 3026 SSL_set_connect_state(clientssl); 3027 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))) 3028 goto end; 3029 3030 /* 3031 * Server should do TLSv1.2 handshake. First it will block waiting for more 3032 * messages from client after ServerDone. Then SSL_read_early_data should 3033 * finish and detect that early data has not been sent 3034 */ 3035 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 3036 &readbytes), 3037 SSL_READ_EARLY_DATA_ERROR)) 3038 goto end; 3039 3040 /* 3041 * Continue writing the message we started earlier. Will still block waiting 3042 * for the CCS/Finished from server 3043 */ 3044 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)) 3045 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 3046 &readbytes), 3047 SSL_READ_EARLY_DATA_FINISH) 3048 || !TEST_size_t_eq(readbytes, 0) 3049 || !TEST_int_eq(SSL_get_early_data_status(serverssl), 3050 SSL_EARLY_DATA_NOT_SENT)) 3051 goto end; 3052 3053 /* Continue writing the message we started earlier */ 3054 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)) 3055 || !TEST_size_t_eq(written, strlen(MSG1)) 3056 || !TEST_int_eq(SSL_get_early_data_status(clientssl), 3057 SSL_EARLY_DATA_NOT_SENT) 3058 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)) 3059 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)) 3060 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)) 3061 || !TEST_size_t_eq(written, strlen(MSG2)) 3062 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes) 3063 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2))) 3064 goto end; 3065 3066 testresult = 1; 3067 3068 end: 3069 SSL_SESSION_free(clientpsk); 3070 SSL_SESSION_free(serverpsk); 3071 clientpsk = serverpsk = NULL; 3072 SSL_free(serverssl); 3073 SSL_free(clientssl); 3074 SSL_CTX_free(sctx); 3075 SSL_CTX_free(cctx); 3076 3077 return testresult; 3078 } 3079 # endif /* OPENSSL_NO_TLS1_2 */ 3080 3081 /* 3082 * Test configuring the TLSv1.3 ciphersuites 3083 * 3084 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list) 3085 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list) 3086 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list) 3087 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list) 3088 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list) 3089 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list) 3090 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list) 3091 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list) 3092 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list) 3093 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list) 3094 */ 3095 static int test_set_ciphersuite(int idx) 3096 { 3097 SSL_CTX *cctx = NULL, *sctx = NULL; 3098 SSL *clientssl = NULL, *serverssl = NULL; 3099 int testresult = 0; 3100 3101 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), 3102 TLS1_VERSION, TLS_MAX_VERSION, 3103 &sctx, &cctx, cert, privkey)) 3104 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, 3105 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256"))) 3106 goto end; 3107 3108 if (idx >=4 && idx <= 7) { 3109 /* SSL_CTX explicit cipher list */ 3110 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384"))) 3111 goto end; 3112 } 3113 3114 if (idx == 0 || idx == 4) { 3115 /* Default ciphersuite */ 3116 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, 3117 "TLS_AES_128_GCM_SHA256"))) 3118 goto end; 3119 } else if (idx == 1 || idx == 5) { 3120 /* Non default ciphersuite */ 3121 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, 3122 "TLS_AES_128_CCM_SHA256"))) 3123 goto end; 3124 } 3125 3126 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 3127 &clientssl, NULL, NULL))) 3128 goto end; 3129 3130 if (idx == 8 || idx == 9) { 3131 /* SSL explicit cipher list */ 3132 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))) 3133 goto end; 3134 } 3135 3136 if (idx == 2 || idx == 6 || idx == 8) { 3137 /* Default ciphersuite */ 3138 if (!TEST_true(SSL_set_ciphersuites(clientssl, 3139 "TLS_AES_128_GCM_SHA256"))) 3140 goto end; 3141 } else if (idx == 3 || idx == 7 || idx == 9) { 3142 /* Non default ciphersuite */ 3143 if (!TEST_true(SSL_set_ciphersuites(clientssl, 3144 "TLS_AES_128_CCM_SHA256"))) 3145 goto end; 3146 } 3147 3148 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 3149 goto end; 3150 3151 testresult = 1; 3152 3153 end: 3154 SSL_free(serverssl); 3155 SSL_free(clientssl); 3156 SSL_CTX_free(sctx); 3157 SSL_CTX_free(cctx); 3158 3159 return testresult; 3160 } 3161 3162 static int test_ciphersuite_change(void) 3163 { 3164 SSL_CTX *cctx = NULL, *sctx = NULL; 3165 SSL *clientssl = NULL, *serverssl = NULL; 3166 SSL_SESSION *clntsess = NULL; 3167 int testresult = 0; 3168 const SSL_CIPHER *aes_128_gcm_sha256 = NULL; 3169 3170 /* Create a session based on SHA-256 */ 3171 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), 3172 TLS1_VERSION, TLS_MAX_VERSION, 3173 &sctx, &cctx, cert, privkey)) 3174 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, 3175 "TLS_AES_128_GCM_SHA256")) 3176 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 3177 &clientssl, NULL, NULL)) 3178 || !TEST_true(create_ssl_connection(serverssl, clientssl, 3179 SSL_ERROR_NONE))) 3180 goto end; 3181 3182 clntsess = SSL_get1_session(clientssl); 3183 /* Save for later */ 3184 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess); 3185 SSL_shutdown(clientssl); 3186 SSL_shutdown(serverssl); 3187 SSL_free(serverssl); 3188 SSL_free(clientssl); 3189 serverssl = clientssl = NULL; 3190 3191 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) 3192 /* Check we can resume a session with a different SHA-256 ciphersuite */ 3193 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, 3194 "TLS_CHACHA20_POLY1305_SHA256")) 3195 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 3196 NULL, NULL)) 3197 || !TEST_true(SSL_set_session(clientssl, clntsess)) 3198 || !TEST_true(create_ssl_connection(serverssl, clientssl, 3199 SSL_ERROR_NONE)) 3200 || !TEST_true(SSL_session_reused(clientssl))) 3201 goto end; 3202 3203 SSL_SESSION_free(clntsess); 3204 clntsess = SSL_get1_session(clientssl); 3205 SSL_shutdown(clientssl); 3206 SSL_shutdown(serverssl); 3207 SSL_free(serverssl); 3208 SSL_free(clientssl); 3209 serverssl = clientssl = NULL; 3210 # endif 3211 3212 /* 3213 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites 3214 * succeeds but does not resume. 3215 */ 3216 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384")) 3217 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 3218 NULL, NULL)) 3219 || !TEST_true(SSL_set_session(clientssl, clntsess)) 3220 || !TEST_true(create_ssl_connection(serverssl, clientssl, 3221 SSL_ERROR_SSL)) 3222 || !TEST_false(SSL_session_reused(clientssl))) 3223 goto end; 3224 3225 SSL_SESSION_free(clntsess); 3226 clntsess = NULL; 3227 SSL_shutdown(clientssl); 3228 SSL_shutdown(serverssl); 3229 SSL_free(serverssl); 3230 SSL_free(clientssl); 3231 serverssl = clientssl = NULL; 3232 3233 /* Create a session based on SHA384 */ 3234 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384")) 3235 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 3236 &clientssl, NULL, NULL)) 3237 || !TEST_true(create_ssl_connection(serverssl, clientssl, 3238 SSL_ERROR_NONE))) 3239 goto end; 3240 3241 clntsess = SSL_get1_session(clientssl); 3242 SSL_shutdown(clientssl); 3243 SSL_shutdown(serverssl); 3244 SSL_free(serverssl); 3245 SSL_free(clientssl); 3246 serverssl = clientssl = NULL; 3247 3248 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, 3249 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384")) 3250 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, 3251 "TLS_AES_256_GCM_SHA384")) 3252 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 3253 NULL, NULL)) 3254 || !TEST_true(SSL_set_session(clientssl, clntsess)) 3255 /* 3256 * We use SSL_ERROR_WANT_READ below so that we can pause the 3257 * connection after the initial ClientHello has been sent to 3258 * enable us to make some session changes. 3259 */ 3260 || !TEST_false(create_ssl_connection(serverssl, clientssl, 3261 SSL_ERROR_WANT_READ))) 3262 goto end; 3263 3264 /* Trick the client into thinking this session is for a different digest */ 3265 clntsess->cipher = aes_128_gcm_sha256; 3266 clntsess->cipher_id = clntsess->cipher->id; 3267 3268 /* 3269 * Continue the previously started connection. Server has selected a SHA-384 3270 * ciphersuite, but client thinks the session is for SHA-256, so it should 3271 * bail out. 3272 */ 3273 if (!TEST_false(create_ssl_connection(serverssl, clientssl, 3274 SSL_ERROR_SSL)) 3275 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), 3276 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED)) 3277 goto end; 3278 3279 testresult = 1; 3280 3281 end: 3282 SSL_SESSION_free(clntsess); 3283 SSL_free(serverssl); 3284 SSL_free(clientssl); 3285 SSL_CTX_free(sctx); 3286 SSL_CTX_free(cctx); 3287 3288 return testresult; 3289 } 3290 3291 /* 3292 * Test TLSv1.3 PSKs 3293 * Test 0 = Test new style callbacks 3294 * Test 1 = Test both new and old style callbacks 3295 * Test 2 = Test old style callbacks 3296 * Test 3 = Test old style callbacks with no certificate 3297 */ 3298 static int test_tls13_psk(int idx) 3299 { 3300 SSL_CTX *sctx = NULL, *cctx = NULL; 3301 SSL *serverssl = NULL, *clientssl = NULL; 3302 const SSL_CIPHER *cipher = NULL; 3303 const unsigned char key[] = { 3304 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 3305 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 3306 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23, 3307 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f 3308 }; 3309 int testresult = 0; 3310 3311 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), 3312 TLS1_VERSION, TLS_MAX_VERSION, 3313 &sctx, &cctx, idx == 3 ? NULL : cert, 3314 idx == 3 ? NULL : privkey))) 3315 goto end; 3316 3317 if (idx != 3) { 3318 /* 3319 * We use a ciphersuite with SHA256 to ease testing old style PSK 3320 * callbacks which will always default to SHA256. This should not be 3321 * necessary if we have no cert/priv key. In that case the server should 3322 * prefer SHA256 automatically. 3323 */ 3324 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, 3325 "TLS_AES_128_GCM_SHA256"))) 3326 goto end; 3327 } 3328 3329 /* 3330 * Test 0: New style callbacks only 3331 * Test 1: New and old style callbacks (only the new ones should be used) 3332 * Test 2: Old style callbacks only 3333 */ 3334 if (idx == 0 || idx == 1) { 3335 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb); 3336 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb); 3337 } 3338 #ifndef OPENSSL_NO_PSK 3339 if (idx >= 1) { 3340 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb); 3341 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb); 3342 } 3343 #endif 3344 srvid = pskid; 3345 use_session_cb_cnt = 0; 3346 find_session_cb_cnt = 0; 3347 psk_client_cb_cnt = 0; 3348 psk_server_cb_cnt = 0; 3349 3350 if (idx != 3) { 3351 /* 3352 * Check we can create a connection if callback decides not to send a 3353 * PSK 3354 */ 3355 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 3356 NULL, NULL)) 3357 || !TEST_true(create_ssl_connection(serverssl, clientssl, 3358 SSL_ERROR_NONE)) 3359 || !TEST_false(SSL_session_reused(clientssl)) 3360 || !TEST_false(SSL_session_reused(serverssl))) 3361 goto end; 3362 3363 if (idx == 0 || idx == 1) { 3364 if (!TEST_true(use_session_cb_cnt == 1) 3365 || !TEST_true(find_session_cb_cnt == 0) 3366 /* 3367 * If no old style callback then below should be 0 3368 * otherwise 1 3369 */ 3370 || !TEST_true(psk_client_cb_cnt == idx) 3371 || !TEST_true(psk_server_cb_cnt == 0)) 3372 goto end; 3373 } else { 3374 if (!TEST_true(use_session_cb_cnt == 0) 3375 || !TEST_true(find_session_cb_cnt == 0) 3376 || !TEST_true(psk_client_cb_cnt == 1) 3377 || !TEST_true(psk_server_cb_cnt == 0)) 3378 goto end; 3379 } 3380 3381 shutdown_ssl_connection(serverssl, clientssl); 3382 serverssl = clientssl = NULL; 3383 use_session_cb_cnt = psk_client_cb_cnt = 0; 3384 } 3385 3386 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 3387 NULL, NULL))) 3388 goto end; 3389 3390 /* Create the PSK */ 3391 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES); 3392 clientpsk = SSL_SESSION_new(); 3393 if (!TEST_ptr(clientpsk) 3394 || !TEST_ptr(cipher) 3395 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key, 3396 sizeof(key))) 3397 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher)) 3398 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk, 3399 TLS1_3_VERSION)) 3400 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) 3401 goto end; 3402 serverpsk = clientpsk; 3403 3404 /* Check we can create a connection and the PSK is used */ 3405 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) 3406 || !TEST_true(SSL_session_reused(clientssl)) 3407 || !TEST_true(SSL_session_reused(serverssl))) 3408 goto end; 3409 3410 if (idx == 0 || idx == 1) { 3411 if (!TEST_true(use_session_cb_cnt == 1) 3412 || !TEST_true(find_session_cb_cnt == 1) 3413 || !TEST_true(psk_client_cb_cnt == 0) 3414 || !TEST_true(psk_server_cb_cnt == 0)) 3415 goto end; 3416 } else { 3417 if (!TEST_true(use_session_cb_cnt == 0) 3418 || !TEST_true(find_session_cb_cnt == 0) 3419 || !TEST_true(psk_client_cb_cnt == 1) 3420 || !TEST_true(psk_server_cb_cnt == 1)) 3421 goto end; 3422 } 3423 3424 shutdown_ssl_connection(serverssl, clientssl); 3425 serverssl = clientssl = NULL; 3426 use_session_cb_cnt = find_session_cb_cnt = 0; 3427 psk_client_cb_cnt = psk_server_cb_cnt = 0; 3428 3429 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 3430 NULL, NULL))) 3431 goto end; 3432 3433 /* Force an HRR */ 3434 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256"))) 3435 goto end; 3436 3437 /* 3438 * Check we can create a connection, the PSK is used and the callbacks are 3439 * called twice. 3440 */ 3441 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) 3442 || !TEST_true(SSL_session_reused(clientssl)) 3443 || !TEST_true(SSL_session_reused(serverssl))) 3444 goto end; 3445 3446 if (idx == 0 || idx == 1) { 3447 if (!TEST_true(use_session_cb_cnt == 2) 3448 || !TEST_true(find_session_cb_cnt == 2) 3449 || !TEST_true(psk_client_cb_cnt == 0) 3450 || !TEST_true(psk_server_cb_cnt == 0)) 3451 goto end; 3452 } else { 3453 if (!TEST_true(use_session_cb_cnt == 0) 3454 || !TEST_true(find_session_cb_cnt == 0) 3455 || !TEST_true(psk_client_cb_cnt == 2) 3456 || !TEST_true(psk_server_cb_cnt == 2)) 3457 goto end; 3458 } 3459 3460 shutdown_ssl_connection(serverssl, clientssl); 3461 serverssl = clientssl = NULL; 3462 use_session_cb_cnt = find_session_cb_cnt = 0; 3463 psk_client_cb_cnt = psk_server_cb_cnt = 0; 3464 3465 if (idx != 3) { 3466 /* 3467 * Check that if the server rejects the PSK we can still connect, but with 3468 * a full handshake 3469 */ 3470 srvid = "Dummy Identity"; 3471 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 3472 NULL, NULL)) 3473 || !TEST_true(create_ssl_connection(serverssl, clientssl, 3474 SSL_ERROR_NONE)) 3475 || !TEST_false(SSL_session_reused(clientssl)) 3476 || !TEST_false(SSL_session_reused(serverssl))) 3477 goto end; 3478 3479 if (idx == 0 || idx == 1) { 3480 if (!TEST_true(use_session_cb_cnt == 1) 3481 || !TEST_true(find_session_cb_cnt == 1) 3482 || !TEST_true(psk_client_cb_cnt == 0) 3483 /* 3484 * If no old style callback then below should be 0 3485 * otherwise 1 3486 */ 3487 || !TEST_true(psk_server_cb_cnt == idx)) 3488 goto end; 3489 } else { 3490 if (!TEST_true(use_session_cb_cnt == 0) 3491 || !TEST_true(find_session_cb_cnt == 0) 3492 || !TEST_true(psk_client_cb_cnt == 1) 3493 || !TEST_true(psk_server_cb_cnt == 1)) 3494 goto end; 3495 } 3496 3497 shutdown_ssl_connection(serverssl, clientssl); 3498 serverssl = clientssl = NULL; 3499 } 3500 testresult = 1; 3501 3502 end: 3503 SSL_SESSION_free(clientpsk); 3504 SSL_SESSION_free(serverpsk); 3505 clientpsk = serverpsk = NULL; 3506 SSL_free(serverssl); 3507 SSL_free(clientssl); 3508 SSL_CTX_free(sctx); 3509 SSL_CTX_free(cctx); 3510 return testresult; 3511 } 3512 3513 static unsigned char cookie_magic_value[] = "cookie magic"; 3514 3515 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie, 3516 unsigned int *cookie_len) 3517 { 3518 /* 3519 * Not suitable as a real cookie generation function but good enough for 3520 * testing! 3521 */ 3522 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1); 3523 *cookie_len = sizeof(cookie_magic_value) - 1; 3524 3525 return 1; 3526 } 3527 3528 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie, 3529 unsigned int cookie_len) 3530 { 3531 if (cookie_len == sizeof(cookie_magic_value) - 1 3532 && memcmp(cookie, cookie_magic_value, cookie_len) == 0) 3533 return 1; 3534 3535 return 0; 3536 } 3537 3538 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie, 3539 size_t *cookie_len) 3540 { 3541 unsigned int temp; 3542 int res = generate_cookie_callback(ssl, cookie, &temp); 3543 *cookie_len = temp; 3544 return res; 3545 } 3546 3547 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie, 3548 size_t cookie_len) 3549 { 3550 return verify_cookie_callback(ssl, cookie, cookie_len); 3551 } 3552 3553 static int test_stateless(void) 3554 { 3555 SSL_CTX *sctx = NULL, *cctx = NULL; 3556 SSL *serverssl = NULL, *clientssl = NULL; 3557 int testresult = 0; 3558 3559 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), 3560 TLS1_VERSION, TLS_MAX_VERSION, 3561 &sctx, &cctx, cert, privkey))) 3562 goto end; 3563 3564 /* The arrival of CCS messages can confuse the test */ 3565 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT); 3566 3567 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 3568 NULL, NULL)) 3569 /* Send the first ClientHello */ 3570 || !TEST_false(create_ssl_connection(serverssl, clientssl, 3571 SSL_ERROR_WANT_READ)) 3572 /* 3573 * This should fail with a -1 return because we have no callbacks 3574 * set up 3575 */ 3576 || !TEST_int_eq(SSL_stateless(serverssl), -1)) 3577 goto end; 3578 3579 /* Fatal error so abandon the connection from this client */ 3580 SSL_free(clientssl); 3581 clientssl = NULL; 3582 3583 /* Set up the cookie generation and verification callbacks */ 3584 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback); 3585 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback); 3586 3587 /* 3588 * Create a new connection from the client (we can reuse the server SSL 3589 * object). 3590 */ 3591 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 3592 NULL, NULL)) 3593 /* Send the first ClientHello */ 3594 || !TEST_false(create_ssl_connection(serverssl, clientssl, 3595 SSL_ERROR_WANT_READ)) 3596 /* This should fail because there is no cookie */ 3597 || !TEST_int_eq(SSL_stateless(serverssl), 0)) 3598 goto end; 3599 3600 /* Abandon the connection from this client */ 3601 SSL_free(clientssl); 3602 clientssl = NULL; 3603 3604 /* 3605 * Now create a connection from a new client but with the same server SSL 3606 * object 3607 */ 3608 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 3609 NULL, NULL)) 3610 /* Send the first ClientHello */ 3611 || !TEST_false(create_ssl_connection(serverssl, clientssl, 3612 SSL_ERROR_WANT_READ)) 3613 /* This should fail because there is no cookie */ 3614 || !TEST_int_eq(SSL_stateless(serverssl), 0) 3615 /* Send the second ClientHello */ 3616 || !TEST_false(create_ssl_connection(serverssl, clientssl, 3617 SSL_ERROR_WANT_READ)) 3618 /* This should succeed because a cookie is now present */ 3619 || !TEST_int_eq(SSL_stateless(serverssl), 1) 3620 /* Complete the connection */ 3621 || !TEST_true(create_ssl_connection(serverssl, clientssl, 3622 SSL_ERROR_NONE))) 3623 goto end; 3624 3625 shutdown_ssl_connection(serverssl, clientssl); 3626 serverssl = clientssl = NULL; 3627 testresult = 1; 3628 3629 end: 3630 SSL_free(serverssl); 3631 SSL_free(clientssl); 3632 SSL_CTX_free(sctx); 3633 SSL_CTX_free(cctx); 3634 return testresult; 3635 3636 } 3637 #endif /* OPENSSL_NO_TLS1_3 */ 3638 3639 static int clntaddoldcb = 0; 3640 static int clntparseoldcb = 0; 3641 static int srvaddoldcb = 0; 3642 static int srvparseoldcb = 0; 3643 static int clntaddnewcb = 0; 3644 static int clntparsenewcb = 0; 3645 static int srvaddnewcb = 0; 3646 static int srvparsenewcb = 0; 3647 static int snicb = 0; 3648 3649 #define TEST_EXT_TYPE1 0xff00 3650 3651 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out, 3652 size_t *outlen, int *al, void *add_arg) 3653 { 3654 int *server = (int *)add_arg; 3655 unsigned char *data; 3656 3657 if (SSL_is_server(s)) 3658 srvaddoldcb++; 3659 else 3660 clntaddoldcb++; 3661 3662 if (*server != SSL_is_server(s) 3663 || (data = OPENSSL_malloc(sizeof(*data))) == NULL) 3664 return -1; 3665 3666 *data = 1; 3667 *out = data; 3668 *outlen = sizeof(char); 3669 return 1; 3670 } 3671 3672 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out, 3673 void *add_arg) 3674 { 3675 OPENSSL_free((unsigned char *)out); 3676 } 3677 3678 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in, 3679 size_t inlen, int *al, void *parse_arg) 3680 { 3681 int *server = (int *)parse_arg; 3682 3683 if (SSL_is_server(s)) 3684 srvparseoldcb++; 3685 else 3686 clntparseoldcb++; 3687 3688 if (*server != SSL_is_server(s) 3689 || inlen != sizeof(char) 3690 || *in != 1) 3691 return -1; 3692 3693 return 1; 3694 } 3695 3696 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context, 3697 const unsigned char **out, size_t *outlen, X509 *x, 3698 size_t chainidx, int *al, void *add_arg) 3699 { 3700 int *server = (int *)add_arg; 3701 unsigned char *data; 3702 3703 if (SSL_is_server(s)) 3704 srvaddnewcb++; 3705 else 3706 clntaddnewcb++; 3707 3708 if (*server != SSL_is_server(s) 3709 || (data = OPENSSL_malloc(sizeof(*data))) == NULL) 3710 return -1; 3711 3712 *data = 1; 3713 *out = data; 3714 *outlen = sizeof(*data); 3715 return 1; 3716 } 3717 3718 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context, 3719 const unsigned char *out, void *add_arg) 3720 { 3721 OPENSSL_free((unsigned char *)out); 3722 } 3723 3724 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context, 3725 const unsigned char *in, size_t inlen, X509 *x, 3726 size_t chainidx, int *al, void *parse_arg) 3727 { 3728 int *server = (int *)parse_arg; 3729 3730 if (SSL_is_server(s)) 3731 srvparsenewcb++; 3732 else 3733 clntparsenewcb++; 3734 3735 if (*server != SSL_is_server(s) 3736 || inlen != sizeof(char) || *in != 1) 3737 return -1; 3738 3739 return 1; 3740 } 3741 3742 static int sni_cb(SSL *s, int *al, void *arg) 3743 { 3744 SSL_CTX *ctx = (SSL_CTX *)arg; 3745 3746 if (SSL_set_SSL_CTX(s, ctx) == NULL) { 3747 *al = SSL_AD_INTERNAL_ERROR; 3748 return SSL_TLSEXT_ERR_ALERT_FATAL; 3749 } 3750 snicb++; 3751 return SSL_TLSEXT_ERR_OK; 3752 } 3753 3754 /* 3755 * Custom call back tests. 3756 * Test 0: Old style callbacks in TLSv1.2 3757 * Test 1: New style callbacks in TLSv1.2 3758 * Test 2: New style callbacks in TLSv1.2 with SNI 3759 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE 3760 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST 3761 */ 3762 static int test_custom_exts(int tst) 3763 { 3764 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL; 3765 SSL *clientssl = NULL, *serverssl = NULL; 3766 int testresult = 0; 3767 static int server = 1; 3768 static int client = 0; 3769 SSL_SESSION *sess = NULL; 3770 unsigned int context; 3771 3772 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3) 3773 /* Skip tests for TLSv1.2 and below in this case */ 3774 if (tst < 3) 3775 return 1; 3776 #endif 3777 3778 /* Reset callback counters */ 3779 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0; 3780 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0; 3781 snicb = 0; 3782 3783 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), 3784 TLS1_VERSION, TLS_MAX_VERSION, 3785 &sctx, &cctx, cert, privkey))) 3786 goto end; 3787 3788 if (tst == 2 3789 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL, 3790 TLS1_VERSION, TLS_MAX_VERSION, 3791 &sctx2, NULL, cert, privkey))) 3792 goto end; 3793 3794 3795 if (tst < 3) { 3796 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3); 3797 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3); 3798 if (sctx2 != NULL) 3799 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3); 3800 } 3801 3802 if (tst == 4) { 3803 context = SSL_EXT_CLIENT_HELLO 3804 | SSL_EXT_TLS1_2_SERVER_HELLO 3805 | SSL_EXT_TLS1_3_SERVER_HELLO 3806 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS 3807 | SSL_EXT_TLS1_3_CERTIFICATE 3808 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET; 3809 } else { 3810 context = SSL_EXT_CLIENT_HELLO 3811 | SSL_EXT_TLS1_2_SERVER_HELLO 3812 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS; 3813 } 3814 3815 /* Create a client side custom extension */ 3816 if (tst == 0) { 3817 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1, 3818 old_add_cb, old_free_cb, 3819 &client, old_parse_cb, 3820 &client))) 3821 goto end; 3822 } else { 3823 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context, 3824 new_add_cb, new_free_cb, 3825 &client, new_parse_cb, &client))) 3826 goto end; 3827 } 3828 3829 /* Should not be able to add duplicates */ 3830 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1, 3831 old_add_cb, old_free_cb, 3832 &client, old_parse_cb, 3833 &client)) 3834 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, 3835 context, new_add_cb, 3836 new_free_cb, &client, 3837 new_parse_cb, &client))) 3838 goto end; 3839 3840 /* Create a server side custom extension */ 3841 if (tst == 0) { 3842 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1, 3843 old_add_cb, old_free_cb, 3844 &server, old_parse_cb, 3845 &server))) 3846 goto end; 3847 } else { 3848 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context, 3849 new_add_cb, new_free_cb, 3850 &server, new_parse_cb, &server))) 3851 goto end; 3852 if (sctx2 != NULL 3853 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1, 3854 context, new_add_cb, 3855 new_free_cb, &server, 3856 new_parse_cb, &server))) 3857 goto end; 3858 } 3859 3860 /* Should not be able to add duplicates */ 3861 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1, 3862 old_add_cb, old_free_cb, 3863 &server, old_parse_cb, 3864 &server)) 3865 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, 3866 context, new_add_cb, 3867 new_free_cb, &server, 3868 new_parse_cb, &server))) 3869 goto end; 3870 3871 if (tst == 2) { 3872 /* Set up SNI */ 3873 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb)) 3874 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2))) 3875 goto end; 3876 } 3877 3878 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 3879 &clientssl, NULL, NULL)) 3880 || !TEST_true(create_ssl_connection(serverssl, clientssl, 3881 SSL_ERROR_NONE))) 3882 goto end; 3883 3884 if (tst == 0) { 3885 if (clntaddoldcb != 1 3886 || clntparseoldcb != 1 3887 || srvaddoldcb != 1 3888 || srvparseoldcb != 1) 3889 goto end; 3890 } else if (tst == 1 || tst == 2 || tst == 3) { 3891 if (clntaddnewcb != 1 3892 || clntparsenewcb != 1 3893 || srvaddnewcb != 1 3894 || srvparsenewcb != 1 3895 || (tst != 2 && snicb != 0) 3896 || (tst == 2 && snicb != 1)) 3897 goto end; 3898 } else { 3899 /* In this case there 2 NewSessionTicket messages created */ 3900 if (clntaddnewcb != 1 3901 || clntparsenewcb != 5 3902 || srvaddnewcb != 5 3903 || srvparsenewcb != 1) 3904 goto end; 3905 } 3906 3907 sess = SSL_get1_session(clientssl); 3908 SSL_shutdown(clientssl); 3909 SSL_shutdown(serverssl); 3910 SSL_free(serverssl); 3911 SSL_free(clientssl); 3912 serverssl = clientssl = NULL; 3913 3914 if (tst == 3) { 3915 /* We don't bother with the resumption aspects for this test */ 3916 testresult = 1; 3917 goto end; 3918 } 3919 3920 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 3921 NULL, NULL)) 3922 || !TEST_true(SSL_set_session(clientssl, sess)) 3923 || !TEST_true(create_ssl_connection(serverssl, clientssl, 3924 SSL_ERROR_NONE))) 3925 goto end; 3926 3927 /* 3928 * For a resumed session we expect to add the ClientHello extension. For the 3929 * old style callbacks we ignore it on the server side because they set 3930 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore 3931 * them. 3932 */ 3933 if (tst == 0) { 3934 if (clntaddoldcb != 2 3935 || clntparseoldcb != 1 3936 || srvaddoldcb != 1 3937 || srvparseoldcb != 1) 3938 goto end; 3939 } else if (tst == 1 || tst == 2 || tst == 3) { 3940 if (clntaddnewcb != 2 3941 || clntparsenewcb != 2 3942 || srvaddnewcb != 2 3943 || srvparsenewcb != 2) 3944 goto end; 3945 } else { 3946 /* 3947 * No Certificate message extensions in the resumption handshake, 3948 * 2 NewSessionTickets in the initial handshake, 1 in the resumption 3949 */ 3950 if (clntaddnewcb != 2 3951 || clntparsenewcb != 8 3952 || srvaddnewcb != 8 3953 || srvparsenewcb != 2) 3954 goto end; 3955 } 3956 3957 testresult = 1; 3958 3959 end: 3960 SSL_SESSION_free(sess); 3961 SSL_free(serverssl); 3962 SSL_free(clientssl); 3963 SSL_CTX_free(sctx2); 3964 SSL_CTX_free(sctx); 3965 SSL_CTX_free(cctx); 3966 return testresult; 3967 } 3968 3969 /* 3970 * Test loading of serverinfo data in various formats. test_sslmessages actually 3971 * tests to make sure the extensions appear in the handshake 3972 */ 3973 static int test_serverinfo(int tst) 3974 { 3975 unsigned int version; 3976 unsigned char *sibuf; 3977 size_t sibuflen; 3978 int ret, expected, testresult = 0; 3979 SSL_CTX *ctx; 3980 3981 ctx = SSL_CTX_new(TLS_method()); 3982 if (!TEST_ptr(ctx)) 3983 goto end; 3984 3985 if ((tst & 0x01) == 0x01) 3986 version = SSL_SERVERINFOV2; 3987 else 3988 version = SSL_SERVERINFOV1; 3989 3990 if ((tst & 0x02) == 0x02) { 3991 sibuf = serverinfov2; 3992 sibuflen = sizeof(serverinfov2); 3993 expected = (version == SSL_SERVERINFOV2); 3994 } else { 3995 sibuf = serverinfov1; 3996 sibuflen = sizeof(serverinfov1); 3997 expected = (version == SSL_SERVERINFOV1); 3998 } 3999 4000 if ((tst & 0x04) == 0x04) { 4001 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen); 4002 } else { 4003 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen); 4004 4005 /* 4006 * The version variable is irrelevant in this case - it's what is in the 4007 * buffer that matters 4008 */ 4009 if ((tst & 0x02) == 0x02) 4010 expected = 0; 4011 else 4012 expected = 1; 4013 } 4014 4015 if (!TEST_true(ret == expected)) 4016 goto end; 4017 4018 testresult = 1; 4019 4020 end: 4021 SSL_CTX_free(ctx); 4022 4023 return testresult; 4024 } 4025 4026 /* 4027 * Test that SSL_export_keying_material() produces expected results. There are 4028 * no test vectors so all we do is test that both sides of the communication 4029 * produce the same results for different protocol versions. 4030 */ 4031 #define SMALL_LABEL_LEN 10 4032 #define LONG_LABEL_LEN 249 4033 static int test_export_key_mat(int tst) 4034 { 4035 int testresult = 0; 4036 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL; 4037 SSL *clientssl = NULL, *serverssl = NULL; 4038 const char label[LONG_LABEL_LEN + 1] = "test label"; 4039 const unsigned char context[] = "context"; 4040 const unsigned char *emptycontext = NULL; 4041 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80]; 4042 unsigned char skeymat1[80], skeymat2[80], skeymat3[80]; 4043 size_t labellen; 4044 const int protocols[] = { 4045 TLS1_VERSION, 4046 TLS1_1_VERSION, 4047 TLS1_2_VERSION, 4048 TLS1_3_VERSION, 4049 TLS1_3_VERSION, 4050 TLS1_3_VERSION 4051 }; 4052 4053 #ifdef OPENSSL_NO_TLS1 4054 if (tst == 0) 4055 return 1; 4056 #endif 4057 #ifdef OPENSSL_NO_TLS1_1 4058 if (tst == 1) 4059 return 1; 4060 #endif 4061 #ifdef OPENSSL_NO_TLS1_2 4062 if (tst == 2) 4063 return 1; 4064 #endif 4065 #ifdef OPENSSL_NO_TLS1_3 4066 if (tst >= 3) 4067 return 1; 4068 #endif 4069 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), 4070 TLS1_VERSION, TLS_MAX_VERSION, 4071 &sctx, &cctx, cert, privkey))) 4072 goto end; 4073 4074 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols)); 4075 SSL_CTX_set_max_proto_version(cctx, protocols[tst]); 4076 SSL_CTX_set_min_proto_version(cctx, protocols[tst]); 4077 4078 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, 4079 NULL)) 4080 || !TEST_true(create_ssl_connection(serverssl, clientssl, 4081 SSL_ERROR_NONE))) 4082 goto end; 4083 4084 if (tst == 5) { 4085 /* 4086 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we 4087 * go over that. 4088 */ 4089 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1, 4090 sizeof(ckeymat1), label, 4091 LONG_LABEL_LEN + 1, context, 4092 sizeof(context) - 1, 1), 0)) 4093 goto end; 4094 4095 testresult = 1; 4096 goto end; 4097 } else if (tst == 4) { 4098 labellen = LONG_LABEL_LEN; 4099 } else { 4100 labellen = SMALL_LABEL_LEN; 4101 } 4102 4103 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1, 4104 sizeof(ckeymat1), label, 4105 labellen, context, 4106 sizeof(context) - 1, 1), 1) 4107 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2, 4108 sizeof(ckeymat2), label, 4109 labellen, 4110 emptycontext, 4111 0, 1), 1) 4112 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3, 4113 sizeof(ckeymat3), label, 4114 labellen, 4115 NULL, 0, 0), 1) 4116 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1, 4117 sizeof(skeymat1), label, 4118 labellen, 4119 context, 4120 sizeof(context) -1, 1), 4121 1) 4122 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2, 4123 sizeof(skeymat2), label, 4124 labellen, 4125 emptycontext, 4126 0, 1), 1) 4127 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3, 4128 sizeof(skeymat3), label, 4129 labellen, 4130 NULL, 0, 0), 1) 4131 /* 4132 * Check that both sides created the same key material with the 4133 * same context. 4134 */ 4135 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1, 4136 sizeof(skeymat1)) 4137 /* 4138 * Check that both sides created the same key material with an 4139 * empty context. 4140 */ 4141 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2, 4142 sizeof(skeymat2)) 4143 /* 4144 * Check that both sides created the same key material without a 4145 * context. 4146 */ 4147 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3, 4148 sizeof(skeymat3)) 4149 /* Different contexts should produce different results */ 4150 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2, 4151 sizeof(ckeymat2))) 4152 goto end; 4153 4154 /* 4155 * Check that an empty context and no context produce different results in 4156 * protocols less than TLSv1.3. In TLSv1.3 they should be the same. 4157 */ 4158 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3, 4159 sizeof(ckeymat3))) 4160 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3, 4161 sizeof(ckeymat3)))) 4162 goto end; 4163 4164 testresult = 1; 4165 4166 end: 4167 SSL_free(serverssl); 4168 SSL_free(clientssl); 4169 SSL_CTX_free(sctx2); 4170 SSL_CTX_free(sctx); 4171 SSL_CTX_free(cctx); 4172 4173 return testresult; 4174 } 4175 4176 #ifndef OPENSSL_NO_TLS1_3 4177 /* 4178 * Test that SSL_export_keying_material_early() produces expected 4179 * results. There are no test vectors so all we do is test that both 4180 * sides of the communication produce the same results for different 4181 * protocol versions. 4182 */ 4183 static int test_export_key_mat_early(int idx) 4184 { 4185 static const char label[] = "test label"; 4186 static const unsigned char context[] = "context"; 4187 int testresult = 0; 4188 SSL_CTX *cctx = NULL, *sctx = NULL; 4189 SSL *clientssl = NULL, *serverssl = NULL; 4190 SSL_SESSION *sess = NULL; 4191 const unsigned char *emptycontext = NULL; 4192 unsigned char ckeymat1[80], ckeymat2[80]; 4193 unsigned char skeymat1[80], skeymat2[80]; 4194 unsigned char buf[1]; 4195 size_t readbytes, written; 4196 4197 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl, 4198 &sess, idx))) 4199 goto end; 4200 4201 /* Here writing 0 length early data is enough. */ 4202 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written)) 4203 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 4204 &readbytes), 4205 SSL_READ_EARLY_DATA_ERROR) 4206 || !TEST_int_eq(SSL_get_early_data_status(serverssl), 4207 SSL_EARLY_DATA_ACCEPTED)) 4208 goto end; 4209 4210 if (!TEST_int_eq(SSL_export_keying_material_early( 4211 clientssl, ckeymat1, sizeof(ckeymat1), label, 4212 sizeof(label) - 1, context, sizeof(context) - 1), 1) 4213 || !TEST_int_eq(SSL_export_keying_material_early( 4214 clientssl, ckeymat2, sizeof(ckeymat2), label, 4215 sizeof(label) - 1, emptycontext, 0), 1) 4216 || !TEST_int_eq(SSL_export_keying_material_early( 4217 serverssl, skeymat1, sizeof(skeymat1), label, 4218 sizeof(label) - 1, context, sizeof(context) - 1), 1) 4219 || !TEST_int_eq(SSL_export_keying_material_early( 4220 serverssl, skeymat2, sizeof(skeymat2), label, 4221 sizeof(label) - 1, emptycontext, 0), 1) 4222 /* 4223 * Check that both sides created the same key material with the 4224 * same context. 4225 */ 4226 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1, 4227 sizeof(skeymat1)) 4228 /* 4229 * Check that both sides created the same key material with an 4230 * empty context. 4231 */ 4232 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2, 4233 sizeof(skeymat2)) 4234 /* Different contexts should produce different results */ 4235 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2, 4236 sizeof(ckeymat2))) 4237 goto end; 4238 4239 testresult = 1; 4240 4241 end: 4242 SSL_SESSION_free(sess); 4243 SSL_SESSION_free(clientpsk); 4244 SSL_SESSION_free(serverpsk); 4245 clientpsk = serverpsk = NULL; 4246 SSL_free(serverssl); 4247 SSL_free(clientssl); 4248 SSL_CTX_free(sctx); 4249 SSL_CTX_free(cctx); 4250 4251 return testresult; 4252 } 4253 4254 #define NUM_KEY_UPDATE_MESSAGES 40 4255 /* 4256 * Test KeyUpdate. 4257 */ 4258 static int test_key_update(void) 4259 { 4260 SSL_CTX *cctx = NULL, *sctx = NULL; 4261 SSL *clientssl = NULL, *serverssl = NULL; 4262 int testresult = 0, i, j; 4263 char buf[20]; 4264 static char *mess = "A test message"; 4265 4266 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), 4267 TLS_client_method(), 4268 TLS1_3_VERSION, 4269 0, 4270 &sctx, &cctx, cert, privkey)) 4271 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 4272 NULL, NULL)) 4273 || !TEST_true(create_ssl_connection(serverssl, clientssl, 4274 SSL_ERROR_NONE))) 4275 goto end; 4276 4277 for (j = 0; j < 2; j++) { 4278 /* Send lots of KeyUpdate messages */ 4279 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) { 4280 if (!TEST_true(SSL_key_update(clientssl, 4281 (j == 0) 4282 ? SSL_KEY_UPDATE_NOT_REQUESTED 4283 : SSL_KEY_UPDATE_REQUESTED)) 4284 || !TEST_true(SSL_do_handshake(clientssl))) 4285 goto end; 4286 } 4287 4288 /* Check that sending and receiving app data is ok */ 4289 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess)) 4290 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)), 4291 strlen(mess))) 4292 goto end; 4293 } 4294 4295 testresult = 1; 4296 4297 end: 4298 SSL_free(serverssl); 4299 SSL_free(clientssl); 4300 SSL_CTX_free(sctx); 4301 SSL_CTX_free(cctx); 4302 4303 return testresult; 4304 } 4305 #endif /* OPENSSL_NO_TLS1_3 */ 4306 4307 static int test_ssl_clear(int idx) 4308 { 4309 SSL_CTX *cctx = NULL, *sctx = NULL; 4310 SSL *clientssl = NULL, *serverssl = NULL; 4311 int testresult = 0; 4312 4313 #ifdef OPENSSL_NO_TLS1_2 4314 if (idx == 1) 4315 return 1; 4316 #endif 4317 4318 /* Create an initial connection */ 4319 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), 4320 TLS1_VERSION, TLS_MAX_VERSION, 4321 &sctx, &cctx, cert, privkey)) 4322 || (idx == 1 4323 && !TEST_true(SSL_CTX_set_max_proto_version(cctx, 4324 TLS1_2_VERSION))) 4325 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 4326 &clientssl, NULL, NULL)) 4327 || !TEST_true(create_ssl_connection(serverssl, clientssl, 4328 SSL_ERROR_NONE))) 4329 goto end; 4330 4331 SSL_shutdown(clientssl); 4332 SSL_shutdown(serverssl); 4333 SSL_free(serverssl); 4334 serverssl = NULL; 4335 4336 /* Clear clientssl - we're going to reuse the object */ 4337 if (!TEST_true(SSL_clear(clientssl))) 4338 goto end; 4339 4340 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 4341 NULL, NULL)) 4342 || !TEST_true(create_ssl_connection(serverssl, clientssl, 4343 SSL_ERROR_NONE)) 4344 || !TEST_true(SSL_session_reused(clientssl))) 4345 goto end; 4346 4347 SSL_shutdown(clientssl); 4348 SSL_shutdown(serverssl); 4349 4350 testresult = 1; 4351 4352 end: 4353 SSL_free(serverssl); 4354 SSL_free(clientssl); 4355 SSL_CTX_free(sctx); 4356 SSL_CTX_free(cctx); 4357 4358 return testresult; 4359 } 4360 4361 /* Parse CH and retrieve any MFL extension value if present */ 4362 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code) 4363 { 4364 long len; 4365 unsigned char *data; 4366 PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0}; 4367 unsigned int MFL_code = 0, type = 0; 4368 4369 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) ) 4370 goto end; 4371 4372 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) ) 4373 /* Skip the record header */ 4374 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH) 4375 /* Skip the handshake message header */ 4376 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH)) 4377 /* Skip client version and random */ 4378 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN 4379 + SSL3_RANDOM_SIZE)) 4380 /* Skip session id */ 4381 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2)) 4382 /* Skip ciphers */ 4383 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2)) 4384 /* Skip compression */ 4385 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2)) 4386 /* Extensions len */ 4387 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2))) 4388 goto end; 4389 4390 /* Loop through all extensions */ 4391 while (PACKET_remaining(&pkt2)) { 4392 if (!TEST_true(PACKET_get_net_2(&pkt2, &type)) 4393 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3))) 4394 goto end; 4395 4396 if (type == TLSEXT_TYPE_max_fragment_length) { 4397 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0) 4398 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code))) 4399 goto end; 4400 4401 *mfl_codemfl_code = MFL_code; 4402 return 1; 4403 } 4404 } 4405 4406 end: 4407 return 0; 4408 } 4409 4410 /* Maximum-Fragment-Length TLS extension mode to test */ 4411 static const unsigned char max_fragment_len_test[] = { 4412 TLSEXT_max_fragment_length_512, 4413 TLSEXT_max_fragment_length_1024, 4414 TLSEXT_max_fragment_length_2048, 4415 TLSEXT_max_fragment_length_4096 4416 }; 4417 4418 static int test_max_fragment_len_ext(int idx_tst) 4419 { 4420 SSL_CTX *ctx; 4421 SSL *con = NULL; 4422 int testresult = 0, MFL_mode = 0; 4423 BIO *rbio, *wbio; 4424 4425 ctx = SSL_CTX_new(TLS_method()); 4426 if (!TEST_ptr(ctx)) 4427 goto end; 4428 4429 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length( 4430 ctx, max_fragment_len_test[idx_tst]))) 4431 goto end; 4432 4433 con = SSL_new(ctx); 4434 if (!TEST_ptr(con)) 4435 goto end; 4436 4437 rbio = BIO_new(BIO_s_mem()); 4438 wbio = BIO_new(BIO_s_mem()); 4439 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) { 4440 BIO_free(rbio); 4441 BIO_free(wbio); 4442 goto end; 4443 } 4444 4445 SSL_set_bio(con, rbio, wbio); 4446 SSL_set_connect_state(con); 4447 4448 if (!TEST_int_le(SSL_connect(con), 0)) { 4449 /* This shouldn't succeed because we don't have a server! */ 4450 goto end; 4451 } 4452 4453 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode))) 4454 /* no MFL in client hello */ 4455 goto end; 4456 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode)) 4457 goto end; 4458 4459 testresult = 1; 4460 4461 end: 4462 SSL_free(con); 4463 SSL_CTX_free(ctx); 4464 4465 return testresult; 4466 } 4467 4468 #ifndef OPENSSL_NO_TLS1_3 4469 static int test_pha_key_update(void) 4470 { 4471 SSL_CTX *cctx = NULL, *sctx = NULL; 4472 SSL *clientssl = NULL, *serverssl = NULL; 4473 int testresult = 0; 4474 4475 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), 4476 TLS1_VERSION, TLS_MAX_VERSION, 4477 &sctx, &cctx, cert, privkey))) 4478 return 0; 4479 4480 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION)) 4481 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION)) 4482 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION)) 4483 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION))) 4484 goto end; 4485 4486 SSL_CTX_set_post_handshake_auth(cctx, 1); 4487 4488 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 4489 NULL, NULL))) 4490 goto end; 4491 4492 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 4493 SSL_ERROR_NONE))) 4494 goto end; 4495 4496 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL); 4497 if (!TEST_true(SSL_verify_client_post_handshake(serverssl))) 4498 goto end; 4499 4500 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED))) 4501 goto end; 4502 4503 /* Start handshake on the server */ 4504 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1)) 4505 goto end; 4506 4507 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */ 4508 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 4509 SSL_ERROR_NONE))) 4510 goto end; 4511 4512 SSL_shutdown(clientssl); 4513 SSL_shutdown(serverssl); 4514 4515 testresult = 1; 4516 4517 end: 4518 SSL_free(serverssl); 4519 SSL_free(clientssl); 4520 SSL_CTX_free(sctx); 4521 SSL_CTX_free(cctx); 4522 return testresult; 4523 } 4524 #endif 4525 4526 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2) 4527 4528 static SRP_VBASE *vbase = NULL; 4529 4530 static int ssl_srp_cb(SSL *s, int *ad, void *arg) 4531 { 4532 int ret = SSL3_AL_FATAL; 4533 char *username; 4534 SRP_user_pwd *user = NULL; 4535 4536 username = SSL_get_srp_username(s); 4537 if (username == NULL) { 4538 *ad = SSL_AD_INTERNAL_ERROR; 4539 goto err; 4540 } 4541 4542 user = SRP_VBASE_get1_by_user(vbase, username); 4543 if (user == NULL) { 4544 *ad = SSL_AD_INTERNAL_ERROR; 4545 goto err; 4546 } 4547 4548 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v, 4549 user->info) <= 0) { 4550 *ad = SSL_AD_INTERNAL_ERROR; 4551 goto err; 4552 } 4553 4554 ret = 0; 4555 4556 err: 4557 SRP_user_pwd_free(user); 4558 return ret; 4559 } 4560 4561 static int create_new_vfile(char *userid, char *password, const char *filename) 4562 { 4563 char *gNid = NULL; 4564 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1)); 4565 TXT_DB *db = NULL; 4566 int ret = 0; 4567 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0); 4568 size_t i; 4569 4570 if (!TEST_ptr(dummy) || !TEST_ptr(row)) 4571 goto end; 4572 4573 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt], 4574 &row[DB_srpverifier], NULL, NULL); 4575 if (!TEST_ptr(gNid)) 4576 goto end; 4577 4578 /* 4579 * The only way to create an empty TXT_DB is to provide a BIO with no data 4580 * in it! 4581 */ 4582 db = TXT_DB_read(dummy, DB_NUMBER); 4583 if (!TEST_ptr(db)) 4584 goto end; 4585 4586 out = BIO_new_file(filename, "w"); 4587 if (!TEST_ptr(out)) 4588 goto end; 4589 4590 row[DB_srpid] = OPENSSL_strdup(userid); 4591 row[DB_srptype] = OPENSSL_strdup("V"); 4592 row[DB_srpgN] = OPENSSL_strdup(gNid); 4593 4594 if (!TEST_ptr(row[DB_srpid]) 4595 || !TEST_ptr(row[DB_srptype]) 4596 || !TEST_ptr(row[DB_srpgN]) 4597 || !TEST_true(TXT_DB_insert(db, row))) 4598 goto end; 4599 4600 row = NULL; 4601 4602 if (!TXT_DB_write(out, db)) 4603 goto end; 4604 4605 ret = 1; 4606 end: 4607 if (row != NULL) { 4608 for (i = 0; i < DB_NUMBER; i++) 4609 OPENSSL_free(row[i]); 4610 } 4611 OPENSSL_free(row); 4612 BIO_free(dummy); 4613 BIO_free(out); 4614 TXT_DB_free(db); 4615 4616 return ret; 4617 } 4618 4619 static int create_new_vbase(char *userid, char *password) 4620 { 4621 BIGNUM *verifier = NULL, *salt = NULL; 4622 const SRP_gN *lgN = NULL; 4623 SRP_user_pwd *user_pwd = NULL; 4624 int ret = 0; 4625 4626 lgN = SRP_get_default_gN(NULL); 4627 if (!TEST_ptr(lgN)) 4628 goto end; 4629 4630 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier, 4631 lgN->N, lgN->g))) 4632 goto end; 4633 4634 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd)); 4635 if (!TEST_ptr(user_pwd)) 4636 goto end; 4637 4638 user_pwd->N = lgN->N; 4639 user_pwd->g = lgN->g; 4640 user_pwd->id = OPENSSL_strdup(userid); 4641 if (!TEST_ptr(user_pwd->id)) 4642 goto end; 4643 4644 user_pwd->v = verifier; 4645 user_pwd->s = salt; 4646 verifier = salt = NULL; 4647 4648 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0) 4649 goto end; 4650 user_pwd = NULL; 4651 4652 ret = 1; 4653 end: 4654 SRP_user_pwd_free(user_pwd); 4655 BN_free(salt); 4656 BN_free(verifier); 4657 4658 return ret; 4659 } 4660 4661 /* 4662 * SRP tests 4663 * 4664 * Test 0: Simple successful SRP connection, new vbase 4665 * Test 1: Connection failure due to bad password, new vbase 4666 * Test 2: Simple successful SRP connection, vbase loaded from existing file 4667 * Test 3: Connection failure due to bad password, vbase loaded from existing 4668 * file 4669 * Test 4: Simple successful SRP connection, vbase loaded from new file 4670 * Test 5: Connection failure due to bad password, vbase loaded from new file 4671 */ 4672 static int test_srp(int tst) 4673 { 4674 char *userid = "test", *password = "password", *tstsrpfile; 4675 SSL_CTX *cctx = NULL, *sctx = NULL; 4676 SSL *clientssl = NULL, *serverssl = NULL; 4677 int ret, testresult = 0; 4678 4679 vbase = SRP_VBASE_new(NULL); 4680 if (!TEST_ptr(vbase)) 4681 goto end; 4682 4683 if (tst == 0 || tst == 1) { 4684 if (!TEST_true(create_new_vbase(userid, password))) 4685 goto end; 4686 } else { 4687 if (tst == 4 || tst == 5) { 4688 if (!TEST_true(create_new_vfile(userid, password, tmpfilename))) 4689 goto end; 4690 tstsrpfile = tmpfilename; 4691 } else { 4692 tstsrpfile = srpvfile; 4693 } 4694 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR)) 4695 goto end; 4696 } 4697 4698 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), 4699 TLS1_VERSION, TLS_MAX_VERSION, 4700 &sctx, &cctx, cert, privkey))) 4701 goto end; 4702 4703 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0) 4704 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA")) 4705 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION)) 4706 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION)) 4707 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0)) 4708 goto end; 4709 4710 if (tst % 2 == 1) { 4711 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0)) 4712 goto end; 4713 } else { 4714 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0)) 4715 goto end; 4716 } 4717 4718 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 4719 NULL, NULL))) 4720 goto end; 4721 4722 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE); 4723 if (ret) { 4724 if (!TEST_true(tst % 2 == 0)) 4725 goto end; 4726 } else { 4727 if (!TEST_true(tst % 2 == 1)) 4728 goto end; 4729 } 4730 4731 testresult = 1; 4732 4733 end: 4734 SRP_VBASE_free(vbase); 4735 vbase = NULL; 4736 SSL_free(serverssl); 4737 SSL_free(clientssl); 4738 SSL_CTX_free(sctx); 4739 SSL_CTX_free(cctx); 4740 4741 return testresult; 4742 } 4743 #endif 4744 4745 static int info_cb_failed = 0; 4746 static int info_cb_offset = 0; 4747 static int info_cb_this_state = -1; 4748 4749 static struct info_cb_states_st { 4750 int where; 4751 const char *statestr; 4752 } info_cb_states[][60] = { 4753 { 4754 /* TLSv1.2 server followed by resumption */ 4755 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "}, 4756 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"}, 4757 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"}, 4758 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"}, 4759 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"}, 4760 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"}, 4761 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, 4762 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL}, 4763 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, 4764 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"}, 4765 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"}, 4766 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL}, 4767 {SSL_CB_EXIT, NULL}, {0, NULL}, 4768 }, { 4769 /* TLSv1.2 client followed by resumption */ 4770 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "}, 4771 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"}, 4772 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"}, 4773 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"}, 4774 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, 4775 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, 4776 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL}, 4777 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "}, 4778 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"}, 4779 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, 4780 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"}, 4781 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL}, 4782 }, { 4783 /* TLSv1.3 server followed by resumption */ 4784 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "}, 4785 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"}, 4786 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"}, 4787 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"}, 4788 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"}, 4789 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"}, 4790 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL}, 4791 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "}, 4792 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"}, 4793 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"}, 4794 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, 4795 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL}, 4796 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL}, 4797 }, { 4798 /* TLSv1.3 client followed by resumption */ 4799 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "}, 4800 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"}, 4801 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"}, 4802 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, 4803 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL}, 4804 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, 4805 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, 4806 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, 4807 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL}, 4808 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, 4809 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, 4810 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"}, 4811 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, 4812 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, 4813 {SSL_CB_EXIT, NULL}, {0, NULL}, 4814 }, { 4815 /* TLSv1.3 server, early_data */ 4816 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "}, 4817 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"}, 4818 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"}, 4819 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, 4820 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"}, 4821 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"}, 4822 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"}, 4823 {SSL_CB_EXIT, NULL}, {0, NULL}, 4824 }, { 4825 /* TLSv1.3 client, early_data */ 4826 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "}, 4827 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"}, 4828 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, 4829 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"}, 4830 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, 4831 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"}, 4832 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL}, 4833 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, 4834 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL}, 4835 }, { 4836 {0, NULL}, 4837 } 4838 }; 4839 4840 static void sslapi_info_callback(const SSL *s, int where, int ret) 4841 { 4842 struct info_cb_states_st *state = info_cb_states[info_cb_offset]; 4843 4844 /* We do not ever expect a connection to fail in this test */ 4845 if (!TEST_false(ret == 0)) { 4846 info_cb_failed = 1; 4847 return; 4848 } 4849 4850 /* 4851 * Do some sanity checks. We never expect these things to happen in this 4852 * test 4853 */ 4854 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0)) 4855 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0) 4856 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) { 4857 info_cb_failed = 1; 4858 return; 4859 } 4860 4861 /* Now check we're in the right state */ 4862 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) { 4863 info_cb_failed = 1; 4864 return; 4865 } 4866 if ((where & SSL_CB_LOOP) != 0 4867 && !TEST_int_eq(strcmp(SSL_state_string(s), 4868 state[info_cb_this_state].statestr), 0)) { 4869 info_cb_failed = 1; 4870 return; 4871 } 4872 4873 /* 4874 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init 4875 */ 4876 if ((where & SSL_CB_HANDSHAKE_DONE) 4877 && SSL_in_init((SSL *)s) != 0) { 4878 info_cb_failed = 1; 4879 return; 4880 } 4881 } 4882 4883 /* 4884 * Test the info callback gets called when we expect it to. 4885 * 4886 * Test 0: TLSv1.2, server 4887 * Test 1: TLSv1.2, client 4888 * Test 2: TLSv1.3, server 4889 * Test 3: TLSv1.3, client 4890 * Test 4: TLSv1.3, server, early_data 4891 * Test 5: TLSv1.3, client, early_data 4892 */ 4893 static int test_info_callback(int tst) 4894 { 4895 SSL_CTX *cctx = NULL, *sctx = NULL; 4896 SSL *clientssl = NULL, *serverssl = NULL; 4897 SSL_SESSION *clntsess = NULL; 4898 int testresult = 0; 4899 int tlsvers; 4900 4901 if (tst < 2) { 4902 /* We need either ECDHE or DHE for the TLSv1.2 test to work */ 4903 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \ 4904 || !defined(OPENSSL_NO_DH)) 4905 tlsvers = TLS1_2_VERSION; 4906 #else 4907 return 1; 4908 #endif 4909 } else { 4910 #ifndef OPENSSL_NO_TLS1_3 4911 tlsvers = TLS1_3_VERSION; 4912 #else 4913 return 1; 4914 #endif 4915 } 4916 4917 /* Reset globals */ 4918 info_cb_failed = 0; 4919 info_cb_this_state = -1; 4920 info_cb_offset = tst; 4921 4922 #ifndef OPENSSL_NO_TLS1_3 4923 if (tst >= 4) { 4924 SSL_SESSION *sess = NULL; 4925 size_t written, readbytes; 4926 unsigned char buf[80]; 4927 4928 /* early_data tests */ 4929 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, 4930 &serverssl, &sess, 0))) 4931 goto end; 4932 4933 /* We don't actually need this reference */ 4934 SSL_SESSION_free(sess); 4935 4936 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl, 4937 sslapi_info_callback); 4938 4939 /* Write and read some early data and then complete the connection */ 4940 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), 4941 &written)) 4942 || !TEST_size_t_eq(written, strlen(MSG1)) 4943 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, 4944 sizeof(buf), &readbytes), 4945 SSL_READ_EARLY_DATA_SUCCESS) 4946 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1)) 4947 || !TEST_int_eq(SSL_get_early_data_status(serverssl), 4948 SSL_EARLY_DATA_ACCEPTED) 4949 || !TEST_true(create_ssl_connection(serverssl, clientssl, 4950 SSL_ERROR_NONE)) 4951 || !TEST_false(info_cb_failed)) 4952 goto end; 4953 4954 testresult = 1; 4955 goto end; 4956 } 4957 #endif 4958 4959 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), 4960 TLS_client_method(), 4961 tlsvers, tlsvers, &sctx, &cctx, cert, 4962 privkey))) 4963 goto end; 4964 4965 /* 4966 * For even numbered tests we check the server callbacks. For odd numbers we 4967 * check the client. 4968 */ 4969 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx, 4970 sslapi_info_callback); 4971 4972 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 4973 &clientssl, NULL, NULL)) 4974 || !TEST_true(create_ssl_connection(serverssl, clientssl, 4975 SSL_ERROR_NONE)) 4976 || !TEST_false(info_cb_failed)) 4977 goto end; 4978 4979 4980 4981 clntsess = SSL_get1_session(clientssl); 4982 SSL_shutdown(clientssl); 4983 SSL_shutdown(serverssl); 4984 SSL_free(serverssl); 4985 SSL_free(clientssl); 4986 serverssl = clientssl = NULL; 4987 4988 /* Now do a resumption */ 4989 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, 4990 NULL)) 4991 || !TEST_true(SSL_set_session(clientssl, clntsess)) 4992 || !TEST_true(create_ssl_connection(serverssl, clientssl, 4993 SSL_ERROR_NONE)) 4994 || !TEST_true(SSL_session_reused(clientssl)) 4995 || !TEST_false(info_cb_failed)) 4996 goto end; 4997 4998 testresult = 1; 4999 5000 end: 5001 SSL_free(serverssl); 5002 SSL_free(clientssl); 5003 SSL_SESSION_free(clntsess); 5004 SSL_CTX_free(sctx); 5005 SSL_CTX_free(cctx); 5006 return testresult; 5007 } 5008 5009 static int test_ssl_pending(int tst) 5010 { 5011 SSL_CTX *cctx = NULL, *sctx = NULL; 5012 SSL *clientssl = NULL, *serverssl = NULL; 5013 int testresult = 0; 5014 char msg[] = "A test message"; 5015 char buf[5]; 5016 size_t written, readbytes; 5017 5018 if (tst == 0) { 5019 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), 5020 TLS_client_method(), 5021 TLS1_VERSION, TLS_MAX_VERSION, 5022 &sctx, &cctx, cert, privkey))) 5023 goto end; 5024 } else { 5025 #ifndef OPENSSL_NO_DTLS 5026 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(), 5027 DTLS_client_method(), 5028 DTLS1_VERSION, DTLS_MAX_VERSION, 5029 &sctx, &cctx, cert, privkey))) 5030 goto end; 5031 #else 5032 return 1; 5033 #endif 5034 } 5035 5036 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 5037 NULL, NULL)) 5038 || !TEST_true(create_ssl_connection(serverssl, clientssl, 5039 SSL_ERROR_NONE))) 5040 goto end; 5041 5042 if (!TEST_int_eq(SSL_pending(clientssl), 0) 5043 || !TEST_false(SSL_has_pending(clientssl)) 5044 || !TEST_int_eq(SSL_pending(serverssl), 0) 5045 || !TEST_false(SSL_has_pending(serverssl)) 5046 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written)) 5047 || !TEST_size_t_eq(written, sizeof(msg)) 5048 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)) 5049 || !TEST_size_t_eq(readbytes, sizeof(buf)) 5050 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes)) 5051 || !TEST_true(SSL_has_pending(clientssl))) 5052 goto end; 5053 5054 testresult = 1; 5055 5056 end: 5057 SSL_free(serverssl); 5058 SSL_free(clientssl); 5059 SSL_CTX_free(sctx); 5060 SSL_CTX_free(cctx); 5061 5062 return testresult; 5063 } 5064 5065 static struct { 5066 unsigned int maxprot; 5067 const char *clntciphers; 5068 const char *clnttls13ciphers; 5069 const char *srvrciphers; 5070 const char *srvrtls13ciphers; 5071 const char *shared; 5072 } shared_ciphers_data[] = { 5073 /* 5074 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if 5075 * TLSv1.3 is enabled but TLSv1.2 is disabled. 5076 */ 5077 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) 5078 { 5079 TLS1_2_VERSION, 5080 "AES128-SHA:AES256-SHA", 5081 NULL, 5082 "AES256-SHA:DHE-RSA-AES128-SHA", 5083 NULL, 5084 "AES256-SHA" 5085 }, 5086 { 5087 TLS1_2_VERSION, 5088 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA", 5089 NULL, 5090 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA", 5091 NULL, 5092 "AES128-SHA:AES256-SHA" 5093 }, 5094 { 5095 TLS1_2_VERSION, 5096 "AES128-SHA:AES256-SHA", 5097 NULL, 5098 "AES128-SHA:DHE-RSA-AES128-SHA", 5099 NULL, 5100 "AES128-SHA" 5101 }, 5102 #endif 5103 /* 5104 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be 5105 * enabled. 5106 */ 5107 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \ 5108 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) 5109 { 5110 TLS1_3_VERSION, 5111 "AES128-SHA:AES256-SHA", 5112 NULL, 5113 "AES256-SHA:AES128-SHA256", 5114 NULL, 5115 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:" 5116 "TLS_AES_128_GCM_SHA256:AES256-SHA" 5117 }, 5118 #endif 5119 #ifndef OPENSSL_NO_TLS1_3 5120 { 5121 TLS1_3_VERSION, 5122 "AES128-SHA", 5123 "TLS_AES_256_GCM_SHA384", 5124 "AES256-SHA", 5125 "TLS_AES_256_GCM_SHA384", 5126 "TLS_AES_256_GCM_SHA384" 5127 }, 5128 #endif 5129 }; 5130 5131 static int test_ssl_get_shared_ciphers(int tst) 5132 { 5133 SSL_CTX *cctx = NULL, *sctx = NULL; 5134 SSL *clientssl = NULL, *serverssl = NULL; 5135 int testresult = 0; 5136 char buf[1024]; 5137 5138 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), 5139 TLS_client_method(), 5140 TLS1_VERSION, 5141 shared_ciphers_data[tst].maxprot, 5142 &sctx, &cctx, cert, privkey))) 5143 goto end; 5144 5145 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, 5146 shared_ciphers_data[tst].clntciphers)) 5147 || (shared_ciphers_data[tst].clnttls13ciphers != NULL 5148 && !TEST_true(SSL_CTX_set_ciphersuites(cctx, 5149 shared_ciphers_data[tst].clnttls13ciphers))) 5150 || !TEST_true(SSL_CTX_set_cipher_list(sctx, 5151 shared_ciphers_data[tst].srvrciphers)) 5152 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL 5153 && !TEST_true(SSL_CTX_set_ciphersuites(sctx, 5154 shared_ciphers_data[tst].srvrtls13ciphers)))) 5155 goto end; 5156 5157 5158 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 5159 NULL, NULL)) 5160 || !TEST_true(create_ssl_connection(serverssl, clientssl, 5161 SSL_ERROR_NONE))) 5162 goto end; 5163 5164 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf))) 5165 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) { 5166 TEST_info("Shared ciphers are: %s\n", buf); 5167 goto end; 5168 } 5169 5170 testresult = 1; 5171 5172 end: 5173 SSL_free(serverssl); 5174 SSL_free(clientssl); 5175 SSL_CTX_free(sctx); 5176 SSL_CTX_free(cctx); 5177 5178 return testresult; 5179 } 5180 5181 static const char *appdata = "Hello World"; 5182 static int gen_tick_called, dec_tick_called, tick_key_cb_called; 5183 static int tick_key_renew = 0; 5184 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT; 5185 5186 static int gen_tick_cb(SSL *s, void *arg) 5187 { 5188 gen_tick_called = 1; 5189 5190 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata, 5191 strlen(appdata)); 5192 } 5193 5194 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss, 5195 const unsigned char *keyname, 5196 size_t keyname_length, 5197 SSL_TICKET_STATUS status, 5198 void *arg) 5199 { 5200 void *tickdata; 5201 size_t tickdlen; 5202 5203 dec_tick_called = 1; 5204 5205 if (status == SSL_TICKET_EMPTY) 5206 return SSL_TICKET_RETURN_IGNORE_RENEW; 5207 5208 if (!TEST_true(status == SSL_TICKET_SUCCESS 5209 || status == SSL_TICKET_SUCCESS_RENEW)) 5210 return SSL_TICKET_RETURN_ABORT; 5211 5212 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata, 5213 &tickdlen)) 5214 || !TEST_size_t_eq(tickdlen, strlen(appdata)) 5215 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0)) 5216 return SSL_TICKET_RETURN_ABORT; 5217 5218 if (tick_key_cb_called) { 5219 /* Don't change what the ticket key callback wanted to do */ 5220 switch (status) { 5221 case SSL_TICKET_NO_DECRYPT: 5222 return SSL_TICKET_RETURN_IGNORE_RENEW; 5223 5224 case SSL_TICKET_SUCCESS: 5225 return SSL_TICKET_RETURN_USE; 5226 5227 case SSL_TICKET_SUCCESS_RENEW: 5228 return SSL_TICKET_RETURN_USE_RENEW; 5229 5230 default: 5231 return SSL_TICKET_RETURN_ABORT; 5232 } 5233 } 5234 return tick_dec_ret; 5235 5236 } 5237 5238 static int tick_key_cb(SSL *s, unsigned char key_name[16], 5239 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx, 5240 HMAC_CTX *hctx, int enc) 5241 { 5242 const unsigned char tick_aes_key[16] = "0123456789abcdef"; 5243 const unsigned char tick_hmac_key[16] = "0123456789abcdef"; 5244 5245 tick_key_cb_called = 1; 5246 memset(iv, 0, AES_BLOCK_SIZE); 5247 memset(key_name, 0, 16); 5248 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc) 5249 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), 5250 EVP_sha256(), NULL)) 5251 return -1; 5252 5253 return tick_key_renew ? 2 : 1; 5254 } 5255 5256 /* 5257 * Test the various ticket callbacks 5258 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal 5259 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal 5260 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal 5261 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal 5262 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal 5263 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal 5264 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal 5265 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal 5266 * Test 8: TLSv1.2, ticket key callback, ticket, no renewal 5267 * Test 9: TLSv1.3, ticket key callback, ticket, no renewal 5268 * Test 10: TLSv1.2, ticket key callback, ticket, renewal 5269 * Test 11: TLSv1.3, ticket key callback, ticket, renewal 5270 */ 5271 static int test_ticket_callbacks(int tst) 5272 { 5273 SSL_CTX *cctx = NULL, *sctx = NULL; 5274 SSL *clientssl = NULL, *serverssl = NULL; 5275 SSL_SESSION *clntsess = NULL; 5276 int testresult = 0; 5277 5278 #ifdef OPENSSL_NO_TLS1_2 5279 if (tst % 2 == 0) 5280 return 1; 5281 #endif 5282 #ifdef OPENSSL_NO_TLS1_3 5283 if (tst % 2 == 1) 5284 return 1; 5285 #endif 5286 5287 gen_tick_called = dec_tick_called = tick_key_cb_called = 0; 5288 5289 /* Which tests the ticket key callback should request renewal for */ 5290 if (tst == 10 || tst == 11) 5291 tick_key_renew = 1; 5292 else 5293 tick_key_renew = 0; 5294 5295 /* Which tests the decrypt ticket callback should request renewal for */ 5296 switch (tst) { 5297 case 0: 5298 case 1: 5299 tick_dec_ret = SSL_TICKET_RETURN_IGNORE; 5300 break; 5301 5302 case 2: 5303 case 3: 5304 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW; 5305 break; 5306 5307 case 4: 5308 case 5: 5309 tick_dec_ret = SSL_TICKET_RETURN_USE; 5310 break; 5311 5312 case 6: 5313 case 7: 5314 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW; 5315 break; 5316 5317 default: 5318 tick_dec_ret = SSL_TICKET_RETURN_ABORT; 5319 } 5320 5321 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), 5322 TLS_client_method(), 5323 TLS1_VERSION, 5324 ((tst % 2) == 0) ? TLS1_2_VERSION 5325 : TLS1_3_VERSION, 5326 &sctx, &cctx, cert, privkey))) 5327 goto end; 5328 5329 /* 5330 * We only want sessions to resume from tickets - not the session cache. So 5331 * switch the cache off. 5332 */ 5333 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF))) 5334 goto end; 5335 5336 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb, 5337 NULL))) 5338 goto end; 5339 5340 if (tst >= 8 5341 && !TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb))) 5342 goto end; 5343 5344 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 5345 NULL, NULL)) 5346 || !TEST_true(create_ssl_connection(serverssl, clientssl, 5347 SSL_ERROR_NONE))) 5348 goto end; 5349 5350 /* 5351 * The decrypt ticket key callback in TLSv1.2 should be called even though 5352 * we have no ticket yet, because it gets called with a status of 5353 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not 5354 * actually send any ticket data). This does not happen in TLSv1.3 because 5355 * it is not valid to send empty ticket data in TLSv1.3. 5356 */ 5357 if (!TEST_int_eq(gen_tick_called, 1) 5358 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0)) 5359 goto end; 5360 5361 gen_tick_called = dec_tick_called = 0; 5362 5363 clntsess = SSL_get1_session(clientssl); 5364 SSL_shutdown(clientssl); 5365 SSL_shutdown(serverssl); 5366 SSL_free(serverssl); 5367 SSL_free(clientssl); 5368 serverssl = clientssl = NULL; 5369 5370 /* Now do a resumption */ 5371 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, 5372 NULL)) 5373 || !TEST_true(SSL_set_session(clientssl, clntsess)) 5374 || !TEST_true(create_ssl_connection(serverssl, clientssl, 5375 SSL_ERROR_NONE))) 5376 goto end; 5377 5378 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE 5379 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) { 5380 if (!TEST_false(SSL_session_reused(clientssl))) 5381 goto end; 5382 } else { 5383 if (!TEST_true(SSL_session_reused(clientssl))) 5384 goto end; 5385 } 5386 5387 if (!TEST_int_eq(gen_tick_called, 5388 (tick_key_renew 5389 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW 5390 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW) 5391 ? 1 : 0) 5392 || !TEST_int_eq(dec_tick_called, 1)) 5393 goto end; 5394 5395 testresult = 1; 5396 5397 end: 5398 SSL_SESSION_free(clntsess); 5399 SSL_free(serverssl); 5400 SSL_free(clientssl); 5401 SSL_CTX_free(sctx); 5402 SSL_CTX_free(cctx); 5403 5404 return testresult; 5405 } 5406 5407 /* 5408 * Test bi-directional shutdown. 5409 * Test 0: TLSv1.2 5410 * Test 1: TLSv1.2, server continues to read/write after client shutdown 5411 * Test 2: TLSv1.3, no pending NewSessionTicket messages 5412 * Test 3: TLSv1.3, pending NewSessionTicket messages 5413 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server 5414 * sends key update, client reads it 5415 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server 5416 * sends CertificateRequest, client reads and ignores it 5417 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client 5418 * doesn't read it 5419 */ 5420 static int test_shutdown(int tst) 5421 { 5422 SSL_CTX *cctx = NULL, *sctx = NULL; 5423 SSL *clientssl = NULL, *serverssl = NULL; 5424 int testresult = 0; 5425 char msg[] = "A test message"; 5426 char buf[80]; 5427 size_t written, readbytes; 5428 SSL_SESSION *sess; 5429 5430 #ifdef OPENSSL_NO_TLS1_2 5431 if (tst <= 1) 5432 return 1; 5433 #endif 5434 #ifdef OPENSSL_NO_TLS1_3 5435 if (tst >= 2) 5436 return 1; 5437 #endif 5438 5439 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), 5440 TLS_client_method(), 5441 TLS1_VERSION, 5442 (tst <= 1) ? TLS1_2_VERSION 5443 : TLS1_3_VERSION, 5444 &sctx, &cctx, cert, privkey))) 5445 goto end; 5446 5447 if (tst == 5) 5448 SSL_CTX_set_post_handshake_auth(cctx, 1); 5449 5450 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 5451 NULL, NULL))) 5452 goto end; 5453 5454 if (tst == 3) { 5455 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl, 5456 SSL_ERROR_NONE, 1)) 5457 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL) 5458 || !TEST_false(SSL_SESSION_is_resumable(sess))) 5459 goto end; 5460 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl, 5461 SSL_ERROR_NONE)) 5462 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL) 5463 || !TEST_true(SSL_SESSION_is_resumable(sess))) { 5464 goto end; 5465 } 5466 5467 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)) 5468 goto end; 5469 5470 if (tst >= 4) { 5471 /* 5472 * Reading on the server after the client has sent close_notify should 5473 * fail and provide SSL_ERROR_ZERO_RETURN 5474 */ 5475 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)) 5476 || !TEST_int_eq(SSL_get_error(serverssl, 0), 5477 SSL_ERROR_ZERO_RETURN) 5478 || !TEST_int_eq(SSL_get_shutdown(serverssl), 5479 SSL_RECEIVED_SHUTDOWN) 5480 /* 5481 * Even though we're shutdown on receive we should still be 5482 * able to write. 5483 */ 5484 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg)))) 5485 goto end; 5486 if (tst == 4 5487 && !TEST_true(SSL_key_update(serverssl, 5488 SSL_KEY_UPDATE_REQUESTED))) 5489 goto end; 5490 if (tst == 5) { 5491 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL); 5492 if (!TEST_true(SSL_verify_client_post_handshake(serverssl))) 5493 goto end; 5494 } 5495 if ((tst == 4 || tst == 5) 5496 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg)))) 5497 goto end; 5498 if (!TEST_int_eq(SSL_shutdown(serverssl), 1)) 5499 goto end; 5500 if (tst == 4 || tst == 5) { 5501 /* Should still be able to read data from server */ 5502 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), 5503 &readbytes)) 5504 || !TEST_size_t_eq(readbytes, sizeof(msg)) 5505 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0) 5506 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), 5507 &readbytes)) 5508 || !TEST_size_t_eq(readbytes, sizeof(msg)) 5509 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)) 5510 goto end; 5511 } 5512 } 5513 5514 /* Writing on the client after sending close_notify shouldn't be possible */ 5515 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written))) 5516 goto end; 5517 5518 if (tst < 4) { 5519 /* 5520 * For these tests the client has sent close_notify but it has not yet 5521 * been received by the server. The server has not sent close_notify 5522 * yet. 5523 */ 5524 if (!TEST_int_eq(SSL_shutdown(serverssl), 0) 5525 /* 5526 * Writing on the server after sending close_notify shouldn't 5527 * be possible. 5528 */ 5529 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written)) 5530 || !TEST_int_eq(SSL_shutdown(clientssl), 1) 5531 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL) 5532 || !TEST_true(SSL_SESSION_is_resumable(sess)) 5533 || !TEST_int_eq(SSL_shutdown(serverssl), 1)) 5534 goto end; 5535 } else if (tst == 4 || tst == 5) { 5536 /* 5537 * In this test the client has sent close_notify and it has been 5538 * received by the server which has responded with a close_notify. The 5539 * client needs to read the close_notify sent by the server. 5540 */ 5541 if (!TEST_int_eq(SSL_shutdown(clientssl), 1) 5542 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL) 5543 || !TEST_true(SSL_SESSION_is_resumable(sess))) 5544 goto end; 5545 } else { 5546 /* 5547 * tst == 6 5548 * 5549 * The client has sent close_notify and is expecting a close_notify 5550 * back, but instead there is application data first. The shutdown 5551 * should fail with a fatal error. 5552 */ 5553 if (!TEST_int_eq(SSL_shutdown(clientssl), -1) 5554 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL)) 5555 goto end; 5556 } 5557 5558 testresult = 1; 5559 5560 end: 5561 SSL_free(serverssl); 5562 SSL_free(clientssl); 5563 SSL_CTX_free(sctx); 5564 SSL_CTX_free(cctx); 5565 5566 return testresult; 5567 } 5568 5569 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3) 5570 static int cert_cb_cnt; 5571 5572 static int cert_cb(SSL *s, void *arg) 5573 { 5574 SSL_CTX *ctx = (SSL_CTX *)arg; 5575 5576 if (cert_cb_cnt == 0) { 5577 /* Suspend the handshake */ 5578 cert_cb_cnt++; 5579 return -1; 5580 } else if (cert_cb_cnt == 1) { 5581 /* 5582 * Update the SSL_CTX, set the certificate and private key and then 5583 * continue the handshake normally. 5584 */ 5585 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx))) 5586 return 0; 5587 5588 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM)) 5589 || !TEST_true(SSL_use_PrivateKey_file(s, privkey, 5590 SSL_FILETYPE_PEM)) 5591 || !TEST_true(SSL_check_private_key(s))) 5592 return 0; 5593 cert_cb_cnt++; 5594 return 1; 5595 } 5596 5597 /* Abort the handshake */ 5598 return 0; 5599 } 5600 5601 /* 5602 * Test the certificate callback. 5603 * Test 0: Callback fails 5604 * Test 1: Success - no SSL_set_SSL_CTX() in the callback 5605 * Test 2: Success - SSL_set_SSL_CTX() in the callback 5606 */ 5607 static int test_cert_cb_int(int prot, int tst) 5608 { 5609 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL; 5610 SSL *clientssl = NULL, *serverssl = NULL; 5611 int testresult = 0, ret; 5612 5613 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), 5614 TLS_client_method(), 5615 TLS1_VERSION, 5616 prot, 5617 &sctx, &cctx, NULL, NULL))) 5618 goto end; 5619 5620 if (tst == 0) 5621 cert_cb_cnt = -1; 5622 else 5623 cert_cb_cnt = 0; 5624 if (tst == 2) 5625 snictx = SSL_CTX_new(TLS_server_method()); 5626 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx); 5627 5628 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 5629 NULL, NULL))) 5630 goto end; 5631 5632 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE); 5633 if (!TEST_true(tst == 0 ? !ret : ret) 5634 || (tst > 0 && !TEST_int_eq(cert_cb_cnt, 2))) { 5635 goto end; 5636 } 5637 5638 testresult = 1; 5639 5640 end: 5641 SSL_free(serverssl); 5642 SSL_free(clientssl); 5643 SSL_CTX_free(sctx); 5644 SSL_CTX_free(cctx); 5645 SSL_CTX_free(snictx); 5646 5647 return testresult; 5648 } 5649 #endif 5650 5651 static int test_cert_cb(int tst) 5652 { 5653 int testresult = 1; 5654 5655 #ifndef OPENSSL_NO_TLS1_2 5656 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst); 5657 #endif 5658 #ifndef OPENSSL_NO_TLS1_3 5659 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst); 5660 #endif 5661 5662 return testresult; 5663 } 5664 5665 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey) 5666 { 5667 X509 *xcert, *peer; 5668 EVP_PKEY *privpkey; 5669 BIO *in = NULL; 5670 5671 /* Check that SSL_get_peer_certificate() returns something sensible */ 5672 peer = SSL_get_peer_certificate(ssl); 5673 if (!TEST_ptr(peer)) 5674 return 0; 5675 X509_free(peer); 5676 5677 in = BIO_new_file(cert, "r"); 5678 if (!TEST_ptr(in)) 5679 return 0; 5680 5681 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL); 5682 BIO_free(in); 5683 if (!TEST_ptr(xcert)) 5684 return 0; 5685 5686 in = BIO_new_file(privkey, "r"); 5687 if (!TEST_ptr(in)) { 5688 X509_free(xcert); 5689 return 0; 5690 } 5691 5692 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL); 5693 BIO_free(in); 5694 if (!TEST_ptr(privpkey)) { 5695 X509_free(xcert); 5696 return 0; 5697 } 5698 5699 *x509 = xcert; 5700 *pkey = privpkey; 5701 5702 return 1; 5703 } 5704 5705 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx) 5706 { 5707 return 1; 5708 } 5709 5710 static int test_client_cert_cb(int tst) 5711 { 5712 SSL_CTX *cctx = NULL, *sctx = NULL; 5713 SSL *clientssl = NULL, *serverssl = NULL; 5714 int testresult = 0; 5715 5716 #ifdef OPENSSL_NO_TLS1_2 5717 if (tst == 0) 5718 return 1; 5719 #endif 5720 #ifdef OPENSSL_NO_TLS1_3 5721 if (tst == 1) 5722 return 1; 5723 #endif 5724 5725 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), 5726 TLS_client_method(), 5727 TLS1_VERSION, 5728 tst == 0 ? TLS1_2_VERSION 5729 : TLS1_3_VERSION, 5730 &sctx, &cctx, cert, privkey))) 5731 goto end; 5732 5733 /* 5734 * Test that setting a client_cert_cb results in a client certificate being 5735 * sent. 5736 */ 5737 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb); 5738 SSL_CTX_set_verify(sctx, 5739 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 5740 verify_cb); 5741 5742 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 5743 NULL, NULL)) 5744 || !TEST_true(create_ssl_connection(serverssl, clientssl, 5745 SSL_ERROR_NONE))) 5746 goto end; 5747 5748 testresult = 1; 5749 5750 end: 5751 SSL_free(serverssl); 5752 SSL_free(clientssl); 5753 SSL_CTX_free(sctx); 5754 SSL_CTX_free(cctx); 5755 5756 return testresult; 5757 } 5758 5759 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3) 5760 /* 5761 * Test setting certificate authorities on both client and server. 5762 * 5763 * Test 0: SSL_CTX_set0_CA_list() only 5764 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list() 5765 * Test 2: Only SSL_CTX_set_client_CA_list() 5766 */ 5767 static int test_ca_names_int(int prot, int tst) 5768 { 5769 SSL_CTX *cctx = NULL, *sctx = NULL; 5770 SSL *clientssl = NULL, *serverssl = NULL; 5771 int testresult = 0; 5772 size_t i; 5773 X509_NAME *name[] = { NULL, NULL, NULL, NULL }; 5774 char *strnames[] = { "Jack", "Jill", "John", "Joanne" }; 5775 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL; 5776 const STACK_OF(X509_NAME) *sktmp = NULL; 5777 5778 for (i = 0; i < OSSL_NELEM(name); i++) { 5779 name[i] = X509_NAME_new(); 5780 if (!TEST_ptr(name[i]) 5781 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN", 5782 MBSTRING_ASC, 5783 (unsigned char *) 5784 strnames[i], 5785 -1, -1, 0))) 5786 goto end; 5787 } 5788 5789 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), 5790 TLS_client_method(), 5791 TLS1_VERSION, 5792 prot, 5793 &sctx, &cctx, cert, privkey))) 5794 goto end; 5795 5796 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL); 5797 5798 if (tst == 0 || tst == 1) { 5799 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null()) 5800 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0]))) 5801 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1]))) 5802 || !TEST_ptr(sk2 = sk_X509_NAME_new_null()) 5803 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0]))) 5804 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1])))) 5805 goto end; 5806 5807 SSL_CTX_set0_CA_list(sctx, sk1); 5808 SSL_CTX_set0_CA_list(cctx, sk2); 5809 sk1 = sk2 = NULL; 5810 } 5811 if (tst == 1 || tst == 2) { 5812 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null()) 5813 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2]))) 5814 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3]))) 5815 || !TEST_ptr(sk2 = sk_X509_NAME_new_null()) 5816 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2]))) 5817 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3])))) 5818 goto end; 5819 5820 SSL_CTX_set_client_CA_list(sctx, sk1); 5821 SSL_CTX_set_client_CA_list(cctx, sk2); 5822 sk1 = sk2 = NULL; 5823 } 5824 5825 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 5826 NULL, NULL)) 5827 || !TEST_true(create_ssl_connection(serverssl, clientssl, 5828 SSL_ERROR_NONE))) 5829 goto end; 5830 5831 /* 5832 * We only expect certificate authorities to have been sent to the server 5833 * if we are using TLSv1.3 and SSL_set0_CA_list() was used 5834 */ 5835 sktmp = SSL_get0_peer_CA_list(serverssl); 5836 if (prot == TLS1_3_VERSION 5837 && (tst == 0 || tst == 1)) { 5838 if (!TEST_ptr(sktmp) 5839 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2) 5840 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0), 5841 name[0]), 0) 5842 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1), 5843 name[1]), 0)) 5844 goto end; 5845 } else if (!TEST_ptr_null(sktmp)) { 5846 goto end; 5847 } 5848 5849 /* 5850 * In all tests we expect certificate authorities to have been sent to the 5851 * client. However, SSL_set_client_CA_list() should override 5852 * SSL_set0_CA_list() 5853 */ 5854 sktmp = SSL_get0_peer_CA_list(clientssl); 5855 if (!TEST_ptr(sktmp) 5856 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2) 5857 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0), 5858 name[tst == 0 ? 0 : 2]), 0) 5859 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1), 5860 name[tst == 0 ? 1 : 3]), 0)) 5861 goto end; 5862 5863 testresult = 1; 5864 5865 end: 5866 SSL_free(serverssl); 5867 SSL_free(clientssl); 5868 SSL_CTX_free(sctx); 5869 SSL_CTX_free(cctx); 5870 for (i = 0; i < OSSL_NELEM(name); i++) 5871 X509_NAME_free(name[i]); 5872 sk_X509_NAME_pop_free(sk1, X509_NAME_free); 5873 sk_X509_NAME_pop_free(sk2, X509_NAME_free); 5874 5875 return testresult; 5876 } 5877 #endif 5878 5879 static int test_ca_names(int tst) 5880 { 5881 int testresult = 1; 5882 5883 #ifndef OPENSSL_NO_TLS1_2 5884 testresult &= test_ca_names_int(TLS1_2_VERSION, tst); 5885 #endif 5886 #ifndef OPENSSL_NO_TLS1_3 5887 testresult &= test_ca_names_int(TLS1_3_VERSION, tst); 5888 #endif 5889 5890 return testresult; 5891 } 5892 5893 int setup_tests(void) 5894 { 5895 if (!TEST_ptr(cert = test_get_argument(0)) 5896 || !TEST_ptr(privkey = test_get_argument(1)) 5897 || !TEST_ptr(srpvfile = test_get_argument(2)) 5898 || !TEST_ptr(tmpfilename = test_get_argument(3))) 5899 return 0; 5900 5901 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) { 5902 #ifdef OPENSSL_NO_CRYPTO_MDEBUG 5903 TEST_error("not supported in this build"); 5904 return 0; 5905 #else 5906 int i, mcount, rcount, fcount; 5907 5908 for (i = 0; i < 4; i++) 5909 test_export_key_mat(i); 5910 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount); 5911 test_printf_stdout("malloc %d realloc %d free %d\n", 5912 mcount, rcount, fcount); 5913 return 1; 5914 #endif 5915 } 5916 5917 ADD_TEST(test_large_message_tls); 5918 ADD_TEST(test_large_message_tls_read_ahead); 5919 #ifndef OPENSSL_NO_DTLS 5920 ADD_TEST(test_large_message_dtls); 5921 #endif 5922 #ifndef OPENSSL_NO_OCSP 5923 ADD_TEST(test_tlsext_status_type); 5924 #endif 5925 ADD_TEST(test_session_with_only_int_cache); 5926 ADD_TEST(test_session_with_only_ext_cache); 5927 ADD_TEST(test_session_with_both_cache); 5928 #ifndef OPENSSL_NO_TLS1_3 5929 ADD_ALL_TESTS(test_stateful_tickets, 3); 5930 ADD_ALL_TESTS(test_stateless_tickets, 3); 5931 ADD_TEST(test_psk_tickets); 5932 #endif 5933 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS); 5934 ADD_TEST(test_ssl_bio_pop_next_bio); 5935 ADD_TEST(test_ssl_bio_pop_ssl_bio); 5936 ADD_TEST(test_ssl_bio_change_rbio); 5937 ADD_TEST(test_ssl_bio_change_wbio); 5938 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3) 5939 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2); 5940 ADD_TEST(test_keylog); 5941 #endif 5942 #ifndef OPENSSL_NO_TLS1_3 5943 ADD_TEST(test_keylog_no_master_key); 5944 #endif 5945 #ifndef OPENSSL_NO_TLS1_2 5946 ADD_TEST(test_client_hello_cb); 5947 #endif 5948 #ifndef OPENSSL_NO_TLS1_3 5949 ADD_ALL_TESTS(test_early_data_read_write, 3); 5950 /* 5951 * We don't do replay tests for external PSK. Replay protection isn't used 5952 * in that scenario. 5953 */ 5954 ADD_ALL_TESTS(test_early_data_replay, 2); 5955 ADD_ALL_TESTS(test_early_data_skip, 3); 5956 ADD_ALL_TESTS(test_early_data_skip_hrr, 3); 5957 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3); 5958 ADD_ALL_TESTS(test_early_data_skip_abort, 3); 5959 ADD_ALL_TESTS(test_early_data_not_sent, 3); 5960 ADD_ALL_TESTS(test_early_data_psk, 8); 5961 ADD_ALL_TESTS(test_early_data_not_expected, 3); 5962 # ifndef OPENSSL_NO_TLS1_2 5963 ADD_ALL_TESTS(test_early_data_tls1_2, 3); 5964 # endif 5965 #endif 5966 #ifndef OPENSSL_NO_TLS1_3 5967 ADD_ALL_TESTS(test_set_ciphersuite, 10); 5968 ADD_TEST(test_ciphersuite_change); 5969 #ifdef OPENSSL_NO_PSK 5970 ADD_ALL_TESTS(test_tls13_psk, 1); 5971 #else 5972 ADD_ALL_TESTS(test_tls13_psk, 4); 5973 #endif /* OPENSSL_NO_PSK */ 5974 ADD_ALL_TESTS(test_custom_exts, 5); 5975 ADD_TEST(test_stateless); 5976 ADD_TEST(test_pha_key_update); 5977 #else 5978 ADD_ALL_TESTS(test_custom_exts, 3); 5979 #endif 5980 ADD_ALL_TESTS(test_serverinfo, 8); 5981 ADD_ALL_TESTS(test_export_key_mat, 6); 5982 #ifndef OPENSSL_NO_TLS1_3 5983 ADD_ALL_TESTS(test_export_key_mat_early, 3); 5984 ADD_TEST(test_key_update); 5985 #endif 5986 ADD_ALL_TESTS(test_ssl_clear, 2); 5987 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test)); 5988 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2) 5989 ADD_ALL_TESTS(test_srp, 6); 5990 #endif 5991 ADD_ALL_TESTS(test_info_callback, 6); 5992 ADD_ALL_TESTS(test_ssl_pending, 2); 5993 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data)); 5994 ADD_ALL_TESTS(test_ticket_callbacks, 12); 5995 ADD_ALL_TESTS(test_shutdown, 7); 5996 ADD_ALL_TESTS(test_cert_cb, 3); 5997 ADD_ALL_TESTS(test_client_cert_cb, 2); 5998 ADD_ALL_TESTS(test_ca_names, 3); 5999 return 1; 6000 } 6001 6002 void cleanup_tests(void) 6003 { 6004 bio_s_mempacket_test_free(); 6005 } 6006
Indexes created Sun Mar 01 05:31:48 UTC 2026