X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=test%2Fsslapitest.c;h=ce903646c106aab76835bcf839ad5b7bdd99fb3b;hp=13ba727c5daa74441a178c02372bb5404f966e0a;hb=e440f51395f10e307f720213bd75393e446024a3;hpb=0de6d66d36dc5f6d46247c63da71b73d7e8e018c diff --git a/test/sslapitest.c b/test/sslapitest.c index 13ba727c5d..ce903646c1 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -1,5 +1,5 @@ /* - * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -17,7 +17,7 @@ #include "ssltestlib.h" #include "testutil.h" -#include "e_os.h" +#include "internal/nelem.h" #include "../ssl/ssl_locl.h" static char *cert = NULL; @@ -40,6 +40,7 @@ static X509 *ocspcert = NULL; #endif #define NUM_EXTRA_CERTS 40 +#define CLIENT_VERSION_LEN 2 /* * This structure is used to validate that the correct number of log messages @@ -91,7 +92,7 @@ static void server_keylog_callback(const SSL *ssl, const char *line) /* If the log doesn't fit, error out. */ if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) { - TEST_info("Server og too full"); + TEST_info("Server log too full"); error_writing_log = 1; return; } @@ -253,6 +254,7 @@ static int test_keylog_output(char *buffer, const SSL *ssl, return 1; } +#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3) static int test_keylog(void) { SSL_CTX *cctx = NULL, *sctx = NULL; @@ -329,6 +331,7 @@ end: return testresult; } +#endif #ifndef OPENSSL_NO_TLS1_3 static int test_keylog_no_master_key(void) @@ -401,7 +404,7 @@ end: #endif #ifndef OPENSSL_NO_TLS1_2 -static int full_early_callback(SSL *s, int *al, void *arg) +static int full_client_hello_callback(SSL *s, int *al, void *arg) { int *ctr = arg; const unsigned char *p; @@ -417,31 +420,32 @@ static int full_early_callback(SSL *s, int *al, void *arg) #ifndef OPENSSL_NO_EC 11, 10, #endif - 35, 13, 22, 23}; + 35, 22, 23, 13}; size_t len; /* Make sure we can defer processing and get called back. */ if ((*ctr)++ == 0) - return -1; + return SSL_CLIENT_HELLO_RETRY; - len = SSL_early_get0_ciphers(s, &p); + len = SSL_client_hello_get0_ciphers(s, &p); if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers)) - || !TEST_size_t_eq(SSL_early_get0_compression_methods(s, &p), 1) + || !TEST_size_t_eq( + SSL_client_hello_get0_compression_methods(s, &p), 1) || !TEST_int_eq(*p, 0)) - return 0; - if (!SSL_early_get1_extensions_present(s, &exts, &len)) - return 0; + return SSL_CLIENT_HELLO_ERROR; + if (!SSL_client_hello_get1_extensions_present(s, &exts, &len)) + return SSL_CLIENT_HELLO_ERROR; if (len != OSSL_NELEM(expected_extensions) || memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) { - printf("Early callback expected ClientHello extensions mismatch\n"); + printf("ClientHello callback expected extensions mismatch\n"); OPENSSL_free(exts); - return 0; + return SSL_CLIENT_HELLO_ERROR; } OPENSSL_free(exts); - return 1; + return SSL_CLIENT_HELLO_SUCCESS; } -static int test_early_cb(void) +static int test_client_hello_cb(void) { SSL_CTX *cctx = NULL, *sctx = NULL; SSL *clientssl = NULL, *serverssl = NULL; @@ -451,7 +455,7 @@ static int test_early_cb(void) TLS_client_method(), &sctx, &cctx, cert, privkey))) goto end; - SSL_CTX_set_early_cb(sctx, full_early_callback, &testctr); + SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr); /* The gimpy cipher list we configure can't do TLS 1.3. */ SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION); @@ -461,12 +465,13 @@ static int test_early_cb(void) || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) || !TEST_false(create_ssl_connection(serverssl, clientssl, - SSL_ERROR_WANT_EARLY)) + SSL_ERROR_WANT_CLIENT_HELLO_CB)) /* * Passing a -1 literal is a hack since * the real value was lost. * */ - || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_EARLY) + || !TEST_int_eq(SSL_get_error(serverssl, -1), + SSL_ERROR_WANT_CLIENT_HELLO_CB) || !TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) goto end; @@ -757,35 +762,17 @@ static int test_tlsext_status_type(void) } #endif -typedef struct ssl_session_test_fixture { - const char *test_case_name; - int use_ext_cache; - int use_int_cache; -} SSL_SESSION_TEST_FIXTURE; - -static int new_called = 0, remove_called = 0; - -static SSL_SESSION_TEST_FIXTURE -ssl_session_set_up(const char *const test_case_name) -{ - SSL_SESSION_TEST_FIXTURE fixture; - - fixture.test_case_name = test_case_name; - fixture.use_ext_cache = 1; - fixture.use_int_cache = 1; - - new_called = remove_called = 0; - - return fixture; -} - -static void ssl_session_tear_down(SSL_SESSION_TEST_FIXTURE fixture) -{ -} +#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) +static int new_called, remove_called, get_called; static int new_session_cb(SSL *ssl, SSL_SESSION *sess) { new_called++; + /* + * sess has been up-refed for us, but we don't actually need it so free it + * immediately. + */ + SSL_SESSION_free(sess); return 1; } @@ -794,33 +781,48 @@ static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess) remove_called++; } -static int execute_test_session(SSL_SESSION_TEST_FIXTURE fix) +static SSL_SESSION *get_sess_val = NULL; + +static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len, + int *copy) +{ + get_called++; + *copy = 1; + return get_sess_val; +} + +static int execute_test_session(int maxprot, int use_int_cache, + int use_ext_cache) { SSL_CTX *sctx = NULL, *cctx = NULL; SSL *serverssl1 = NULL, *clientssl1 = NULL; SSL *serverssl2 = NULL, *clientssl2 = NULL; -#ifndef OPENSSL_NO_TLS1_1 +# ifndef OPENSSL_NO_TLS1_1 SSL *serverssl3 = NULL, *clientssl3 = NULL; -#endif +# endif SSL_SESSION *sess1 = NULL, *sess2 = NULL; int testresult = 0; + new_called = remove_called = 0; + if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx, &cctx, cert, privkey))) return 0; -#ifndef OPENSSL_NO_TLS1_2 - /* Only allow TLS1.2 so we can force a connection failure later */ - SSL_CTX_set_min_proto_version(cctx, TLS1_2_VERSION); -#endif + /* + * Only allow the max protocol version so we can force a connection failure + * later + */ + SSL_CTX_set_min_proto_version(cctx, maxprot); + SSL_CTX_set_max_proto_version(cctx, maxprot); /* Set up session cache */ - if (fix.use_ext_cache) { + if (use_ext_cache) { SSL_CTX_sess_set_new_cb(cctx, new_session_cb); SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb); } - if (fix.use_int_cache) { + if (use_int_cache) { /* Also covers instance where both are set */ SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT); } else { @@ -837,11 +839,48 @@ static int execute_test_session(SSL_SESSION_TEST_FIXTURE fix) goto end; /* Should fail because it should already be in the cache */ - if (fix.use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1))) + if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1))) goto end; - if (fix.use_ext_cache && (new_called != 1 || remove_called != 0)) + if (use_ext_cache + && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0))) goto end; + new_called = remove_called = 0; + if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2, + &clientssl2, NULL, NULL)) + || !TEST_true(SSL_set_session(clientssl2, sess1)) + || !TEST_true(create_ssl_connection(serverssl2, clientssl2, + SSL_ERROR_NONE)) + || !TEST_true(SSL_session_reused(clientssl2))) + goto end; + + if (maxprot == TLS1_3_VERSION) { + /* + * In TLSv1.3 we should have created a new session even though we have + * resumed. The original session should also have been removed. + */ + if (use_ext_cache + && (!TEST_int_eq(new_called, 1) + || !TEST_int_eq(remove_called, 1))) + goto end; + } else { + /* + * In TLSv1.2 we expect to have resumed so no sessions added or + * removed. + */ + if (use_ext_cache + && (!TEST_int_eq(new_called, 0) + || !TEST_int_eq(remove_called, 0))) + goto end; + } + + SSL_SESSION_free(sess1); + if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2))) + goto end; + shutdown_ssl_connection(serverssl2, clientssl2); + serverssl2 = clientssl2 = NULL; + + new_called = remove_called = 0; if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2, &clientssl2, NULL, NULL)) || !TEST_true(create_ssl_connection(serverssl2, clientssl2, @@ -851,60 +890,148 @@ static int execute_test_session(SSL_SESSION_TEST_FIXTURE fix) if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2))) goto end; - if (fix.use_ext_cache && (new_called != 2 || remove_called != 0)) + if (use_ext_cache + && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0))) goto end; + new_called = remove_called = 0; /* * This should clear sess2 from the cache because it is a "bad" session. * See SSL_set_session() documentation. */ if (!TEST_true(SSL_set_session(clientssl2, sess1))) goto end; - if (fix.use_ext_cache && (new_called != 2 || remove_called != 1)) + if (use_ext_cache + && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1))) goto end; if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1)) goto end; - if (fix.use_int_cache) { + if (use_int_cache) { /* Should succeeded because it should not already be in the cache */ if (!TEST_true(SSL_CTX_add_session(cctx, sess2)) || !TEST_true(SSL_CTX_remove_session(cctx, sess2))) goto end; - - /* - * This is for the purposes of internal cache testing...ignore the - * counter for external cache - */ - if (fix.use_ext_cache) - remove_called--; } + new_called = remove_called = 0; /* This shouldn't be in the cache so should fail */ if (!TEST_false(SSL_CTX_remove_session(cctx, sess2))) goto end; - if (fix.use_ext_cache && (new_called != 2 || remove_called != 2)) + if (use_ext_cache + && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1))) goto end; -#if !defined(OPENSSL_NO_TLS1_1) && !defined(OPENSSL_NO_TLS1_2) +# if !defined(OPENSSL_NO_TLS1_1) + new_called = remove_called = 0; /* Force a connection failure */ SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION); if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3, &clientssl3, NULL, NULL)) || !TEST_true(SSL_set_session(clientssl3, sess1)) - /* This should fail because of the mismatched protocol versions */ + /* This should fail because of the mismatched protocol versions */ || !TEST_false(create_ssl_connection(serverssl3, clientssl3, SSL_ERROR_NONE))) goto end; /* We should have automatically removed the session from the cache */ - if (fix.use_ext_cache && (new_called != 2 || remove_called != 3)) + if (use_ext_cache + && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1))) goto end; /* Should succeed because it should not already be in the cache */ - if (fix.use_int_cache && !SSL_CTX_add_session(cctx, sess2)) + if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2))) goto end; -#endif +# endif + + /* Now do some tests for server side caching */ + if (use_ext_cache) { + SSL_CTX_sess_set_new_cb(cctx, NULL); + SSL_CTX_sess_set_remove_cb(cctx, NULL); + SSL_CTX_sess_set_new_cb(sctx, new_session_cb); + SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb); + SSL_CTX_sess_set_get_cb(sctx, get_session_cb); + get_sess_val = NULL; + } + + SSL_CTX_set_session_cache_mode(cctx, 0); + /* Internal caching is the default on the server side */ + if (!use_int_cache) + SSL_CTX_set_session_cache_mode(sctx, + SSL_SESS_CACHE_SERVER + | SSL_SESS_CACHE_NO_INTERNAL_STORE); + + SSL_free(serverssl1); + SSL_free(clientssl1); + serverssl1 = clientssl1 = NULL; + SSL_free(serverssl2); + SSL_free(clientssl2); + serverssl2 = clientssl2 = NULL; + SSL_SESSION_free(sess1); + sess1 = NULL; + SSL_SESSION_free(sess2); + sess2 = NULL; + + SSL_CTX_set_max_proto_version(sctx, maxprot); + SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET); + new_called = remove_called = get_called = 0; + if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1, + NULL, NULL)) + || !TEST_true(create_ssl_connection(serverssl1, clientssl1, + SSL_ERROR_NONE)) + || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)) + || !TEST_ptr(sess2 = SSL_get1_session(serverssl1))) + goto end; + + /* Should fail because it should already be in the cache */ + if (use_int_cache && !TEST_false(SSL_CTX_add_session(sctx, sess2))) + goto end; + + if (use_ext_cache) { + SSL_SESSION *tmp = sess2; + + if (!TEST_int_eq(new_called, 1) + || !TEST_int_eq(remove_called, 0) + || !TEST_int_eq(get_called, 0)) + goto end; + /* + * Delete the session from the internal cache to force a lookup from + * the external cache. We take a copy first because + * SSL_CTX_remove_session() also marks the session as non-resumable. + */ + if (use_int_cache) { + if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2)) + || !TEST_true(SSL_CTX_remove_session(sctx, sess2))) + goto end; + SSL_SESSION_free(sess2); + } + sess2 = tmp; + } + + new_called = remove_called = get_called = 0; + get_sess_val = sess2; + if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2, + &clientssl2, NULL, NULL)) + || !TEST_true(SSL_set_session(clientssl2, sess1)) + || !TEST_true(create_ssl_connection(serverssl2, clientssl2, + SSL_ERROR_NONE)) + || !TEST_true(SSL_session_reused(clientssl2))) + goto end; + + if (use_ext_cache) { + if (!TEST_int_eq(new_called, 0) + || !TEST_int_eq(remove_called, 0)) + goto end; + + if (maxprot == TLS1_3_VERSION) { + if (!TEST_int_eq(get_called, 0)) + goto end; + } else { + if (!TEST_int_eq(get_called, 1)) + goto end; + } + } testresult = 1; @@ -913,44 +1040,59 @@ static int execute_test_session(SSL_SESSION_TEST_FIXTURE fix) SSL_free(clientssl1); SSL_free(serverssl2); SSL_free(clientssl2); -#ifndef OPENSSL_NO_TLS1_1 +# ifndef OPENSSL_NO_TLS1_1 SSL_free(serverssl3); SSL_free(clientssl3); -#endif +# endif SSL_SESSION_free(sess1); SSL_SESSION_free(sess2); - - /* - * Check if we need to remove any sessions up-refed for the external cache - */ - if (new_called >= 1) - SSL_SESSION_free(sess1); - if (new_called >= 2) - SSL_SESSION_free(sess2); SSL_CTX_free(sctx); SSL_CTX_free(cctx); return testresult; } +#endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */ static int test_session_with_only_int_cache(void) { - SETUP_TEST_FIXTURE(SSL_SESSION_TEST_FIXTURE, ssl_session_set_up); - fixture.use_ext_cache = 0; - EXECUTE_TEST(execute_test_session, ssl_session_tear_down); +#ifndef OPENSSL_NO_TLS1_3 + if (!execute_test_session(TLS1_3_VERSION, 1, 0)) + return 0; +#endif + +#ifndef OPENSSL_NO_TLS1_2 + return execute_test_session(TLS1_2_VERSION, 1, 0); +#else + return 1; +#endif } static int test_session_with_only_ext_cache(void) { - SETUP_TEST_FIXTURE(SSL_SESSION_TEST_FIXTURE, ssl_session_set_up); - fixture.use_int_cache = 0; - EXECUTE_TEST(execute_test_session, ssl_session_tear_down); +#ifndef OPENSSL_NO_TLS1_3 + if (!execute_test_session(TLS1_3_VERSION, 0, 1)) + return 0; +#endif + +#ifndef OPENSSL_NO_TLS1_2 + return execute_test_session(TLS1_2_VERSION, 0, 1); +#else + return 1; +#endif } static int test_session_with_both_cache(void) { - SETUP_TEST_FIXTURE(SSL_SESSION_TEST_FIXTURE, ssl_session_set_up); - EXECUTE_TEST(execute_test_session, ssl_session_tear_down); +#ifndef OPENSSL_NO_TLS1_3 + if (!execute_test_session(TLS1_3_VERSION, 1, 1)) + return 0; +#endif + +#ifndef OPENSSL_NO_TLS1_2 + return execute_test_session(TLS1_2_VERSION, 1, 1); +#else + return 1; +#endif } #define USE_NULL 0 @@ -1064,27 +1206,9 @@ static int test_ssl_set_bio(int idx) return testresult; } -typedef struct ssl_bio_test_fixture { - const char *test_case_name; - int pop_ssl; - enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } change_bio; -} SSL_BIO_TEST_FIXTURE; +typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t; -static SSL_BIO_TEST_FIXTURE ssl_bio_set_up(const char *const test_case_name) -{ - SSL_BIO_TEST_FIXTURE fixture; - - fixture.test_case_name = test_case_name; - fixture.pop_ssl = 0; - fixture.change_bio = NO_BIO_CHANGE; - return fixture; -} - -static void ssl_bio_tear_down(SSL_BIO_TEST_FIXTURE fixture) -{ -} - -static int execute_test_ssl_bio(SSL_BIO_TEST_FIXTURE fix) +static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio) { BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL; SSL_CTX *ctx; @@ -1106,17 +1230,17 @@ static int execute_test_ssl_bio(SSL_BIO_TEST_FIXTURE fix) BIO_push(sslbio, membio1); /* Verify changing the rbio/wbio directly does not cause leaks */ - if (fix.change_bio != NO_BIO_CHANGE) { + if (change_bio != NO_BIO_CHANGE) { if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) goto end; - if (fix.change_bio == CHANGE_RBIO) + if (change_bio == CHANGE_RBIO) SSL_set0_rbio(ssl, membio2); else SSL_set0_wbio(ssl, membio2); } ssl = NULL; - if (fix.pop_ssl) + if (pop_ssl) BIO_pop(sslbio); else BIO_pop(membio1); @@ -1133,31 +1257,25 @@ static int execute_test_ssl_bio(SSL_BIO_TEST_FIXTURE fix) static int test_ssl_bio_pop_next_bio(void) { - SETUP_TEST_FIXTURE(SSL_BIO_TEST_FIXTURE, ssl_bio_set_up); - EXECUTE_TEST(execute_test_ssl_bio, ssl_bio_tear_down); + return execute_test_ssl_bio(0, NO_BIO_CHANGE); } static int test_ssl_bio_pop_ssl_bio(void) { - SETUP_TEST_FIXTURE(SSL_BIO_TEST_FIXTURE, ssl_bio_set_up); - fixture.pop_ssl = 1; - EXECUTE_TEST(execute_test_ssl_bio, ssl_bio_tear_down); + return execute_test_ssl_bio(1, NO_BIO_CHANGE); } static int test_ssl_bio_change_rbio(void) { - SETUP_TEST_FIXTURE(SSL_BIO_TEST_FIXTURE, ssl_bio_set_up); - fixture.change_bio = CHANGE_RBIO; - EXECUTE_TEST(execute_test_ssl_bio, ssl_bio_tear_down); + return execute_test_ssl_bio(0, CHANGE_RBIO); } static int test_ssl_bio_change_wbio(void) { - SETUP_TEST_FIXTURE(SSL_BIO_TEST_FIXTURE, ssl_bio_set_up); - fixture.change_bio = CHANGE_WBIO; - EXECUTE_TEST(execute_test_ssl_bio, ssl_bio_tear_down); + return execute_test_ssl_bio(0, CHANGE_WBIO); } +#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3) typedef struct { /* The list of sig algs */ const int *list; @@ -1172,25 +1290,25 @@ typedef struct { } sigalgs_list; static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA}; -#ifndef OPENSSL_NO_EC +# ifndef OPENSSL_NO_EC static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC}; static const int validlist3[] = {NID_sha512, EVP_PKEY_EC}; -#endif +# endif static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA}; static const int invalidlist2[] = {NID_sha256, NID_undef}; static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256}; static const int invalidlist4[] = {NID_sha256}; static const sigalgs_list testsigalgs[] = { {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1}, -#ifndef OPENSSL_NO_EC +# ifndef OPENSSL_NO_EC {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1}, {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0}, -#endif +# endif {NULL, 0, "RSA+SHA256", 1, 1}, -#ifndef OPENSSL_NO_EC +# ifndef OPENSSL_NO_EC {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1}, {NULL, 0, "ECDSA+SHA512", 1, 0}, -#endif +# endif {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0}, {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0}, {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0}, @@ -1286,9 +1404,132 @@ static int test_set_sigalgs(int idx) return testresult; } +#endif #ifndef OPENSSL_NO_TLS1_3 +static SSL_SESSION *clientpsk = NULL; +static SSL_SESSION *serverpsk = NULL; +static const char *pskid = "Identity"; +static const char *srvid; + +static int use_session_cb_cnt = 0; +static int find_session_cb_cnt = 0; +static int psk_client_cb_cnt = 0; +static int psk_server_cb_cnt = 0; + +static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id, + size_t *idlen, SSL_SESSION **sess) +{ + switch (++use_session_cb_cnt) { + case 1: + /* The first call should always have a NULL md */ + if (md != NULL) + return 0; + break; + + case 2: + /* The second call should always have an md */ + if (md == NULL) + return 0; + break; + + default: + /* We should only be called a maximum of twice */ + return 0; + } + + if (clientpsk != NULL) + SSL_SESSION_up_ref(clientpsk); + + *sess = clientpsk; + *id = (const unsigned char *)pskid; + *idlen = strlen(pskid); + + return 1; +} + +static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id, + unsigned int max_id_len, + unsigned char *psk, + unsigned int max_psk_len) +{ + unsigned int psklen = 0; + + psk_client_cb_cnt++; + + if (strlen(pskid) + 1 > max_id_len) + return 0; + + /* We should only ever be called a maximum of twice per connection */ + if (psk_client_cb_cnt > 2) + return 0; + + if (clientpsk == NULL) + return 0; + + /* We'll reuse the PSK we set up for TLSv1.3 */ + if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len) + return 0; + psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len); + strncpy(id, pskid, max_id_len); + + return psklen; +} + +static int find_session_cb(SSL *ssl, const unsigned char *identity, + size_t identity_len, SSL_SESSION **sess) +{ + find_session_cb_cnt++; + + /* We should only ever be called a maximum of twice per connection */ + if (find_session_cb_cnt > 2) + return 0; + + if (serverpsk == NULL) + return 0; + + /* Identity should match that set by the client */ + if (strlen(srvid) != identity_len + || strncmp(srvid, (const char *)identity, identity_len) != 0) { + /* No PSK found, continue but without a PSK */ + *sess = NULL; + return 1; + } + + SSL_SESSION_up_ref(serverpsk); + *sess = serverpsk; + + return 1; +} + +static unsigned int psk_server_cb(SSL *ssl, const char *identity, + unsigned char *psk, unsigned int max_psk_len) +{ + unsigned int psklen = 0; + + psk_server_cb_cnt++; + + /* We should only ever be called a maximum of twice per connection */ + if (find_session_cb_cnt > 2) + return 0; + + if (serverpsk == NULL) + return 0; + + /* Identity should match that set by the client */ + if (strcmp(srvid, identity) != 0) { + return 0; + } + + /* We'll reuse the PSK we set up for TLSv1.3 */ + if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len) + return 0; + psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len); + + return psklen; +} + #define MSG1 "Hello" #define MSG2 "World." #define MSG3 "This" @@ -1297,6 +1538,9 @@ static int test_set_sigalgs(int idx) #define MSG6 "test" #define MSG7 "message." +#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02") +#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01") + /* * Helper method to setup objects for early data test. Caller frees objects on * error. @@ -1306,19 +1550,84 @@ static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl, { if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), sctx, - cctx, cert, privkey))) + cctx, cert, privkey)) + || !TEST_true(SSL_CTX_set_max_early_data(*sctx, + SSL3_RT_MAX_PLAIN_LENGTH)) + || !TEST_true(SSL_CTX_set_max_early_data(*cctx, + SSL3_RT_MAX_PLAIN_LENGTH))) return 0; - /* When idx == 1 we repeat the tests with read_ahead set */ - if (idx > 0) { + if (idx == 1) { + /* When idx == 1 we repeat the tests with read_ahead set */ SSL_CTX_set_read_ahead(*cctx, 1); SSL_CTX_set_read_ahead(*sctx, 1); + } else if (idx == 2) { + /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */ + SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb); + SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb); + use_session_cb_cnt = 0; + find_session_cb_cnt = 0; + srvid = pskid; } if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl, - NULL, NULL)) - || !TEST_true(create_ssl_connection(*serverssl, *clientssl, - SSL_ERROR_NONE))) + NULL, NULL))) + return 0; + + /* + * For one of the run throughs (doesn't matter which one), we'll try sending + * some SNI data in the initial ClientHello. This will be ignored (because + * there is no SNI cb set up by the server), so it should not impact + * early_data. + */ + if (idx == 1 + && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost"))) + return 0; + + if (idx == 2) { + /* Create the PSK */ + const SSL_CIPHER *cipher = NULL; + const unsigned char key[] = { + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, + 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, + 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, + 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, + 0x2c, 0x2d, 0x2e, 0x2f + }; + + cipher = SSL_CIPHER_find(*clientssl, TLS13_AES_256_GCM_SHA384_BYTES); + clientpsk = SSL_SESSION_new(); + if (!TEST_ptr(clientpsk) + || !TEST_ptr(cipher) + || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key, + sizeof(key))) + || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher)) + || !TEST_true( + SSL_SESSION_set_protocol_version(clientpsk, + TLS1_3_VERSION)) + /* + * We just choose an arbitrary value for max_early_data which + * should be big enough for testing purposes. + */ + || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk, + 0x100)) + || !TEST_true(SSL_SESSION_up_ref(clientpsk))) { + SSL_SESSION_free(clientpsk); + clientpsk = NULL; + return 0; + } + serverpsk = clientpsk; + + if (sess != NULL) + *sess = clientpsk; + return 1; + } + + if (sess == NULL) + return 1; + + if (!TEST_true(create_ssl_connection(*serverssl, *clientssl, + SSL_ERROR_NONE))) return 0; *sess = SSL_get1_session(*clientssl); @@ -1479,8 +1788,12 @@ static int test_early_data_read_write(int idx) || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7))) goto end; - SSL_SESSION_free(sess); + /* We keep the PSK session around if using PSK */ + if (idx != 2) + SSL_SESSION_free(sess); sess = SSL_get1_session(clientssl); + use_session_cb_cnt = 0; + find_session_cb_cnt = 0; SSL_shutdown(clientssl); SSL_shutdown(serverssl); @@ -1527,7 +1840,11 @@ static int test_early_data_read_write(int idx) testresult = 1; end: - SSL_SESSION_free(sess); + if (sess != clientpsk) + SSL_SESSION_free(sess); + SSL_SESSION_free(clientpsk); + SSL_SESSION_free(serverpsk); + clientpsk = serverpsk = NULL; SSL_free(serverssl); SSL_free(clientssl); SSL_CTX_free(sctx); @@ -1536,10 +1853,10 @@ static int test_early_data_read_write(int idx) } /* - * Test that a server attempting to read early data can handle a connection - * from a client where the early data is not acceptable. + * Helper function to test that a server attempting to read early data can + * handle a connection from a client where the early data should be skipped. */ -static int test_early_data_skip(int idx) +static int early_data_skip_helper(int hrr, int idx) { SSL_CTX *cctx = NULL, *sctx = NULL; SSL *clientssl = NULL, *serverssl = NULL; @@ -1552,13 +1869,25 @@ static int test_early_data_skip(int idx) &serverssl, &sess, idx))) goto end; - /* - * Deliberately corrupt the creation time. We take 20 seconds off the time. - * It could be any value as long as it is not within tolerance. This should - * mean the ticket is rejected. - */ - if (!TEST_true(SSL_SESSION_set_time(sess, time(NULL) - 20))) - goto end; + if (hrr) { + /* Force an HRR to occur */ + if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256"))) + goto end; + } else if (idx == 2) { + /* + * We force early_data rejection by ensuring the PSK identity is + * unrecognised + */ + srvid = "Dummy Identity"; + } else { + /* + * Deliberately corrupt the creation time. We take 20 seconds off the + * time. It could be any value as long as it is not within tolerance. + * This should mean the ticket is rejected. + */ + if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20)))) + goto end; + } /* Write some early data */ if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), @@ -1575,6 +1904,18 @@ static int test_early_data_skip(int idx) SSL_EARLY_DATA_REJECTED)) goto end; + if (hrr) { + /* + * Finish off the handshake. We perform the same writes and reads as + * further down but we expect them to fail due to the incomplete + * handshake. + */ + if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written)) + || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), + &readbytes))) + goto end; + } + /* Should be able to send normal data despite rejection of early data */ if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written)) || !TEST_size_t_eq(written, strlen(MSG2)) @@ -1587,6 +1928,10 @@ static int test_early_data_skip(int idx) testresult = 1; end: + if (sess != clientpsk) + SSL_SESSION_free(clientpsk); + SSL_SESSION_free(serverpsk); + clientpsk = serverpsk = NULL; SSL_SESSION_free(sess); SSL_free(serverssl); SSL_free(clientssl); @@ -1595,6 +1940,24 @@ static int test_early_data_skip(int idx) return testresult; } +/* + * Test that a server attempting to read early data can handle a connection + * from a client where the early data is not acceptable. + */ +static int test_early_data_skip(int idx) +{ + return early_data_skip_helper(0, idx); +} + +/* + * Test that a server attempting to read early data can handle a connection + * from a client where an HRR occurs. + */ +static int test_early_data_skip_hrr(int idx) +{ + return early_data_skip_helper(1, idx); +} + /* * Test that a server attempting to read early data can handle a connection * from a client that doesn't send any. @@ -1641,7 +2004,7 @@ static int test_early_data_not_sent(int idx) * Should block due to the NewSessionTicket arrival unless we're using * read_ahead */ - if (idx == 0) { + if (idx != 1) { if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))) goto end; } @@ -1653,7 +2016,10 @@ static int test_early_data_not_sent(int idx) testresult = 1; end: + /* If using PSK then clientpsk and sess are the same */ SSL_SESSION_free(sess); + SSL_SESSION_free(serverpsk); + clientpsk = serverpsk = NULL; SSL_free(serverssl); SSL_free(clientssl); SSL_CTX_free(sctx); @@ -1661,8 +2027,216 @@ static int test_early_data_not_sent(int idx) return testresult; } -/* - * Test that a server that doesn't try to read early data can handle a +static int hostname_cb(SSL *s, int *al, void *arg) +{ + const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name); + + if (hostname != NULL && strcmp(hostname, "goodhost") == 0) + return SSL_TLSEXT_ERR_OK; + + return SSL_TLSEXT_ERR_NOACK; +} + +static const char *servalpn; + +static int alpn_select_cb(SSL *ssl, const unsigned char **out, + unsigned char *outlen, const unsigned char *in, + unsigned int inlen, void *arg) +{ + unsigned int protlen = 0; + const unsigned char *prot; + + for (prot = in; prot < in + inlen; prot += protlen) { + protlen = *prot++; + if (in + inlen < prot + protlen) + return SSL_TLSEXT_ERR_NOACK; + + if (protlen == strlen(servalpn) + && memcmp(prot, servalpn, protlen) == 0) { + *out = prot; + *outlen = protlen; + return SSL_TLSEXT_ERR_OK; + } + } + + return SSL_TLSEXT_ERR_NOACK; +} + +/* Test that a PSK can be used to send early_data */ +static int test_early_data_psk(int idx) +{ + SSL_CTX *cctx = NULL, *sctx = NULL; + SSL *clientssl = NULL, *serverssl = NULL; + int testresult = 0; + SSL_SESSION *sess = NULL; + unsigned char alpnlist[] = { + 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a', + 'l', 'p', 'n' + }; +#define GOODALPNLEN 9 +#define BADALPNLEN 8 +#define GOODALPN (alpnlist) +#define BADALPN (alpnlist + GOODALPNLEN) + int err = 0; + unsigned char buf[20]; + size_t readbytes, written; + int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1; + int edstatus = SSL_EARLY_DATA_ACCEPTED; + + /* We always set this up with a final parameter of "2" for PSK */ + if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, + &serverssl, &sess, 2))) + goto end; + + servalpn = "goodalpn"; + + /* + * Note: There is no test for inconsistent SNI with late client detection. + * This is because servers do not acknowledge SNI even if they are using + * it in a resumption handshake - so it is not actually possible for a + * client to detect a problem. + */ + switch (idx) { + case 0: + /* Set inconsistent SNI (early client detection) */ + err = SSL_R_INCONSISTENT_EARLY_DATA_SNI; + if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost")) + || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost"))) + goto end; + break; + + case 1: + /* Set inconsistent ALPN (early client detection) */ + err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN; + /* SSL_set_alpn_protos returns 0 for success and 1 for failure */ + if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN, + GOODALPNLEN)) + || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN, + BADALPNLEN))) + goto end; + break; + + case 2: + /* + * Set invalid protocol version. Technically this affects PSKs without + * early_data too, but we test it here because it is similar to the + * SNI/ALPN consistency tests. + */ + err = SSL_R_BAD_PSK; + if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION))) + goto end; + break; + + case 3: + /* + * Set inconsistent SNI (server detected). In this case the connection + * will succeed but reject early_data. + */ + SSL_SESSION_free(serverpsk); + serverpsk = SSL_SESSION_dup(clientpsk); + if (!TEST_ptr(serverpsk) + || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost"))) + goto end; + edstatus = SSL_EARLY_DATA_REJECTED; + readearlyres = SSL_READ_EARLY_DATA_FINISH; + /* Fall through */ + case 4: + /* Set consistent SNI */ + if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost")) + || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")) + || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, + hostname_cb))) + goto end; + break; + + case 5: + /* + * Set inconsistent ALPN (server detected). In this case the connection + * will succeed but reject early_data. + */ + servalpn = "badalpn"; + edstatus = SSL_EARLY_DATA_REJECTED; + readearlyres = SSL_READ_EARLY_DATA_FINISH; + /* Fall through */ + case 6: + /* + * Set consistent ALPN. + * SSL_set_alpn_protos returns 0 for success and 1 for failure. It + * accepts a list of protos (each one length prefixed). + * SSL_set1_alpn_selected accepts a single protocol (not length + * prefixed) + */ + if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1, + GOODALPNLEN - 1)) + || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN, + GOODALPNLEN))) + goto end; + + SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL); + break; + + case 7: + /* Set inconsistent ALPN (late client detection) */ + SSL_SESSION_free(serverpsk); + serverpsk = SSL_SESSION_dup(clientpsk); + if (!TEST_ptr(serverpsk) + || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk, + BADALPN + 1, + BADALPNLEN - 1)) + || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk, + GOODALPN + 1, + GOODALPNLEN - 1)) + || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist, + sizeof(alpnlist)))) + goto end; + SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL); + edstatus = SSL_EARLY_DATA_ACCEPTED; + readearlyres = SSL_READ_EARLY_DATA_SUCCESS; + /* SSL_connect() call should fail */ + connectres = -1; + break; + + default: + TEST_error("Bad test index"); + goto end; + } + + SSL_set_connect_state(clientssl); + if (err != 0) { + if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), + &written)) + || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL) + || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err)) + goto end; + } else { + if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), + &written))) + goto end; + + if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), + &readbytes), readearlyres) + || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS + && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))) + || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus) + || !TEST_int_eq(SSL_connect(clientssl), connectres)) + goto end; + } + + testresult = 1; + + end: + SSL_SESSION_free(clientpsk); + SSL_SESSION_free(serverpsk); + clientpsk = serverpsk = NULL; + SSL_free(serverssl); + SSL_free(clientssl); + SSL_CTX_free(sctx); + SSL_CTX_free(cctx); + return testresult; +} + +/* + * Test that a server that doesn't try to read early data can handle a * client sending some. */ static int test_early_data_not_expected(int idx) @@ -1674,7 +2248,6 @@ static int test_early_data_not_expected(int idx) unsigned char buf[20]; size_t readbytes, written; - if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl, &sess, idx))) goto end; @@ -1709,7 +2282,10 @@ static int test_early_data_not_expected(int idx) testresult = 1; end: + /* If using PSK then clientpsk and sess are the same */ SSL_SESSION_free(sess); + SSL_SESSION_free(serverpsk); + clientpsk = serverpsk = NULL; SSL_free(serverssl); SSL_free(clientssl); SSL_CTX_free(sctx); @@ -1731,19 +2307,8 @@ static int test_early_data_tls1_2(int idx) unsigned char buf[20]; size_t readbytes, written; - if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), - TLS_client_method(), &sctx, - &cctx, cert, privkey))) - goto end; - - /* When idx == 1 we repeat the tests with read_ahead set */ - if (idx > 0) { - SSL_CTX_set_read_ahead(cctx, 1); - SSL_CTX_set_read_ahead(sctx, 1); - } - - if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, - &clientssl, NULL, NULL))) + if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, + &serverssl, NULL, idx))) goto end; /* Write some data - should block due to handshake with server */ @@ -1791,6 +2356,10 @@ static int test_early_data_tls1_2(int idx) testresult = 1; end: + /* If using PSK then clientpsk and sess are the same */ + SSL_SESSION_free(clientpsk); + SSL_SESSION_free(serverpsk); + clientpsk = serverpsk = NULL; SSL_free(serverssl); SSL_free(clientssl); SSL_CTX_free(sctx); @@ -1829,6 +2398,7 @@ static int test_ciphersuite_change(void) SSL_free(clientssl); serverssl = clientssl = NULL; +# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) /* Check we can resume a session with a different SHA-256 ciphersuite */ if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "TLS13-CHACHA20-POLY1305-SHA256")) @@ -1847,6 +2417,7 @@ static int test_ciphersuite_change(void) SSL_free(serverssl); SSL_free(clientssl); serverssl = clientssl = NULL; +# endif /* * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites @@ -1891,6 +2462,11 @@ static int test_ciphersuite_change(void) || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) || !TEST_true(SSL_set_session(clientssl, clntsess)) + /* + * We use SSL_ERROR_WANT_READ below so that we can pause the + * connection after the initial ClientHello has been sent to + * enable us to make some session changes. + */ || !TEST_false(create_ssl_connection(serverssl, clientssl, SSL_ERROR_WANT_READ))) goto end; @@ -1900,8 +2476,9 @@ static int test_ciphersuite_change(void) clntsess->cipher_id = clntsess->cipher->id; /* - * Server has selected a SHA-384 ciphersuite, but client thinks the session - * is for SHA-256, so it should bail out. + * Continue the previously started connection. Server has selected a SHA-384 + * ciphersuite, but client thinks the session is for SHA-256, so it should + * bail out. */ if (!TEST_false(create_ssl_connection(serverssl, clientssl, SSL_ERROR_SSL)) @@ -1921,6 +2498,315 @@ static int test_ciphersuite_change(void) return testresult; } +static int test_tls13_psk(int idx) +{ + SSL_CTX *sctx = NULL, *cctx = NULL; + SSL *serverssl = NULL, *clientssl = NULL; + const SSL_CIPHER *cipher = NULL; + const unsigned char key[] = { + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, + 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23, + 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f + }; + int testresult = 0; + + if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), + TLS_client_method(), &sctx, + &cctx, cert, privkey))) + goto end; + + /* + * We use a ciphersuite with SHA256 to ease testing old style PSK callbacks + * which will always default to SHA256 + */ + if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "TLS13-AES-128-GCM-SHA256"))) + goto end; + + /* + * Test 0: New style callbacks only + * Test 1: New and old style callbacks (only the new ones should be used) + * Test 2: Old style callbacks only + */ + if (idx == 0 || idx == 1) { + SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb); + SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb); + } + if (idx == 1 || idx == 2) { + SSL_CTX_set_psk_client_callback(cctx, psk_client_cb); + SSL_CTX_set_psk_server_callback(sctx, psk_server_cb); + } + srvid = pskid; + use_session_cb_cnt = 0; + find_session_cb_cnt = 0; + psk_client_cb_cnt = 0; + psk_server_cb_cnt = 0; + + /* Check we can create a connection if callback decides not to send a PSK */ + if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, + NULL, NULL)) + || !TEST_true(create_ssl_connection(serverssl, clientssl, + SSL_ERROR_NONE)) + || !TEST_false(SSL_session_reused(clientssl)) + || !TEST_false(SSL_session_reused(serverssl))) + goto end; + + if (idx == 0 || idx == 1) { + if (!TEST_true(use_session_cb_cnt == 1) + || !TEST_true(find_session_cb_cnt == 0) + /* + * If no old style callback then below should be 0 + * otherwise 1 + */ + || !TEST_true(psk_client_cb_cnt == idx) + || !TEST_true(psk_server_cb_cnt == 0)) + goto end; + } else { + if (!TEST_true(use_session_cb_cnt == 0) + || !TEST_true(find_session_cb_cnt == 0) + || !TEST_true(psk_client_cb_cnt == 1) + || !TEST_true(psk_server_cb_cnt == 0)) + goto end; + } + + shutdown_ssl_connection(serverssl, clientssl); + serverssl = clientssl = NULL; + use_session_cb_cnt = psk_client_cb_cnt = 0; + + if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, + NULL, NULL))) + goto end; + + /* Create the PSK */ + cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES); + clientpsk = SSL_SESSION_new(); + if (!TEST_ptr(clientpsk) + || !TEST_ptr(cipher) + || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key, + sizeof(key))) + || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher)) + || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk, + TLS1_3_VERSION)) + || !TEST_true(SSL_SESSION_up_ref(clientpsk))) + goto end; + serverpsk = clientpsk; + + /* Check we can create a connection and the PSK is used */ + if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) + || !TEST_true(SSL_session_reused(clientssl)) + || !TEST_true(SSL_session_reused(serverssl))) + goto end; + + if (idx == 0 || idx == 1) { + if (!TEST_true(use_session_cb_cnt == 1) + || !TEST_true(find_session_cb_cnt == 1) + || !TEST_true(psk_client_cb_cnt == 0) + || !TEST_true(psk_server_cb_cnt == 0)) + goto end; + } else { + if (!TEST_true(use_session_cb_cnt == 0) + || !TEST_true(find_session_cb_cnt == 0) + || !TEST_true(psk_client_cb_cnt == 1) + || !TEST_true(psk_server_cb_cnt == 1)) + goto end; + } + + shutdown_ssl_connection(serverssl, clientssl); + serverssl = clientssl = NULL; + use_session_cb_cnt = find_session_cb_cnt = 0; + psk_client_cb_cnt = psk_server_cb_cnt = 0; + + if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, + NULL, NULL))) + goto end; + + /* Force an HRR */ + if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256"))) + goto end; + + /* + * Check we can create a connection, the PSK is used and the callbacks are + * called twice. + */ + if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) + || !TEST_true(SSL_session_reused(clientssl)) + || !TEST_true(SSL_session_reused(serverssl))) + goto end; + + if (idx == 0 || idx == 1) { + if (!TEST_true(use_session_cb_cnt == 2) + || !TEST_true(find_session_cb_cnt == 2) + || !TEST_true(psk_client_cb_cnt == 0) + || !TEST_true(psk_server_cb_cnt == 0)) + goto end; + } else { + if (!TEST_true(use_session_cb_cnt == 0) + || !TEST_true(find_session_cb_cnt == 0) + || !TEST_true(psk_client_cb_cnt == 2) + || !TEST_true(psk_server_cb_cnt == 2)) + goto end; + } + + shutdown_ssl_connection(serverssl, clientssl); + serverssl = clientssl = NULL; + use_session_cb_cnt = find_session_cb_cnt = 0; + psk_client_cb_cnt = psk_server_cb_cnt = 0; + + /* + * Check that if the server rejects the PSK we can still connect, but with + * a full handshake + */ + srvid = "Dummy Identity"; + if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, + NULL, NULL)) + || !TEST_true(create_ssl_connection(serverssl, clientssl, + SSL_ERROR_NONE)) + || !TEST_false(SSL_session_reused(clientssl)) + || !TEST_false(SSL_session_reused(serverssl))) + goto end; + + if (idx == 0 || idx == 1) { + if (!TEST_true(use_session_cb_cnt == 1) + || !TEST_true(find_session_cb_cnt == 1) + || !TEST_true(psk_client_cb_cnt == 0) + /* + * If no old style callback then below should be 0 + * otherwise 1 + */ + || !TEST_true(psk_server_cb_cnt == idx)) + goto end; + } else { + if (!TEST_true(use_session_cb_cnt == 0) + || !TEST_true(find_session_cb_cnt == 0) + || !TEST_true(psk_client_cb_cnt == 1) + || !TEST_true(psk_server_cb_cnt == 1)) + goto end; + } + + shutdown_ssl_connection(serverssl, clientssl); + serverssl = clientssl = NULL; + testresult = 1; + + end: + SSL_SESSION_free(clientpsk); + SSL_SESSION_free(serverpsk); + clientpsk = serverpsk = NULL; + SSL_free(serverssl); + SSL_free(clientssl); + SSL_CTX_free(sctx); + SSL_CTX_free(cctx); + return testresult; +} + +static unsigned char cookie_magic_value[] = "cookie magic"; + +static int generate_cookie_callback(SSL *ssl, unsigned char *cookie, + unsigned int *cookie_len) +{ + /* + * Not suitable as a real cookie generation function but good enough for + * testing! + */ + memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1); + *cookie_len = sizeof(cookie_magic_value) - 1; + + return 1; +} + +static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie, + unsigned int cookie_len) +{ + if (cookie_len == sizeof(cookie_magic_value) - 1 + && memcmp(cookie, cookie_magic_value, cookie_len) == 0) + return 1; + + return 0; +} + +static int test_stateless(void) +{ + SSL_CTX *sctx = NULL, *cctx = NULL; + SSL *serverssl = NULL, *clientssl = NULL; + int testresult = 0; + + if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), + TLS_client_method(), &sctx, + &cctx, cert, privkey))) + goto end; + + /* The arrival of CCS messages can confuse the test */ + SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT); + + if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, + NULL, NULL)) + /* Send the first ClientHello */ + || !TEST_false(create_ssl_connection(serverssl, clientssl, + SSL_ERROR_WANT_READ)) + /* + * This should fail with a -1 return because we have no callbacks + * set up + */ + || !TEST_int_eq(SSL_stateless(serverssl), -1)) + goto end; + + /* Fatal error so abandon the connection from this client */ + SSL_free(clientssl); + clientssl = NULL; + + /* Set up the cookie generation and verification callbacks */ + SSL_CTX_set_cookie_generate_cb(sctx, generate_cookie_callback); + SSL_CTX_set_cookie_verify_cb(sctx, verify_cookie_callback); + + /* + * Create a new connection from the client (we can reuse the server SSL + * object). + */ + if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, + NULL, NULL)) + /* Send the first ClientHello */ + || !TEST_false(create_ssl_connection(serverssl, clientssl, + SSL_ERROR_WANT_READ)) + /* This should fail because there is no cookie */ + || !TEST_int_eq(SSL_stateless(serverssl), 0)) + goto end; + + /* Abandon the connection from this client */ + SSL_free(clientssl); + clientssl = NULL; + + /* + * Now create a connection from a new client but with the same server SSL + * object + */ + if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, + NULL, NULL)) + /* Send the first ClientHello */ + || !TEST_false(create_ssl_connection(serverssl, clientssl, + SSL_ERROR_WANT_READ)) + /* This should fail because there is no cookie */ + || !TEST_int_eq(SSL_stateless(serverssl), 0) + /* Send the second ClientHello */ + || !TEST_false(create_ssl_connection(serverssl, clientssl, + SSL_ERROR_WANT_READ)) + /* This should succeed because a cookie is now present */ + || !TEST_int_eq(SSL_stateless(serverssl), 1) + /* Complete the connection */ + || !TEST_true(create_ssl_connection(serverssl, clientssl, + SSL_ERROR_NONE))) + goto end; + + shutdown_ssl_connection(serverssl, clientssl); + serverssl = clientssl = NULL; + testresult = 1; + + end: + SSL_free(serverssl); + SSL_free(clientssl); + SSL_CTX_free(sctx); + SSL_CTX_free(cctx); + return testresult; + +} #endif /* OPENSSL_NO_TLS1_3 */ static int clntaddoldcb = 0; @@ -2056,6 +2942,12 @@ static int test_custom_exts(int tst) SSL_SESSION *sess = NULL; unsigned int context; +#if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3) + /* Skip tests for TLSv1.2 and below in this case */ + if (tst < 3) + return 1; +#endif + /* Reset callback counters */ clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0; clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0; @@ -2299,17 +3191,437 @@ static int test_serverinfo(int tst) return testresult; } -int test_main(int argc, char *argv[]) +/* + * Test that SSL_export_keying_material() produces expected results. There are + * no test vectors so all we do is test that both sides of the communication + * produce the same results for different protocol versions. + */ +static int test_export_key_mat(int tst) { - int testresult = 1; + int testresult = 0; + SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL; + SSL *clientssl = NULL, *serverssl = NULL; + const char label[] = "test label"; + const unsigned char context[] = "context"; + const unsigned char *emptycontext = NULL; + unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80]; + unsigned char skeymat1[80], skeymat2[80], skeymat3[80]; + const int protocols[] = { + TLS1_VERSION, + TLS1_1_VERSION, + TLS1_2_VERSION, + TLS1_3_VERSION + }; + +#ifdef OPENSSL_NO_TLS1 + if (tst == 0) + return 1; +#endif +#ifdef OPENSSL_NO_TLS1_1 + if (tst == 1) + return 1; +#endif +#ifdef OPENSSL_NO_TLS1_2 + if (tst == 2) + return 1; +#endif +#ifdef OPENSSL_NO_TLS1_3 + if (tst == 3) + return 1; +#endif + if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), + TLS_client_method(), &sctx, + &cctx, cert, privkey))) + goto end; - if (argc != 3) { - TEST_error("Wrong argument count"); - return 0; + OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols)); + SSL_CTX_set_max_proto_version(cctx, protocols[tst]); + SSL_CTX_set_min_proto_version(cctx, protocols[tst]); + + if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, + NULL)) + || !TEST_true(create_ssl_connection(serverssl, clientssl, + SSL_ERROR_NONE))) + goto end; + + if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1, + sizeof(ckeymat1), label, + sizeof(label) - 1, context, + sizeof(context) - 1, 1), 1) + || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2, + sizeof(ckeymat2), label, + sizeof(label) - 1, + emptycontext, + 0, 1), 1) + || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3, + sizeof(ckeymat3), label, + sizeof(label) - 1, + NULL, 0, 0), 1) + || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1, + sizeof(skeymat1), label, + sizeof(label) - 1, + context, + sizeof(context) -1, 1), + 1) + || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2, + sizeof(skeymat2), label, + sizeof(label) - 1, + emptycontext, + 0, 1), 1) + || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3, + sizeof(skeymat3), label, + sizeof(label) - 1, + NULL, 0, 0), 1) + /* + * Check that both sides created the same key material with the + * same context. + */ + || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1, + sizeof(skeymat1)) + /* + * Check that both sides created the same key material with an + * empty context. + */ + || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2, + sizeof(skeymat2)) + /* + * Check that both sides created the same key material without a + * context. + */ + || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3, + sizeof(skeymat3)) + /* Different contexts should produce different results */ + || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2, + sizeof(ckeymat2))) + goto end; + + /* + * Check that an empty context and no context produce different results in + * protocols less than TLSv1.3. In TLSv1.3 they should be the same. + */ + if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3, + sizeof(ckeymat3))) + || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3, + sizeof(ckeymat3)))) + goto end; + + testresult = 1; + + end: + SSL_free(serverssl); + SSL_free(clientssl); + SSL_CTX_free(sctx2); + SSL_CTX_free(sctx); + SSL_CTX_free(cctx); + + return testresult; +} + +#ifndef OPENSSL_NO_TLS1_3 +/* + * Test that SSL_export_keying_material_early() produces expected + * results. There are no test vectors so all we do is test that both + * sides of the communication produce the same results for different + * protocol versions. + */ +static int test_export_key_mat_early(int idx) +{ + static const char label[] = "test label"; + static const unsigned char context[] = "context"; + int testresult = 0; + SSL_CTX *cctx = NULL, *sctx = NULL; + SSL *clientssl = NULL, *serverssl = NULL; + SSL_SESSION *sess = NULL; + const unsigned char *emptycontext = NULL; + unsigned char ckeymat1[80], ckeymat2[80]; + unsigned char skeymat1[80], skeymat2[80]; + unsigned char buf[1]; + size_t readbytes, written; + + if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl, + &sess, idx))) + goto end; + + /* Here writing 0 length early data is enough. */ + if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written)) + || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), + &readbytes), + SSL_READ_EARLY_DATA_ERROR) + || !TEST_int_eq(SSL_get_early_data_status(serverssl), + SSL_EARLY_DATA_ACCEPTED)) + goto end; + + if (!TEST_int_eq(SSL_export_keying_material_early( + clientssl, ckeymat1, sizeof(ckeymat1), label, + sizeof(label) - 1, context, sizeof(context) - 1), 1) + || !TEST_int_eq(SSL_export_keying_material_early( + clientssl, ckeymat2, sizeof(ckeymat2), label, + sizeof(label) - 1, emptycontext, 0), 1) + || !TEST_int_eq(SSL_export_keying_material_early( + serverssl, skeymat1, sizeof(skeymat1), label, + sizeof(label) - 1, context, sizeof(context) - 1), 1) + || !TEST_int_eq(SSL_export_keying_material_early( + serverssl, skeymat2, sizeof(skeymat2), label, + sizeof(label) - 1, emptycontext, 0), 1) + /* + * Check that both sides created the same key material with the + * same context. + */ + || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1, + sizeof(skeymat1)) + /* + * Check that both sides created the same key material with an + * empty context. + */ + || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2, + sizeof(skeymat2)) + /* Different contexts should produce different results */ + || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2, + sizeof(ckeymat2))) + goto end; + + testresult = 1; + + end: + if (sess != clientpsk) + SSL_SESSION_free(sess); + SSL_SESSION_free(clientpsk); + SSL_SESSION_free(serverpsk); + clientpsk = serverpsk = NULL; + SSL_free(serverssl); + SSL_free(clientssl); + SSL_CTX_free(sctx); + SSL_CTX_free(cctx); + + return testresult; +} +#endif /* OPENSSL_NO_TLS1_3 */ + +static int test_ssl_clear(int idx) +{ + SSL_CTX *cctx = NULL, *sctx = NULL; + SSL *clientssl = NULL, *serverssl = NULL; + int testresult = 0; + +#ifdef OPENSSL_NO_TLS1_2 + if (idx == 1) + return 1; +#endif + + /* Create an initial connection */ + if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), + TLS_client_method(), &sctx, + &cctx, cert, privkey)) + || (idx == 1 + && !TEST_true(SSL_CTX_set_max_proto_version(cctx, + TLS1_2_VERSION))) + || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, + &clientssl, NULL, NULL)) + || !TEST_true(create_ssl_connection(serverssl, clientssl, + SSL_ERROR_NONE))) + goto end; + + SSL_shutdown(clientssl); + SSL_shutdown(serverssl); + SSL_free(serverssl); + serverssl = NULL; + + /* Clear clientssl - we're going to reuse the object */ + if (!TEST_true(SSL_clear(clientssl))) + goto end; + + if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, + NULL, NULL)) + || !TEST_true(create_ssl_connection(serverssl, clientssl, + SSL_ERROR_NONE)) + || !TEST_true(SSL_session_reused(clientssl))) + goto end; + + SSL_shutdown(clientssl); + SSL_shutdown(serverssl); + + testresult = 1; + + end: + SSL_free(serverssl); + SSL_free(clientssl); + SSL_CTX_free(sctx); + SSL_CTX_free(cctx); + + return testresult; +} + +/* Parse CH and retrieve any MFL extension value if present */ +static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code) +{ + long len; + unsigned char *data; + PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0}; + unsigned int MFL_code = 0, type = 0; + + if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) ) + goto end; + + if (!TEST_true( PACKET_buf_init( &pkt, data, len ) ) + /* Skip the record header */ + || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH) + /* Skip the handshake message header */ + || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH)) + /* Skip client version and random */ + || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN + + SSL3_RANDOM_SIZE)) + /* Skip session id */ + || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2)) + /* Skip ciphers */ + || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2)) + /* Skip compression */ + || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2)) + /* Extensions len */ + || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2))) + goto end; + + /* Loop through all extensions */ + while (PACKET_remaining(&pkt2)) { + if (!TEST_true(PACKET_get_net_2(&pkt2, &type)) + || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3))) + goto end; + + if (type == TLSEXT_TYPE_max_fragment_length) { + if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0) + || !TEST_true(PACKET_get_1(&pkt3, &MFL_code))) + goto end; + + *mfl_codemfl_code = MFL_code; + return 1; + } + } + + end: + return 0; +} + +/* Maximum-Fragment-Length TLS extension mode to test */ +static const unsigned char max_fragment_len_test[] = { + TLSEXT_max_fragment_length_512, + TLSEXT_max_fragment_length_1024, + TLSEXT_max_fragment_length_2048, + TLSEXT_max_fragment_length_4096 +}; + +static int test_max_fragment_len_ext(int idx_tst) +{ + SSL_CTX *ctx; + SSL *con = NULL; + int testresult = 0, MFL_mode = 0; + BIO *rbio, *wbio; + + ctx = SSL_CTX_new(TLS_method()); + if (!TEST_ptr(ctx)) + goto end; + + if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length( + ctx, max_fragment_len_test[idx_tst]))) + goto end; + + con = SSL_new(ctx); + if (!TEST_ptr(con)) + goto end; + + rbio = BIO_new(BIO_s_mem()); + wbio = BIO_new(BIO_s_mem()); + if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) { + BIO_free(rbio); + BIO_free(wbio); + goto end; + } + + SSL_set_bio(con, rbio, wbio); + SSL_set_connect_state(con); + + if (!TEST_int_le(SSL_connect(con), 0)) { + /* This shouldn't succeed because we don't have a server! */ + goto end; } - cert = argv[1]; - privkey = argv[2]; + if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode))) + /* no MFL in client hello */ + goto end; + if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode)) + goto end; + + testresult = 1; + +end: + SSL_free(con); + SSL_CTX_free(ctx); + + return testresult; +} + +#ifndef OPENSSL_NO_TLS1_3 +static int test_pha_key_update(void) +{ + SSL_CTX *cctx = NULL, *sctx = NULL; + SSL *clientssl = NULL, *serverssl = NULL; + int testresult = 0; + + if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), + TLS_client_method(), + &sctx, &cctx, cert, privkey))) + return 0; + + if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION)) + || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION)) + || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION)) + || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION))) + goto end; + + + if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, + NULL, NULL))) + goto end; + + SSL_force_post_handshake_auth(clientssl); + + if (!TEST_true(create_ssl_connection(serverssl, clientssl, + SSL_ERROR_NONE))) + goto end; + + SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL); + if (!TEST_true(SSL_verify_client_post_handshake(serverssl))) + goto end; + + if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED))) + goto end; + + /* Start handshake on the server */ + if (!TEST_int_eq(SSL_do_handshake(serverssl), 1)) + goto end; + + /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */ + if (!TEST_true(create_ssl_connection(serverssl, clientssl, + SSL_ERROR_NONE))) + goto end; + + SSL_shutdown(clientssl); + SSL_shutdown(serverssl); + + testresult = 1; + + end: + SSL_free(serverssl); + SSL_free(clientssl); + SSL_CTX_free(sctx); + SSL_CTX_free(cctx); + return testresult; +} +#endif + +int setup_tests(void) +{ + if (!TEST_ptr(cert = test_get_argument(0)) + || !TEST_ptr(privkey = test_get_argument(1))) + return 0; ADD_TEST(test_large_message_tls); ADD_TEST(test_large_message_tls_read_ahead); @@ -2327,34 +3639,47 @@ int test_main(int argc, char *argv[]) ADD_TEST(test_ssl_bio_pop_ssl_bio); ADD_TEST(test_ssl_bio_change_rbio); ADD_TEST(test_ssl_bio_change_wbio); +#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3) ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2); ADD_TEST(test_keylog); +#endif #ifndef OPENSSL_NO_TLS1_3 ADD_TEST(test_keylog_no_master_key); #endif #ifndef OPENSSL_NO_TLS1_2 - ADD_TEST(test_early_cb); + ADD_TEST(test_client_hello_cb); #endif #ifndef OPENSSL_NO_TLS1_3 - ADD_ALL_TESTS(test_early_data_read_write, 2); - ADD_ALL_TESTS(test_early_data_skip, 2); - ADD_ALL_TESTS(test_early_data_not_sent, 2); - ADD_ALL_TESTS(test_early_data_not_expected, 2); + ADD_ALL_TESTS(test_early_data_read_write, 3); + ADD_ALL_TESTS(test_early_data_skip, 3); + ADD_ALL_TESTS(test_early_data_skip_hrr, 3); + ADD_ALL_TESTS(test_early_data_not_sent, 3); + ADD_ALL_TESTS(test_early_data_psk, 8); + ADD_ALL_TESTS(test_early_data_not_expected, 3); # ifndef OPENSSL_NO_TLS1_2 - ADD_ALL_TESTS(test_early_data_tls1_2, 2); + ADD_ALL_TESTS(test_early_data_tls1_2, 3); # endif #endif #ifndef OPENSSL_NO_TLS1_3 ADD_TEST(test_ciphersuite_change); + ADD_ALL_TESTS(test_tls13_psk, 3); ADD_ALL_TESTS(test_custom_exts, 5); + ADD_TEST(test_stateless); + ADD_TEST(test_pha_key_update); #else ADD_ALL_TESTS(test_custom_exts, 3); #endif ADD_ALL_TESTS(test_serverinfo, 8); + ADD_ALL_TESTS(test_export_key_mat, 4); +#ifndef OPENSSL_NO_TLS1_3 + ADD_ALL_TESTS(test_export_key_mat_early, 3); +#endif + ADD_ALL_TESTS(test_ssl_clear, 2); + ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test)); + return 1; +} - testresult = run_tests(argv[0]); - +void cleanup_tests(void) +{ bio_s_mempacket_test_free(); - - return testresult; }