X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=test%2Fsslapitest.c;h=788ac4609ef7d7d40f421872f062a011e393ccb9;hp=108d57e4781cd9a6e468ec71ff9d1122e1ddc655;hb=088dfa133561d7613b9391a56ddbce58f32c934a;hpb=fb8c83599e869516552f7c27bdc4dd26947fe657 diff --git a/test/sslapitest.c b/test/sslapitest.c index 108d57e478..788ac4609e 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -1,7 +1,7 @@ /* * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. * - * Licensed under the OpenSSL license (the "License"). You may not use + * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html @@ -22,6 +22,7 @@ #include "testutil.h" #include "testutil/output.h" #include "internal/nelem.h" +#include "internal/ktls.h" #include "../ssl/ssl_locl.h" #ifndef OPENSSL_NO_TLS1_3 @@ -316,7 +317,7 @@ static int test_keylog(void) if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), - TLS1_VERSION, TLS_MAX_VERSION, + TLS1_VERSION, 0, &sctx, &cctx, cert, privkey))) return 0; @@ -398,7 +399,7 @@ static int test_keylog_no_master_key(void) error_writing_log = 0; if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), - TLS1_VERSION, TLS_MAX_VERSION, + TLS1_VERSION, 0, &sctx, &cctx, cert, privkey)) || !TEST_true(SSL_CTX_set_max_early_data(sctx, SSL3_RT_MAX_PLAIN_LENGTH))) @@ -544,7 +545,7 @@ static int test_client_hello_cb(void) int testctr = 0, testresult = 0; if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), - TLS1_VERSION, TLS_MAX_VERSION, + TLS1_VERSION, 0, &sctx, &cctx, cert, privkey))) goto end; SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr); @@ -570,6 +571,51 @@ static int test_client_hello_cb(void) testresult = 1; +end: + SSL_free(serverssl); + SSL_free(clientssl); + SSL_CTX_free(sctx); + SSL_CTX_free(cctx); + + return testresult; +} + +static int test_no_ems(void) +{ + SSL_CTX *cctx = NULL, *sctx = NULL; + SSL *clientssl = NULL, *serverssl = NULL; + int testresult = 0; + + if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), + TLS1_VERSION, TLS1_2_VERSION, + &sctx, &cctx, cert, privkey)) { + printf("Unable to create SSL_CTX pair\n"); + goto end; + } + + SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET); + + if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) { + printf("Unable to create SSL objects\n"); + goto end; + } + + if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) { + printf("Creating SSL connection failed\n"); + goto end; + } + + if (SSL_get_extms_support(serverssl)) { + printf("Server reports Extended Master Secret support\n"); + goto end; + } + + if (SSL_get_extms_support(clientssl)) { + printf("Client reports Extended Master Secret support\n"); + goto end; + } + testresult = 1; + end: SSL_free(serverssl); SSL_free(clientssl); @@ -656,18 +702,203 @@ static int execute_test_large_message(const SSL_METHOD *smeth, return testresult; } +#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \ + && !defined(OPENSSL_NO_SOCK) + +/* sock must be connected */ +static int ktls_chk_platform(int sock) +{ + if (!ktls_enable(sock)) + return 0; + return 1; +} + +static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd) +{ + static char count = 1; + unsigned char cbuf[16000] = {0}; + unsigned char sbuf[16000]; + size_t err = 0; + char crec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE]; + char crec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE]; + char srec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE]; + char srec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE]; + char srec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE]; + char srec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE]; + + cbuf[0] = count++; + memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, + TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE); + memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, + TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE); + memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, + TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE); + + if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf))) + goto end; + + while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) { + if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) { + goto end; + } + } + + if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf))) + goto end; + + while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) { + if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) { + goto end; + } + } + + memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, + TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE); + memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, + TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE); + memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, + TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE); + + /* verify the payload */ + if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf))) + goto end; + + /* ktls is used then kernel sequences are used instead of OpenSSL sequences */ + if (clientssl->mode & SSL_MODE_NO_KTLS_TX) { + if (!TEST_mem_ne(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE, + crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE)) + goto end; + } else { + if (!TEST_mem_eq(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE, + crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE)) + goto end; + } + + if (serverssl->mode & SSL_MODE_NO_KTLS_TX) { + if (!TEST_mem_ne(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE, + srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE)) + goto end; + } else { + if (!TEST_mem_eq(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE, + srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE)) + goto end; + } + + if (!TEST_mem_ne(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE, + srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE)) + goto end; + + return 1; +end: + return 0; +} + +static int execute_test_ktls(int cis_ktls_tx, int sis_ktls_tx) +{ + SSL_CTX *cctx = NULL, *sctx = NULL; + SSL *clientssl = NULL, *serverssl = NULL; + int testresult = 0; + int cfd, sfd; + + if (!TEST_true(create_test_sockets(&cfd, &sfd))) + goto end; + + /* Skip this test if the platform does not support ktls */ + if (!ktls_chk_platform(cfd)) + return 1; + + /* Create a session based on SHA-256 */ + if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), + TLS_client_method(), + TLS1_2_VERSION, TLS1_2_VERSION, + &sctx, &cctx, cert, privkey)) + || !TEST_true(SSL_CTX_set_cipher_list(cctx, + "AES128-GCM-SHA256")) + || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl, + &clientssl, sfd, cfd))) + goto end; + + if (!cis_ktls_tx) { + if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX))) + goto end; + } + + if (!sis_ktls_tx) { + if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX))) + goto end; + } + + if (!TEST_true(create_ssl_connection(serverssl, clientssl, + SSL_ERROR_NONE))) + goto end; + + if (!cis_ktls_tx) { + if (!TEST_false(BIO_get_ktls_send(clientssl->wbio))) + goto end; + } else { + if (!TEST_true(BIO_get_ktls_send(clientssl->wbio))) + goto end; + } + + if (!sis_ktls_tx) { + if (!TEST_false(BIO_get_ktls_send(serverssl->wbio))) + goto end; + } else { + if (!TEST_true(BIO_get_ktls_send(serverssl->wbio))) + goto end; + } + + if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd))) + goto end; + + testresult = 1; +end: + if (clientssl) { + SSL_shutdown(clientssl); + SSL_free(clientssl); + } + if (serverssl) { + SSL_shutdown(serverssl); + SSL_free(serverssl); + } + SSL_CTX_free(sctx); + SSL_CTX_free(cctx); + serverssl = clientssl = NULL; + return testresult; +} + +static int test_ktls_client_server(void) +{ + return execute_test_ktls(1, 1); +} + +static int test_ktls_no_client_server(void) +{ + return execute_test_ktls(0, 1); +} + +static int test_ktls_client_no_server(void) +{ + return execute_test_ktls(1, 0); +} + +static int test_ktls_no_client_no_server(void) +{ + return execute_test_ktls(0, 0); +} + +#endif + static int test_large_message_tls(void) { return execute_test_large_message(TLS_server_method(), TLS_client_method(), - TLS1_VERSION, TLS_MAX_VERSION, - 0); + TLS1_VERSION, 0, 0); } static int test_large_message_tls_read_ahead(void) { return execute_test_large_message(TLS_server_method(), TLS_client_method(), - TLS1_VERSION, TLS_MAX_VERSION, - 1); + TLS1_VERSION, 0, 1); } #ifndef OPENSSL_NO_DTLS @@ -679,8 +910,7 @@ static int test_large_message_dtls(void) */ return execute_test_large_message(DTLS_server_method(), DTLS_client_method(), - DTLS1_VERSION, DTLS_MAX_VERSION, - 0); + DTLS1_VERSION, 0, 0); } #endif @@ -740,7 +970,7 @@ static int test_tlsext_status_type(void) BIO *certbio = NULL; if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), - TLS1_VERSION, TLS_MAX_VERSION, + TLS1_VERSION, 0, &sctx, &cctx, cert, privkey)) return 0; @@ -909,7 +1139,7 @@ static int execute_test_session(int maxprot, int use_int_cache, numnewsesstick = 2; if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), - TLS1_VERSION, TLS_MAX_VERSION, + TLS1_VERSION, 0, &sctx, &cctx, cert, privkey))) return 0; @@ -1257,7 +1487,7 @@ static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx, int sess_id_ctx = 1; if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), - TLS1_VERSION, TLS_MAX_VERSION, sctx, + TLS1_VERSION, 0, sctx, cctx, cert, privkey)) || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx)) || !TEST_true(SSL_CTX_set_session_id_context(*sctx, @@ -1457,7 +1687,7 @@ static int test_psk_tickets(void) int sess_id_ctx = 1; if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), - TLS1_VERSION, TLS_MAX_VERSION, &sctx, + TLS1_VERSION, 0, &sctx, &cctx, NULL, NULL)) || !TEST_true(SSL_CTX_set_session_id_context(sctx, (void *)&sess_id_ctx, @@ -1583,7 +1813,7 @@ static int test_ssl_set_bio(int idx) } if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), - TLS1_VERSION, TLS_MAX_VERSION, + TLS1_VERSION, 0, &sctx, &cctx, cert, privkey))) goto end; @@ -1808,7 +2038,7 @@ static int test_set_sigalgs(int idx) : &testsigalgs[idx - OSSL_NELEM(testsigalgs)]; if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), - TLS1_VERSION, TLS_MAX_VERSION, + TLS1_VERSION, 0, &sctx, &cctx, cert, privkey))) return 0; @@ -2048,7 +2278,7 @@ static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl, if (*sctx == NULL && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), - TLS1_VERSION, TLS_MAX_VERSION, + TLS1_VERSION, 0, sctx, cctx, cert, privkey))) return 0; @@ -2374,7 +2604,7 @@ static int test_early_data_replay_int(int idx, int usecb, int confopt) allow_ed_cb_called = 0; if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), - TLS1_VERSION, TLS_MAX_VERSION, &sctx, + TLS1_VERSION, 0, &sctx, &cctx, cert, privkey))) return 0; @@ -3099,7 +3329,7 @@ static int test_set_ciphersuite(int idx) int testresult = 0; if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), - TLS1_VERSION, TLS_MAX_VERSION, + TLS1_VERSION, 0, &sctx, &cctx, cert, privkey)) || !TEST_true(SSL_CTX_set_ciphersuites(sctx, "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256"))) @@ -3169,7 +3399,7 @@ static int test_ciphersuite_change(void) /* Create a session based on SHA-256 */ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), - TLS1_VERSION, TLS_MAX_VERSION, + TLS1_VERSION, 0, &sctx, &cctx, cert, privkey)) || !TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_128_GCM_SHA256")) @@ -3309,7 +3539,7 @@ static int test_tls13_psk(int idx) int testresult = 0; if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), - TLS1_VERSION, TLS_MAX_VERSION, + TLS1_VERSION, 0, &sctx, &cctx, idx == 3 ? NULL : cert, idx == 3 ? NULL : privkey))) goto end; @@ -3557,7 +3787,7 @@ static int test_stateless(void) int testresult = 0; if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), - TLS1_VERSION, TLS_MAX_VERSION, + TLS1_VERSION, 0, &sctx, &cctx, cert, privkey))) goto end; @@ -3781,13 +4011,13 @@ static int test_custom_exts(int tst) snicb = 0; if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), - TLS1_VERSION, TLS_MAX_VERSION, + TLS1_VERSION, 0, &sctx, &cctx, cert, privkey))) goto end; if (tst == 2 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL, - TLS1_VERSION, TLS_MAX_VERSION, + TLS1_VERSION, 0, &sctx2, NULL, cert, privkey))) goto end; @@ -4028,20 +4258,25 @@ static int test_serverinfo(int tst) * no test vectors so all we do is test that both sides of the communication * produce the same results for different protocol versions. */ +#define SMALL_LABEL_LEN 10 +#define LONG_LABEL_LEN 249 static int test_export_key_mat(int tst) { int testresult = 0; SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL; SSL *clientssl = NULL, *serverssl = NULL; - const char label[] = "test label"; + const char label[LONG_LABEL_LEN + 1] = "test label"; const unsigned char context[] = "context"; const unsigned char *emptycontext = NULL; unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80]; unsigned char skeymat1[80], skeymat2[80], skeymat3[80]; + size_t labellen; const int protocols[] = { TLS1_VERSION, TLS1_1_VERSION, TLS1_2_VERSION, + TLS1_3_VERSION, + TLS1_3_VERSION, TLS1_3_VERSION }; @@ -4058,11 +4293,11 @@ static int test_export_key_mat(int tst) return 1; #endif #ifdef OPENSSL_NO_TLS1_3 - if (tst == 3) + if (tst >= 3) return 1; #endif if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), - TLS1_VERSION, TLS_MAX_VERSION, + TLS1_VERSION, 0, &sctx, &cctx, cert, privkey))) goto end; @@ -4076,33 +4311,52 @@ static int test_export_key_mat(int tst) SSL_ERROR_NONE))) goto end; + if (tst == 5) { + /* + * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we + * go over that. + */ + if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1, + sizeof(ckeymat1), label, + LONG_LABEL_LEN + 1, context, + sizeof(context) - 1, 1), 0)) + goto end; + + testresult = 1; + goto end; + } else if (tst == 4) { + labellen = LONG_LABEL_LEN; + } else { + labellen = SMALL_LABEL_LEN; + } + if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1, sizeof(ckeymat1), label, - sizeof(label) - 1, context, + labellen, context, sizeof(context) - 1, 1), 1) || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2, sizeof(ckeymat2), label, - sizeof(label) - 1, + labellen, emptycontext, 0, 1), 1) || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3, sizeof(ckeymat3), label, - sizeof(label) - 1, + labellen, NULL, 0, 0), 1) || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1, sizeof(skeymat1), label, - sizeof(label) - 1, + labellen, context, sizeof(context) -1, 1), 1) || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2, sizeof(skeymat2), label, - sizeof(label) - 1, + labellen, emptycontext, 0, 1), 1) || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3, sizeof(skeymat3), label, - sizeof(label) - 1, + labellen, NULL, 0, 0), 1) /* * Check that both sides created the same key material with the @@ -4131,10 +4385,10 @@ static int test_export_key_mat(int tst) * Check that an empty context and no context produce different results in * protocols less than TLSv1.3. In TLSv1.3 they should be the same. */ - if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3, + if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3, sizeof(ckeymat3))) - || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3, - sizeof(ckeymat3)))) + || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3, + sizeof(ckeymat3)))) goto end; testresult = 1; @@ -4241,7 +4495,7 @@ static int test_ssl_clear(int idx) /* Create an initial connection */ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), - TLS1_VERSION, TLS_MAX_VERSION, + TLS1_VERSION, 0, &sctx, &cctx, cert, privkey)) || (idx == 1 && !TEST_true(SSL_CTX_set_max_proto_version(cctx, @@ -4397,7 +4651,7 @@ static int test_pha_key_update(void) int testresult = 0; if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), - TLS1_VERSION, TLS_MAX_VERSION, + TLS1_VERSION, 0, &sctx, &cctx, cert, privkey))) return 0; @@ -4620,7 +4874,7 @@ static int test_srp(int tst) } if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), - TLS1_VERSION, TLS_MAX_VERSION, + TLS1_VERSION, 0, &sctx, &cctx, cert, privkey))) goto end; @@ -4710,18 +4964,14 @@ static struct info_cb_states_st { {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"}, - {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL}, - {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL}, - {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TWST"}, - {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, - {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL}, - {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, - {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, - {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, - {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"}, - {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL}, - {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL}, - {SSL_CB_EXIT, NULL}, {0, NULL}, + {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"}, + {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL}, + {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "}, + {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"}, + {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"}, + {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, + {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL}, + {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL}, }, { /* TLSv1.3 client followed by resumption */ {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "}, @@ -4729,20 +4979,16 @@ static struct info_cb_states_st { {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL}, - {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL}, - {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, - {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, - {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "SSLOK "}, - {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, - {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, + {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, + {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, + {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, - {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "SSLOK "}, - {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, - {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL}, + {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, + {SSL_CB_EXIT, NULL}, {0, NULL}, }, { /* TLSv1.3 server, early_data */ {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "}, @@ -4751,8 +4997,7 @@ static struct info_cb_states_st { {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"}, - {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL}, - {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL}, + {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL}, }, { /* TLSv1.3 client, early_data */ @@ -4763,9 +5008,8 @@ static struct info_cb_states_st { {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL}, - {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL}, - {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, - {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL}, + {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, + {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL}, }, { {0, NULL}, } @@ -4804,8 +5048,11 @@ static void sslapi_info_callback(const SSL *s, int where, int ret) return; } - /* Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init */ - if ((where & SSL_CB_HANDSHAKE_DONE) && SSL_in_init((SSL *)s) != 0) { + /* + * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init + */ + if ((where & SSL_CB_HANDSHAKE_DONE) + && SSL_in_init((SSL *)s) != 0) { info_cb_failed = 1; return; } @@ -4949,14 +5196,14 @@ static int test_ssl_pending(int tst) if (tst == 0) { if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), - TLS1_VERSION, TLS_MAX_VERSION, + TLS1_VERSION, 0, &sctx, &cctx, cert, privkey))) goto end; } else { #ifndef OPENSSL_NO_DTLS if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(), DTLS_client_method(), - DTLS1_VERSION, DTLS_MAX_VERSION, + DTLS1_VERSION, 0, &sctx, &cctx, cert, privkey))) goto end; #else @@ -5384,7 +5631,7 @@ static int test_shutdown(int tst) if (tst == 3) { if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl, - SSL_ERROR_NONE)) + SSL_ERROR_NONE, 1)) || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL) || !TEST_false(SSL_SESSION_is_resumable(sess))) goto end; @@ -5821,6 +6068,9 @@ static int test_ca_names(int tst) return testresult; } + +OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile\n") + int setup_tests(void) { if (!TEST_ptr(cert = test_get_argument(0)) @@ -5845,6 +6095,13 @@ int setup_tests(void) #endif } +#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \ + && !defined(OPENSSL_NO_SOCK) + ADD_TEST(test_ktls_client_server); + ADD_TEST(test_ktls_no_client_server); + ADD_TEST(test_ktls_client_no_server); + ADD_TEST(test_ktls_no_client_no_server); +#endif ADD_TEST(test_large_message_tls); ADD_TEST(test_large_message_tls_read_ahead); #ifndef OPENSSL_NO_DTLS @@ -5875,6 +6132,7 @@ int setup_tests(void) #endif #ifndef OPENSSL_NO_TLS1_2 ADD_TEST(test_client_hello_cb); + ADD_TEST(test_no_ems); #endif #ifndef OPENSSL_NO_TLS1_3 ADD_ALL_TESTS(test_early_data_read_write, 3); @@ -5909,7 +6167,7 @@ int setup_tests(void) ADD_ALL_TESTS(test_custom_exts, 3); #endif ADD_ALL_TESTS(test_serverinfo, 8); - ADD_ALL_TESTS(test_export_key_mat, 4); + ADD_ALL_TESTS(test_export_key_mat, 6); #ifndef OPENSSL_NO_TLS1_3 ADD_ALL_TESTS(test_export_key_mat_early, 3); #endif