2 * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/core_dispatch.h>
32 #include <openssl/provider.h>
33 #include <openssl/param_build.h>
34 #include <openssl/x509v3.h>
35 #include <openssl/dh.h>
36 #include <openssl/engine.h>
38 #include "helpers/ssltestlib.h"
40 #include "testutil/output.h"
41 #include "internal/nelem.h"
42 #include "internal/tlsgroups.h"
43 #include "internal/ktls.h"
44 #include "../ssl/ssl_local.h"
45 #include "../ssl/record/methods/recmethod_local.h"
46 #include "filterprov.h"
48 #undef OSSL_NO_USABLE_TLS1_3
49 #if defined(OPENSSL_NO_TLS1_3) \
50 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
52 * If we don't have ec or dh then there are no built-in groups that are usable
55 # define OSSL_NO_USABLE_TLS1_3
58 /* Defined in tls-provider.c */
59 int tls_provider_init(const OSSL_CORE_HANDLE *handle,
60 const OSSL_DISPATCH *in,
61 const OSSL_DISPATCH **out,
64 static OSSL_LIB_CTX *libctx = NULL;
65 static OSSL_PROVIDER *defctxnull = NULL;
67 #ifndef OSSL_NO_USABLE_TLS1_3
69 static SSL_SESSION *clientpsk = NULL;
70 static SSL_SESSION *serverpsk = NULL;
71 static const char *pskid = "Identity";
72 static const char *srvid;
74 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
75 size_t *idlen, SSL_SESSION **sess);
76 static int find_session_cb(SSL *ssl, const unsigned char *identity,
77 size_t identity_len, SSL_SESSION **sess);
79 static int use_session_cb_cnt = 0;
80 static int find_session_cb_cnt = 0;
83 static char *certsdir = NULL;
84 static char *cert = NULL;
85 static char *privkey = NULL;
86 static char *cert2 = NULL;
87 static char *privkey2 = NULL;
88 static char *cert1024 = NULL;
89 static char *privkey1024 = NULL;
90 static char *cert3072 = NULL;
91 static char *privkey3072 = NULL;
92 static char *cert4096 = NULL;
93 static char *privkey4096 = NULL;
94 static char *cert8192 = NULL;
95 static char *privkey8192 = NULL;
96 static char *srpvfile = NULL;
97 static char *tmpfilename = NULL;
98 static char *dhfile = NULL;
100 static int is_fips = 0;
101 static int fips_ems_check = 0;
103 #define LOG_BUFFER_SIZE 2048
104 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
105 static size_t server_log_buffer_index = 0;
106 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
107 static size_t client_log_buffer_index = 0;
108 static int error_writing_log = 0;
110 #ifndef OPENSSL_NO_OCSP
111 static const unsigned char orespder[] = "Dummy OCSP Response";
112 static int ocsp_server_called = 0;
113 static int ocsp_client_called = 0;
115 static int cdummyarg = 1;
116 static X509 *ocspcert = NULL;
119 #define CLIENT_VERSION_LEN 2
122 * This structure is used to validate that the correct number of log messages
123 * of various types are emitted when emitting secret logs.
125 struct sslapitest_log_counts {
126 unsigned int rsa_key_exchange_count;
127 unsigned int master_secret_count;
128 unsigned int client_early_secret_count;
129 unsigned int client_handshake_secret_count;
130 unsigned int server_handshake_secret_count;
131 unsigned int client_application_secret_count;
132 unsigned int server_application_secret_count;
133 unsigned int early_exporter_secret_count;
134 unsigned int exporter_secret_count;
138 static int hostname_cb(SSL *s, int *al, void *arg)
140 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
142 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
143 || strcmp(hostname, "altgoodhost") == 0))
144 return SSL_TLSEXT_ERR_OK;
146 return SSL_TLSEXT_ERR_NOACK;
149 static void client_keylog_callback(const SSL *ssl, const char *line)
151 int line_length = strlen(line);
153 /* If the log doesn't fit, error out. */
154 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
155 TEST_info("Client log too full");
156 error_writing_log = 1;
160 strcat(client_log_buffer, line);
161 client_log_buffer_index += line_length;
162 client_log_buffer[client_log_buffer_index++] = '\n';
165 static void server_keylog_callback(const SSL *ssl, const char *line)
167 int line_length = strlen(line);
169 /* If the log doesn't fit, error out. */
170 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
171 TEST_info("Server log too full");
172 error_writing_log = 1;
176 strcat(server_log_buffer, line);
177 server_log_buffer_index += line_length;
178 server_log_buffer[server_log_buffer_index++] = '\n';
181 static int compare_hex_encoded_buffer(const char *hex_encoded,
189 if (!TEST_size_t_eq(raw_length * 2, hex_length))
192 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
193 sprintf(hexed, "%02x", raw[i]);
194 if (!TEST_int_eq(hexed[0], hex_encoded[j])
195 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
202 static int test_keylog_output(char *buffer, const SSL *ssl,
203 const SSL_SESSION *session,
204 struct sslapitest_log_counts *expected)
207 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
208 size_t client_random_size = SSL3_RANDOM_SIZE;
209 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
210 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
211 unsigned int rsa_key_exchange_count = 0;
212 unsigned int master_secret_count = 0;
213 unsigned int client_early_secret_count = 0;
214 unsigned int client_handshake_secret_count = 0;
215 unsigned int server_handshake_secret_count = 0;
216 unsigned int client_application_secret_count = 0;
217 unsigned int server_application_secret_count = 0;
218 unsigned int early_exporter_secret_count = 0;
219 unsigned int exporter_secret_count = 0;
221 for (token = strtok(buffer, " \n"); token != NULL;
222 token = strtok(NULL, " \n")) {
223 if (strcmp(token, "RSA") == 0) {
225 * Premaster secret. Tokens should be: 16 ASCII bytes of
226 * hex-encoded encrypted secret, then the hex-encoded pre-master
229 if (!TEST_ptr(token = strtok(NULL, " \n")))
231 if (!TEST_size_t_eq(strlen(token), 16))
233 if (!TEST_ptr(token = strtok(NULL, " \n")))
236 * We can't sensibly check the log because the premaster secret is
237 * transient, and OpenSSL doesn't keep hold of it once the master
238 * secret is generated.
240 rsa_key_exchange_count++;
241 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
243 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
244 * client random, then the hex-encoded master secret.
246 client_random_size = SSL_get_client_random(ssl,
247 actual_client_random,
249 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
252 if (!TEST_ptr(token = strtok(NULL, " \n")))
254 if (!TEST_size_t_eq(strlen(token), 64))
256 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
257 actual_client_random,
258 client_random_size)))
261 if (!TEST_ptr(token = strtok(NULL, " \n")))
263 master_key_size = SSL_SESSION_get_master_key(session,
266 if (!TEST_size_t_ne(master_key_size, 0))
268 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
272 master_secret_count++;
273 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
274 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
275 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
276 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
277 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
278 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
279 || strcmp(token, "EXPORTER_SECRET") == 0) {
281 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
282 * client random, and then the hex-encoded secret. In this case,
283 * we treat all of these secrets identically and then just
284 * distinguish between them when counting what we saw.
286 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
287 client_early_secret_count++;
288 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
289 client_handshake_secret_count++;
290 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
291 server_handshake_secret_count++;
292 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
293 client_application_secret_count++;
294 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
295 server_application_secret_count++;
296 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
297 early_exporter_secret_count++;
298 else if (strcmp(token, "EXPORTER_SECRET") == 0)
299 exporter_secret_count++;
301 client_random_size = SSL_get_client_random(ssl,
302 actual_client_random,
304 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
307 if (!TEST_ptr(token = strtok(NULL, " \n")))
309 if (!TEST_size_t_eq(strlen(token), 64))
311 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
312 actual_client_random,
313 client_random_size)))
316 if (!TEST_ptr(token = strtok(NULL, " \n")))
319 TEST_info("Unexpected token %s\n", token);
324 /* Got what we expected? */
325 if (!TEST_size_t_eq(rsa_key_exchange_count,
326 expected->rsa_key_exchange_count)
327 || !TEST_size_t_eq(master_secret_count,
328 expected->master_secret_count)
329 || !TEST_size_t_eq(client_early_secret_count,
330 expected->client_early_secret_count)
331 || !TEST_size_t_eq(client_handshake_secret_count,
332 expected->client_handshake_secret_count)
333 || !TEST_size_t_eq(server_handshake_secret_count,
334 expected->server_handshake_secret_count)
335 || !TEST_size_t_eq(client_application_secret_count,
336 expected->client_application_secret_count)
337 || !TEST_size_t_eq(server_application_secret_count,
338 expected->server_application_secret_count)
339 || !TEST_size_t_eq(early_exporter_secret_count,
340 expected->early_exporter_secret_count)
341 || !TEST_size_t_eq(exporter_secret_count,
342 expected->exporter_secret_count))
347 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
348 static int test_keylog(void)
350 SSL_CTX *cctx = NULL, *sctx = NULL;
351 SSL *clientssl = NULL, *serverssl = NULL;
353 struct sslapitest_log_counts expected;
355 /* Clean up logging space */
356 memset(&expected, 0, sizeof(expected));
357 memset(client_log_buffer, 0, sizeof(client_log_buffer));
358 memset(server_log_buffer, 0, sizeof(server_log_buffer));
359 client_log_buffer_index = 0;
360 server_log_buffer_index = 0;
361 error_writing_log = 0;
363 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
366 &sctx, &cctx, cert, privkey)))
369 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
370 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
371 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
373 /* We also want to ensure that we use RSA-based key exchange. */
374 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
377 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
378 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
380 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
381 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
382 == client_keylog_callback))
384 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
385 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
386 == server_keylog_callback))
389 /* Now do a handshake and check that the logs have been written to. */
390 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
391 &clientssl, NULL, NULL))
392 || !TEST_true(create_ssl_connection(serverssl, clientssl,
394 || !TEST_false(error_writing_log)
395 || !TEST_int_gt(client_log_buffer_index, 0)
396 || !TEST_int_gt(server_log_buffer_index, 0))
400 * Now we want to test that our output data was vaguely sensible. We
401 * do that by using strtok and confirming that we have more or less the
402 * data we expect. For both client and server, we expect to see one master
403 * secret. The client should also see an RSA key exchange.
405 expected.rsa_key_exchange_count = 1;
406 expected.master_secret_count = 1;
407 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
408 SSL_get_session(clientssl), &expected)))
411 expected.rsa_key_exchange_count = 0;
412 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
413 SSL_get_session(serverssl), &expected)))
428 #ifndef OSSL_NO_USABLE_TLS1_3
429 static int test_keylog_no_master_key(void)
431 SSL_CTX *cctx = NULL, *sctx = NULL;
432 SSL *clientssl = NULL, *serverssl = NULL;
433 SSL_SESSION *sess = NULL;
435 struct sslapitest_log_counts expected;
436 unsigned char buf[1];
437 size_t readbytes, written;
439 /* Clean up logging space */
440 memset(&expected, 0, sizeof(expected));
441 memset(client_log_buffer, 0, sizeof(client_log_buffer));
442 memset(server_log_buffer, 0, sizeof(server_log_buffer));
443 client_log_buffer_index = 0;
444 server_log_buffer_index = 0;
445 error_writing_log = 0;
447 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
448 TLS_client_method(), TLS1_VERSION, 0,
449 &sctx, &cctx, cert, privkey))
450 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
451 SSL3_RT_MAX_PLAIN_LENGTH)))
454 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
455 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
458 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
459 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
460 == client_keylog_callback))
463 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
464 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
465 == server_keylog_callback))
468 /* Now do a handshake and check that the logs have been written to. */
469 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
470 &clientssl, NULL, NULL))
471 || !TEST_true(create_ssl_connection(serverssl, clientssl,
473 || !TEST_false(error_writing_log))
477 * Now we want to test that our output data was vaguely sensible. For this
478 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
479 * TLSv1.3, but we do expect both client and server to emit keys.
481 expected.client_handshake_secret_count = 1;
482 expected.server_handshake_secret_count = 1;
483 expected.client_application_secret_count = 1;
484 expected.server_application_secret_count = 1;
485 expected.exporter_secret_count = 1;
486 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
487 SSL_get_session(clientssl), &expected))
488 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
489 SSL_get_session(serverssl),
493 /* Terminate old session and resume with early data. */
494 sess = SSL_get1_session(clientssl);
495 SSL_shutdown(clientssl);
496 SSL_shutdown(serverssl);
499 serverssl = clientssl = NULL;
502 memset(client_log_buffer, 0, sizeof(client_log_buffer));
503 memset(server_log_buffer, 0, sizeof(server_log_buffer));
504 client_log_buffer_index = 0;
505 server_log_buffer_index = 0;
507 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
508 &clientssl, NULL, NULL))
509 || !TEST_true(SSL_set_session(clientssl, sess))
510 /* Here writing 0 length early data is enough. */
511 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
512 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
514 SSL_READ_EARLY_DATA_ERROR)
515 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
516 SSL_EARLY_DATA_ACCEPTED)
517 || !TEST_true(create_ssl_connection(serverssl, clientssl,
519 || !TEST_true(SSL_session_reused(clientssl)))
522 /* In addition to the previous entries, expect early secrets. */
523 expected.client_early_secret_count = 1;
524 expected.early_exporter_secret_count = 1;
525 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
526 SSL_get_session(clientssl), &expected))
527 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
528 SSL_get_session(serverssl),
535 SSL_SESSION_free(sess);
545 static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
547 int res = X509_verify_cert(ctx);
548 int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
551 /* this should not happen but check anyway */
553 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL)
556 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
557 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
558 /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
559 return SSL_set_retry_verify(ssl);
564 static int test_client_cert_verify_cb(void)
566 /* server key, cert, chain, and root */
567 char *skey = test_mk_file_path(certsdir, "leaf.key");
568 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
569 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
570 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
571 char *root = test_mk_file_path(certsdir, "rootCA.pem");
572 X509 *crt1 = NULL, *crt2 = NULL;
573 STACK_OF(X509) *server_chain;
574 SSL_CTX *cctx = NULL, *sctx = NULL;
575 SSL *clientssl = NULL, *serverssl = NULL;
578 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
579 TLS_client_method(), TLS1_VERSION, 0,
580 &sctx, &cctx, NULL, NULL)))
582 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
583 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
584 SSL_FILETYPE_PEM), 1)
585 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
587 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
589 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
590 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
591 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
592 &clientssl, NULL, NULL)))
595 /* attempt SSL_connect() with incomplete server chain */
596 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
597 SSL_ERROR_WANT_RETRY_VERIFY)))
600 /* application provides intermediate certs needed to verify server cert */
601 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
602 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
603 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
605 /* add certs in reverse order to demonstrate real chain building */
606 if (!TEST_true(sk_X509_push(server_chain, crt1)))
609 if (!TEST_true(sk_X509_push(server_chain, crt2)))
613 /* continue SSL_connect(), must now succeed with completed server chain */
614 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
623 if (clientssl != NULL) {
624 SSL_shutdown(clientssl);
627 if (serverssl != NULL) {
628 SSL_shutdown(serverssl);
643 static int test_ssl_build_cert_chain(void)
646 SSL_CTX *ssl_ctx = NULL;
648 char *skey = test_mk_file_path(certsdir, "leaf.key");
649 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
651 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
653 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
655 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
656 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
657 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
658 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
660 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
661 | SSL_BUILD_CHAIN_FLAG_CHECK)))
666 SSL_CTX_free(ssl_ctx);
667 OPENSSL_free(leaf_chain);
672 static int get_password_cb(char *buf, int size, int rw_flag, void *userdata)
674 static const char pass[] = "testpass";
676 if (!TEST_int_eq(size, PEM_BUFSIZE))
679 memcpy(buf, pass, sizeof(pass) - 1);
680 return sizeof(pass) - 1;
683 static int test_ssl_ctx_build_cert_chain(void)
687 char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key");
688 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
690 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
692 SSL_CTX_set_default_passwd_cb(ctx, get_password_cb);
693 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
694 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
695 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
696 SSL_FILETYPE_PEM), 1)
697 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
699 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
700 | SSL_BUILD_CHAIN_FLAG_CHECK)))
705 OPENSSL_free(leaf_chain);
710 #ifndef OPENSSL_NO_TLS1_2
711 static int full_client_hello_callback(SSL *s, int *al, void *arg)
714 const unsigned char *p;
716 /* We only configure two ciphers, but the SCSV is added automatically. */
718 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
720 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
723 const int expected_extensions[] = {
724 #ifndef OPENSSL_NO_EC
730 /* Make sure we can defer processing and get called back. */
732 return SSL_CLIENT_HELLO_RETRY;
734 len = SSL_client_hello_get0_ciphers(s, &p);
735 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
737 SSL_client_hello_get0_compression_methods(s, &p), 1)
738 || !TEST_int_eq(*p, 0))
739 return SSL_CLIENT_HELLO_ERROR;
740 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
741 return SSL_CLIENT_HELLO_ERROR;
742 if (len != OSSL_NELEM(expected_extensions) ||
743 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
744 printf("ClientHello callback expected extensions mismatch\n");
746 return SSL_CLIENT_HELLO_ERROR;
749 return SSL_CLIENT_HELLO_SUCCESS;
752 static int test_client_hello_cb(void)
754 SSL_CTX *cctx = NULL, *sctx = NULL;
755 SSL *clientssl = NULL, *serverssl = NULL;
756 int testctr = 0, testresult = 0;
758 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
759 TLS_client_method(), TLS1_VERSION, 0,
760 &sctx, &cctx, cert, privkey)))
762 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
764 /* The gimpy cipher list we configure can't do TLS 1.3. */
765 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
767 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
768 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
769 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
770 &clientssl, NULL, NULL))
771 || !TEST_false(create_ssl_connection(serverssl, clientssl,
772 SSL_ERROR_WANT_CLIENT_HELLO_CB))
774 * Passing a -1 literal is a hack since
775 * the real value was lost.
777 || !TEST_int_eq(SSL_get_error(serverssl, -1),
778 SSL_ERROR_WANT_CLIENT_HELLO_CB)
779 || !TEST_true(create_ssl_connection(serverssl, clientssl,
794 static int test_no_ems(void)
796 SSL_CTX *cctx = NULL, *sctx = NULL;
797 SSL *clientssl = NULL, *serverssl = NULL;
798 int testresult = 0, status;
800 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
801 TLS1_VERSION, TLS1_2_VERSION,
802 &sctx, &cctx, cert, privkey)) {
803 printf("Unable to create SSL_CTX pair\n");
807 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
809 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
810 printf("Unable to create SSL objects\n");
814 status = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
815 if (fips_ems_check) {
817 printf("When FIPS uses the EMS check a connection that doesn't use EMS should fail\n");
822 printf("Creating SSL connection failed\n");
825 if (SSL_get_extms_support(serverssl)) {
826 printf("Server reports Extended Master Secret support\n");
829 if (SSL_get_extms_support(clientssl)) {
830 printf("Client reports Extended Master Secret support\n");
846 * Very focused test to exercise a single case in the server-side state
847 * machine, when the ChangeCipherState message needs to actually change
848 * from one cipher to a different cipher (i.e., not changing from null
849 * encryption to real encryption).
851 static int test_ccs_change_cipher(void)
853 SSL_CTX *cctx = NULL, *sctx = NULL;
854 SSL *clientssl = NULL, *serverssl = NULL;
855 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
862 * Create a connection so we can resume and potentially (but not) use
863 * a different cipher in the second connection.
865 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
867 TLS1_VERSION, TLS1_2_VERSION,
868 &sctx, &cctx, cert, privkey))
869 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
870 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
872 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
873 || !TEST_true(create_ssl_connection(serverssl, clientssl,
875 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
876 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
879 shutdown_ssl_connection(serverssl, clientssl);
880 serverssl = clientssl = NULL;
882 /* Resume, preferring a different cipher. Our server will force the
883 * same cipher to be used as the initial handshake. */
884 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
886 || !TEST_true(SSL_set_session(clientssl, sess))
887 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
888 || !TEST_true(create_ssl_connection(serverssl, clientssl,
890 || !TEST_true(SSL_session_reused(clientssl))
891 || !TEST_true(SSL_session_reused(serverssl))
892 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
893 || !TEST_ptr_eq(sesspre, sesspost)
894 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
895 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
897 shutdown_ssl_connection(serverssl, clientssl);
898 serverssl = clientssl = NULL;
901 * Now create a fresh connection and try to renegotiate a different
904 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
906 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
907 || !TEST_true(create_ssl_connection(serverssl, clientssl,
909 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
910 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
911 || !TEST_true(SSL_renegotiate(clientssl))
912 || !TEST_true(SSL_renegotiate_pending(clientssl)))
914 /* Actually drive the renegotiation. */
915 for (i = 0; i < 3; i++) {
916 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
917 if (!TEST_ulong_eq(readbytes, 0))
919 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
920 SSL_ERROR_WANT_READ)) {
923 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
924 if (!TEST_ulong_eq(readbytes, 0))
926 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
927 SSL_ERROR_WANT_READ)) {
931 /* sesspre and sesspost should be different since the cipher changed. */
932 if (!TEST_false(SSL_renegotiate_pending(clientssl))
933 || !TEST_false(SSL_session_reused(clientssl))
934 || !TEST_false(SSL_session_reused(serverssl))
935 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
936 || !TEST_ptr_ne(sesspre, sesspost)
937 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
938 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
941 shutdown_ssl_connection(serverssl, clientssl);
942 serverssl = clientssl = NULL;
951 SSL_SESSION_free(sess);
957 static int execute_test_large_message(const SSL_METHOD *smeth,
958 const SSL_METHOD *cmeth,
959 int min_version, int max_version,
962 SSL_CTX *cctx = NULL, *sctx = NULL;
963 SSL *clientssl = NULL, *serverssl = NULL;
966 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
967 max_version, &sctx, &cctx, cert,
971 #ifdef OPENSSL_NO_DTLS1_2
972 if (smeth == DTLS_server_method()) {
974 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
977 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
978 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
979 "DEFAULT:@SECLEVEL=0")))
986 * Test that read_ahead works correctly when dealing with large
989 SSL_CTX_set_read_ahead(cctx, 1);
992 if (!ssl_ctx_add_large_cert_chain(libctx, sctx, cert))
995 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
997 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1002 * Calling SSL_clear() first is not required but this tests that SSL_clear()
1005 if (!TEST_true(SSL_clear(serverssl)))
1010 SSL_free(serverssl);
1011 SSL_free(clientssl);
1018 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
1019 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
1020 /* sock must be connected */
1021 static int ktls_chk_platform(int sock)
1023 if (!ktls_enable(sock))
1028 static int ping_pong_query(SSL *clientssl, SSL *serverssl)
1030 static char count = 1;
1031 unsigned char cbuf[16000] = {0};
1032 unsigned char sbuf[16000];
1034 char crec_wseq_before[SEQ_NUM_SIZE];
1035 char crec_wseq_after[SEQ_NUM_SIZE];
1036 char crec_rseq_before[SEQ_NUM_SIZE];
1037 char crec_rseq_after[SEQ_NUM_SIZE];
1038 char srec_wseq_before[SEQ_NUM_SIZE];
1039 char srec_wseq_after[SEQ_NUM_SIZE];
1040 char srec_rseq_before[SEQ_NUM_SIZE];
1041 char srec_rseq_after[SEQ_NUM_SIZE];
1042 SSL_CONNECTION *clientsc, *serversc;
1044 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1045 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1049 memcpy(crec_wseq_before, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1050 memcpy(srec_wseq_before, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1051 memcpy(crec_rseq_before, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1052 memcpy(srec_rseq_before, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1054 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1057 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1058 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1063 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1066 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1067 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1072 memcpy(crec_wseq_after, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1073 memcpy(srec_wseq_after, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1074 memcpy(crec_rseq_after, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1075 memcpy(srec_rseq_after, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1077 /* verify the payload */
1078 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1082 * If ktls is used then kernel sequences are used instead of
1085 if (!BIO_get_ktls_send(clientsc->wbio)) {
1086 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1087 crec_wseq_after, SEQ_NUM_SIZE))
1090 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1091 crec_wseq_after, SEQ_NUM_SIZE))
1095 if (!BIO_get_ktls_send(serversc->wbio)) {
1096 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1097 srec_wseq_after, SEQ_NUM_SIZE))
1100 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1101 srec_wseq_after, SEQ_NUM_SIZE))
1105 if (!BIO_get_ktls_recv(clientsc->wbio)) {
1106 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1107 crec_rseq_after, SEQ_NUM_SIZE))
1110 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1111 crec_rseq_after, SEQ_NUM_SIZE))
1115 if (!BIO_get_ktls_recv(serversc->wbio)) {
1116 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1117 srec_rseq_after, SEQ_NUM_SIZE))
1120 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1121 srec_rseq_after, SEQ_NUM_SIZE))
1130 static int execute_test_ktls(int cis_ktls, int sis_ktls,
1131 int tls_version, const char *cipher)
1133 SSL_CTX *cctx = NULL, *sctx = NULL;
1134 SSL *clientssl = NULL, *serverssl = NULL;
1135 int ktls_used = 0, testresult = 0;
1136 int cfd = -1, sfd = -1;
1138 SSL_CONNECTION *clientsc, *serversc;
1139 unsigned char *buf = NULL;
1140 const size_t bufsz = SSL3_RT_MAX_PLAIN_LENGTH + 16;
1142 size_t offset = 0, i;
1144 if (!TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
1147 /* Skip this test if the platform does not support ktls */
1148 if (!ktls_chk_platform(cfd)) {
1149 testresult = TEST_skip("Kernel does not support KTLS");
1153 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1154 testresult = TEST_skip("CHACHA is not supported in FIPS");
1158 /* Create a session based on SHA-256 */
1159 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1160 TLS_client_method(),
1161 tls_version, tls_version,
1162 &sctx, &cctx, cert, privkey)))
1165 if (tls_version == TLS1_3_VERSION) {
1166 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1167 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1170 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1171 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1175 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1176 &clientssl, sfd, cfd)))
1179 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1180 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1184 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
1189 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1193 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1197 * The running kernel may not support a given cipher suite
1198 * or direction, so just check that KTLS isn't used when it
1202 if (!TEST_false(BIO_get_ktls_send(clientsc->wbio)))
1205 if (BIO_get_ktls_send(clientsc->wbio))
1210 if (!TEST_false(BIO_get_ktls_send(serversc->wbio)))
1213 if (BIO_get_ktls_send(serversc->wbio))
1217 #if defined(OPENSSL_NO_KTLS_RX)
1222 if (!cis_ktls || !rx_supported) {
1223 if (!TEST_false(BIO_get_ktls_recv(clientsc->rbio)))
1226 if (BIO_get_ktls_send(clientsc->rbio))
1230 if (!sis_ktls || !rx_supported) {
1231 if (!TEST_false(BIO_get_ktls_recv(serversc->rbio)))
1234 if (BIO_get_ktls_send(serversc->rbio))
1238 if ((cis_ktls || sis_ktls) && !ktls_used) {
1239 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1240 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1245 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
1248 buf = OPENSSL_zalloc(bufsz);
1253 * Write some data that exceeds the maximum record length. KTLS may choose
1254 * to coalesce this data into a single buffer when we read it again.
1256 while ((ret = SSL_write(clientssl, buf, bufsz)) != (int)bufsz) {
1257 if (!TEST_true(SSL_get_error(clientssl, ret) == SSL_ERROR_WANT_WRITE))
1261 /* Now check that we can read all the data we wrote */
1263 ret = SSL_read(serverssl, buf + offset, bufsz - offset);
1265 if (!TEST_true(SSL_get_error(serverssl, ret) == SSL_ERROR_WANT_READ))
1270 } while (offset < bufsz);
1272 if (!TEST_true(offset == bufsz))
1274 for (i = 0; i < bufsz; i++)
1275 if (!TEST_true(buf[i] == 0))
1282 SSL_shutdown(clientssl);
1283 SSL_free(clientssl);
1286 SSL_shutdown(serverssl);
1287 SSL_free(serverssl);
1291 serverssl = clientssl = NULL;
1299 #define SENDFILE_SZ (16 * 4096)
1300 #define SENDFILE_CHUNK (4 * 4096)
1301 #define min(a,b) ((a) > (b) ? (b) : (a))
1303 static int execute_test_ktls_sendfile(int tls_version, const char *cipher,
1306 SSL_CTX *cctx = NULL, *sctx = NULL;
1307 SSL *clientssl = NULL, *serverssl = NULL;
1308 unsigned char *buf, *buf_dst;
1309 BIO *out = NULL, *in = NULL;
1310 int cfd = -1, sfd = -1, ffd, err;
1311 ssize_t chunk_size = 0;
1312 off_t chunk_off = 0;
1315 SSL_CONNECTION *serversc;
1317 buf = OPENSSL_zalloc(SENDFILE_SZ);
1318 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1319 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1320 || !TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
1323 /* Skip this test if the platform does not support ktls */
1324 if (!ktls_chk_platform(sfd)) {
1325 testresult = TEST_skip("Kernel does not support KTLS");
1329 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1330 testresult = TEST_skip("CHACHA is not supported in FIPS");
1334 /* Create a session based on SHA-256 */
1335 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1336 TLS_client_method(),
1337 tls_version, tls_version,
1338 &sctx, &cctx, cert, privkey)))
1341 if (tls_version == TLS1_3_VERSION) {
1342 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1343 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1346 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1347 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1351 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1352 &clientssl, sfd, cfd)))
1355 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1358 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1362 if (!TEST_true(SSL_set_options(serverssl,
1363 SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE)))
1367 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1371 if (!BIO_get_ktls_send(serversc->wbio)) {
1372 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1373 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1378 if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
1381 out = BIO_new_file(tmpfilename, "wb");
1385 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1390 in = BIO_new_file(tmpfilename, "rb");
1391 BIO_get_fp(in, &ffdp);
1394 while (chunk_off < SENDFILE_SZ) {
1395 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1396 while ((err = SSL_sendfile(serverssl,
1400 0)) != chunk_size) {
1401 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1404 while ((err = SSL_read(clientssl,
1405 buf_dst + chunk_off,
1406 chunk_size)) != chunk_size) {
1407 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1411 /* verify the payload */
1412 if (!TEST_mem_eq(buf_dst + chunk_off,
1418 chunk_off += chunk_size;
1424 SSL_shutdown(clientssl);
1425 SSL_free(clientssl);
1428 SSL_shutdown(serverssl);
1429 SSL_free(serverssl);
1433 serverssl = clientssl = NULL;
1441 OPENSSL_free(buf_dst);
1445 static struct ktls_test_cipher {
1448 } ktls_test_ciphers[] = {
1449 # if !defined(OPENSSL_NO_TLS1_2)
1450 # ifdef OPENSSL_KTLS_AES_GCM_128
1451 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1453 # ifdef OPENSSL_KTLS_AES_CCM_128
1454 { TLS1_2_VERSION, "AES128-CCM"},
1456 # ifdef OPENSSL_KTLS_AES_GCM_256
1457 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1459 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1460 # ifndef OPENSSL_NO_EC
1461 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
1465 # if !defined(OSSL_NO_USABLE_TLS1_3)
1466 # ifdef OPENSSL_KTLS_AES_GCM_128
1467 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1469 # ifdef OPENSSL_KTLS_AES_CCM_128
1470 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1472 # ifdef OPENSSL_KTLS_AES_GCM_256
1473 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1475 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1476 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1481 #define NUM_KTLS_TEST_CIPHERS \
1482 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1484 static int test_ktls(int test)
1486 struct ktls_test_cipher *cipher;
1487 int cis_ktls, sis_ktls;
1489 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
1490 cipher = &ktls_test_ciphers[test / 4];
1492 cis_ktls = (test & 1) != 0;
1493 sis_ktls = (test & 2) != 0;
1495 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1499 static int test_ktls_sendfile(int test)
1501 struct ktls_test_cipher *cipher;
1502 int tst = test >> 1;
1504 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
1505 cipher = &ktls_test_ciphers[tst];
1507 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher,
1512 static int test_large_message_tls(void)
1514 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1515 TLS1_VERSION, 0, 0);
1518 static int test_large_message_tls_read_ahead(void)
1520 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1521 TLS1_VERSION, 0, 1);
1524 #ifndef OPENSSL_NO_DTLS
1525 static int test_large_message_dtls(void)
1527 # ifdef OPENSSL_NO_DTLS1_2
1528 /* Not supported in the FIPS provider */
1533 * read_ahead is not relevant to DTLS because DTLS always acts as if
1534 * read_ahead is set.
1536 return execute_test_large_message(DTLS_server_method(),
1537 DTLS_client_method(),
1538 DTLS1_VERSION, 0, 0);
1543 * Test we can successfully send the maximum amount of application data. We
1544 * test each protocol version individually, each with and without EtM enabled.
1545 * TLSv1.3 doesn't use EtM so technically it is redundant to test both but it is
1546 * simpler this way. We also test all combinations with and without the
1547 * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option which affects the size of the
1548 * underlying buffer.
1550 static int test_large_app_data(int tst)
1552 SSL_CTX *cctx = NULL, *sctx = NULL;
1553 SSL *clientssl = NULL, *serverssl = NULL;
1554 int testresult = 0, prot;
1555 unsigned char *msg, *buf = NULL;
1556 size_t written, readbytes;
1557 const SSL_METHOD *smeth = TLS_server_method();
1558 const SSL_METHOD *cmeth = TLS_client_method();
1562 #ifndef OSSL_NO_USABLE_TLS1_3
1563 prot = TLS1_3_VERSION;
1570 #ifndef OPENSSL_NO_TLS1_2
1571 prot = TLS1_2_VERSION;
1578 #ifndef OPENSSL_NO_TLS1_1
1579 prot = TLS1_1_VERSION;
1586 #ifndef OPENSSL_NO_TLS1
1587 prot = TLS1_VERSION;
1594 #ifndef OPENSSL_NO_SSL3
1595 prot = SSL3_VERSION;
1602 #ifndef OPENSSL_NO_DTLS1_2
1603 prot = DTLS1_2_VERSION;
1604 smeth = DTLS_server_method();
1605 cmeth = DTLS_client_method();
1612 #ifndef OPENSSL_NO_DTLS1
1613 prot = DTLS1_VERSION;
1614 smeth = DTLS_server_method();
1615 cmeth = DTLS_client_method();
1622 /* Shouldn't happen */
1626 if ((prot < TLS1_2_VERSION || prot == DTLS1_VERSION) && is_fips)
1629 /* Maximal sized message of zeros */
1630 msg = OPENSSL_zalloc(SSL3_RT_MAX_PLAIN_LENGTH);
1634 buf = OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH + 1);
1637 /* Set whole buffer to all bits set */
1638 memset(buf, 0xff, SSL3_RT_MAX_PLAIN_LENGTH + 1);
1640 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, prot, prot,
1641 &sctx, &cctx, cert, privkey)))
1644 if (prot < TLS1_2_VERSION || prot == DTLS1_VERSION) {
1645 /* Older protocol versions need SECLEVEL=0 due to SHA1 usage */
1646 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0"))
1647 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
1648 "DEFAULT:@SECLEVEL=0")))
1652 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1653 &clientssl, NULL, NULL)))
1656 if ((tst & 1) != 0) {
1657 /* Setting this option gives us a minimally sized underlying buffer */
1658 if (!TEST_true(SSL_set_options(serverssl,
1659 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
1660 || !TEST_true(SSL_set_options(clientssl,
1661 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)))
1665 if ((tst & 2) != 0) {
1667 * Setting this option means the MAC is added before encryption
1668 * giving us a larger record for the encryption process
1670 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC))
1671 || !TEST_true(SSL_set_options(clientssl,
1672 SSL_OP_NO_ENCRYPT_THEN_MAC)))
1676 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1679 if (!TEST_true(SSL_write_ex(clientssl, msg, SSL3_RT_MAX_PLAIN_LENGTH,
1681 || !TEST_size_t_eq(written, SSL3_RT_MAX_PLAIN_LENGTH))
1684 /* We provide a buffer slightly larger than what we are actually expecting */
1685 if (!TEST_true(SSL_read_ex(serverssl, buf, SSL3_RT_MAX_PLAIN_LENGTH + 1,
1689 if (!TEST_mem_eq(msg, written, buf, readbytes))
1696 SSL_free(serverssl);
1697 SSL_free(clientssl);
1703 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) \
1704 || !defined(OPENSSL_NO_DTLS)
1705 static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1706 const SSL_METHOD *cmeth,
1707 int min_version, int max_version)
1710 SSL_CTX *cctx = NULL, *sctx = NULL;
1711 SSL *clientssl = NULL, *serverssl = NULL;
1713 const unsigned char *zbuf;
1714 SSL_CONNECTION *serversc;
1717 static unsigned char cbuf[16000];
1718 static unsigned char sbuf[16000];
1720 if (!TEST_true(create_ssl_ctx_pair(libctx,
1722 min_version, max_version,
1727 # ifdef OPENSSL_NO_DTLS1_2
1728 if (smeth == DTLS_server_method()) {
1729 /* Not supported in the FIPS provider */
1735 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1738 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1739 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1740 "DEFAULT:@SECLEVEL=0")))
1745 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1749 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1752 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1756 for (i = 0; i < sizeof(cbuf); i++) {
1760 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1763 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1766 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1770 * Since we called SSL_peek(), we know the data in the record
1771 * layer is a plaintext record. We can gather the pointer to check
1772 * for zeroization after SSL_read().
1774 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1776 rr = serversc->rlayer.tlsrecs;
1778 zbuf = &rr->data[rr->off];
1779 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1783 * After SSL_peek() the plaintext must still be stored in the
1786 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1789 memset(sbuf, 0, sizeof(sbuf));
1790 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1793 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1796 /* Check if rbuf is cleansed */
1797 memset(cbuf, 0, sizeof(cbuf));
1798 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1803 SSL_free(serverssl);
1804 SSL_free(clientssl);
1811 * !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
1812 * || !defined(OPENSSL_NO_DTLS)
1815 static int test_cleanse_plaintext(void)
1817 #if !defined(OPENSSL_NO_TLS1_2)
1818 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1819 TLS_client_method(),
1826 #if !defined(OSSL_NO_USABLE_TLS1_3)
1827 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1828 TLS_client_method(),
1834 #if !defined(OPENSSL_NO_DTLS)
1836 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1837 DTLS_client_method(),
1845 #ifndef OPENSSL_NO_OCSP
1846 static int ocsp_server_cb(SSL *s, void *arg)
1848 int *argi = (int *)arg;
1849 unsigned char *copy = NULL;
1850 STACK_OF(OCSP_RESPID) *ids = NULL;
1851 OCSP_RESPID *id = NULL;
1854 /* In this test we are expecting exactly 1 OCSP_RESPID */
1855 SSL_get_tlsext_status_ids(s, &ids);
1856 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1857 return SSL_TLSEXT_ERR_ALERT_FATAL;
1859 id = sk_OCSP_RESPID_value(ids, 0);
1860 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1861 return SSL_TLSEXT_ERR_ALERT_FATAL;
1862 } else if (*argi != 1) {
1863 return SSL_TLSEXT_ERR_ALERT_FATAL;
1866 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1867 return SSL_TLSEXT_ERR_ALERT_FATAL;
1869 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1870 sizeof(orespder)))) {
1872 return SSL_TLSEXT_ERR_ALERT_FATAL;
1874 ocsp_server_called = 1;
1875 return SSL_TLSEXT_ERR_OK;
1878 static int ocsp_client_cb(SSL *s, void *arg)
1880 int *argi = (int *)arg;
1881 const unsigned char *respderin;
1884 if (*argi != 1 && *argi != 2)
1887 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1888 if (!TEST_mem_eq(orespder, len, respderin, len))
1891 ocsp_client_called = 1;
1895 static int test_tlsext_status_type(void)
1897 SSL_CTX *cctx = NULL, *sctx = NULL;
1898 SSL *clientssl = NULL, *serverssl = NULL;
1900 STACK_OF(OCSP_RESPID) *ids = NULL;
1901 OCSP_RESPID *id = NULL;
1902 BIO *certbio = NULL;
1904 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1906 &sctx, &cctx, cert, privkey))
1909 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1912 /* First just do various checks getting and setting tlsext_status_type */
1914 clientssl = SSL_new(cctx);
1915 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1916 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1917 TLSEXT_STATUSTYPE_ocsp))
1918 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1919 TLSEXT_STATUSTYPE_ocsp))
1922 SSL_free(clientssl);
1925 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1926 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1929 clientssl = SSL_new(cctx);
1930 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1932 SSL_free(clientssl);
1936 * Now actually do a handshake and check OCSP information is exchanged and
1937 * the callbacks get called
1939 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1940 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1941 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1942 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1943 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1944 &clientssl, NULL, NULL))
1945 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1947 || !TEST_true(ocsp_client_called)
1948 || !TEST_true(ocsp_server_called))
1950 SSL_free(serverssl);
1951 SSL_free(clientssl);
1955 /* Try again but this time force the server side callback to fail */
1956 ocsp_client_called = 0;
1957 ocsp_server_called = 0;
1959 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1960 &clientssl, NULL, NULL))
1961 /* This should fail because the callback will fail */
1962 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1964 || !TEST_false(ocsp_client_called)
1965 || !TEST_false(ocsp_server_called))
1967 SSL_free(serverssl);
1968 SSL_free(clientssl);
1973 * This time we'll get the client to send an OCSP_RESPID that it will
1976 ocsp_client_called = 0;
1977 ocsp_server_called = 0;
1979 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1980 &clientssl, NULL, NULL)))
1984 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1985 * specific one. We'll use the server cert.
1987 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1988 || !TEST_ptr(id = OCSP_RESPID_new())
1989 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1990 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
1991 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
1992 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1993 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1996 SSL_set_tlsext_status_ids(clientssl, ids);
1997 /* Control has been transferred */
2003 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2005 || !TEST_true(ocsp_client_called)
2006 || !TEST_true(ocsp_server_called))
2012 SSL_free(serverssl);
2013 SSL_free(clientssl);
2016 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
2017 OCSP_RESPID_free(id);
2019 X509_free(ocspcert);
2026 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
2027 static int new_called, remove_called, get_called;
2029 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
2033 * sess has been up-refed for us, but we don't actually need it so free it
2036 SSL_SESSION_free(sess);
2040 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
2045 static SSL_SESSION *get_sess_val = NULL;
2047 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
2052 return get_sess_val;
2055 static int execute_test_session(int maxprot, int use_int_cache,
2056 int use_ext_cache, long s_options)
2058 SSL_CTX *sctx = NULL, *cctx = NULL;
2059 SSL *serverssl1 = NULL, *clientssl1 = NULL;
2060 SSL *serverssl2 = NULL, *clientssl2 = NULL;
2061 # ifndef OPENSSL_NO_TLS1_1
2062 SSL *serverssl3 = NULL, *clientssl3 = NULL;
2064 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
2065 int testresult = 0, numnewsesstick = 1;
2067 new_called = remove_called = 0;
2069 /* TLSv1.3 sends 2 NewSessionTickets */
2070 if (maxprot == TLS1_3_VERSION)
2073 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2074 TLS_client_method(), TLS1_VERSION, 0,
2075 &sctx, &cctx, cert, privkey)))
2079 * Only allow the max protocol version so we can force a connection failure
2082 SSL_CTX_set_min_proto_version(cctx, maxprot);
2083 SSL_CTX_set_max_proto_version(cctx, maxprot);
2085 /* Set up session cache */
2086 if (use_ext_cache) {
2087 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2088 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
2090 if (use_int_cache) {
2091 /* Also covers instance where both are set */
2092 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
2094 SSL_CTX_set_session_cache_mode(cctx,
2095 SSL_SESS_CACHE_CLIENT
2096 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2100 SSL_CTX_set_options(sctx, s_options);
2103 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2105 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2107 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2110 /* Should fail because it should already be in the cache */
2111 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
2114 && (!TEST_int_eq(new_called, numnewsesstick)
2116 || !TEST_int_eq(remove_called, 0)))
2119 new_called = remove_called = 0;
2120 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2121 &clientssl2, NULL, NULL))
2122 || !TEST_true(SSL_set_session(clientssl2, sess1))
2123 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2125 || !TEST_true(SSL_session_reused(clientssl2)))
2128 if (maxprot == TLS1_3_VERSION) {
2130 * In TLSv1.3 we should have created a new session even though we have
2131 * resumed. Since we attempted a resume we should also have removed the
2132 * old ticket from the cache so that we try to only use tickets once.
2135 && (!TEST_int_eq(new_called, 1)
2136 || !TEST_int_eq(remove_called, 1)))
2140 * In TLSv1.2 we expect to have resumed so no sessions added or
2144 && (!TEST_int_eq(new_called, 0)
2145 || !TEST_int_eq(remove_called, 0)))
2149 SSL_SESSION_free(sess1);
2150 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
2152 shutdown_ssl_connection(serverssl2, clientssl2);
2153 serverssl2 = clientssl2 = NULL;
2155 new_called = remove_called = 0;
2156 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2157 &clientssl2, NULL, NULL))
2158 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2162 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2166 && (!TEST_int_eq(new_called, numnewsesstick)
2167 || !TEST_int_eq(remove_called, 0)))
2170 new_called = remove_called = 0;
2172 * This should clear sess2 from the cache because it is a "bad" session.
2173 * See SSL_set_session() documentation.
2175 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2178 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2180 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2183 if (use_int_cache) {
2184 /* Should succeeded because it should not already be in the cache */
2185 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
2186 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
2190 new_called = remove_called = 0;
2191 /* This shouldn't be in the cache so should fail */
2192 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2196 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2199 # if !defined(OPENSSL_NO_TLS1_1)
2200 new_called = remove_called = 0;
2201 /* Force a connection failure */
2202 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
2203 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
2204 &clientssl3, NULL, NULL))
2205 || !TEST_true(SSL_set_session(clientssl3, sess1))
2206 /* This should fail because of the mismatched protocol versions */
2207 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
2211 /* We should have automatically removed the session from the cache */
2213 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2216 /* Should succeed because it should not already be in the cache */
2217 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
2221 /* Now do some tests for server side caching */
2222 if (use_ext_cache) {
2223 SSL_CTX_sess_set_new_cb(cctx, NULL);
2224 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2225 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2226 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2227 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2228 get_sess_val = NULL;
2231 SSL_CTX_set_session_cache_mode(cctx, 0);
2232 /* Internal caching is the default on the server side */
2234 SSL_CTX_set_session_cache_mode(sctx,
2235 SSL_SESS_CACHE_SERVER
2236 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2238 SSL_free(serverssl1);
2239 SSL_free(clientssl1);
2240 serverssl1 = clientssl1 = NULL;
2241 SSL_free(serverssl2);
2242 SSL_free(clientssl2);
2243 serverssl2 = clientssl2 = NULL;
2244 SSL_SESSION_free(sess1);
2246 SSL_SESSION_free(sess2);
2249 SSL_CTX_set_max_proto_version(sctx, maxprot);
2250 if (maxprot == TLS1_2_VERSION)
2251 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
2252 new_called = remove_called = get_called = 0;
2253 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2255 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2257 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2258 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2261 if (use_int_cache) {
2262 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2264 * In TLSv1.3 it should not have been added to the internal cache,
2265 * except in the case where we also have an external cache (in that
2266 * case it gets added to the cache in order to generate remove
2267 * events after timeout).
2269 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2272 /* Should fail because it should already be in the cache */
2273 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2278 if (use_ext_cache) {
2279 SSL_SESSION *tmp = sess2;
2281 if (!TEST_int_eq(new_called, numnewsesstick)
2282 || !TEST_int_eq(remove_called, 0)
2283 || !TEST_int_eq(get_called, 0))
2286 * Delete the session from the internal cache to force a lookup from
2287 * the external cache. We take a copy first because
2288 * SSL_CTX_remove_session() also marks the session as non-resumable.
2290 if (use_int_cache && maxprot != TLS1_3_VERSION) {
2291 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2292 || !TEST_true(sess2->owner != NULL)
2293 || !TEST_true(tmp->owner == NULL)
2294 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2296 SSL_SESSION_free(sess2);
2301 new_called = remove_called = get_called = 0;
2302 get_sess_val = sess2;
2303 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2304 &clientssl2, NULL, NULL))
2305 || !TEST_true(SSL_set_session(clientssl2, sess1))
2306 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2308 || !TEST_true(SSL_session_reused(clientssl2)))
2311 if (use_ext_cache) {
2312 if (!TEST_int_eq(remove_called, 0))
2315 if (maxprot == TLS1_3_VERSION) {
2316 if (!TEST_int_eq(new_called, 1)
2317 || !TEST_int_eq(get_called, 0))
2320 if (!TEST_int_eq(new_called, 0)
2321 || !TEST_int_eq(get_called, 1))
2326 * Make a small cache, force out all other sessions but
2327 * sess2, try to add sess1, which should succeed. Then
2328 * make sure it's there by checking the owners. Despite
2329 * the timeouts, sess1 should have kicked out sess2
2332 /* Make sess1 expire before sess2 */
2333 if (!TEST_long_gt(SSL_SESSION_set_time(sess1, 1000), 0)
2334 || !TEST_long_gt(SSL_SESSION_set_timeout(sess1, 1000), 0)
2335 || !TEST_long_gt(SSL_SESSION_set_time(sess2, 2000), 0)
2336 || !TEST_long_gt(SSL_SESSION_set_timeout(sess2, 2000), 0))
2339 if (!TEST_long_ne(SSL_CTX_sess_set_cache_size(sctx, 1), 0))
2342 /* Don't care about results - cache should only be sess2 at end */
2343 SSL_CTX_add_session(sctx, sess1);
2344 SSL_CTX_add_session(sctx, sess2);
2346 /* Now add sess1, and make sure it remains, despite timeout */
2347 if (!TEST_true(SSL_CTX_add_session(sctx, sess1))
2348 || !TEST_ptr(sess1->owner)
2349 || !TEST_ptr_null(sess2->owner))
2355 SSL_free(serverssl1);
2356 SSL_free(clientssl1);
2357 SSL_free(serverssl2);
2358 SSL_free(clientssl2);
2359 # ifndef OPENSSL_NO_TLS1_1
2360 SSL_free(serverssl3);
2361 SSL_free(clientssl3);
2363 SSL_SESSION_free(sess1);
2364 SSL_SESSION_free(sess2);
2370 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2372 static int test_session_with_only_int_cache(void)
2374 #ifndef OSSL_NO_USABLE_TLS1_3
2375 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
2379 #ifndef OPENSSL_NO_TLS1_2
2380 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
2386 static int test_session_with_only_ext_cache(void)
2388 #ifndef OSSL_NO_USABLE_TLS1_3
2389 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
2393 #ifndef OPENSSL_NO_TLS1_2
2394 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
2400 static int test_session_with_both_cache(void)
2402 #ifndef OSSL_NO_USABLE_TLS1_3
2403 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2407 #ifndef OPENSSL_NO_TLS1_2
2408 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2414 static int test_session_wo_ca_names(void)
2416 #ifndef OSSL_NO_USABLE_TLS1_3
2417 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
2421 #ifndef OPENSSL_NO_TLS1_2
2422 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
2429 #ifndef OSSL_NO_USABLE_TLS1_3
2430 static SSL_SESSION *sesscache[6];
2431 static int do_cache;
2433 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2436 sesscache[new_called] = sess;
2438 /* We don't need the reference to the session, so free it */
2439 SSL_SESSION_free(sess);
2446 static int post_handshake_verify(SSL *sssl, SSL *cssl)
2448 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2449 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2452 /* Start handshake on the server and client */
2453 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2454 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2455 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2456 || !TEST_true(create_ssl_connection(sssl, cssl,
2463 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
2466 int sess_id_ctx = 1;
2468 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2469 TLS_client_method(), TLS1_VERSION, 0,
2470 sctx, cctx, cert, privkey))
2471 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2472 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2473 (void *)&sess_id_ctx,
2474 sizeof(sess_id_ctx))))
2478 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2480 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2481 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2482 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2487 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2489 SSL *serverssl = NULL, *clientssl = NULL;
2492 /* Test that we can resume with all the tickets we got given */
2493 for (i = 0; i < idx * 2; i++) {
2495 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2496 &clientssl, NULL, NULL))
2497 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2500 SSL_set_post_handshake_auth(clientssl, 1);
2502 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2507 * Following a successful resumption we only get 1 ticket. After a
2508 * failed one we should get idx tickets.
2511 if (!TEST_true(SSL_session_reused(clientssl))
2512 || !TEST_int_eq(new_called, 1))
2515 if (!TEST_false(SSL_session_reused(clientssl))
2516 || !TEST_int_eq(new_called, idx))
2521 /* After a post-handshake authentication we should get 1 new ticket */
2523 && (!post_handshake_verify(serverssl, clientssl)
2524 || !TEST_int_eq(new_called, 1)))
2527 SSL_shutdown(clientssl);
2528 SSL_shutdown(serverssl);
2529 SSL_free(serverssl);
2530 SSL_free(clientssl);
2531 serverssl = clientssl = NULL;
2532 SSL_SESSION_free(sesscache[i]);
2533 sesscache[i] = NULL;
2539 SSL_free(clientssl);
2540 SSL_free(serverssl);
2544 static int test_tickets(int stateful, int idx)
2546 SSL_CTX *sctx = NULL, *cctx = NULL;
2547 SSL *serverssl = NULL, *clientssl = NULL;
2551 /* idx is the test number, but also the number of tickets we want */
2556 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2559 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2560 &clientssl, NULL, NULL)))
2563 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2565 /* Check we got the number of tickets we were expecting */
2566 || !TEST_int_eq(idx, new_called))
2569 SSL_shutdown(clientssl);
2570 SSL_shutdown(serverssl);
2571 SSL_free(serverssl);
2572 SSL_free(clientssl);
2575 clientssl = serverssl = NULL;
2579 * Now we try to resume with the tickets we previously created. The
2580 * resumption attempt is expected to fail (because we're now using a new
2581 * SSL_CTX). We should see idx number of tickets issued again.
2584 /* Stop caching sessions - just count them */
2587 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2590 if (!check_resumption(idx, sctx, cctx, 0))
2593 /* Start again with caching sessions */
2600 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2603 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2604 &clientssl, NULL, NULL)))
2607 SSL_set_post_handshake_auth(clientssl, 1);
2609 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2611 /* Check we got the number of tickets we were expecting */
2612 || !TEST_int_eq(idx, new_called))
2615 /* After a post-handshake authentication we should get new tickets issued */
2616 if (!post_handshake_verify(serverssl, clientssl)
2617 || !TEST_int_eq(idx * 2, new_called))
2620 SSL_shutdown(clientssl);
2621 SSL_shutdown(serverssl);
2622 SSL_free(serverssl);
2623 SSL_free(clientssl);
2624 serverssl = clientssl = NULL;
2626 /* Stop caching sessions - just count them */
2630 * Check we can resume with all the tickets we created. This time around the
2631 * resumptions should all be successful.
2633 if (!check_resumption(idx, sctx, cctx, 1))
2639 SSL_free(serverssl);
2640 SSL_free(clientssl);
2641 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2642 SSL_SESSION_free(sesscache[j]);
2643 sesscache[j] = NULL;
2651 static int test_stateless_tickets(int idx)
2653 return test_tickets(0, idx);
2656 static int test_stateful_tickets(int idx)
2658 return test_tickets(1, idx);
2661 static int test_psk_tickets(void)
2663 SSL_CTX *sctx = NULL, *cctx = NULL;
2664 SSL *serverssl = NULL, *clientssl = NULL;
2666 int sess_id_ctx = 1;
2668 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2669 TLS_client_method(), TLS1_VERSION, 0,
2670 &sctx, &cctx, NULL, NULL))
2671 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2672 (void *)&sess_id_ctx,
2673 sizeof(sess_id_ctx))))
2676 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2677 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2678 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2679 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2680 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2681 use_session_cb_cnt = 0;
2682 find_session_cb_cnt = 0;
2686 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2689 clientpsk = serverpsk = create_a_psk(clientssl, SHA384_DIGEST_LENGTH);
2690 if (!TEST_ptr(clientpsk))
2692 SSL_SESSION_up_ref(clientpsk);
2694 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2696 || !TEST_int_eq(1, find_session_cb_cnt)
2697 || !TEST_int_eq(1, use_session_cb_cnt)
2698 /* We should always get 1 ticket when using external PSK */
2699 || !TEST_int_eq(1, new_called))
2705 SSL_free(serverssl);
2706 SSL_free(clientssl);
2709 SSL_SESSION_free(clientpsk);
2710 SSL_SESSION_free(serverpsk);
2711 clientpsk = serverpsk = NULL;
2716 static int test_extra_tickets(int idx)
2718 SSL_CTX *sctx = NULL, *cctx = NULL;
2719 SSL *serverssl = NULL, *clientssl = NULL;
2720 BIO *bretry = BIO_new(bio_s_always_retry());
2725 unsigned char c, buf[1];
2735 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2737 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2738 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2739 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2741 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2742 &clientssl, NULL, NULL)))
2746 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2747 * incremented by both client and server.
2749 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2751 /* Check we got the number of tickets we were expecting */
2752 || !TEST_int_eq(idx * 2, new_called)
2753 || !TEST_true(SSL_new_session_ticket(serverssl))
2754 || !TEST_true(SSL_new_session_ticket(serverssl))
2755 || !TEST_int_eq(idx * 2, new_called))
2758 /* Now try a (real) write to actually send the tickets */
2760 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2761 || !TEST_size_t_eq(1, nbytes)
2762 || !TEST_int_eq(idx * 2 + 2, new_called)
2763 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2764 || !TEST_int_eq(idx * 2 + 4, new_called)
2765 || !TEST_int_eq(sizeof(buf), nbytes)
2766 || !TEST_int_eq(c, buf[0])
2767 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2770 /* Try with only requesting one new ticket, too */
2773 if (!TEST_true(SSL_new_session_ticket(serverssl))
2774 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2775 || !TEST_size_t_eq(sizeof(c), nbytes)
2776 || !TEST_int_eq(1, new_called)
2777 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2778 || !TEST_int_eq(2, new_called)
2779 || !TEST_size_t_eq(sizeof(buf), nbytes)
2780 || !TEST_int_eq(c, buf[0]))
2783 /* Do it again but use dummy writes to drive the ticket generation */
2786 if (!TEST_true(SSL_new_session_ticket(serverssl))
2787 || !TEST_true(SSL_new_session_ticket(serverssl))
2788 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2789 || !TEST_size_t_eq(0, nbytes)
2790 || !TEST_int_eq(2, new_called)
2791 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2792 || !TEST_int_eq(4, new_called))
2795 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2798 if (!TEST_true(SSL_new_session_ticket(serverssl))
2799 || !TEST_true(SSL_new_session_ticket(serverssl))
2800 || !TEST_true(SSL_do_handshake(serverssl))
2801 || !TEST_int_eq(2, new_called)
2802 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2803 || !TEST_int_eq(4, new_called))
2807 * Use the always-retry BIO to exercise the logic that forces ticket
2808 * generation to wait until a record boundary.
2812 tmp = SSL_get_wbio(serverssl);
2813 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2817 SSL_set0_wbio(serverssl, bretry);
2819 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2820 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2821 || !TEST_size_t_eq(nbytes, 0))
2823 /* Restore a BIO that will let the write succeed */
2824 SSL_set0_wbio(serverssl, tmp);
2827 * These calls should just queue the request and not send anything
2828 * even if we explicitly try to hit the state machine.
2830 if (!TEST_true(SSL_new_session_ticket(serverssl))
2831 || !TEST_true(SSL_new_session_ticket(serverssl))
2832 || !TEST_int_eq(0, new_called)
2833 || !TEST_true(SSL_do_handshake(serverssl))
2834 || !TEST_int_eq(0, new_called))
2836 /* Re-do the write; still no tickets sent */
2837 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2838 || !TEST_size_t_eq(1, nbytes)
2839 || !TEST_int_eq(0, new_called)
2840 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2841 || !TEST_int_eq(0, new_called)
2842 || !TEST_int_eq(sizeof(buf), nbytes)
2843 || !TEST_int_eq(c, buf[0])
2844 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2846 /* Even trying to hit the state machine now will still not send tickets */
2847 if (!TEST_true(SSL_do_handshake(serverssl))
2848 || !TEST_int_eq(0, new_called))
2850 /* Now the *next* write should send the tickets */
2852 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2853 || !TEST_size_t_eq(1, nbytes)
2854 || !TEST_int_eq(2, new_called)
2855 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2856 || !TEST_int_eq(4, new_called)
2857 || !TEST_int_eq(sizeof(buf), nbytes)
2858 || !TEST_int_eq(c, buf[0])
2859 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2862 SSL_shutdown(clientssl);
2863 SSL_shutdown(serverssl);
2869 SSL_free(serverssl);
2870 SSL_free(clientssl);
2873 clientssl = serverssl = NULL;
2882 #define USE_DEFAULT 3
2884 #define CONNTYPE_CONNECTION_SUCCESS 0
2885 #define CONNTYPE_CONNECTION_FAIL 1
2886 #define CONNTYPE_NO_CONNECTION 2
2888 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2889 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2890 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2891 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2893 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2896 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2897 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2898 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2900 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2917 * Tests calls to SSL_set_bio() under various conditions.
2919 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2920 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2921 * then do more tests where we create a successful connection first using our
2922 * standard connection setup functions, and then call SSL_set_bio() with
2923 * various combinations of valid BIOs or NULL. We then repeat these tests
2924 * following a failed connection. In this last case we are looking to check that
2925 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2927 static int test_ssl_set_bio(int idx)
2929 SSL_CTX *sctx = NULL, *cctx = NULL;
2932 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2933 SSL *serverssl = NULL, *clientssl = NULL;
2934 int initrbio, initwbio, newrbio, newwbio, conntype;
2937 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2945 conntype = CONNTYPE_NO_CONNECTION;
2947 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2948 initrbio = initwbio = USE_DEFAULT;
2956 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2957 TLS_client_method(), TLS1_VERSION, 0,
2958 &sctx, &cctx, cert, privkey)))
2961 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2963 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2964 * because we reduced the number of tests in the definition of
2965 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2966 * mismatched protocol versions we will force a connection failure.
2968 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2969 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2972 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2976 if (initrbio == USE_BIO_1
2977 || initwbio == USE_BIO_1
2978 || newrbio == USE_BIO_1
2979 || newwbio == USE_BIO_1) {
2980 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2984 if (initrbio == USE_BIO_2
2985 || initwbio == USE_BIO_2
2986 || newrbio == USE_BIO_2
2987 || newwbio == USE_BIO_2) {
2988 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2992 if (initrbio != USE_DEFAULT) {
2993 setupbio(&irbio, bio1, bio2, initrbio);
2994 setupbio(&iwbio, bio1, bio2, initwbio);
2995 SSL_set_bio(clientssl, irbio, iwbio);
2998 * We want to maintain our own refs to these BIO, so do an up ref for
2999 * each BIO that will have ownership transferred in the SSL_set_bio()
3004 if (iwbio != NULL && iwbio != irbio)
3008 if (conntype != CONNTYPE_NO_CONNECTION
3009 && !TEST_true(create_ssl_connection(serverssl, clientssl,
3011 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
3014 setupbio(&nrbio, bio1, bio2, newrbio);
3015 setupbio(&nwbio, bio1, bio2, newwbio);
3018 * We will (maybe) transfer ownership again so do more up refs.
3019 * SSL_set_bio() has some really complicated ownership rules where BIOs have
3024 && (nwbio != iwbio || nrbio != nwbio))
3028 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
3031 SSL_set_bio(clientssl, nrbio, nwbio);
3040 * This test is checking that the ref counting for SSL_set_bio is correct.
3041 * If we get here and we did too many frees then we will fail in the above
3044 SSL_free(serverssl);
3045 SSL_free(clientssl);
3051 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
3053 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
3055 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
3060 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
3061 || !TEST_ptr(ssl = SSL_new(ctx))
3062 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
3063 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
3066 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
3069 * If anything goes wrong here then we could leak memory.
3071 BIO_push(sslbio, membio1);
3073 /* Verify changing the rbio/wbio directly does not cause leaks */
3074 if (change_bio != NO_BIO_CHANGE) {
3075 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
3079 if (change_bio == CHANGE_RBIO)
3080 SSL_set0_rbio(ssl, membio2);
3082 SSL_set0_wbio(ssl, membio2);
3101 static int test_ssl_bio_pop_next_bio(void)
3103 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
3106 static int test_ssl_bio_pop_ssl_bio(void)
3108 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
3111 static int test_ssl_bio_change_rbio(void)
3113 return execute_test_ssl_bio(0, CHANGE_RBIO);
3116 static int test_ssl_bio_change_wbio(void)
3118 return execute_test_ssl_bio(0, CHANGE_WBIO);
3121 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
3123 /* The list of sig algs */
3125 /* The length of the list */
3127 /* A sigalgs list in string format */
3128 const char *liststr;
3129 /* Whether setting the list should succeed */
3131 /* Whether creating a connection with the list should succeed */
3135 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
3136 # ifndef OPENSSL_NO_EC
3137 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
3138 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
3140 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
3141 static const int invalidlist2[] = {NID_sha256, NID_undef};
3142 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
3143 static const int invalidlist4[] = {NID_sha256};
3144 static const sigalgs_list testsigalgs[] = {
3145 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
3146 # ifndef OPENSSL_NO_EC
3147 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
3148 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
3150 {NULL, 0, "RSA+SHA256", 1, 1},
3151 {NULL, 0, "RSA+SHA256:?Invalid", 1, 1},
3152 # ifndef OPENSSL_NO_EC
3153 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
3154 {NULL, 0, "ECDSA+SHA512", 1, 0},
3156 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
3157 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
3158 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
3159 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
3160 {NULL, 0, "RSA", 0, 0},
3161 {NULL, 0, "SHA256", 0, 0},
3162 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
3163 {NULL, 0, "Invalid", 0, 0}
3166 static int test_set_sigalgs(int idx)
3168 SSL_CTX *cctx = NULL, *sctx = NULL;
3169 SSL *clientssl = NULL, *serverssl = NULL;
3171 const sigalgs_list *curr;
3174 /* Should never happen */
3175 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
3178 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
3179 curr = testctx ? &testsigalgs[idx]
3180 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
3182 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3183 TLS_client_method(), TLS1_VERSION, 0,
3184 &sctx, &cctx, cert, privkey)))
3187 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
3192 if (curr->list != NULL)
3193 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
3195 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
3199 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
3205 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
3210 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3211 &clientssl, NULL, NULL)))
3217 if (curr->list != NULL)
3218 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
3220 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
3223 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
3232 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
3240 SSL_free(serverssl);
3241 SSL_free(clientssl);
3249 #ifndef OSSL_NO_USABLE_TLS1_3
3250 static int psk_client_cb_cnt = 0;
3251 static int psk_server_cb_cnt = 0;
3253 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3254 size_t *idlen, SSL_SESSION **sess)
3256 switch (++use_session_cb_cnt) {
3258 /* The first call should always have a NULL md */
3264 /* The second call should always have an md */
3270 /* We should only be called a maximum of twice */
3274 if (clientpsk != NULL)
3275 SSL_SESSION_up_ref(clientpsk);
3278 *id = (const unsigned char *)pskid;
3279 *idlen = strlen(pskid);
3284 #ifndef OPENSSL_NO_PSK
3285 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3286 unsigned int max_id_len,
3288 unsigned int max_psk_len)
3290 unsigned int psklen = 0;
3292 psk_client_cb_cnt++;
3294 if (strlen(pskid) + 1 > max_id_len)
3297 /* We should only ever be called a maximum of twice per connection */
3298 if (psk_client_cb_cnt > 2)
3301 if (clientpsk == NULL)
3304 /* We'll reuse the PSK we set up for TLSv1.3 */
3305 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3307 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3308 strncpy(id, pskid, max_id_len);
3312 #endif /* OPENSSL_NO_PSK */
3314 static int find_session_cb(SSL *ssl, const unsigned char *identity,
3315 size_t identity_len, SSL_SESSION **sess)
3317 find_session_cb_cnt++;
3319 /* We should only ever be called a maximum of twice per connection */
3320 if (find_session_cb_cnt > 2)
3323 if (serverpsk == NULL)
3326 /* Identity should match that set by the client */
3327 if (strlen(srvid) != identity_len
3328 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3329 /* No PSK found, continue but without a PSK */
3334 SSL_SESSION_up_ref(serverpsk);
3340 #ifndef OPENSSL_NO_PSK
3341 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3342 unsigned char *psk, unsigned int max_psk_len)
3344 unsigned int psklen = 0;
3346 psk_server_cb_cnt++;
3348 /* We should only ever be called a maximum of twice per connection */
3349 if (find_session_cb_cnt > 2)
3352 if (serverpsk == NULL)
3355 /* Identity should match that set by the client */
3356 if (strcmp(srvid, identity) != 0) {
3360 /* We'll reuse the PSK we set up for TLSv1.3 */
3361 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3363 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3367 #endif /* OPENSSL_NO_PSK */
3369 #define MSG1 "Hello"
3370 #define MSG2 "World."
3375 #define MSG7 "message."
3377 static int artificial_ticket_time = 0;
3379 static int ed_gen_cb(SSL *s, void *arg)
3381 SSL_SESSION *sess = SSL_get0_session(s);
3387 * Artificially give the ticket some age. Just do it for the number of
3388 * tickets we've been told to do.
3390 if (artificial_ticket_time == 0)
3392 artificial_ticket_time--;
3394 if (SSL_SESSION_set_time_ex(sess, SSL_SESSION_get_time_ex(sess) - 10) == 0)
3401 * Helper method to setup objects for early data test. Caller frees objects on
3404 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3405 SSL **serverssl, SSL_SESSION **sess, int idx,
3408 int artificial = (artificial_ticket_time > 0);
3411 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3412 TLS_client_method(),
3414 sctx, cctx, cert, privkey)))
3418 SSL_CTX_set_session_ticket_cb(*sctx, ed_gen_cb, NULL, NULL);
3420 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
3424 /* When idx == 1 we repeat the tests with read_ahead set */
3425 SSL_CTX_set_read_ahead(*cctx, 1);
3426 SSL_CTX_set_read_ahead(*sctx, 1);
3427 } else if (idx == 2) {
3428 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3429 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3430 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3431 use_session_cb_cnt = 0;
3432 find_session_cb_cnt = 0;
3436 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
3441 * For one of the run throughs (doesn't matter which one), we'll try sending
3442 * some SNI data in the initial ClientHello. This will be ignored (because
3443 * there is no SNI cb set up by the server), so it should not impact
3447 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3451 clientpsk = create_a_psk(*clientssl, mdsize);
3452 if (!TEST_ptr(clientpsk)
3454 * We just choose an arbitrary value for max_early_data which
3455 * should be big enough for testing purposes.
3457 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3459 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3460 SSL_SESSION_free(clientpsk);
3464 serverpsk = clientpsk;
3467 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3468 SSL_SESSION_free(clientpsk);
3469 SSL_SESSION_free(serverpsk);
3470 clientpsk = serverpsk = NULL;
3481 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3485 *sess = SSL_get1_session(*clientssl);
3486 SSL_shutdown(*clientssl);
3487 SSL_shutdown(*serverssl);
3488 SSL_free(*serverssl);
3489 SSL_free(*clientssl);
3490 *serverssl = *clientssl = NULL;
3493 * Artificially give the ticket some age to match the artificial age we
3494 * gave it on the server side
3497 && !TEST_time_t_gt(SSL_SESSION_set_time_ex(*sess,
3498 SSL_SESSION_get_time_ex(*sess) - 10), 0))
3501 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3502 clientssl, NULL, NULL))
3503 || !TEST_true(SSL_set_session(*clientssl, *sess)))
3509 static int test_early_data_read_write(int idx)
3511 SSL_CTX *cctx = NULL, *sctx = NULL;
3512 SSL *clientssl = NULL, *serverssl = NULL;
3514 SSL_SESSION *sess = NULL;
3515 unsigned char buf[20], data[1024];
3516 size_t readbytes, written, eoedlen, rawread, rawwritten;
3519 /* Artificially give the next 2 tickets some age for non PSK sessions */
3521 artificial_ticket_time = 2;
3522 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3523 &serverssl, &sess, idx,
3524 SHA384_DIGEST_LENGTH))) {
3525 artificial_ticket_time = 0;
3528 artificial_ticket_time = 0;
3530 /* Write and read some early data */
3531 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3533 || !TEST_size_t_eq(written, strlen(MSG1))
3534 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3535 sizeof(buf), &readbytes),
3536 SSL_READ_EARLY_DATA_SUCCESS)
3537 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3538 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3539 SSL_EARLY_DATA_ACCEPTED))
3543 * Server should be able to write data, and client should be able to
3546 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3548 || !TEST_size_t_eq(written, strlen(MSG2))
3549 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3550 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3553 /* Even after reading normal data, client should be able write early data */
3554 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3556 || !TEST_size_t_eq(written, strlen(MSG3)))
3559 /* Server should still be able read early data after writing data */
3560 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3562 SSL_READ_EARLY_DATA_SUCCESS)
3563 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3566 /* Write more data from server and read it from client */
3567 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3569 || !TEST_size_t_eq(written, strlen(MSG4))
3570 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3571 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3575 * If client writes normal data it should mean writing early data is no
3578 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3579 || !TEST_size_t_eq(written, strlen(MSG5))
3580 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3581 SSL_EARLY_DATA_ACCEPTED))
3585 * At this point the client has written EndOfEarlyData, ClientFinished and
3586 * normal (fully protected) data. We are going to cause a delay between the
3587 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3588 * in the read BIO, and then just put back the EndOfEarlyData message.
3590 rbio = SSL_get_rbio(serverssl);
3591 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3592 || !TEST_size_t_lt(rawread, sizeof(data))
3593 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3596 /* Record length is in the 4th and 5th bytes of the record header */
3597 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3598 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3599 || !TEST_size_t_eq(rawwritten, eoedlen))
3602 /* Server should be told that there is no more early data */
3603 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3605 SSL_READ_EARLY_DATA_FINISH)
3606 || !TEST_size_t_eq(readbytes, 0))
3610 * Server has not finished init yet, so should still be able to write early
3613 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3615 || !TEST_size_t_eq(written, strlen(MSG6)))
3618 /* Push the ClientFinished and the normal data back into the server rbio */
3619 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3621 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3624 /* Server should be able to read normal data */
3625 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3626 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3629 /* Client and server should not be able to write/read early data now */
3630 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3634 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3636 SSL_READ_EARLY_DATA_ERROR))
3640 /* Client should be able to read the data sent by the server */
3641 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3642 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3646 * Make sure we process the two NewSessionTickets. These arrive
3647 * post-handshake. We attempt reads which we do not expect to return any
3650 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3651 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3655 /* Server should be able to write normal data */
3656 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3657 || !TEST_size_t_eq(written, strlen(MSG7))
3658 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3659 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3662 SSL_SESSION_free(sess);
3663 sess = SSL_get1_session(clientssl);
3664 use_session_cb_cnt = 0;
3665 find_session_cb_cnt = 0;
3667 SSL_shutdown(clientssl);
3668 SSL_shutdown(serverssl);
3669 SSL_free(serverssl);
3670 SSL_free(clientssl);
3671 serverssl = clientssl = NULL;
3672 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3673 &clientssl, NULL, NULL))
3674 || !TEST_true(SSL_set_session(clientssl, sess)))
3677 /* Write and read some early data */
3678 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3680 || !TEST_size_t_eq(written, strlen(MSG1))
3681 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3683 SSL_READ_EARLY_DATA_SUCCESS)
3684 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3687 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3688 || !TEST_int_gt(SSL_accept(serverssl), 0))
3691 /* Client and server should not be able to write/read early data now */
3692 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3696 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3698 SSL_READ_EARLY_DATA_ERROR))
3702 /* Client and server should be able to write/read normal data */
3703 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3704 || !TEST_size_t_eq(written, strlen(MSG5))
3705 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3706 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3712 SSL_SESSION_free(sess);
3713 SSL_SESSION_free(clientpsk);
3714 SSL_SESSION_free(serverpsk);
3715 clientpsk = serverpsk = NULL;
3716 SSL_free(serverssl);
3717 SSL_free(clientssl);
3723 static int allow_ed_cb_called = 0;
3725 static int allow_early_data_cb(SSL *s, void *arg)
3727 int *usecb = (int *)arg;
3729 allow_ed_cb_called++;
3738 * idx == 0: Standard early_data setup
3739 * idx == 1: early_data setup using read_ahead
3740 * usecb == 0: Don't use a custom early data callback
3741 * usecb == 1: Use a custom early data callback and reject the early data
3742 * usecb == 2: Use a custom early data callback and accept the early data
3743 * confopt == 0: Configure anti-replay directly
3744 * confopt == 1: Configure anti-replay using SSL_CONF
3746 static int test_early_data_replay_int(int idx, int usecb, int confopt)
3748 SSL_CTX *cctx = NULL, *sctx = NULL;
3749 SSL *clientssl = NULL, *serverssl = NULL;
3751 SSL_SESSION *sess = NULL;
3752 size_t readbytes, written;
3753 unsigned char buf[20];
3755 allow_ed_cb_called = 0;
3757 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3758 TLS_client_method(), TLS1_VERSION, 0,
3759 &sctx, &cctx, cert, privkey)))
3764 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3766 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3768 if (!TEST_ptr(confctx))
3770 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3771 | SSL_CONF_FLAG_SERVER);
3772 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3773 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3775 SSL_CONF_CTX_free(confctx);
3778 SSL_CONF_CTX_free(confctx);
3780 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3783 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3784 &serverssl, &sess, idx,
3785 SHA384_DIGEST_LENGTH)))
3789 * The server is configured to accept early data. Create a connection to
3790 * "use up" the ticket
3792 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3793 || !TEST_true(SSL_session_reused(clientssl)))
3796 SSL_shutdown(clientssl);
3797 SSL_shutdown(serverssl);
3798 SSL_free(serverssl);
3799 SSL_free(clientssl);
3800 serverssl = clientssl = NULL;
3802 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3803 &clientssl, NULL, NULL))
3804 || !TEST_true(SSL_set_session(clientssl, sess)))
3807 /* Write and read some early data */
3808 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3810 || !TEST_size_t_eq(written, strlen(MSG1)))
3814 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3816 SSL_READ_EARLY_DATA_FINISH)
3818 * The ticket was reused, so the we should have rejected the
3821 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3822 SSL_EARLY_DATA_REJECTED))
3825 /* In this case the callback decides to accept the early data */
3826 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3828 SSL_READ_EARLY_DATA_SUCCESS)
3829 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3831 * Server will have sent its flight so client can now send
3832 * end of early data and complete its half of the handshake
3834 || !TEST_int_gt(SSL_connect(clientssl), 0)
3835 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3837 SSL_READ_EARLY_DATA_FINISH)
3838 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3839 SSL_EARLY_DATA_ACCEPTED))
3843 /* Complete the connection */
3844 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3845 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3846 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3852 SSL_SESSION_free(sess);
3853 SSL_SESSION_free(clientpsk);
3854 SSL_SESSION_free(serverpsk);
3855 clientpsk = serverpsk = NULL;
3856 SSL_free(serverssl);
3857 SSL_free(clientssl);
3863 static int test_early_data_replay(int idx)
3865 int ret = 1, usecb, confopt;
3867 for (usecb = 0; usecb < 3; usecb++) {
3868 for (confopt = 0; confopt < 2; confopt++)
3869 ret &= test_early_data_replay_int(idx, usecb, confopt);
3875 static const char *ciphersuites[] = {
3876 "TLS_AES_128_CCM_8_SHA256",
3877 "TLS_AES_128_GCM_SHA256",
3878 "TLS_AES_256_GCM_SHA384",
3879 "TLS_AES_128_CCM_SHA256",
3880 #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3881 "TLS_CHACHA20_POLY1305_SHA256"
3886 * Helper function to test that a server attempting to read early data can
3887 * handle a connection from a client where the early data should be skipped.
3888 * testtype: 0 == No HRR
3889 * testtype: 1 == HRR
3890 * testtype: 2 == HRR, invalid early_data sent after HRR
3891 * testtype: 3 == recv_max_early_data set to 0
3893 static int early_data_skip_helper(int testtype, int cipher, int idx)
3895 SSL_CTX *cctx = NULL, *sctx = NULL;
3896 SSL *clientssl = NULL, *serverssl = NULL;
3898 SSL_SESSION *sess = NULL;
3899 unsigned char buf[20];
3900 size_t readbytes, written;
3902 if (is_fips && cipher == 4)
3905 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3906 TLS_client_method(),
3908 &sctx, &cctx, cert, privkey)))
3912 SSL_CTX_set_security_level(sctx, 0);
3913 SSL_CTX_set_security_level(cctx, 0);
3916 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, ciphersuites[cipher]))
3917 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, ciphersuites[cipher])))
3920 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3921 &serverssl, &sess, idx,
3922 cipher == 2 ? SHA384_DIGEST_LENGTH
3923 : SHA256_DIGEST_LENGTH)))
3926 if (testtype == 1 || testtype == 2) {
3927 /* Force an HRR to occur */
3928 #if defined(OPENSSL_NO_EC)
3929 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3932 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
3935 } else if (idx == 2) {
3937 * We force early_data rejection by ensuring the PSK identity is
3940 srvid = "Dummy Identity";
3943 * Deliberately corrupt the creation time. We take 20 seconds off the
3944 * time. It could be any value as long as it is not within tolerance.
3945 * This should mean the ticket is rejected.
3947 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3952 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3955 /* Write some early data */
3956 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3958 || !TEST_size_t_eq(written, strlen(MSG1)))
3961 /* Server should reject the early data */
3962 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3964 SSL_READ_EARLY_DATA_FINISH)
3965 || !TEST_size_t_eq(readbytes, 0)
3966 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3967 SSL_EARLY_DATA_REJECTED))
3977 * Finish off the handshake. We perform the same writes and reads as
3978 * further down but we expect them to fail due to the incomplete
3981 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3982 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3989 BIO *wbio = SSL_get_wbio(clientssl);
3990 /* A record that will appear as bad early_data */
3991 const unsigned char bad_early_data[] = {
3992 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3996 * We force the client to attempt a write. This will fail because
3997 * we're still in the handshake. It will cause the second
3998 * ClientHello to be sent.
4000 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
4005 * Inject some early_data after the second ClientHello. This should
4006 * cause the server to fail
4008 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
4009 sizeof(bad_early_data), &written)))
4016 * This client has sent more early_data than we are willing to skip
4017 * (case 3) or sent invalid early_data (case 2) so the connection should
4020 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4021 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
4024 /* Connection has failed - nothing more to do */
4029 TEST_error("Invalid test type");
4035 * Should be able to send normal data despite rejection of early data. The
4036 * early_data should be skipped.
4038 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4039 || !TEST_size_t_eq(written, strlen(MSG2))
4040 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4041 SSL_EARLY_DATA_REJECTED)
4042 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4043 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4047 * Failure to decrypt early data records should not leave spurious errors
4048 * on the error stack
4050 if (!TEST_long_eq(ERR_peek_error(), 0))
4056 SSL_SESSION_free(clientpsk);
4057 SSL_SESSION_free(serverpsk);
4058 clientpsk = serverpsk = NULL;
4059 SSL_SESSION_free(sess);
4060 SSL_free(serverssl);
4061 SSL_free(clientssl);
4068 * Test that a server attempting to read early data can handle a connection
4069 * from a client where the early data is not acceptable.
4071 static int test_early_data_skip(int idx)
4073 return early_data_skip_helper(0,
4074 idx % OSSL_NELEM(ciphersuites),
4075 idx / OSSL_NELEM(ciphersuites));
4079 * Test that a server attempting to read early data can handle a connection
4080 * from a client where an HRR occurs.
4082 static int test_early_data_skip_hrr(int idx)
4084 return early_data_skip_helper(1,
4085 idx % OSSL_NELEM(ciphersuites),
4086 idx / OSSL_NELEM(ciphersuites));
4090 * Test that a server attempting to read early data can handle a connection
4091 * from a client where an HRR occurs and correctly fails if early_data is sent
4094 static int test_early_data_skip_hrr_fail(int idx)
4096 return early_data_skip_helper(2,
4097 idx % OSSL_NELEM(ciphersuites),
4098 idx / OSSL_NELEM(ciphersuites));
4102 * Test that a server attempting to read early data will abort if it tries to
4103 * skip over too much.
4105 static int test_early_data_skip_abort(int idx)
4107 return early_data_skip_helper(3,
4108 idx % OSSL_NELEM(ciphersuites),
4109 idx / OSSL_NELEM(ciphersuites));
4113 * Test that a server attempting to read early data can handle a connection
4114 * from a client that doesn't send any.
4116 static int test_early_data_not_sent(int idx)
4118 SSL_CTX *cctx = NULL, *sctx = NULL;
4119 SSL *clientssl = NULL, *serverssl = NULL;
4121 SSL_SESSION *sess = NULL;
4122 unsigned char buf[20];
4123 size_t readbytes, written;
4125 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4126 &serverssl, &sess, idx,
4127 SHA384_DIGEST_LENGTH)))
4130 /* Write some data - should block due to handshake with server */
4131 SSL_set_connect_state(clientssl);
4132 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4135 /* Server should detect that early data has not been sent */
4136 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4138 SSL_READ_EARLY_DATA_FINISH)
4139 || !TEST_size_t_eq(readbytes, 0)
4140 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4141 SSL_EARLY_DATA_NOT_SENT)
4142 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4143 SSL_EARLY_DATA_NOT_SENT))
4146 /* Continue writing the message we started earlier */
4147 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4148 || !TEST_size_t_eq(written, strlen(MSG1))
4149 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4150 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4151 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
4152 || !TEST_size_t_eq(written, strlen(MSG2)))
4155 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4156 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4162 SSL_SESSION_free(sess);
4163 SSL_SESSION_free(clientpsk);
4164 SSL_SESSION_free(serverpsk);
4165 clientpsk = serverpsk = NULL;
4166 SSL_free(serverssl);
4167 SSL_free(clientssl);
4173 static const char *servalpn;
4175 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
4176 unsigned char *outlen, const unsigned char *in,
4177 unsigned int inlen, void *arg)
4179 unsigned int protlen = 0;
4180 const unsigned char *prot;
4182 for (prot = in; prot < in + inlen; prot += protlen) {
4184 if (in + inlen < prot + protlen)
4185 return SSL_TLSEXT_ERR_NOACK;
4187 if (protlen == strlen(servalpn)
4188 && memcmp(prot, servalpn, protlen) == 0) {
4191 return SSL_TLSEXT_ERR_OK;
4195 return SSL_TLSEXT_ERR_NOACK;
4198 /* Test that a PSK can be used to send early_data */
4199 static int test_early_data_psk(int idx)
4201 SSL_CTX *cctx = NULL, *sctx = NULL;
4202 SSL *clientssl = NULL, *serverssl = NULL;
4204 SSL_SESSION *sess = NULL;
4205 unsigned char alpnlist[] = {
4206 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
4209 #define GOODALPNLEN 9
4210 #define BADALPNLEN 8
4211 #define GOODALPN (alpnlist)
4212 #define BADALPN (alpnlist + GOODALPNLEN)
4214 unsigned char buf[20];
4215 size_t readbytes, written;
4216 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
4217 int edstatus = SSL_EARLY_DATA_ACCEPTED;
4219 /* We always set this up with a final parameter of "2" for PSK */
4220 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4221 &serverssl, &sess, 2,
4222 SHA384_DIGEST_LENGTH)))
4225 servalpn = "goodalpn";
4228 * Note: There is no test for inconsistent SNI with late client detection.
4229 * This is because servers do not acknowledge SNI even if they are using
4230 * it in a resumption handshake - so it is not actually possible for a
4231 * client to detect a problem.
4235 /* Set inconsistent SNI (early client detection) */
4236 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
4237 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4238 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
4243 /* Set inconsistent ALPN (early client detection) */
4244 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
4245 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
4246 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
4248 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
4255 * Set invalid protocol version. Technically this affects PSKs without
4256 * early_data too, but we test it here because it is similar to the
4257 * SNI/ALPN consistency tests.
4259 err = SSL_R_BAD_PSK;
4260 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
4266 * Set inconsistent SNI (server side). In this case the connection
4267 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
4268 * is associated with each handshake - not the session. Therefore it
4269 * should not matter that we used a different server name last time.
4271 SSL_SESSION_free(serverpsk);
4272 serverpsk = SSL_SESSION_dup(clientpsk);
4273 if (!TEST_ptr(serverpsk)
4274 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
4278 /* Set consistent SNI */
4279 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4280 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
4281 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
4288 * Set inconsistent ALPN (server detected). In this case the connection
4289 * will succeed but reject early_data.
4291 servalpn = "badalpn";
4292 edstatus = SSL_EARLY_DATA_REJECTED;
4293 readearlyres = SSL_READ_EARLY_DATA_FINISH;
4297 * Set consistent ALPN.
4298 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4299 * accepts a list of protos (each one length prefixed).
4300 * SSL_set1_alpn_selected accepts a single protocol (not length
4303 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4305 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4309 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4313 /* Set inconsistent ALPN (late client detection) */
4314 SSL_SESSION_free(serverpsk);
4315 serverpsk = SSL_SESSION_dup(clientpsk);
4316 if (!TEST_ptr(serverpsk)
4317 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4320 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4323 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4326 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4327 edstatus = SSL_EARLY_DATA_ACCEPTED;
4328 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4329 /* SSL_connect() call should fail */
4334 TEST_error("Bad test index");
4338 SSL_set_connect_state(clientssl);
4340 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4342 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4343 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4346 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4350 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4351 &readbytes), readearlyres)
4352 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4353 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
4354 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4355 || !TEST_int_eq(SSL_connect(clientssl), connectres))
4362 SSL_SESSION_free(sess);
4363 SSL_SESSION_free(clientpsk);
4364 SSL_SESSION_free(serverpsk);
4365 clientpsk = serverpsk = NULL;
4366 SSL_free(serverssl);
4367 SSL_free(clientssl);
4374 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4375 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4376 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4377 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4378 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4379 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4381 static int test_early_data_psk_with_all_ciphers(int idx)
4383 SSL_CTX *cctx = NULL, *sctx = NULL;
4384 SSL *clientssl = NULL, *serverssl = NULL;
4386 SSL_SESSION *sess = NULL;
4387 unsigned char buf[20];
4388 size_t readbytes, written;
4389 const SSL_CIPHER *cipher;
4390 const char *cipher_str[] = {
4391 TLS1_3_RFC_AES_128_GCM_SHA256,
4392 TLS1_3_RFC_AES_256_GCM_SHA384,
4393 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4394 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4398 TLS1_3_RFC_AES_128_CCM_SHA256,
4399 TLS1_3_RFC_AES_128_CCM_8_SHA256
4401 const unsigned char *cipher_bytes[] = {
4402 TLS13_AES_128_GCM_SHA256_BYTES,
4403 TLS13_AES_256_GCM_SHA384_BYTES,
4404 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4405 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4409 TLS13_AES_128_CCM_SHA256_BYTES,
4410 TLS13_AES_128_CCM_8_SHA256_BYTES
4413 if (cipher_str[idx] == NULL)
4415 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4416 if (idx == 2 && is_fips == 1)
4419 /* We always set this up with a final parameter of "2" for PSK */
4420 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4421 &serverssl, &sess, 2,
4422 SHA384_DIGEST_LENGTH)))
4426 /* CCM8 ciphers are considered low security due to their short tag */
4427 SSL_set_security_level(clientssl, 0);
4428 SSL_set_security_level(serverssl, 0);
4431 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4432 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4436 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4437 * and assigns to both client and server with incremented reference
4438 * and the same instance is updated in 'sess'.
4439 * So updating ciphersuite in 'sess' which will get reflected in
4440 * PSK handshake using psk use sess and find sess cb.
4442 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4443 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4446 SSL_set_connect_state(clientssl);
4447 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4451 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4453 SSL_READ_EARLY_DATA_SUCCESS)
4454 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4455 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4456 SSL_EARLY_DATA_ACCEPTED)
4457 || !TEST_int_eq(SSL_connect(clientssl), 1)
4458 || !TEST_int_eq(SSL_accept(serverssl), 1))
4461 /* Send some normal data from client to server */
4462 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4463 || !TEST_size_t_eq(written, strlen(MSG2)))
4466 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4467 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4472 SSL_SESSION_free(sess);
4473 SSL_SESSION_free(clientpsk);
4474 SSL_SESSION_free(serverpsk);
4475 clientpsk = serverpsk = NULL;
4476 if (clientssl != NULL)
4477 SSL_shutdown(clientssl);
4478 if (serverssl != NULL)
4479 SSL_shutdown(serverssl);
4480 SSL_free(serverssl);
4481 SSL_free(clientssl);
4488 * Test that a server that doesn't try to read early data can handle a
4489 * client sending some.
4491 static int test_early_data_not_expected(int idx)
4493 SSL_CTX *cctx = NULL, *sctx = NULL;
4494 SSL *clientssl = NULL, *serverssl = NULL;
4496 SSL_SESSION *sess = NULL;
4497 unsigned char buf[20];
4498 size_t readbytes, written;
4500 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4501 &serverssl, &sess, idx,
4502 SHA384_DIGEST_LENGTH)))
4505 /* Write some early data */
4506 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4511 * Server should skip over early data and then block waiting for client to
4512 * continue handshake
4514 if (!TEST_int_le(SSL_accept(serverssl), 0)
4515 || !TEST_int_gt(SSL_connect(clientssl), 0)
4516 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4517 SSL_EARLY_DATA_REJECTED)
4518 || !TEST_int_gt(SSL_accept(serverssl), 0)
4519 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4520 SSL_EARLY_DATA_REJECTED))
4523 /* Send some normal data from client to server */
4524 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4525 || !TEST_size_t_eq(written, strlen(MSG2)))
4528 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4529 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4535 SSL_SESSION_free(sess);
4536 SSL_SESSION_free(clientpsk);
4537 SSL_SESSION_free(serverpsk);
4538 clientpsk = serverpsk = NULL;
4539 SSL_free(serverssl);
4540 SSL_free(clientssl);
4547 # ifndef OPENSSL_NO_TLS1_2
4549 * Test that a server attempting to read early data can handle a connection
4550 * from a TLSv1.2 client.
4552 static int test_early_data_tls1_2(int idx)
4554 SSL_CTX *cctx = NULL, *sctx = NULL;
4555 SSL *clientssl = NULL, *serverssl = NULL;
4557 unsigned char buf[20];
4558 size_t readbytes, written;
4560 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4561 &serverssl, NULL, idx,
4562 SHA384_DIGEST_LENGTH)))
4565 /* Write some data - should block due to handshake with server */
4566 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4567 SSL_set_connect_state(clientssl);
4568 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4572 * Server should do TLSv1.2 handshake. First it will block waiting for more
4573 * messages from client after ServerDone. Then SSL_read_early_data should
4574 * finish and detect that early data has not been sent
4576 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4578 SSL_READ_EARLY_DATA_ERROR))
4582 * Continue writing the message we started earlier. Will still block waiting
4583 * for the CCS/Finished from server
4585 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4586 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4588 SSL_READ_EARLY_DATA_FINISH)
4589 || !TEST_size_t_eq(readbytes, 0)
4590 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4591 SSL_EARLY_DATA_NOT_SENT))
4594 /* Continue writing the message we started earlier */
4595 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4596 || !TEST_size_t_eq(written, strlen(MSG1))
4597 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4598 SSL_EARLY_DATA_NOT_SENT)
4599 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4600 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4601 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4602 || !TEST_size_t_eq(written, strlen(MSG2))
4603 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4604 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4610 SSL_SESSION_free(clientpsk);
4611 SSL_SESSION_free(serverpsk);
4612 clientpsk = serverpsk = NULL;
4613 SSL_free(serverssl);
4614 SSL_free(clientssl);
4620 # endif /* OPENSSL_NO_TLS1_2 */
4623 * Test configuring the TLSv1.3 ciphersuites
4625 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4626 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4627 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4628 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4629 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4630 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4631 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4632 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4633 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4634 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4636 static int test_set_ciphersuite(int idx)
4638 SSL_CTX *cctx = NULL, *sctx = NULL;
4639 SSL *clientssl = NULL, *serverssl = NULL;
4642 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4643 TLS_client_method(), TLS1_VERSION, 0,
4644 &sctx, &cctx, cert, privkey))
4645 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4646 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4649 if (idx >=4 && idx <= 7) {
4650 /* SSL_CTX explicit cipher list */
4651 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4655 if (idx == 0 || idx == 4) {
4656 /* Default ciphersuite */
4657 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4658 "TLS_AES_128_GCM_SHA256")))
4660 } else if (idx == 1 || idx == 5) {
4661 /* Non default ciphersuite */
4662 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4663 "TLS_AES_128_CCM_SHA256")))
4667 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4668 &clientssl, NULL, NULL)))
4671 if (idx == 8 || idx == 9) {
4672 /* SSL explicit cipher list */
4673 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4677 if (idx == 2 || idx == 6 || idx == 8) {
4678 /* Default ciphersuite */
4679 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4680 "TLS_AES_128_GCM_SHA256")))
4682 } else if (idx == 3 || idx == 7 || idx == 9) {
4683 /* Non default ciphersuite */
4684 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4685 "TLS_AES_128_CCM_SHA256")))
4689 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4695 SSL_free(serverssl);
4696 SSL_free(clientssl);
4703 static int test_ciphersuite_change(void)
4705 SSL_CTX *cctx = NULL, *sctx = NULL;
4706 SSL *clientssl = NULL, *serverssl = NULL;
4707 SSL_SESSION *clntsess = NULL;
4709 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4711 /* Create a session based on SHA-256 */
4712 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4713 TLS_client_method(), TLS1_VERSION, 0,
4714 &sctx, &cctx, cert, privkey))
4715 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4716 "TLS_AES_128_GCM_SHA256:"
4717 "TLS_AES_256_GCM_SHA384:"
4718 "TLS_AES_128_CCM_SHA256"))
4719 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4720 "TLS_AES_128_GCM_SHA256")))
4723 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4725 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4729 clntsess = SSL_get1_session(clientssl);
4730 /* Save for later */
4731 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4732 SSL_shutdown(clientssl);
4733 SSL_shutdown(serverssl);
4734 SSL_free(serverssl);
4735 SSL_free(clientssl);
4736 serverssl = clientssl = NULL;
4738 /* Check we can resume a session with a different SHA-256 ciphersuite */
4739 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4740 "TLS_AES_128_CCM_SHA256"))
4741 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4742 &clientssl, NULL, NULL))
4743 || !TEST_true(SSL_set_session(clientssl, clntsess))
4744 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4746 || !TEST_true(SSL_session_reused(clientssl)))
4749 SSL_SESSION_free(clntsess);
4750 clntsess = SSL_get1_session(clientssl);
4751 SSL_shutdown(clientssl);
4752 SSL_shutdown(serverssl);
4753 SSL_free(serverssl);
4754 SSL_free(clientssl);
4755 serverssl = clientssl = NULL;
4758 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4759 * succeeds but does not resume.
4761 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4762 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4764 || !TEST_true(SSL_set_session(clientssl, clntsess))
4765 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4767 || !TEST_false(SSL_session_reused(clientssl)))
4770 SSL_SESSION_free(clntsess);
4772 SSL_shutdown(clientssl);
4773 SSL_shutdown(serverssl);
4774 SSL_free(serverssl);
4775 SSL_free(clientssl);
4776 serverssl = clientssl = NULL;
4778 /* Create a session based on SHA384 */
4779 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4780 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4781 &clientssl, NULL, NULL))
4782 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4786 clntsess = SSL_get1_session(clientssl);
4787 SSL_shutdown(clientssl);
4788 SSL_shutdown(serverssl);
4789 SSL_free(serverssl);
4790 SSL_free(clientssl);
4791 serverssl = clientssl = NULL;
4793 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4794 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4795 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4796 "TLS_AES_256_GCM_SHA384"))
4797 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4799 || !TEST_true(SSL_set_session(clientssl, clntsess))
4801 * We use SSL_ERROR_WANT_READ below so that we can pause the
4802 * connection after the initial ClientHello has been sent to
4803 * enable us to make some session changes.
4805 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4806 SSL_ERROR_WANT_READ)))
4809 /* Trick the client into thinking this session is for a different digest */
4810 clntsess->cipher = aes_128_gcm_sha256;
4811 clntsess->cipher_id = clntsess->cipher->id;
4814 * Continue the previously started connection. Server has selected a SHA-384
4815 * ciphersuite, but client thinks the session is for SHA-256, so it should
4818 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4820 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4821 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4827 SSL_SESSION_free(clntsess);
4828 SSL_free(serverssl);
4829 SSL_free(clientssl);
4837 * Test TLSv1.3 Key exchange
4838 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4839 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4840 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4841 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4842 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4843 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4844 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4845 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4846 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4847 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4848 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4849 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4850 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4851 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4853 # ifndef OPENSSL_NO_EC
4854 static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4856 # ifndef OPENSSL_NO_ECX
4857 NID_X25519, NID_X448
4861 # ifndef OPENSSL_NO_DH
4862 static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4863 NID_ffdhe6144, NID_ffdhe8192};
4865 static int test_key_exchange(int idx)
4867 SSL_CTX *sctx = NULL, *cctx = NULL;
4868 SSL *serverssl = NULL, *clientssl = NULL;
4871 int *kexch_groups = &kexch_alg;
4872 int kexch_groups_size = 1;
4873 int max_version = TLS1_3_VERSION;
4874 char *kexch_name0 = NULL;
4877 # ifndef OPENSSL_NO_EC
4878 # ifndef OPENSSL_NO_TLS1_2
4880 max_version = TLS1_2_VERSION;
4884 kexch_groups = ecdhe_kexch_groups;
4885 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4886 kexch_name0 = "secp256r1";
4889 kexch_alg = NID_X9_62_prime256v1;
4890 kexch_name0 = "secp256r1";
4893 kexch_alg = NID_secp384r1;
4894 kexch_name0 = "secp384r1";
4897 kexch_alg = NID_secp521r1;
4898 kexch_name0 = "secp521r1";
4900 # ifndef OPENSSL_NO_ECX
4902 kexch_alg = NID_X25519;
4903 kexch_name0 = "x25519";
4906 kexch_alg = NID_X448;
4907 kexch_name0 = "x448";
4911 # ifndef OPENSSL_NO_DH
4912 # ifndef OPENSSL_NO_TLS1_2
4914 max_version = TLS1_2_VERSION;
4915 kexch_name0 = "ffdhe2048";
4919 kexch_groups = ffdhe_kexch_groups;
4920 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4921 kexch_name0 = "ffdhe2048";
4924 kexch_alg = NID_ffdhe2048;
4925 kexch_name0 = "ffdhe2048";
4928 kexch_alg = NID_ffdhe3072;
4929 kexch_name0 = "ffdhe3072";
4932 kexch_alg = NID_ffdhe4096;
4933 kexch_name0 = "ffdhe4096";
4936 kexch_alg = NID_ffdhe6144;
4937 kexch_name0 = "ffdhe6144";
4940 kexch_alg = NID_ffdhe8192;
4941 kexch_name0 = "ffdhe8192";
4945 /* We're skipping this test */
4949 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4950 TLS_client_method(), TLS1_VERSION,
4951 max_version, &sctx, &cctx, cert,
4955 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4956 TLS1_3_RFC_AES_128_GCM_SHA256)))
4959 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4960 TLS1_3_RFC_AES_128_GCM_SHA256)))
4963 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4964 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4965 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4966 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4970 * Must include an EC ciphersuite so that we send supported groups in
4973 # ifndef OPENSSL_NO_TLS1_2
4974 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4975 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4976 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4980 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4984 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4985 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4988 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4992 * If Handshake succeeds the negotiated kexch alg should be the first one in
4993 * configured, except in the case of FFDHE groups (idx 13), which are
4994 * TLSv1.3 only so we expect no shared group to exist.
4996 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
4997 idx == 13 ? 0 : kexch_groups[0]))
5000 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
5004 /* We don't implement RFC 7919 named groups for TLS 1.2. */
5006 if (!TEST_str_eq(SSL_get0_group_name(serverssl), kexch_name0)
5007 || !TEST_str_eq(SSL_get0_group_name(clientssl), kexch_name0))
5009 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
5011 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
5017 SSL_free(serverssl);
5018 SSL_free(clientssl);
5024 # if !defined(OPENSSL_NO_TLS1_2) \
5025 && !defined(OPENSSL_NO_EC) \
5026 && !defined(OPENSSL_NO_DH)
5027 static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
5028 int isecdhe, int idx)
5031 int *kexch_groups = &kexch_alg;
5034 numec = OSSL_NELEM(ecdhe_kexch_groups);
5035 numff = OSSL_NELEM(ffdhe_kexch_groups);
5037 kexch_alg = ecdhe_kexch_groups[idx];
5039 kexch_alg = ffdhe_kexch_groups[idx];
5042 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
5045 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
5049 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
5054 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
5057 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
5061 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
5070 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
5071 * Run through both the ECDHE and FFDHE group lists used in the previous
5072 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
5073 * confirming the expected result; then perform a resumption handshake
5074 * while offering the same group list, and another resumption handshake
5075 * offering a different group list. The returned value should be the
5076 * negotiated group for the initial handshake; for TLS 1.3 resumption
5077 * handshakes the returned value will be negotiated on the resumption
5078 * handshake itself, but for TLS 1.2 resumption handshakes the value will
5079 * be cached in the session from the original handshake, regardless of what
5080 * was offered in the resumption ClientHello.
5082 * Using E for the number of EC groups and F for the number of FF groups:
5083 * E tests of ECDHE with TLS 1.3, server only has one group
5084 * F tests of FFDHE with TLS 1.3, server only has one group
5085 * E tests of ECDHE with TLS 1.2, server only has one group
5086 * F tests of FFDHE with TLS 1.2, server only has one group
5087 * E tests of ECDHE with TLS 1.3, client sends only one group
5088 * F tests of FFDHE with TLS 1.3, client sends only one group
5089 * E tests of ECDHE with TLS 1.2, client sends only one group
5090 * F tests of FFDHE with TLS 1.2, client sends only one group
5092 static int test_negotiated_group(int idx)
5094 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
5096 SSL_CTX *sctx = NULL, *cctx = NULL;
5097 SSL *serverssl = NULL, *clientssl = NULL;
5098 SSL_SESSION *origsess = NULL;
5101 int max_version = TLS1_3_VERSION;
5103 numec = OSSL_NELEM(ecdhe_kexch_groups);
5104 numff = OSSL_NELEM(ffdhe_kexch_groups);
5105 numgroups = numec + numff;
5106 clientmulti = (idx < 2 * numgroups);
5107 idx = idx % (2 * numgroups);
5108 istls13 = (idx < numgroups);
5109 idx = idx % numgroups;
5110 isecdhe = (idx < numec);
5113 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
5115 kexch_alg = ecdhe_kexch_groups[idx];
5117 kexch_alg = ffdhe_kexch_groups[idx];
5118 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
5119 if (!istls13 && !isecdhe)
5120 expectednid = NID_undef;
5122 expectednid = kexch_alg;
5125 max_version = TLS1_2_VERSION;
5127 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5128 TLS_client_method(), TLS1_VERSION,
5129 max_version, &sctx, &cctx, cert,
5134 * Force (EC)DHE ciphers for TLS 1.2.
5135 * Be sure to enable auto tmp DH so that FFDHE can succeed.
5137 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
5138 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5139 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
5140 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
5142 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5143 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5144 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
5147 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5151 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
5155 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5158 /* Initial handshake; always the configured one */
5159 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5160 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5163 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
5166 SSL_shutdown(clientssl);
5167 SSL_shutdown(serverssl);
5168 SSL_free(serverssl);
5169 SSL_free(clientssl);
5170 serverssl = clientssl = NULL;
5172 /* First resumption attempt; use the same config as initial handshake */
5173 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5175 || !TEST_true(SSL_set_session(clientssl, origsess))
5176 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5180 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5181 || !TEST_true(SSL_session_reused(clientssl)))
5184 /* Still had better agree, since nothing changed... */
5185 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5186 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5189 SSL_shutdown(clientssl);
5190 SSL_shutdown(serverssl);
5191 SSL_free(serverssl);
5192 SSL_free(clientssl);
5193 serverssl = clientssl = NULL;
5196 * Second resumption attempt
5197 * The party that picks one group changes it, which we effectuate by
5198 * changing 'idx' and updating what we expect.
5206 expectednid = ecdhe_kexch_groups[idx];
5208 expectednid = ffdhe_kexch_groups[idx];
5209 /* Verify that we are changing what we expect. */
5210 if (!TEST_int_ne(expectednid, kexch_alg))
5213 /* TLS 1.2 only supports named groups for ECDHE. */
5215 expectednid = kexch_alg;
5219 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5221 || !TEST_true(SSL_set_session(clientssl, origsess))
5222 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5226 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5227 || !TEST_true(SSL_session_reused(clientssl)))
5230 /* Check that we get what we expected */
5231 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5232 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5237 SSL_free(serverssl);
5238 SSL_free(clientssl);
5241 SSL_SESSION_free(origsess);
5244 # endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
5247 * Test TLSv1.3 Cipher Suite
5248 * Test 0 = Set TLS1.3 cipher on context
5249 * Test 1 = Set TLS1.3 cipher on SSL
5250 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
5251 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
5253 static int test_tls13_ciphersuite(int idx)
5255 SSL_CTX *sctx = NULL, *cctx = NULL;
5256 SSL *serverssl = NULL, *clientssl = NULL;
5257 static const struct {
5258 const char *ciphername;
5262 { TLS1_3_RFC_AES_128_GCM_SHA256, 1, 0 },
5263 { TLS1_3_RFC_AES_256_GCM_SHA384, 1, 0 },
5264 { TLS1_3_RFC_AES_128_CCM_SHA256, 1, 0 },
5265 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5266 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5267 { TLS1_3_RFC_AES_256_GCM_SHA384
5268 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5270 /* CCM8 ciphers are considered low security due to their short tag */
5271 { TLS1_3_RFC_AES_128_CCM_8_SHA256
5272 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1, 1 }
5274 const char *t13_cipher = NULL;
5275 const char *t12_cipher = NULL;
5276 const char *negotiated_scipher;
5277 const char *negotiated_ccipher;
5293 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5297 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5301 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
5302 # ifdef OPENSSL_NO_TLS1_2
5303 if (max_ver == TLS1_2_VERSION)
5306 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
5307 if (is_fips && !t13_ciphers[i].fipscapable)
5309 t13_cipher = t13_ciphers[i].ciphername;
5310 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5311 TLS_client_method(),
5312 TLS1_VERSION, max_ver,
5313 &sctx, &cctx, cert, privkey)))
5316 if (t13_ciphers[i].low_security) {
5317 SSL_CTX_set_security_level(sctx, 0);
5318 SSL_CTX_set_security_level(cctx, 0);
5322 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
5323 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
5325 if (t12_cipher != NULL) {
5326 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
5327 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
5333 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5334 &clientssl, NULL, NULL)))
5338 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5339 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5341 if (t12_cipher != NULL) {
5342 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5343 || !TEST_true(SSL_set_cipher_list(clientssl,
5349 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5353 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5355 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5357 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5361 * TEST_strn_eq is used below because t13_cipher can contain
5362 * multiple ciphersuites
5364 if (max_ver == TLS1_3_VERSION
5365 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5366 strlen(negotiated_scipher)))
5369 # ifndef OPENSSL_NO_TLS1_2
5370 /* Below validation is not done when t12_cipher is NULL */
5371 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5372 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5376 SSL_free(serverssl);
5378 SSL_free(clientssl);
5389 SSL_free(serverssl);
5390 SSL_free(clientssl);
5398 * Test 0 = Test new style callbacks
5399 * Test 1 = Test both new and old style callbacks
5400 * Test 2 = Test old style callbacks
5401 * Test 3 = Test old style callbacks with no certificate
5403 static int test_tls13_psk(int idx)
5405 SSL_CTX *sctx = NULL, *cctx = NULL;
5406 SSL *serverssl = NULL, *clientssl = NULL;
5407 const SSL_CIPHER *cipher = NULL;
5408 const unsigned char key[] = {
5409 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5410 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
5411 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5412 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
5416 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5417 TLS_client_method(), TLS1_VERSION, 0,
5418 &sctx, &cctx, idx == 3 ? NULL : cert,
5419 idx == 3 ? NULL : privkey)))
5424 * We use a ciphersuite with SHA256 to ease testing old style PSK
5425 * callbacks which will always default to SHA256. This should not be
5426 * necessary if we have no cert/priv key. In that case the server should
5427 * prefer SHA256 automatically.
5429 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5430 "TLS_AES_128_GCM_SHA256")))
5434 * As noted above the server should prefer SHA256 automatically. However
5435 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5436 * code works even if we are testing with only the FIPS provider loaded.
5438 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5439 "TLS_AES_256_GCM_SHA384:"
5440 "TLS_AES_128_GCM_SHA256")))
5445 * Test 0: New style callbacks only
5446 * Test 1: New and old style callbacks (only the new ones should be used)
5447 * Test 2: Old style callbacks only
5449 if (idx == 0 || idx == 1) {
5450 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5451 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5453 #ifndef OPENSSL_NO_PSK
5455 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5456 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5460 use_session_cb_cnt = 0;
5461 find_session_cb_cnt = 0;
5462 psk_client_cb_cnt = 0;
5463 psk_server_cb_cnt = 0;
5467 * Check we can create a connection if callback decides not to send a
5470 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5472 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5474 || !TEST_false(SSL_session_reused(clientssl))
5475 || !TEST_false(SSL_session_reused(serverssl)))
5478 if (idx == 0 || idx == 1) {
5479 if (!TEST_true(use_session_cb_cnt == 1)
5480 || !TEST_true(find_session_cb_cnt == 0)
5482 * If no old style callback then below should be 0
5485 || !TEST_true(psk_client_cb_cnt == idx)
5486 || !TEST_true(psk_server_cb_cnt == 0))
5489 if (!TEST_true(use_session_cb_cnt == 0)
5490 || !TEST_true(find_session_cb_cnt == 0)
5491 || !TEST_true(psk_client_cb_cnt == 1)
5492 || !TEST_true(psk_server_cb_cnt == 0))
5496 shutdown_ssl_connection(serverssl, clientssl);
5497 serverssl = clientssl = NULL;
5498 use_session_cb_cnt = psk_client_cb_cnt = 0;
5501 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5505 /* Create the PSK */
5506 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
5507 clientpsk = SSL_SESSION_new();
5508 if (!TEST_ptr(clientpsk)
5509 || !TEST_ptr(cipher)
5510 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5512 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5513 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5515 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
5517 serverpsk = clientpsk;
5519 /* Check we can create a connection and the PSK is used */
5520 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5521 || !TEST_true(SSL_session_reused(clientssl))
5522 || !TEST_true(SSL_session_reused(serverssl)))
5525 if (idx == 0 || idx == 1) {
5526 if (!TEST_true(use_session_cb_cnt == 1)
5527 || !TEST_true(find_session_cb_cnt == 1)
5528 || !TEST_true(psk_client_cb_cnt == 0)
5529 || !TEST_true(psk_server_cb_cnt == 0))
5532 if (!TEST_true(use_session_cb_cnt == 0)
5533 || !TEST_true(find_session_cb_cnt == 0)
5534 || !TEST_true(psk_client_cb_cnt == 1)
5535 || !TEST_true(psk_server_cb_cnt == 1))
5539 shutdown_ssl_connection(serverssl, clientssl);
5540 serverssl = clientssl = NULL;
5541 use_session_cb_cnt = find_session_cb_cnt = 0;
5542 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5544 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5549 #if defined(OPENSSL_NO_EC)
5550 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5553 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
5558 * Check we can create a connection, the PSK is used and the callbacks are
5561 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5562 || !TEST_true(SSL_session_reused(clientssl))
5563 || !TEST_true(SSL_session_reused(serverssl)))
5566 if (idx == 0 || idx == 1) {
5567 if (!TEST_true(use_session_cb_cnt == 2)
5568 || !TEST_true(find_session_cb_cnt == 2)
5569 || !TEST_true(psk_client_cb_cnt == 0)
5570 || !TEST_true(psk_server_cb_cnt == 0))
5573 if (!TEST_true(use_session_cb_cnt == 0)
5574 || !TEST_true(find_session_cb_cnt == 0)
5575 || !TEST_true(psk_client_cb_cnt == 2)
5576 || !TEST_true(psk_server_cb_cnt == 2))
5580 shutdown_ssl_connection(serverssl, clientssl);
5581 serverssl = clientssl = NULL;
5582 use_session_cb_cnt = find_session_cb_cnt = 0;
5583 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5587 * Check that if the server rejects the PSK we can still connect, but with
5590 srvid = "Dummy Identity";
5591 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5593 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5595 || !TEST_false(SSL_session_reused(clientssl))
5596 || !TEST_false(SSL_session_reused(serverssl)))
5599 if (idx == 0 || idx == 1) {
5600 if (!TEST_true(use_session_cb_cnt == 1)
5601 || !TEST_true(find_session_cb_cnt == 1)
5602 || !TEST_true(psk_client_cb_cnt == 0)
5604 * If no old style callback then below should be 0
5607 || !TEST_true(psk_server_cb_cnt == idx))
5610 if (!TEST_true(use_session_cb_cnt == 0)
5611 || !TEST_true(find_session_cb_cnt == 0)
5612 || !TEST_true(psk_client_cb_cnt == 1)
5613 || !TEST_true(psk_server_cb_cnt == 1))
5617 shutdown_ssl_connection(serverssl, clientssl);
5618 serverssl = clientssl = NULL;
5623 SSL_SESSION_free(clientpsk);
5624 SSL_SESSION_free(serverpsk);
5625 clientpsk = serverpsk = NULL;
5626 SSL_free(serverssl);
5627 SSL_free(clientssl);
5633 #ifndef OSSL_NO_USABLE_TLS1_3
5635 * Test TLS1.3 connection establishment succeeds with various configurations of
5636 * the options `SSL_OP_ALLOW_NO_DHE_KEX` and `SSL_OP_PREFER_NO_DHE_KEX`.
5637 * The verification of whether the right KEX mode is chosen is not covered by
5638 * this test but by `test_tls13kexmodes`.
5640 * Tests (idx & 1): Server has `SSL_OP_ALLOW_NO_DHE_KEX` set.
5641 * Tests (idx & 2): Server has `SSL_OP_PREFER_NO_DHE_KEX` set.
5642 * Tests (idx & 4): Client has `SSL_OP_ALLOW_NO_DHE_KEX` set.
5644 static int test_tls13_no_dhe_kex(const int idx)
5646 SSL_CTX *sctx = NULL, *cctx = NULL;
5647 SSL *serverssl = NULL, *clientssl = NULL;
5650 SSL_SESSION *saved_session;
5652 int server_allow_no_dhe = (idx & 1) != 0;
5653 int server_prefer_no_dhe = (idx & 2) != 0;
5654 int client_allow_no_dhe = (idx & 4) != 0;
5656 uint64_t server_options = 0
5657 | (server_allow_no_dhe ? SSL_OP_ALLOW_NO_DHE_KEX : 0)
5658 | (server_prefer_no_dhe ? SSL_OP_PREFER_NO_DHE_KEX : 0);
5660 uint64_t client_options = 0
5661 | (client_allow_no_dhe ? SSL_OP_ALLOW_NO_DHE_KEX : 0);
5666 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5667 TLS_client_method(), TLS1_3_VERSION, 0,
5668 &sctx, &cctx, cert, privkey)))
5671 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
5672 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
5674 SSL_CTX_set_options(sctx, server_options);
5675 SSL_CTX_set_options(cctx, client_options);
5677 SSL_CTX_sess_set_new_cb(cctx, new_cachesession_cb);
5679 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5680 &clientssl, NULL, NULL)))
5683 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5685 /* Check we got the number of tickets we were expecting */
5686 || !TEST_int_eq(2, new_called))
5689 /* We'll reuse the last ticket. */
5690 saved_session = sesscache[new_called - 1];
5692 SSL_shutdown(clientssl);
5693 SSL_shutdown(serverssl);
5694 SSL_free(serverssl);
5695 SSL_free(clientssl);
5697 clientssl = serverssl = NULL;
5701 * Now we resume with the last ticket we created.
5704 /* The server context already exists, so we only create the client. */
5705 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5706 TLS_client_method(), TLS1_3_VERSION, 0,
5707 NULL, &cctx, cert, privkey)))
5710 SSL_CTX_set_options(cctx, client_options);
5712 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5713 &clientssl, NULL, NULL))
5714 || !TEST_true(SSL_set_session(clientssl, saved_session)))
5717 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5722 * Make sure, the session was resumed.
5724 if (!TEST_true(SSL_session_reused(clientssl)))
5727 SSL_shutdown(clientssl);
5728 SSL_shutdown(serverssl);
5733 SSL_free(serverssl);
5734 SSL_free(clientssl);
5735 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
5736 SSL_SESSION_free(sesscache[j]);
5737 sesscache[j] = NULL;
5744 #endif /* OSSL_NO_USABLE_TLS1_3 */
5746 static unsigned char cookie_magic_value[] = "cookie magic";
5748 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5749 unsigned int *cookie_len)
5752 * Not suitable as a real cookie generation function but good enough for
5755 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5756 *cookie_len = sizeof(cookie_magic_value) - 1;
5761 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5762 unsigned int cookie_len)
5764 if (cookie_len == sizeof(cookie_magic_value) - 1
5765 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5771 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5775 int res = generate_cookie_callback(ssl, cookie, &temp);
5780 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5783 return verify_cookie_callback(ssl, cookie, cookie_len);
5786 static int test_stateless(void)
5788 SSL_CTX *sctx = NULL, *cctx = NULL;
5789 SSL *serverssl = NULL, *clientssl = NULL;
5792 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5793 TLS_client_method(), TLS1_VERSION, 0,
5794 &sctx, &cctx, cert, privkey)))
5797 /* The arrival of CCS messages can confuse the test */
5798 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5800 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5802 /* Send the first ClientHello */
5803 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5804 SSL_ERROR_WANT_READ))
5806 * This should fail with a -1 return because we have no callbacks
5809 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5812 /* Fatal error so abandon the connection from this client */
5813 SSL_free(clientssl);
5816 /* Set up the cookie generation and verification callbacks */
5817 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5818 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
5821 * Create a new connection from the client (we can reuse the server SSL
5824 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5826 /* Send the first ClientHello */
5827 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5828 SSL_ERROR_WANT_READ))
5829 /* This should fail because there is no cookie */
5830 || !TEST_int_eq(SSL_stateless(serverssl), 0))
5833 /* Abandon the connection from this client */
5834 SSL_free(clientssl);
5838 * Now create a connection from a new client but with the same server SSL
5841 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5843 /* Send the first ClientHello */
5844 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5845 SSL_ERROR_WANT_READ))
5846 /* This should fail because there is no cookie */
5847 || !TEST_int_eq(SSL_stateless(serverssl), 0)
5848 /* Send the second ClientHello */
5849 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5850 SSL_ERROR_WANT_READ))
5851 /* This should succeed because a cookie is now present */
5852 || !TEST_int_eq(SSL_stateless(serverssl), 1)
5853 /* Complete the connection */
5854 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5858 shutdown_ssl_connection(serverssl, clientssl);
5859 serverssl = clientssl = NULL;
5863 SSL_free(serverssl);
5864 SSL_free(clientssl);
5870 #endif /* OSSL_NO_USABLE_TLS1_3 */
5872 static int clntaddoldcb = 0;
5873 static int clntparseoldcb = 0;
5874 static int srvaddoldcb = 0;
5875 static int srvparseoldcb = 0;
5876 static int clntaddnewcb = 0;
5877 static int clntparsenewcb = 0;
5878 static int srvaddnewcb = 0;
5879 static int srvparsenewcb = 0;
5880 static int snicb = 0;
5882 #define TEST_EXT_TYPE1 0xff00
5884 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5885 size_t *outlen, int *al, void *add_arg)
5887 int *server = (int *)add_arg;
5888 unsigned char *data;
5890 if (SSL_is_server(s))
5895 if (*server != SSL_is_server(s)
5896 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5901 *outlen = sizeof(char);
5905 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5908 OPENSSL_free((unsigned char *)out);
5911 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5912 size_t inlen, int *al, void *parse_arg)
5914 int *server = (int *)parse_arg;
5916 if (SSL_is_server(s))
5921 if (*server != SSL_is_server(s)
5922 || inlen != sizeof(char)
5929 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5930 const unsigned char **out, size_t *outlen, X509 *x,
5931 size_t chainidx, int *al, void *add_arg)
5933 int *server = (int *)add_arg;
5934 unsigned char *data;
5936 if (SSL_is_server(s))
5941 if (*server != SSL_is_server(s)
5942 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5947 *outlen = sizeof(*data);
5951 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5952 const unsigned char *out, void *add_arg)
5954 OPENSSL_free((unsigned char *)out);
5957 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5958 const unsigned char *in, size_t inlen, X509 *x,
5959 size_t chainidx, int *al, void *parse_arg)
5961 int *server = (int *)parse_arg;
5963 if (SSL_is_server(s))
5968 if (*server != SSL_is_server(s)
5969 || inlen != sizeof(char) || *in != 1)
5975 static int sni_cb(SSL *s, int *al, void *arg)
5977 SSL_CTX *ctx = (SSL_CTX *)arg;
5979 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5980 *al = SSL_AD_INTERNAL_ERROR;
5981 return SSL_TLSEXT_ERR_ALERT_FATAL;
5984 return SSL_TLSEXT_ERR_OK;
5987 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
5993 * Custom call back tests.
5994 * Test 0: Old style callbacks in TLSv1.2
5995 * Test 1: New style callbacks in TLSv1.2
5996 * Test 2: New style callbacks in TLSv1.2 with SNI
5997 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5998 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
5999 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
6001 static int test_custom_exts(int tst)
6003 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
6004 SSL *clientssl = NULL, *serverssl = NULL;
6006 static int server = 1;
6007 static int client = 0;
6008 SSL_SESSION *sess = NULL;
6009 unsigned int context;
6011 #if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
6012 /* Skip tests for TLSv1.2 and below in this case */
6017 /* Reset callback counters */
6018 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
6019 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
6022 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6023 TLS_client_method(), TLS1_VERSION, 0,
6024 &sctx, &cctx, cert, privkey)))
6028 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
6030 &sctx2, NULL, cert, privkey)))
6035 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
6036 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
6038 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
6042 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
6043 | SSL_EXT_TLS1_3_CERTIFICATE;
6044 SSL_CTX_set_verify(sctx,
6045 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
6047 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
6048 SSL_FILETYPE_PEM), 1)
6049 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
6050 SSL_FILETYPE_PEM), 1)
6051 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
6053 } else if (tst == 4) {
6054 context = SSL_EXT_CLIENT_HELLO
6055 | SSL_EXT_TLS1_2_SERVER_HELLO
6056 | SSL_EXT_TLS1_3_SERVER_HELLO
6057 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
6058 | SSL_EXT_TLS1_3_CERTIFICATE
6059 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
6061 context = SSL_EXT_CLIENT_HELLO
6062 | SSL_EXT_TLS1_2_SERVER_HELLO
6063 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
6066 /* Create a client side custom extension */
6068 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
6069 old_add_cb, old_free_cb,
6070 &client, old_parse_cb,
6074 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
6075 new_add_cb, new_free_cb,
6076 &client, new_parse_cb, &client)))
6080 /* Should not be able to add duplicates */
6081 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
6082 old_add_cb, old_free_cb,
6083 &client, old_parse_cb,
6085 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
6086 context, new_add_cb,
6087 new_free_cb, &client,
6088 new_parse_cb, &client)))
6091 /* Create a server side custom extension */
6093 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
6094 old_add_cb, old_free_cb,
6095 &server, old_parse_cb,
6099 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
6100 new_add_cb, new_free_cb,
6101 &server, new_parse_cb, &server)))
6104 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
6105 context, new_add_cb,
6106 new_free_cb, &server,
6107 new_parse_cb, &server)))
6111 /* Should not be able to add duplicates */
6112 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
6113 old_add_cb, old_free_cb,
6114 &server, old_parse_cb,
6116 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
6117 context, new_add_cb,
6118 new_free_cb, &server,
6119 new_parse_cb, &server)))
6124 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
6125 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
6129 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6130 &clientssl, NULL, NULL))
6131 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6136 if (clntaddoldcb != 1
6137 || clntparseoldcb != 1
6139 || srvparseoldcb != 1)
6141 } else if (tst == 1 || tst == 2 || tst == 3) {
6142 if (clntaddnewcb != 1
6143 || clntparsenewcb != 1
6145 || srvparsenewcb != 1
6146 || (tst != 2 && snicb != 0)
6147 || (tst == 2 && snicb != 1))
6149 } else if (tst == 5) {
6150 if (clntaddnewcb != 1
6151 || clntparsenewcb != 1
6153 || srvparsenewcb != 1)
6156 /* In this case there 2 NewSessionTicket messages created */
6157 if (clntaddnewcb != 1
6158 || clntparsenewcb != 5
6160 || srvparsenewcb != 1)
6164 sess = SSL_get1_session(clientssl);
6165 SSL_shutdown(clientssl);
6166 SSL_shutdown(serverssl);
6167 SSL_free(serverssl);
6168 SSL_free(clientssl);
6169 serverssl = clientssl = NULL;
6171 if (tst == 3 || tst == 5) {
6172 /* We don't bother with the resumption aspects for these tests */
6177 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6179 || !TEST_true(SSL_set_session(clientssl, sess))
6180 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6185 * For a resumed session we expect to add the ClientHello extension. For the
6186 * old style callbacks we ignore it on the server side because they set
6187 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
6191 if (clntaddoldcb != 2
6192 || clntparseoldcb != 1
6194 || srvparseoldcb != 1)
6196 } else if (tst == 1 || tst == 2 || tst == 3) {
6197 if (clntaddnewcb != 2
6198 || clntparsenewcb != 2
6200 || srvparsenewcb != 2)
6204 * No Certificate message extensions in the resumption handshake,
6205 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
6207 if (clntaddnewcb != 2
6208 || clntparsenewcb != 8
6210 || srvparsenewcb != 2)
6217 SSL_SESSION_free(sess);
6218 SSL_free(serverssl);
6219 SSL_free(clientssl);
6220 SSL_CTX_free(sctx2);
6226 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
6228 #define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \
6229 | SSL_EXT_CLIENT_HELLO \
6230 | SSL_EXT_TLS1_2_SERVER_HELLO \
6231 | SSL_EXT_IGNORE_ON_RESUMPTION)
6233 #define TLS13CONTEXT (SSL_EXT_TLS1_3_CERTIFICATE \
6234 | SSL_EXT_TLS1_2_SERVER_HELLO \
6235 | SSL_EXT_CLIENT_HELLO)
6237 #define SERVERINFO_CUSTOM \
6238 0x00, (char)TLSEXT_TYPE_signed_certificate_timestamp, \
6242 static const unsigned char serverinfo_custom_tls13[] = {
6243 0x00, 0x00, (TLS13CONTEXT >> 8) & 0xff, TLS13CONTEXT & 0xff,
6246 static const unsigned char serverinfo_custom_v2[] = {
6247 0x00, 0x00, (SYNTHV1CONTEXT >> 8) & 0xff, SYNTHV1CONTEXT & 0xff,
6250 static const unsigned char serverinfo_custom_v1[] = {
6253 static const size_t serverinfo_custom_tls13_len = sizeof(serverinfo_custom_tls13);
6254 static const size_t serverinfo_custom_v2_len = sizeof(serverinfo_custom_v2);
6255 static const size_t serverinfo_custom_v1_len = sizeof(serverinfo_custom_v1);
6257 static int serverinfo_custom_parse_cb(SSL *s, unsigned int ext_type,
6258 unsigned int context,
6259 const unsigned char *in,
6260 size_t inlen, X509 *x,
6261 size_t chainidx, int *al,
6264 const size_t len = serverinfo_custom_v1_len;
6265 const unsigned char *si = &serverinfo_custom_v1[len - 3];
6266 int *p_cb_result = (int*)parse_arg;
6267 *p_cb_result = TEST_mem_eq(in, inlen, si, 3);
6271 static int test_serverinfo_custom(const int idx)
6273 SSL_CTX *sctx = NULL, *cctx = NULL;
6274 SSL *clientssl = NULL, *serverssl = NULL;
6279 * Following variables are set in the switch statement
6280 * according to the test iteration.
6281 * Default values do not make much sense: test would fail with them.
6283 int serverinfo_version = 0;
6284 int protocol_version = 0;
6285 unsigned int extension_context = 0;
6286 const unsigned char *si = NULL;
6289 const int call_use_serverinfo_ex = idx > 0;
6291 case 0: /* FALLTHROUGH */
6293 serverinfo_version = SSL_SERVERINFOV1;
6294 protocol_version = TLS1_2_VERSION;
6295 extension_context = SYNTHV1CONTEXT;
6296 si = serverinfo_custom_v1;
6297 si_len = serverinfo_custom_v1_len;
6300 serverinfo_version = SSL_SERVERINFOV2;
6301 protocol_version = TLS1_2_VERSION;
6302 extension_context = SYNTHV1CONTEXT;
6303 si = serverinfo_custom_v2;
6304 si_len = serverinfo_custom_v2_len;
6307 serverinfo_version = SSL_SERVERINFOV2;
6308 protocol_version = TLS1_3_VERSION;
6309 extension_context = TLS13CONTEXT;
6310 si = serverinfo_custom_tls13;
6311 si_len = serverinfo_custom_tls13_len;
6315 if (!TEST_true(create_ssl_ctx_pair(libctx,
6320 &sctx, &cctx, cert, privkey)))
6323 if (call_use_serverinfo_ex) {
6324 if (!TEST_true(SSL_CTX_use_serverinfo_ex(sctx, serverinfo_version,
6328 if (!TEST_true(SSL_CTX_use_serverinfo(sctx, si, si_len)))
6332 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TLSEXT_TYPE_signed_certificate_timestamp,
6335 serverinfo_custom_parse_cb,
6337 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6339 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6341 || !TEST_int_eq(SSL_do_handshake(clientssl), 1))
6344 if (!TEST_true(cb_result))
6350 SSL_free(serverssl);
6351 SSL_free(clientssl);
6360 * Test that SSL_export_keying_material() produces expected results. There are
6361 * no test vectors so all we do is test that both sides of the communication
6362 * produce the same results for different protocol versions.
6364 #define SMALL_LABEL_LEN 10
6365 #define LONG_LABEL_LEN 249
6366 static int test_export_key_mat(int tst)
6369 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
6370 SSL *clientssl = NULL, *serverssl = NULL;
6371 const char label[LONG_LABEL_LEN + 1] = "test label";
6372 const unsigned char context[] = "context";
6373 const unsigned char *emptycontext = NULL;
6374 unsigned char longcontext[1280];
6375 int test_longcontext = fips_provider_version_ge(libctx, 3, 3, 0);
6376 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80], ckeymat4[80];
6377 unsigned char skeymat1[80], skeymat2[80], skeymat3[80], skeymat4[80];
6379 const int protocols[] = {
6388 #ifdef OPENSSL_NO_TLS1
6392 #ifdef OPENSSL_NO_TLS1_1
6396 if (is_fips && (tst == 0 || tst == 1))
6398 #ifdef OPENSSL_NO_TLS1_2
6402 #ifdef OSSL_NO_USABLE_TLS1_3
6406 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6407 TLS_client_method(), TLS1_VERSION, 0,
6408 &sctx, &cctx, cert, privkey)))
6411 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
6412 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
6413 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
6414 if ((protocols[tst] < TLS1_2_VERSION) &&
6415 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
6416 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
6419 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6424 * Premature call of SSL_export_keying_material should just fail.
6426 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6427 sizeof(ckeymat1), label,
6428 SMALL_LABEL_LEN + 1, context,
6429 sizeof(context) - 1, 1), 0))
6432 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6438 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
6441 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6442 sizeof(ckeymat1), label,
6443 LONG_LABEL_LEN + 1, context,
6444 sizeof(context) - 1, 1), 0))
6449 } else if (tst == 4) {
6450 labellen = LONG_LABEL_LEN;
6452 labellen = SMALL_LABEL_LEN;
6455 memset(longcontext, 1, sizeof(longcontext));
6457 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
6458 sizeof(ckeymat1), label,
6460 sizeof(context) - 1, 1), 1)
6461 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
6462 sizeof(ckeymat2), label,
6466 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
6467 sizeof(ckeymat3), label,
6470 || (test_longcontext
6471 && !TEST_int_eq(SSL_export_keying_material(clientssl,
6473 sizeof(ckeymat4), label,
6476 sizeof(longcontext), 1),
6478 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
6479 sizeof(skeymat1), label,
6482 sizeof(context) -1, 1),
6484 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
6485 sizeof(skeymat2), label,
6489 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
6490 sizeof(skeymat3), label,
6493 || (test_longcontext
6494 && !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat4,
6495 sizeof(skeymat4), label,
6498 sizeof(longcontext), 1),
6501 * Check that both sides created the same key material with the
6504 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6507 * Check that both sides created the same key material with an
6510 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6513 * Check that both sides created the same key material without a
6516 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
6519 * Check that both sides created the same key material with a
6522 || (test_longcontext
6523 && !TEST_mem_eq(ckeymat4, sizeof(ckeymat4), skeymat4,
6525 /* Different contexts should produce different results */
6526 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6531 * Check that an empty context and no context produce different results in
6532 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6534 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
6536 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
6543 SSL_free(serverssl);
6544 SSL_free(clientssl);
6545 SSL_CTX_free(sctx2);
6552 #ifndef OSSL_NO_USABLE_TLS1_3
6554 * Test that SSL_export_keying_material_early() produces expected
6555 * results. There are no test vectors so all we do is test that both
6556 * sides of the communication produce the same results for different
6557 * protocol versions.
6559 static int test_export_key_mat_early(int idx)
6561 static const char label[] = "test label";
6562 static const unsigned char context[] = "context";
6564 SSL_CTX *cctx = NULL, *sctx = NULL;
6565 SSL *clientssl = NULL, *serverssl = NULL;
6566 SSL_SESSION *sess = NULL;
6567 const unsigned char *emptycontext = NULL;
6568 unsigned char ckeymat1[80], ckeymat2[80];
6569 unsigned char skeymat1[80], skeymat2[80];
6570 unsigned char buf[1];
6571 size_t readbytes, written;
6573 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
6574 &sess, idx, SHA384_DIGEST_LENGTH)))
6577 /* Here writing 0 length early data is enough. */
6578 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6579 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6581 SSL_READ_EARLY_DATA_ERROR)
6582 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6583 SSL_EARLY_DATA_ACCEPTED))
6586 if (!TEST_int_eq(SSL_export_keying_material_early(
6587 clientssl, ckeymat1, sizeof(ckeymat1), label,
6588 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6589 || !TEST_int_eq(SSL_export_keying_material_early(
6590 clientssl, ckeymat2, sizeof(ckeymat2), label,
6591 sizeof(label) - 1, emptycontext, 0), 1)
6592 || !TEST_int_eq(SSL_export_keying_material_early(
6593 serverssl, skeymat1, sizeof(skeymat1), label,
6594 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6595 || !TEST_int_eq(SSL_export_keying_material_early(
6596 serverssl, skeymat2, sizeof(skeymat2), label,
6597 sizeof(label) - 1, emptycontext, 0), 1)
6599 * Check that both sides created the same key material with the
6602 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6605 * Check that both sides created the same key material with an
6608 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6610 /* Different contexts should produce different results */
6611 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6618 SSL_SESSION_free(sess);
6619 SSL_SESSION_free(clientpsk);
6620 SSL_SESSION_free(serverpsk);
6621 clientpsk = serverpsk = NULL;
6622 SSL_free(serverssl);
6623 SSL_free(clientssl);
6630 #define NUM_KEY_UPDATE_MESSAGES 40
6634 static int test_key_update(void)
6636 SSL_CTX *cctx = NULL, *sctx = NULL;
6637 SSL *clientssl = NULL, *serverssl = NULL;
6638 int testresult = 0, i, j;
6640 static char *mess = "A test message";
6642 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6643 TLS_client_method(),
6646 &sctx, &cctx, cert, privkey))
6647 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6649 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6653 for (j = 0; j < 2; j++) {
6654 /* Send lots of KeyUpdate messages */
6655 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6656 if (!TEST_true(SSL_key_update(clientssl,
6658 ? SSL_KEY_UPDATE_NOT_REQUESTED
6659 : SSL_KEY_UPDATE_REQUESTED))
6660 || !TEST_true(SSL_do_handshake(clientssl)))
6664 /* Check that sending and receiving app data is ok */
6665 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6666 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6670 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6671 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6679 SSL_free(serverssl);
6680 SSL_free(clientssl);
6688 * Test we can handle a KeyUpdate (update requested) message while
6689 * write data is pending in peer.
6690 * Test 0: Client sends KeyUpdate while Server is writing
6691 * Test 1: Server sends KeyUpdate while Client is writing
6693 static int test_key_update_peer_in_write(int tst)
6695 SSL_CTX *cctx = NULL, *sctx = NULL;
6696 SSL *clientssl = NULL, *serverssl = NULL;
6699 static char *mess = "A test message";
6700 BIO *bretry = BIO_new(bio_s_always_retry());
6702 SSL *peerupdate = NULL, *peerwrite = NULL;
6704 if (!TEST_ptr(bretry)
6705 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6706 TLS_client_method(),
6709 &sctx, &cctx, cert, privkey))
6710 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6712 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6716 peerupdate = tst == 0 ? clientssl : serverssl;
6717 peerwrite = tst == 0 ? serverssl : clientssl;
6719 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
6720 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
6723 /* Swap the writing endpoint's write BIO to force a retry */
6724 tmp = SSL_get_wbio(peerwrite);
6725 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6729 SSL_set0_wbio(peerwrite, bretry);
6732 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6733 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6734 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE)
6735 || !TEST_true(SSL_want_write(peerwrite))
6736 || !TEST_true(SSL_net_write_desired(peerwrite)))
6739 /* Reinstate the original writing endpoint's write BIO */
6740 SSL_set0_wbio(peerwrite, tmp);
6743 /* Now read some data - we will read the key update */
6744 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6745 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ)
6746 || !TEST_true(SSL_want_read(peerwrite))
6747 || !TEST_true(SSL_net_read_desired(peerwrite)))
6751 * Complete the write we started previously and read it from the other
6754 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6755 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6758 /* Write more data to ensure we send the KeyUpdate message back */
6759 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6760 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6763 if (!TEST_false(SSL_net_read_desired(peerwrite))
6764 || !TEST_false(SSL_net_write_desired(peerwrite))
6765 || !TEST_int_eq(SSL_want(peerwrite), SSL_NOTHING))
6771 SSL_free(serverssl);
6772 SSL_free(clientssl);
6782 * Test we can handle a KeyUpdate (update requested) message while
6783 * peer read data is pending after peer accepted keyupdate(the msg header
6784 * had been read 5 bytes).
6785 * Test 0: Client sends KeyUpdate while Server is reading
6786 * Test 1: Server sends KeyUpdate while Client is reading
6788 static int test_key_update_peer_in_read(int tst)
6790 SSL_CTX *cctx = NULL, *sctx = NULL;
6791 SSL *clientssl = NULL, *serverssl = NULL;
6793 char prbuf[515], lwbuf[515] = {0};
6794 static char *mess = "A test message";
6795 BIO *lbio = NULL, *pbio = NULL;
6796 SSL *local = NULL, *peer = NULL;
6798 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6799 TLS_client_method(),
6802 &sctx, &cctx, cert, privkey))
6803 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6805 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6809 local = tst == 0 ? clientssl : serverssl;
6810 peer = tst == 0 ? serverssl : clientssl;
6812 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6815 SSL_set_bio(local, lbio, lbio);
6816 SSL_set_bio(peer, pbio, pbio);
6819 * we first write keyupdate msg then appdata in local
6820 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6821 * lwbuf app data msg size + key updata msg size > 512(the size of
6822 * the bio pair buffer)
6824 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6825 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
6826 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6830 * first read keyupdate msg in peer in peer
6831 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6833 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
6834 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
6837 /* Now write some data in peer - we will write the key update */
6838 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
6842 * write data in local previously that we will complete
6843 * read data in peer previously that we will complete
6845 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
6846 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
6849 /* check that sending and receiving appdata ok */
6850 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6851 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6857 SSL_free(serverssl);
6858 SSL_free(clientssl);
6866 * Test we can't send a KeyUpdate (update requested) message while
6867 * local write data is pending.
6868 * Test 0: Client sends KeyUpdate while Client is writing
6869 * Test 1: Server sends KeyUpdate while Server is writing
6871 static int test_key_update_local_in_write(int tst)
6873 SSL_CTX *cctx = NULL, *sctx = NULL;
6874 SSL *clientssl = NULL, *serverssl = NULL;
6877 static char *mess = "A test message";
6878 BIO *bretry = BIO_new(bio_s_always_retry());
6880 SSL *local = NULL, *peer = NULL;
6882 if (!TEST_ptr(bretry)
6883 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6884 TLS_client_method(),
6887 &sctx, &cctx, cert, privkey))
6888 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6890 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6894 local = tst == 0 ? clientssl : serverssl;
6895 peer = tst == 0 ? serverssl : clientssl;
6897 /* Swap the writing endpoint's write BIO to force a retry */
6898 tmp = SSL_get_wbio(local);
6899 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6903 SSL_set0_wbio(local, bretry);
6906 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
6907 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
6908 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6911 /* Reinstate the original writing endpoint's write BIO */
6912 SSL_set0_wbio(local, tmp);
6915 /* SSL_key_update will fail, because writing in local*/
6916 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6917 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
6921 /* write data in local previously that we will complete */
6922 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
6925 /* SSL_key_update will succeed because there is no pending write data */
6926 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6927 || !TEST_int_eq(SSL_do_handshake(local), 1))
6931 * we write some appdata in local
6932 * read data in peer - we will read the keyupdate msg
6934 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6935 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
6938 /* Write more peer more data to ensure we send the keyupdate message back */
6939 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6940 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
6946 SSL_free(serverssl);
6947 SSL_free(clientssl);
6957 * Test we can handle a KeyUpdate (update requested) message while
6958 * local read data is pending(the msg header had been read 5 bytes).
6959 * Test 0: Client sends KeyUpdate while Client is reading
6960 * Test 1: Server sends KeyUpdate while Server is reading
6962 static int test_key_update_local_in_read(int tst)
6964 SSL_CTX *cctx = NULL, *sctx = NULL;
6965 SSL *clientssl = NULL, *serverssl = NULL;
6967 char lrbuf[515], pwbuf[515] = {0}, prbuf[20];
6968 static char *mess = "A test message";
6969 BIO *lbio = NULL, *pbio = NULL;
6970 SSL *local = NULL, *peer = NULL;
6972 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6973 TLS_client_method(),
6976 &sctx, &cctx, cert, privkey))
6977 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6979 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6983 local = tst == 0 ? clientssl : serverssl;
6984 peer = tst == 0 ? serverssl : clientssl;
6986 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6989 SSL_set_bio(local, lbio, lbio);
6990 SSL_set_bio(peer, pbio, pbio);
6992 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
6993 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
6994 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
6997 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
6998 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
6999 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
7002 /* SSL_do_handshake will send keyupdate msg */
7003 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
7004 || !TEST_int_eq(SSL_do_handshake(local), 1))
7008 * write data in peer previously that we will complete
7009 * read data in local previously that we will complete
7011 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
7012 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
7016 * write data in local
7017 * read data in peer - we will read the key update
7019 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
7020 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
7023 /* Write more peer data to ensure we send the keyupdate message back */
7024 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
7025 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
7031 SSL_free(serverssl);
7032 SSL_free(clientssl);
7038 #endif /* OSSL_NO_USABLE_TLS1_3 */
7041 * Test clearing a connection via SSL_clear(), or resetting it via
7042 * SSL_set_connect_state()/SSL_set_accept_state()
7043 * Test 0: SSL_set_connect_state, TLSv1.3
7044 * Test 1: SSL_set_connect_state, TLSv1.2
7045 * Test 2: SSL_set_accept_state, TLSv1.3
7046 * Test 3: SSL_set_accept_state, TLSv1.2
7047 * Test 4: SSL_clear (client), TLSv1.3
7048 * Test 5: SSL_clear (client), TLSv1.2
7049 * Test 6: SSL_clear (server), TLSv1.3
7050 * Test 7: SSL_clear (server), TLSv1.2
7052 static int test_ssl_clear(int idx)
7054 SSL_CTX *cctx = NULL, *sctx = NULL;
7055 SSL *clientssl = NULL, *serverssl = NULL;
7056 SSL *writer, *reader;
7058 int tls12test, servertest, cleartest;
7059 size_t written, readbytes;
7060 const char *msg = "Hello World";
7061 unsigned char buf[5];
7063 tls12test = idx & 1;
7065 servertest = idx & 1;
7067 cleartest = idx & 1;
7069 #ifdef OPENSSL_NO_TLS1_2
7071 return TEST_skip("No TLSv1.2 in this build");
7074 /* Create an initial connection */
7075 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7076 TLS_client_method(), TLS1_VERSION, 0,
7077 &sctx, &cctx, cert, privkey))
7079 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
7081 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7082 &clientssl, NULL, NULL))
7083 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7095 /* Write some data */
7096 if (!TEST_true(SSL_write_ex(writer, msg, strlen(msg), &written))
7097 || written != strlen(msg))
7101 * Read a partial record. The remaining buffered data should be cleared by
7102 * the subsequent clear/reset
7104 if (!TEST_true(SSL_read_ex(reader, buf, sizeof(buf), &readbytes))
7105 || readbytes != sizeof(buf))
7108 SSL_shutdown(clientssl);
7109 SSL_shutdown(serverssl);
7111 /* Reset/clear one SSL object in order to reuse it. We free the other one */
7114 if (!TEST_true(SSL_clear(serverssl)))
7117 SSL_set_accept_state(serverssl);
7120 * A peculiarity of SSL_clear() is that it does not clear the session.
7121 * This is intended behaviour so that a client can create a new
7122 * connection and reuse the session. But this doesn't make much sense
7123 * on the server side - and causes incorrect behaviour due to the
7124 * handshake failing (even though the documentation does say SSL_clear()
7125 * is supposed to work on the server side). We clear the session
7126 * explicitly - although note that the documentation for
7127 * SSL_set_session() says that its only useful for clients!
7129 if (!TEST_true(SSL_set_session(serverssl, NULL)))
7131 SSL_free(clientssl);
7135 if (!TEST_true(SSL_clear(clientssl)))
7138 SSL_set_connect_state(clientssl);
7140 SSL_free(serverssl);
7144 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7146 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7148 || !TEST_true(servertest || SSL_session_reused(clientssl)))
7151 SSL_shutdown(clientssl);
7152 SSL_shutdown(serverssl);
7157 SSL_free(serverssl);
7158 SSL_free(clientssl);
7165 /* Parse CH and retrieve any MFL extension value if present */
7166 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
7169 unsigned char *data;
7170 PACKET pkt, pkt2, pkt3;
7171 unsigned int MFL_code = 0, type = 0;
7173 if (!TEST_uint_gt(len = BIO_get_mem_data(bio, (char **) &data), 0))
7176 memset(&pkt, 0, sizeof(pkt));
7177 memset(&pkt2, 0, sizeof(pkt2));
7178 memset(&pkt3, 0, sizeof(pkt3));
7180 if (!TEST_long_gt(len, 0)
7181 || !TEST_true(PACKET_buf_init(&pkt, data, len))
7182 /* Skip the record header */
7183 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
7184 /* Skip the handshake message header */
7185 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
7186 /* Skip client version and random */
7187 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
7188 + SSL3_RANDOM_SIZE))
7189 /* Skip session id */
7190 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
7192 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
7193 /* Skip compression */
7194 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
7195 /* Extensions len */
7196 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
7199 /* Loop through all extensions */
7200 while (PACKET_remaining(&pkt2)) {
7201 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
7202 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
7205 if (type == TLSEXT_TYPE_max_fragment_length) {
7206 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
7207 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
7210 *mfl_codemfl_code = MFL_code;
7219 /* Maximum-Fragment-Length TLS extension mode to test */
7220 static const unsigned char max_fragment_len_test[] = {
7221 TLSEXT_max_fragment_length_512,
7222 TLSEXT_max_fragment_length_1024,
7223 TLSEXT_max_fragment_length_2048,
7224 TLSEXT_max_fragment_length_4096
7227 static int test_max_fragment_len_ext(int idx_tst)
7229 SSL_CTX *ctx = NULL;
7231 int testresult = 0, MFL_mode = 0;
7234 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
7235 TLS1_VERSION, 0, NULL, &ctx, NULL,
7239 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
7240 ctx, max_fragment_len_test[idx_tst])))
7247 rbio = BIO_new(BIO_s_mem());
7248 wbio = BIO_new(BIO_s_mem());
7249 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
7255 SSL_set_bio(con, rbio, wbio);
7257 if (!TEST_int_le(SSL_connect(con), 0)) {
7258 /* This shouldn't succeed because we don't have a server! */
7262 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
7263 /* no MFL in client hello */
7265 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
7277 #ifndef OSSL_NO_USABLE_TLS1_3
7278 static int test_pha_key_update(void)
7280 SSL_CTX *cctx = NULL, *sctx = NULL;
7281 SSL *clientssl = NULL, *serverssl = NULL;
7284 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7285 TLS_client_method(), TLS1_VERSION, 0,
7286 &sctx, &cctx, cert, privkey)))
7289 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
7290 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
7291 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
7292 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
7295 SSL_CTX_set_post_handshake_auth(cctx, 1);
7297 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7301 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7305 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7306 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7309 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
7312 /* Start handshake on the server */
7313 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
7316 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
7317 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7321 SSL_shutdown(clientssl);
7322 SSL_shutdown(serverssl);
7327 SSL_free(serverssl);
7328 SSL_free(clientssl);
7335 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7337 static SRP_VBASE *vbase = NULL;
7339 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
7341 int ret = SSL3_AL_FATAL;
7343 SRP_user_pwd *user = NULL;
7345 username = SSL_get_srp_username(s);
7346 if (username == NULL) {
7347 *ad = SSL_AD_INTERNAL_ERROR;
7351 user = SRP_VBASE_get1_by_user(vbase, username);
7353 *ad = SSL_AD_INTERNAL_ERROR;
7357 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
7359 *ad = SSL_AD_INTERNAL_ERROR;
7366 SRP_user_pwd_free(user);
7370 static int create_new_vfile(char *userid, char *password, const char *filename)
7373 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
7376 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
7379 if (!TEST_ptr(dummy) || !TEST_ptr(row))
7382 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
7383 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
7384 if (!TEST_ptr(gNid))
7388 * The only way to create an empty TXT_DB is to provide a BIO with no data
7391 db = TXT_DB_read(dummy, DB_NUMBER);
7395 out = BIO_new_file(filename, "w");
7399 row[DB_srpid] = OPENSSL_strdup(userid);
7400 row[DB_srptype] = OPENSSL_strdup("V");
7401 row[DB_srpgN] = OPENSSL_strdup(gNid);
7403 if (!TEST_ptr(row[DB_srpid])
7404 || !TEST_ptr(row[DB_srptype])
7405 || !TEST_ptr(row[DB_srpgN])
7406 || !TEST_true(TXT_DB_insert(db, row)))
7411 if (TXT_DB_write(out, db) <= 0)
7417 for (i = 0; i < DB_NUMBER; i++)
7418 OPENSSL_free(row[i]);
7428 static int create_new_vbase(char *userid, char *password)
7430 BIGNUM *verifier = NULL, *salt = NULL;
7431 const SRP_gN *lgN = NULL;
7432 SRP_user_pwd *user_pwd = NULL;
7435 lgN = SRP_get_default_gN(NULL);
7439 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
7440 lgN->N, lgN->g, libctx, NULL)))
7443 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
7444 if (!TEST_ptr(user_pwd))
7447 user_pwd->N = lgN->N;
7448 user_pwd->g = lgN->g;
7449 user_pwd->id = OPENSSL_strdup(userid);
7450 if (!TEST_ptr(user_pwd->id))
7453 user_pwd->v = verifier;
7455 verifier = salt = NULL;
7457 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
7463 SRP_user_pwd_free(user_pwd);
7473 * Test 0: Simple successful SRP connection, new vbase
7474 * Test 1: Connection failure due to bad password, new vbase
7475 * Test 2: Simple successful SRP connection, vbase loaded from existing file
7476 * Test 3: Connection failure due to bad password, vbase loaded from existing
7478 * Test 4: Simple successful SRP connection, vbase loaded from new file
7479 * Test 5: Connection failure due to bad password, vbase loaded from new file
7481 static int test_srp(int tst)
7483 char *userid = "test", *password = "password", *tstsrpfile;
7484 SSL_CTX *cctx = NULL, *sctx = NULL;
7485 SSL *clientssl = NULL, *serverssl = NULL;
7486 int ret, testresult = 0;
7488 vbase = SRP_VBASE_new(NULL);
7489 if (!TEST_ptr(vbase))
7492 if (tst == 0 || tst == 1) {
7493 if (!TEST_true(create_new_vbase(userid, password)))
7496 if (tst == 4 || tst == 5) {
7497 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
7499 tstsrpfile = tmpfilename;
7501 tstsrpfile = srpvfile;
7503 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
7507 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7508 TLS_client_method(), TLS1_VERSION, 0,
7509 &sctx, &cctx, cert, privkey)))
7512 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
7513 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
7514 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
7515 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
7516 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
7520 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
7523 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
7527 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7531 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7533 if (!TEST_true(tst % 2 == 0))
7536 if (!TEST_true(tst % 2 == 1))
7543 SRP_VBASE_free(vbase);
7545 SSL_free(serverssl);
7546 SSL_free(clientssl);
7554 static int info_cb_failed = 0;
7555 static int info_cb_offset = 0;
7556 static int info_cb_this_state = -1;
7558 static struct info_cb_states_st {
7560 const char *statestr;
7561 } info_cb_states[][60] = {
7563 /* TLSv1.2 server followed by resumption */
7564 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7565 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7566 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
7567 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
7568 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
7569 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7570 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7571 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7572 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"},
7573 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7574 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
7575 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7576 {SSL_CB_EXIT, NULL}, {0, NULL},
7578 /* TLSv1.2 client followed by resumption */
7579 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7580 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7581 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
7582 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
7583 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
7584 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7585 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7586 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7587 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7588 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7589 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7590 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
7592 /* TLSv1.3 server followed by resumption */
7593 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7594 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7595 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
7596 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7597 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7598 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7599 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7600 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7601 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7602 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7603 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7604 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7605 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7607 /* TLSv1.3 client followed by resumption */
7608 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7609 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7610 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
7611 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7612 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7613 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7614 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7615 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7616 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7617 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7618 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7619 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7620 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7621 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7622 {SSL_CB_EXIT, NULL}, {0, NULL},
7624 /* TLSv1.3 server, early_data */
7625 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7626 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7627 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7628 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7629 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7630 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
7631 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7632 {SSL_CB_EXIT, NULL}, {0, NULL},
7634 /* TLSv1.3 client, early_data */
7635 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7636 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
7637 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7638 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7639 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7640 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
7641 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7642 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7643 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7645 /* TLSv1.3 server, certificate compression, followed by resumption */
7646 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7647 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7648 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSCC"},
7649 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7650 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7651 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7652 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7653 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7654 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7655 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7656 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7657 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7658 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7660 /* TLSv1.3 client, certificate compression, followed by resumption */
7661 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7662 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7663 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSCC"},
7664 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7665 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7666 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7667 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7668 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7669 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7670 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7671 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7672 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7673 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7674 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7675 {SSL_CB_EXIT, NULL}, {0, NULL},
7681 static void sslapi_info_callback(const SSL *s, int where, int ret)
7683 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
7685 /* We do not ever expect a connection to fail in this test */
7686 if (!TEST_false(ret == 0)) {
7692 * Do some sanity checks. We never expect these things to happen in this
7695 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
7696 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
7697 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
7702 /* Now check we're in the right state */
7703 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
7707 if ((where & SSL_CB_LOOP) != 0
7708 && !TEST_int_eq(strcmp(SSL_state_string(s),
7709 state[info_cb_this_state].statestr), 0)) {
7715 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7717 if ((where & SSL_CB_HANDSHAKE_DONE)
7718 && SSL_in_init((SSL *)s) != 0) {
7725 * Test the info callback gets called when we expect it to.
7727 * Test 0: TLSv1.2, server
7728 * Test 1: TLSv1.2, client
7729 * Test 2: TLSv1.3, server
7730 * Test 3: TLSv1.3, client
7731 * Test 4: TLSv1.3, server, early_data
7732 * Test 5: TLSv1.3, client, early_data
7733 * Test 6: TLSv1.3, server, compressed certificate
7734 * Test 7: TLSv1.3, client, compressed certificate
7736 static int test_info_callback(int tst)
7738 SSL_CTX *cctx = NULL, *sctx = NULL;
7739 SSL *clientssl = NULL, *serverssl = NULL;
7740 SSL_SESSION *clntsess = NULL;
7745 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
7746 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7747 || !defined(OPENSSL_NO_DH))
7748 tlsvers = TLS1_2_VERSION;
7753 #ifndef OSSL_NO_USABLE_TLS1_3
7754 tlsvers = TLS1_3_VERSION;
7762 info_cb_this_state = -1;
7763 info_cb_offset = tst;
7765 #ifndef OSSL_NO_USABLE_TLS1_3
7766 if (tst >= 4 && tst < 6) {
7767 SSL_SESSION *sess = NULL;
7768 size_t written, readbytes;
7769 unsigned char buf[80];
7771 /* early_data tests */
7772 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
7773 &serverssl, &sess, 0,
7774 SHA384_DIGEST_LENGTH)))
7777 /* We don't actually need this reference */
7778 SSL_SESSION_free(sess);
7780 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
7781 sslapi_info_callback);
7783 /* Write and read some early data and then complete the connection */
7784 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
7786 || !TEST_size_t_eq(written, strlen(MSG1))
7787 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
7788 sizeof(buf), &readbytes),
7789 SSL_READ_EARLY_DATA_SUCCESS)
7790 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
7791 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
7792 SSL_EARLY_DATA_ACCEPTED)
7793 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7795 || !TEST_false(info_cb_failed))
7803 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7804 TLS_client_method(),
7805 tlsvers, tlsvers, &sctx, &cctx, cert,
7809 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
7813 * For even numbered tests we check the server callbacks. For odd numbers we
7816 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
7817 sslapi_info_callback);
7819 if (!SSL_CTX_compress_certs(sctx, 0))
7823 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7824 &clientssl, NULL, NULL))
7825 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7827 || !TEST_false(info_cb_failed))
7832 clntsess = SSL_get1_session(clientssl);
7833 SSL_shutdown(clientssl);
7834 SSL_shutdown(serverssl);
7835 SSL_free(serverssl);
7836 SSL_free(clientssl);
7837 serverssl = clientssl = NULL;
7839 /* Now do a resumption */
7840 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7842 || !TEST_true(SSL_set_session(clientssl, clntsess))
7843 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7845 || !TEST_true(SSL_session_reused(clientssl))
7846 || !TEST_false(info_cb_failed))
7852 SSL_free(serverssl);
7853 SSL_free(clientssl);
7854 SSL_SESSION_free(clntsess);
7860 static int test_ssl_pending(int tst)
7862 SSL_CTX *cctx = NULL, *sctx = NULL;
7863 SSL *clientssl = NULL, *serverssl = NULL;
7865 char msg[] = "A test message";
7867 size_t written, readbytes;
7870 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7871 TLS_client_method(),
7873 &sctx, &cctx, cert, privkey)))
7876 #ifndef OPENSSL_NO_DTLS
7877 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
7878 DTLS_client_method(),
7880 &sctx, &cctx, cert, privkey)))
7883 # ifdef OPENSSL_NO_DTLS1_2
7884 /* Not supported in the FIPS provider */
7890 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7893 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
7894 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
7895 "DEFAULT:@SECLEVEL=0")))
7903 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7905 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7909 if (!TEST_int_eq(SSL_pending(clientssl), 0)
7910 || !TEST_false(SSL_has_pending(clientssl))
7911 || !TEST_int_eq(SSL_pending(serverssl), 0)
7912 || !TEST_false(SSL_has_pending(serverssl))
7913 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7914 || !TEST_size_t_eq(written, sizeof(msg))
7915 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
7916 || !TEST_size_t_eq(readbytes, sizeof(buf))
7917 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
7918 || !TEST_true(SSL_has_pending(clientssl)))
7924 SSL_free(serverssl);
7925 SSL_free(clientssl);
7933 unsigned int maxprot;
7934 const char *clntciphers;
7935 const char *clnttls13ciphers;
7936 const char *srvrciphers;
7937 const char *srvrtls13ciphers;
7939 const char *fipsshared;
7940 } shared_ciphers_data[] = {
7942 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
7943 * TLSv1.3 is enabled but TLSv1.2 is disabled.
7945 #if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
7948 "AES128-SHA:AES256-SHA",
7950 "AES256-SHA:DHE-RSA-AES128-SHA",
7955 # if !defined(OPENSSL_NO_CHACHA) \
7956 && !defined(OPENSSL_NO_POLY1305) \
7957 && !defined(OPENSSL_NO_EC)
7960 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7962 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7964 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7970 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
7972 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
7974 "AES128-SHA:AES256-SHA",
7975 "AES128-SHA:AES256-SHA"
7979 "AES128-SHA:AES256-SHA",
7981 "AES128-SHA:DHE-RSA-AES128-SHA",
7988 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7991 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
7992 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
7995 "AES128-SHA:AES256-SHA",
7997 "AES256-SHA:AES128-SHA256",
7999 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
8000 "TLS_AES_128_GCM_SHA256:AES256-SHA",
8001 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
8004 #ifndef OSSL_NO_USABLE_TLS1_3
8008 "TLS_AES_256_GCM_SHA384",
8010 "TLS_AES_256_GCM_SHA384",
8011 "TLS_AES_256_GCM_SHA384",
8012 "TLS_AES_256_GCM_SHA384"
8017 static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
8019 SSL_CTX *cctx = NULL, *sctx = NULL;
8020 SSL *clientssl = NULL, *serverssl = NULL;
8023 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
8025 if (!TEST_ptr(tmplibctx))
8029 * Regardless of whether we're testing with the FIPS provider loaded into
8030 * libctx, we want one peer to always use the full set of ciphersuites
8031 * available. Therefore we use a separate libctx with the default provider
8032 * loaded into it. We run the same tests twice - once with the client side
8033 * having the full set of ciphersuites and once with the server side.
8036 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
8037 if (!TEST_ptr(cctx))
8040 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
8041 if (!TEST_ptr(sctx))
8045 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8046 TLS_client_method(),
8048 shared_ciphers_data[tst].maxprot,
8049 &sctx, &cctx, cert, privkey)))
8052 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8053 shared_ciphers_data[tst].clntciphers))
8054 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
8055 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
8056 shared_ciphers_data[tst].clnttls13ciphers)))
8057 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
8058 shared_ciphers_data[tst].srvrciphers))
8059 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
8060 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
8061 shared_ciphers_data[tst].srvrtls13ciphers))))
8065 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8067 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8071 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
8072 || !TEST_int_eq(strcmp(buf,
8074 ? shared_ciphers_data[tst].fipsshared
8075 : shared_ciphers_data[tst].shared),
8077 TEST_info("Shared ciphers are: %s\n", buf);
8084 SSL_free(serverssl);
8085 SSL_free(clientssl);
8088 OSSL_LIB_CTX_free(tmplibctx);
8093 static int test_ssl_get_shared_ciphers(int tst)
8095 return int_test_ssl_get_shared_ciphers(tst, 0)
8096 && int_test_ssl_get_shared_ciphers(tst, 1);
8100 static const char *appdata = "Hello World";
8101 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
8102 static int tick_key_renew = 0;
8103 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
8105 static int gen_tick_cb(SSL *s, void *arg)
8107 gen_tick_called = 1;
8109 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
8113 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
8114 const unsigned char *keyname,
8115 size_t keyname_length,
8116 SSL_TICKET_STATUS status,
8122 dec_tick_called = 1;
8124 if (status == SSL_TICKET_EMPTY)
8125 return SSL_TICKET_RETURN_IGNORE_RENEW;
8127 if (!TEST_true(status == SSL_TICKET_SUCCESS
8128 || status == SSL_TICKET_SUCCESS_RENEW))
8129 return SSL_TICKET_RETURN_ABORT;
8131 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
8133 || !TEST_size_t_eq(tickdlen, strlen(appdata))
8134 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
8135 return SSL_TICKET_RETURN_ABORT;
8137 if (tick_key_cb_called) {
8138 /* Don't change what the ticket key callback wanted to do */
8140 case SSL_TICKET_NO_DECRYPT:
8141 return SSL_TICKET_RETURN_IGNORE_RENEW;
8143 case SSL_TICKET_SUCCESS:
8144 return SSL_TICKET_RETURN_USE;
8146 case SSL_TICKET_SUCCESS_RENEW:
8147 return SSL_TICKET_RETURN_USE_RENEW;
8150 return SSL_TICKET_RETURN_ABORT;
8153 return tick_dec_ret;
8157 #ifndef OPENSSL_NO_DEPRECATED_3_0
8158 static int tick_key_cb(SSL *s, unsigned char key_name[16],
8159 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
8160 HMAC_CTX *hctx, int enc)
8162 const unsigned char tick_aes_key[16] = "0123456789abcdef";
8163 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
8164 EVP_CIPHER *aes128cbc;
8168 tick_key_cb_called = 1;
8170 if (tick_key_renew == -1)
8173 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
8174 if (!TEST_ptr(aes128cbc))
8176 sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
8177 if (!TEST_ptr(sha256)) {
8178 EVP_CIPHER_free(aes128cbc);
8182 memset(iv, 0, AES_BLOCK_SIZE);
8183 memset(key_name, 0, 16);
8184 if (aes128cbc == NULL
8186 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
8187 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
8191 ret = tick_key_renew ? 2 : 1;
8193 EVP_CIPHER_free(aes128cbc);
8194 EVP_MD_free(sha256);
8200 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
8201 unsigned char iv[EVP_MAX_IV_LENGTH],
8202 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
8204 const unsigned char tick_aes_key[16] = "0123456789abcdef";
8205 unsigned char tick_hmac_key[16] = "0123456789abcdef";
8206 OSSL_PARAM params[2];
8207 EVP_CIPHER *aes128cbc;
8210 tick_key_cb_called = 1;
8212 if (tick_key_renew == -1)
8215 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
8216 if (!TEST_ptr(aes128cbc))
8219 memset(iv, 0, AES_BLOCK_SIZE);
8220 memset(key_name, 0, 16);
8221 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
8223 params[1] = OSSL_PARAM_construct_end();
8224 if (aes128cbc == NULL
8225 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
8226 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
8230 ret = tick_key_renew ? 2 : 1;
8232 EVP_CIPHER_free(aes128cbc);
8238 * Test the various ticket callbacks
8239 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
8240 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
8241 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
8242 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
8243 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
8244 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
8245 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
8246 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
8247 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
8248 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
8249 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
8250 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
8251 * Test 12: TLSv1.2, old ticket key callback, no ticket
8252 * Test 13: TLSv1.3, old ticket key callback, no ticket
8253 * Test 14: TLSv1.2, ticket key callback, ticket, no renewal
8254 * Test 15: TLSv1.3, ticket key callback, ticket, no renewal
8255 * Test 16: TLSv1.2, ticket key callback, ticket, renewal
8256 * Test 17: TLSv1.3, ticket key callback, ticket, renewal
8257 * Test 18: TLSv1.2, ticket key callback, no ticket
8258 * Test 19: TLSv1.3, ticket key callback, no ticket
8260 static int test_ticket_callbacks(int tst)
8262 SSL_CTX *cctx = NULL, *sctx = NULL;
8263 SSL *clientssl = NULL, *serverssl = NULL;
8264 SSL_SESSION *clntsess = NULL;
8267 #ifdef OPENSSL_NO_TLS1_2
8271 #ifdef OSSL_NO_USABLE_TLS1_3
8275 #ifdef OPENSSL_NO_DEPRECATED_3_0
8276 if (tst >= 8 && tst <= 13)
8280 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
8282 /* Which tests the ticket key callback should request renewal for */
8284 if (tst == 10 || tst == 11 || tst == 16 || tst == 17)
8286 else if (tst == 12 || tst == 13 || tst == 18 || tst == 19)
8287 tick_key_renew = -1; /* abort sending the ticket/0-length ticket */
8291 /* Which tests the decrypt ticket callback should request renewal for */
8295 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
8300 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
8305 tick_dec_ret = SSL_TICKET_RETURN_USE;
8310 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
8314 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
8317 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8318 TLS_client_method(),
8320 ((tst % 2) == 0) ? TLS1_2_VERSION
8322 &sctx, &cctx, cert, privkey)))
8326 * We only want sessions to resume from tickets - not the session cache. So
8327 * switch the cache off.
8329 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
8332 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
8337 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
8339 #ifndef OPENSSL_NO_DEPRECATED_3_0
8340 } else if (tst >= 8) {
8341 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
8346 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8348 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8353 * The decrypt ticket key callback in TLSv1.2 should be called even though
8354 * we have no ticket yet, because it gets called with a status of
8355 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
8356 * actually send any ticket data). This does not happen in TLSv1.3 because
8357 * it is not valid to send empty ticket data in TLSv1.3.
8359 if (!TEST_int_eq(gen_tick_called, 1)
8360 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
8363 gen_tick_called = dec_tick_called = 0;
8365 clntsess = SSL_get1_session(clientssl);
8366 SSL_shutdown(clientssl);
8367 SSL_shutdown(serverssl);
8368 SSL_free(serverssl);
8369 SSL_free(clientssl);
8370 serverssl = clientssl = NULL;
8372 /* Now do a resumption */
8373 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8375 || !TEST_true(SSL_set_session(clientssl, clntsess))
8376 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8380 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
8381 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8382 || tick_key_renew == -1) {
8383 if (!TEST_false(SSL_session_reused(clientssl)))
8386 if (!TEST_true(SSL_session_reused(clientssl)))
8390 if (!TEST_int_eq(gen_tick_called,
8392 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8393 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
8395 /* There is no ticket to decrypt in tests 13 and 19 */
8396 || !TEST_int_eq(dec_tick_called, (tst == 13 || tst == 19) ? 0 : 1))
8402 SSL_SESSION_free(clntsess);
8403 SSL_free(serverssl);
8404 SSL_free(clientssl);
8412 * Test incorrect shutdown.
8413 * Test 0: client does not shutdown properly,
8414 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
8415 * server should get SSL_ERROR_SSL
8416 * Test 1: client does not shutdown properly,
8417 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
8418 * server should get SSL_ERROR_ZERO_RETURN
8420 static int test_incorrect_shutdown(int tst)
8422 SSL_CTX *cctx = NULL, *sctx = NULL;
8423 SSL *clientssl = NULL, *serverssl = NULL;
8428 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8429 TLS_client_method(), 0, 0,
8430 &sctx, &cctx, cert, privkey)))
8434 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
8436 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8440 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8444 c2s = SSL_get_rbio(serverssl);
8445 BIO_set_mem_eof_return(c2s, 0);
8447 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
8450 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
8452 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
8458 SSL_free(serverssl);
8459 SSL_free(clientssl);
8467 * Test bi-directional shutdown.
8469 * Test 1: TLSv1.2, server continues to read/write after client shutdown
8470 * Test 2: TLSv1.3, no pending NewSessionTicket messages
8471 * Test 3: TLSv1.3, pending NewSessionTicket messages
8472 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
8473 * sends key update, client reads it
8474 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
8475 * sends CertificateRequest, client reads and ignores it
8476 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
8479 static int test_shutdown(int tst)
8481 SSL_CTX *cctx = NULL, *sctx = NULL;
8482 SSL *clientssl = NULL, *serverssl = NULL;
8484 char msg[] = "A test message";
8486 size_t written, readbytes;
8489 #ifdef OPENSSL_NO_TLS1_2
8493 #ifdef OSSL_NO_USABLE_TLS1_3
8498 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8499 TLS_client_method(),
8501 (tst <= 1) ? TLS1_2_VERSION
8503 &sctx, &cctx, cert, privkey)))
8507 SSL_CTX_set_post_handshake_auth(cctx, 1);
8509 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8514 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
8515 SSL_ERROR_NONE, 1, 0))
8516 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8517 || !TEST_false(SSL_SESSION_is_resumable(sess)))
8519 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8521 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8522 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
8526 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8531 * Reading on the server after the client has sent close_notify should
8532 * fail and provide SSL_ERROR_ZERO_RETURN
8534 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
8535 || !TEST_int_eq(SSL_get_error(serverssl, 0),
8536 SSL_ERROR_ZERO_RETURN)
8537 || !TEST_int_eq(SSL_get_shutdown(serverssl),
8538 SSL_RECEIVED_SHUTDOWN)
8540 * Even though we're shutdown on receive we should still be
8543 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8546 && !TEST_true(SSL_key_update(serverssl,
8547 SSL_KEY_UPDATE_REQUESTED)))
8550 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
8551 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
8554 if ((tst == 4 || tst == 5)
8555 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8557 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8559 if (tst == 4 || tst == 5) {
8560 /* Should still be able to read data from server */
8561 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8563 || !TEST_size_t_eq(readbytes, sizeof(msg))
8564 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
8565 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8567 || !TEST_size_t_eq(readbytes, sizeof(msg))
8568 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
8573 /* Writing on the client after sending close_notify shouldn't be possible */
8574 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
8579 * For these tests the client has sent close_notify but it has not yet
8580 * been received by the server. The server has not sent close_notify
8583 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
8585 * Writing on the server after sending close_notify shouldn't
8588 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8589 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
8590 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8591 || !TEST_true(SSL_SESSION_is_resumable(sess))
8592 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
8594 } else if (tst == 4 || tst == 5) {
8596 * In this test the client has sent close_notify and it has been
8597 * received by the server which has responded with a close_notify. The
8598 * client needs to read the close_notify sent by the server.
8600 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
8601 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8602 || !TEST_true(SSL_SESSION_is_resumable(sess)))
8608 * The client has sent close_notify and is expecting a close_notify
8609 * back, but instead there is application data first. The shutdown
8610 * should fail with a fatal error.
8612 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
8613 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
8620 SSL_free(serverssl);
8621 SSL_free(clientssl);
8629 * Test that sending close_notify alerts works correctly in the case of a
8630 * retryable write failure.
8632 static int test_async_shutdown(void)
8634 SSL_CTX *cctx = NULL, *sctx = NULL;
8635 SSL *clientssl = NULL, *serverssl = NULL;
8637 BIO *bretry = BIO_new(bio_s_always_retry()), *tmp = NULL;
8639 if (!TEST_ptr(bretry))
8642 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8643 TLS_client_method(),
8645 &sctx, &cctx, cert, privkey)))
8648 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8652 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8655 /* Close write side of clientssl */
8656 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8659 tmp = SSL_get_wbio(serverssl);
8660 if (!TEST_true(BIO_up_ref(tmp))) {
8664 SSL_set0_wbio(serverssl, bretry);
8667 /* First server shutdown should fail because of a retrable write failure */
8668 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8669 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8672 /* Second server shutdown should fail for the same reason */
8673 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8674 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8677 SSL_set0_wbio(serverssl, tmp);
8680 /* Third server shutdown should send close_notify */
8681 if (!TEST_int_eq(SSL_shutdown(serverssl), 0))
8684 /* Fourth server shutdown should read close_notify from client and finish */
8685 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8688 /* Client should also successfully fully shutdown */
8689 if (!TEST_int_eq(SSL_shutdown(clientssl), 1))
8694 SSL_free(serverssl);
8695 SSL_free(clientssl);
8704 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8705 static int cert_cb_cnt;
8707 static int cert_cb(SSL *s, void *arg)
8709 SSL_CTX *ctx = (SSL_CTX *)arg;
8711 EVP_PKEY *pkey = NULL;
8712 X509 *x509 = NULL, *rootx = NULL;
8713 STACK_OF(X509) *chain = NULL;
8714 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
8717 if (cert_cb_cnt == 0) {
8718 /* Suspend the handshake */
8721 } else if (cert_cb_cnt == 1) {
8723 * Update the SSL_CTX, set the certificate and private key and then
8724 * continue the handshake normally.
8726 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
8729 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
8730 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
8732 || !TEST_true(SSL_check_private_key(s)))
8736 } else if (cert_cb_cnt == 3) {
8739 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
8740 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8741 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8742 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
8744 chain = sk_X509_new_null();
8745 if (!TEST_ptr(chain))
8747 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8748 || !TEST_int_gt(BIO_read_filename(in, rootfile), 0)
8749 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
8750 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
8751 || !TEST_true(sk_X509_push(chain, rootx)))
8755 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8756 || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0)
8757 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
8758 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
8761 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8762 || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0)
8763 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
8767 rv = SSL_check_chain(s, x509, pkey, chain);
8769 * If the cert doesn't show as valid here (e.g., because we don't
8770 * have any shared sigalgs), then we will not set it, and there will
8771 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8772 * will cause tls_choose_sigalgs() to fail the connection.
8774 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
8775 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
8776 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
8783 /* Abort the handshake */
8785 OPENSSL_free(ecdsacert);
8786 OPENSSL_free(ecdsakey);
8787 OPENSSL_free(rootfile);
8789 EVP_PKEY_free(pkey);
8792 OSSL_STACK_OF_X509_free(chain);
8797 * Test the certificate callback.
8798 * Test 0: Callback fails
8799 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8800 * Test 2: Success - SSL_set_SSL_CTX() in the callback
8801 * Test 3: Success - Call SSL_check_chain from the callback
8802 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8804 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
8806 static int test_cert_cb_int(int prot, int tst)
8808 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
8809 SSL *clientssl = NULL, *serverssl = NULL;
8810 int testresult = 0, ret;
8812 #ifdef OPENSSL_NO_EC
8813 /* We use an EC cert in these tests, so we skip in a no-ec build */
8818 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8819 TLS_client_method(),
8822 &sctx, &cctx, NULL, NULL)))
8833 snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
8834 if (!TEST_ptr(snictx))
8838 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
8840 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8846 * We cause SSL_check_chain() to fail by specifying sig_algs that
8847 * the chain doesn't meet (the root uses an RSA cert)
8849 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8850 "ecdsa_secp256r1_sha256")))
8852 } else if (tst == 5) {
8854 * We cause SSL_check_chain() to fail by specifying sig_algs that
8855 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8857 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8858 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8862 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
8863 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
8865 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
8872 SSL_free(serverssl);
8873 SSL_free(clientssl);
8876 SSL_CTX_free(snictx);
8882 static int test_cert_cb(int tst)
8886 #ifndef OPENSSL_NO_TLS1_2
8887 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
8889 #ifndef OSSL_NO_USABLE_TLS1_3
8890 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
8896 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
8901 BIO *priv_in = NULL;
8903 /* Check that SSL_get0_peer_certificate() returns something sensible */
8904 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
8907 in = BIO_new_file(cert, "r");
8911 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
8912 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
8913 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
8914 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
8932 static int test_client_cert_cb(int tst)
8934 SSL_CTX *cctx = NULL, *sctx = NULL;
8935 SSL *clientssl = NULL, *serverssl = NULL;
8938 #ifdef OPENSSL_NO_TLS1_2
8942 #ifdef OSSL_NO_USABLE_TLS1_3
8947 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8948 TLS_client_method(),
8950 tst == 0 ? TLS1_2_VERSION
8952 &sctx, &cctx, cert, privkey)))
8956 * Test that setting a client_cert_cb results in a client certificate being
8959 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
8960 SSL_CTX_set_verify(sctx,
8961 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
8964 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8966 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8973 SSL_free(serverssl);
8974 SSL_free(clientssl);
8981 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8983 * Test setting certificate authorities on both client and server.
8985 * Test 0: SSL_CTX_set0_CA_list() only
8986 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
8987 * Test 2: Only SSL_CTX_set_client_CA_list()
8989 static int test_ca_names_int(int prot, int tst)
8991 SSL_CTX *cctx = NULL, *sctx = NULL;
8992 SSL *clientssl = NULL, *serverssl = NULL;
8995 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
8996 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
8997 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
8998 const STACK_OF(X509_NAME) *sktmp = NULL;
9000 for (i = 0; i < OSSL_NELEM(name); i++) {
9001 name[i] = X509_NAME_new();
9002 if (!TEST_ptr(name[i])
9003 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
9011 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9012 TLS_client_method(),
9015 &sctx, &cctx, cert, privkey)))
9018 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
9020 if (tst == 0 || tst == 1) {
9021 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
9022 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
9023 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
9024 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
9025 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
9026 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
9029 SSL_CTX_set0_CA_list(sctx, sk1);
9030 SSL_CTX_set0_CA_list(cctx, sk2);
9033 if (tst == 1 || tst == 2) {
9034 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
9035 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
9036 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
9037 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
9038 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
9039 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
9042 SSL_CTX_set_client_CA_list(sctx, sk1);
9043 SSL_CTX_set_client_CA_list(cctx, sk2);
9047 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9049 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9054 * We only expect certificate authorities to have been sent to the server
9055 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
9057 sktmp = SSL_get0_peer_CA_list(serverssl);
9058 if (prot == TLS1_3_VERSION
9059 && (tst == 0 || tst == 1)) {
9060 if (!TEST_ptr(sktmp)
9061 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
9062 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
9064 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
9067 } else if (!TEST_ptr_null(sktmp)) {
9072 * In all tests we expect certificate authorities to have been sent to the
9073 * client. However, SSL_set_client_CA_list() should override
9074 * SSL_set0_CA_list()
9076 sktmp = SSL_get0_peer_CA_list(clientssl);
9077 if (!TEST_ptr(sktmp)
9078 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
9079 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
9080 name[tst == 0 ? 0 : 2]), 0)
9081 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
9082 name[tst == 0 ? 1 : 3]), 0))
9088 SSL_free(serverssl);
9089 SSL_free(clientssl);
9092 for (i = 0; i < OSSL_NELEM(name); i++)
9093 X509_NAME_free(name[i]);
9094 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
9095 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
9101 static int test_ca_names(int tst)
9105 #ifndef OPENSSL_NO_TLS1_2
9106 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
9108 #ifndef OSSL_NO_USABLE_TLS1_3
9109 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
9115 #ifndef OPENSSL_NO_TLS1_2
9116 static const char *multiblock_cipherlist_data[]=
9124 /* Reduce the fragment size - so the multiblock test buffer can be small */
9125 # define MULTIBLOCK_FRAGSIZE 512
9127 static int test_multiblock_write(int test_index)
9129 static const char *fetchable_ciphers[]=
9131 "AES-128-CBC-HMAC-SHA1",
9132 "AES-128-CBC-HMAC-SHA256",
9133 "AES-256-CBC-HMAC-SHA1",
9134 "AES-256-CBC-HMAC-SHA256"
9136 const char *cipherlist = multiblock_cipherlist_data[test_index];
9137 const SSL_METHOD *smeth = TLS_server_method();
9138 const SSL_METHOD *cmeth = TLS_client_method();
9139 int min_version = TLS1_VERSION;
9140 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
9141 SSL_CTX *cctx = NULL, *sctx = NULL;
9142 SSL *clientssl = NULL, *serverssl = NULL;
9146 * Choose a buffer large enough to perform a multi-block operation
9147 * i.e: write_len >= 4 * frag_size
9148 * 9 * is chosen so that multiple multiblocks are used + some leftover.
9150 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
9151 unsigned char buf[sizeof(msg)], *p = buf;
9152 size_t readbytes, written, len;
9153 EVP_CIPHER *ciph = NULL;
9156 * Check if the cipher exists before attempting to use it since it only has
9157 * a hardware specific implementation.
9159 ciph = EVP_CIPHER_fetch(libctx, fetchable_ciphers[test_index], "");
9161 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
9164 EVP_CIPHER_free(ciph);
9166 /* Set up a buffer with some data that will be sent to the client */
9167 RAND_bytes(msg, sizeof(msg));
9169 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
9170 max_version, &sctx, &cctx, cert,
9174 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
9177 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9181 /* settings to force it to use AES-CBC-HMAC_SHA */
9182 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
9183 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
9186 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9189 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
9190 || !TEST_size_t_eq(written, sizeof(msg)))
9195 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
9200 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
9205 SSL_free(serverssl);
9206 SSL_free(clientssl);
9212 #endif /* OPENSSL_NO_TLS1_2 */
9214 static int test_session_timeout(int test)
9217 * Test session ordering and timeout
9218 * Can't explicitly test performance of the new code,
9219 * but can test to see if the ordering of the sessions
9220 * are correct, and they are removed as expected
9222 SSL_SESSION *early = NULL;
9223 SSL_SESSION *middle = NULL;
9224 SSL_SESSION *late = NULL;
9227 long now = (long)time(NULL);
9230 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
9231 || !TEST_ptr(early = SSL_SESSION_new())
9232 || !TEST_ptr(middle = SSL_SESSION_new())
9233 || !TEST_ptr(late = SSL_SESSION_new()))
9236 /* assign unique session ids */
9237 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9238 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
9239 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9240 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
9241 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9242 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
9244 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9245 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
9246 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
9249 /* Make sure they are all added */
9250 if (!TEST_ptr(early->prev)
9251 || !TEST_ptr(middle->prev)
9252 || !TEST_ptr(late->prev))
9255 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
9256 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
9257 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
9260 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
9261 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
9262 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
9265 /* Make sure they are all still there */
9266 if (!TEST_ptr(early->prev)
9267 || !TEST_ptr(middle->prev)
9268 || !TEST_ptr(late->prev))
9271 /* Make sure they are in the expected order */
9272 if (!TEST_ptr_eq(late->next, middle)
9273 || !TEST_ptr_eq(middle->next, early)
9274 || !TEST_ptr_eq(early->prev, middle)
9275 || !TEST_ptr_eq(middle->prev, late))
9278 /* This should remove "early" */
9279 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1);
9280 if (!TEST_ptr_null(early->prev)
9281 || !TEST_ptr(middle->prev)
9282 || !TEST_ptr(late->prev))
9285 /* This should remove "middle" */
9286 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1);
9287 if (!TEST_ptr_null(early->prev)
9288 || !TEST_ptr_null(middle->prev)
9289 || !TEST_ptr(late->prev))
9292 /* This should remove "late" */
9293 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11);
9294 if (!TEST_ptr_null(early->prev)
9295 || !TEST_ptr_null(middle->prev)
9296 || !TEST_ptr_null(late->prev))
9299 /* Add them back in again */
9300 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9301 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
9302 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
9305 /* Make sure they are all added */
9306 if (!TEST_ptr(early->prev)
9307 || !TEST_ptr(middle->prev)
9308 || !TEST_ptr(late->prev))
9311 /* This should remove all of them */
9312 SSL_CTX_flush_sessions(ctx, 0);
9313 if (!TEST_ptr_null(early->prev)
9314 || !TEST_ptr_null(middle->prev)
9315 || !TEST_ptr_null(late->prev))
9318 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
9319 | SSL_CTX_get_session_cache_mode(ctx));
9321 /* make sure |now| is NOT equal to the current time */
9323 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
9324 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9325 || !TEST_long_ne(SSL_SESSION_get_time(early), now))
9331 SSL_SESSION_free(early);
9332 SSL_SESSION_free(middle);
9333 SSL_SESSION_free(late);
9338 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
9339 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
9340 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
9341 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
9342 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
9343 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
9344 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
9345 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
9346 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
9347 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
9349 static int test_servername(int tst)
9351 SSL_CTX *cctx = NULL, *sctx = NULL;
9352 SSL *clientssl = NULL, *serverssl = NULL;
9354 SSL_SESSION *sess = NULL;
9355 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
9357 #ifdef OPENSSL_NO_TLS1_2
9361 #ifdef OSSL_NO_USABLE_TLS1_3
9366 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9367 TLS_client_method(),
9369 (tst <= 4) ? TLS1_2_VERSION
9371 &sctx, &cctx, cert, privkey))
9372 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9376 if (tst != 1 && tst != 6) {
9377 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
9382 if (tst != 3 && tst != 8) {
9383 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9385 sexpectedhost = cexpectedhost = "goodhost";
9388 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9391 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
9393 || !TEST_str_eq(SSL_get_servername(serverssl,
9394 TLSEXT_NAMETYPE_host_name),
9398 /* Now repeat with a resumption handshake */
9400 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
9401 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
9402 || !TEST_true(SSL_SESSION_is_resumable(sess))
9403 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
9406 SSL_free(clientssl);
9407 SSL_free(serverssl);
9408 clientssl = serverssl = NULL;
9410 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
9414 if (!TEST_true(SSL_set_session(clientssl, sess)))
9417 sexpectedhost = cexpectedhost = "goodhost";
9418 if (tst == 2 || tst == 7) {
9419 /* Set an inconsistent hostname */
9420 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
9423 * In TLSv1.2 we expect the hostname from the original handshake, in
9424 * TLSv1.3 we expect the hostname from this handshake
9427 sexpectedhost = cexpectedhost = "altgoodhost";
9429 if (!TEST_str_eq(SSL_get_servername(clientssl,
9430 TLSEXT_NAMETYPE_host_name),
9433 } else if (tst == 4 || tst == 9) {
9435 * A TLSv1.3 session does not associate a session with a servername,
9436 * but a TLSv1.2 session does.
9439 sexpectedhost = cexpectedhost = NULL;
9441 if (!TEST_str_eq(SSL_get_servername(clientssl,
9442 TLSEXT_NAMETYPE_host_name),
9446 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9449 * In a TLSv1.2 resumption where the hostname was not acknowledged
9450 * we expect the hostname on the server to be empty. On the client we
9451 * return what was requested in this case.
9453 * Similarly if the client didn't set a hostname on an original TLSv1.2
9454 * session but is now, the server hostname will be empty, but the client
9457 if (tst == 1 || tst == 3)
9458 sexpectedhost = NULL;
9460 if (!TEST_str_eq(SSL_get_servername(clientssl,
9461 TLSEXT_NAMETYPE_host_name),
9466 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9469 if (!TEST_true(SSL_session_reused(clientssl))
9470 || !TEST_true(SSL_session_reused(serverssl))
9471 || !TEST_str_eq(SSL_get_servername(clientssl,
9472 TLSEXT_NAMETYPE_host_name),
9474 || !TEST_str_eq(SSL_get_servername(serverssl,
9475 TLSEXT_NAMETYPE_host_name),
9482 SSL_SESSION_free(sess);
9483 SSL_free(serverssl);
9484 SSL_free(clientssl);
9491 static int test_unknown_sigalgs_groups(void)
9494 SSL_CTX *ctx = NULL;
9496 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
9499 if (!TEST_int_gt(SSL_CTX_set1_sigalgs_list(ctx,
9500 "RSA+SHA256:?nonexistent:?RSA+SHA512"),
9503 if (!TEST_size_t_eq(ctx->cert->conf_sigalgslen, 2)
9504 || !TEST_int_eq(ctx->cert->conf_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256)
9505 || !TEST_int_eq(ctx->cert->conf_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512))
9508 if (!TEST_int_gt(SSL_CTX_set1_client_sigalgs_list(ctx,
9509 "RSA+SHA256:?nonexistent:?RSA+SHA512"),
9512 if (!TEST_size_t_eq(ctx->cert->client_sigalgslen, 2)
9513 || !TEST_int_eq(ctx->cert->client_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256)
9514 || !TEST_int_eq(ctx->cert->client_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512))
9517 if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
9522 if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
9523 "?nonexistent1:?nonexistent2:?nonexistent3"),
9527 #ifndef OPENSSL_NO_EC
9528 if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
9529 "P-256:nonexistent"),
9533 if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx,
9534 "P-384:?nonexistent:?P-521"),
9537 if (!TEST_size_t_eq(ctx->ext.supportedgroups_len, 2)
9538 || !TEST_int_eq(ctx->ext.supportedgroups[0], OSSL_TLS_GROUP_ID_secp384r1)
9539 || !TEST_int_eq(ctx->ext.supportedgroups[1], OSSL_TLS_GROUP_ID_secp521r1))
9549 #if !defined(OPENSSL_NO_EC) \
9550 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9552 * Test that if signature algorithms are not available, then we do not offer or
9554 * Test 0: Two RSA sig algs available: both RSA sig algs shared
9555 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
9556 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
9557 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
9558 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
9559 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
9561 static int test_sigalgs_available(int idx)
9563 SSL_CTX *cctx = NULL, *sctx = NULL;
9564 SSL *clientssl = NULL, *serverssl = NULL;
9566 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
9567 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
9568 OSSL_PROVIDER *filterprov = NULL;
9571 if (!TEST_ptr(tmpctx))
9574 if (idx != 0 && idx != 3) {
9575 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
9576 filter_provider_init)))
9579 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
9580 if (!TEST_ptr(filterprov))
9585 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
9586 * or accepted for the peer that uses this libctx. Note that libssl
9587 * *requires* SHA2-256 to be available so we cannot disable that. We
9588 * also need SHA1 for our certificate.
9590 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
9594 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
9596 # ifdef OPENSSL_NO_ECX
9597 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT, "EC"))
9599 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
9606 if (idx == 1 || idx == 4)
9612 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
9613 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
9614 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
9618 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9619 TLS_client_method(),
9622 &sctx, &cctx, cert, privkey)))
9625 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9626 TLS_client_method(),
9629 &sctx, &cctx, cert2, privkey2)))
9633 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
9635 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9636 "ECDHE-RSA-AES128-GCM-SHA256")))
9639 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9640 "ECDHE-ECDSA-AES128-GCM-SHA256")))
9645 if (!SSL_CTX_set1_sigalgs_list(cctx,
9646 "rsa_pss_rsae_sha384"
9647 ":rsa_pss_rsae_sha256")
9648 || !SSL_CTX_set1_sigalgs_list(sctx,
9649 "rsa_pss_rsae_sha384"
9650 ":rsa_pss_rsae_sha256"))
9653 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
9654 || !SSL_CTX_set1_sigalgs_list(sctx,
9655 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
9660 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
9661 SSL_FILETYPE_PEM), 1)
9662 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
9664 SSL_FILETYPE_PEM), 1)
9665 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
9668 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9672 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9675 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
9676 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
9678 (idx == 0 || idx == 3) ? 2 : 1))
9681 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
9684 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
9688 testresult = filter_provider_check_clean_finish();
9691 SSL_free(serverssl);
9692 SSL_free(clientssl);
9695 OSSL_PROVIDER_unload(filterprov);
9696 OSSL_LIB_CTX_free(tmpctx);
9701 * !defined(OPENSSL_NO_EC) \
9702 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9705 #ifndef OPENSSL_NO_TLS1_3
9706 /* This test can run in TLSv1.3 even if ec and dh are disabled */
9707 static int test_pluggable_group(int idx)
9709 SSL_CTX *cctx = NULL, *sctx = NULL;
9710 SSL *clientssl = NULL, *serverssl = NULL;
9712 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
9713 /* Check that we are not impacted by a provider without any groups */
9714 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
9715 const char *group_name = idx == 0 ? "xorkemgroup" : "xorgroup";
9717 if (!TEST_ptr(tlsprov))
9720 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9721 TLS_client_method(),
9724 &sctx, &cctx, cert, privkey))
9725 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9729 /* ensure GROUPLIST_INCREMENT (=40) logic triggers: */
9730 if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup:xorkemgroup:dummy1:dummy2:dummy3:dummy4:dummy5:dummy6:dummy7:dummy8:dummy9:dummy10:dummy11:dummy12:dummy13:dummy14:dummy15:dummy16:dummy17:dummy18:dummy19:dummy20:dummy21:dummy22:dummy23:dummy24:dummy25:dummy26:dummy27:dummy28:dummy29:dummy30:dummy31:dummy32:dummy33:dummy34:dummy35:dummy36:dummy37:dummy38:dummy39:dummy40:dummy41:dummy42:dummy43"))
9731 /* removing a single algorithm from the list makes the test pass */
9732 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
9735 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9738 if (!TEST_str_eq(group_name,
9739 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
9742 if (!TEST_str_eq(group_name, SSL_get0_group_name(serverssl))
9743 || !TEST_str_eq(group_name, SSL_get0_group_name(clientssl)))
9749 SSL_free(serverssl);
9750 SSL_free(clientssl);
9753 OSSL_PROVIDER_unload(tlsprov);
9754 OSSL_PROVIDER_unload(legacyprov);
9760 * This function triggers encode, decode and sign functions
9761 * of the artificial "xorhmacsig" algorithm implemented in tls-provider
9762 * creating private key and certificate files for use in TLS testing.
9764 static int create_cert_key(int idx, char *certfilename, char *privkeyfilename)
9766 EVP_PKEY_CTX *evpctx = EVP_PKEY_CTX_new_from_name(libctx,
9767 (idx == 0) ? "xorhmacsig" : "xorhmacsha2sig", NULL);
9768 EVP_PKEY *pkey = NULL;
9769 X509 *x509 = X509_new();
9770 X509_NAME *name = NULL;
9771 BIO *keybio = NULL, *certbio = NULL;
9774 if (!TEST_ptr(evpctx)
9775 || !TEST_true(EVP_PKEY_keygen_init(evpctx))
9776 || !TEST_true(EVP_PKEY_generate(evpctx, &pkey))
9779 || !TEST_true(ASN1_INTEGER_set(X509_get_serialNumber(x509), 1))
9780 || !TEST_true(X509_gmtime_adj(X509_getm_notBefore(x509), 0))
9781 || !TEST_true(X509_gmtime_adj(X509_getm_notAfter(x509), 31536000L))
9782 || !TEST_true(X509_set_pubkey(x509, pkey))
9783 || !TEST_ptr(name = X509_get_subject_name(x509))
9784 || !TEST_true(X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC,
9785 (unsigned char *)"CH", -1, -1, 0))
9786 || !TEST_true(X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC,
9787 (unsigned char *)"test.org", -1, -1, 0))
9788 || !TEST_true(X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
9789 (unsigned char *)"localhost", -1, -1, 0))
9790 || !TEST_true(X509_set_issuer_name(x509, name))
9791 || !TEST_true(X509_sign(x509, pkey, EVP_sha1()))
9792 || !TEST_ptr(keybio = BIO_new_file(privkeyfilename, "wb"))
9793 || !TEST_true(PEM_write_bio_PrivateKey(keybio, pkey, NULL, NULL, 0, NULL, NULL))
9794 || !TEST_ptr(certbio = BIO_new_file(certfilename, "wb"))
9795 || !TEST_true(PEM_write_bio_X509(certbio, x509)))
9798 EVP_PKEY_free(pkey);
9800 EVP_PKEY_CTX_free(evpctx);
9807 * Test that signature algorithms loaded via the provider interface can
9808 * correctly establish a TLS (1.3) connection.
9809 * Test 0: Signature algorithm with built-in hashing functionality: "xorhmacsig"
9810 * Test 1: Signature algorithm using external SHA2 hashing: "xorhmacsha2sig"
9811 * Test 2: Test 0 using RPK
9812 * Test 3: Test 1 using RPK
9814 static int test_pluggable_signature(int idx)
9816 static const unsigned char cert_type_rpk[] = { TLSEXT_cert_type_rpk, TLSEXT_cert_type_x509 };
9817 SSL_CTX *cctx = NULL, *sctx = NULL;
9818 SSL *clientssl = NULL, *serverssl = NULL;
9820 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
9821 OSSL_PROVIDER *defaultprov = OSSL_PROVIDER_load(libctx, "default");
9822 char *certfilename = "tls-prov-cert.pem";
9823 char *privkeyfilename = "tls-prov-key.pem";
9824 int sigidx = idx % 2;
9825 int rpkidx = idx / 2;
9827 /* create key and certificate for the different algorithm types */
9828 if (!TEST_ptr(tlsprov)
9829 || !TEST_true(create_cert_key(sigidx, certfilename, privkeyfilename)))
9832 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9833 TLS_client_method(),
9836 &sctx, &cctx, certfilename, privkeyfilename))
9837 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9841 /* Enable RPK for server cert */
9843 if (!TEST_true(SSL_set1_server_cert_type(serverssl, cert_type_rpk, sizeof(cert_type_rpk)))
9844 || !TEST_true(SSL_set1_server_cert_type(clientssl, cert_type_rpk, sizeof(cert_type_rpk))))
9848 /* This is necessary to pass minimal setup w/o other groups configured */
9849 if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup"))
9850 || !TEST_true(SSL_set1_groups_list(clientssl, "xorgroup")))
9854 * If this connection gets established, it must have been completed
9855 * via the tls-provider-implemented "hmacsig" algorithm, testing
9856 * both sign and verify functions during handshake.
9858 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9861 /* If using RPK, make sure we got one */
9862 if (rpkidx && !TEST_long_eq(SSL_get_verify_result(clientssl), X509_V_ERR_RPK_UNTRUSTED))
9868 SSL_free(serverssl);
9869 SSL_free(clientssl);
9872 OSSL_PROVIDER_unload(tlsprov);
9873 OSSL_PROVIDER_unload(defaultprov);
9879 #ifndef OPENSSL_NO_TLS1_2
9880 static int test_ssl_dup(void)
9882 SSL_CTX *cctx = NULL, *sctx = NULL;
9883 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
9885 BIO *rbio = NULL, *wbio = NULL;
9887 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9888 TLS_client_method(),
9891 &sctx, &cctx, cert, privkey)))
9894 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9898 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
9899 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
9902 client2ssl = SSL_dup(clientssl);
9903 rbio = SSL_get_rbio(clientssl);
9905 || !TEST_true(BIO_up_ref(rbio)))
9907 SSL_set0_rbio(client2ssl, rbio);
9910 wbio = SSL_get_wbio(clientssl);
9911 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
9913 SSL_set0_wbio(client2ssl, wbio);
9916 if (!TEST_ptr(client2ssl)
9917 /* Handshake not started so pointers should be different */
9918 || !TEST_ptr_ne(clientssl, client2ssl))
9921 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
9922 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
9925 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
9928 SSL_free(clientssl);
9929 clientssl = SSL_dup(client2ssl);
9930 if (!TEST_ptr(clientssl)
9931 /* Handshake has finished so pointers should be the same */
9932 || !TEST_ptr_eq(clientssl, client2ssl))
9938 SSL_free(serverssl);
9939 SSL_free(clientssl);
9940 SSL_free(client2ssl);
9947 # ifndef OPENSSL_NO_DH
9949 static EVP_PKEY *tmp_dh_params = NULL;
9951 /* Helper function for the test_set_tmp_dh() tests */
9952 static EVP_PKEY *get_tmp_dh_params(void)
9954 if (tmp_dh_params == NULL) {
9956 OSSL_PARAM_BLD *tmpl = NULL;
9957 EVP_PKEY_CTX *pctx = NULL;
9958 OSSL_PARAM *params = NULL;
9959 EVP_PKEY *dhpkey = NULL;
9961 p = BN_get_rfc3526_prime_2048(NULL);
9965 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
9967 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
9970 tmpl = OSSL_PARAM_BLD_new();
9972 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
9973 OSSL_PKEY_PARAM_FFC_P,
9975 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
9976 OSSL_PKEY_PARAM_FFC_G,
9980 params = OSSL_PARAM_BLD_to_param(tmpl);
9981 if (!TEST_ptr(params)
9982 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
9983 EVP_PKEY_KEY_PARAMETERS,
9987 tmp_dh_params = dhpkey;
9990 EVP_PKEY_CTX_free(pctx);
9991 OSSL_PARAM_BLD_free(tmpl);
9992 OSSL_PARAM_free(params);
9995 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
9998 return tmp_dh_params;
10001 # ifndef OPENSSL_NO_DEPRECATED_3_0
10002 /* Callback used by test_set_tmp_dh() */
10003 static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
10005 EVP_PKEY *dhpkey = get_tmp_dh_params();
10008 if (!TEST_ptr(dhpkey))
10012 * libssl does not free the returned DH, so we free it now knowing that even
10013 * after we free dhpkey, there will still be a reference to the owning
10014 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
10015 * of time we need it for.
10017 ret = EVP_PKEY_get1_DH(dhpkey);
10020 EVP_PKEY_free(dhpkey);
10027 * Test the various methods for setting temporary DH parameters
10029 * Test 0: Default (no auto) setting
10030 * Test 1: Explicit SSL_CTX auto off
10031 * Test 2: Explicit SSL auto off
10032 * Test 3: Explicit SSL_CTX auto on
10033 * Test 4: Explicit SSL auto on
10034 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
10035 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
10037 * The following are testing deprecated APIs, so we only run them if available
10038 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
10039 * Test 8: Explicit SSL auto off, custom DH params via DH
10040 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
10041 * Test 10: Explicit SSL auto off, custom DH params via callback
10043 static int test_set_tmp_dh(int idx)
10045 SSL_CTX *cctx = NULL, *sctx = NULL;
10046 SSL *clientssl = NULL, *serverssl = NULL;
10047 int testresult = 0;
10048 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
10049 int expected = (idx <= 2) ? 0 : 1;
10050 EVP_PKEY *dhpkey = NULL;
10051 # ifndef OPENSSL_NO_DEPRECATED_3_0
10059 if (idx >= 5 && idx <= 8) {
10060 dhpkey = get_tmp_dh_params();
10061 if (!TEST_ptr(dhpkey))
10064 # ifndef OPENSSL_NO_DEPRECATED_3_0
10065 if (idx == 7 || idx == 8) {
10066 dh = EVP_PKEY_get1_DH(dhpkey);
10072 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10073 TLS_client_method(),
10076 &sctx, &cctx, cert, privkey)))
10079 if ((idx & 1) == 1) {
10080 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
10085 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
10089 # ifndef OPENSSL_NO_DEPRECATED_3_0
10090 else if (idx == 7) {
10091 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
10093 } else if (idx == 9) {
10094 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
10098 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10102 if ((idx & 1) == 0 && idx != 0) {
10103 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
10107 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
10111 # ifndef OPENSSL_NO_DEPRECATED_3_0
10112 else if (idx == 8) {
10113 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
10115 } else if (idx == 10) {
10116 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
10120 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
10121 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
10122 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
10126 * If autoon then we should succeed. Otherwise we expect failure because
10127 * there are no parameters
10129 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
10130 SSL_ERROR_NONE), expected))
10136 # ifndef OPENSSL_NO_DEPRECATED_3_0
10139 SSL_free(serverssl);
10140 SSL_free(clientssl);
10141 SSL_CTX_free(sctx);
10142 SSL_CTX_free(cctx);
10143 EVP_PKEY_free(dhpkey);
10149 * Test the auto DH keys are appropriately sized
10151 static int test_dh_auto(int idx)
10153 SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
10154 SSL_CTX *sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10155 SSL *clientssl = NULL, *serverssl = NULL;
10156 int testresult = 0;
10157 EVP_PKEY *tmpkey = NULL;
10158 char *thiscert = NULL, *thiskey = NULL;
10159 size_t expdhsize = 0;
10160 const char *ciphersuite = "DHE-RSA-AES128-SHA";
10162 if (!TEST_ptr(sctx) || !TEST_ptr(cctx))
10167 /* The FIPS provider doesn't support this DH size - so we ignore it */
10172 thiscert = cert1024;
10173 thiskey = privkey1024;
10175 SSL_CTX_set_security_level(sctx, 1);
10176 SSL_CTX_set_security_level(cctx, 1);
10179 /* 2048 bit prime */
10185 thiscert = cert3072;
10186 thiskey = privkey3072;
10190 thiscert = cert4096;
10191 thiskey = privkey4096;
10195 thiscert = cert8192;
10196 thiskey = privkey8192;
10199 /* No certificate cases */
10201 /* The FIPS provider doesn't support this DH size - so we ignore it */
10206 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
10210 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
10214 TEST_error("Invalid text index");
10218 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL,
10222 &sctx, &cctx, thiscert, thiskey)))
10225 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10229 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
10230 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
10231 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
10232 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
10233 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
10237 * Send the server's first flight. At this point the server has created the
10238 * temporary DH key but hasn't finished using it yet. Once used it is
10239 * removed, so we cannot test it.
10241 if (!TEST_int_le(SSL_connect(clientssl), 0)
10242 || !TEST_int_le(SSL_accept(serverssl), 0))
10245 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
10247 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
10250 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10256 SSL_free(serverssl);
10257 SSL_free(clientssl);
10258 SSL_CTX_free(sctx);
10259 SSL_CTX_free(cctx);
10260 EVP_PKEY_free(tmpkey);
10265 # endif /* OPENSSL_NO_DH */
10266 #endif /* OPENSSL_NO_TLS1_2 */
10268 #ifndef OSSL_NO_USABLE_TLS1_3
10270 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
10271 * that it works even without a certificate configured for the original
10274 static int test_sni_tls13(void)
10276 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
10277 SSL *clientssl = NULL, *serverssl = NULL;
10278 int testresult = 0;
10280 /* Reset callback counter */
10283 /* Create an initial SSL_CTX with no certificate configured */
10284 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10285 if (!TEST_ptr(sctx))
10287 /* Require TLSv1.3 as a minimum */
10288 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10289 TLS_client_method(), TLS1_3_VERSION, 0,
10290 &sctx2, &cctx, cert, privkey)))
10294 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
10295 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
10299 * Connection should still succeed because the final SSL_CTX has the right
10300 * certificates configured.
10302 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10303 &clientssl, NULL, NULL))
10304 || !TEST_true(create_ssl_connection(serverssl, clientssl,
10308 /* We should have had the SNI callback called exactly once */
10309 if (!TEST_int_eq(snicb, 1))
10315 SSL_free(serverssl);
10316 SSL_free(clientssl);
10317 SSL_CTX_free(sctx2);
10318 SSL_CTX_free(sctx);
10319 SSL_CTX_free(cctx);
10324 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
10328 static int test_ticket_lifetime(int idx)
10330 SSL_CTX *cctx = NULL, *sctx = NULL;
10331 SSL *clientssl = NULL, *serverssl = NULL;
10332 int testresult = 0;
10333 int version = TLS1_3_VERSION;
10335 #define ONE_WEEK_SEC (7 * 24 * 60 * 60)
10336 #define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
10339 #ifdef OPENSSL_NO_TLS1_2
10340 return TEST_skip("TLS 1.2 is disabled.");
10342 version = TLS1_2_VERSION;
10346 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10347 TLS_client_method(), version, version,
10348 &sctx, &cctx, cert, privkey)))
10351 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10352 &clientssl, NULL, NULL)))
10356 * Set the timeout to be more than 1 week
10357 * make sure the returned value is the default
10359 if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
10360 SSL_get_default_timeout(serverssl)))
10363 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10367 /* TLSv1.2 uses the set value */
10368 if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC))
10371 /* TLSv1.3 uses the limited value */
10372 if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC))
10378 SSL_free(serverssl);
10379 SSL_free(clientssl);
10380 SSL_CTX_free(sctx);
10381 SSL_CTX_free(cctx);
10386 * Test that setting an ALPN does not violate RFC
10388 static int test_set_alpn(void)
10390 SSL_CTX *ctx = NULL;
10392 int testresult = 0;
10394 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
10395 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
10396 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
10397 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
10398 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
10399 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
10401 /* Create an initial SSL_CTX with no certificate configured */
10402 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10403 if (!TEST_ptr(ctx))
10406 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
10407 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
10409 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
10411 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
10413 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
10415 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
10417 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
10419 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
10421 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
10423 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
10426 ssl = SSL_new(ctx);
10427 if (!TEST_ptr(ssl))
10430 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
10432 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
10434 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
10436 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
10438 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
10440 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
10442 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
10444 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
10446 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
10458 * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
10460 static int test_set_verify_cert_store_ssl_ctx(void)
10462 SSL_CTX *ctx = NULL;
10463 int testresult = 0;
10464 X509_STORE *store = NULL, *new_store = NULL,
10465 *cstore = NULL, *new_cstore = NULL;
10467 /* Create an initial SSL_CTX. */
10468 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10469 if (!TEST_ptr(ctx))
10472 /* Retrieve verify store pointer. */
10473 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10476 /* Retrieve chain store pointer. */
10477 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10480 /* We haven't set any yet, so this should be NULL. */
10481 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10484 /* Create stores. We use separate stores so pointers are different. */
10485 new_store = X509_STORE_new();
10486 if (!TEST_ptr(new_store))
10489 new_cstore = X509_STORE_new();
10490 if (!TEST_ptr(new_cstore))
10494 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store)))
10497 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore)))
10500 /* Should be able to retrieve the same pointer. */
10501 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10504 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10507 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10510 /* Should be able to unset again. */
10511 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL)))
10514 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL)))
10517 /* Should now be NULL. */
10518 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10521 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10524 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10530 X509_STORE_free(new_store);
10531 X509_STORE_free(new_cstore);
10537 * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store.
10539 static int test_set_verify_cert_store_ssl(void)
10541 SSL_CTX *ctx = NULL;
10543 int testresult = 0;
10544 X509_STORE *store = NULL, *new_store = NULL,
10545 *cstore = NULL, *new_cstore = NULL;
10547 /* Create an initial SSL_CTX. */
10548 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10549 if (!TEST_ptr(ctx))
10552 /* Create an SSL object. */
10553 ssl = SSL_new(ctx);
10554 if (!TEST_ptr(ssl))
10557 /* Retrieve verify store pointer. */
10558 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10561 /* Retrieve chain store pointer. */
10562 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10565 /* We haven't set any yet, so this should be NULL. */
10566 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10569 /* Create stores. We use separate stores so pointers are different. */
10570 new_store = X509_STORE_new();
10571 if (!TEST_ptr(new_store))
10574 new_cstore = X509_STORE_new();
10575 if (!TEST_ptr(new_cstore))
10579 if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store)))
10582 if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore)))
10585 /* Should be able to retrieve the same pointer. */
10586 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10589 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10592 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10595 /* Should be able to unset again. */
10596 if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL)))
10599 if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL)))
10602 /* Should now be NULL. */
10603 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10606 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10609 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10615 X509_STORE_free(new_store);
10616 X509_STORE_free(new_cstore);
10623 static int test_inherit_verify_param(void)
10625 int testresult = 0;
10627 SSL_CTX *ctx = NULL;
10628 X509_VERIFY_PARAM *cp = NULL;
10630 X509_VERIFY_PARAM *sp = NULL;
10631 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
10633 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10634 if (!TEST_ptr(ctx))
10637 cp = SSL_CTX_get0_param(ctx);
10640 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
10643 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
10645 ssl = SSL_new(ctx);
10646 if (!TEST_ptr(ssl))
10649 sp = SSL_get0_param(ssl);
10652 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
10664 static int test_load_dhfile(void)
10666 #ifndef OPENSSL_NO_DH
10667 int testresult = 0;
10669 SSL_CTX *ctx = NULL;
10670 SSL_CONF_CTX *cctx = NULL;
10672 if (dhfile == NULL)
10675 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()))
10676 || !TEST_ptr(cctx = SSL_CONF_CTX_new()))
10679 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
10680 SSL_CONF_CTX_set_flags(cctx,
10681 SSL_CONF_FLAG_CERTIFICATE
10682 | SSL_CONF_FLAG_SERVER
10683 | SSL_CONF_FLAG_FILE);
10685 if (!TEST_int_eq(SSL_CONF_cmd(cctx, "DHParameters", dhfile), 2))
10690 SSL_CONF_CTX_free(cctx);
10695 return TEST_skip("DH not supported by this build");
10699 #ifndef OSSL_NO_USABLE_TLS1_3
10700 /* Test that read_ahead works across a key change */
10701 static int test_read_ahead_key_change(void)
10703 SSL_CTX *cctx = NULL, *sctx = NULL;
10704 SSL *clientssl = NULL, *serverssl = NULL;
10705 int testresult = 0;
10706 char *msg = "Hello World";
10707 size_t written, readbytes;
10711 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10712 TLS_client_method(), TLS1_3_VERSION, 0,
10713 &sctx, &cctx, cert, privkey)))
10716 SSL_CTX_set_read_ahead(sctx, 1);
10718 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10719 &clientssl, NULL, NULL)))
10722 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10725 /* Write some data, send a key update, write more data */
10726 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10727 || !TEST_size_t_eq(written, strlen(msg)))
10730 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
10733 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10734 || !TEST_size_t_eq(written, strlen(msg)))
10738 * Since read_ahead is on the first read below should read the record with
10739 * the first app data, the second record with the key update message, and
10740 * the third record with the app data all in one go. We should be able to
10741 * still process the read_ahead data correctly even though it crosses
10744 for (i = 0; i < 2; i++) {
10745 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
10749 buf[readbytes] = '\0';
10750 if (!TEST_str_eq(buf, msg))
10757 SSL_free(serverssl);
10758 SSL_free(clientssl);
10759 SSL_CTX_free(sctx);
10760 SSL_CTX_free(cctx);
10764 static size_t record_pad_cb(SSL *s, int type, size_t len, void *arg)
10768 switch ((*called)++) {
10770 /* Add some padding to first record */
10773 /* Maximally pad the second record */
10774 return SSL3_RT_MAX_PLAIN_LENGTH - len;
10777 * Exceeding the maximum padding should be fine. It should just pad to
10778 * the maximum anyway
10780 return SSL3_RT_MAX_PLAIN_LENGTH + 1 - len;
10783 * Very large padding should also be ok. Should just pad to the maximum
10793 * Test that setting record padding in TLSv1.3 works as expected
10794 * Test 0: Record padding callback on the SSL_CTX
10795 * Test 1: Record padding callback on the SSL
10796 * Test 2: Record block padding on the SSL_CTX
10797 * Test 3: Record block padding on the SSL
10799 static int test_tls13_record_padding(int idx)
10801 SSL_CTX *cctx = NULL, *sctx = NULL;
10802 SSL *clientssl = NULL, *serverssl = NULL;
10803 int testresult = 0;
10804 char *msg = "Hello World";
10805 size_t written, readbytes;
10810 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10811 TLS_client_method(), TLS1_3_VERSION, 0,
10812 &sctx, &cctx, cert, privkey)))
10816 SSL_CTX_set_record_padding_callback(cctx, record_pad_cb);
10817 SSL_CTX_set_record_padding_callback_arg(cctx, &called);
10818 if (!TEST_ptr_eq(SSL_CTX_get_record_padding_callback_arg(cctx), &called))
10820 } else if (idx == 2) {
10821 /* Exceeding the max plain length should fail */
10822 if (!TEST_false(SSL_CTX_set_block_padding(cctx,
10823 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
10825 if (!TEST_true(SSL_CTX_set_block_padding(cctx, 512)))
10829 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10830 &clientssl, NULL, NULL)))
10834 SSL_set_record_padding_callback(clientssl, record_pad_cb);
10835 SSL_set_record_padding_callback_arg(clientssl, &called);
10836 if (!TEST_ptr_eq(SSL_get_record_padding_callback_arg(clientssl), &called))
10838 } else if (idx == 3) {
10839 /* Exceeding the max plain length should fail */
10840 if (!TEST_false(SSL_set_block_padding(clientssl,
10841 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
10843 if (!TEST_true(SSL_set_block_padding(clientssl, 512)))
10847 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10852 * Write some data, then check we can read it. Do this four times to check
10853 * we can continue to write and read padded data after the initial record
10854 * padding has been added. We don't actually check that the padding has
10855 * been applied to the record - just that we can continue to communicate
10856 * normally and that the callback has been called (if appropriate).
10858 for (i = 0; i < 4; i++) {
10859 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10860 || !TEST_size_t_eq(written, strlen(msg)))
10863 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
10865 || !TEST_size_t_eq(written, readbytes))
10868 buf[readbytes] = '\0';
10869 if (!TEST_str_eq(buf, msg))
10873 if ((idx == 0 || idx == 1) && !TEST_int_eq(called, 4))
10878 SSL_free(serverssl);
10879 SSL_free(clientssl);
10880 SSL_CTX_free(sctx);
10881 SSL_CTX_free(cctx);
10884 #endif /* OSSL_NO_USABLE_TLS1_3 */
10886 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
10888 static ENGINE *load_dasync(void)
10892 if (!TEST_ptr(e = ENGINE_by_id("dasync")))
10895 if (!TEST_true(ENGINE_init(e))) {
10900 if (!TEST_true(ENGINE_register_ciphers(e))) {
10909 * Test TLSv1.2 with a pipeline capable cipher. TLSv1.3 and DTLS do not
10910 * support this yet. The only pipeline capable cipher that we have is in the
10911 * dasync engine (providers don't support this yet), so we have to use
10912 * deprecated APIs for this test.
10914 * Test 0: Client has pipelining enabled, server does not
10915 * Test 1: Server has pipelining enabled, client does not
10916 * Test 2: Client has pipelining enabled, server does not: not enough data to
10917 * fill all the pipelines
10918 * Test 3: Client has pipelining enabled, server does not: not enough data to
10919 * fill all the pipelines by more than a full pipeline's worth
10920 * Test 4: Client has pipelining enabled, server does not: more data than all
10921 * the available pipelines can take
10922 * Test 5: Client has pipelining enabled, server does not: Maximum size pipeline
10923 * Test 6: Repeat of test 0, but the engine is loaded late (after the SSL_CTX
10926 static int test_pipelining(int idx)
10928 SSL_CTX *cctx = NULL, *sctx = NULL;
10929 SSL *clientssl = NULL, *serverssl = NULL, *peera, *peerb;
10930 int testresult = 0, numreads;
10931 /* A 55 byte message */
10932 unsigned char *msg = (unsigned char *)
10933 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123";
10934 size_t written, readbytes, offset, msglen, fragsize = 10, numpipes = 5;
10935 size_t expectedreads;
10936 unsigned char *buf = NULL;
10945 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10946 TLS_client_method(), 0,
10947 TLS1_2_VERSION, &sctx, &cctx, cert,
10955 /* Now act like test 0 */
10959 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10960 &clientssl, NULL, NULL)))
10963 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES128-SHA")))
10966 /* peera is always configured for pipelining, while peerb is not. */
10978 /* Maximum allowed fragment size */
10979 fragsize = SSL3_RT_MAX_PLAIN_LENGTH;
10980 msglen = fragsize * numpipes;
10981 msg = OPENSSL_malloc(msglen);
10982 if (!TEST_ptr(msg))
10984 if (!TEST_int_gt(RAND_bytes_ex(libctx, msg, msglen, 0), 0))
10986 } else if (idx == 4) {
10992 msglen -= 2; /* Send 2 less bytes */
10994 msglen -= 12; /* Send 12 less bytes */
10996 buf = OPENSSL_malloc(msglen);
10997 if (!TEST_ptr(buf))
11002 * Test that setting a split send fragment longer than the maximum
11005 if (!TEST_false(SSL_set_split_send_fragment(peera, fragsize + 1)))
11010 * In the normal case. We have 5 pipelines with 10 bytes per pipeline
11011 * (50 bytes in total). This is a ridiculously small number of bytes -
11012 * but sufficient for our purposes
11014 if (!TEST_true(SSL_set_max_pipelines(peera, numpipes))
11015 || !TEST_true(SSL_set_split_send_fragment(peera, fragsize)))
11018 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11021 /* Write some data from peera to peerb */
11022 if (!TEST_true(SSL_write_ex(peera, msg, msglen, &written))
11023 || !TEST_size_t_eq(written, msglen))
11027 * If the pipelining code worked, then we expect all |numpipes| pipelines to
11028 * have been used - except in test 3 where only |numpipes - 1| pipelines
11029 * will be used. This will result in |numpipes| records (|numpipes - 1| for
11030 * test 3) having been sent to peerb. Since peerb is not using read_ahead we
11031 * expect this to be read in |numpipes| or |numpipes - 1| separate
11032 * SSL_read_ex calls. In the case of test 4, there is then one additional
11033 * read for left over data that couldn't fit in the previous pipelines
11035 for (offset = 0, numreads = 0;
11037 offset += readbytes, numreads++) {
11038 if (!TEST_true(SSL_read_ex(peerb, buf + offset,
11039 msglen - offset, &readbytes)))
11043 expectedreads = idx == 4 ? numpipes + 1
11044 : (idx == 3 ? numpipes - 1 : numpipes);
11045 if (!TEST_mem_eq(msg, msglen, buf, offset)
11046 || !TEST_int_eq(numreads, expectedreads))
11050 * Write some data from peerb to peera. We do this in up to |numpipes + 1|
11051 * chunks to exercise the read pipelining code on peera.
11053 for (offset = 0; offset < msglen; offset += fragsize) {
11054 size_t sendlen = msglen - offset;
11056 if (sendlen > fragsize)
11057 sendlen = fragsize;
11058 if (!TEST_true(SSL_write_ex(peerb, msg + offset, sendlen, &written))
11059 || !TEST_size_t_eq(written, sendlen))
11064 * The data was written in |numpipes|, |numpipes - 1| or |numpipes + 1|
11065 * separate chunks (depending on which test we are running). If the
11066 * pipelining is working then we expect peera to read up to numpipes chunks
11067 * and process them in parallel, giving back the complete result in a single
11068 * call to SSL_read_ex
11070 if (!TEST_true(SSL_read_ex(peera, buf, msglen, &readbytes))
11071 || !TEST_size_t_le(readbytes, msglen))
11077 if (!TEST_true(SSL_read_ex(peera, buf + readbytes,
11078 msglen - readbytes, &readbytes2)))
11080 readbytes += readbytes2;
11081 if (!TEST_size_t_le(readbytes, msglen))
11085 if (!TEST_mem_eq(msg, msglen, buf, readbytes))
11090 SSL_free(serverssl);
11091 SSL_free(clientssl);
11092 SSL_CTX_free(sctx);
11093 SSL_CTX_free(cctx);
11095 ENGINE_unregister_ciphers(e);
11100 if (fragsize == SSL3_RT_MAX_PLAIN_LENGTH)
11104 #endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) */
11106 static int check_version_string(SSL *s, int version)
11108 const char *verstr = NULL;
11117 case TLS1_1_VERSION:
11118 verstr = "TLSv1.1";
11120 case TLS1_2_VERSION:
11121 verstr = "TLSv1.2";
11123 case TLS1_3_VERSION:
11124 verstr = "TLSv1.3";
11126 case DTLS1_VERSION:
11129 case DTLS1_2_VERSION:
11130 verstr = "DTLSv1.2";
11133 return TEST_str_eq(verstr, SSL_get_version(s));
11137 * Test that SSL_version, SSL_get_version, SSL_is_quic, SSL_is_tls and
11138 * SSL_is_dtls return the expected results for a (D)TLS connection. Compare with
11139 * test_version() in quicapitest.c which does the same thing for QUIC
11142 static int test_version(int idx)
11144 SSL_CTX *cctx = NULL, *sctx = NULL;
11145 SSL *clientssl = NULL, *serverssl = NULL;
11146 int testresult = 0, version;
11147 const SSL_METHOD *servmeth = TLS_server_method();
11148 const SSL_METHOD *clientmeth = TLS_client_method();
11151 #if !defined(OPENSSL_NO_SSL3)
11153 version = SSL3_VERSION;
11156 #if !defined(OPENSSL_NO_TLS1)
11158 version = TLS1_VERSION;
11161 #if !defined(OPENSSL_NO_TLS1_2)
11163 version = TLS1_2_VERSION;
11166 #if !defined(OSSL_NO_USABLE_TLS1_3)
11168 version = TLS1_3_VERSION;
11171 #if !defined(OPENSSL_NO_DTLS1)
11173 version = DTLS1_VERSION;
11176 #if !defined(OPENSSL_NO_DTLS1_2)
11178 version = DTLS1_2_VERSION;
11182 * NB we do not support QUIC in this test. That is covered by quicapitest.c
11183 * We also don't support DTLS1_BAD_VER since we have no server support for
11187 TEST_skip("Unsupported protocol version");
11192 && (version == SSL3_VERSION
11193 || version == TLS1_VERSION
11194 || version == DTLS1_VERSION)) {
11195 TEST_skip("Protocol version not supported with FIPS");
11199 #if !defined(OPENSSL_NO_DTLS)
11200 if (version == DTLS1_VERSION || version == DTLS1_2_VERSION) {
11201 servmeth = DTLS_server_method();
11202 clientmeth = DTLS_client_method();
11206 if (!TEST_true(create_ssl_ctx_pair(libctx, servmeth, clientmeth, version,
11207 version, &sctx, &cctx, cert, privkey)))
11210 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
11211 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
11212 "DEFAULT:@SECLEVEL=0")))
11215 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11216 &clientssl, NULL, NULL)))
11219 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11222 if (!TEST_int_eq(SSL_version(serverssl), version)
11223 || !TEST_int_eq(SSL_version(clientssl), version)
11224 || !TEST_true(check_version_string(serverssl, version))
11225 || !TEST_true(check_version_string(clientssl, version)))
11228 if (version == DTLS1_VERSION || version == DTLS1_2_VERSION) {
11229 if (!TEST_true(SSL_is_dtls(serverssl))
11230 || !TEST_true(SSL_is_dtls(clientssl))
11231 || !TEST_false(SSL_is_tls(serverssl))
11232 || !TEST_false(SSL_is_tls(clientssl))
11233 || !TEST_false(SSL_is_quic(serverssl))
11234 || !TEST_false(SSL_is_quic(clientssl)))
11237 if (!TEST_true(SSL_is_tls(serverssl))
11238 || !TEST_true(SSL_is_tls(clientssl))
11239 || !TEST_false(SSL_is_dtls(serverssl))
11240 || !TEST_false(SSL_is_dtls(clientssl))
11241 || !TEST_false(SSL_is_quic(serverssl))
11242 || !TEST_false(SSL_is_quic(clientssl)))
11248 SSL_free(serverssl);
11249 SSL_free(clientssl);
11250 SSL_CTX_free(sctx);
11251 SSL_CTX_free(cctx);
11256 * Test that the SSL_rstate_string*() APIs return sane results
11258 static int test_rstate_string(void)
11260 SSL_CTX *cctx = NULL, *sctx = NULL;
11261 SSL *clientssl = NULL, *serverssl = NULL;
11262 int testresult = 0, version;
11263 const SSL_METHOD *servmeth = TLS_server_method();
11264 const SSL_METHOD *clientmeth = TLS_client_method();
11265 size_t written, readbytes;
11266 unsigned char buf[2];
11267 unsigned char dummyheader[SSL3_RT_HEADER_LENGTH] = {
11268 SSL3_RT_APPLICATION_DATA,
11269 TLS1_2_VERSION_MAJOR,
11270 0, /* To be filled in later */
11275 if (!TEST_true(create_ssl_ctx_pair(libctx, servmeth, clientmeth, 0,
11276 0, &sctx, &cctx, cert, privkey)))
11279 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11280 &clientssl, NULL, NULL)))
11283 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RH")
11284 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read header"))
11287 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11290 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RH")
11291 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read header"))
11294 /* Fill in the correct version for the record header */
11295 version = SSL_version(serverssl);
11296 if (version == TLS1_3_VERSION)
11297 version = TLS1_2_VERSION;
11298 dummyheader[2] = version & 0xff;
11301 * Send a dummy header. If we continued to read the body as well this
11302 * would fail with a bad record mac, but we're not going to go that far.
11304 if (!TEST_true(BIO_write_ex(SSL_get_rbio(serverssl), dummyheader,
11305 sizeof(dummyheader), &written))
11306 || !TEST_size_t_eq(written, SSL3_RT_HEADER_LENGTH))
11309 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)))
11312 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RB")
11313 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read body"))
11318 SSL_free(serverssl);
11319 SSL_free(clientssl);
11320 SSL_CTX_free(sctx);
11321 SSL_CTX_free(cctx);
11326 * Force a write retry during handshaking. We test various combinations of
11327 * scenarios. We test a large certificate message which will fill the buffering
11328 * BIO used in the handshake. We try with client auth on and off. Finally we
11329 * also try a BIO that indicates retry via a 0 return. BIO_write() is documented
11330 * to indicate retry via -1 - but sometimes BIOs don't do that.
11332 * Test 0: Standard certificate message
11333 * Test 1: Large certificate message
11334 * Test 2: Standard cert, verify peer
11335 * Test 3: Large cert, verify peer
11336 * Test 4: Standard cert, BIO returns 0 on retry
11337 * Test 5: Large cert, BIO returns 0 on retry
11338 * Test 6: Standard cert, verify peer, BIO returns 0 on retry
11339 * Test 7: Large cert, verify peer, BIO returns 0 on retry
11340 * Test 8-15: Repeat of above with TLSv1.2
11342 static int test_handshake_retry(int idx)
11344 SSL_CTX *cctx = NULL, *sctx = NULL;
11345 SSL *clientssl = NULL, *serverssl = NULL;
11346 int testresult = 0;
11347 BIO *tmp = NULL, *bretry = BIO_new(bio_s_always_retry());
11348 int maxversion = 0;
11350 if (!TEST_ptr(bretry))
11353 #ifndef OPENSSL_NO_TLS1_2
11354 if ((idx & 8) == 8)
11355 maxversion = TLS1_2_VERSION;
11357 if ((idx & 8) == 8)
11358 return TEST_skip("No TLSv1.2");
11361 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11362 TLS_client_method(), 0, maxversion,
11363 &sctx, &cctx, cert, privkey)))
11367 * Add a large amount of data to fill the buffering BIO used by the SSL
11370 if ((idx & 1) == 1 && !ssl_ctx_add_large_cert_chain(libctx, sctx, cert))
11374 * We don't actually configure a client cert, but neither do we fail if one
11377 if ((idx & 2) == 2)
11378 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
11380 if ((idx & 4) == 4)
11381 set_always_retry_err_val(0);
11383 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11384 &clientssl, NULL, NULL)))
11387 tmp = SSL_get_wbio(serverssl);
11388 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
11392 SSL_set0_wbio(serverssl, bretry);
11395 if (!TEST_int_eq(SSL_connect(clientssl), -1))
11398 if (!TEST_int_eq(SSL_accept(serverssl), -1)
11399 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
11402 /* Restore a BIO that will let the write succeed */
11403 SSL_set0_wbio(serverssl, tmp);
11406 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11411 SSL_free(serverssl);
11412 SSL_free(clientssl);
11413 SSL_CTX_free(sctx);
11414 SSL_CTX_free(cctx);
11417 set_always_retry_err_val(-1);
11422 * Test that receiving retries when writing application data works as expected
11424 static int test_data_retry(void)
11426 SSL_CTX *cctx = NULL, *sctx = NULL;
11427 SSL *clientssl = NULL, *serverssl = NULL;
11428 int testresult = 0;
11429 unsigned char inbuf[1200], outbuf[1200];
11432 BIO *bretry = BIO_new(bio_s_maybe_retry());
11433 size_t written, readbytes, totread = 0;
11435 if (!TEST_ptr(bretry))
11438 for (i = 0; i < sizeof(inbuf); i++)
11439 inbuf[i] = (unsigned char)(0xff & i);
11440 memset(outbuf, 0, sizeof(outbuf));
11442 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11443 TLS_client_method(), 0, 0, &sctx, &cctx,
11447 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
11451 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11454 /* Smallest possible max send fragment is 512 */
11455 if (!TEST_true(SSL_set_max_send_fragment(clientssl, 512)))
11458 tmp = SSL_get_wbio(clientssl);
11459 if (!TEST_ptr(tmp))
11461 if (!TEST_true(BIO_up_ref(tmp)))
11463 BIO_push(bretry, tmp);
11465 SSL_set0_wbio(clientssl, bretry);
11466 if (!BIO_up_ref(bretry)) {
11471 for (i = 0; i < 3; i++) {
11472 /* We expect this call to make no progress and indicate retry */
11473 if (!TEST_false(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
11475 if (!TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_WRITE))
11478 /* Allow one write to progress, but the next one to signal retry */
11479 if (!TEST_true(BIO_ctrl(bretry, MAYBE_RETRY_CTRL_SET_RETRY_AFTER_CNT, 1,
11487 * This call will hopefully make progress but will still indicate retry
11488 * because there is more data than will fit into a single record.
11490 if (!TEST_false(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
11492 if (!TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_WRITE))
11496 /* The final call should write the last chunk of data and succeed */
11497 if (!TEST_true(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
11499 /* Read all the data available */
11500 while (SSL_read_ex(serverssl, outbuf + totread, sizeof(outbuf) - totread,
11502 totread += readbytes;
11503 if (!TEST_mem_eq(inbuf, sizeof(inbuf), outbuf, totread))
11508 SSL_free(serverssl);
11509 SSL_free(clientssl);
11510 SSL_CTX_free(sctx);
11511 SSL_CTX_free(cctx);
11512 BIO_free_all(bretry);
11518 * Test multiple resumptions and cache size handling
11519 * Test 0: TLSv1.3 (max_early_data set)
11520 * Test 1: TLSv1.3 (SSL_OP_NO_TICKET set)
11521 * Test 2: TLSv1.3 (max_early_data and SSL_OP_NO_TICKET set)
11524 static int test_multi_resume(int idx)
11526 SSL_CTX *sctx = NULL, *cctx = NULL;
11527 SSL *serverssl = NULL, *clientssl = NULL;
11528 SSL_SESSION *sess = NULL;
11529 int max_version = TLS1_3_VERSION;
11530 int i, testresult = 0;
11533 max_version = TLS1_2_VERSION;
11535 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11536 TLS_client_method(), TLS1_VERSION,
11537 max_version, &sctx, &cctx, cert,
11542 * TLSv1.3 only uses a session cache if either max_early_data > 0 (used for
11543 * replay protection), or if SSL_OP_NO_TICKET is in use
11545 if (idx == 0 || idx == 2) {
11546 if (!TEST_true(SSL_CTX_set_max_early_data(sctx, 1024)))
11549 if (idx == 1 || idx == 2)
11550 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
11552 SSL_CTX_sess_set_cache_size(sctx, 5);
11554 for (i = 0; i < 30; i++) {
11555 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
11557 || !TEST_true(SSL_set_session(clientssl, sess)))
11561 * Recreate a bug where dynamically changing the max_early_data value
11562 * can cause sessions in the session cache which cannot be deleted.
11564 if ((idx == 0 || idx == 2) && (i % 3) == 2)
11565 SSL_set_max_early_data(serverssl, 0);
11567 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11570 if (sess == NULL || (idx == 0 && (i % 3) == 2)) {
11571 if (!TEST_false(SSL_session_reused(clientssl)))
11574 if (!TEST_true(SSL_session_reused(clientssl)))
11577 SSL_SESSION_free(sess);
11579 /* Do a full handshake, followed by two resumptions */
11580 if ((i % 3) == 2) {
11583 if (!TEST_ptr((sess = SSL_get1_session(clientssl))))
11587 SSL_shutdown(clientssl);
11588 SSL_shutdown(serverssl);
11589 SSL_free(serverssl);
11590 SSL_free(clientssl);
11591 serverssl = clientssl = NULL;
11594 /* We should never exceed the session cache size limit */
11595 if (!TEST_long_le(SSL_CTX_sess_number(sctx), 5))
11600 SSL_free(serverssl);
11601 SSL_free(clientssl);
11602 SSL_CTX_free(sctx);
11603 SSL_CTX_free(cctx);
11604 SSL_SESSION_free(sess);
11608 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
11610 int setup_tests(void)
11615 libctx = OSSL_LIB_CTX_new();
11616 if (!TEST_ptr(libctx))
11619 defctxnull = OSSL_PROVIDER_load(NULL, "null");
11622 * Verify that the default and fips providers in the default libctx are not
11625 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
11626 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
11629 if (!test_skip_common_options()) {
11630 TEST_error("Error parsing test options\n");
11634 if (!TEST_ptr(certsdir = test_get_argument(0))
11635 || !TEST_ptr(srpvfile = test_get_argument(1))
11636 || !TEST_ptr(tmpfilename = test_get_argument(2))
11637 || !TEST_ptr(modulename = test_get_argument(3))
11638 || !TEST_ptr(configfile = test_get_argument(4))
11639 || !TEST_ptr(dhfile = test_get_argument(5)))
11642 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
11645 /* Check we have the expected provider available */
11646 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
11649 /* Check the default provider is not available */
11650 if (strcmp(modulename, "default") != 0
11651 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
11654 if (strcmp(modulename, "fips") == 0) {
11655 OSSL_PROVIDER *prov = NULL;
11656 OSSL_PARAM params[2];
11660 prov = OSSL_PROVIDER_load(libctx, "fips");
11661 if (prov != NULL) {
11662 /* Query the fips provider to check if the check ems option is enabled */
11664 OSSL_PARAM_construct_int(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK,
11666 params[1] = OSSL_PARAM_construct_end();
11667 OSSL_PROVIDER_get_params(prov, params);
11668 OSSL_PROVIDER_unload(prov);
11673 * We add, but don't load the test "tls-provider". We'll load it when we
11676 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
11677 tls_provider_init)))
11681 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
11682 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
11683 TEST_error("not supported in this build");
11686 int i, mcount, rcount, fcount;
11688 for (i = 0; i < 4; i++)
11689 test_export_key_mat(i);
11690 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
11691 test_printf_stdout("malloc %d realloc %d free %d\n",
11692 mcount, rcount, fcount);
11697 cert = test_mk_file_path(certsdir, "servercert.pem");
11701 privkey = test_mk_file_path(certsdir, "serverkey.pem");
11702 if (privkey == NULL)
11705 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
11709 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
11710 if (privkey2 == NULL)
11713 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
11714 if (cert1024 == NULL)
11717 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
11718 if (privkey1024 == NULL)
11721 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
11722 if (cert3072 == NULL)
11725 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
11726 if (privkey3072 == NULL)
11729 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
11730 if (cert4096 == NULL)
11733 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
11734 if (privkey4096 == NULL)
11737 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
11738 if (cert8192 == NULL)
11741 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
11742 if (privkey8192 == NULL)
11745 if (fips_ems_check) {
11746 #ifndef OPENSSL_NO_TLS1_2
11747 ADD_TEST(test_no_ems);
11751 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
11752 # if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
11753 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
11754 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS * 2);
11757 ADD_TEST(test_large_message_tls);
11758 ADD_TEST(test_large_message_tls_read_ahead);
11759 #ifndef OPENSSL_NO_DTLS
11760 ADD_TEST(test_large_message_dtls);
11762 ADD_ALL_TESTS(test_large_app_data, 28);
11763 ADD_TEST(test_cleanse_plaintext);
11764 #ifndef OPENSSL_NO_OCSP
11765 ADD_TEST(test_tlsext_status_type);
11767 ADD_TEST(test_session_with_only_int_cache);
11768 ADD_TEST(test_session_with_only_ext_cache);
11769 ADD_TEST(test_session_with_both_cache);
11770 ADD_TEST(test_session_wo_ca_names);
11771 #ifndef OSSL_NO_USABLE_TLS1_3
11772 ADD_ALL_TESTS(test_stateful_tickets, 3);
11773 ADD_ALL_TESTS(test_stateless_tickets, 3);
11774 ADD_TEST(test_psk_tickets);
11775 ADD_ALL_TESTS(test_extra_tickets, 6);
11777 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
11778 ADD_TEST(test_ssl_bio_pop_next_bio);
11779 ADD_TEST(test_ssl_bio_pop_ssl_bio);
11780 ADD_TEST(test_ssl_bio_change_rbio);
11781 ADD_TEST(test_ssl_bio_change_wbio);
11782 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
11783 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
11784 ADD_TEST(test_keylog);
11786 #ifndef OSSL_NO_USABLE_TLS1_3
11787 ADD_TEST(test_keylog_no_master_key);
11789 ADD_TEST(test_client_cert_verify_cb);
11790 ADD_TEST(test_ssl_build_cert_chain);
11791 ADD_TEST(test_ssl_ctx_build_cert_chain);
11792 #ifndef OPENSSL_NO_TLS1_2
11793 ADD_TEST(test_client_hello_cb);
11794 ADD_TEST(test_no_ems);
11795 ADD_TEST(test_ccs_change_cipher);
11797 #ifndef OSSL_NO_USABLE_TLS1_3
11798 ADD_ALL_TESTS(test_early_data_read_write, 6);
11800 * We don't do replay tests for external PSK. Replay protection isn't used
11801 * in that scenario.
11803 ADD_ALL_TESTS(test_early_data_replay, 2);
11804 ADD_ALL_TESTS(test_early_data_skip, OSSL_NELEM(ciphersuites) * 3);
11805 ADD_ALL_TESTS(test_early_data_skip_hrr, OSSL_NELEM(ciphersuites) * 3);
11806 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, OSSL_NELEM(ciphersuites) * 3);
11807 ADD_ALL_TESTS(test_early_data_skip_abort, OSSL_NELEM(ciphersuites) * 3);
11808 ADD_ALL_TESTS(test_early_data_not_sent, 3);
11809 ADD_ALL_TESTS(test_early_data_psk, 8);
11810 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
11811 ADD_ALL_TESTS(test_early_data_not_expected, 3);
11812 # ifndef OPENSSL_NO_TLS1_2
11813 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
11816 #ifndef OSSL_NO_USABLE_TLS1_3
11817 ADD_ALL_TESTS(test_set_ciphersuite, 10);
11818 ADD_TEST(test_ciphersuite_change);
11819 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
11820 # ifdef OPENSSL_NO_PSK
11821 ADD_ALL_TESTS(test_tls13_psk, 1);
11823 ADD_ALL_TESTS(test_tls13_psk, 4);
11824 # endif /* OPENSSL_NO_PSK */
11825 #ifndef OSSL_NO_USABLE_TLS1_3
11826 ADD_ALL_TESTS(test_tls13_no_dhe_kex, 8);
11827 #endif /* OSSL_NO_USABLE_TLS1_3 */
11828 # ifndef OPENSSL_NO_TLS1_2
11829 /* Test with both TLSv1.3 and 1.2 versions */
11830 ADD_ALL_TESTS(test_key_exchange, 14);
11831 # if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
11832 ADD_ALL_TESTS(test_negotiated_group,
11833 4 * (OSSL_NELEM(ecdhe_kexch_groups)
11834 + OSSL_NELEM(ffdhe_kexch_groups)));
11837 /* Test with only TLSv1.3 versions */
11838 ADD_ALL_TESTS(test_key_exchange, 12);
11840 ADD_ALL_TESTS(test_custom_exts, 6);
11841 ADD_TEST(test_stateless);
11842 ADD_TEST(test_pha_key_update);
11844 ADD_ALL_TESTS(test_custom_exts, 3);
11846 ADD_ALL_TESTS(test_export_key_mat, 6);
11847 #ifndef OSSL_NO_USABLE_TLS1_3
11848 ADD_ALL_TESTS(test_export_key_mat_early, 3);
11849 ADD_TEST(test_key_update);
11850 ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
11851 ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
11852 ADD_ALL_TESTS(test_key_update_local_in_write, 2);
11853 ADD_ALL_TESTS(test_key_update_local_in_read, 2);
11855 ADD_ALL_TESTS(test_ssl_clear, 8);
11856 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
11857 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
11858 ADD_ALL_TESTS(test_srp, 6);
11860 #if !defined(OPENSSL_NO_COMP_ALG)
11861 /* Add compression case */
11862 ADD_ALL_TESTS(test_info_callback, 8);
11864 ADD_ALL_TESTS(test_info_callback, 6);
11866 ADD_ALL_TESTS(test_ssl_pending, 2);
11867 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
11868 ADD_ALL_TESTS(test_ticket_callbacks, 20);
11869 ADD_ALL_TESTS(test_shutdown, 7);
11870 ADD_TEST(test_async_shutdown);
11871 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
11872 ADD_ALL_TESTS(test_cert_cb, 6);
11873 ADD_ALL_TESTS(test_client_cert_cb, 2);
11874 ADD_ALL_TESTS(test_ca_names, 3);
11875 #ifndef OPENSSL_NO_TLS1_2
11876 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
11878 ADD_ALL_TESTS(test_servername, 10);
11879 ADD_TEST(test_unknown_sigalgs_groups);
11880 #if !defined(OPENSSL_NO_EC) \
11881 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
11882 ADD_ALL_TESTS(test_sigalgs_available, 6);
11884 #ifndef OPENSSL_NO_TLS1_3
11885 ADD_ALL_TESTS(test_pluggable_group, 2);
11886 ADD_ALL_TESTS(test_pluggable_signature, 4);
11888 #ifndef OPENSSL_NO_TLS1_2
11889 ADD_TEST(test_ssl_dup);
11890 # ifndef OPENSSL_NO_DH
11891 ADD_ALL_TESTS(test_set_tmp_dh, 11);
11892 ADD_ALL_TESTS(test_dh_auto, 7);
11895 #ifndef OSSL_NO_USABLE_TLS1_3
11896 ADD_TEST(test_sni_tls13);
11897 ADD_ALL_TESTS(test_ticket_lifetime, 2);
11899 ADD_TEST(test_inherit_verify_param);
11900 ADD_TEST(test_set_alpn);
11901 ADD_TEST(test_set_verify_cert_store_ssl_ctx);
11902 ADD_TEST(test_set_verify_cert_store_ssl);
11903 ADD_ALL_TESTS(test_session_timeout, 1);
11904 ADD_TEST(test_load_dhfile);
11905 #ifndef OSSL_NO_USABLE_TLS1_3
11906 ADD_TEST(test_read_ahead_key_change);
11907 ADD_ALL_TESTS(test_tls13_record_padding, 4);
11909 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
11910 ADD_ALL_TESTS(test_serverinfo_custom, 4);
11912 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
11913 ADD_ALL_TESTS(test_pipelining, 7);
11915 ADD_ALL_TESTS(test_version, 6);
11916 ADD_TEST(test_rstate_string);
11917 ADD_ALL_TESTS(test_handshake_retry, 16);
11918 ADD_TEST(test_data_retry);
11919 ADD_ALL_TESTS(test_multi_resume, 4);
11923 OPENSSL_free(cert);
11924 OPENSSL_free(privkey);
11925 OPENSSL_free(cert2);
11926 OPENSSL_free(privkey2);
11930 void cleanup_tests(void)
11932 # if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
11933 EVP_PKEY_free(tmp_dh_params);
11935 OPENSSL_free(cert);
11936 OPENSSL_free(privkey);
11937 OPENSSL_free(cert2);
11938 OPENSSL_free(privkey2);
11939 OPENSSL_free(cert1024);
11940 OPENSSL_free(privkey1024);
11941 OPENSSL_free(cert3072);
11942 OPENSSL_free(privkey3072);
11943 OPENSSL_free(cert4096);
11944 OPENSSL_free(privkey4096);
11945 OPENSSL_free(cert8192);
11946 OPENSSL_free(privkey8192);
11947 bio_s_mempacket_test_free();
11948 bio_s_always_retry_free();
11949 bio_s_maybe_retry_free();
11950 OSSL_PROVIDER_unload(defctxnull);
11951 OSSL_LIB_CTX_free(libctx);