/* * Copyright 2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html */ #include "testutil.h" #include "helpers/ssltestlib.h" #include #define TEST_true_or_end(a) if (!TEST_true(a)) \ goto end; #define TEST_false_or_end(a) if (!TEST_false(a)) \ goto end; #define SERVER_PREFERENCE 1 #define CLIENT_PREFERENCE 0 #define WORK_ON_SSL_OBJECT 1 #define WORK_ON_CONTEXT 0 #define SYNTAX_FAILURE "SYNTAX_FAILURE" #define NEGOTIATION_FAILURE "NEGOTIATION_FAILURE" typedef enum TEST_TYPE { TEST_NEGOTIATION_FAILURE = 0, TEST_NEGOTIATION_SUCCESS = 1, TEST_SYNTAX_FAILURE = 2 } TEST_TYPE; typedef enum SERVER_RESPONSE { HRR = 0, INIT = 1, SH = 2 } SERVER_RESPONSE; static char *cert = NULL; static char *privkey = NULL; struct tls13groupselection_test_st { const char *client_groups; const char *server_groups; const int preference; const char *expected_group; const enum SERVER_RESPONSE expected_server_response; }; static const struct tls13groupselection_test_st tls13groupselection_tests[] = { /* * (A) Test with no explicit key share (backward compatibility) * Key share is implicitly sent for first client group * Test (implicitly) that the key share group is used */ { "secp384r1:secp521r1:X25519:prime256v1:X448", /* test 0 */ "X25519:secp521r1:secp384r1:prime256v1:X448", CLIENT_PREFERENCE, "secp384r1", SH }, { "secp521r1:secp384r1:X25519:prime256v1:X448", /* test 1 */ "X25519:secp521r1:secp384r1:prime256v1:X448", SERVER_PREFERENCE, "secp521r1", SH }, /* * (B) No explicit key share test (backward compatibility) * Key share is implicitly sent for first client group * Check HRR if server does not support key share group */ { "secp521r1:secp384r1:X25519:prime256v1:X448", /* test 2 */ "X25519:secp384r1:prime256v1", CLIENT_PREFERENCE, "secp384r1", HRR }, { "secp521r1:secp384r1:X25519:prime256v1:X448", /* test 3 */ "X25519:secp384r1:prime256v1", SERVER_PREFERENCE, "X25519", HRR }, /* * (C) Explicit key shares, SH tests * Test key share selection as function of client-/server-preference * Test (implicitly) that multiple key shares are generated * Test (implicitly) that multiple tuples don't influence the client * Test (implicitly) that key share prefix doesn't influence the server */ { "secp521r1:secp384r1:*X25519/*prime256v1:X448", /* test 4 */ "secp521r1:*prime256v1:X25519:X448", CLIENT_PREFERENCE, "X25519", SH }, { "secp521r1:secp384r1:*X25519/*prime256v1:X448", /* test 5 */ "secp521r1:*prime256v1:X25519:X448", SERVER_PREFERENCE, "prime256v1", SH }, /* * (D) Explicit key shares, HRR tests * Check that HRR is issued if group in first tuple * is supported but no key share is available for the tuple */ { "secp521r1:secp384r1:*X25519:prime256v1:*X448", /* test 6 */ "secp384r1:secp521r1:prime256v1/X25519:X448", CLIENT_PREFERENCE, "secp521r1", HRR }, { "secp521r1:secp384r1:*X25519:prime256v1:*X448", /* test 7 */ "secp384r1:secp521r1:prime256v1/X25519:X448", SERVER_PREFERENCE, "secp384r1", HRR }, /* * (E) Multiple tuples tests, client without tuple delimiters * Check that second tuple is evaluated if there isn't any match * first tuple */ { "*X25519:prime256v1:*X448", /* test 8 */ "secp521r1:secp384r1/X448:X25519", CLIENT_PREFERENCE, "X25519", SH }, { "*X25519:prime256v1:*X448", /* test 9 */ "secp521r1:secp384r1/X448:X25519", SERVER_PREFERENCE, "X448", SH }, /* (F) Check that '?' will ignore unknown group but use known group */ { "*X25519:?unknown_group_123:prime256v1:*X448", /* test 10 */ "secp521r1:secp384r1/X448:?unknown_group_456:?X25519", CLIENT_PREFERENCE, "X25519", SH }, { "*X25519:prime256v1:*X448:?*unknown_group_789", /* test 11 */ "secp521r1:secp384r1/?X448:?unknown_group_456:X25519", SERVER_PREFERENCE, "X448", SH }, /* * (G) Check full backward compatibility (= don't explicitly set any groups) */ { NULL, /* test 12 */ NULL, CLIENT_PREFERENCE, "X25519", SH }, { NULL, /* test 13 */ NULL, SERVER_PREFERENCE, "X25519", SH }, /* * (H) Check that removal of group is 'active' */ { "*X25519:*X448", /* test 14 */ "secp521r1:X25519:prime256v1:-X25519:secp384r1/X448", CLIENT_PREFERENCE, "X448", SH }, { "*X25519:*X448", /* test 15 */ "secp521r1:X25519:prime256v1:-X25519:secp384r1/X448", SERVER_PREFERENCE, "X448", SH }, { "*X25519:prime256v1:*X448", /* test 16 */ "X25519:prime256v1/X448:-X25519", CLIENT_PREFERENCE, "prime256v1", HRR }, { "*X25519:prime256v1:*X448", /* test 17 */ "X25519:prime256v1/X448:-X25519", SERVER_PREFERENCE, "prime256v1", HRR }, /* * (I) Check handling of the "DEFAULT" 'pseudo group name' */ { "*X25519:DEFAULT:-prime256v1:-X448", /* test 18 */ "DEFAULT:-X25519", CLIENT_PREFERENCE, "secp521r1", HRR }, { "*X25519:DEFAULT:-prime256v1:-X448", /* test 19 */ "DEFAULT:-X25519", SERVER_PREFERENCE, "secp521r1", HRR }, /* * (J) Deduplication check */ { "secp521r1:X25519:prime256v1/X25519:prime256v1/X448", /* test 20 */ "secp521r1:X25519:prime256v1/X25519:prime256v1/X448", CLIENT_PREFERENCE, "secp521r1", SH }, { "secp521r1:X25519:prime256v1/X25519:prime256v1/X448", /* test 21 */ "secp521r1:X25519:prime256v1/X25519:prime256v1/X448", SERVER_PREFERENCE, "secp521r1", SH }, /* * (K) Check group removal when first entry requested a keyshare */ { "*X25519:*prime256v1:-X25519", /* test 22 */ "X25519:prime256v1", CLIENT_PREFERENCE, "prime256v1", SH }, /* * (L) Syntax errors */ { "*X25519:*prime256v1:NOTVALID", /* test 23 */ "", CLIENT_PREFERENCE, SYNTAX_FAILURE }, { "X25519//prime256v1", /* test 24 */ "", CLIENT_PREFERENCE, SYNTAX_FAILURE }, { "**X25519:*prime256v1", /* test 25 */ "", CLIENT_PREFERENCE, SYNTAX_FAILURE }, { "*X25519:*secp256r1:*X448:*secp521r1:*secp384r1", /* test 26 */ "", CLIENT_PREFERENCE, SYNTAX_FAILURE }, { "*X25519:*secp256r1:?:*secp521r1", /* test 27 */ "", CLIENT_PREFERENCE, SYNTAX_FAILURE }, { "*X25519:*secp256r1::secp521r1", /* test 28 */ "", CLIENT_PREFERENCE, SYNTAX_FAILURE }, { ":*secp256r1:secp521r1", /* test 29 */ "", CLIENT_PREFERENCE, SYNTAX_FAILURE }, { "*secp256r1:secp521r1:", /* test 30 */ "", CLIENT_PREFERENCE, SYNTAX_FAILURE }, { "/secp256r1/secp521r1", /* test 31 */ "", CLIENT_PREFERENCE, SYNTAX_FAILURE }, { "secp256r1/secp521r1/", /* test 32 */ "", CLIENT_PREFERENCE, SYNTAX_FAILURE }, /* test 33 remove all groups */ { "X25519:secp256r1:X448:secp521r1:-X448:-secp256r1:-X25519:-secp521r1", "", CLIENT_PREFERENCE, SYNTAX_FAILURE }, { "X25519:??secp256r1:X448", /* test 34 */ "", CLIENT_PREFERENCE, SYNTAX_FAILURE }, { "X25519:secp256r1:**X448", /* test 35 */ "", CLIENT_PREFERENCE, SYNTAX_FAILURE }, { "--X25519:secp256r1:X448", /* test 36 */ "", CLIENT_PREFERENCE, SYNTAX_FAILURE }, { "-DEFAULT", /* test 37 */ "", CLIENT_PREFERENCE, SYNTAX_FAILURE }, { "?DEFAULT", /* test 38 */ "", CLIENT_PREFERENCE, SYNTAX_FAILURE }, /* * Negotiation Failures * No overlapping groups between client and server */ { "secp384r1:secp521r1:X25519", /* test 39 */ "prime256v1:X448", CLIENT_PREFERENCE, NEGOTIATION_FAILURE }, { "secp521r1:secp384r1:X25519", /* test 40 */ "prime256v1:X448", SERVER_PREFERENCE, NEGOTIATION_FAILURE }, /* * These are allowed * "X25519/prime256v1:-X448", "X25519:-*X25519:*prime256v1, "*DEFAULT" */ /* * Tests to show that spaces between tuples are allowed */ { "secp521r1:X25519 / prime256v1/X25519 / prime256v1/X448", /* test 41 */ "secp521r1:X25519 / prime256v1/X25519 / prime256v1/X448", CLIENT_PREFERENCE, "secp521r1", SH }, { "secp521r1 / prime256v1:X25519 / prime256v1/X448", /* test 42 */ "secp521r1 / prime256v1:X25519 / prime256v1/X448", SERVER_PREFERENCE, "secp521r1", SH }, }; static void server_response_check_cb(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg) { /* Cast arg to SERVER_RESPONSE */ enum SERVER_RESPONSE *server_response = (enum SERVER_RESPONSE *)arg; /* Prepare check for HRR */ const uint8_t *incoming_random = (uint8_t *)buf + 6; const uint8_t magic_HRR_random[32] = { 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11, 0xBE, 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91, 0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E, 0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C }; /* Did a server hello arrive? */ if (write_p == 0 && /* Incoming data... */ content_type == SSL3_RT_HANDSHAKE && /* carrying a handshake record type ... */ version == TLS1_3_VERSION && /* for TLSv1.3 ... */ ((uint8_t *)buf)[0] == SSL3_MT_SERVER_HELLO) { /* with message type "ServerHello" */ /* Check what it is: SH or HRR (compare the 'random' data field with HRR magic number) */ if (memcmp((void *)incoming_random, (void *)magic_HRR_random, 32) == 0) *server_response *= HRR; else *server_response *= SH; } } static int test_invalidsyntax(const struct tls13groupselection_test_st *current_test_vector, int ssl_or_ctx) { int ok = 0; SSL_CTX *client_ctx = NULL, *server_ctx = NULL; SSL *clientssl = NULL, *serverssl = NULL; if (!TEST_ptr(current_test_vector->client_groups) || !TEST_size_t_ne(strlen(current_test_vector->client_groups), 0)) goto end; /* Creation of the contexts */ TEST_true_or_end(create_ssl_ctx_pair(NULL, TLS_server_method(), TLS_client_method(), TLS1_VERSION, 0, &server_ctx, &client_ctx, cert, privkey)); /* Customization of the contexts */ if (ssl_or_ctx == WORK_ON_CONTEXT) TEST_false_or_end(SSL_CTX_set1_groups_list(client_ctx, current_test_vector->client_groups)); /* Creation of the SSL objects */ TEST_true_or_end(create_ssl_objects(server_ctx, client_ctx, &serverssl, &clientssl, NULL, NULL)); /* Customization of the SSL objects */ if (ssl_or_ctx == WORK_ON_SSL_OBJECT) TEST_false_or_end(SSL_set1_groups_list(clientssl, current_test_vector->client_groups)); ok = 1; end: SSL_free(serverssl); SSL_free(clientssl); SSL_CTX_free(server_ctx); SSL_CTX_free(client_ctx); return ok; } static int test_groupnegotiation(const struct tls13groupselection_test_st *current_test_vector, int ssl_or_ctx, TEST_TYPE test_type) { int ok = 0; int negotiated_group_client = 0; int negotiated_group_server = 0; SSL_CTX *client_ctx = NULL, *server_ctx = NULL; SSL *clientssl = NULL, *serverssl = NULL; enum SERVER_RESPONSE server_response; /* Creation of the contexts */ TEST_true_or_end(create_ssl_ctx_pair(NULL, TLS_server_method(), TLS_client_method(), TLS1_VERSION, 0, &server_ctx, &client_ctx, cert, privkey)); /* Customization of the contexts */ if (ssl_or_ctx == WORK_ON_CONTEXT) { if (current_test_vector->client_groups != NULL) { TEST_true_or_end(SSL_CTX_set1_groups_list(client_ctx, current_test_vector->client_groups)); } if (current_test_vector->server_groups != NULL) { TEST_true_or_end(SSL_CTX_set1_groups_list(server_ctx, current_test_vector->server_groups)); } TEST_true_or_end(SSL_CTX_set_min_proto_version(client_ctx, TLS1_3_VERSION)); TEST_true_or_end(SSL_CTX_set_min_proto_version(server_ctx, TLS1_3_VERSION)); if (current_test_vector->preference == SERVER_PREFERENCE) SSL_CTX_set_options(server_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); } /* Creation of the SSL objects */ if (!TEST_true(create_ssl_objects(server_ctx, client_ctx, &serverssl, &clientssl, NULL, NULL))) goto end; /* Customization of the SSL objects */ if (ssl_or_ctx == WORK_ON_SSL_OBJECT) { if (current_test_vector->client_groups != NULL) TEST_true_or_end(SSL_set1_groups_list(clientssl, current_test_vector->client_groups)); if (current_test_vector->server_groups != NULL) TEST_true_or_end(SSL_set1_groups_list(serverssl, current_test_vector->server_groups)); TEST_true_or_end(SSL_set_min_proto_version(clientssl, TLS1_3_VERSION)); TEST_true_or_end(SSL_set_min_proto_version(serverssl, TLS1_3_VERSION)); if (current_test_vector->preference == SERVER_PREFERENCE) SSL_set_options(serverssl, SSL_OP_CIPHER_SERVER_PREFERENCE); } /* We set the message callback on the client side (which checks SH/HRR) */ server_response = INIT; /* Variable to hold server response info */ SSL_set_msg_callback_arg(clientssl, &server_response); /* add it to the callback */ SSL_set_msg_callback(clientssl, server_response_check_cb); /* and activate callback */ /* Creating a test connection */ if (test_type == TEST_NEGOTIATION_SUCCESS) { TEST_true_or_end(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)); /* * Checking that the negotiated group matches our expectation * and must be identical on server and client * and must be expected SH or HRR */ negotiated_group_client = SSL_get_negotiated_group(clientssl); negotiated_group_server = SSL_get_negotiated_group(serverssl); if (!TEST_int_eq(negotiated_group_client, negotiated_group_server)) goto end; if (!TEST_int_eq((int)current_test_vector->expected_server_response, (int)server_response)) goto end; if (TEST_int_eq(negotiated_group_client, OBJ_sn2nid(current_test_vector->expected_group))) ok = 1; } else { TEST_false_or_end(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)); ok = 1; } end: SSL_free(serverssl); SSL_free(clientssl); SSL_CTX_free(server_ctx); SSL_CTX_free(client_ctx); return ok; } static int tls13groupselection_test(int i) { int testresult = 1; /* Assume the test will succeed */ int res = 0; TEST_TYPE test_type = TEST_NEGOTIATION_SUCCESS; /* * Call the code under test, once such that the ssl object is used and * once such that the ctx is used. If any of the tests fail (= return 0), * the end result will be 0 thanks to multiplication */ TEST_info("==> Running TLSv1.3 test %d", i); if (strncmp(tls13groupselection_tests[i].expected_group, SYNTAX_FAILURE, sizeof(SYNTAX_FAILURE)) == 0) test_type = TEST_SYNTAX_FAILURE; else if (strncmp(tls13groupselection_tests[i].expected_group, NEGOTIATION_FAILURE, sizeof(NEGOTIATION_FAILURE)) == 0) test_type = TEST_NEGOTIATION_FAILURE; if (test_type == TEST_SYNTAX_FAILURE) res = test_invalidsyntax(&tls13groupselection_tests[i], WORK_ON_SSL_OBJECT); else res = test_groupnegotiation(&tls13groupselection_tests[i], WORK_ON_SSL_OBJECT, test_type); if (!res) TEST_error("====> [ERROR] TLSv1.3 test %d with WORK_ON_SSL_OBJECT failed", i); testresult *= res; if (test_type == TEST_SYNTAX_FAILURE) res = test_invalidsyntax(&tls13groupselection_tests[i], WORK_ON_CONTEXT); else res = test_groupnegotiation(&tls13groupselection_tests[i], WORK_ON_CONTEXT, test_type); if (!res) TEST_error("====> [ERROR] TLSv1.3 test %d with WORK_ON_CONTEXT failed", i); testresult *= res; return testresult; } int setup_tests(void) { if (!TEST_ptr(cert = test_get_argument(0)) || !TEST_ptr(privkey = test_get_argument(1))) return 0; ADD_ALL_TESTS(tls13groupselection_test, OSSL_NELEM(tls13groupselection_tests)); return 1; }