2 * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/core_dispatch.h>
32 #include <openssl/provider.h>
33 #include <openssl/param_build.h>
34 #include <openssl/x509v3.h>
36 #include "helpers/ssltestlib.h"
38 #include "testutil/output.h"
39 #include "internal/nelem.h"
40 #include "internal/ktls.h"
41 #include "../ssl/ssl_local.h"
42 #include "filterprov.h"
44 #undef OSSL_NO_USABLE_TLS1_3
45 #if defined(OPENSSL_NO_TLS1_3) \
46 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
48 * If we don't have ec or dh then there are no built-in groups that are usable
51 # define OSSL_NO_USABLE_TLS1_3
54 /* Defined in tls-provider.c */
55 int tls_provider_init(const OSSL_CORE_HANDLE *handle,
56 const OSSL_DISPATCH *in,
57 const OSSL_DISPATCH **out,
60 static OSSL_LIB_CTX *libctx = NULL;
61 static OSSL_PROVIDER *defctxnull = NULL;
63 #ifndef OSSL_NO_USABLE_TLS1_3
65 static SSL_SESSION *clientpsk = NULL;
66 static SSL_SESSION *serverpsk = NULL;
67 static const char *pskid = "Identity";
68 static const char *srvid;
70 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
71 size_t *idlen, SSL_SESSION **sess);
72 static int find_session_cb(SSL *ssl, const unsigned char *identity,
73 size_t identity_len, SSL_SESSION **sess);
75 static int use_session_cb_cnt = 0;
76 static int find_session_cb_cnt = 0;
78 static SSL_SESSION *create_a_psk(SSL *ssl);
81 static char *certsdir = NULL;
82 static char *cert = NULL;
83 static char *privkey = NULL;
84 static char *cert2 = NULL;
85 static char *privkey2 = NULL;
86 static char *cert1024 = NULL;
87 static char *privkey1024 = NULL;
88 static char *cert3072 = NULL;
89 static char *privkey3072 = NULL;
90 static char *cert4096 = NULL;
91 static char *privkey4096 = NULL;
92 static char *cert8192 = NULL;
93 static char *privkey8192 = NULL;
94 static char *srpvfile = NULL;
95 static char *tmpfilename = NULL;
97 static int is_fips = 0;
99 #define LOG_BUFFER_SIZE 2048
100 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
101 static size_t server_log_buffer_index = 0;
102 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
103 static size_t client_log_buffer_index = 0;
104 static int error_writing_log = 0;
106 #ifndef OPENSSL_NO_OCSP
107 static const unsigned char orespder[] = "Dummy OCSP Response";
108 static int ocsp_server_called = 0;
109 static int ocsp_client_called = 0;
111 static int cdummyarg = 1;
112 static X509 *ocspcert = NULL;
115 #define NUM_EXTRA_CERTS 40
116 #define CLIENT_VERSION_LEN 2
119 * This structure is used to validate that the correct number of log messages
120 * of various types are emitted when emitting secret logs.
122 struct sslapitest_log_counts {
123 unsigned int rsa_key_exchange_count;
124 unsigned int master_secret_count;
125 unsigned int client_early_secret_count;
126 unsigned int client_handshake_secret_count;
127 unsigned int server_handshake_secret_count;
128 unsigned int client_application_secret_count;
129 unsigned int server_application_secret_count;
130 unsigned int early_exporter_secret_count;
131 unsigned int exporter_secret_count;
135 static unsigned char serverinfov1[] = {
136 0xff, 0xff, /* Dummy extension type */
137 0x00, 0x01, /* Extension length is 1 byte */
138 0xff /* Dummy extension data */
141 static unsigned char serverinfov2[] = {
143 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
144 0xff, 0xff, /* Dummy extension type */
145 0x00, 0x01, /* Extension length is 1 byte */
146 0xff /* Dummy extension data */
149 static int hostname_cb(SSL *s, int *al, void *arg)
151 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
153 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
154 || strcmp(hostname, "altgoodhost") == 0))
155 return SSL_TLSEXT_ERR_OK;
157 return SSL_TLSEXT_ERR_NOACK;
160 static void client_keylog_callback(const SSL *ssl, const char *line)
162 int line_length = strlen(line);
164 /* If the log doesn't fit, error out. */
165 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
166 TEST_info("Client log too full");
167 error_writing_log = 1;
171 strcat(client_log_buffer, line);
172 client_log_buffer_index += line_length;
173 client_log_buffer[client_log_buffer_index++] = '\n';
176 static void server_keylog_callback(const SSL *ssl, const char *line)
178 int line_length = strlen(line);
180 /* If the log doesn't fit, error out. */
181 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
182 TEST_info("Server log too full");
183 error_writing_log = 1;
187 strcat(server_log_buffer, line);
188 server_log_buffer_index += line_length;
189 server_log_buffer[server_log_buffer_index++] = '\n';
192 static int compare_hex_encoded_buffer(const char *hex_encoded,
200 if (!TEST_size_t_eq(raw_length * 2, hex_length))
203 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
204 sprintf(hexed, "%02x", raw[i]);
205 if (!TEST_int_eq(hexed[0], hex_encoded[j])
206 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
213 static int test_keylog_output(char *buffer, const SSL *ssl,
214 const SSL_SESSION *session,
215 struct sslapitest_log_counts *expected)
218 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
219 size_t client_random_size = SSL3_RANDOM_SIZE;
220 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
221 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
222 unsigned int rsa_key_exchange_count = 0;
223 unsigned int master_secret_count = 0;
224 unsigned int client_early_secret_count = 0;
225 unsigned int client_handshake_secret_count = 0;
226 unsigned int server_handshake_secret_count = 0;
227 unsigned int client_application_secret_count = 0;
228 unsigned int server_application_secret_count = 0;
229 unsigned int early_exporter_secret_count = 0;
230 unsigned int exporter_secret_count = 0;
232 for (token = strtok(buffer, " \n"); token != NULL;
233 token = strtok(NULL, " \n")) {
234 if (strcmp(token, "RSA") == 0) {
236 * Premaster secret. Tokens should be: 16 ASCII bytes of
237 * hex-encoded encrypted secret, then the hex-encoded pre-master
240 if (!TEST_ptr(token = strtok(NULL, " \n")))
242 if (!TEST_size_t_eq(strlen(token), 16))
244 if (!TEST_ptr(token = strtok(NULL, " \n")))
247 * We can't sensibly check the log because the premaster secret is
248 * transient, and OpenSSL doesn't keep hold of it once the master
249 * secret is generated.
251 rsa_key_exchange_count++;
252 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
254 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
255 * client random, then the hex-encoded master secret.
257 client_random_size = SSL_get_client_random(ssl,
258 actual_client_random,
260 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
263 if (!TEST_ptr(token = strtok(NULL, " \n")))
265 if (!TEST_size_t_eq(strlen(token), 64))
267 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
268 actual_client_random,
269 client_random_size)))
272 if (!TEST_ptr(token = strtok(NULL, " \n")))
274 master_key_size = SSL_SESSION_get_master_key(session,
277 if (!TEST_size_t_ne(master_key_size, 0))
279 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
283 master_secret_count++;
284 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
285 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
286 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
287 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
288 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
289 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
290 || strcmp(token, "EXPORTER_SECRET") == 0) {
292 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
293 * client random, and then the hex-encoded secret. In this case,
294 * we treat all of these secrets identically and then just
295 * distinguish between them when counting what we saw.
297 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
298 client_early_secret_count++;
299 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
300 client_handshake_secret_count++;
301 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
302 server_handshake_secret_count++;
303 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
304 client_application_secret_count++;
305 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
306 server_application_secret_count++;
307 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
308 early_exporter_secret_count++;
309 else if (strcmp(token, "EXPORTER_SECRET") == 0)
310 exporter_secret_count++;
312 client_random_size = SSL_get_client_random(ssl,
313 actual_client_random,
315 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
318 if (!TEST_ptr(token = strtok(NULL, " \n")))
320 if (!TEST_size_t_eq(strlen(token), 64))
322 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
323 actual_client_random,
324 client_random_size)))
327 if (!TEST_ptr(token = strtok(NULL, " \n")))
331 * TODO(TLS1.3): test that application traffic secrets are what
334 TEST_info("Unexpected token %s\n", token);
339 /* Got what we expected? */
340 if (!TEST_size_t_eq(rsa_key_exchange_count,
341 expected->rsa_key_exchange_count)
342 || !TEST_size_t_eq(master_secret_count,
343 expected->master_secret_count)
344 || !TEST_size_t_eq(client_early_secret_count,
345 expected->client_early_secret_count)
346 || !TEST_size_t_eq(client_handshake_secret_count,
347 expected->client_handshake_secret_count)
348 || !TEST_size_t_eq(server_handshake_secret_count,
349 expected->server_handshake_secret_count)
350 || !TEST_size_t_eq(client_application_secret_count,
351 expected->client_application_secret_count)
352 || !TEST_size_t_eq(server_application_secret_count,
353 expected->server_application_secret_count)
354 || !TEST_size_t_eq(early_exporter_secret_count,
355 expected->early_exporter_secret_count)
356 || !TEST_size_t_eq(exporter_secret_count,
357 expected->exporter_secret_count))
362 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
363 static int test_keylog(void)
365 SSL_CTX *cctx = NULL, *sctx = NULL;
366 SSL *clientssl = NULL, *serverssl = NULL;
368 struct sslapitest_log_counts expected;
370 /* Clean up logging space */
371 memset(&expected, 0, sizeof(expected));
372 memset(client_log_buffer, 0, sizeof(client_log_buffer));
373 memset(server_log_buffer, 0, sizeof(server_log_buffer));
374 client_log_buffer_index = 0;
375 server_log_buffer_index = 0;
376 error_writing_log = 0;
378 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
381 &sctx, &cctx, cert, privkey)))
384 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
385 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
386 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
388 /* We also want to ensure that we use RSA-based key exchange. */
389 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
392 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
393 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
395 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
396 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
397 == client_keylog_callback))
399 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
400 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
401 == server_keylog_callback))
404 /* Now do a handshake and check that the logs have been written to. */
405 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
406 &clientssl, NULL, NULL))
407 || !TEST_true(create_ssl_connection(serverssl, clientssl,
409 || !TEST_false(error_writing_log)
410 || !TEST_int_gt(client_log_buffer_index, 0)
411 || !TEST_int_gt(server_log_buffer_index, 0))
415 * Now we want to test that our output data was vaguely sensible. We
416 * do that by using strtok and confirming that we have more or less the
417 * data we expect. For both client and server, we expect to see one master
418 * secret. The client should also see a RSA key exchange.
420 expected.rsa_key_exchange_count = 1;
421 expected.master_secret_count = 1;
422 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
423 SSL_get_session(clientssl), &expected)))
426 expected.rsa_key_exchange_count = 0;
427 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
428 SSL_get_session(serverssl), &expected)))
443 #ifndef OSSL_NO_USABLE_TLS1_3
444 static int test_keylog_no_master_key(void)
446 SSL_CTX *cctx = NULL, *sctx = NULL;
447 SSL *clientssl = NULL, *serverssl = NULL;
448 SSL_SESSION *sess = NULL;
450 struct sslapitest_log_counts expected;
451 unsigned char buf[1];
452 size_t readbytes, written;
454 /* Clean up logging space */
455 memset(&expected, 0, sizeof(expected));
456 memset(client_log_buffer, 0, sizeof(client_log_buffer));
457 memset(server_log_buffer, 0, sizeof(server_log_buffer));
458 client_log_buffer_index = 0;
459 server_log_buffer_index = 0;
460 error_writing_log = 0;
462 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
463 TLS_client_method(), TLS1_VERSION, 0,
464 &sctx, &cctx, cert, privkey))
465 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
466 SSL3_RT_MAX_PLAIN_LENGTH)))
469 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
470 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
473 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
474 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
475 == client_keylog_callback))
478 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
479 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
480 == server_keylog_callback))
483 /* Now do a handshake and check that the logs have been written to. */
484 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
485 &clientssl, NULL, NULL))
486 || !TEST_true(create_ssl_connection(serverssl, clientssl,
488 || !TEST_false(error_writing_log))
492 * Now we want to test that our output data was vaguely sensible. For this
493 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
494 * TLSv1.3, but we do expect both client and server to emit keys.
496 expected.client_handshake_secret_count = 1;
497 expected.server_handshake_secret_count = 1;
498 expected.client_application_secret_count = 1;
499 expected.server_application_secret_count = 1;
500 expected.exporter_secret_count = 1;
501 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
502 SSL_get_session(clientssl), &expected))
503 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
504 SSL_get_session(serverssl),
508 /* Terminate old session and resume with early data. */
509 sess = SSL_get1_session(clientssl);
510 SSL_shutdown(clientssl);
511 SSL_shutdown(serverssl);
514 serverssl = clientssl = NULL;
517 memset(client_log_buffer, 0, sizeof(client_log_buffer));
518 memset(server_log_buffer, 0, sizeof(server_log_buffer));
519 client_log_buffer_index = 0;
520 server_log_buffer_index = 0;
522 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
523 &clientssl, NULL, NULL))
524 || !TEST_true(SSL_set_session(clientssl, sess))
525 /* Here writing 0 length early data is enough. */
526 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
527 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
529 SSL_READ_EARLY_DATA_ERROR)
530 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
531 SSL_EARLY_DATA_ACCEPTED)
532 || !TEST_true(create_ssl_connection(serverssl, clientssl,
534 || !TEST_true(SSL_session_reused(clientssl)))
537 /* In addition to the previous entries, expect early secrets. */
538 expected.client_early_secret_count = 1;
539 expected.early_exporter_secret_count = 1;
540 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
541 SSL_get_session(clientssl), &expected))
542 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
543 SSL_get_session(serverssl),
550 SSL_SESSION_free(sess);
560 static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
562 int res = X509_verify_cert(ctx);
564 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
565 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
566 return -1; /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
570 static int test_client_cert_verify_cb(void)
572 /* server key, cert, chain, and root */
573 char *skey = test_mk_file_path(certsdir, "leaf.key");
574 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
575 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
576 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
577 char *root = test_mk_file_path(certsdir, "rootCA.pem");
578 X509 *crt1 = NULL, *crt2 = NULL;
579 STACK_OF(X509) *server_chain;
580 SSL_CTX *cctx = NULL, *sctx = NULL;
581 SSL *clientssl = NULL, *serverssl = NULL;
584 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
585 TLS_client_method(), TLS1_VERSION, 0,
586 &sctx, &cctx, NULL, NULL)))
588 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
589 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
590 SSL_FILETYPE_PEM), 1)
591 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
593 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
595 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
596 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
597 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
598 &clientssl, NULL, NULL)))
601 /* attempt SSL_connect() with incomplete server chain */
602 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
603 SSL_ERROR_WANT_RETRY_VERIFY)))
606 /* application provides intermediate certs needed to verify server cert */
607 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
608 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
609 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
611 /* add certs in reverse order to demonstrate real chain building */
612 if (!TEST_true(sk_X509_push(server_chain, crt1)))
615 if (!TEST_true(sk_X509_push(server_chain, crt2)))
619 /* continue SSL_connect(), must now succeed with completed server chain */
620 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
629 if (clientssl != NULL) {
630 SSL_shutdown(clientssl);
633 if (serverssl != NULL) {
634 SSL_shutdown(serverssl);
649 static int test_ssl_build_cert_chain(void)
652 SSL_CTX *ssl_ctx = NULL;
654 char *skey = test_mk_file_path(certsdir, "leaf.key");
655 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
657 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
659 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
661 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
662 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
663 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
664 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
666 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
667 | SSL_BUILD_CHAIN_FLAG_CHECK)))
672 SSL_CTX_free(ssl_ctx);
673 OPENSSL_free(leaf_chain);
678 static int test_ssl_ctx_build_cert_chain(void)
682 char *skey = test_mk_file_path(certsdir, "leaf.key");
683 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
685 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
687 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
688 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
689 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
690 SSL_FILETYPE_PEM), 1)
691 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
693 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
694 | SSL_BUILD_CHAIN_FLAG_CHECK)))
699 OPENSSL_free(leaf_chain);
704 #ifndef OPENSSL_NO_TLS1_2
705 static int full_client_hello_callback(SSL *s, int *al, void *arg)
708 const unsigned char *p;
710 /* We only configure two ciphers, but the SCSV is added automatically. */
712 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
714 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
717 const int expected_extensions[] = {
718 #ifndef OPENSSL_NO_EC
724 /* Make sure we can defer processing and get called back. */
726 return SSL_CLIENT_HELLO_RETRY;
728 len = SSL_client_hello_get0_ciphers(s, &p);
729 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
731 SSL_client_hello_get0_compression_methods(s, &p), 1)
732 || !TEST_int_eq(*p, 0))
733 return SSL_CLIENT_HELLO_ERROR;
734 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
735 return SSL_CLIENT_HELLO_ERROR;
736 if (len != OSSL_NELEM(expected_extensions) ||
737 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
738 printf("ClientHello callback expected extensions mismatch\n");
740 return SSL_CLIENT_HELLO_ERROR;
743 return SSL_CLIENT_HELLO_SUCCESS;
746 static int test_client_hello_cb(void)
748 SSL_CTX *cctx = NULL, *sctx = NULL;
749 SSL *clientssl = NULL, *serverssl = NULL;
750 int testctr = 0, testresult = 0;
752 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
753 TLS_client_method(), TLS1_VERSION, 0,
754 &sctx, &cctx, cert, privkey)))
756 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
758 /* The gimpy cipher list we configure can't do TLS 1.3. */
759 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
761 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
762 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
763 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
764 &clientssl, NULL, NULL))
765 || !TEST_false(create_ssl_connection(serverssl, clientssl,
766 SSL_ERROR_WANT_CLIENT_HELLO_CB))
768 * Passing a -1 literal is a hack since
769 * the real value was lost.
771 || !TEST_int_eq(SSL_get_error(serverssl, -1),
772 SSL_ERROR_WANT_CLIENT_HELLO_CB)
773 || !TEST_true(create_ssl_connection(serverssl, clientssl,
788 static int test_no_ems(void)
790 SSL_CTX *cctx = NULL, *sctx = NULL;
791 SSL *clientssl = NULL, *serverssl = NULL;
794 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
795 TLS1_VERSION, TLS1_2_VERSION,
796 &sctx, &cctx, cert, privkey)) {
797 printf("Unable to create SSL_CTX pair\n");
801 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
803 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
804 printf("Unable to create SSL objects\n");
808 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
809 printf("Creating SSL connection failed\n");
813 if (SSL_get_extms_support(serverssl)) {
814 printf("Server reports Extended Master Secret support\n");
818 if (SSL_get_extms_support(clientssl)) {
819 printf("Client reports Extended Master Secret support\n");
834 * Very focused test to exercise a single case in the server-side state
835 * machine, when the ChangeCipherState message needs to actually change
836 * from one cipher to a different cipher (i.e., not changing from null
837 * encryption to real encryption).
839 static int test_ccs_change_cipher(void)
841 SSL_CTX *cctx = NULL, *sctx = NULL;
842 SSL *clientssl = NULL, *serverssl = NULL;
843 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
850 * Create a conection so we can resume and potentially (but not) use
851 * a different cipher in the second connection.
853 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
855 TLS1_VERSION, TLS1_2_VERSION,
856 &sctx, &cctx, cert, privkey))
857 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
858 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
860 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
861 || !TEST_true(create_ssl_connection(serverssl, clientssl,
863 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
864 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
867 shutdown_ssl_connection(serverssl, clientssl);
868 serverssl = clientssl = NULL;
870 /* Resume, preferring a different cipher. Our server will force the
871 * same cipher to be used as the initial handshake. */
872 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
874 || !TEST_true(SSL_set_session(clientssl, sess))
875 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
876 || !TEST_true(create_ssl_connection(serverssl, clientssl,
878 || !TEST_true(SSL_session_reused(clientssl))
879 || !TEST_true(SSL_session_reused(serverssl))
880 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
881 || !TEST_ptr_eq(sesspre, sesspost)
882 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
883 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
885 shutdown_ssl_connection(serverssl, clientssl);
886 serverssl = clientssl = NULL;
889 * Now create a fresh connection and try to renegotiate a different
892 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
894 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
895 || !TEST_true(create_ssl_connection(serverssl, clientssl,
897 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
898 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
899 || !TEST_true(SSL_renegotiate(clientssl))
900 || !TEST_true(SSL_renegotiate_pending(clientssl)))
902 /* Actually drive the renegotiation. */
903 for (i = 0; i < 3; i++) {
904 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
905 if (!TEST_ulong_eq(readbytes, 0))
907 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
908 SSL_ERROR_WANT_READ)) {
911 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
912 if (!TEST_ulong_eq(readbytes, 0))
914 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
915 SSL_ERROR_WANT_READ)) {
919 /* sesspre and sesspost should be different since the cipher changed. */
920 if (!TEST_false(SSL_renegotiate_pending(clientssl))
921 || !TEST_false(SSL_session_reused(clientssl))
922 || !TEST_false(SSL_session_reused(serverssl))
923 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
924 || !TEST_ptr_ne(sesspre, sesspost)
925 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
926 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
929 shutdown_ssl_connection(serverssl, clientssl);
930 serverssl = clientssl = NULL;
939 SSL_SESSION_free(sess);
945 static int execute_test_large_message(const SSL_METHOD *smeth,
946 const SSL_METHOD *cmeth,
947 int min_version, int max_version,
950 SSL_CTX *cctx = NULL, *sctx = NULL;
951 SSL *clientssl = NULL, *serverssl = NULL;
955 X509 *chaincert = NULL;
958 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
961 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
964 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
969 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
970 max_version, &sctx, &cctx, cert,
974 #ifdef OPENSSL_NO_DTLS1_2
975 if (smeth == DTLS_server_method()) {
977 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
980 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
981 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
982 "DEFAULT:@SECLEVEL=0")))
989 * Test that read_ahead works correctly when dealing with large
992 SSL_CTX_set_read_ahead(cctx, 1);
996 * We assume the supplied certificate is big enough so that if we add
997 * NUM_EXTRA_CERTS it will make the overall message large enough. The
998 * default buffer size is requested to be 16k, but due to the way BUF_MEM
999 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
1000 * test we need to have a message larger than that.
1002 certlen = i2d_X509(chaincert, NULL);
1003 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
1004 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
1005 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
1006 if (!X509_up_ref(chaincert))
1008 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
1009 X509_free(chaincert);
1014 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1016 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1021 * Calling SSL_clear() first is not required but this tests that SSL_clear()
1024 if (!TEST_true(SSL_clear(serverssl)))
1030 X509_free(chaincert);
1031 SSL_free(serverssl);
1032 SSL_free(clientssl);
1039 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
1040 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
1041 #define TLS_CIPHER_MAX_REC_SEQ_SIZE 8
1042 /* sock must be connected */
1043 static int ktls_chk_platform(int sock)
1045 if (!ktls_enable(sock))
1050 static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd, int rec_seq_size)
1052 static char count = 1;
1053 unsigned char cbuf[16000] = {0};
1054 unsigned char sbuf[16000];
1056 char crec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
1057 char crec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
1058 char crec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
1059 char crec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
1060 char srec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
1061 char srec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
1062 char srec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
1063 char srec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
1066 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, rec_seq_size);
1067 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, rec_seq_size);
1068 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, rec_seq_size);
1069 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, rec_seq_size);
1071 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1074 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1075 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1080 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1083 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1084 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1089 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, rec_seq_size);
1090 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, rec_seq_size);
1091 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, rec_seq_size);
1092 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, rec_seq_size);
1094 /* verify the payload */
1095 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1098 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
1099 if ((SSL_get_options(clientssl) & SSL_OP_ENABLE_KTLS) == 0) {
1100 if (!TEST_mem_ne(crec_wseq_before, rec_seq_size,
1101 crec_wseq_after, rec_seq_size))
1104 if (!TEST_mem_eq(crec_wseq_before, rec_seq_size,
1105 crec_wseq_after, rec_seq_size))
1109 if ((SSL_get_options(serverssl) & SSL_OP_ENABLE_KTLS) == 0) {
1110 if (!TEST_mem_ne(srec_wseq_before, rec_seq_size,
1111 srec_wseq_after, rec_seq_size))
1114 if (!TEST_mem_eq(srec_wseq_before, rec_seq_size,
1115 srec_wseq_after, rec_seq_size))
1119 if ((SSL_get_options(clientssl) & SSL_OP_ENABLE_KTLS) == 0
1120 #if defined(OPENSSL_NO_KTLS_RX)
1124 if (!TEST_mem_ne(crec_rseq_before, rec_seq_size,
1125 crec_rseq_after, rec_seq_size))
1128 if (!TEST_mem_eq(crec_rseq_before, rec_seq_size,
1129 crec_rseq_after, rec_seq_size))
1133 if ((SSL_get_options(serverssl) & SSL_OP_ENABLE_KTLS) == 0
1134 #if defined(OPENSSL_NO_KTLS_RX)
1138 if (!TEST_mem_ne(srec_rseq_before, rec_seq_size,
1139 srec_rseq_after, rec_seq_size))
1142 if (!TEST_mem_eq(srec_rseq_before, rec_seq_size,
1143 srec_rseq_after, rec_seq_size))
1152 static int execute_test_ktls(int cis_ktls, int sis_ktls,
1153 int tls_version, const char *cipher,
1156 SSL_CTX *cctx = NULL, *sctx = NULL;
1157 SSL *clientssl = NULL, *serverssl = NULL;
1161 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
1164 /* Skip this test if the platform does not support ktls */
1165 if (!ktls_chk_platform(cfd))
1168 /* Create a session based on SHA-256 */
1169 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1170 TLS_client_method(),
1171 tls_version, tls_version,
1172 &sctx, &cctx, cert, privkey))
1173 || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1174 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher))
1175 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1176 &clientssl, sfd, cfd)))
1180 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
1185 if (!TEST_true(SSL_set_mode(serverssl, SSL_OP_ENABLE_KTLS)))
1189 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1194 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1197 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
1202 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1205 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1210 #if defined(OPENSSL_NO_KTLS_RX)
1214 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1217 if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
1222 #if defined(OPENSSL_NO_KTLS_RX)
1226 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1229 if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
1233 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd,
1240 SSL_shutdown(clientssl);
1241 SSL_free(clientssl);
1244 SSL_shutdown(serverssl);
1245 SSL_free(serverssl);
1249 serverssl = clientssl = NULL;
1253 #define SENDFILE_SZ (16 * 4096)
1254 #define SENDFILE_CHUNK (4 * 4096)
1255 #define min(a,b) ((a) > (b) ? (b) : (a))
1257 static int test_ktls_sendfile(int tls_version, const char *cipher)
1259 SSL_CTX *cctx = NULL, *sctx = NULL;
1260 SSL *clientssl = NULL, *serverssl = NULL;
1261 unsigned char *buf, *buf_dst;
1262 BIO *out = NULL, *in = NULL;
1263 int cfd, sfd, ffd, err;
1264 ssize_t chunk_size = 0;
1265 off_t chunk_off = 0;
1269 buf = OPENSSL_zalloc(SENDFILE_SZ);
1270 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1271 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1272 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1275 /* Skip this test if the platform does not support ktls */
1276 if (!ktls_chk_platform(sfd)) {
1281 /* Create a session based on SHA-256 */
1282 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1283 TLS_client_method(),
1284 tls_version, tls_version,
1285 &sctx, &cctx, cert, privkey))
1286 || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1287 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher))
1288 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1289 &clientssl, sfd, cfd)))
1292 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1294 || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1297 if (!TEST_true(RAND_bytes_ex(libctx, buf, SENDFILE_SZ)))
1300 out = BIO_new_file(tmpfilename, "wb");
1304 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1309 in = BIO_new_file(tmpfilename, "rb");
1310 BIO_get_fp(in, &ffdp);
1313 while (chunk_off < SENDFILE_SZ) {
1314 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1315 while ((err = SSL_sendfile(serverssl,
1319 0)) != chunk_size) {
1320 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1323 while ((err = SSL_read(clientssl,
1324 buf_dst + chunk_off,
1325 chunk_size)) != chunk_size) {
1326 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1330 /* verify the payload */
1331 if (!TEST_mem_eq(buf_dst + chunk_off,
1337 chunk_off += chunk_size;
1343 SSL_shutdown(clientssl);
1344 SSL_free(clientssl);
1347 SSL_shutdown(serverssl);
1348 SSL_free(serverssl);
1352 serverssl = clientssl = NULL;
1356 OPENSSL_free(buf_dst);
1360 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
1361 static int test_ktls(int test)
1363 int cis_ktls, sis_ktls;
1364 int tlsver, testresult;
1367 #if defined(OSSL_NO_USABLE_TLS1_3)
1371 tlsver = TLS1_3_VERSION;
1374 #if defined(OPENSSL_NO_TLS1_2)
1377 tlsver = TLS1_2_VERSION;
1381 cis_ktls = (test & 1) != 0;
1382 sis_ktls = (test & 2) != 0;
1385 #ifdef OPENSSL_KTLS_AES_GCM_128
1386 testresult &= execute_test_ktls(cis_ktls, sis_ktls, tlsver,
1387 "AES128-GCM-SHA256",
1388 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1390 #ifdef OPENSSL_KTLS_AES_CCM_128
1391 testresult &= execute_test_ktls(cis_ktls, sis_ktls, tlsver, "AES128-CCM",
1392 TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1394 #ifdef OPENSSL_KTLS_AES_GCM_256
1395 testresult &= execute_test_ktls(cis_ktls, sis_ktls, tlsver,
1396 "AES256-GCM-SHA384",
1397 TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1402 static int test_ktls_sendfile_anytls(int tst)
1404 char *cipher[] = {"AES128-GCM-SHA256","AES128-CCM","AES256-GCM-SHA384"};
1408 #if defined(OSSL_NO_USABLE_TLS1_3)
1412 tlsver = TLS1_3_VERSION;
1415 #if defined(OPENSSL_NO_TLS1_2)
1418 tlsver = TLS1_2_VERSION;
1422 #ifndef OPENSSL_KTLS_AES_GCM_128
1423 if(tst == 0) return 1;
1425 #ifndef OPENSSL_KTLS_AES_CCM_128
1426 if(tst == 1) return 1;
1428 #ifndef OPENSSL_KTLS_AES_GCM_256
1429 if(tst == 2) return 1;
1431 return test_ktls_sendfile(tlsver, cipher[tst]);
1437 static int test_large_message_tls(void)
1439 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1440 TLS1_VERSION, 0, 0);
1443 static int test_large_message_tls_read_ahead(void)
1445 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1446 TLS1_VERSION, 0, 1);
1449 #ifndef OPENSSL_NO_DTLS
1450 static int test_large_message_dtls(void)
1452 # ifdef OPENSSL_NO_DTLS1_2
1453 /* Not supported in the FIPS provider */
1458 * read_ahead is not relevant to DTLS because DTLS always acts as if
1459 * read_ahead is set.
1461 return execute_test_large_message(DTLS_server_method(),
1462 DTLS_client_method(),
1463 DTLS1_VERSION, 0, 0);
1467 static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1468 const SSL_METHOD *cmeth,
1469 int min_version, int max_version)
1472 SSL_CTX *cctx = NULL, *sctx = NULL;
1473 SSL *clientssl = NULL, *serverssl = NULL;
1478 static unsigned char cbuf[16000];
1479 static unsigned char sbuf[16000];
1481 if (!TEST_true(create_ssl_ctx_pair(libctx,
1483 min_version, max_version,
1488 #ifdef OPENSSL_NO_DTLS1_2
1489 if (smeth == DTLS_server_method()) {
1490 # ifdef OPENSSL_NO_DTLS1_2
1491 /* Not supported in the FIPS provider */
1498 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1501 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1502 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1503 "DEFAULT:@SECLEVEL=0")))
1508 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1512 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1515 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1519 for (i = 0; i < sizeof(cbuf); i++) {
1523 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1526 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1529 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1533 * Since we called SSL_peek(), we know the data in the record
1534 * layer is a plaintext record. We can gather the pointer to check
1535 * for zeroization after SSL_read().
1537 rr = serverssl->rlayer.rrec;
1538 zbuf = &rr->data[rr->off];
1539 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1543 * After SSL_peek() the plaintext must still be stored in the
1546 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1549 memset(sbuf, 0, sizeof(sbuf));
1550 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1553 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1556 /* Check if rbuf is cleansed */
1557 memset(cbuf, 0, sizeof(cbuf));
1558 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1563 SSL_free(serverssl);
1564 SSL_free(clientssl);
1571 static int test_cleanse_plaintext(void)
1573 #if !defined(OPENSSL_NO_TLS1_2)
1574 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1575 TLS_client_method(),
1582 #if !defined(OSSL_NO_USABLE_TLS1_3)
1583 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1584 TLS_client_method(),
1590 #if !defined(OPENSSL_NO_DTLS)
1592 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1593 DTLS_client_method(),
1601 #ifndef OPENSSL_NO_OCSP
1602 static int ocsp_server_cb(SSL *s, void *arg)
1604 int *argi = (int *)arg;
1605 unsigned char *copy = NULL;
1606 STACK_OF(OCSP_RESPID) *ids = NULL;
1607 OCSP_RESPID *id = NULL;
1610 /* In this test we are expecting exactly 1 OCSP_RESPID */
1611 SSL_get_tlsext_status_ids(s, &ids);
1612 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1613 return SSL_TLSEXT_ERR_ALERT_FATAL;
1615 id = sk_OCSP_RESPID_value(ids, 0);
1616 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1617 return SSL_TLSEXT_ERR_ALERT_FATAL;
1618 } else if (*argi != 1) {
1619 return SSL_TLSEXT_ERR_ALERT_FATAL;
1622 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1623 return SSL_TLSEXT_ERR_ALERT_FATAL;
1625 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
1626 ocsp_server_called = 1;
1627 return SSL_TLSEXT_ERR_OK;
1630 static int ocsp_client_cb(SSL *s, void *arg)
1632 int *argi = (int *)arg;
1633 const unsigned char *respderin;
1636 if (*argi != 1 && *argi != 2)
1639 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1640 if (!TEST_mem_eq(orespder, len, respderin, len))
1643 ocsp_client_called = 1;
1647 static int test_tlsext_status_type(void)
1649 SSL_CTX *cctx = NULL, *sctx = NULL;
1650 SSL *clientssl = NULL, *serverssl = NULL;
1652 STACK_OF(OCSP_RESPID) *ids = NULL;
1653 OCSP_RESPID *id = NULL;
1654 BIO *certbio = NULL;
1656 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1658 &sctx, &cctx, cert, privkey))
1661 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1664 /* First just do various checks getting and setting tlsext_status_type */
1666 clientssl = SSL_new(cctx);
1667 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1668 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1669 TLSEXT_STATUSTYPE_ocsp))
1670 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1671 TLSEXT_STATUSTYPE_ocsp))
1674 SSL_free(clientssl);
1677 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1678 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1681 clientssl = SSL_new(cctx);
1682 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1684 SSL_free(clientssl);
1688 * Now actually do a handshake and check OCSP information is exchanged and
1689 * the callbacks get called
1691 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1692 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1693 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1694 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1695 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1696 &clientssl, NULL, NULL))
1697 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1699 || !TEST_true(ocsp_client_called)
1700 || !TEST_true(ocsp_server_called))
1702 SSL_free(serverssl);
1703 SSL_free(clientssl);
1707 /* Try again but this time force the server side callback to fail */
1708 ocsp_client_called = 0;
1709 ocsp_server_called = 0;
1711 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1712 &clientssl, NULL, NULL))
1713 /* This should fail because the callback will fail */
1714 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1716 || !TEST_false(ocsp_client_called)
1717 || !TEST_false(ocsp_server_called))
1719 SSL_free(serverssl);
1720 SSL_free(clientssl);
1725 * This time we'll get the client to send an OCSP_RESPID that it will
1728 ocsp_client_called = 0;
1729 ocsp_server_called = 0;
1731 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1732 &clientssl, NULL, NULL)))
1736 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1737 * specific one. We'll use the server cert.
1739 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1740 || !TEST_ptr(id = OCSP_RESPID_new())
1741 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1742 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
1743 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
1744 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1745 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1748 SSL_set_tlsext_status_ids(clientssl, ids);
1749 /* Control has been transferred */
1755 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1757 || !TEST_true(ocsp_client_called)
1758 || !TEST_true(ocsp_server_called))
1764 SSL_free(serverssl);
1765 SSL_free(clientssl);
1768 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1769 OCSP_RESPID_free(id);
1771 X509_free(ocspcert);
1778 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1779 static int new_called, remove_called, get_called;
1781 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1785 * sess has been up-refed for us, but we don't actually need it so free it
1788 SSL_SESSION_free(sess);
1792 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1797 static SSL_SESSION *get_sess_val = NULL;
1799 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1804 return get_sess_val;
1807 static int execute_test_session(int maxprot, int use_int_cache,
1808 int use_ext_cache, long s_options)
1810 SSL_CTX *sctx = NULL, *cctx = NULL;
1811 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1812 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1813 # ifndef OPENSSL_NO_TLS1_1
1814 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1816 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1817 int testresult = 0, numnewsesstick = 1;
1819 new_called = remove_called = 0;
1821 /* TLSv1.3 sends 2 NewSessionTickets */
1822 if (maxprot == TLS1_3_VERSION)
1825 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1826 TLS_client_method(), TLS1_VERSION, 0,
1827 &sctx, &cctx, cert, privkey)))
1831 * Only allow the max protocol version so we can force a connection failure
1834 SSL_CTX_set_min_proto_version(cctx, maxprot);
1835 SSL_CTX_set_max_proto_version(cctx, maxprot);
1837 /* Set up session cache */
1838 if (use_ext_cache) {
1839 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1840 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1842 if (use_int_cache) {
1843 /* Also covers instance where both are set */
1844 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1846 SSL_CTX_set_session_cache_mode(cctx,
1847 SSL_SESS_CACHE_CLIENT
1848 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1852 SSL_CTX_set_options(sctx, s_options);
1855 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1857 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1859 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1862 /* Should fail because it should already be in the cache */
1863 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1866 && (!TEST_int_eq(new_called, numnewsesstick)
1868 || !TEST_int_eq(remove_called, 0)))
1871 new_called = remove_called = 0;
1872 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1873 &clientssl2, NULL, NULL))
1874 || !TEST_true(SSL_set_session(clientssl2, sess1))
1875 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1877 || !TEST_true(SSL_session_reused(clientssl2)))
1880 if (maxprot == TLS1_3_VERSION) {
1882 * In TLSv1.3 we should have created a new session even though we have
1883 * resumed. Since we attempted a resume we should also have removed the
1884 * old ticket from the cache so that we try to only use tickets once.
1887 && (!TEST_int_eq(new_called, 1)
1888 || !TEST_int_eq(remove_called, 1)))
1892 * In TLSv1.2 we expect to have resumed so no sessions added or
1896 && (!TEST_int_eq(new_called, 0)
1897 || !TEST_int_eq(remove_called, 0)))
1901 SSL_SESSION_free(sess1);
1902 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1904 shutdown_ssl_connection(serverssl2, clientssl2);
1905 serverssl2 = clientssl2 = NULL;
1907 new_called = remove_called = 0;
1908 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1909 &clientssl2, NULL, NULL))
1910 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1914 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1918 && (!TEST_int_eq(new_called, numnewsesstick)
1919 || !TEST_int_eq(remove_called, 0)))
1922 new_called = remove_called = 0;
1924 * This should clear sess2 from the cache because it is a "bad" session.
1925 * See SSL_set_session() documentation.
1927 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1930 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1932 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1935 if (use_int_cache) {
1936 /* Should succeeded because it should not already be in the cache */
1937 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1938 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1942 new_called = remove_called = 0;
1943 /* This shouldn't be in the cache so should fail */
1944 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1948 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1951 # if !defined(OPENSSL_NO_TLS1_1)
1952 new_called = remove_called = 0;
1953 /* Force a connection failure */
1954 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1955 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1956 &clientssl3, NULL, NULL))
1957 || !TEST_true(SSL_set_session(clientssl3, sess1))
1958 /* This should fail because of the mismatched protocol versions */
1959 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1963 /* We should have automatically removed the session from the cache */
1965 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1968 /* Should succeed because it should not already be in the cache */
1969 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1973 /* Now do some tests for server side caching */
1974 if (use_ext_cache) {
1975 SSL_CTX_sess_set_new_cb(cctx, NULL);
1976 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1977 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1978 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1979 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1980 get_sess_val = NULL;
1983 SSL_CTX_set_session_cache_mode(cctx, 0);
1984 /* Internal caching is the default on the server side */
1986 SSL_CTX_set_session_cache_mode(sctx,
1987 SSL_SESS_CACHE_SERVER
1988 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1990 SSL_free(serverssl1);
1991 SSL_free(clientssl1);
1992 serverssl1 = clientssl1 = NULL;
1993 SSL_free(serverssl2);
1994 SSL_free(clientssl2);
1995 serverssl2 = clientssl2 = NULL;
1996 SSL_SESSION_free(sess1);
1998 SSL_SESSION_free(sess2);
2001 SSL_CTX_set_max_proto_version(sctx, maxprot);
2002 if (maxprot == TLS1_2_VERSION)
2003 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
2004 new_called = remove_called = get_called = 0;
2005 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2007 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2009 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2010 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2013 if (use_int_cache) {
2014 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2016 * In TLSv1.3 it should not have been added to the internal cache,
2017 * except in the case where we also have an external cache (in that
2018 * case it gets added to the cache in order to generate remove
2019 * events after timeout).
2021 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2024 /* Should fail because it should already be in the cache */
2025 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2030 if (use_ext_cache) {
2031 SSL_SESSION *tmp = sess2;
2033 if (!TEST_int_eq(new_called, numnewsesstick)
2034 || !TEST_int_eq(remove_called, 0)
2035 || !TEST_int_eq(get_called, 0))
2038 * Delete the session from the internal cache to force a lookup from
2039 * the external cache. We take a copy first because
2040 * SSL_CTX_remove_session() also marks the session as non-resumable.
2042 if (use_int_cache && maxprot != TLS1_3_VERSION) {
2043 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2044 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2046 SSL_SESSION_free(sess2);
2051 new_called = remove_called = get_called = 0;
2052 get_sess_val = sess2;
2053 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2054 &clientssl2, NULL, NULL))
2055 || !TEST_true(SSL_set_session(clientssl2, sess1))
2056 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2058 || !TEST_true(SSL_session_reused(clientssl2)))
2061 if (use_ext_cache) {
2062 if (!TEST_int_eq(remove_called, 0))
2065 if (maxprot == TLS1_3_VERSION) {
2066 if (!TEST_int_eq(new_called, 1)
2067 || !TEST_int_eq(get_called, 0))
2070 if (!TEST_int_eq(new_called, 0)
2071 || !TEST_int_eq(get_called, 1))
2079 SSL_free(serverssl1);
2080 SSL_free(clientssl1);
2081 SSL_free(serverssl2);
2082 SSL_free(clientssl2);
2083 # ifndef OPENSSL_NO_TLS1_1
2084 SSL_free(serverssl3);
2085 SSL_free(clientssl3);
2087 SSL_SESSION_free(sess1);
2088 SSL_SESSION_free(sess2);
2094 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2096 static int test_session_with_only_int_cache(void)
2098 #ifndef OSSL_NO_USABLE_TLS1_3
2099 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
2103 #ifndef OPENSSL_NO_TLS1_2
2104 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
2110 static int test_session_with_only_ext_cache(void)
2112 #ifndef OSSL_NO_USABLE_TLS1_3
2113 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
2117 #ifndef OPENSSL_NO_TLS1_2
2118 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
2124 static int test_session_with_both_cache(void)
2126 #ifndef OSSL_NO_USABLE_TLS1_3
2127 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2131 #ifndef OPENSSL_NO_TLS1_2
2132 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2138 static int test_session_wo_ca_names(void)
2140 #ifndef OSSL_NO_USABLE_TLS1_3
2141 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
2145 #ifndef OPENSSL_NO_TLS1_2
2146 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
2153 #ifndef OSSL_NO_USABLE_TLS1_3
2154 static SSL_SESSION *sesscache[6];
2155 static int do_cache;
2157 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2160 sesscache[new_called] = sess;
2162 /* We don't need the reference to the session, so free it */
2163 SSL_SESSION_free(sess);
2170 static int post_handshake_verify(SSL *sssl, SSL *cssl)
2172 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2173 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2176 /* Start handshake on the server and client */
2177 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2178 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2179 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2180 || !TEST_true(create_ssl_connection(sssl, cssl,
2187 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
2190 int sess_id_ctx = 1;
2192 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2193 TLS_client_method(), TLS1_VERSION, 0,
2194 sctx, cctx, cert, privkey))
2195 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2196 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2197 (void *)&sess_id_ctx,
2198 sizeof(sess_id_ctx))))
2202 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2204 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2205 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2206 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2211 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2213 SSL *serverssl = NULL, *clientssl = NULL;
2216 /* Test that we can resume with all the tickets we got given */
2217 for (i = 0; i < idx * 2; i++) {
2219 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2220 &clientssl, NULL, NULL))
2221 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2224 SSL_set_post_handshake_auth(clientssl, 1);
2226 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2231 * Following a successful resumption we only get 1 ticket. After a
2232 * failed one we should get idx tickets.
2235 if (!TEST_true(SSL_session_reused(clientssl))
2236 || !TEST_int_eq(new_called, 1))
2239 if (!TEST_false(SSL_session_reused(clientssl))
2240 || !TEST_int_eq(new_called, idx))
2245 /* After a post-handshake authentication we should get 1 new ticket */
2247 && (!post_handshake_verify(serverssl, clientssl)
2248 || !TEST_int_eq(new_called, 1)))
2251 SSL_shutdown(clientssl);
2252 SSL_shutdown(serverssl);
2253 SSL_free(serverssl);
2254 SSL_free(clientssl);
2255 serverssl = clientssl = NULL;
2256 SSL_SESSION_free(sesscache[i]);
2257 sesscache[i] = NULL;
2263 SSL_free(clientssl);
2264 SSL_free(serverssl);
2268 static int test_tickets(int stateful, int idx)
2270 SSL_CTX *sctx = NULL, *cctx = NULL;
2271 SSL *serverssl = NULL, *clientssl = NULL;
2275 /* idx is the test number, but also the number of tickets we want */
2280 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2283 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2284 &clientssl, NULL, NULL)))
2287 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2289 /* Check we got the number of tickets we were expecting */
2290 || !TEST_int_eq(idx, new_called))
2293 SSL_shutdown(clientssl);
2294 SSL_shutdown(serverssl);
2295 SSL_free(serverssl);
2296 SSL_free(clientssl);
2299 clientssl = serverssl = NULL;
2303 * Now we try to resume with the tickets we previously created. The
2304 * resumption attempt is expected to fail (because we're now using a new
2305 * SSL_CTX). We should see idx number of tickets issued again.
2308 /* Stop caching sessions - just count them */
2311 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2314 if (!check_resumption(idx, sctx, cctx, 0))
2317 /* Start again with caching sessions */
2324 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2327 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2328 &clientssl, NULL, NULL)))
2331 SSL_set_post_handshake_auth(clientssl, 1);
2333 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2335 /* Check we got the number of tickets we were expecting */
2336 || !TEST_int_eq(idx, new_called))
2339 /* After a post-handshake authentication we should get new tickets issued */
2340 if (!post_handshake_verify(serverssl, clientssl)
2341 || !TEST_int_eq(idx * 2, new_called))
2344 SSL_shutdown(clientssl);
2345 SSL_shutdown(serverssl);
2346 SSL_free(serverssl);
2347 SSL_free(clientssl);
2348 serverssl = clientssl = NULL;
2350 /* Stop caching sessions - just count them */
2354 * Check we can resume with all the tickets we created. This time around the
2355 * resumptions should all be successful.
2357 if (!check_resumption(idx, sctx, cctx, 1))
2363 SSL_free(serverssl);
2364 SSL_free(clientssl);
2365 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2366 SSL_SESSION_free(sesscache[j]);
2367 sesscache[j] = NULL;
2375 static int test_stateless_tickets(int idx)
2377 return test_tickets(0, idx);
2380 static int test_stateful_tickets(int idx)
2382 return test_tickets(1, idx);
2385 static int test_psk_tickets(void)
2387 SSL_CTX *sctx = NULL, *cctx = NULL;
2388 SSL *serverssl = NULL, *clientssl = NULL;
2390 int sess_id_ctx = 1;
2392 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2393 TLS_client_method(), TLS1_VERSION, 0,
2394 &sctx, &cctx, NULL, NULL))
2395 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2396 (void *)&sess_id_ctx,
2397 sizeof(sess_id_ctx))))
2400 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2401 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2402 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2403 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2404 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2405 use_session_cb_cnt = 0;
2406 find_session_cb_cnt = 0;
2410 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2413 clientpsk = serverpsk = create_a_psk(clientssl);
2414 if (!TEST_ptr(clientpsk))
2416 SSL_SESSION_up_ref(clientpsk);
2418 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2420 || !TEST_int_eq(1, find_session_cb_cnt)
2421 || !TEST_int_eq(1, use_session_cb_cnt)
2422 /* We should always get 1 ticket when using external PSK */
2423 || !TEST_int_eq(1, new_called))
2429 SSL_free(serverssl);
2430 SSL_free(clientssl);
2433 SSL_SESSION_free(clientpsk);
2434 SSL_SESSION_free(serverpsk);
2435 clientpsk = serverpsk = NULL;
2440 static int test_extra_tickets(int idx)
2442 SSL_CTX *sctx = NULL, *cctx = NULL;
2443 SSL *serverssl = NULL, *clientssl = NULL;
2444 BIO *bretry = BIO_new(bio_s_always_retry());
2449 unsigned char c, buf[1];
2459 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2461 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2462 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2463 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2465 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2466 &clientssl, NULL, NULL)))
2470 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2471 * incremented by both client and server.
2473 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2475 /* Check we got the number of tickets we were expecting */
2476 || !TEST_int_eq(idx * 2, new_called)
2477 || !TEST_true(SSL_new_session_ticket(serverssl))
2478 || !TEST_true(SSL_new_session_ticket(serverssl))
2479 || !TEST_int_eq(idx * 2, new_called))
2482 /* Now try a (real) write to actually send the tickets */
2484 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2485 || !TEST_size_t_eq(1, nbytes)
2486 || !TEST_int_eq(idx * 2 + 2, new_called)
2487 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2488 || !TEST_int_eq(idx * 2 + 4, new_called)
2489 || !TEST_int_eq(sizeof(buf), nbytes)
2490 || !TEST_int_eq(c, buf[0])
2491 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2494 /* Try with only requesting one new ticket, too */
2497 if (!TEST_true(SSL_new_session_ticket(serverssl))
2498 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2499 || !TEST_size_t_eq(sizeof(c), nbytes)
2500 || !TEST_int_eq(1, new_called)
2501 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2502 || !TEST_int_eq(2, new_called)
2503 || !TEST_size_t_eq(sizeof(buf), nbytes)
2504 || !TEST_int_eq(c, buf[0]))
2507 /* Do it again but use dummy writes to drive the ticket generation */
2510 if (!TEST_true(SSL_new_session_ticket(serverssl))
2511 || !TEST_true(SSL_new_session_ticket(serverssl))
2512 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2513 || !TEST_size_t_eq(0, nbytes)
2514 || !TEST_int_eq(2, new_called)
2515 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2516 || !TEST_int_eq(4, new_called))
2519 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2522 if (!TEST_true(SSL_new_session_ticket(serverssl))
2523 || !TEST_true(SSL_new_session_ticket(serverssl))
2524 || !TEST_true(SSL_do_handshake(serverssl))
2525 || !TEST_int_eq(2, new_called)
2526 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2527 || !TEST_int_eq(4, new_called))
2531 * Use the always-retry BIO to exercise the logic that forces ticket
2532 * generation to wait until a record boundary.
2536 tmp = SSL_get_wbio(serverssl);
2537 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2541 SSL_set0_wbio(serverssl, bretry);
2543 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2544 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2545 || !TEST_size_t_eq(nbytes, 0))
2547 /* Restore a BIO that will let the write succeed */
2548 SSL_set0_wbio(serverssl, tmp);
2551 * These calls should just queue the request and not send anything
2552 * even if we explicitly try to hit the state machine.
2554 if (!TEST_true(SSL_new_session_ticket(serverssl))
2555 || !TEST_true(SSL_new_session_ticket(serverssl))
2556 || !TEST_int_eq(0, new_called)
2557 || !TEST_true(SSL_do_handshake(serverssl))
2558 || !TEST_int_eq(0, new_called))
2560 /* Re-do the write; still no tickets sent */
2561 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2562 || !TEST_size_t_eq(1, nbytes)
2563 || !TEST_int_eq(0, new_called)
2564 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2565 || !TEST_int_eq(0, new_called)
2566 || !TEST_int_eq(sizeof(buf), nbytes)
2567 || !TEST_int_eq(c, buf[0])
2568 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2570 /* Even trying to hit the state machine now will still not send tickets */
2571 if (!TEST_true(SSL_do_handshake(serverssl))
2572 || !TEST_int_eq(0, new_called))
2574 /* Now the *next* write should send the tickets */
2576 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2577 || !TEST_size_t_eq(1, nbytes)
2578 || !TEST_int_eq(2, new_called)
2579 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2580 || !TEST_int_eq(4, new_called)
2581 || !TEST_int_eq(sizeof(buf), nbytes)
2582 || !TEST_int_eq(c, buf[0])
2583 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2586 SSL_shutdown(clientssl);
2587 SSL_shutdown(serverssl);
2593 SSL_free(serverssl);
2594 SSL_free(clientssl);
2597 clientssl = serverssl = NULL;
2606 #define USE_DEFAULT 3
2608 #define CONNTYPE_CONNECTION_SUCCESS 0
2609 #define CONNTYPE_CONNECTION_FAIL 1
2610 #define CONNTYPE_NO_CONNECTION 2
2612 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2613 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2614 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2615 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2617 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2620 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2621 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2622 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2624 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2641 * Tests calls to SSL_set_bio() under various conditions.
2643 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2644 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2645 * then do more tests where we create a successful connection first using our
2646 * standard connection setup functions, and then call SSL_set_bio() with
2647 * various combinations of valid BIOs or NULL. We then repeat these tests
2648 * following a failed connection. In this last case we are looking to check that
2649 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2651 static int test_ssl_set_bio(int idx)
2653 SSL_CTX *sctx = NULL, *cctx = NULL;
2656 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2657 SSL *serverssl = NULL, *clientssl = NULL;
2658 int initrbio, initwbio, newrbio, newwbio, conntype;
2661 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2669 conntype = CONNTYPE_NO_CONNECTION;
2671 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2672 initrbio = initwbio = USE_DEFAULT;
2680 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2681 TLS_client_method(), TLS1_VERSION, 0,
2682 &sctx, &cctx, cert, privkey)))
2685 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2687 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2688 * because we reduced the number of tests in the definition of
2689 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2690 * mismatched protocol versions we will force a connection failure.
2692 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2693 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2696 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2700 if (initrbio == USE_BIO_1
2701 || initwbio == USE_BIO_1
2702 || newrbio == USE_BIO_1
2703 || newwbio == USE_BIO_1) {
2704 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2708 if (initrbio == USE_BIO_2
2709 || initwbio == USE_BIO_2
2710 || newrbio == USE_BIO_2
2711 || newwbio == USE_BIO_2) {
2712 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2716 if (initrbio != USE_DEFAULT) {
2717 setupbio(&irbio, bio1, bio2, initrbio);
2718 setupbio(&iwbio, bio1, bio2, initwbio);
2719 SSL_set_bio(clientssl, irbio, iwbio);
2722 * We want to maintain our own refs to these BIO, so do an up ref for
2723 * each BIO that will have ownership transferred in the SSL_set_bio()
2728 if (iwbio != NULL && iwbio != irbio)
2732 if (conntype != CONNTYPE_NO_CONNECTION
2733 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2735 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2738 setupbio(&nrbio, bio1, bio2, newrbio);
2739 setupbio(&nwbio, bio1, bio2, newwbio);
2742 * We will (maybe) transfer ownership again so do more up refs.
2743 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2748 && (nwbio != iwbio || nrbio != nwbio))
2752 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2755 SSL_set_bio(clientssl, nrbio, nwbio);
2764 * This test is checking that the ref counting for SSL_set_bio is correct.
2765 * If we get here and we did too many frees then we will fail in the above
2768 SSL_free(serverssl);
2769 SSL_free(clientssl);
2775 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
2777 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
2779 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
2784 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
2785 || !TEST_ptr(ssl = SSL_new(ctx))
2786 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2787 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
2790 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2793 * If anything goes wrong here then we could leak memory.
2795 BIO_push(sslbio, membio1);
2797 /* Verify changing the rbio/wbio directly does not cause leaks */
2798 if (change_bio != NO_BIO_CHANGE) {
2799 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
2803 if (change_bio == CHANGE_RBIO)
2804 SSL_set0_rbio(ssl, membio2);
2806 SSL_set0_wbio(ssl, membio2);
2825 static int test_ssl_bio_pop_next_bio(void)
2827 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
2830 static int test_ssl_bio_pop_ssl_bio(void)
2832 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
2835 static int test_ssl_bio_change_rbio(void)
2837 return execute_test_ssl_bio(0, CHANGE_RBIO);
2840 static int test_ssl_bio_change_wbio(void)
2842 return execute_test_ssl_bio(0, CHANGE_WBIO);
2845 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
2847 /* The list of sig algs */
2849 /* The length of the list */
2851 /* A sigalgs list in string format */
2852 const char *liststr;
2853 /* Whether setting the list should succeed */
2855 /* Whether creating a connection with the list should succeed */
2859 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
2860 # ifndef OPENSSL_NO_EC
2861 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2862 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
2864 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2865 static const int invalidlist2[] = {NID_sha256, NID_undef};
2866 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2867 static const int invalidlist4[] = {NID_sha256};
2868 static const sigalgs_list testsigalgs[] = {
2869 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2870 # ifndef OPENSSL_NO_EC
2871 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2872 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2874 {NULL, 0, "RSA+SHA256", 1, 1},
2875 # ifndef OPENSSL_NO_EC
2876 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2877 {NULL, 0, "ECDSA+SHA512", 1, 0},
2879 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2880 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2881 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2882 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2883 {NULL, 0, "RSA", 0, 0},
2884 {NULL, 0, "SHA256", 0, 0},
2885 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2886 {NULL, 0, "Invalid", 0, 0}
2889 static int test_set_sigalgs(int idx)
2891 SSL_CTX *cctx = NULL, *sctx = NULL;
2892 SSL *clientssl = NULL, *serverssl = NULL;
2894 const sigalgs_list *curr;
2897 /* Should never happen */
2898 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
2901 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2902 curr = testctx ? &testsigalgs[idx]
2903 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2905 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2906 TLS_client_method(), TLS1_VERSION, 0,
2907 &sctx, &cctx, cert, privkey)))
2911 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2912 * for TLSv1.2 for now until we add a new API.
2914 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2919 if (curr->list != NULL)
2920 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2922 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2926 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2932 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2937 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2938 &clientssl, NULL, NULL)))
2944 if (curr->list != NULL)
2945 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2947 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2950 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
2959 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2967 SSL_free(serverssl);
2968 SSL_free(clientssl);
2976 #ifndef OSSL_NO_USABLE_TLS1_3
2977 static int psk_client_cb_cnt = 0;
2978 static int psk_server_cb_cnt = 0;
2980 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2981 size_t *idlen, SSL_SESSION **sess)
2983 switch (++use_session_cb_cnt) {
2985 /* The first call should always have a NULL md */
2991 /* The second call should always have an md */
2997 /* We should only be called a maximum of twice */
3001 if (clientpsk != NULL)
3002 SSL_SESSION_up_ref(clientpsk);
3005 *id = (const unsigned char *)pskid;
3006 *idlen = strlen(pskid);
3011 #ifndef OPENSSL_NO_PSK
3012 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3013 unsigned int max_id_len,
3015 unsigned int max_psk_len)
3017 unsigned int psklen = 0;
3019 psk_client_cb_cnt++;
3021 if (strlen(pskid) + 1 > max_id_len)
3024 /* We should only ever be called a maximum of twice per connection */
3025 if (psk_client_cb_cnt > 2)
3028 if (clientpsk == NULL)
3031 /* We'll reuse the PSK we set up for TLSv1.3 */
3032 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3034 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3035 strncpy(id, pskid, max_id_len);
3039 #endif /* OPENSSL_NO_PSK */
3041 static int find_session_cb(SSL *ssl, const unsigned char *identity,
3042 size_t identity_len, SSL_SESSION **sess)
3044 find_session_cb_cnt++;
3046 /* We should only ever be called a maximum of twice per connection */
3047 if (find_session_cb_cnt > 2)
3050 if (serverpsk == NULL)
3053 /* Identity should match that set by the client */
3054 if (strlen(srvid) != identity_len
3055 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3056 /* No PSK found, continue but without a PSK */
3061 SSL_SESSION_up_ref(serverpsk);
3067 #ifndef OPENSSL_NO_PSK
3068 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3069 unsigned char *psk, unsigned int max_psk_len)
3071 unsigned int psklen = 0;
3073 psk_server_cb_cnt++;
3075 /* We should only ever be called a maximum of twice per connection */
3076 if (find_session_cb_cnt > 2)
3079 if (serverpsk == NULL)
3082 /* Identity should match that set by the client */
3083 if (strcmp(srvid, identity) != 0) {
3087 /* We'll reuse the PSK we set up for TLSv1.3 */
3088 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3090 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3094 #endif /* OPENSSL_NO_PSK */
3096 #define MSG1 "Hello"
3097 #define MSG2 "World."
3102 #define MSG7 "message."
3104 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
3105 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3106 #define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3107 #define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3108 #define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
3111 static SSL_SESSION *create_a_psk(SSL *ssl)
3113 const SSL_CIPHER *cipher = NULL;
3114 const unsigned char key[] = {
3115 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3116 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3117 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3118 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3119 0x2c, 0x2d, 0x2e, 0x2f
3121 SSL_SESSION *sess = NULL;
3123 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3124 sess = SSL_SESSION_new();
3126 || !TEST_ptr(cipher)
3127 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
3129 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3131 SSL_SESSION_set_protocol_version(sess,
3133 SSL_SESSION_free(sess);
3140 * Helper method to setup objects for early data test. Caller frees objects on
3143 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3144 SSL **serverssl, SSL_SESSION **sess, int idx)
3147 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3148 TLS_client_method(),
3150 sctx, cctx, cert, privkey)))
3153 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
3157 /* When idx == 1 we repeat the tests with read_ahead set */
3158 SSL_CTX_set_read_ahead(*cctx, 1);
3159 SSL_CTX_set_read_ahead(*sctx, 1);
3160 } else if (idx == 2) {
3161 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3162 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3163 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3164 use_session_cb_cnt = 0;
3165 find_session_cb_cnt = 0;
3169 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
3174 * For one of the run throughs (doesn't matter which one), we'll try sending
3175 * some SNI data in the initial ClientHello. This will be ignored (because
3176 * there is no SNI cb set up by the server), so it should not impact
3180 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3184 clientpsk = create_a_psk(*clientssl);
3185 if (!TEST_ptr(clientpsk)
3187 * We just choose an arbitrary value for max_early_data which
3188 * should be big enough for testing purposes.
3190 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3192 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3193 SSL_SESSION_free(clientpsk);
3197 serverpsk = clientpsk;
3200 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3201 SSL_SESSION_free(clientpsk);
3202 SSL_SESSION_free(serverpsk);
3203 clientpsk = serverpsk = NULL;
3214 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3218 *sess = SSL_get1_session(*clientssl);
3219 SSL_shutdown(*clientssl);
3220 SSL_shutdown(*serverssl);
3221 SSL_free(*serverssl);
3222 SSL_free(*clientssl);
3223 *serverssl = *clientssl = NULL;
3225 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3226 clientssl, NULL, NULL))
3227 || !TEST_true(SSL_set_session(*clientssl, *sess)))
3233 static int test_early_data_read_write(int idx)
3235 SSL_CTX *cctx = NULL, *sctx = NULL;
3236 SSL *clientssl = NULL, *serverssl = NULL;
3238 SSL_SESSION *sess = NULL;
3239 unsigned char buf[20], data[1024];
3240 size_t readbytes, written, eoedlen, rawread, rawwritten;
3243 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3244 &serverssl, &sess, idx)))
3247 /* Write and read some early data */
3248 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3250 || !TEST_size_t_eq(written, strlen(MSG1))
3251 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3252 sizeof(buf), &readbytes),
3253 SSL_READ_EARLY_DATA_SUCCESS)
3254 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3255 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3256 SSL_EARLY_DATA_ACCEPTED))
3260 * Server should be able to write data, and client should be able to
3263 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3265 || !TEST_size_t_eq(written, strlen(MSG2))
3266 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3267 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3270 /* Even after reading normal data, client should be able write early data */
3271 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3273 || !TEST_size_t_eq(written, strlen(MSG3)))
3276 /* Server should still be able read early data after writing data */
3277 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3279 SSL_READ_EARLY_DATA_SUCCESS)
3280 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3283 /* Write more data from server and read it from client */
3284 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3286 || !TEST_size_t_eq(written, strlen(MSG4))
3287 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3288 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3292 * If client writes normal data it should mean writing early data is no
3295 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3296 || !TEST_size_t_eq(written, strlen(MSG5))
3297 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3298 SSL_EARLY_DATA_ACCEPTED))
3302 * At this point the client has written EndOfEarlyData, ClientFinished and
3303 * normal (fully protected) data. We are going to cause a delay between the
3304 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3305 * in the read BIO, and then just put back the EndOfEarlyData message.
3307 rbio = SSL_get_rbio(serverssl);
3308 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3309 || !TEST_size_t_lt(rawread, sizeof(data))
3310 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3313 /* Record length is in the 4th and 5th bytes of the record header */
3314 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3315 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3316 || !TEST_size_t_eq(rawwritten, eoedlen))
3319 /* Server should be told that there is no more early data */
3320 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3322 SSL_READ_EARLY_DATA_FINISH)
3323 || !TEST_size_t_eq(readbytes, 0))
3327 * Server has not finished init yet, so should still be able to write early
3330 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3332 || !TEST_size_t_eq(written, strlen(MSG6)))
3335 /* Push the ClientFinished and the normal data back into the server rbio */
3336 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3338 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3341 /* Server should be able to read normal data */
3342 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3343 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3346 /* Client and server should not be able to write/read early data now */
3347 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3351 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3353 SSL_READ_EARLY_DATA_ERROR))
3357 /* Client should be able to read the data sent by the server */
3358 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3359 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3363 * Make sure we process the two NewSessionTickets. These arrive
3364 * post-handshake. We attempt reads which we do not expect to return any
3367 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3368 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3372 /* Server should be able to write normal data */
3373 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3374 || !TEST_size_t_eq(written, strlen(MSG7))
3375 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3376 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3379 SSL_SESSION_free(sess);
3380 sess = SSL_get1_session(clientssl);
3381 use_session_cb_cnt = 0;
3382 find_session_cb_cnt = 0;
3384 SSL_shutdown(clientssl);
3385 SSL_shutdown(serverssl);
3386 SSL_free(serverssl);
3387 SSL_free(clientssl);
3388 serverssl = clientssl = NULL;
3389 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3390 &clientssl, NULL, NULL))
3391 || !TEST_true(SSL_set_session(clientssl, sess)))
3394 /* Write and read some early data */
3395 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3397 || !TEST_size_t_eq(written, strlen(MSG1))
3398 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3400 SSL_READ_EARLY_DATA_SUCCESS)
3401 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3404 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3405 || !TEST_int_gt(SSL_accept(serverssl), 0))
3408 /* Client and server should not be able to write/read early data now */
3409 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3413 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3415 SSL_READ_EARLY_DATA_ERROR))
3419 /* Client and server should be able to write/read normal data */
3420 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3421 || !TEST_size_t_eq(written, strlen(MSG5))
3422 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3423 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3429 SSL_SESSION_free(sess);
3430 SSL_SESSION_free(clientpsk);
3431 SSL_SESSION_free(serverpsk);
3432 clientpsk = serverpsk = NULL;
3433 SSL_free(serverssl);
3434 SSL_free(clientssl);
3440 static int allow_ed_cb_called = 0;
3442 static int allow_early_data_cb(SSL *s, void *arg)
3444 int *usecb = (int *)arg;
3446 allow_ed_cb_called++;
3455 * idx == 0: Standard early_data setup
3456 * idx == 1: early_data setup using read_ahead
3457 * usecb == 0: Don't use a custom early data callback
3458 * usecb == 1: Use a custom early data callback and reject the early data
3459 * usecb == 2: Use a custom early data callback and accept the early data
3460 * confopt == 0: Configure anti-replay directly
3461 * confopt == 1: Configure anti-replay using SSL_CONF
3463 static int test_early_data_replay_int(int idx, int usecb, int confopt)
3465 SSL_CTX *cctx = NULL, *sctx = NULL;
3466 SSL *clientssl = NULL, *serverssl = NULL;
3468 SSL_SESSION *sess = NULL;
3469 size_t readbytes, written;
3470 unsigned char buf[20];
3472 allow_ed_cb_called = 0;
3474 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3475 TLS_client_method(), TLS1_VERSION, 0,
3476 &sctx, &cctx, cert, privkey)))
3481 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3483 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3485 if (!TEST_ptr(confctx))
3487 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3488 | SSL_CONF_FLAG_SERVER);
3489 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3490 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3492 SSL_CONF_CTX_free(confctx);
3495 SSL_CONF_CTX_free(confctx);
3497 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3500 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3501 &serverssl, &sess, idx)))
3505 * The server is configured to accept early data. Create a connection to
3506 * "use up" the ticket
3508 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3509 || !TEST_true(SSL_session_reused(clientssl)))
3512 SSL_shutdown(clientssl);
3513 SSL_shutdown(serverssl);
3514 SSL_free(serverssl);
3515 SSL_free(clientssl);
3516 serverssl = clientssl = NULL;
3518 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3519 &clientssl, NULL, NULL))
3520 || !TEST_true(SSL_set_session(clientssl, sess)))
3523 /* Write and read some early data */
3524 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3526 || !TEST_size_t_eq(written, strlen(MSG1)))
3530 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3532 SSL_READ_EARLY_DATA_FINISH)
3534 * The ticket was reused, so the we should have rejected the
3537 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3538 SSL_EARLY_DATA_REJECTED))
3541 /* In this case the callback decides to accept the early data */
3542 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3544 SSL_READ_EARLY_DATA_SUCCESS)
3545 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3547 * Server will have sent its flight so client can now send
3548 * end of early data and complete its half of the handshake
3550 || !TEST_int_gt(SSL_connect(clientssl), 0)
3551 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3553 SSL_READ_EARLY_DATA_FINISH)
3554 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3555 SSL_EARLY_DATA_ACCEPTED))
3559 /* Complete the connection */
3560 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3561 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3562 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3568 SSL_SESSION_free(sess);
3569 SSL_SESSION_free(clientpsk);
3570 SSL_SESSION_free(serverpsk);
3571 clientpsk = serverpsk = NULL;
3572 SSL_free(serverssl);
3573 SSL_free(clientssl);
3579 static int test_early_data_replay(int idx)
3581 int ret = 1, usecb, confopt;
3583 for (usecb = 0; usecb < 3; usecb++) {
3584 for (confopt = 0; confopt < 2; confopt++)
3585 ret &= test_early_data_replay_int(idx, usecb, confopt);
3592 * Helper function to test that a server attempting to read early data can
3593 * handle a connection from a client where the early data should be skipped.
3594 * testtype: 0 == No HRR
3595 * testtype: 1 == HRR
3596 * testtype: 2 == HRR, invalid early_data sent after HRR
3597 * testtype: 3 == recv_max_early_data set to 0
3599 static int early_data_skip_helper(int testtype, int idx)
3601 SSL_CTX *cctx = NULL, *sctx = NULL;
3602 SSL *clientssl = NULL, *serverssl = NULL;
3604 SSL_SESSION *sess = NULL;
3605 unsigned char buf[20];
3606 size_t readbytes, written;
3608 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3609 &serverssl, &sess, idx)))
3612 if (testtype == 1 || testtype == 2) {
3613 /* Force an HRR to occur */
3614 #if defined(OPENSSL_NO_EC)
3615 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3618 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3621 } else if (idx == 2) {
3623 * We force early_data rejection by ensuring the PSK identity is
3626 srvid = "Dummy Identity";
3629 * Deliberately corrupt the creation time. We take 20 seconds off the
3630 * time. It could be any value as long as it is not within tolerance.
3631 * This should mean the ticket is rejected.
3633 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3638 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3641 /* Write some early data */
3642 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3644 || !TEST_size_t_eq(written, strlen(MSG1)))
3647 /* Server should reject the early data */
3648 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3650 SSL_READ_EARLY_DATA_FINISH)
3651 || !TEST_size_t_eq(readbytes, 0)
3652 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3653 SSL_EARLY_DATA_REJECTED))
3663 * Finish off the handshake. We perform the same writes and reads as
3664 * further down but we expect them to fail due to the incomplete
3667 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3668 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3675 BIO *wbio = SSL_get_wbio(clientssl);
3676 /* A record that will appear as bad early_data */
3677 const unsigned char bad_early_data[] = {
3678 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3682 * We force the client to attempt a write. This will fail because
3683 * we're still in the handshake. It will cause the second
3684 * ClientHello to be sent.
3686 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3691 * Inject some early_data after the second ClientHello. This should
3692 * cause the server to fail
3694 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3695 sizeof(bad_early_data), &written)))
3702 * This client has sent more early_data than we are willing to skip
3703 * (case 3) or sent invalid early_data (case 2) so the connection should
3706 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3707 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3710 /* Connection has failed - nothing more to do */
3715 TEST_error("Invalid test type");
3720 * Should be able to send normal data despite rejection of early data. The
3721 * early_data should be skipped.
3723 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3724 || !TEST_size_t_eq(written, strlen(MSG2))
3725 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3726 SSL_EARLY_DATA_REJECTED)
3727 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3728 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3734 SSL_SESSION_free(clientpsk);
3735 SSL_SESSION_free(serverpsk);
3736 clientpsk = serverpsk = NULL;
3737 SSL_SESSION_free(sess);
3738 SSL_free(serverssl);
3739 SSL_free(clientssl);
3746 * Test that a server attempting to read early data can handle a connection
3747 * from a client where the early data is not acceptable.
3749 static int test_early_data_skip(int idx)
3751 return early_data_skip_helper(0, idx);
3755 * Test that a server attempting to read early data can handle a connection
3756 * from a client where an HRR occurs.
3758 static int test_early_data_skip_hrr(int idx)
3760 return early_data_skip_helper(1, idx);
3764 * Test that a server attempting to read early data can handle a connection
3765 * from a client where an HRR occurs and correctly fails if early_data is sent
3768 static int test_early_data_skip_hrr_fail(int idx)
3770 return early_data_skip_helper(2, idx);
3774 * Test that a server attempting to read early data will abort if it tries to
3775 * skip over too much.
3777 static int test_early_data_skip_abort(int idx)
3779 return early_data_skip_helper(3, idx);
3783 * Test that a server attempting to read early data can handle a connection
3784 * from a client that doesn't send any.
3786 static int test_early_data_not_sent(int idx)
3788 SSL_CTX *cctx = NULL, *sctx = NULL;
3789 SSL *clientssl = NULL, *serverssl = NULL;
3791 SSL_SESSION *sess = NULL;
3792 unsigned char buf[20];
3793 size_t readbytes, written;
3795 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3796 &serverssl, &sess, idx)))
3799 /* Write some data - should block due to handshake with server */
3800 SSL_set_connect_state(clientssl);
3801 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3804 /* Server should detect that early data has not been sent */
3805 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3807 SSL_READ_EARLY_DATA_FINISH)
3808 || !TEST_size_t_eq(readbytes, 0)
3809 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3810 SSL_EARLY_DATA_NOT_SENT)
3811 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3812 SSL_EARLY_DATA_NOT_SENT))
3815 /* Continue writing the message we started earlier */
3816 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3817 || !TEST_size_t_eq(written, strlen(MSG1))
3818 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3819 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3820 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3821 || !TEST_size_t_eq(written, strlen(MSG2)))
3824 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3825 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3831 SSL_SESSION_free(sess);
3832 SSL_SESSION_free(clientpsk);
3833 SSL_SESSION_free(serverpsk);
3834 clientpsk = serverpsk = NULL;
3835 SSL_free(serverssl);
3836 SSL_free(clientssl);
3842 static const char *servalpn;
3844 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3845 unsigned char *outlen, const unsigned char *in,
3846 unsigned int inlen, void *arg)
3848 unsigned int protlen = 0;
3849 const unsigned char *prot;
3851 for (prot = in; prot < in + inlen; prot += protlen) {
3853 if (in + inlen < prot + protlen)
3854 return SSL_TLSEXT_ERR_NOACK;
3856 if (protlen == strlen(servalpn)
3857 && memcmp(prot, servalpn, protlen) == 0) {
3860 return SSL_TLSEXT_ERR_OK;
3864 return SSL_TLSEXT_ERR_NOACK;
3867 /* Test that a PSK can be used to send early_data */
3868 static int test_early_data_psk(int idx)
3870 SSL_CTX *cctx = NULL, *sctx = NULL;
3871 SSL *clientssl = NULL, *serverssl = NULL;
3873 SSL_SESSION *sess = NULL;
3874 unsigned char alpnlist[] = {
3875 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3878 #define GOODALPNLEN 9
3879 #define BADALPNLEN 8
3880 #define GOODALPN (alpnlist)
3881 #define BADALPN (alpnlist + GOODALPNLEN)
3883 unsigned char buf[20];
3884 size_t readbytes, written;
3885 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3886 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3888 /* We always set this up with a final parameter of "2" for PSK */
3889 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3890 &serverssl, &sess, 2)))
3893 servalpn = "goodalpn";
3896 * Note: There is no test for inconsistent SNI with late client detection.
3897 * This is because servers do not acknowledge SNI even if they are using
3898 * it in a resumption handshake - so it is not actually possible for a
3899 * client to detect a problem.
3903 /* Set inconsistent SNI (early client detection) */
3904 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3905 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3906 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3911 /* Set inconsistent ALPN (early client detection) */
3912 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3913 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3914 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3916 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3923 * Set invalid protocol version. Technically this affects PSKs without
3924 * early_data too, but we test it here because it is similar to the
3925 * SNI/ALPN consistency tests.
3927 err = SSL_R_BAD_PSK;
3928 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3934 * Set inconsistent SNI (server side). In this case the connection
3935 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3936 * is associated with each handshake - not the session. Therefore it
3937 * should not matter that we used a different server name last time.
3939 SSL_SESSION_free(serverpsk);
3940 serverpsk = SSL_SESSION_dup(clientpsk);
3941 if (!TEST_ptr(serverpsk)
3942 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3946 /* Set consistent SNI */
3947 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3948 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3949 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3956 * Set inconsistent ALPN (server detected). In this case the connection
3957 * will succeed but reject early_data.
3959 servalpn = "badalpn";
3960 edstatus = SSL_EARLY_DATA_REJECTED;
3961 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3965 * Set consistent ALPN.
3966 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3967 * accepts a list of protos (each one length prefixed).
3968 * SSL_set1_alpn_selected accepts a single protocol (not length
3971 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3973 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3977 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3981 /* Set inconsistent ALPN (late client detection) */
3982 SSL_SESSION_free(serverpsk);
3983 serverpsk = SSL_SESSION_dup(clientpsk);
3984 if (!TEST_ptr(serverpsk)
3985 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3988 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3991 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3994 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3995 edstatus = SSL_EARLY_DATA_ACCEPTED;
3996 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3997 /* SSL_connect() call should fail */
4002 TEST_error("Bad test index");
4006 SSL_set_connect_state(clientssl);
4008 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4010 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4011 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4014 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4018 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4019 &readbytes), readearlyres)
4020 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4021 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
4022 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4023 || !TEST_int_eq(SSL_connect(clientssl), connectres))
4030 SSL_SESSION_free(sess);
4031 SSL_SESSION_free(clientpsk);
4032 SSL_SESSION_free(serverpsk);
4033 clientpsk = serverpsk = NULL;
4034 SSL_free(serverssl);
4035 SSL_free(clientssl);
4042 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4043 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4044 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4045 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4046 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4047 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4049 static int test_early_data_psk_with_all_ciphers(int idx)
4051 SSL_CTX *cctx = NULL, *sctx = NULL;
4052 SSL *clientssl = NULL, *serverssl = NULL;
4054 SSL_SESSION *sess = NULL;
4055 unsigned char buf[20];
4056 size_t readbytes, written;
4057 const SSL_CIPHER *cipher;
4058 const char *cipher_str[] = {
4059 TLS1_3_RFC_AES_128_GCM_SHA256,
4060 TLS1_3_RFC_AES_256_GCM_SHA384,
4061 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4062 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4066 TLS1_3_RFC_AES_128_CCM_SHA256,
4067 TLS1_3_RFC_AES_128_CCM_8_SHA256
4069 const unsigned char *cipher_bytes[] = {
4070 TLS13_AES_128_GCM_SHA256_BYTES,
4071 TLS13_AES_256_GCM_SHA384_BYTES,
4072 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4073 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4077 TLS13_AES_128_CCM_SHA256_BYTES,
4078 TLS13_AES_128_CCM_8_SHA256_BYTES
4081 if (cipher_str[idx] == NULL)
4083 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4084 if (idx == 2 && is_fips == 1)
4087 /* We always set this up with a final parameter of "2" for PSK */
4088 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4089 &serverssl, &sess, 2)))
4092 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4093 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4097 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4098 * and assigns to both client and server with incremented reference
4099 * and the same instance is updated in 'sess'.
4100 * So updating ciphersuite in 'sess' which will get reflected in
4101 * PSK handshake using psk use sess and find sess cb.
4103 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4104 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4107 SSL_set_connect_state(clientssl);
4108 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4112 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4114 SSL_READ_EARLY_DATA_SUCCESS)
4115 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4116 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4117 SSL_EARLY_DATA_ACCEPTED)
4118 || !TEST_int_eq(SSL_connect(clientssl), 1)
4119 || !TEST_int_eq(SSL_accept(serverssl), 1))
4122 /* Send some normal data from client to server */
4123 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4124 || !TEST_size_t_eq(written, strlen(MSG2)))
4127 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4128 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4133 SSL_SESSION_free(sess);
4134 SSL_SESSION_free(clientpsk);
4135 SSL_SESSION_free(serverpsk);
4136 clientpsk = serverpsk = NULL;
4137 if (clientssl != NULL)
4138 SSL_shutdown(clientssl);
4139 if (serverssl != NULL)
4140 SSL_shutdown(serverssl);
4141 SSL_free(serverssl);
4142 SSL_free(clientssl);
4149 * Test that a server that doesn't try to read early data can handle a
4150 * client sending some.
4152 static int test_early_data_not_expected(int idx)
4154 SSL_CTX *cctx = NULL, *sctx = NULL;
4155 SSL *clientssl = NULL, *serverssl = NULL;
4157 SSL_SESSION *sess = NULL;
4158 unsigned char buf[20];
4159 size_t readbytes, written;
4161 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4162 &serverssl, &sess, idx)))
4165 /* Write some early data */
4166 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4171 * Server should skip over early data and then block waiting for client to
4172 * continue handshake
4174 if (!TEST_int_le(SSL_accept(serverssl), 0)
4175 || !TEST_int_gt(SSL_connect(clientssl), 0)
4176 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4177 SSL_EARLY_DATA_REJECTED)
4178 || !TEST_int_gt(SSL_accept(serverssl), 0)
4179 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4180 SSL_EARLY_DATA_REJECTED))
4183 /* Send some normal data from client to server */
4184 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4185 || !TEST_size_t_eq(written, strlen(MSG2)))
4188 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4189 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4195 SSL_SESSION_free(sess);
4196 SSL_SESSION_free(clientpsk);
4197 SSL_SESSION_free(serverpsk);
4198 clientpsk = serverpsk = NULL;
4199 SSL_free(serverssl);
4200 SSL_free(clientssl);
4207 # ifndef OPENSSL_NO_TLS1_2
4209 * Test that a server attempting to read early data can handle a connection
4210 * from a TLSv1.2 client.
4212 static int test_early_data_tls1_2(int idx)
4214 SSL_CTX *cctx = NULL, *sctx = NULL;
4215 SSL *clientssl = NULL, *serverssl = NULL;
4217 unsigned char buf[20];
4218 size_t readbytes, written;
4220 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4221 &serverssl, NULL, idx)))
4224 /* Write some data - should block due to handshake with server */
4225 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4226 SSL_set_connect_state(clientssl);
4227 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4231 * Server should do TLSv1.2 handshake. First it will block waiting for more
4232 * messages from client after ServerDone. Then SSL_read_early_data should
4233 * finish and detect that early data has not been sent
4235 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4237 SSL_READ_EARLY_DATA_ERROR))
4241 * Continue writing the message we started earlier. Will still block waiting
4242 * for the CCS/Finished from server
4244 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4245 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4247 SSL_READ_EARLY_DATA_FINISH)
4248 || !TEST_size_t_eq(readbytes, 0)
4249 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4250 SSL_EARLY_DATA_NOT_SENT))
4253 /* Continue writing the message we started earlier */
4254 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4255 || !TEST_size_t_eq(written, strlen(MSG1))
4256 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4257 SSL_EARLY_DATA_NOT_SENT)
4258 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4259 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4260 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4261 || !TEST_size_t_eq(written, strlen(MSG2))
4262 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4263 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4269 SSL_SESSION_free(clientpsk);
4270 SSL_SESSION_free(serverpsk);
4271 clientpsk = serverpsk = NULL;
4272 SSL_free(serverssl);
4273 SSL_free(clientssl);
4279 # endif /* OPENSSL_NO_TLS1_2 */
4282 * Test configuring the TLSv1.3 ciphersuites
4284 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4285 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4286 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4287 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4288 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4289 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4290 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4291 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4292 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4293 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4295 static int test_set_ciphersuite(int idx)
4297 SSL_CTX *cctx = NULL, *sctx = NULL;
4298 SSL *clientssl = NULL, *serverssl = NULL;
4301 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4302 TLS_client_method(), TLS1_VERSION, 0,
4303 &sctx, &cctx, cert, privkey))
4304 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4305 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4308 if (idx >=4 && idx <= 7) {
4309 /* SSL_CTX explicit cipher list */
4310 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4314 if (idx == 0 || idx == 4) {
4315 /* Default ciphersuite */
4316 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4317 "TLS_AES_128_GCM_SHA256")))
4319 } else if (idx == 1 || idx == 5) {
4320 /* Non default ciphersuite */
4321 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4322 "TLS_AES_128_CCM_SHA256")))
4326 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4327 &clientssl, NULL, NULL)))
4330 if (idx == 8 || idx == 9) {
4331 /* SSL explicit cipher list */
4332 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4336 if (idx == 2 || idx == 6 || idx == 8) {
4337 /* Default ciphersuite */
4338 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4339 "TLS_AES_128_GCM_SHA256")))
4341 } else if (idx == 3 || idx == 7 || idx == 9) {
4342 /* Non default ciphersuite */
4343 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4344 "TLS_AES_128_CCM_SHA256")))
4348 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4354 SSL_free(serverssl);
4355 SSL_free(clientssl);
4362 static int test_ciphersuite_change(void)
4364 SSL_CTX *cctx = NULL, *sctx = NULL;
4365 SSL *clientssl = NULL, *serverssl = NULL;
4366 SSL_SESSION *clntsess = NULL;
4368 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4370 /* Create a session based on SHA-256 */
4371 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4372 TLS_client_method(), TLS1_VERSION, 0,
4373 &sctx, &cctx, cert, privkey))
4374 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4375 "TLS_AES_128_GCM_SHA256:"
4376 "TLS_AES_256_GCM_SHA384:"
4377 "TLS_AES_128_CCM_SHA256"))
4378 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4379 "TLS_AES_128_GCM_SHA256"))
4380 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4381 &clientssl, NULL, NULL))
4382 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4386 clntsess = SSL_get1_session(clientssl);
4387 /* Save for later */
4388 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4389 SSL_shutdown(clientssl);
4390 SSL_shutdown(serverssl);
4391 SSL_free(serverssl);
4392 SSL_free(clientssl);
4393 serverssl = clientssl = NULL;
4395 /* Check we can resume a session with a different SHA-256 ciphersuite */
4396 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4397 "TLS_AES_128_CCM_SHA256"))
4398 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4399 &clientssl, NULL, NULL))
4400 || !TEST_true(SSL_set_session(clientssl, clntsess))
4401 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4403 || !TEST_true(SSL_session_reused(clientssl)))
4406 SSL_SESSION_free(clntsess);
4407 clntsess = SSL_get1_session(clientssl);
4408 SSL_shutdown(clientssl);
4409 SSL_shutdown(serverssl);
4410 SSL_free(serverssl);
4411 SSL_free(clientssl);
4412 serverssl = clientssl = NULL;
4415 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4416 * succeeds but does not resume.
4418 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4419 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4421 || !TEST_true(SSL_set_session(clientssl, clntsess))
4422 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4424 || !TEST_false(SSL_session_reused(clientssl)))
4427 SSL_SESSION_free(clntsess);
4429 SSL_shutdown(clientssl);
4430 SSL_shutdown(serverssl);
4431 SSL_free(serverssl);
4432 SSL_free(clientssl);
4433 serverssl = clientssl = NULL;
4435 /* Create a session based on SHA384 */
4436 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4437 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4438 &clientssl, NULL, NULL))
4439 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4443 clntsess = SSL_get1_session(clientssl);
4444 SSL_shutdown(clientssl);
4445 SSL_shutdown(serverssl);
4446 SSL_free(serverssl);
4447 SSL_free(clientssl);
4448 serverssl = clientssl = NULL;
4450 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4451 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4452 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4453 "TLS_AES_256_GCM_SHA384"))
4454 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4456 || !TEST_true(SSL_set_session(clientssl, clntsess))
4458 * We use SSL_ERROR_WANT_READ below so that we can pause the
4459 * connection after the initial ClientHello has been sent to
4460 * enable us to make some session changes.
4462 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4463 SSL_ERROR_WANT_READ)))
4466 /* Trick the client into thinking this session is for a different digest */
4467 clntsess->cipher = aes_128_gcm_sha256;
4468 clntsess->cipher_id = clntsess->cipher->id;
4471 * Continue the previously started connection. Server has selected a SHA-384
4472 * ciphersuite, but client thinks the session is for SHA-256, so it should
4475 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4477 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4478 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4484 SSL_SESSION_free(clntsess);
4485 SSL_free(serverssl);
4486 SSL_free(clientssl);
4494 * Test TLSv1.3 Key exchange
4495 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4496 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4497 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4498 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4499 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4500 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4501 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4502 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4503 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4504 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4505 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4506 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4507 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4508 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4510 # ifndef OPENSSL_NO_EC
4511 static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4512 NID_secp521r1, NID_X25519, NID_X448};
4514 # ifndef OPENSSL_NO_DH
4515 static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4516 NID_ffdhe6144, NID_ffdhe8192};
4518 static int test_key_exchange(int idx)
4520 SSL_CTX *sctx = NULL, *cctx = NULL;
4521 SSL *serverssl = NULL, *clientssl = NULL;
4524 int *kexch_groups = &kexch_alg;
4525 int kexch_groups_size = 1;
4526 int max_version = TLS1_3_VERSION;
4527 char *kexch_name0 = NULL;
4530 # ifndef OPENSSL_NO_EC
4531 # ifndef OPENSSL_NO_TLS1_2
4533 max_version = TLS1_2_VERSION;
4537 kexch_groups = ecdhe_kexch_groups;
4538 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4539 kexch_name0 = "secp256r1";
4542 kexch_alg = NID_X9_62_prime256v1;
4543 kexch_name0 = "secp256r1";
4546 kexch_alg = NID_secp384r1;
4547 kexch_name0 = "secp384r1";
4550 kexch_alg = NID_secp521r1;
4551 kexch_name0 = "secp521r1";
4554 kexch_alg = NID_X25519;
4555 kexch_name0 = "x25519";
4558 kexch_alg = NID_X448;
4559 kexch_name0 = "x448";
4562 # ifndef OPENSSL_NO_DH
4563 # ifndef OPENSSL_NO_TLS1_2
4565 max_version = TLS1_2_VERSION;
4566 kexch_name0 = "ffdhe2048";
4570 kexch_groups = ffdhe_kexch_groups;
4571 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4572 kexch_name0 = "ffdhe2048";
4575 kexch_alg = NID_ffdhe2048;
4576 kexch_name0 = "ffdhe2048";
4579 kexch_alg = NID_ffdhe3072;
4580 kexch_name0 = "ffdhe3072";
4583 kexch_alg = NID_ffdhe4096;
4584 kexch_name0 = "ffdhe4096";
4587 kexch_alg = NID_ffdhe6144;
4588 kexch_name0 = "ffdhe6144";
4591 kexch_alg = NID_ffdhe8192;
4592 kexch_name0 = "ffdhe8192";
4596 /* We're skipping this test */
4600 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4601 TLS_client_method(), TLS1_VERSION,
4602 max_version, &sctx, &cctx, cert,
4606 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4607 TLS1_3_RFC_AES_128_GCM_SHA256)))
4610 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4611 TLS1_3_RFC_AES_128_GCM_SHA256)))
4614 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4615 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4616 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4617 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4621 * Must include an EC ciphersuite so that we send supported groups in
4624 # ifndef OPENSSL_NO_TLS1_2
4625 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4626 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4627 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4631 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4635 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4636 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4639 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4643 * If Handshake succeeds the negotiated kexch alg should be the first one in
4644 * configured, except in the case of FFDHE groups (idx 13), which are
4645 * TLSv1.3 only so we expect no shared group to exist.
4647 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
4648 idx == 13 ? 0 : kexch_groups[0]))
4651 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
4655 /* We don't implement RFC 7919 named groups for TLS 1.2. */
4657 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4659 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4665 SSL_free(serverssl);
4666 SSL_free(clientssl);
4672 # if !defined(OPENSSL_NO_TLS1_2) \
4673 && !defined(OPENSSL_NO_EC) \
4674 && !defined(OPENSSL_NO_DH)
4675 static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
4676 int isecdhe, int idx)
4679 int *kexch_groups = &kexch_alg;
4682 numec = OSSL_NELEM(ecdhe_kexch_groups);
4683 numff = OSSL_NELEM(ffdhe_kexch_groups);
4685 kexch_alg = ecdhe_kexch_groups[idx];
4687 kexch_alg = ffdhe_kexch_groups[idx];
4690 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
4693 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
4697 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
4702 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
4705 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
4709 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
4718 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
4719 * Run through both the ECDHE and FFDHE group lists used in the previous
4720 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
4721 * confirming the expected result; then perform a resumption handshake
4722 * while offering the same group list, and another resumption handshake
4723 * offering a different group list. The returned value should be the
4724 * negotiated group for the initial handshake; for TLS 1.3 resumption
4725 * handshakes the returned value will be negotiated on the resumption
4726 * handshake itself, but for TLS 1.2 resumption handshakes the value will
4727 * be cached in the session from the original handshake, regardless of what
4728 * was offered in the resumption ClientHello.
4730 * Using E for the number of EC groups and F for the number of FF groups:
4731 * E tests of ECDHE with TLS 1.3, client sends only one group
4732 * F tests of FFDHE with TLS 1.3, client sends only one group
4733 * E tests of ECDHE with TLS 1.2, client sends only one group
4734 * F tests of FFDHE with TLS 1.2, client sends only one group
4735 * E tests of ECDHE with TLS 1.3, server only has one group
4736 * F tests of FFDHE with TLS 1.3, server only has one group
4737 * E tests of ECDHE with TLS 1.2, server only has one group
4738 * F tests of FFDHE with TLS 1.2, server only has one group
4740 static int test_negotiated_group(int idx)
4742 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
4744 SSL_CTX *sctx = NULL, *cctx = NULL;
4745 SSL *serverssl = NULL, *clientssl = NULL;
4746 SSL_SESSION *origsess = NULL;
4749 int max_version = TLS1_3_VERSION;
4751 numec = OSSL_NELEM(ecdhe_kexch_groups);
4752 numff = OSSL_NELEM(ffdhe_kexch_groups);
4753 numgroups = numec + numff;
4754 clientmulti = (idx < 2 * numgroups);
4755 idx = idx % (2 * numgroups);
4756 istls13 = (idx < numgroups);
4757 idx = idx % numgroups;
4758 isecdhe = (idx < numec);
4761 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
4763 kexch_alg = ecdhe_kexch_groups[idx];
4765 kexch_alg = ffdhe_kexch_groups[idx];
4766 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
4767 if (!istls13 && !isecdhe)
4768 expectednid = NID_undef;
4770 expectednid = kexch_alg;
4773 max_version = TLS1_2_VERSION;
4775 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4776 TLS_client_method(), TLS1_VERSION,
4777 max_version, &sctx, &cctx, cert,
4782 * Force (EC)DHE ciphers for TLS 1.2.
4783 * Be sure to enable auto tmp DH so that FFDHE can succeed.
4785 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4786 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4787 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4788 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4790 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4791 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4792 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4795 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4799 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
4803 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4806 /* Initial handshake; always the configured one */
4807 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4808 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4811 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
4814 SSL_shutdown(clientssl);
4815 SSL_shutdown(serverssl);
4816 SSL_free(serverssl);
4817 SSL_free(clientssl);
4818 serverssl = clientssl = NULL;
4820 /* First resumption attempt; use the same config as initial handshake */
4821 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4823 || !TEST_true(SSL_set_session(clientssl, origsess))
4824 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
4828 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4829 || !TEST_true(SSL_session_reused(clientssl)))
4832 /* Still had better agree, since nothing changed... */
4833 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4834 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4837 SSL_shutdown(clientssl);
4838 SSL_shutdown(serverssl);
4839 SSL_free(serverssl);
4840 SSL_free(clientssl);
4841 serverssl = clientssl = NULL;
4844 * Second resumption attempt
4845 * The party that picks one group changes it, which we effectuate by
4846 * changing 'idx' and updating what we expect.
4854 expectednid = ecdhe_kexch_groups[idx];
4856 expectednid = ffdhe_kexch_groups[idx];
4857 /* Verify that we are changing what we expect. */
4858 if (!TEST_int_ne(expectednid, kexch_alg))
4861 /* TLS 1.2 only supports named groups for ECDHE. */
4863 expectednid = kexch_alg;
4867 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4869 || !TEST_true(SSL_set_session(clientssl, origsess))
4870 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
4874 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4875 || !TEST_true(SSL_session_reused(clientssl)))
4878 /* Check that we get what we expected */
4879 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4880 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4885 SSL_free(serverssl);
4886 SSL_free(clientssl);
4889 SSL_SESSION_free(origsess);
4892 # endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
4895 * Test TLSv1.3 Cipher Suite
4896 * Test 0 = Set TLS1.3 cipher on context
4897 * Test 1 = Set TLS1.3 cipher on SSL
4898 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4899 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4901 static int test_tls13_ciphersuite(int idx)
4903 SSL_CTX *sctx = NULL, *cctx = NULL;
4904 SSL *serverssl = NULL, *clientssl = NULL;
4905 static const struct {
4906 const char *ciphername;
4909 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
4910 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
4911 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
4912 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4913 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4914 { TLS1_3_RFC_AES_256_GCM_SHA384
4915 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4917 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
4919 const char *t13_cipher = NULL;
4920 const char *t12_cipher = NULL;
4921 const char *negotiated_scipher;
4922 const char *negotiated_ccipher;
4938 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4942 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4946 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
4947 # ifdef OPENSSL_NO_TLS1_2
4948 if (max_ver == TLS1_2_VERSION)
4951 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4952 if (is_fips && !t13_ciphers[i].fipscapable)
4954 t13_cipher = t13_ciphers[i].ciphername;
4955 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4956 TLS_client_method(),
4957 TLS1_VERSION, max_ver,
4958 &sctx, &cctx, cert, privkey)))
4962 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
4963 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
4965 if (t12_cipher != NULL) {
4966 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
4967 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
4973 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4974 &clientssl, NULL, NULL)))
4978 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
4979 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
4981 if (t12_cipher != NULL) {
4982 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
4983 || !TEST_true(SSL_set_cipher_list(clientssl,
4989 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4993 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4995 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4997 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5001 * TEST_strn_eq is used below because t13_cipher can contain
5002 * multiple ciphersuites
5004 if (max_ver == TLS1_3_VERSION
5005 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5006 strlen(negotiated_scipher)))
5009 # ifndef OPENSSL_NO_TLS1_2
5010 /* Below validation is not done when t12_cipher is NULL */
5011 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5012 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5016 SSL_free(serverssl);
5018 SSL_free(clientssl);
5029 SSL_free(serverssl);
5030 SSL_free(clientssl);
5038 * Test 0 = Test new style callbacks
5039 * Test 1 = Test both new and old style callbacks
5040 * Test 2 = Test old style callbacks
5041 * Test 3 = Test old style callbacks with no certificate
5043 static int test_tls13_psk(int idx)
5045 SSL_CTX *sctx = NULL, *cctx = NULL;
5046 SSL *serverssl = NULL, *clientssl = NULL;
5047 const SSL_CIPHER *cipher = NULL;
5048 const unsigned char key[] = {
5049 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5050 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
5051 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5052 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
5056 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5057 TLS_client_method(), TLS1_VERSION, 0,
5058 &sctx, &cctx, idx == 3 ? NULL : cert,
5059 idx == 3 ? NULL : privkey)))
5064 * We use a ciphersuite with SHA256 to ease testing old style PSK
5065 * callbacks which will always default to SHA256. This should not be
5066 * necessary if we have no cert/priv key. In that case the server should
5067 * prefer SHA256 automatically.
5069 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5070 "TLS_AES_128_GCM_SHA256")))
5074 * As noted above the server should prefer SHA256 automatically. However
5075 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5076 * code works even if we are testing with only the FIPS provider loaded.
5078 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5079 "TLS_AES_256_GCM_SHA384:"
5080 "TLS_AES_128_GCM_SHA256")))
5085 * Test 0: New style callbacks only
5086 * Test 1: New and old style callbacks (only the new ones should be used)
5087 * Test 2: Old style callbacks only
5089 if (idx == 0 || idx == 1) {
5090 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5091 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5093 #ifndef OPENSSL_NO_PSK
5095 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5096 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5100 use_session_cb_cnt = 0;
5101 find_session_cb_cnt = 0;
5102 psk_client_cb_cnt = 0;
5103 psk_server_cb_cnt = 0;
5107 * Check we can create a connection if callback decides not to send a
5110 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5112 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5114 || !TEST_false(SSL_session_reused(clientssl))
5115 || !TEST_false(SSL_session_reused(serverssl)))
5118 if (idx == 0 || idx == 1) {
5119 if (!TEST_true(use_session_cb_cnt == 1)
5120 || !TEST_true(find_session_cb_cnt == 0)
5122 * If no old style callback then below should be 0
5125 || !TEST_true(psk_client_cb_cnt == idx)
5126 || !TEST_true(psk_server_cb_cnt == 0))
5129 if (!TEST_true(use_session_cb_cnt == 0)
5130 || !TEST_true(find_session_cb_cnt == 0)
5131 || !TEST_true(psk_client_cb_cnt == 1)
5132 || !TEST_true(psk_server_cb_cnt == 0))
5136 shutdown_ssl_connection(serverssl, clientssl);
5137 serverssl = clientssl = NULL;
5138 use_session_cb_cnt = psk_client_cb_cnt = 0;
5141 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5145 /* Create the PSK */
5146 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
5147 clientpsk = SSL_SESSION_new();
5148 if (!TEST_ptr(clientpsk)
5149 || !TEST_ptr(cipher)
5150 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5152 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5153 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5155 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
5157 serverpsk = clientpsk;
5159 /* Check we can create a connection and the PSK is used */
5160 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5161 || !TEST_true(SSL_session_reused(clientssl))
5162 || !TEST_true(SSL_session_reused(serverssl)))
5165 if (idx == 0 || idx == 1) {
5166 if (!TEST_true(use_session_cb_cnt == 1)
5167 || !TEST_true(find_session_cb_cnt == 1)
5168 || !TEST_true(psk_client_cb_cnt == 0)
5169 || !TEST_true(psk_server_cb_cnt == 0))
5172 if (!TEST_true(use_session_cb_cnt == 0)
5173 || !TEST_true(find_session_cb_cnt == 0)
5174 || !TEST_true(psk_client_cb_cnt == 1)
5175 || !TEST_true(psk_server_cb_cnt == 1))
5179 shutdown_ssl_connection(serverssl, clientssl);
5180 serverssl = clientssl = NULL;
5181 use_session_cb_cnt = find_session_cb_cnt = 0;
5182 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5184 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5189 #if defined(OPENSSL_NO_EC)
5190 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5193 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
5198 * Check we can create a connection, the PSK is used and the callbacks are
5201 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5202 || !TEST_true(SSL_session_reused(clientssl))
5203 || !TEST_true(SSL_session_reused(serverssl)))
5206 if (idx == 0 || idx == 1) {
5207 if (!TEST_true(use_session_cb_cnt == 2)
5208 || !TEST_true(find_session_cb_cnt == 2)
5209 || !TEST_true(psk_client_cb_cnt == 0)
5210 || !TEST_true(psk_server_cb_cnt == 0))
5213 if (!TEST_true(use_session_cb_cnt == 0)
5214 || !TEST_true(find_session_cb_cnt == 0)
5215 || !TEST_true(psk_client_cb_cnt == 2)
5216 || !TEST_true(psk_server_cb_cnt == 2))
5220 shutdown_ssl_connection(serverssl, clientssl);
5221 serverssl = clientssl = NULL;
5222 use_session_cb_cnt = find_session_cb_cnt = 0;
5223 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5227 * Check that if the server rejects the PSK we can still connect, but with
5230 srvid = "Dummy Identity";
5231 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5233 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5235 || !TEST_false(SSL_session_reused(clientssl))
5236 || !TEST_false(SSL_session_reused(serverssl)))
5239 if (idx == 0 || idx == 1) {
5240 if (!TEST_true(use_session_cb_cnt == 1)
5241 || !TEST_true(find_session_cb_cnt == 1)
5242 || !TEST_true(psk_client_cb_cnt == 0)
5244 * If no old style callback then below should be 0
5247 || !TEST_true(psk_server_cb_cnt == idx))
5250 if (!TEST_true(use_session_cb_cnt == 0)
5251 || !TEST_true(find_session_cb_cnt == 0)
5252 || !TEST_true(psk_client_cb_cnt == 1)
5253 || !TEST_true(psk_server_cb_cnt == 1))
5257 shutdown_ssl_connection(serverssl, clientssl);
5258 serverssl = clientssl = NULL;
5263 SSL_SESSION_free(clientpsk);
5264 SSL_SESSION_free(serverpsk);
5265 clientpsk = serverpsk = NULL;
5266 SSL_free(serverssl);
5267 SSL_free(clientssl);
5273 static unsigned char cookie_magic_value[] = "cookie magic";
5275 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5276 unsigned int *cookie_len)
5279 * Not suitable as a real cookie generation function but good enough for
5282 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5283 *cookie_len = sizeof(cookie_magic_value) - 1;
5288 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5289 unsigned int cookie_len)
5291 if (cookie_len == sizeof(cookie_magic_value) - 1
5292 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5298 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5302 int res = generate_cookie_callback(ssl, cookie, &temp);
5307 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5310 return verify_cookie_callback(ssl, cookie, cookie_len);
5313 static int test_stateless(void)
5315 SSL_CTX *sctx = NULL, *cctx = NULL;
5316 SSL *serverssl = NULL, *clientssl = NULL;
5319 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5320 TLS_client_method(), TLS1_VERSION, 0,
5321 &sctx, &cctx, cert, privkey)))
5324 /* The arrival of CCS messages can confuse the test */
5325 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5327 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5329 /* Send the first ClientHello */
5330 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5331 SSL_ERROR_WANT_READ))
5333 * This should fail with a -1 return because we have no callbacks
5336 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5339 /* Fatal error so abandon the connection from this client */
5340 SSL_free(clientssl);
5343 /* Set up the cookie generation and verification callbacks */
5344 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5345 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
5348 * Create a new connection from the client (we can reuse the server SSL
5351 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5353 /* Send the first ClientHello */
5354 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5355 SSL_ERROR_WANT_READ))
5356 /* This should fail because there is no cookie */
5357 || !TEST_int_eq(SSL_stateless(serverssl), 0))
5360 /* Abandon the connection from this client */
5361 SSL_free(clientssl);
5365 * Now create a connection from a new client but with the same server SSL
5368 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5370 /* Send the first ClientHello */
5371 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5372 SSL_ERROR_WANT_READ))
5373 /* This should fail because there is no cookie */
5374 || !TEST_int_eq(SSL_stateless(serverssl), 0)
5375 /* Send the second ClientHello */
5376 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5377 SSL_ERROR_WANT_READ))
5378 /* This should succeed because a cookie is now present */
5379 || !TEST_int_eq(SSL_stateless(serverssl), 1)
5380 /* Complete the connection */
5381 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5385 shutdown_ssl_connection(serverssl, clientssl);
5386 serverssl = clientssl = NULL;
5390 SSL_free(serverssl);
5391 SSL_free(clientssl);
5397 #endif /* OSSL_NO_USABLE_TLS1_3 */
5399 static int clntaddoldcb = 0;
5400 static int clntparseoldcb = 0;
5401 static int srvaddoldcb = 0;
5402 static int srvparseoldcb = 0;
5403 static int clntaddnewcb = 0;
5404 static int clntparsenewcb = 0;
5405 static int srvaddnewcb = 0;
5406 static int srvparsenewcb = 0;
5407 static int snicb = 0;
5409 #define TEST_EXT_TYPE1 0xff00
5411 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5412 size_t *outlen, int *al, void *add_arg)
5414 int *server = (int *)add_arg;
5415 unsigned char *data;
5417 if (SSL_is_server(s))
5422 if (*server != SSL_is_server(s)
5423 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5428 *outlen = sizeof(char);
5432 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5435 OPENSSL_free((unsigned char *)out);
5438 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5439 size_t inlen, int *al, void *parse_arg)
5441 int *server = (int *)parse_arg;
5443 if (SSL_is_server(s))
5448 if (*server != SSL_is_server(s)
5449 || inlen != sizeof(char)
5456 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5457 const unsigned char **out, size_t *outlen, X509 *x,
5458 size_t chainidx, int *al, void *add_arg)
5460 int *server = (int *)add_arg;
5461 unsigned char *data;
5463 if (SSL_is_server(s))
5468 if (*server != SSL_is_server(s)
5469 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5474 *outlen = sizeof(*data);
5478 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5479 const unsigned char *out, void *add_arg)
5481 OPENSSL_free((unsigned char *)out);
5484 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5485 const unsigned char *in, size_t inlen, X509 *x,
5486 size_t chainidx, int *al, void *parse_arg)
5488 int *server = (int *)parse_arg;
5490 if (SSL_is_server(s))
5495 if (*server != SSL_is_server(s)
5496 || inlen != sizeof(char) || *in != 1)
5502 static int sni_cb(SSL *s, int *al, void *arg)
5504 SSL_CTX *ctx = (SSL_CTX *)arg;
5506 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5507 *al = SSL_AD_INTERNAL_ERROR;
5508 return SSL_TLSEXT_ERR_ALERT_FATAL;
5511 return SSL_TLSEXT_ERR_OK;
5515 * Custom call back tests.
5516 * Test 0: Old style callbacks in TLSv1.2
5517 * Test 1: New style callbacks in TLSv1.2
5518 * Test 2: New style callbacks in TLSv1.2 with SNI
5519 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5520 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
5522 static int test_custom_exts(int tst)
5524 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5525 SSL *clientssl = NULL, *serverssl = NULL;
5527 static int server = 1;
5528 static int client = 0;
5529 SSL_SESSION *sess = NULL;
5530 unsigned int context;
5532 #if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
5533 /* Skip tests for TLSv1.2 and below in this case */
5538 /* Reset callback counters */
5539 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5540 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
5543 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5544 TLS_client_method(), TLS1_VERSION, 0,
5545 &sctx, &cctx, cert, privkey)))
5549 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5551 &sctx2, NULL, cert, privkey)))
5556 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5557 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
5559 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
5563 context = SSL_EXT_CLIENT_HELLO
5564 | SSL_EXT_TLS1_2_SERVER_HELLO
5565 | SSL_EXT_TLS1_3_SERVER_HELLO
5566 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5567 | SSL_EXT_TLS1_3_CERTIFICATE
5568 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5570 context = SSL_EXT_CLIENT_HELLO
5571 | SSL_EXT_TLS1_2_SERVER_HELLO
5572 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5575 /* Create a client side custom extension */
5577 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5578 old_add_cb, old_free_cb,
5579 &client, old_parse_cb,
5583 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5584 new_add_cb, new_free_cb,
5585 &client, new_parse_cb, &client)))
5589 /* Should not be able to add duplicates */
5590 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5591 old_add_cb, old_free_cb,
5592 &client, old_parse_cb,
5594 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5595 context, new_add_cb,
5596 new_free_cb, &client,
5597 new_parse_cb, &client)))
5600 /* Create a server side custom extension */
5602 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5603 old_add_cb, old_free_cb,
5604 &server, old_parse_cb,
5608 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5609 new_add_cb, new_free_cb,
5610 &server, new_parse_cb, &server)))
5613 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5614 context, new_add_cb,
5615 new_free_cb, &server,
5616 new_parse_cb, &server)))
5620 /* Should not be able to add duplicates */
5621 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5622 old_add_cb, old_free_cb,
5623 &server, old_parse_cb,
5625 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5626 context, new_add_cb,
5627 new_free_cb, &server,
5628 new_parse_cb, &server)))
5633 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5634 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5638 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5639 &clientssl, NULL, NULL))
5640 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5645 if (clntaddoldcb != 1
5646 || clntparseoldcb != 1
5648 || srvparseoldcb != 1)
5650 } else if (tst == 1 || tst == 2 || tst == 3) {
5651 if (clntaddnewcb != 1
5652 || clntparsenewcb != 1
5654 || srvparsenewcb != 1
5655 || (tst != 2 && snicb != 0)
5656 || (tst == 2 && snicb != 1))
5659 /* In this case there 2 NewSessionTicket messages created */
5660 if (clntaddnewcb != 1
5661 || clntparsenewcb != 5
5663 || srvparsenewcb != 1)
5667 sess = SSL_get1_session(clientssl);
5668 SSL_shutdown(clientssl);
5669 SSL_shutdown(serverssl);
5670 SSL_free(serverssl);
5671 SSL_free(clientssl);
5672 serverssl = clientssl = NULL;
5675 /* We don't bother with the resumption aspects for this test */
5680 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5682 || !TEST_true(SSL_set_session(clientssl, sess))
5683 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5688 * For a resumed session we expect to add the ClientHello extension. For the
5689 * old style callbacks we ignore it on the server side because they set
5690 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5694 if (clntaddoldcb != 2
5695 || clntparseoldcb != 1
5697 || srvparseoldcb != 1)
5699 } else if (tst == 1 || tst == 2 || tst == 3) {
5700 if (clntaddnewcb != 2
5701 || clntparsenewcb != 2
5703 || srvparsenewcb != 2)
5707 * No Certificate message extensions in the resumption handshake,
5708 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5710 if (clntaddnewcb != 2
5711 || clntparsenewcb != 8
5713 || srvparsenewcb != 2)
5720 SSL_SESSION_free(sess);
5721 SSL_free(serverssl);
5722 SSL_free(clientssl);
5723 SSL_CTX_free(sctx2);
5730 * Test loading of serverinfo data in various formats. test_sslmessages actually
5731 * tests to make sure the extensions appear in the handshake
5733 static int test_serverinfo(int tst)
5735 unsigned int version;
5736 unsigned char *sibuf;
5738 int ret, expected, testresult = 0;
5741 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method());
5745 if ((tst & 0x01) == 0x01)
5746 version = SSL_SERVERINFOV2;
5748 version = SSL_SERVERINFOV1;
5750 if ((tst & 0x02) == 0x02) {
5751 sibuf = serverinfov2;
5752 sibuflen = sizeof(serverinfov2);
5753 expected = (version == SSL_SERVERINFOV2);
5755 sibuf = serverinfov1;
5756 sibuflen = sizeof(serverinfov1);
5757 expected = (version == SSL_SERVERINFOV1);
5760 if ((tst & 0x04) == 0x04) {
5761 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
5763 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
5766 * The version variable is irrelevant in this case - it's what is in the
5767 * buffer that matters
5769 if ((tst & 0x02) == 0x02)
5775 if (!TEST_true(ret == expected))
5787 * Test that SSL_export_keying_material() produces expected results. There are
5788 * no test vectors so all we do is test that both sides of the communication
5789 * produce the same results for different protocol versions.
5791 #define SMALL_LABEL_LEN 10
5792 #define LONG_LABEL_LEN 249
5793 static int test_export_key_mat(int tst)
5796 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5797 SSL *clientssl = NULL, *serverssl = NULL;
5798 const char label[LONG_LABEL_LEN + 1] = "test label";
5799 const unsigned char context[] = "context";
5800 const unsigned char *emptycontext = NULL;
5801 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
5802 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
5804 const int protocols[] = {
5813 #ifdef OPENSSL_NO_TLS1
5817 #ifdef OPENSSL_NO_TLS1_1
5821 if (is_fips && (tst == 0 || tst == 1))
5823 #ifdef OPENSSL_NO_TLS1_2
5827 #ifdef OSSL_NO_USABLE_TLS1_3
5831 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5832 TLS_client_method(), TLS1_VERSION, 0,
5833 &sctx, &cctx, cert, privkey)))
5836 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
5837 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
5838 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
5839 if ((protocols[tst] < TLS1_2_VERSION) &&
5840 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
5841 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
5844 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5849 * Premature call of SSL_export_keying_material should just fail.
5851 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5852 sizeof(ckeymat1), label,
5853 SMALL_LABEL_LEN + 1, context,
5854 sizeof(context) - 1, 1), 0))
5857 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5863 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
5866 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5867 sizeof(ckeymat1), label,
5868 LONG_LABEL_LEN + 1, context,
5869 sizeof(context) - 1, 1), 0))
5874 } else if (tst == 4) {
5875 labellen = LONG_LABEL_LEN;
5877 labellen = SMALL_LABEL_LEN;
5880 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
5881 sizeof(ckeymat1), label,
5883 sizeof(context) - 1, 1), 1)
5884 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
5885 sizeof(ckeymat2), label,
5889 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
5890 sizeof(ckeymat3), label,
5893 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
5894 sizeof(skeymat1), label,
5897 sizeof(context) -1, 1),
5899 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
5900 sizeof(skeymat2), label,
5904 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
5905 sizeof(skeymat3), label,
5909 * Check that both sides created the same key material with the
5912 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5915 * Check that both sides created the same key material with an
5918 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5921 * Check that both sides created the same key material without a
5924 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
5926 /* Different contexts should produce different results */
5927 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5932 * Check that an empty context and no context produce different results in
5933 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
5935 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
5937 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
5944 SSL_free(serverssl);
5945 SSL_free(clientssl);
5946 SSL_CTX_free(sctx2);
5953 #ifndef OSSL_NO_USABLE_TLS1_3
5955 * Test that SSL_export_keying_material_early() produces expected
5956 * results. There are no test vectors so all we do is test that both
5957 * sides of the communication produce the same results for different
5958 * protocol versions.
5960 static int test_export_key_mat_early(int idx)
5962 static const char label[] = "test label";
5963 static const unsigned char context[] = "context";
5965 SSL_CTX *cctx = NULL, *sctx = NULL;
5966 SSL *clientssl = NULL, *serverssl = NULL;
5967 SSL_SESSION *sess = NULL;
5968 const unsigned char *emptycontext = NULL;
5969 unsigned char ckeymat1[80], ckeymat2[80];
5970 unsigned char skeymat1[80], skeymat2[80];
5971 unsigned char buf[1];
5972 size_t readbytes, written;
5974 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
5978 /* Here writing 0 length early data is enough. */
5979 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
5980 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
5982 SSL_READ_EARLY_DATA_ERROR)
5983 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5984 SSL_EARLY_DATA_ACCEPTED))
5987 if (!TEST_int_eq(SSL_export_keying_material_early(
5988 clientssl, ckeymat1, sizeof(ckeymat1), label,
5989 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5990 || !TEST_int_eq(SSL_export_keying_material_early(
5991 clientssl, ckeymat2, sizeof(ckeymat2), label,
5992 sizeof(label) - 1, emptycontext, 0), 1)
5993 || !TEST_int_eq(SSL_export_keying_material_early(
5994 serverssl, skeymat1, sizeof(skeymat1), label,
5995 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5996 || !TEST_int_eq(SSL_export_keying_material_early(
5997 serverssl, skeymat2, sizeof(skeymat2), label,
5998 sizeof(label) - 1, emptycontext, 0), 1)
6000 * Check that both sides created the same key material with the
6003 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6006 * Check that both sides created the same key material with an
6009 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6011 /* Different contexts should produce different results */
6012 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6019 SSL_SESSION_free(sess);
6020 SSL_SESSION_free(clientpsk);
6021 SSL_SESSION_free(serverpsk);
6022 clientpsk = serverpsk = NULL;
6023 SSL_free(serverssl);
6024 SSL_free(clientssl);
6031 #define NUM_KEY_UPDATE_MESSAGES 40
6035 static int test_key_update(void)
6037 SSL_CTX *cctx = NULL, *sctx = NULL;
6038 SSL *clientssl = NULL, *serverssl = NULL;
6039 int testresult = 0, i, j;
6041 static char *mess = "A test message";
6043 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6044 TLS_client_method(),
6047 &sctx, &cctx, cert, privkey))
6048 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6050 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6054 for (j = 0; j < 2; j++) {
6055 /* Send lots of KeyUpdate messages */
6056 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6057 if (!TEST_true(SSL_key_update(clientssl,
6059 ? SSL_KEY_UPDATE_NOT_REQUESTED
6060 : SSL_KEY_UPDATE_REQUESTED))
6061 || !TEST_true(SSL_do_handshake(clientssl)))
6065 /* Check that sending and receiving app data is ok */
6066 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6067 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6071 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6072 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6080 SSL_free(serverssl);
6081 SSL_free(clientssl);
6089 * Test we can handle a KeyUpdate (update requested) message while write data
6091 * Test 0: Client sends KeyUpdate while Server is writing
6092 * Test 1: Server sends KeyUpdate while Client is writing
6094 static int test_key_update_in_write(int tst)
6096 SSL_CTX *cctx = NULL, *sctx = NULL;
6097 SSL *clientssl = NULL, *serverssl = NULL;
6100 static char *mess = "A test message";
6101 BIO *bretry = BIO_new(bio_s_always_retry());
6103 SSL *peerupdate = NULL, *peerwrite = NULL;
6105 if (!TEST_ptr(bretry)
6106 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6107 TLS_client_method(),
6110 &sctx, &cctx, cert, privkey))
6111 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6113 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6117 peerupdate = tst == 0 ? clientssl : serverssl;
6118 peerwrite = tst == 0 ? serverssl : clientssl;
6120 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
6121 || !TEST_true(SSL_do_handshake(peerupdate)))
6124 /* Swap the writing endpoint's write BIO to force a retry */
6125 tmp = SSL_get_wbio(peerwrite);
6126 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6130 SSL_set0_wbio(peerwrite, bretry);
6133 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6134 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6135 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
6138 /* Reinstate the original writing endpoint's write BIO */
6139 SSL_set0_wbio(peerwrite, tmp);
6142 /* Now read some data - we will read the key update */
6143 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6144 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
6148 * Complete the write we started previously and read it from the other
6151 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6152 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6155 /* Write more data to ensure we send the KeyUpdate message back */
6156 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6157 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6163 SSL_free(serverssl);
6164 SSL_free(clientssl);
6172 #endif /* OSSL_NO_USABLE_TLS1_3 */
6174 static int test_ssl_clear(int idx)
6176 SSL_CTX *cctx = NULL, *sctx = NULL;
6177 SSL *clientssl = NULL, *serverssl = NULL;
6180 #ifdef OPENSSL_NO_TLS1_2
6185 /* Create an initial connection */
6186 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6187 TLS_client_method(), TLS1_VERSION, 0,
6188 &sctx, &cctx, cert, privkey))
6190 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
6192 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6193 &clientssl, NULL, NULL))
6194 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6198 SSL_shutdown(clientssl);
6199 SSL_shutdown(serverssl);
6200 SSL_free(serverssl);
6203 /* Clear clientssl - we're going to reuse the object */
6204 if (!TEST_true(SSL_clear(clientssl)))
6207 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6209 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6211 || !TEST_true(SSL_session_reused(clientssl)))
6214 SSL_shutdown(clientssl);
6215 SSL_shutdown(serverssl);
6220 SSL_free(serverssl);
6221 SSL_free(clientssl);
6228 /* Parse CH and retrieve any MFL extension value if present */
6229 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
6232 unsigned char *data;
6233 PACKET pkt, pkt2, pkt3;
6234 unsigned int MFL_code = 0, type = 0;
6236 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
6239 memset(&pkt, 0, sizeof(pkt));
6240 memset(&pkt2, 0, sizeof(pkt2));
6241 memset(&pkt3, 0, sizeof(pkt3));
6243 if (!TEST_long_gt(len, 0)
6244 || !TEST_true( PACKET_buf_init( &pkt, data, len ) )
6245 /* Skip the record header */
6246 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
6247 /* Skip the handshake message header */
6248 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
6249 /* Skip client version and random */
6250 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
6251 + SSL3_RANDOM_SIZE))
6252 /* Skip session id */
6253 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6255 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
6256 /* Skip compression */
6257 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6258 /* Extensions len */
6259 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
6262 /* Loop through all extensions */
6263 while (PACKET_remaining(&pkt2)) {
6264 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
6265 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
6268 if (type == TLSEXT_TYPE_max_fragment_length) {
6269 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
6270 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
6273 *mfl_codemfl_code = MFL_code;
6282 /* Maximum-Fragment-Length TLS extension mode to test */
6283 static const unsigned char max_fragment_len_test[] = {
6284 TLSEXT_max_fragment_length_512,
6285 TLSEXT_max_fragment_length_1024,
6286 TLSEXT_max_fragment_length_2048,
6287 TLSEXT_max_fragment_length_4096
6290 static int test_max_fragment_len_ext(int idx_tst)
6292 SSL_CTX *ctx = NULL;
6294 int testresult = 0, MFL_mode = 0;
6297 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
6298 TLS1_VERSION, 0, NULL, &ctx, NULL,
6302 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
6303 ctx, max_fragment_len_test[idx_tst])))
6310 rbio = BIO_new(BIO_s_mem());
6311 wbio = BIO_new(BIO_s_mem());
6312 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
6318 SSL_set_bio(con, rbio, wbio);
6320 if (!TEST_int_le(SSL_connect(con), 0)) {
6321 /* This shouldn't succeed because we don't have a server! */
6325 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
6326 /* no MFL in client hello */
6328 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
6340 #ifndef OSSL_NO_USABLE_TLS1_3
6341 static int test_pha_key_update(void)
6343 SSL_CTX *cctx = NULL, *sctx = NULL;
6344 SSL *clientssl = NULL, *serverssl = NULL;
6347 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6348 TLS_client_method(), TLS1_VERSION, 0,
6349 &sctx, &cctx, cert, privkey)))
6352 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
6353 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
6354 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
6355 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
6358 SSL_CTX_set_post_handshake_auth(cctx, 1);
6360 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6364 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6368 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6369 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6372 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
6375 /* Start handshake on the server */
6376 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
6379 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
6380 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6384 SSL_shutdown(clientssl);
6385 SSL_shutdown(serverssl);
6390 SSL_free(serverssl);
6391 SSL_free(clientssl);
6398 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6400 static SRP_VBASE *vbase = NULL;
6402 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
6404 int ret = SSL3_AL_FATAL;
6406 SRP_user_pwd *user = NULL;
6408 username = SSL_get_srp_username(s);
6409 if (username == NULL) {
6410 *ad = SSL_AD_INTERNAL_ERROR;
6414 user = SRP_VBASE_get1_by_user(vbase, username);
6416 *ad = SSL_AD_INTERNAL_ERROR;
6420 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
6422 *ad = SSL_AD_INTERNAL_ERROR;
6429 SRP_user_pwd_free(user);
6433 static int create_new_vfile(char *userid, char *password, const char *filename)
6436 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
6439 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
6442 if (!TEST_ptr(dummy) || !TEST_ptr(row))
6445 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
6446 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
6447 if (!TEST_ptr(gNid))
6451 * The only way to create an empty TXT_DB is to provide a BIO with no data
6454 db = TXT_DB_read(dummy, DB_NUMBER);
6458 out = BIO_new_file(filename, "w");
6462 row[DB_srpid] = OPENSSL_strdup(userid);
6463 row[DB_srptype] = OPENSSL_strdup("V");
6464 row[DB_srpgN] = OPENSSL_strdup(gNid);
6466 if (!TEST_ptr(row[DB_srpid])
6467 || !TEST_ptr(row[DB_srptype])
6468 || !TEST_ptr(row[DB_srpgN])
6469 || !TEST_true(TXT_DB_insert(db, row)))
6474 if (!TXT_DB_write(out, db))
6480 for (i = 0; i < DB_NUMBER; i++)
6481 OPENSSL_free(row[i]);
6491 static int create_new_vbase(char *userid, char *password)
6493 BIGNUM *verifier = NULL, *salt = NULL;
6494 const SRP_gN *lgN = NULL;
6495 SRP_user_pwd *user_pwd = NULL;
6498 lgN = SRP_get_default_gN(NULL);
6502 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
6503 lgN->N, lgN->g, libctx, NULL)))
6506 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
6507 if (!TEST_ptr(user_pwd))
6510 user_pwd->N = lgN->N;
6511 user_pwd->g = lgN->g;
6512 user_pwd->id = OPENSSL_strdup(userid);
6513 if (!TEST_ptr(user_pwd->id))
6516 user_pwd->v = verifier;
6518 verifier = salt = NULL;
6520 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
6526 SRP_user_pwd_free(user_pwd);
6536 * Test 0: Simple successful SRP connection, new vbase
6537 * Test 1: Connection failure due to bad password, new vbase
6538 * Test 2: Simple successful SRP connection, vbase loaded from existing file
6539 * Test 3: Connection failure due to bad password, vbase loaded from existing
6541 * Test 4: Simple successful SRP connection, vbase loaded from new file
6542 * Test 5: Connection failure due to bad password, vbase loaded from new file
6544 static int test_srp(int tst)
6546 char *userid = "test", *password = "password", *tstsrpfile;
6547 SSL_CTX *cctx = NULL, *sctx = NULL;
6548 SSL *clientssl = NULL, *serverssl = NULL;
6549 int ret, testresult = 0;
6551 vbase = SRP_VBASE_new(NULL);
6552 if (!TEST_ptr(vbase))
6555 if (tst == 0 || tst == 1) {
6556 if (!TEST_true(create_new_vbase(userid, password)))
6559 if (tst == 4 || tst == 5) {
6560 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
6562 tstsrpfile = tmpfilename;
6564 tstsrpfile = srpvfile;
6566 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
6570 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6571 TLS_client_method(), TLS1_VERSION, 0,
6572 &sctx, &cctx, cert, privkey)))
6575 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
6576 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
6577 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
6578 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
6579 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
6583 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
6586 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
6590 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6594 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6596 if (!TEST_true(tst % 2 == 0))
6599 if (!TEST_true(tst % 2 == 1))
6606 SRP_VBASE_free(vbase);
6608 SSL_free(serverssl);
6609 SSL_free(clientssl);
6617 static int info_cb_failed = 0;
6618 static int info_cb_offset = 0;
6619 static int info_cb_this_state = -1;
6621 static struct info_cb_states_st {
6623 const char *statestr;
6624 } info_cb_states[][60] = {
6626 /* TLSv1.2 server followed by resumption */
6627 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6628 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6629 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
6630 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
6631 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
6632 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6633 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6634 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6635 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
6636 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6637 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
6638 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6639 {SSL_CB_EXIT, NULL}, {0, NULL},
6641 /* TLSv1.2 client followed by resumption */
6642 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6643 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6644 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
6645 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
6646 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
6647 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6648 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6649 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6650 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6651 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6652 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6653 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
6655 /* TLSv1.3 server followed by resumption */
6656 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6657 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6658 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
6659 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
6660 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
6661 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6662 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6663 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6664 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6665 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6666 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
6667 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6668 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
6670 /* TLSv1.3 client followed by resumption */
6671 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6672 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6673 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
6674 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
6675 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6676 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6677 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
6678 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
6679 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6680 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
6681 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6682 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6683 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6684 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
6685 {SSL_CB_EXIT, NULL}, {0, NULL},
6687 /* TLSv1.3 server, early_data */
6688 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6689 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6690 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6691 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6692 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6693 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
6694 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6695 {SSL_CB_EXIT, NULL}, {0, NULL},
6697 /* TLSv1.3 client, early_data */
6698 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6699 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
6700 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6701 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6702 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6703 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
6704 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6705 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6706 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
6712 static void sslapi_info_callback(const SSL *s, int where, int ret)
6714 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
6716 /* We do not ever expect a connection to fail in this test */
6717 if (!TEST_false(ret == 0)) {
6723 * Do some sanity checks. We never expect these things to happen in this
6726 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
6727 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
6728 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
6733 /* Now check we're in the right state */
6734 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
6738 if ((where & SSL_CB_LOOP) != 0
6739 && !TEST_int_eq(strcmp(SSL_state_string(s),
6740 state[info_cb_this_state].statestr), 0)) {
6746 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
6748 if ((where & SSL_CB_HANDSHAKE_DONE)
6749 && SSL_in_init((SSL *)s) != 0) {
6756 * Test the info callback gets called when we expect it to.
6758 * Test 0: TLSv1.2, server
6759 * Test 1: TLSv1.2, client
6760 * Test 2: TLSv1.3, server
6761 * Test 3: TLSv1.3, client
6762 * Test 4: TLSv1.3, server, early_data
6763 * Test 5: TLSv1.3, client, early_data
6765 static int test_info_callback(int tst)
6767 SSL_CTX *cctx = NULL, *sctx = NULL;
6768 SSL *clientssl = NULL, *serverssl = NULL;
6769 SSL_SESSION *clntsess = NULL;
6774 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
6775 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
6776 || !defined(OPENSSL_NO_DH))
6777 tlsvers = TLS1_2_VERSION;
6782 #ifndef OSSL_NO_USABLE_TLS1_3
6783 tlsvers = TLS1_3_VERSION;
6791 info_cb_this_state = -1;
6792 info_cb_offset = tst;
6794 #ifndef OSSL_NO_USABLE_TLS1_3
6796 SSL_SESSION *sess = NULL;
6797 size_t written, readbytes;
6798 unsigned char buf[80];
6800 /* early_data tests */
6801 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
6802 &serverssl, &sess, 0)))
6805 /* We don't actually need this reference */
6806 SSL_SESSION_free(sess);
6808 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
6809 sslapi_info_callback);
6811 /* Write and read some early data and then complete the connection */
6812 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
6814 || !TEST_size_t_eq(written, strlen(MSG1))
6815 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
6816 sizeof(buf), &readbytes),
6817 SSL_READ_EARLY_DATA_SUCCESS)
6818 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
6819 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6820 SSL_EARLY_DATA_ACCEPTED)
6821 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6823 || !TEST_false(info_cb_failed))
6831 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6832 TLS_client_method(),
6833 tlsvers, tlsvers, &sctx, &cctx, cert,
6837 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
6841 * For even numbered tests we check the server callbacks. For odd numbers we
6844 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
6845 sslapi_info_callback);
6847 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6848 &clientssl, NULL, NULL))
6849 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6851 || !TEST_false(info_cb_failed))
6856 clntsess = SSL_get1_session(clientssl);
6857 SSL_shutdown(clientssl);
6858 SSL_shutdown(serverssl);
6859 SSL_free(serverssl);
6860 SSL_free(clientssl);
6861 serverssl = clientssl = NULL;
6863 /* Now do a resumption */
6864 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6866 || !TEST_true(SSL_set_session(clientssl, clntsess))
6867 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6869 || !TEST_true(SSL_session_reused(clientssl))
6870 || !TEST_false(info_cb_failed))
6876 SSL_free(serverssl);
6877 SSL_free(clientssl);
6878 SSL_SESSION_free(clntsess);
6884 static int test_ssl_pending(int tst)
6886 SSL_CTX *cctx = NULL, *sctx = NULL;
6887 SSL *clientssl = NULL, *serverssl = NULL;
6889 char msg[] = "A test message";
6891 size_t written, readbytes;
6894 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6895 TLS_client_method(),
6897 &sctx, &cctx, cert, privkey)))
6900 #ifndef OPENSSL_NO_DTLS
6901 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
6902 DTLS_client_method(),
6904 &sctx, &cctx, cert, privkey)))
6907 # ifdef OPENSSL_NO_DTLS1_2
6908 /* Not supported in the FIPS provider */
6914 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
6917 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
6918 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
6919 "DEFAULT:@SECLEVEL=0")))
6927 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6929 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6933 if (!TEST_int_eq(SSL_pending(clientssl), 0)
6934 || !TEST_false(SSL_has_pending(clientssl))
6935 || !TEST_int_eq(SSL_pending(serverssl), 0)
6936 || !TEST_false(SSL_has_pending(serverssl))
6937 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6938 || !TEST_size_t_eq(written, sizeof(msg))
6939 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
6940 || !TEST_size_t_eq(readbytes, sizeof(buf))
6941 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
6942 || !TEST_true(SSL_has_pending(clientssl)))
6948 SSL_free(serverssl);
6949 SSL_free(clientssl);
6957 unsigned int maxprot;
6958 const char *clntciphers;
6959 const char *clnttls13ciphers;
6960 const char *srvrciphers;
6961 const char *srvrtls13ciphers;
6963 const char *fipsshared;
6964 } shared_ciphers_data[] = {
6966 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
6967 * TLSv1.3 is enabled but TLSv1.2 is disabled.
6969 #if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
6972 "AES128-SHA:AES256-SHA",
6974 "AES256-SHA:DHE-RSA-AES128-SHA",
6979 # if !defined(OPENSSL_NO_CHACHA) \
6980 && !defined(OPENSSL_NO_POLY1305) \
6981 && !defined(OPENSSL_NO_EC)
6984 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6986 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6988 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6994 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
6996 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
6998 "AES128-SHA:AES256-SHA",
6999 "AES128-SHA:AES256-SHA"
7003 "AES128-SHA:AES256-SHA",
7005 "AES128-SHA:DHE-RSA-AES128-SHA",
7012 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7015 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
7016 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
7019 "AES128-SHA:AES256-SHA",
7021 "AES256-SHA:AES128-SHA256",
7023 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
7024 "TLS_AES_128_GCM_SHA256:AES256-SHA",
7025 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
7028 #ifndef OSSL_NO_USABLE_TLS1_3
7032 "TLS_AES_256_GCM_SHA384",
7034 "TLS_AES_256_GCM_SHA384",
7035 "TLS_AES_256_GCM_SHA384",
7036 "TLS_AES_256_GCM_SHA384"
7041 static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
7043 SSL_CTX *cctx = NULL, *sctx = NULL;
7044 SSL *clientssl = NULL, *serverssl = NULL;
7047 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
7049 if (!TEST_ptr(tmplibctx))
7053 * Regardless of whether we're testing with the FIPS provider loaded into
7054 * libctx, we want one peer to always use the full set of ciphersuites
7055 * available. Therefore we use a separate libctx with the default provider
7056 * loaded into it. We run the same tests twice - once with the client side
7057 * having the full set of ciphersuites and once with the server side.
7060 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
7061 if (!TEST_ptr(cctx))
7064 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
7065 if (!TEST_ptr(sctx))
7069 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7070 TLS_client_method(),
7072 shared_ciphers_data[tst].maxprot,
7073 &sctx, &cctx, cert, privkey)))
7076 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
7077 shared_ciphers_data[tst].clntciphers))
7078 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
7079 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
7080 shared_ciphers_data[tst].clnttls13ciphers)))
7081 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
7082 shared_ciphers_data[tst].srvrciphers))
7083 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
7084 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
7085 shared_ciphers_data[tst].srvrtls13ciphers))))
7089 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7091 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7095 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
7096 || !TEST_int_eq(strcmp(buf,
7098 ? shared_ciphers_data[tst].fipsshared
7099 : shared_ciphers_data[tst].shared),
7101 TEST_info("Shared ciphers are: %s\n", buf);
7108 SSL_free(serverssl);
7109 SSL_free(clientssl);
7112 OSSL_LIB_CTX_free(tmplibctx);
7117 static int test_ssl_get_shared_ciphers(int tst)
7119 return int_test_ssl_get_shared_ciphers(tst, 0)
7120 && int_test_ssl_get_shared_ciphers(tst, 1);
7124 static const char *appdata = "Hello World";
7125 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
7126 static int tick_key_renew = 0;
7127 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7129 static int gen_tick_cb(SSL *s, void *arg)
7131 gen_tick_called = 1;
7133 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
7137 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
7138 const unsigned char *keyname,
7139 size_t keyname_length,
7140 SSL_TICKET_STATUS status,
7146 dec_tick_called = 1;
7148 if (status == SSL_TICKET_EMPTY)
7149 return SSL_TICKET_RETURN_IGNORE_RENEW;
7151 if (!TEST_true(status == SSL_TICKET_SUCCESS
7152 || status == SSL_TICKET_SUCCESS_RENEW))
7153 return SSL_TICKET_RETURN_ABORT;
7155 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
7157 || !TEST_size_t_eq(tickdlen, strlen(appdata))
7158 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
7159 return SSL_TICKET_RETURN_ABORT;
7161 if (tick_key_cb_called) {
7162 /* Don't change what the ticket key callback wanted to do */
7164 case SSL_TICKET_NO_DECRYPT:
7165 return SSL_TICKET_RETURN_IGNORE_RENEW;
7167 case SSL_TICKET_SUCCESS:
7168 return SSL_TICKET_RETURN_USE;
7170 case SSL_TICKET_SUCCESS_RENEW:
7171 return SSL_TICKET_RETURN_USE_RENEW;
7174 return SSL_TICKET_RETURN_ABORT;
7177 return tick_dec_ret;
7181 #ifndef OPENSSL_NO_DEPRECATED_3_0
7182 static int tick_key_cb(SSL *s, unsigned char key_name[16],
7183 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
7184 HMAC_CTX *hctx, int enc)
7186 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7187 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
7188 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7189 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
7192 tick_key_cb_called = 1;
7193 memset(iv, 0, AES_BLOCK_SIZE);
7194 memset(key_name, 0, 16);
7195 if (aes128cbc == NULL
7197 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7198 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
7202 ret = tick_key_renew ? 2 : 1;
7204 EVP_CIPHER_free(aes128cbc);
7205 EVP_MD_free(sha256);
7211 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
7212 unsigned char iv[EVP_MAX_IV_LENGTH],
7213 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
7215 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7216 unsigned char tick_hmac_key[16] = "0123456789abcdef";
7217 OSSL_PARAM params[2];
7218 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7221 tick_key_cb_called = 1;
7222 memset(iv, 0, AES_BLOCK_SIZE);
7223 memset(key_name, 0, 16);
7224 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
7226 params[1] = OSSL_PARAM_construct_end();
7227 if (aes128cbc == NULL
7228 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7229 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
7233 ret = tick_key_renew ? 2 : 1;
7235 EVP_CIPHER_free(aes128cbc);
7241 * Test the various ticket callbacks
7242 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
7243 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
7244 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
7245 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
7246 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
7247 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
7248 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
7249 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
7250 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
7251 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
7252 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
7253 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
7254 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
7255 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
7256 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
7257 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
7259 static int test_ticket_callbacks(int tst)
7261 SSL_CTX *cctx = NULL, *sctx = NULL;
7262 SSL *clientssl = NULL, *serverssl = NULL;
7263 SSL_SESSION *clntsess = NULL;
7266 #ifdef OPENSSL_NO_TLS1_2
7270 #ifdef OSSL_NO_USABLE_TLS1_3
7274 #ifdef OPENSSL_NO_DEPRECATED_3_0
7275 if (tst >= 8 && tst <= 11)
7279 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
7281 /* Which tests the ticket key callback should request renewal for */
7282 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
7287 /* Which tests the decrypt ticket callback should request renewal for */
7291 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
7296 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
7301 tick_dec_ret = SSL_TICKET_RETURN_USE;
7306 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
7310 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7313 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7314 TLS_client_method(),
7316 ((tst % 2) == 0) ? TLS1_2_VERSION
7318 &sctx, &cctx, cert, privkey)))
7322 * We only want sessions to resume from tickets - not the session cache. So
7323 * switch the cache off.
7325 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
7328 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
7333 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
7335 #ifndef OPENSSL_NO_DEPRECATED_3_0
7336 } else if (tst >= 8) {
7337 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
7342 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7344 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7349 * The decrypt ticket key callback in TLSv1.2 should be called even though
7350 * we have no ticket yet, because it gets called with a status of
7351 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
7352 * actually send any ticket data). This does not happen in TLSv1.3 because
7353 * it is not valid to send empty ticket data in TLSv1.3.
7355 if (!TEST_int_eq(gen_tick_called, 1)
7356 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
7359 gen_tick_called = dec_tick_called = 0;
7361 clntsess = SSL_get1_session(clientssl);
7362 SSL_shutdown(clientssl);
7363 SSL_shutdown(serverssl);
7364 SSL_free(serverssl);
7365 SSL_free(clientssl);
7366 serverssl = clientssl = NULL;
7368 /* Now do a resumption */
7369 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7371 || !TEST_true(SSL_set_session(clientssl, clntsess))
7372 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7376 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
7377 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
7378 if (!TEST_false(SSL_session_reused(clientssl)))
7381 if (!TEST_true(SSL_session_reused(clientssl)))
7385 if (!TEST_int_eq(gen_tick_called,
7387 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
7388 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
7390 || !TEST_int_eq(dec_tick_called, 1))
7396 SSL_SESSION_free(clntsess);
7397 SSL_free(serverssl);
7398 SSL_free(clientssl);
7406 * Test incorrect shutdown.
7407 * Test 0: client does not shutdown properly,
7408 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
7409 * server should get SSL_ERROR_SSL
7410 * Test 1: client does not shutdown properly,
7411 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
7412 * server should get SSL_ERROR_ZERO_RETURN
7414 static int test_incorrect_shutdown(int tst)
7416 SSL_CTX *cctx = NULL, *sctx = NULL;
7417 SSL *clientssl = NULL, *serverssl = NULL;
7422 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7423 TLS_client_method(), 0, 0,
7424 &sctx, &cctx, cert, privkey)))
7428 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
7430 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7434 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7438 c2s = SSL_get_rbio(serverssl);
7439 BIO_set_mem_eof_return(c2s, 0);
7441 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
7444 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
7446 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
7452 SSL_free(serverssl);
7453 SSL_free(clientssl);
7461 * Test bi-directional shutdown.
7463 * Test 1: TLSv1.2, server continues to read/write after client shutdown
7464 * Test 2: TLSv1.3, no pending NewSessionTicket messages
7465 * Test 3: TLSv1.3, pending NewSessionTicket messages
7466 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
7467 * sends key update, client reads it
7468 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
7469 * sends CertificateRequest, client reads and ignores it
7470 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
7473 static int test_shutdown(int tst)
7475 SSL_CTX *cctx = NULL, *sctx = NULL;
7476 SSL *clientssl = NULL, *serverssl = NULL;
7478 char msg[] = "A test message";
7480 size_t written, readbytes;
7483 #ifdef OPENSSL_NO_TLS1_2
7487 #ifdef OSSL_NO_USABLE_TLS1_3
7492 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7493 TLS_client_method(),
7495 (tst <= 1) ? TLS1_2_VERSION
7497 &sctx, &cctx, cert, privkey)))
7501 SSL_CTX_set_post_handshake_auth(cctx, 1);
7503 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7508 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
7510 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7511 || !TEST_false(SSL_SESSION_is_resumable(sess)))
7513 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7515 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7516 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
7520 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
7525 * Reading on the server after the client has sent close_notify should
7526 * fail and provide SSL_ERROR_ZERO_RETURN
7528 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
7529 || !TEST_int_eq(SSL_get_error(serverssl, 0),
7530 SSL_ERROR_ZERO_RETURN)
7531 || !TEST_int_eq(SSL_get_shutdown(serverssl),
7532 SSL_RECEIVED_SHUTDOWN)
7534 * Even though we're shutdown on receive we should still be
7537 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7540 && !TEST_true(SSL_key_update(serverssl,
7541 SSL_KEY_UPDATE_REQUESTED)))
7544 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7545 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7548 if ((tst == 4 || tst == 5)
7549 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7551 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
7553 if (tst == 4 || tst == 5) {
7554 /* Should still be able to read data from server */
7555 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7557 || !TEST_size_t_eq(readbytes, sizeof(msg))
7558 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
7559 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7561 || !TEST_size_t_eq(readbytes, sizeof(msg))
7562 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
7567 /* Writing on the client after sending close_notify shouldn't be possible */
7568 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
7573 * For these tests the client has sent close_notify but it has not yet
7574 * been received by the server. The server has not sent close_notify
7577 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
7579 * Writing on the server after sending close_notify shouldn't
7582 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7583 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
7584 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7585 || !TEST_true(SSL_SESSION_is_resumable(sess))
7586 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
7588 } else if (tst == 4 || tst == 5) {
7590 * In this test the client has sent close_notify and it has been
7591 * received by the server which has responded with a close_notify. The
7592 * client needs to read the close_notify sent by the server.
7594 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
7595 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7596 || !TEST_true(SSL_SESSION_is_resumable(sess)))
7602 * The client has sent close_notify and is expecting a close_notify
7603 * back, but instead there is application data first. The shutdown
7604 * should fail with a fatal error.
7606 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
7607 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
7614 SSL_free(serverssl);
7615 SSL_free(clientssl);
7622 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
7623 static int cert_cb_cnt;
7625 static int cert_cb(SSL *s, void *arg)
7627 SSL_CTX *ctx = (SSL_CTX *)arg;
7629 EVP_PKEY *pkey = NULL;
7630 X509 *x509 = NULL, *rootx = NULL;
7631 STACK_OF(X509) *chain = NULL;
7632 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
7635 if (cert_cb_cnt == 0) {
7636 /* Suspend the handshake */
7639 } else if (cert_cb_cnt == 1) {
7641 * Update the SSL_CTX, set the certificate and private key and then
7642 * continue the handshake normally.
7644 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
7647 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
7648 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
7650 || !TEST_true(SSL_check_private_key(s)))
7654 } else if (cert_cb_cnt == 3) {
7657 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
7658 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
7659 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
7660 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
7662 chain = sk_X509_new_null();
7663 if (!TEST_ptr(chain))
7665 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7666 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
7667 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
7668 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
7669 || !TEST_true(sk_X509_push(chain, rootx)))
7673 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7674 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
7675 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
7676 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
7679 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7680 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
7681 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
7685 rv = SSL_check_chain(s, x509, pkey, chain);
7687 * If the cert doesn't show as valid here (e.g., because we don't
7688 * have any shared sigalgs), then we will not set it, and there will
7689 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
7690 * will cause tls_choose_sigalgs() to fail the connection.
7692 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
7693 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
7694 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
7701 /* Abort the handshake */
7703 OPENSSL_free(ecdsacert);
7704 OPENSSL_free(ecdsakey);
7705 OPENSSL_free(rootfile);
7707 EVP_PKEY_free(pkey);
7710 sk_X509_pop_free(chain, X509_free);
7715 * Test the certificate callback.
7716 * Test 0: Callback fails
7717 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
7718 * Test 2: Success - SSL_set_SSL_CTX() in the callback
7719 * Test 3: Success - Call SSL_check_chain from the callback
7720 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
7722 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
7724 static int test_cert_cb_int(int prot, int tst)
7726 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
7727 SSL *clientssl = NULL, *serverssl = NULL;
7728 int testresult = 0, ret;
7730 #ifdef OPENSSL_NO_EC
7731 /* We use an EC cert in these tests, so we skip in a no-ec build */
7736 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7737 TLS_client_method(),
7740 &sctx, &cctx, NULL, NULL)))
7751 snictx = SSL_CTX_new(TLS_server_method());
7752 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
7754 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7760 * We cause SSL_check_chain() to fail by specifying sig_algs that
7761 * the chain doesn't meet (the root uses an RSA cert)
7763 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7764 "ecdsa_secp256r1_sha256")))
7766 } else if (tst == 5) {
7768 * We cause SSL_check_chain() to fail by specifying sig_algs that
7769 * the ee cert doesn't meet (the ee uses an ECDSA cert)
7771 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7772 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
7776 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7777 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
7779 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
7786 SSL_free(serverssl);
7787 SSL_free(clientssl);
7790 SSL_CTX_free(snictx);
7796 static int test_cert_cb(int tst)
7800 #ifndef OPENSSL_NO_TLS1_2
7801 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
7803 #ifndef OSSL_NO_USABLE_TLS1_3
7804 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
7810 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
7815 BIO *priv_in = NULL;
7817 /* Check that SSL_get0_peer_certificate() returns something sensible */
7818 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
7821 in = BIO_new_file(cert, "r");
7825 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
7826 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
7827 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
7828 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
7846 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
7851 static int test_client_cert_cb(int tst)
7853 SSL_CTX *cctx = NULL, *sctx = NULL;
7854 SSL *clientssl = NULL, *serverssl = NULL;
7857 #ifdef OPENSSL_NO_TLS1_2
7861 #ifdef OSSL_NO_USABLE_TLS1_3
7866 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7867 TLS_client_method(),
7869 tst == 0 ? TLS1_2_VERSION
7871 &sctx, &cctx, cert, privkey)))
7875 * Test that setting a client_cert_cb results in a client certificate being
7878 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
7879 SSL_CTX_set_verify(sctx,
7880 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
7883 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7885 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7892 SSL_free(serverssl);
7893 SSL_free(clientssl);
7900 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
7902 * Test setting certificate authorities on both client and server.
7904 * Test 0: SSL_CTX_set0_CA_list() only
7905 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
7906 * Test 2: Only SSL_CTX_set_client_CA_list()
7908 static int test_ca_names_int(int prot, int tst)
7910 SSL_CTX *cctx = NULL, *sctx = NULL;
7911 SSL *clientssl = NULL, *serverssl = NULL;
7914 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
7915 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
7916 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
7917 const STACK_OF(X509_NAME) *sktmp = NULL;
7919 for (i = 0; i < OSSL_NELEM(name); i++) {
7920 name[i] = X509_NAME_new();
7921 if (!TEST_ptr(name[i])
7922 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
7930 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7931 TLS_client_method(),
7934 &sctx, &cctx, cert, privkey)))
7937 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
7939 if (tst == 0 || tst == 1) {
7940 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7941 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
7942 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
7943 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7944 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
7945 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
7948 SSL_CTX_set0_CA_list(sctx, sk1);
7949 SSL_CTX_set0_CA_list(cctx, sk2);
7952 if (tst == 1 || tst == 2) {
7953 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7954 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
7955 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
7956 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7957 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
7958 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
7961 SSL_CTX_set_client_CA_list(sctx, sk1);
7962 SSL_CTX_set_client_CA_list(cctx, sk2);
7966 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7968 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7973 * We only expect certificate authorities to have been sent to the server
7974 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
7976 sktmp = SSL_get0_peer_CA_list(serverssl);
7977 if (prot == TLS1_3_VERSION
7978 && (tst == 0 || tst == 1)) {
7979 if (!TEST_ptr(sktmp)
7980 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7981 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7983 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7986 } else if (!TEST_ptr_null(sktmp)) {
7991 * In all tests we expect certificate authorities to have been sent to the
7992 * client. However, SSL_set_client_CA_list() should override
7993 * SSL_set0_CA_list()
7995 sktmp = SSL_get0_peer_CA_list(clientssl);
7996 if (!TEST_ptr(sktmp)
7997 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7998 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7999 name[tst == 0 ? 0 : 2]), 0)
8000 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8001 name[tst == 0 ? 1 : 3]), 0))
8007 SSL_free(serverssl);
8008 SSL_free(clientssl);
8011 for (i = 0; i < OSSL_NELEM(name); i++)
8012 X509_NAME_free(name[i]);
8013 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
8014 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
8020 static int test_ca_names(int tst)
8024 #ifndef OPENSSL_NO_TLS1_2
8025 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
8027 #ifndef OSSL_NO_USABLE_TLS1_3
8028 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
8034 #ifndef OPENSSL_NO_TLS1_2
8035 static const char *multiblock_cipherlist_data[]=
8043 /* Reduce the fragment size - so the multiblock test buffer can be small */
8044 # define MULTIBLOCK_FRAGSIZE 512
8046 static int test_multiblock_write(int test_index)
8048 static const char *fetchable_ciphers[]=
8050 "AES-128-CBC-HMAC-SHA1",
8051 "AES-128-CBC-HMAC-SHA256",
8052 "AES-256-CBC-HMAC-SHA1",
8053 "AES-256-CBC-HMAC-SHA256"
8055 const char *cipherlist = multiblock_cipherlist_data[test_index];
8056 const SSL_METHOD *smeth = TLS_server_method();
8057 const SSL_METHOD *cmeth = TLS_client_method();
8058 int min_version = TLS1_VERSION;
8059 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
8060 SSL_CTX *cctx = NULL, *sctx = NULL;
8061 SSL *clientssl = NULL, *serverssl = NULL;
8065 * Choose a buffer large enough to perform a multi-block operation
8066 * i.e: write_len >= 4 * frag_size
8067 * 9 * is chosen so that multiple multiblocks are used + some leftover.
8069 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
8070 unsigned char buf[sizeof(msg)], *p = buf;
8071 size_t readbytes, written, len;
8072 EVP_CIPHER *ciph = NULL;
8075 * Check if the cipher exists before attempting to use it since it only has
8076 * a hardware specific implementation.
8078 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
8080 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
8083 EVP_CIPHER_free(ciph);
8085 /* Set up a buffer with some data that will be sent to the client */
8086 RAND_bytes(msg, sizeof(msg));
8088 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
8089 max_version, &sctx, &cctx, cert,
8093 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
8096 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8100 /* settings to force it to use AES-CBC-HMAC_SHA */
8101 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
8102 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
8105 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8108 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8109 || !TEST_size_t_eq(written, sizeof(msg)))
8114 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
8119 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
8124 SSL_free(serverssl);
8125 SSL_free(clientssl);
8131 #endif /* OPENSSL_NO_TLS1_2 */
8134 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
8135 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
8136 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
8137 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
8138 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
8139 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
8140 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
8141 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
8142 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
8143 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
8145 static int test_servername(int tst)
8147 SSL_CTX *cctx = NULL, *sctx = NULL;
8148 SSL *clientssl = NULL, *serverssl = NULL;
8150 SSL_SESSION *sess = NULL;
8151 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
8153 #ifdef OPENSSL_NO_TLS1_2
8157 #ifdef OSSL_NO_USABLE_TLS1_3
8162 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8163 TLS_client_method(),
8165 (tst <= 4) ? TLS1_2_VERSION
8167 &sctx, &cctx, cert, privkey))
8168 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8172 if (tst != 1 && tst != 6) {
8173 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
8178 if (tst != 3 && tst != 8) {
8179 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
8181 sexpectedhost = cexpectedhost = "goodhost";
8184 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8187 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
8189 || !TEST_str_eq(SSL_get_servername(serverssl,
8190 TLSEXT_NAMETYPE_host_name),
8194 /* Now repeat with a resumption handshake */
8196 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
8197 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
8198 || !TEST_true(SSL_SESSION_is_resumable(sess))
8199 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
8202 SSL_free(clientssl);
8203 SSL_free(serverssl);
8204 clientssl = serverssl = NULL;
8206 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8210 if (!TEST_true(SSL_set_session(clientssl, sess)))
8213 sexpectedhost = cexpectedhost = "goodhost";
8214 if (tst == 2 || tst == 7) {
8215 /* Set an inconsistent hostname */
8216 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
8219 * In TLSv1.2 we expect the hostname from the original handshake, in
8220 * TLSv1.3 we expect the hostname from this handshake
8223 sexpectedhost = cexpectedhost = "altgoodhost";
8225 if (!TEST_str_eq(SSL_get_servername(clientssl,
8226 TLSEXT_NAMETYPE_host_name),
8229 } else if (tst == 4 || tst == 9) {
8231 * A TLSv1.3 session does not associate a session with a servername,
8232 * but a TLSv1.2 session does.
8235 sexpectedhost = cexpectedhost = NULL;
8237 if (!TEST_str_eq(SSL_get_servername(clientssl,
8238 TLSEXT_NAMETYPE_host_name),
8242 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
8245 * In a TLSv1.2 resumption where the hostname was not acknowledged
8246 * we expect the hostname on the server to be empty. On the client we
8247 * return what was requested in this case.
8249 * Similarly if the client didn't set a hostname on an original TLSv1.2
8250 * session but is now, the server hostname will be empty, but the client
8253 if (tst == 1 || tst == 3)
8254 sexpectedhost = NULL;
8256 if (!TEST_str_eq(SSL_get_servername(clientssl,
8257 TLSEXT_NAMETYPE_host_name),
8262 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8265 if (!TEST_true(SSL_session_reused(clientssl))
8266 || !TEST_true(SSL_session_reused(serverssl))
8267 || !TEST_str_eq(SSL_get_servername(clientssl,
8268 TLSEXT_NAMETYPE_host_name),
8270 || !TEST_str_eq(SSL_get_servername(serverssl,
8271 TLSEXT_NAMETYPE_host_name),
8278 SSL_SESSION_free(sess);
8279 SSL_free(serverssl);
8280 SSL_free(clientssl);
8287 #if !defined(OPENSSL_NO_EC) \
8288 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
8290 * Test that if signature algorithms are not available, then we do not offer or
8292 * Test 0: Two RSA sig algs available: both RSA sig algs shared
8293 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
8294 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
8295 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
8296 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
8297 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
8299 static int test_sigalgs_available(int idx)
8301 SSL_CTX *cctx = NULL, *sctx = NULL;
8302 SSL *clientssl = NULL, *serverssl = NULL;
8304 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
8305 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
8306 OSSL_PROVIDER *filterprov = NULL;
8309 if (!TEST_ptr(tmpctx))
8312 if (idx != 0 && idx != 3) {
8313 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
8314 filter_provider_init)))
8317 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
8318 if (!TEST_ptr(filterprov))
8323 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
8324 * or accepted for the peer that uses this libctx. Note that libssl
8325 * *requires* SHA2-256 to be available so we cannot disable that. We
8326 * also need SHA1 for our certificate.
8328 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
8332 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
8334 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
8339 if (idx == 1 || idx == 4)
8345 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
8346 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
8347 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
8351 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8352 TLS_client_method(),
8355 &sctx, &cctx, cert, privkey)))
8358 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8359 TLS_client_method(),
8362 &sctx, &cctx, cert2, privkey2)))
8366 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
8368 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8369 "ECDHE-RSA-AES128-GCM-SHA256")))
8372 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8373 "ECDHE-ECDSA-AES128-GCM-SHA256")))
8378 if (!SSL_CTX_set1_sigalgs_list(cctx,
8379 "rsa_pss_rsae_sha384"
8380 ":rsa_pss_rsae_sha256")
8381 || !SSL_CTX_set1_sigalgs_list(sctx,
8382 "rsa_pss_rsae_sha384"
8383 ":rsa_pss_rsae_sha256"))
8386 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
8387 || !SSL_CTX_set1_sigalgs_list(sctx,
8388 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
8393 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
8394 SSL_FILETYPE_PEM), 1)
8395 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
8397 SSL_FILETYPE_PEM), 1)
8398 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
8401 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8405 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8408 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
8409 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
8411 (idx == 0 || idx == 3) ? 2 : 1))
8414 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
8417 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
8421 testresult = filter_provider_check_clean_finish();
8424 SSL_free(serverssl);
8425 SSL_free(clientssl);
8428 OSSL_PROVIDER_unload(filterprov);
8429 OSSL_LIB_CTX_free(tmpctx);
8434 * !defined(OPENSSL_NO_EC) \
8435 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
8438 #ifndef OPENSSL_NO_TLS1_3
8439 /* This test can run in TLSv1.3 even if ec and dh are disabled */
8440 static int test_pluggable_group(int idx)
8442 SSL_CTX *cctx = NULL, *sctx = NULL;
8443 SSL *clientssl = NULL, *serverssl = NULL;
8445 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
8446 /* Check that we are not impacted by a provider without any groups */
8447 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
8448 const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
8450 if (!TEST_ptr(tlsprov))
8453 if (legacyprov == NULL) {
8455 * In this case we assume we've been built with "no-legacy" and skip
8456 * this test (there is no OPENSSL_NO_LEGACY)
8462 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8463 TLS_client_method(),
8466 &sctx, &cctx, cert, privkey))
8467 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8471 if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
8472 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
8475 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8478 if (!TEST_str_eq(group_name,
8479 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
8485 SSL_free(serverssl);
8486 SSL_free(clientssl);
8489 OSSL_PROVIDER_unload(tlsprov);
8490 OSSL_PROVIDER_unload(legacyprov);
8496 #ifndef OPENSSL_NO_TLS1_2
8497 static int test_ssl_dup(void)
8499 SSL_CTX *cctx = NULL, *sctx = NULL;
8500 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
8502 BIO *rbio = NULL, *wbio = NULL;
8504 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8505 TLS_client_method(),
8508 &sctx, &cctx, cert, privkey)))
8511 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8515 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
8516 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
8519 client2ssl = SSL_dup(clientssl);
8520 rbio = SSL_get_rbio(clientssl);
8522 || !TEST_true(BIO_up_ref(rbio)))
8524 SSL_set0_rbio(client2ssl, rbio);
8527 wbio = SSL_get_wbio(clientssl);
8528 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
8530 SSL_set0_wbio(client2ssl, wbio);
8533 if (!TEST_ptr(client2ssl)
8534 /* Handshake not started so pointers should be different */
8535 || !TEST_ptr_ne(clientssl, client2ssl))
8538 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
8539 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
8542 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
8545 SSL_free(clientssl);
8546 clientssl = SSL_dup(client2ssl);
8547 if (!TEST_ptr(clientssl)
8548 /* Handshake has finished so pointers should be the same */
8549 || !TEST_ptr_eq(clientssl, client2ssl))
8555 SSL_free(serverssl);
8556 SSL_free(clientssl);
8557 SSL_free(client2ssl);
8564 # ifndef OPENSSL_NO_DH
8566 static EVP_PKEY *tmp_dh_params = NULL;
8568 /* Helper function for the test_set_tmp_dh() tests */
8569 static EVP_PKEY *get_tmp_dh_params(void)
8571 if (tmp_dh_params == NULL) {
8573 OSSL_PARAM_BLD *tmpl = NULL;
8574 EVP_PKEY_CTX *pctx = NULL;
8575 OSSL_PARAM *params = NULL;
8576 EVP_PKEY *dhpkey = NULL;
8578 p = BN_get_rfc3526_prime_2048(NULL);
8582 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
8584 || !TEST_true(EVP_PKEY_fromdata_init(pctx)))
8587 tmpl = OSSL_PARAM_BLD_new();
8589 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
8590 OSSL_PKEY_PARAM_FFC_P,
8592 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
8593 OSSL_PKEY_PARAM_FFC_G,
8597 params = OSSL_PARAM_BLD_to_param(tmpl);
8598 if (!TEST_ptr(params)
8599 || !TEST_true(EVP_PKEY_fromdata(pctx, &dhpkey,
8600 EVP_PKEY_KEY_PARAMETERS, params)))
8603 tmp_dh_params = dhpkey;
8606 EVP_PKEY_CTX_free(pctx);
8607 OSSL_PARAM_BLD_free(tmpl);
8608 OSSL_PARAM_free(params);
8611 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
8614 return tmp_dh_params;
8617 # ifndef OPENSSL_NO_DEPRECATED_3_0
8618 /* Callback used by test_set_tmp_dh() */
8619 static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
8621 EVP_PKEY *dhpkey = get_tmp_dh_params();
8624 if (!TEST_ptr(dhpkey))
8628 * libssl does not free the returned DH, so we free it now knowing that even
8629 * after we free dhpkey, there will still be a reference to the owning
8630 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
8631 * of time we need it for.
8633 ret = EVP_PKEY_get1_DH(dhpkey);
8636 EVP_PKEY_free(dhpkey);
8643 * Test the various methods for setting temporary DH parameters
8645 * Test 0: Default (no auto) setting
8646 * Test 1: Explicit SSL_CTX auto off
8647 * Test 2: Explicit SSL auto off
8648 * Test 3: Explicit SSL_CTX auto on
8649 * Test 4: Explicit SSL auto on
8650 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
8651 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
8653 * The following are testing deprecated APIs, so we only run them if available
8654 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
8655 * Test 8: Explicit SSL auto off, custom DH params via DH
8656 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
8657 * Test 10: Explicit SSL auto off, custom DH params via callback
8659 static int test_set_tmp_dh(int idx)
8661 SSL_CTX *cctx = NULL, *sctx = NULL;
8662 SSL *clientssl = NULL, *serverssl = NULL;
8664 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
8665 int expected = (idx <= 2) ? 0 : 1;
8666 EVP_PKEY *dhpkey = NULL;
8667 # ifndef OPENSSL_NO_DEPRECATED_3_0
8675 if (idx >= 5 && idx <= 8) {
8676 dhpkey = get_tmp_dh_params();
8677 if (!TEST_ptr(dhpkey))
8680 # ifndef OPENSSL_NO_DEPRECATED_3_0
8681 if (idx == 7 || idx == 8) {
8682 dh = EVP_PKEY_get1_DH(dhpkey);
8688 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8689 TLS_client_method(),
8692 &sctx, &cctx, cert, privkey)))
8695 if ((idx & 1) == 1) {
8696 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
8701 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
8705 # ifndef OPENSSL_NO_DEPRECATED_3_0
8706 else if (idx == 7) {
8707 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
8709 } else if (idx == 9) {
8710 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
8714 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8718 if ((idx & 1) == 0 && idx != 0) {
8719 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
8723 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
8727 # ifndef OPENSSL_NO_DEPRECATED_3_0
8728 else if (idx == 8) {
8729 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
8731 } else if (idx == 10) {
8732 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
8736 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
8737 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
8738 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
8742 * If autoon then we should succeed. Otherwise we expect failure because
8743 * there are no parameters
8745 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
8746 SSL_ERROR_NONE), expected))
8752 # ifndef OPENSSL_NO_DEPRECATED_3_0
8755 SSL_free(serverssl);
8756 SSL_free(clientssl);
8759 EVP_PKEY_free(dhpkey);
8765 * Test the auto DH keys are appropriately sized
8767 static int test_dh_auto(int idx)
8769 SSL_CTX *cctx = NULL, *sctx = NULL;
8770 SSL *clientssl = NULL, *serverssl = NULL;
8772 EVP_PKEY *tmpkey = NULL;
8773 char *thiscert = NULL, *thiskey = NULL;
8774 size_t expdhsize = 0;
8775 const char *ciphersuite = "DHE-RSA-AES128-SHA";
8779 /* The FIPS provider doesn't support this DH size - so we ignore it */
8782 thiscert = cert1024;
8783 thiskey = privkey1024;
8787 /* 2048 bit prime */
8793 thiscert = cert3072;
8794 thiskey = privkey3072;
8798 thiscert = cert4096;
8799 thiskey = privkey4096;
8803 thiscert = cert8192;
8804 thiskey = privkey8192;
8807 /* No certificate cases */
8809 /* The FIPS provider doesn't support this DH size - so we ignore it */
8812 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
8816 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
8820 TEST_error("Invalid text index");
8824 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8825 TLS_client_method(),
8828 &sctx, &cctx, thiscert, thiskey)))
8831 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8835 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
8836 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
8837 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
8838 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
8839 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
8843 * Send the server's first flight. At this point the server has created the
8844 * temporary DH key but hasn't finished using it yet. Once used it is
8845 * removed, so we cannot test it.
8847 if (!TEST_int_le(SSL_connect(clientssl), 0)
8848 || !TEST_int_le(SSL_accept(serverssl), 0))
8851 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
8853 if (!TEST_size_t_eq(EVP_PKEY_bits(tmpkey), expdhsize))
8856 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8862 SSL_free(serverssl);
8863 SSL_free(clientssl);
8866 EVP_PKEY_free(tmpkey);
8871 # endif /* OPENSSL_NO_DH */
8872 #endif /* OPENSSL_NO_TLS1_2 */
8874 #ifndef OSSL_NO_USABLE_TLS1_3
8876 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
8877 * that it works even without a certificate configured for the original
8880 static int test_sni_tls13(void)
8882 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
8883 SSL *clientssl = NULL, *serverssl = NULL;
8886 /* Reset callback counter */
8889 /* Create an initial SSL_CTX with no certificate configured */
8890 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
8891 if (!TEST_ptr(sctx))
8893 /* Require TLSv1.3 as a minimum */
8894 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8895 TLS_client_method(), TLS1_3_VERSION, 0,
8896 &sctx2, &cctx, cert, privkey)))
8900 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
8901 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
8905 * Connection should still succeed because the final SSL_CTX has the right
8906 * certificates configured.
8908 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
8909 &clientssl, NULL, NULL))
8910 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8914 /* We should have had the SNI callback called exactly once */
8915 if (!TEST_int_eq(snicb, 1))
8921 SSL_free(serverssl);
8922 SSL_free(clientssl);
8923 SSL_CTX_free(sctx2);
8930 * Test that setting an ALPN does not violate RFC
8932 static int test_set_alpn(void)
8934 SSL_CTX *ctx = NULL;
8938 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
8939 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
8940 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
8941 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
8942 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
8943 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
8945 /* Create an initial SSL_CTX with no certificate configured */
8946 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
8950 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
8951 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
8953 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
8955 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
8957 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
8959 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
8961 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
8963 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
8965 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
8967 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
8974 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
8976 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
8978 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
8980 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
8982 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
8984 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
8986 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
8988 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
8990 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
9001 static int test_inherit_verify_param(void)
9005 SSL_CTX *ctx = NULL;
9006 X509_VERIFY_PARAM *cp = NULL;
9008 X509_VERIFY_PARAM *sp = NULL;
9009 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
9011 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9015 cp = SSL_CTX_get0_param(ctx);
9018 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
9021 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
9027 sp = SSL_get0_param(ssl);
9030 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
9042 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
9044 int setup_tests(void)
9049 libctx = OSSL_LIB_CTX_new();
9050 if (!TEST_ptr(libctx))
9053 defctxnull = OSSL_PROVIDER_load(NULL, "null");
9056 * Verify that the default and fips providers in the default libctx are not
9059 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
9060 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
9063 if (!test_skip_common_options()) {
9064 TEST_error("Error parsing test options\n");
9068 if (!TEST_ptr(certsdir = test_get_argument(0))
9069 || !TEST_ptr(srpvfile = test_get_argument(1))
9070 || !TEST_ptr(tmpfilename = test_get_argument(2))
9071 || !TEST_ptr(modulename = test_get_argument(3))
9072 || !TEST_ptr(configfile = test_get_argument(4)))
9075 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
9078 /* Check we have the expected provider available */
9079 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
9082 /* Check the default provider is not available */
9083 if (strcmp(modulename, "default") != 0
9084 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
9087 if (strcmp(modulename, "fips") == 0)
9091 * We add, but don't load the test "tls-provider". We'll load it when we
9094 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
9095 tls_provider_init)))
9099 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
9100 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
9101 TEST_error("not supported in this build");
9104 int i, mcount, rcount, fcount;
9106 for (i = 0; i < 4; i++)
9107 test_export_key_mat(i);
9108 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
9109 test_printf_stdout("malloc %d realloc %d free %d\n",
9110 mcount, rcount, fcount);
9115 cert = test_mk_file_path(certsdir, "servercert.pem");
9119 privkey = test_mk_file_path(certsdir, "serverkey.pem");
9120 if (privkey == NULL)
9123 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
9127 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
9128 if (privkey2 == NULL)
9131 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
9132 if (cert1024 == NULL)
9135 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
9136 if (privkey1024 == NULL)
9139 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
9140 if (cert3072 == NULL)
9143 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
9144 if (privkey3072 == NULL)
9147 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
9148 if (cert4096 == NULL)
9151 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
9152 if (privkey4096 == NULL)
9155 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
9156 if (cert8192 == NULL)
9159 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
9160 if (privkey8192 == NULL)
9163 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
9164 # if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
9165 ADD_ALL_TESTS(test_ktls, 8);
9166 ADD_ALL_TESTS(test_ktls_sendfile_anytls, 6);
9169 ADD_TEST(test_large_message_tls);
9170 ADD_TEST(test_large_message_tls_read_ahead);
9171 #ifndef OPENSSL_NO_DTLS
9172 ADD_TEST(test_large_message_dtls);
9174 ADD_TEST(test_cleanse_plaintext);
9175 #ifndef OPENSSL_NO_OCSP
9176 ADD_TEST(test_tlsext_status_type);
9178 ADD_TEST(test_session_with_only_int_cache);
9179 ADD_TEST(test_session_with_only_ext_cache);
9180 ADD_TEST(test_session_with_both_cache);
9181 ADD_TEST(test_session_wo_ca_names);
9182 #ifndef OSSL_NO_USABLE_TLS1_3
9183 ADD_ALL_TESTS(test_stateful_tickets, 3);
9184 ADD_ALL_TESTS(test_stateless_tickets, 3);
9185 ADD_TEST(test_psk_tickets);
9186 ADD_ALL_TESTS(test_extra_tickets, 6);
9188 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9189 ADD_TEST(test_ssl_bio_pop_next_bio);
9190 ADD_TEST(test_ssl_bio_pop_ssl_bio);
9191 ADD_TEST(test_ssl_bio_change_rbio);
9192 ADD_TEST(test_ssl_bio_change_wbio);
9193 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
9194 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
9195 ADD_TEST(test_keylog);
9197 #ifndef OSSL_NO_USABLE_TLS1_3
9198 ADD_TEST(test_keylog_no_master_key);
9200 ADD_TEST(test_client_cert_verify_cb);
9201 ADD_TEST(test_ssl_build_cert_chain);
9202 ADD_TEST(test_ssl_ctx_build_cert_chain);
9203 #ifndef OPENSSL_NO_TLS1_2
9204 ADD_TEST(test_client_hello_cb);
9205 ADD_TEST(test_no_ems);
9206 ADD_TEST(test_ccs_change_cipher);
9208 #ifndef OSSL_NO_USABLE_TLS1_3
9209 ADD_ALL_TESTS(test_early_data_read_write, 3);
9211 * We don't do replay tests for external PSK. Replay protection isn't used
9214 ADD_ALL_TESTS(test_early_data_replay, 2);
9215 ADD_ALL_TESTS(test_early_data_skip, 3);
9216 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
9217 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
9218 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
9219 ADD_ALL_TESTS(test_early_data_not_sent, 3);
9220 ADD_ALL_TESTS(test_early_data_psk, 8);
9221 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
9222 ADD_ALL_TESTS(test_early_data_not_expected, 3);
9223 # ifndef OPENSSL_NO_TLS1_2
9224 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
9227 #ifndef OSSL_NO_USABLE_TLS1_3
9228 ADD_ALL_TESTS(test_set_ciphersuite, 10);
9229 ADD_TEST(test_ciphersuite_change);
9230 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
9231 # ifdef OPENSSL_NO_PSK
9232 ADD_ALL_TESTS(test_tls13_psk, 1);
9234 ADD_ALL_TESTS(test_tls13_psk, 4);
9235 # endif /* OPENSSL_NO_PSK */
9236 # ifndef OPENSSL_NO_TLS1_2
9237 /* Test with both TLSv1.3 and 1.2 versions */
9238 ADD_ALL_TESTS(test_key_exchange, 14);
9239 # if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
9240 ADD_ALL_TESTS(test_negotiated_group,
9241 4 * (OSSL_NELEM(ecdhe_kexch_groups)
9242 + OSSL_NELEM(ffdhe_kexch_groups)));
9245 /* Test with only TLSv1.3 versions */
9246 ADD_ALL_TESTS(test_key_exchange, 12);
9248 ADD_ALL_TESTS(test_custom_exts, 5);
9249 ADD_TEST(test_stateless);
9250 ADD_TEST(test_pha_key_update);
9252 ADD_ALL_TESTS(test_custom_exts, 3);
9254 ADD_ALL_TESTS(test_serverinfo, 8);
9255 ADD_ALL_TESTS(test_export_key_mat, 6);
9256 #ifndef OSSL_NO_USABLE_TLS1_3
9257 ADD_ALL_TESTS(test_export_key_mat_early, 3);
9258 ADD_TEST(test_key_update);
9259 ADD_ALL_TESTS(test_key_update_in_write, 2);
9261 ADD_ALL_TESTS(test_ssl_clear, 2);
9262 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
9263 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
9264 ADD_ALL_TESTS(test_srp, 6);
9266 ADD_ALL_TESTS(test_info_callback, 6);
9267 ADD_ALL_TESTS(test_ssl_pending, 2);
9268 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
9269 ADD_ALL_TESTS(test_ticket_callbacks, 16);
9270 ADD_ALL_TESTS(test_shutdown, 7);
9271 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
9272 ADD_ALL_TESTS(test_cert_cb, 6);
9273 ADD_ALL_TESTS(test_client_cert_cb, 2);
9274 ADD_ALL_TESTS(test_ca_names, 3);
9275 #ifndef OPENSSL_NO_TLS1_2
9276 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
9278 ADD_ALL_TESTS(test_servername, 10);
9279 #if !defined(OPENSSL_NO_EC) \
9280 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9281 ADD_ALL_TESTS(test_sigalgs_available, 6);
9283 #ifndef OPENSSL_NO_TLS1_3
9284 ADD_ALL_TESTS(test_pluggable_group, 2);
9286 #ifndef OPENSSL_NO_TLS1_2
9287 ADD_TEST(test_ssl_dup);
9288 # ifndef OPENSSL_NO_DH
9289 ADD_ALL_TESTS(test_set_tmp_dh, 11);
9290 ADD_ALL_TESTS(test_dh_auto, 7);
9293 #ifndef OSSL_NO_USABLE_TLS1_3
9294 ADD_TEST(test_sni_tls13);
9296 ADD_TEST(test_inherit_verify_param);
9297 ADD_TEST(test_set_alpn);
9302 OPENSSL_free(privkey);
9303 OPENSSL_free(cert2);
9304 OPENSSL_free(privkey2);
9308 void cleanup_tests(void)
9310 # if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
9311 EVP_PKEY_free(tmp_dh_params);
9314 OPENSSL_free(privkey);
9315 OPENSSL_free(cert2);
9316 OPENSSL_free(privkey2);
9317 OPENSSL_free(cert1024);
9318 OPENSSL_free(privkey1024);
9319 OPENSSL_free(cert3072);
9320 OPENSSL_free(privkey3072);
9321 OPENSSL_free(cert4096);
9322 OPENSSL_free(privkey4096);
9323 OPENSSL_free(cert8192);
9324 OPENSSL_free(privkey8192);
9325 bio_s_mempacket_test_free();
9326 bio_s_always_retry_free();
9327 OSSL_PROVIDER_unload(defctxnull);
9328 OSSL_LIB_CTX_free(libctx);