#include <openssl/aes.h>
#include <openssl/rand.h>
#include <openssl/core_names.h>
-#include <openssl/core_numbers.h>
+#include <openssl/core_dispatch.h>
#include <openssl/provider.h>
#include "ssltestlib.h"
if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
goto end;
- chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
+
+ if (!TEST_ptr(chaincert = X509_new_with_libctx(libctx, NULL)))
+ goto end;
+
+ if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
+ goto end;
BIO_free(certbio);
certbio = NULL;
- if (!TEST_ptr(chaincert))
- goto end;
if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
max_version, &sctx, &cctx, cert,
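Review bot: The PEM_read_bio_X509() failure right after the new `if (!TEST_ptr(chaincert = X509_new_with_libctx(libctx, NULL)))` check jumps to `end` without going through the test framework, so a parse failure here produces no diagnostic, unlike every other check in this function and the equivalent additions later in this diff (`|| !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))`). Wrap it the same way: `if (!TEST_ptr(PEM_read_bio_X509(certbio, &chaincert, NULL, NULL)))`. The cleanup at `end` still calls X509_free(chaincert) on that path, which is only safe if PEM_read_bio_X509() leaves the caller-supplied *x NULL (not freed-but-dangling) on failure; that appears to be the library contract but is worth confirming once, since the same pattern is introduced for `&ocspcert`, `&rootx`, `&x509` and `&xcert` elsewhere in this diff. The enclosing function begins and ends outside this hunk.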
testresult = 1;
end:
+ BIO_free(certbio);
X509_free(chaincert);
SSL_free(serverssl);
SSL_free(clientssl);
}
#endif
+static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
+ const SSL_METHOD *cmeth,
+ int min_version, int max_version)
+{
+ size_t i;
+ SSL_CTX *cctx = NULL, *sctx = NULL;
+ SSL *clientssl = NULL, *serverssl = NULL;
+ int testresult = 0;
+ SSL3_RECORD *rr;
+ void *zbuf;
+
+ static unsigned char cbuf[16000];
+ static unsigned char sbuf[16000];
+
+ if (!TEST_true(create_ssl_ctx_pair(libctx,
+ smeth, cmeth,
+ min_version, max_version,
+ &sctx, &cctx, cert,
+ privkey)))
+ goto end;
+
+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
+ NULL, NULL)))
+ goto end;
+
+ if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
+ goto end;
+
+ if (!TEST_true(create_ssl_connection(serverssl, clientssl,
+ SSL_ERROR_NONE)))
+ goto end;
+
+ for (i = 0; i < sizeof(cbuf); i++) {
+ cbuf[i] = i & 0xff;
+ }
+
+ if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
+ goto end;
+
+ if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
+ goto end;
+
+ if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
+ goto end;
+
+ /*
+ * Since we called SSL_peek(), we know the data in the record
+ * layer is a plaintext record. We can gather the pointer to check
+ * for zeroization after SSL_read().
+ */
+ rr = serverssl->rlayer.rrec;
+ zbuf = &rr->data[rr->off];
+ if (!TEST_int_eq(rr->length, sizeof(cbuf)))
+ goto end;
+
+ /*
+ * After SSL_peek() the plaintext must still be stored in the
+ * record.
+ */
+ if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
+ goto end;
+
+ memset(sbuf, 0, sizeof(sbuf));
+ if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
+ goto end;
+
+ if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
+ goto end;
+
+ /* Check if rbuf is cleansed */
+ memset(cbuf, 0, sizeof(cbuf));
+ if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
+ goto end;
+
+ testresult = 1;
+ end:
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ SSL_CTX_free(sctx);
+ SSL_CTX_free(cctx);
+
+ return testresult;
+}
+
+static int test_cleanse_plaintext(void)
+{
+#if !defined(OPENSSL_NO_TLS1_2)
+ if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
+ TLS_client_method(),
+ TLS1_2_VERSION,
+ TLS1_2_VERSION)))
+ return 0;
+
+#endif
+
+#if !defined(OPENSSL_NO_TLS1_3)
+ if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
+ TLS_client_method(),
+ TLS1_3_VERSION,
+ TLS1_3_VERSION)))
+ return 0;
+#endif
+
+#if !defined(OPENSSL_NO_DTLS)
+ if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
+ DTLS_client_method(),
+ DTLS1_VERSION,
+ 0)))
+ return 0;
+#endif
+ return 1;
+}
+
#ifndef OPENSSL_NO_OCSP
static int ocsp_server_cb(SSL *s, void *arg)
{
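Review bot: The receive buffer is passed as `&sbuf` in both `SSL_peek(serverssl, &sbuf, sizeof(sbuf))` and `SSL_read(serverssl, &sbuf, sizeof(sbuf))`, a pointer-to-array that converts silently to void *, while the send side passes the array itself (`cbuf`); `SSL_peek(serverssl, sbuf, sizeof(sbuf))` and `SSL_read(serverssl, sbuf, sizeof(sbuf))` would be consistent and type-honest. The comment `/* Check if rbuf is cleansed */` names a variable that does not exist in this function; `/* The record storage zbuf points at must now be all zeros */` would match the code. The zeroization check also relies on `zbuf`, taken from `serverssl->rlayer.rrec` after SSL_peek(), still addressing the same storage after SSL_read(); that holds only as long as the record layer neither releases nor reallocates its read buffer between the two calls, which nothing here enforces, so a comment stating that assumption would stop a future buffer-management change from silently turning this test into a read of freed memory.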
if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
|| !TEST_ptr(id = OCSP_RESPID_new())
|| !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
- || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
- NULL, NULL, NULL))
+ || !TEST_ptr(ocspcert = X509_new_with_libctx(libctx, NULL))
+ || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
|| !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
|| !TEST_true(sk_OCSP_RESPID_push(ids, id)))
goto end;
OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
+ if ((protocols[tst] < TLS1_2_VERSION) &&
+ (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
+ || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
+ goto end;
if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
NULL))
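Review bot: The two SSL_CTX_set_cipher_list() calls added after `SSL_CTX_set_min_proto_version(cctx, protocols[tst]);` jump to `end` on failure without a TEST_true() wrapper, so a failure here is silent while every neighbouring check reports through the test framework; wrapping each call, `(!TEST_true(SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")) || !TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))`, keeps the diagnostics uniform. Dropping the security level to 0 also deserves a why-comment so the line is not copied into non-test code, e.g. `/* Pre-TLS1.2 suites are rejected at the default security level; relax it for these legacy versions only */`. The enclosing function starts and ends outside this hunk.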
params[2] = OSSL_PARAM_construct_end();
if (aes128cbc == NULL
|| !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
- || !EVP_MAC_set_ctx_params(hctx, params)
+ || !EVP_MAC_CTX_set_params(hctx, params)
|| !EVP_MAC_init(hctx))
ret = -1;
else
goto out;
if (!TEST_ptr(in = BIO_new(BIO_s_file()))
|| !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
- || !TEST_ptr(rootx = PEM_read_bio_X509(in, NULL, NULL, NULL))
+ || !TEST_ptr(rootx = X509_new_with_libctx(libctx, NULL))
+ || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
|| !TEST_true(sk_X509_push(chain, rootx)))
goto out;
rootx = NULL;
BIO_free(in);
if (!TEST_ptr(in = BIO_new(BIO_s_file()))
|| !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
- || !TEST_ptr(x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)))
+ || !TEST_ptr(x509 = X509_new_with_libctx(libctx, NULL))
+ || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
goto out;
BIO_free(in);
if (!TEST_ptr(in = BIO_new(BIO_s_file()))
static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
{
- X509 *xcert, *peer;
+ X509 *xcert;
EVP_PKEY *privpkey;
BIO *in = NULL;
+ BIO *priv_in = NULL;
- /* Check that SSL_get_peer_certificate() returns something sensible */
- peer = SSL_get_peer_certificate(ssl);
- if (!TEST_ptr(peer))
+ /* Check that SSL_get0_peer_certificate() returns something sensible */
+ if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
return 0;
- X509_free(peer);
in = BIO_new_file(cert, "r");
if (!TEST_ptr(in))
return 0;
- xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
- BIO_free(in);
- if (!TEST_ptr(xcert))
- return 0;
-
- in = BIO_new_file(privkey, "r");
- if (!TEST_ptr(in)) {
- X509_free(xcert);
- return 0;
- }
-
- privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
- BIO_free(in);
- if (!TEST_ptr(privpkey)) {
- X509_free(xcert);
- return 0;
- }
+ if (!TEST_ptr(xcert = X509_new_with_libctx(libctx, NULL))
+ || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
+ || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
+ || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey(priv_in, NULL, NULL,
+ NULL)))
+ goto err;
*x509 = xcert;
*pkey = privpkey;
+ BIO_free(in);
+ BIO_free(priv_in);
return 1;
+err:
+ X509_free(xcert);
+ BIO_free(in);
+ BIO_free(priv_in);
+ return 0;
}
static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
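Review bot: `xcert` is declared without an initializer at `X509 *xcert;` while the new `err:` label unconditionally calls `X509_free(xcert)`; this is only safe today because `xcert = X509_new_with_libctx(libctx, NULL)` is the first term of the chain that can reach `err`, and any check inserted before it would free an indeterminate pointer. `X509 *xcert = NULL;` costs nothing and makes the cleanup robust; `EVP_PKEY *privpkey = NULL;` would keep the function uniform even though nothing after its assignment can currently fail. The error path also depends on PEM_read_bio_X509() leaving a caller-supplied `&xcert` NULL rather than dangling when it fails; that appears to be the library contract but is not visible here and is worth a one-line confirmation since the diff introduces the same pattern in several places.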
SSL *clientssl = NULL, *serverssl = NULL;
int testresult = 0;
OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
+ /* Check that we are not impacted by a provider without any groups */
+ OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
- if (!TEST_ptr(tlsprov))
+ if (!TEST_ptr(tlsprov) || !TEST_ptr(legacyprov))
goto end;
if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
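Review bot: Loading the `legacy` provider is now mandatory for this test (`if (!TEST_ptr(tlsprov) || !TEST_ptr(legacyprov))`), so on a build configured without that provider the test fails rather than being skipped; if such builds are supported, the legacy load should be guarded by the corresponding configuration macro or its absence reported as a skip. On the early-exit path, `end` calls OSSL_PROVIDER_unload(legacyprov) with NULL when only tlsprov loaded; that is fine if unload accepts NULL, which is not visible in this hunk and worth confirming. The enclosing function starts and ends outside this hunk.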
SSL_CTX_free(sctx);
SSL_CTX_free(cctx);
OSSL_PROVIDER_unload(tlsprov);
+ OSSL_PROVIDER_unload(legacyprov);
return testresult;
}
#ifndef OPENSSL_NO_DTLS
ADD_TEST(test_large_message_dtls);
#endif
+ ADD_TEST(test_cleanse_plaintext);
#ifndef OPENSSL_NO_OCSP
ADD_TEST(test_tlsext_status_type);
#endif