2 * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/core_dispatch.h>
32 #include <openssl/provider.h>
33 #include <openssl/param_build.h>
34 #include <openssl/x509v3.h>
35 #include <openssl/dh.h>
36 #include <openssl/engine.h>
38 #include "helpers/ssltestlib.h"
40 #include "testutil/output.h"
41 #include "internal/nelem.h"
42 #include "internal/tlsgroups.h"
43 #include "internal/ktls.h"
44 #include "../ssl/ssl_local.h"
45 #include "../ssl/record/methods/recmethod_local.h"
46 #include "filterprov.h"
48 #undef OSSL_NO_USABLE_TLS1_3
49 #if defined(OPENSSL_NO_TLS1_3) \
50 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
52 * If we don't have ec or dh then there are no built-in groups that are usable
55 # define OSSL_NO_USABLE_TLS1_3
58 /* Defined in tls-provider.c */
59 int tls_provider_init(const OSSL_CORE_HANDLE *handle,
60 const OSSL_DISPATCH *in,
61 const OSSL_DISPATCH **out,
64 static OSSL_LIB_CTX *libctx = NULL;
65 static OSSL_PROVIDER *defctxnull = NULL;
67 #ifndef OSSL_NO_USABLE_TLS1_3
69 static SSL_SESSION *clientpsk = NULL;
70 static SSL_SESSION *serverpsk = NULL;
71 static const char *pskid = "Identity";
72 static const char *srvid;
74 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
75 size_t *idlen, SSL_SESSION **sess);
76 static int find_session_cb(SSL *ssl, const unsigned char *identity,
77 size_t identity_len, SSL_SESSION **sess);
79 static int use_session_cb_cnt = 0;
80 static int find_session_cb_cnt = 0;
83 static char *certsdir = NULL;
84 static char *cert = NULL;
85 static char *privkey = NULL;
86 static char *cert2 = NULL;
87 static char *privkey2 = NULL;
88 static char *cert1024 = NULL;
89 static char *privkey1024 = NULL;
90 static char *cert3072 = NULL;
91 static char *privkey3072 = NULL;
92 static char *cert4096 = NULL;
93 static char *privkey4096 = NULL;
94 static char *cert8192 = NULL;
95 static char *privkey8192 = NULL;
96 static char *srpvfile = NULL;
97 static char *tmpfilename = NULL;
98 static char *dhfile = NULL;
100 static int is_fips = 0;
101 static int fips_ems_check = 0;
103 #define LOG_BUFFER_SIZE 2048
104 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
105 static size_t server_log_buffer_index = 0;
106 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
107 static size_t client_log_buffer_index = 0;
108 static int error_writing_log = 0;
110 #ifndef OPENSSL_NO_OCSP
111 static const unsigned char orespder[] = "Dummy OCSP Response";
112 static int ocsp_server_called = 0;
113 static int ocsp_client_called = 0;
115 static int cdummyarg = 1;
116 static X509 *ocspcert = NULL;
119 #define CLIENT_VERSION_LEN 2
122 * This structure is used to validate that the correct number of log messages
123 * of various types are emitted when emitting secret logs.
125 struct sslapitest_log_counts {
126 unsigned int rsa_key_exchange_count;
127 unsigned int master_secret_count;
128 unsigned int client_early_secret_count;
129 unsigned int client_handshake_secret_count;
130 unsigned int server_handshake_secret_count;
131 unsigned int client_application_secret_count;
132 unsigned int server_application_secret_count;
133 unsigned int early_exporter_secret_count;
134 unsigned int exporter_secret_count;
138 static int hostname_cb(SSL *s, int *al, void *arg)
140 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
142 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
143 || strcmp(hostname, "altgoodhost") == 0))
144 return SSL_TLSEXT_ERR_OK;
146 return SSL_TLSEXT_ERR_NOACK;
149 static void client_keylog_callback(const SSL *ssl, const char *line)
151 int line_length = strlen(line);
153 /* If the log doesn't fit, error out. */
154 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
155 TEST_info("Client log too full");
156 error_writing_log = 1;
160 strcat(client_log_buffer, line);
161 client_log_buffer_index += line_length;
162 client_log_buffer[client_log_buffer_index++] = '\n';
165 static void server_keylog_callback(const SSL *ssl, const char *line)
167 int line_length = strlen(line);
169 /* If the log doesn't fit, error out. */
170 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
171 TEST_info("Server log too full");
172 error_writing_log = 1;
176 strcat(server_log_buffer, line);
177 server_log_buffer_index += line_length;
178 server_log_buffer[server_log_buffer_index++] = '\n';
181 static int compare_hex_encoded_buffer(const char *hex_encoded,
189 if (!TEST_size_t_eq(raw_length * 2, hex_length))
192 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
193 sprintf(hexed, "%02x", raw[i]);
194 if (!TEST_int_eq(hexed[0], hex_encoded[j])
195 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
202 static int test_keylog_output(char *buffer, const SSL *ssl,
203 const SSL_SESSION *session,
204 struct sslapitest_log_counts *expected)
207 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
208 size_t client_random_size = SSL3_RANDOM_SIZE;
209 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
210 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
211 unsigned int rsa_key_exchange_count = 0;
212 unsigned int master_secret_count = 0;
213 unsigned int client_early_secret_count = 0;
214 unsigned int client_handshake_secret_count = 0;
215 unsigned int server_handshake_secret_count = 0;
216 unsigned int client_application_secret_count = 0;
217 unsigned int server_application_secret_count = 0;
218 unsigned int early_exporter_secret_count = 0;
219 unsigned int exporter_secret_count = 0;
221 for (token = strtok(buffer, " \n"); token != NULL;
222 token = strtok(NULL, " \n")) {
223 if (strcmp(token, "RSA") == 0) {
225 * Premaster secret. Tokens should be: 16 ASCII bytes of
226 * hex-encoded encrypted secret, then the hex-encoded pre-master
229 if (!TEST_ptr(token = strtok(NULL, " \n")))
231 if (!TEST_size_t_eq(strlen(token), 16))
233 if (!TEST_ptr(token = strtok(NULL, " \n")))
236 * We can't sensibly check the log because the premaster secret is
237 * transient, and OpenSSL doesn't keep hold of it once the master
238 * secret is generated.
240 rsa_key_exchange_count++;
241 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
243 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
244 * client random, then the hex-encoded master secret.
246 client_random_size = SSL_get_client_random(ssl,
247 actual_client_random,
249 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
252 if (!TEST_ptr(token = strtok(NULL, " \n")))
254 if (!TEST_size_t_eq(strlen(token), 64))
256 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
257 actual_client_random,
258 client_random_size)))
261 if (!TEST_ptr(token = strtok(NULL, " \n")))
263 master_key_size = SSL_SESSION_get_master_key(session,
266 if (!TEST_size_t_ne(master_key_size, 0))
268 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
272 master_secret_count++;
273 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
274 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
275 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
276 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
277 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
278 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
279 || strcmp(token, "EXPORTER_SECRET") == 0) {
281 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
282 * client random, and then the hex-encoded secret. In this case,
283 * we treat all of these secrets identically and then just
284 * distinguish between them when counting what we saw.
286 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
287 client_early_secret_count++;
288 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
289 client_handshake_secret_count++;
290 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
291 server_handshake_secret_count++;
292 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
293 client_application_secret_count++;
294 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
295 server_application_secret_count++;
296 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
297 early_exporter_secret_count++;
298 else if (strcmp(token, "EXPORTER_SECRET") == 0)
299 exporter_secret_count++;
301 client_random_size = SSL_get_client_random(ssl,
302 actual_client_random,
304 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
307 if (!TEST_ptr(token = strtok(NULL, " \n")))
309 if (!TEST_size_t_eq(strlen(token), 64))
311 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
312 actual_client_random,
313 client_random_size)))
316 if (!TEST_ptr(token = strtok(NULL, " \n")))
319 TEST_info("Unexpected token %s\n", token);
324 /* Got what we expected? */
325 if (!TEST_size_t_eq(rsa_key_exchange_count,
326 expected->rsa_key_exchange_count)
327 || !TEST_size_t_eq(master_secret_count,
328 expected->master_secret_count)
329 || !TEST_size_t_eq(client_early_secret_count,
330 expected->client_early_secret_count)
331 || !TEST_size_t_eq(client_handshake_secret_count,
332 expected->client_handshake_secret_count)
333 || !TEST_size_t_eq(server_handshake_secret_count,
334 expected->server_handshake_secret_count)
335 || !TEST_size_t_eq(client_application_secret_count,
336 expected->client_application_secret_count)
337 || !TEST_size_t_eq(server_application_secret_count,
338 expected->server_application_secret_count)
339 || !TEST_size_t_eq(early_exporter_secret_count,
340 expected->early_exporter_secret_count)
341 || !TEST_size_t_eq(exporter_secret_count,
342 expected->exporter_secret_count))
347 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
348 static int test_keylog(void)
350 SSL_CTX *cctx = NULL, *sctx = NULL;
351 SSL *clientssl = NULL, *serverssl = NULL;
353 struct sslapitest_log_counts expected;
355 /* Clean up logging space */
356 memset(&expected, 0, sizeof(expected));
357 memset(client_log_buffer, 0, sizeof(client_log_buffer));
358 memset(server_log_buffer, 0, sizeof(server_log_buffer));
359 client_log_buffer_index = 0;
360 server_log_buffer_index = 0;
361 error_writing_log = 0;
363 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
366 &sctx, &cctx, cert, privkey)))
369 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
370 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
371 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
373 /* We also want to ensure that we use RSA-based key exchange. */
374 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
377 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
378 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
380 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
381 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
382 == client_keylog_callback))
384 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
385 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
386 == server_keylog_callback))
389 /* Now do a handshake and check that the logs have been written to. */
390 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
391 &clientssl, NULL, NULL))
392 || !TEST_true(create_ssl_connection(serverssl, clientssl,
394 || !TEST_false(error_writing_log)
395 || !TEST_int_gt(client_log_buffer_index, 0)
396 || !TEST_int_gt(server_log_buffer_index, 0))
400 * Now we want to test that our output data was vaguely sensible. We
401 * do that by using strtok and confirming that we have more or less the
402 * data we expect. For both client and server, we expect to see one master
403 * secret. The client should also see an RSA key exchange.
405 expected.rsa_key_exchange_count = 1;
406 expected.master_secret_count = 1;
407 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
408 SSL_get_session(clientssl), &expected)))
411 expected.rsa_key_exchange_count = 0;
412 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
413 SSL_get_session(serverssl), &expected)))
428 #ifndef OSSL_NO_USABLE_TLS1_3
429 static int test_keylog_no_master_key(void)
431 SSL_CTX *cctx = NULL, *sctx = NULL;
432 SSL *clientssl = NULL, *serverssl = NULL;
433 SSL_SESSION *sess = NULL;
435 struct sslapitest_log_counts expected;
436 unsigned char buf[1];
437 size_t readbytes, written;
439 /* Clean up logging space */
440 memset(&expected, 0, sizeof(expected));
441 memset(client_log_buffer, 0, sizeof(client_log_buffer));
442 memset(server_log_buffer, 0, sizeof(server_log_buffer));
443 client_log_buffer_index = 0;
444 server_log_buffer_index = 0;
445 error_writing_log = 0;
447 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
448 TLS_client_method(), TLS1_VERSION, 0,
449 &sctx, &cctx, cert, privkey))
450 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
451 SSL3_RT_MAX_PLAIN_LENGTH)))
454 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
455 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
458 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
459 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
460 == client_keylog_callback))
463 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
464 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
465 == server_keylog_callback))
468 /* Now do a handshake and check that the logs have been written to. */
469 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
470 &clientssl, NULL, NULL))
471 || !TEST_true(create_ssl_connection(serverssl, clientssl,
473 || !TEST_false(error_writing_log))
477 * Now we want to test that our output data was vaguely sensible. For this
478 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
479 * TLSv1.3, but we do expect both client and server to emit keys.
481 expected.client_handshake_secret_count = 1;
482 expected.server_handshake_secret_count = 1;
483 expected.client_application_secret_count = 1;
484 expected.server_application_secret_count = 1;
485 expected.exporter_secret_count = 1;
486 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
487 SSL_get_session(clientssl), &expected))
488 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
489 SSL_get_session(serverssl),
493 /* Terminate old session and resume with early data. */
494 sess = SSL_get1_session(clientssl);
495 SSL_shutdown(clientssl);
496 SSL_shutdown(serverssl);
499 serverssl = clientssl = NULL;
502 memset(client_log_buffer, 0, sizeof(client_log_buffer));
503 memset(server_log_buffer, 0, sizeof(server_log_buffer));
504 client_log_buffer_index = 0;
505 server_log_buffer_index = 0;
507 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
508 &clientssl, NULL, NULL))
509 || !TEST_true(SSL_set_session(clientssl, sess))
510 /* Here writing 0 length early data is enough. */
511 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
512 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
514 SSL_READ_EARLY_DATA_ERROR)
515 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
516 SSL_EARLY_DATA_ACCEPTED)
517 || !TEST_true(create_ssl_connection(serverssl, clientssl,
519 || !TEST_true(SSL_session_reused(clientssl)))
522 /* In addition to the previous entries, expect early secrets. */
523 expected.client_early_secret_count = 1;
524 expected.early_exporter_secret_count = 1;
525 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
526 SSL_get_session(clientssl), &expected))
527 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
528 SSL_get_session(serverssl),
535 SSL_SESSION_free(sess);
545 static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
547 int res = X509_verify_cert(ctx);
548 int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
551 /* this should not happen but check anyway */
553 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL)
556 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
557 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
558 /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
559 return SSL_set_retry_verify(ssl);
564 static int test_client_cert_verify_cb(void)
566 /* server key, cert, chain, and root */
567 char *skey = test_mk_file_path(certsdir, "leaf.key");
568 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
569 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
570 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
571 char *root = test_mk_file_path(certsdir, "rootCA.pem");
572 X509 *crt1 = NULL, *crt2 = NULL;
573 STACK_OF(X509) *server_chain;
574 SSL_CTX *cctx = NULL, *sctx = NULL;
575 SSL *clientssl = NULL, *serverssl = NULL;
578 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
579 TLS_client_method(), TLS1_VERSION, 0,
580 &sctx, &cctx, NULL, NULL)))
582 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
583 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
584 SSL_FILETYPE_PEM), 1)
585 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
587 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
589 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
590 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
591 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
592 &clientssl, NULL, NULL)))
595 /* attempt SSL_connect() with incomplete server chain */
596 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
597 SSL_ERROR_WANT_RETRY_VERIFY)))
600 /* application provides intermediate certs needed to verify server cert */
601 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
602 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
603 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
605 /* add certs in reverse order to demonstrate real chain building */
606 if (!TEST_true(sk_X509_push(server_chain, crt1)))
609 if (!TEST_true(sk_X509_push(server_chain, crt2)))
613 /* continue SSL_connect(), must now succeed with completed server chain */
614 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
623 if (clientssl != NULL) {
624 SSL_shutdown(clientssl);
627 if (serverssl != NULL) {
628 SSL_shutdown(serverssl);
643 static int test_ssl_build_cert_chain(void)
646 SSL_CTX *ssl_ctx = NULL;
648 char *skey = test_mk_file_path(certsdir, "leaf.key");
649 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
651 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
653 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
655 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
656 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
657 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
658 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
660 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
661 | SSL_BUILD_CHAIN_FLAG_CHECK)))
666 SSL_CTX_free(ssl_ctx);
667 OPENSSL_free(leaf_chain);
672 static int get_password_cb(char *buf, int size, int rw_flag, void *userdata)
674 static const char pass[] = "testpass";
676 if (!TEST_int_eq(size, PEM_BUFSIZE))
679 memcpy(buf, pass, sizeof(pass) - 1);
680 return sizeof(pass) - 1;
683 static int test_ssl_ctx_build_cert_chain(void)
687 char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key");
688 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
690 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
692 SSL_CTX_set_default_passwd_cb(ctx, get_password_cb);
693 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
694 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
695 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
696 SSL_FILETYPE_PEM), 1)
697 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
699 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
700 | SSL_BUILD_CHAIN_FLAG_CHECK)))
705 OPENSSL_free(leaf_chain);
710 #ifndef OPENSSL_NO_TLS1_2
711 static int full_client_hello_callback(SSL *s, int *al, void *arg)
714 const unsigned char *p;
717 const unsigned char expected_ciphers[] = {0x00, 0x9d};
719 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
722 const int expected_extensions[] = {
724 #ifndef OPENSSL_NO_EC
730 /* Make sure we can defer processing and get called back. */
732 return SSL_CLIENT_HELLO_RETRY;
734 len = SSL_client_hello_get0_ciphers(s, &p);
735 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
737 SSL_client_hello_get0_compression_methods(s, &p), 1)
738 || !TEST_int_eq(*p, 0))
739 return SSL_CLIENT_HELLO_ERROR;
740 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
741 return SSL_CLIENT_HELLO_ERROR;
742 if (len != OSSL_NELEM(expected_extensions) ||
743 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
744 printf("ClientHello callback expected extensions mismatch\n");
746 return SSL_CLIENT_HELLO_ERROR;
749 return SSL_CLIENT_HELLO_SUCCESS;
752 static int test_client_hello_cb(void)
754 SSL_CTX *cctx = NULL, *sctx = NULL;
755 SSL *clientssl = NULL, *serverssl = NULL;
756 int testctr = 0, testresult = 0;
758 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
759 TLS_client_method(), TLS1_VERSION, 0,
760 &sctx, &cctx, cert, privkey)))
762 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
764 /* The gimpy cipher list we configure can't do TLS 1.3. */
765 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
767 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
768 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
769 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
770 &clientssl, NULL, NULL))
771 || !TEST_false(create_ssl_connection(serverssl, clientssl,
772 SSL_ERROR_WANT_CLIENT_HELLO_CB))
774 * Passing a -1 literal is a hack since
775 * the real value was lost.
777 || !TEST_int_eq(SSL_get_error(serverssl, -1),
778 SSL_ERROR_WANT_CLIENT_HELLO_CB)
779 || !TEST_true(create_ssl_connection(serverssl, clientssl,
794 static int test_no_ems(void)
796 SSL_CTX *cctx = NULL, *sctx = NULL;
797 SSL *clientssl = NULL, *serverssl = NULL;
798 int testresult = 0, status;
800 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
801 TLS1_VERSION, TLS1_2_VERSION,
802 &sctx, &cctx, cert, privkey)) {
803 printf("Unable to create SSL_CTX pair\n");
807 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
809 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
810 printf("Unable to create SSL objects\n");
814 status = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
815 if (fips_ems_check) {
817 printf("When FIPS uses the EMS check a connection that doesn't use EMS should fail\n");
822 printf("Creating SSL connection failed\n");
825 if (SSL_get_extms_support(serverssl)) {
826 printf("Server reports Extended Master Secret support\n");
829 if (SSL_get_extms_support(clientssl)) {
830 printf("Client reports Extended Master Secret support\n");
846 * Very focused test to exercise a single case in the server-side state
847 * machine, when the ChangeCipherState message needs to actually change
848 * from one cipher to a different cipher (i.e., not changing from null
849 * encryption to real encryption).
851 static int test_ccs_change_cipher(void)
853 SSL_CTX *cctx = NULL, *sctx = NULL;
854 SSL *clientssl = NULL, *serverssl = NULL;
855 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
862 * Create a connection so we can resume and potentially (but not) use
863 * a different cipher in the second connection.
865 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
867 TLS1_VERSION, TLS1_2_VERSION,
868 &sctx, &cctx, cert, privkey))
869 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
870 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
872 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
873 || !TEST_true(create_ssl_connection(serverssl, clientssl,
875 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
876 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
879 shutdown_ssl_connection(serverssl, clientssl);
880 serverssl = clientssl = NULL;
882 /* Resume, preferring a different cipher. Our server will force the
883 * same cipher to be used as the initial handshake. */
884 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
886 || !TEST_true(SSL_set_session(clientssl, sess))
887 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
888 || !TEST_true(create_ssl_connection(serverssl, clientssl,
890 || !TEST_true(SSL_session_reused(clientssl))
891 || !TEST_true(SSL_session_reused(serverssl))
892 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
893 || !TEST_ptr_eq(sesspre, sesspost)
894 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
895 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
897 shutdown_ssl_connection(serverssl, clientssl);
898 serverssl = clientssl = NULL;
901 * Now create a fresh connection and try to renegotiate a different
904 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
906 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
907 || !TEST_true(create_ssl_connection(serverssl, clientssl,
909 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
910 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
911 || !TEST_true(SSL_renegotiate(clientssl))
912 || !TEST_true(SSL_renegotiate_pending(clientssl)))
914 /* Actually drive the renegotiation. */
915 for (i = 0; i < 3; i++) {
916 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
917 if (!TEST_ulong_eq(readbytes, 0))
919 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
920 SSL_ERROR_WANT_READ)) {
923 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
924 if (!TEST_ulong_eq(readbytes, 0))
926 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
927 SSL_ERROR_WANT_READ)) {
931 /* sesspre and sesspost should be different since the cipher changed. */
932 if (!TEST_false(SSL_renegotiate_pending(clientssl))
933 || !TEST_false(SSL_session_reused(clientssl))
934 || !TEST_false(SSL_session_reused(serverssl))
935 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
936 || !TEST_ptr_ne(sesspre, sesspost)
937 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
938 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
941 shutdown_ssl_connection(serverssl, clientssl);
942 serverssl = clientssl = NULL;
951 SSL_SESSION_free(sess);
957 static int execute_test_large_message(const SSL_METHOD *smeth,
958 const SSL_METHOD *cmeth,
959 int min_version, int max_version,
962 SSL_CTX *cctx = NULL, *sctx = NULL;
963 SSL *clientssl = NULL, *serverssl = NULL;
966 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
967 max_version, &sctx, &cctx, cert,
971 #ifdef OPENSSL_NO_DTLS1_2
972 if (smeth == DTLS_server_method()) {
974 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
977 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
978 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
979 "DEFAULT:@SECLEVEL=0")))
986 * Test that read_ahead works correctly when dealing with large
989 SSL_CTX_set_read_ahead(cctx, 1);
992 if (!ssl_ctx_add_large_cert_chain(libctx, sctx, cert))
995 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
997 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1002 * Calling SSL_clear() first is not required but this tests that SSL_clear()
1005 if (!TEST_true(SSL_clear(serverssl)))
1010 SSL_free(serverssl);
1011 SSL_free(clientssl);
1018 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
1019 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
1020 /* sock must be connected */
1021 static int ktls_chk_platform(int sock)
1023 if (!ktls_enable(sock))
1028 static int ping_pong_query(SSL *clientssl, SSL *serverssl)
1030 static char count = 1;
1031 unsigned char cbuf[16000] = {0};
1032 unsigned char sbuf[16000];
1034 char crec_wseq_before[SEQ_NUM_SIZE];
1035 char crec_wseq_after[SEQ_NUM_SIZE];
1036 char crec_rseq_before[SEQ_NUM_SIZE];
1037 char crec_rseq_after[SEQ_NUM_SIZE];
1038 char srec_wseq_before[SEQ_NUM_SIZE];
1039 char srec_wseq_after[SEQ_NUM_SIZE];
1040 char srec_rseq_before[SEQ_NUM_SIZE];
1041 char srec_rseq_after[SEQ_NUM_SIZE];
1042 SSL_CONNECTION *clientsc, *serversc;
1044 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1045 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1049 memcpy(crec_wseq_before, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1050 memcpy(srec_wseq_before, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1051 memcpy(crec_rseq_before, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1052 memcpy(srec_rseq_before, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1054 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1057 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1058 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1063 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1066 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1067 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1072 memcpy(crec_wseq_after, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1073 memcpy(srec_wseq_after, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1074 memcpy(crec_rseq_after, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1075 memcpy(srec_rseq_after, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1077 /* verify the payload */
1078 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1082 * If ktls is used then kernel sequences are used instead of
1085 if (!BIO_get_ktls_send(clientsc->wbio)) {
1086 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1087 crec_wseq_after, SEQ_NUM_SIZE))
1090 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1091 crec_wseq_after, SEQ_NUM_SIZE))
1095 if (!BIO_get_ktls_send(serversc->wbio)) {
1096 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1097 srec_wseq_after, SEQ_NUM_SIZE))
1100 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1101 srec_wseq_after, SEQ_NUM_SIZE))
1105 if (!BIO_get_ktls_recv(clientsc->wbio)) {
1106 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1107 crec_rseq_after, SEQ_NUM_SIZE))
1110 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1111 crec_rseq_after, SEQ_NUM_SIZE))
1115 if (!BIO_get_ktls_recv(serversc->wbio)) {
1116 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1117 srec_rseq_after, SEQ_NUM_SIZE))
1120 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1121 srec_rseq_after, SEQ_NUM_SIZE))
1130 static int execute_test_ktls(int cis_ktls, int sis_ktls,
1131 int tls_version, const char *cipher)
1133 SSL_CTX *cctx = NULL, *sctx = NULL;
1134 SSL *clientssl = NULL, *serverssl = NULL;
1135 int ktls_used = 0, testresult = 0;
1136 int cfd = -1, sfd = -1;
1138 SSL_CONNECTION *clientsc, *serversc;
1139 unsigned char *buf = NULL;
1140 const size_t bufsz = SSL3_RT_MAX_PLAIN_LENGTH + 16;
1142 size_t offset = 0, i;
1144 if (!TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
1147 /* Skip this test if the platform does not support ktls */
1148 if (!ktls_chk_platform(cfd)) {
1149 testresult = TEST_skip("Kernel does not support KTLS");
1153 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1154 testresult = TEST_skip("CHACHA is not supported in FIPS");
1158 /* Create a session based on SHA-256 */
1159 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1160 TLS_client_method(),
1161 tls_version, tls_version,
1162 &sctx, &cctx, cert, privkey)))
1165 if (tls_version == TLS1_3_VERSION) {
1166 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1167 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1170 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1171 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1175 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1176 &clientssl, sfd, cfd)))
1179 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1180 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1184 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
1189 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1193 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1197 * The running kernel may not support a given cipher suite
1198 * or direction, so just check that KTLS isn't used when it
1202 if (!TEST_false(BIO_get_ktls_send(clientsc->wbio)))
1205 if (BIO_get_ktls_send(clientsc->wbio))
1210 if (!TEST_false(BIO_get_ktls_send(serversc->wbio)))
1213 if (BIO_get_ktls_send(serversc->wbio))
1217 #if defined(OPENSSL_NO_KTLS_RX)
1222 if (!cis_ktls || !rx_supported) {
1223 if (!TEST_false(BIO_get_ktls_recv(clientsc->rbio)))
1226 if (BIO_get_ktls_send(clientsc->rbio))
1230 if (!sis_ktls || !rx_supported) {
1231 if (!TEST_false(BIO_get_ktls_recv(serversc->rbio)))
1234 if (BIO_get_ktls_send(serversc->rbio))
1238 if ((cis_ktls || sis_ktls) && !ktls_used) {
1239 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1240 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1245 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
1248 buf = OPENSSL_zalloc(bufsz);
1253 * Write some data that exceeds the maximum record length. KTLS may choose
1254 * to coalesce this data into a single buffer when we read it again.
1256 while ((ret = SSL_write(clientssl, buf, bufsz)) != (int)bufsz) {
1257 if (!TEST_true(SSL_get_error(clientssl, ret) == SSL_ERROR_WANT_WRITE))
1261 /* Now check that we can read all the data we wrote */
1263 ret = SSL_read(serverssl, buf + offset, bufsz - offset);
1265 if (!TEST_true(SSL_get_error(serverssl, ret) == SSL_ERROR_WANT_READ))
1270 } while (offset < bufsz);
1272 if (!TEST_true(offset == bufsz))
1274 for (i = 0; i < bufsz; i++)
1275 if (!TEST_true(buf[i] == 0))
1282 SSL_shutdown(clientssl);
1283 SSL_free(clientssl);
1286 SSL_shutdown(serverssl);
1287 SSL_free(serverssl);
1291 serverssl = clientssl = NULL;
1299 #define SENDFILE_SZ (16 * 4096)
1300 #define SENDFILE_CHUNK (4 * 4096)
1301 #define min(a,b) ((a) > (b) ? (b) : (a))
1303 static int execute_test_ktls_sendfile(int tls_version, const char *cipher,
1306 SSL_CTX *cctx = NULL, *sctx = NULL;
1307 SSL *clientssl = NULL, *serverssl = NULL;
1308 unsigned char *buf, *buf_dst;
1309 BIO *out = NULL, *in = NULL;
1310 int cfd = -1, sfd = -1, ffd, err;
1311 ssize_t chunk_size = 0;
1312 off_t chunk_off = 0;
1315 SSL_CONNECTION *serversc;
1317 buf = OPENSSL_zalloc(SENDFILE_SZ);
1318 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1319 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1320 || !TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
1323 /* Skip this test if the platform does not support ktls */
1324 if (!ktls_chk_platform(sfd)) {
1325 testresult = TEST_skip("Kernel does not support KTLS");
1329 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1330 testresult = TEST_skip("CHACHA is not supported in FIPS");
1334 /* Create a session based on SHA-256 */
1335 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1336 TLS_client_method(),
1337 tls_version, tls_version,
1338 &sctx, &cctx, cert, privkey)))
1341 if (tls_version == TLS1_3_VERSION) {
1342 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1343 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1346 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1347 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1351 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1352 &clientssl, sfd, cfd)))
1355 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1358 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1362 if (!TEST_true(SSL_set_options(serverssl,
1363 SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE)))
1367 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1371 if (!BIO_get_ktls_send(serversc->wbio)) {
1372 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1373 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1378 if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
1381 out = BIO_new_file(tmpfilename, "wb");
1385 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1390 in = BIO_new_file(tmpfilename, "rb");
1391 BIO_get_fp(in, &ffdp);
1394 while (chunk_off < SENDFILE_SZ) {
1395 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1396 while ((err = SSL_sendfile(serverssl,
1400 0)) != chunk_size) {
1401 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1404 while ((err = SSL_read(clientssl,
1405 buf_dst + chunk_off,
1406 chunk_size)) != chunk_size) {
1407 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1411 /* verify the payload */
1412 if (!TEST_mem_eq(buf_dst + chunk_off,
1418 chunk_off += chunk_size;
1424 SSL_shutdown(clientssl);
1425 SSL_free(clientssl);
1428 SSL_shutdown(serverssl);
1429 SSL_free(serverssl);
1433 serverssl = clientssl = NULL;
1441 OPENSSL_free(buf_dst);
1445 static struct ktls_test_cipher {
1448 } ktls_test_ciphers[] = {
1449 # if !defined(OPENSSL_NO_TLS1_2)
1450 # ifdef OPENSSL_KTLS_AES_GCM_128
1451 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1453 # ifdef OPENSSL_KTLS_AES_CCM_128
1454 { TLS1_2_VERSION, "AES128-CCM"},
1456 # ifdef OPENSSL_KTLS_AES_GCM_256
1457 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1459 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1460 # ifndef OPENSSL_NO_EC
1461 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
1465 # if !defined(OSSL_NO_USABLE_TLS1_3)
1466 # ifdef OPENSSL_KTLS_AES_GCM_128
1467 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1469 # ifdef OPENSSL_KTLS_AES_CCM_128
1470 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1472 # ifdef OPENSSL_KTLS_AES_GCM_256
1473 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1475 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1476 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1481 #define NUM_KTLS_TEST_CIPHERS \
1482 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1484 static int test_ktls(int test)
1486 struct ktls_test_cipher *cipher;
1487 int cis_ktls, sis_ktls;
1489 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
1490 cipher = &ktls_test_ciphers[test / 4];
1492 cis_ktls = (test & 1) != 0;
1493 sis_ktls = (test & 2) != 0;
1495 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1499 static int test_ktls_sendfile(int test)
1501 struct ktls_test_cipher *cipher;
1502 int tst = test >> 1;
1504 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
1505 cipher = &ktls_test_ciphers[tst];
1507 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher,
1512 static int test_large_message_tls(void)
1514 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1515 TLS1_VERSION, 0, 0);
1518 static int test_large_message_tls_read_ahead(void)
1520 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1521 TLS1_VERSION, 0, 1);
1524 #ifndef OPENSSL_NO_DTLS
1525 static int test_large_message_dtls(void)
1527 # ifdef OPENSSL_NO_DTLS1_2
1528 /* Not supported in the FIPS provider */
1533 * read_ahead is not relevant to DTLS because DTLS always acts as if
1534 * read_ahead is set.
1536 return execute_test_large_message(DTLS_server_method(),
1537 DTLS_client_method(),
1538 DTLS1_VERSION, 0, 0);
1543 * Test we can successfully send the maximum amount of application data. We
1544 * test each protocol version individually, each with and without EtM enabled.
1545 * TLSv1.3 doesn't use EtM so technically it is redundant to test both but it is
1546 * simpler this way. We also test all combinations with and without the
1547 * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option which affects the size of the
1548 * underlying buffer.
1550 static int test_large_app_data(int tst)
1552 SSL_CTX *cctx = NULL, *sctx = NULL;
1553 SSL *clientssl = NULL, *serverssl = NULL;
1554 int testresult = 0, prot;
1555 unsigned char *msg, *buf = NULL;
1556 size_t written, readbytes;
1557 const SSL_METHOD *smeth = TLS_server_method();
1558 const SSL_METHOD *cmeth = TLS_client_method();
1562 #ifndef OSSL_NO_USABLE_TLS1_3
1563 prot = TLS1_3_VERSION;
1570 #ifndef OPENSSL_NO_TLS1_2
1571 prot = TLS1_2_VERSION;
1578 #ifndef OPENSSL_NO_TLS1_1
1579 prot = TLS1_1_VERSION;
1586 #ifndef OPENSSL_NO_TLS1
1587 prot = TLS1_VERSION;
1594 #ifndef OPENSSL_NO_SSL3
1595 prot = SSL3_VERSION;
1602 #ifndef OPENSSL_NO_DTLS1_2
1603 prot = DTLS1_2_VERSION;
1604 smeth = DTLS_server_method();
1605 cmeth = DTLS_client_method();
1612 #ifndef OPENSSL_NO_DTLS1
1613 prot = DTLS1_VERSION;
1614 smeth = DTLS_server_method();
1615 cmeth = DTLS_client_method();
1622 /* Shouldn't happen */
1626 if ((prot < TLS1_2_VERSION || prot == DTLS1_VERSION) && is_fips)
1629 /* Maximal sized message of zeros */
1630 msg = OPENSSL_zalloc(SSL3_RT_MAX_PLAIN_LENGTH);
1634 buf = OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH + 1);
1637 /* Set whole buffer to all bits set */
1638 memset(buf, 0xff, SSL3_RT_MAX_PLAIN_LENGTH + 1);
1640 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, prot, prot,
1641 &sctx, &cctx, cert, privkey)))
1644 if (prot < TLS1_2_VERSION || prot == DTLS1_VERSION) {
1645 /* Older protocol versions need SECLEVEL=0 due to SHA1 usage */
1646 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0"))
1647 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
1648 "DEFAULT:@SECLEVEL=0")))
1652 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1653 &clientssl, NULL, NULL)))
1656 if ((tst & 1) != 0) {
1657 /* Setting this option gives us a minimally sized underlying buffer */
1658 if (!TEST_true(SSL_set_options(serverssl,
1659 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
1660 || !TEST_true(SSL_set_options(clientssl,
1661 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)))
1665 if ((tst & 2) != 0) {
1667 * Setting this option means the MAC is added before encryption
1668 * giving us a larger record for the encryption process
1670 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC))
1671 || !TEST_true(SSL_set_options(clientssl,
1672 SSL_OP_NO_ENCRYPT_THEN_MAC)))
1676 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1679 if (!TEST_true(SSL_write_ex(clientssl, msg, SSL3_RT_MAX_PLAIN_LENGTH,
1681 || !TEST_size_t_eq(written, SSL3_RT_MAX_PLAIN_LENGTH))
1684 /* We provide a buffer slightly larger than what we are actually expecting */
1685 if (!TEST_true(SSL_read_ex(serverssl, buf, SSL3_RT_MAX_PLAIN_LENGTH + 1,
1689 if (!TEST_mem_eq(msg, written, buf, readbytes))
1696 SSL_free(serverssl);
1697 SSL_free(clientssl);
1703 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) \
1704 || !defined(OPENSSL_NO_DTLS)
1705 static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1706 const SSL_METHOD *cmeth,
1707 int min_version, int max_version)
1710 SSL_CTX *cctx = NULL, *sctx = NULL;
1711 SSL *clientssl = NULL, *serverssl = NULL;
1713 const unsigned char *zbuf;
1714 SSL_CONNECTION *serversc;
1717 static unsigned char cbuf[16000];
1718 static unsigned char sbuf[16000];
1720 if (!TEST_true(create_ssl_ctx_pair(libctx,
1722 min_version, max_version,
1727 # ifdef OPENSSL_NO_DTLS1_2
1728 if (smeth == DTLS_server_method()) {
1729 /* Not supported in the FIPS provider */
1735 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1738 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1739 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1740 "DEFAULT:@SECLEVEL=0")))
1745 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1749 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1752 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1756 for (i = 0; i < sizeof(cbuf); i++) {
1760 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1763 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1766 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1770 * Since we called SSL_peek(), we know the data in the record
1771 * layer is a plaintext record. We can gather the pointer to check
1772 * for zeroization after SSL_read().
1774 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1776 rr = serversc->rlayer.tlsrecs;
1778 zbuf = &rr->data[rr->off];
1779 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1783 * After SSL_peek() the plaintext must still be stored in the
1786 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1789 memset(sbuf, 0, sizeof(sbuf));
1790 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1793 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1796 /* Check if rbuf is cleansed */
1797 memset(cbuf, 0, sizeof(cbuf));
1798 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1803 SSL_free(serverssl);
1804 SSL_free(clientssl);
1811 * !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
1812 * || !defined(OPENSSL_NO_DTLS)
1815 static int test_cleanse_plaintext(void)
1817 #if !defined(OPENSSL_NO_TLS1_2)
1818 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1819 TLS_client_method(),
1826 #if !defined(OSSL_NO_USABLE_TLS1_3)
1827 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1828 TLS_client_method(),
1834 #if !defined(OPENSSL_NO_DTLS)
1836 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1837 DTLS_client_method(),
1845 #ifndef OPENSSL_NO_OCSP
1846 static int ocsp_server_cb(SSL *s, void *arg)
1848 int *argi = (int *)arg;
1849 unsigned char *copy = NULL;
1850 STACK_OF(OCSP_RESPID) *ids = NULL;
1851 OCSP_RESPID *id = NULL;
1854 /* In this test we are expecting exactly 1 OCSP_RESPID */
1855 SSL_get_tlsext_status_ids(s, &ids);
1856 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1857 return SSL_TLSEXT_ERR_ALERT_FATAL;
1859 id = sk_OCSP_RESPID_value(ids, 0);
1860 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1861 return SSL_TLSEXT_ERR_ALERT_FATAL;
1862 } else if (*argi != 1) {
1863 return SSL_TLSEXT_ERR_ALERT_FATAL;
1866 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1867 return SSL_TLSEXT_ERR_ALERT_FATAL;
1869 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1870 sizeof(orespder)))) {
1872 return SSL_TLSEXT_ERR_ALERT_FATAL;
1874 ocsp_server_called = 1;
1875 return SSL_TLSEXT_ERR_OK;
1878 static int ocsp_client_cb(SSL *s, void *arg)
1880 int *argi = (int *)arg;
1881 const unsigned char *respderin;
1884 if (*argi != 1 && *argi != 2)
1887 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1888 if (!TEST_mem_eq(orespder, len, respderin, len))
1891 ocsp_client_called = 1;
1895 static int test_tlsext_status_type(void)
1897 SSL_CTX *cctx = NULL, *sctx = NULL;
1898 SSL *clientssl = NULL, *serverssl = NULL;
1900 STACK_OF(OCSP_RESPID) *ids = NULL;
1901 OCSP_RESPID *id = NULL;
1902 BIO *certbio = NULL;
1904 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1906 &sctx, &cctx, cert, privkey))
1909 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1912 /* First just do various checks getting and setting tlsext_status_type */
1914 clientssl = SSL_new(cctx);
1915 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1916 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1917 TLSEXT_STATUSTYPE_ocsp))
1918 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1919 TLSEXT_STATUSTYPE_ocsp))
1922 SSL_free(clientssl);
1925 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1926 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1929 clientssl = SSL_new(cctx);
1930 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1932 SSL_free(clientssl);
1936 * Now actually do a handshake and check OCSP information is exchanged and
1937 * the callbacks get called
1939 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1940 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1941 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1942 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1943 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1944 &clientssl, NULL, NULL))
1945 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1947 || !TEST_true(ocsp_client_called)
1948 || !TEST_true(ocsp_server_called))
1950 SSL_free(serverssl);
1951 SSL_free(clientssl);
1955 /* Try again but this time force the server side callback to fail */
1956 ocsp_client_called = 0;
1957 ocsp_server_called = 0;
1959 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1960 &clientssl, NULL, NULL))
1961 /* This should fail because the callback will fail */
1962 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1964 || !TEST_false(ocsp_client_called)
1965 || !TEST_false(ocsp_server_called))
1967 SSL_free(serverssl);
1968 SSL_free(clientssl);
1973 * This time we'll get the client to send an OCSP_RESPID that it will
1976 ocsp_client_called = 0;
1977 ocsp_server_called = 0;
1979 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1980 &clientssl, NULL, NULL)))
1984 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1985 * specific one. We'll use the server cert.
1987 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1988 || !TEST_ptr(id = OCSP_RESPID_new())
1989 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1990 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
1991 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
1992 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1993 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1996 SSL_set_tlsext_status_ids(clientssl, ids);
1997 /* Control has been transferred */
2003 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2005 || !TEST_true(ocsp_client_called)
2006 || !TEST_true(ocsp_server_called))
2012 SSL_free(serverssl);
2013 SSL_free(clientssl);
2016 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
2017 OCSP_RESPID_free(id);
2019 X509_free(ocspcert);
2026 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
2027 static int new_called, remove_called, get_called;
2029 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
2033 * sess has been up-refed for us, but we don't actually need it so free it
2036 SSL_SESSION_free(sess);
2040 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
2045 static SSL_SESSION *get_sess_val = NULL;
2047 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
2052 return get_sess_val;
2055 static int execute_test_session(int maxprot, int use_int_cache,
2056 int use_ext_cache, long s_options)
2058 SSL_CTX *sctx = NULL, *cctx = NULL;
2059 SSL *serverssl1 = NULL, *clientssl1 = NULL;
2060 SSL *serverssl2 = NULL, *clientssl2 = NULL;
2061 # ifndef OPENSSL_NO_TLS1_1
2062 SSL *serverssl3 = NULL, *clientssl3 = NULL;
2064 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
2065 int testresult = 0, numnewsesstick = 1;
2067 new_called = remove_called = 0;
2069 /* TLSv1.3 sends 2 NewSessionTickets */
2070 if (maxprot == TLS1_3_VERSION)
2073 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2074 TLS_client_method(), TLS1_VERSION, 0,
2075 &sctx, &cctx, cert, privkey)))
2079 * Only allow the max protocol version so we can force a connection failure
2082 SSL_CTX_set_min_proto_version(cctx, maxprot);
2083 SSL_CTX_set_max_proto_version(cctx, maxprot);
2085 /* Set up session cache */
2086 if (use_ext_cache) {
2087 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2088 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
2090 if (use_int_cache) {
2091 /* Also covers instance where both are set */
2092 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
2094 SSL_CTX_set_session_cache_mode(cctx,
2095 SSL_SESS_CACHE_CLIENT
2096 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2100 SSL_CTX_set_options(sctx, s_options);
2103 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2105 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2107 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2110 /* Should fail because it should already be in the cache */
2111 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
2114 && (!TEST_int_eq(new_called, numnewsesstick)
2116 || !TEST_int_eq(remove_called, 0)))
2119 new_called = remove_called = 0;
2120 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2121 &clientssl2, NULL, NULL))
2122 || !TEST_true(SSL_set_session(clientssl2, sess1))
2123 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2125 || !TEST_true(SSL_session_reused(clientssl2)))
2128 if (maxprot == TLS1_3_VERSION) {
2130 * In TLSv1.3 we should have created a new session even though we have
2131 * resumed. Since we attempted a resume we should also have removed the
2132 * old ticket from the cache so that we try to only use tickets once.
2135 && (!TEST_int_eq(new_called, 1)
2136 || !TEST_int_eq(remove_called, 1)))
2140 * In TLSv1.2 we expect to have resumed so no sessions added or
2144 && (!TEST_int_eq(new_called, 0)
2145 || !TEST_int_eq(remove_called, 0)))
2149 SSL_SESSION_free(sess1);
2150 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
2152 shutdown_ssl_connection(serverssl2, clientssl2);
2153 serverssl2 = clientssl2 = NULL;
2155 new_called = remove_called = 0;
2156 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2157 &clientssl2, NULL, NULL))
2158 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2162 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2166 && (!TEST_int_eq(new_called, numnewsesstick)
2167 || !TEST_int_eq(remove_called, 0)))
2170 new_called = remove_called = 0;
2172 * This should clear sess2 from the cache because it is a "bad" session.
2173 * See SSL_set_session() documentation.
2175 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2178 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2180 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2183 if (use_int_cache) {
2184 /* Should succeeded because it should not already be in the cache */
2185 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
2186 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
2190 new_called = remove_called = 0;
2191 /* This shouldn't be in the cache so should fail */
2192 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2196 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2199 # if !defined(OPENSSL_NO_TLS1_1)
2200 new_called = remove_called = 0;
2201 /* Force a connection failure */
2202 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
2203 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
2204 &clientssl3, NULL, NULL))
2205 || !TEST_true(SSL_set_session(clientssl3, sess1))
2206 /* This should fail because of the mismatched protocol versions */
2207 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
2211 /* We should have automatically removed the session from the cache */
2213 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2216 /* Should succeed because it should not already be in the cache */
2217 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
2221 /* Now do some tests for server side caching */
2222 if (use_ext_cache) {
2223 SSL_CTX_sess_set_new_cb(cctx, NULL);
2224 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2225 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2226 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2227 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2228 get_sess_val = NULL;
2231 SSL_CTX_set_session_cache_mode(cctx, 0);
2232 /* Internal caching is the default on the server side */
2234 SSL_CTX_set_session_cache_mode(sctx,
2235 SSL_SESS_CACHE_SERVER
2236 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2238 SSL_free(serverssl1);
2239 SSL_free(clientssl1);
2240 serverssl1 = clientssl1 = NULL;
2241 SSL_free(serverssl2);
2242 SSL_free(clientssl2);
2243 serverssl2 = clientssl2 = NULL;
2244 SSL_SESSION_free(sess1);
2246 SSL_SESSION_free(sess2);
2249 SSL_CTX_set_max_proto_version(sctx, maxprot);
2250 if (maxprot == TLS1_2_VERSION)
2251 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
2252 new_called = remove_called = get_called = 0;
2253 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2255 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2257 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2258 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2261 if (use_int_cache) {
2262 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2264 * In TLSv1.3 it should not have been added to the internal cache,
2265 * except in the case where we also have an external cache (in that
2266 * case it gets added to the cache in order to generate remove
2267 * events after timeout).
2269 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2272 /* Should fail because it should already be in the cache */
2273 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2278 if (use_ext_cache) {
2279 SSL_SESSION *tmp = sess2;
2281 if (!TEST_int_eq(new_called, numnewsesstick)
2282 || !TEST_int_eq(remove_called, 0)
2283 || !TEST_int_eq(get_called, 0))
2286 * Delete the session from the internal cache to force a lookup from
2287 * the external cache. We take a copy first because
2288 * SSL_CTX_remove_session() also marks the session as non-resumable.
2290 if (use_int_cache && maxprot != TLS1_3_VERSION) {
2291 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2292 || !TEST_true(sess2->owner != NULL)
2293 || !TEST_true(tmp->owner == NULL)
2294 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2296 SSL_SESSION_free(sess2);
2301 new_called = remove_called = get_called = 0;
2302 get_sess_val = sess2;
2303 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2304 &clientssl2, NULL, NULL))
2305 || !TEST_true(SSL_set_session(clientssl2, sess1))
2306 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2308 || !TEST_true(SSL_session_reused(clientssl2)))
2311 if (use_ext_cache) {
2312 if (!TEST_int_eq(remove_called, 0))
2315 if (maxprot == TLS1_3_VERSION) {
2316 if (!TEST_int_eq(new_called, 1)
2317 || !TEST_int_eq(get_called, 0))
2320 if (!TEST_int_eq(new_called, 0)
2321 || !TEST_int_eq(get_called, 1))
2326 * Make a small cache, force out all other sessions but
2327 * sess2, try to add sess1, which should succeed. Then
2328 * make sure it's there by checking the owners. Despite
2329 * the timeouts, sess1 should have kicked out sess2
2332 /* Make sess1 expire before sess2 */
2333 if (!TEST_long_gt(SSL_SESSION_set_time(sess1, 1000), 0)
2334 || !TEST_long_gt(SSL_SESSION_set_timeout(sess1, 1000), 0)
2335 || !TEST_long_gt(SSL_SESSION_set_time(sess2, 2000), 0)
2336 || !TEST_long_gt(SSL_SESSION_set_timeout(sess2, 2000), 0))
2339 if (!TEST_long_ne(SSL_CTX_sess_set_cache_size(sctx, 1), 0))
2342 /* Don't care about results - cache should only be sess2 at end */
2343 SSL_CTX_add_session(sctx, sess1);
2344 SSL_CTX_add_session(sctx, sess2);
2346 /* Now add sess1, and make sure it remains, despite timeout */
2347 if (!TEST_true(SSL_CTX_add_session(sctx, sess1))
2348 || !TEST_ptr(sess1->owner)
2349 || !TEST_ptr_null(sess2->owner))
2355 SSL_free(serverssl1);
2356 SSL_free(clientssl1);
2357 SSL_free(serverssl2);
2358 SSL_free(clientssl2);
2359 # ifndef OPENSSL_NO_TLS1_1
2360 SSL_free(serverssl3);
2361 SSL_free(clientssl3);
2363 SSL_SESSION_free(sess1);
2364 SSL_SESSION_free(sess2);
2370 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2372 static int test_session_with_only_int_cache(void)
2374 #ifndef OSSL_NO_USABLE_TLS1_3
2375 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
2379 #ifndef OPENSSL_NO_TLS1_2
2380 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
2386 static int test_session_with_only_ext_cache(void)
2388 #ifndef OSSL_NO_USABLE_TLS1_3
2389 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
2393 #ifndef OPENSSL_NO_TLS1_2
2394 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
2400 static int test_session_with_both_cache(void)
2402 #ifndef OSSL_NO_USABLE_TLS1_3
2403 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2407 #ifndef OPENSSL_NO_TLS1_2
2408 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2414 static int test_session_wo_ca_names(void)
2416 #ifndef OSSL_NO_USABLE_TLS1_3
2417 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
2421 #ifndef OPENSSL_NO_TLS1_2
2422 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
2428 #ifndef OSSL_NO_USABLE_TLS1_3
2429 static SSL_SESSION *sesscache[6];
2430 static int do_cache;
2432 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2435 sesscache[new_called] = sess;
2437 /* We don't need the reference to the session, so free it */
2438 SSL_SESSION_free(sess);
2445 static int post_handshake_verify(SSL *sssl, SSL *cssl)
2447 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2448 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2451 /* Start handshake on the server and client */
2452 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2453 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2454 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2455 || !TEST_true(create_ssl_connection(sssl, cssl,
2462 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
2465 int sess_id_ctx = 1;
2467 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2468 TLS_client_method(), TLS1_VERSION, 0,
2469 sctx, cctx, cert, privkey))
2470 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2471 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2472 (void *)&sess_id_ctx,
2473 sizeof(sess_id_ctx))))
2477 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2479 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2480 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2481 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2486 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2488 SSL *serverssl = NULL, *clientssl = NULL;
2491 /* Test that we can resume with all the tickets we got given */
2492 for (i = 0; i < idx * 2; i++) {
2494 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2495 &clientssl, NULL, NULL))
2496 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2499 SSL_set_post_handshake_auth(clientssl, 1);
2501 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2506 * Following a successful resumption we only get 1 ticket. After a
2507 * failed one we should get idx tickets.
2510 if (!TEST_true(SSL_session_reused(clientssl))
2511 || !TEST_int_eq(new_called, 1))
2514 if (!TEST_false(SSL_session_reused(clientssl))
2515 || !TEST_int_eq(new_called, idx))
2520 /* After a post-handshake authentication we should get 1 new ticket */
2522 && (!post_handshake_verify(serverssl, clientssl)
2523 || !TEST_int_eq(new_called, 1)))
2526 SSL_shutdown(clientssl);
2527 SSL_shutdown(serverssl);
2528 SSL_free(serverssl);
2529 SSL_free(clientssl);
2530 serverssl = clientssl = NULL;
2531 SSL_SESSION_free(sesscache[i]);
2532 sesscache[i] = NULL;
2538 SSL_free(clientssl);
2539 SSL_free(serverssl);
2543 static int test_tickets(int stateful, int idx)
2545 SSL_CTX *sctx = NULL, *cctx = NULL;
2546 SSL *serverssl = NULL, *clientssl = NULL;
2550 /* idx is the test number, but also the number of tickets we want */
2555 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2558 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2559 &clientssl, NULL, NULL)))
2562 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2564 /* Check we got the number of tickets we were expecting */
2565 || !TEST_int_eq(idx, new_called))
2568 SSL_shutdown(clientssl);
2569 SSL_shutdown(serverssl);
2570 SSL_free(serverssl);
2571 SSL_free(clientssl);
2574 clientssl = serverssl = NULL;
2578 * Now we try to resume with the tickets we previously created. The
2579 * resumption attempt is expected to fail (because we're now using a new
2580 * SSL_CTX). We should see idx number of tickets issued again.
2583 /* Stop caching sessions - just count them */
2586 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2589 if (!check_resumption(idx, sctx, cctx, 0))
2592 /* Start again with caching sessions */
2599 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2602 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2603 &clientssl, NULL, NULL)))
2606 SSL_set_post_handshake_auth(clientssl, 1);
2608 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2610 /* Check we got the number of tickets we were expecting */
2611 || !TEST_int_eq(idx, new_called))
2614 /* After a post-handshake authentication we should get new tickets issued */
2615 if (!post_handshake_verify(serverssl, clientssl)
2616 || !TEST_int_eq(idx * 2, new_called))
2619 SSL_shutdown(clientssl);
2620 SSL_shutdown(serverssl);
2621 SSL_free(serverssl);
2622 SSL_free(clientssl);
2623 serverssl = clientssl = NULL;
2625 /* Stop caching sessions - just count them */
2629 * Check we can resume with all the tickets we created. This time around the
2630 * resumptions should all be successful.
2632 if (!check_resumption(idx, sctx, cctx, 1))
2638 SSL_free(serverssl);
2639 SSL_free(clientssl);
2640 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2641 SSL_SESSION_free(sesscache[j]);
2642 sesscache[j] = NULL;
2650 static int test_stateless_tickets(int idx)
2652 return test_tickets(0, idx);
2655 static int test_stateful_tickets(int idx)
2657 return test_tickets(1, idx);
2660 static int test_psk_tickets(void)
2662 SSL_CTX *sctx = NULL, *cctx = NULL;
2663 SSL *serverssl = NULL, *clientssl = NULL;
2665 int sess_id_ctx = 1;
2667 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2668 TLS_client_method(), TLS1_VERSION, 0,
2669 &sctx, &cctx, NULL, NULL))
2670 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2671 (void *)&sess_id_ctx,
2672 sizeof(sess_id_ctx))))
2675 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2676 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2677 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2678 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2679 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2680 use_session_cb_cnt = 0;
2681 find_session_cb_cnt = 0;
2685 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2688 clientpsk = serverpsk = create_a_psk(clientssl, SHA384_DIGEST_LENGTH);
2689 if (!TEST_ptr(clientpsk))
2691 SSL_SESSION_up_ref(clientpsk);
2693 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2695 || !TEST_int_eq(1, find_session_cb_cnt)
2696 || !TEST_int_eq(1, use_session_cb_cnt)
2697 /* We should always get 1 ticket when using external PSK */
2698 || !TEST_int_eq(1, new_called))
2704 SSL_free(serverssl);
2705 SSL_free(clientssl);
2708 SSL_SESSION_free(clientpsk);
2709 SSL_SESSION_free(serverpsk);
2710 clientpsk = serverpsk = NULL;
2715 static int test_extra_tickets(int idx)
2717 SSL_CTX *sctx = NULL, *cctx = NULL;
2718 SSL *serverssl = NULL, *clientssl = NULL;
2719 BIO *bretry = BIO_new(bio_s_always_retry());
2724 unsigned char c, buf[1];
2734 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2736 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2737 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2738 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2740 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2741 &clientssl, NULL, NULL)))
2745 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2746 * incremented by both client and server.
2748 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2750 /* Check we got the number of tickets we were expecting */
2751 || !TEST_int_eq(idx * 2, new_called)
2752 || !TEST_true(SSL_new_session_ticket(serverssl))
2753 || !TEST_true(SSL_new_session_ticket(serverssl))
2754 || !TEST_int_eq(idx * 2, new_called))
2757 /* Now try a (real) write to actually send the tickets */
2759 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2760 || !TEST_size_t_eq(1, nbytes)
2761 || !TEST_int_eq(idx * 2 + 2, new_called)
2762 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2763 || !TEST_int_eq(idx * 2 + 4, new_called)
2764 || !TEST_int_eq(sizeof(buf), nbytes)
2765 || !TEST_int_eq(c, buf[0])
2766 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2769 /* Try with only requesting one new ticket, too */
2772 if (!TEST_true(SSL_new_session_ticket(serverssl))
2773 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2774 || !TEST_size_t_eq(sizeof(c), nbytes)
2775 || !TEST_int_eq(1, new_called)
2776 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2777 || !TEST_int_eq(2, new_called)
2778 || !TEST_size_t_eq(sizeof(buf), nbytes)
2779 || !TEST_int_eq(c, buf[0]))
2782 /* Do it again but use dummy writes to drive the ticket generation */
2785 if (!TEST_true(SSL_new_session_ticket(serverssl))
2786 || !TEST_true(SSL_new_session_ticket(serverssl))
2787 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2788 || !TEST_size_t_eq(0, nbytes)
2789 || !TEST_int_eq(2, new_called)
2790 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2791 || !TEST_int_eq(4, new_called))
2794 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2797 if (!TEST_true(SSL_new_session_ticket(serverssl))
2798 || !TEST_true(SSL_new_session_ticket(serverssl))
2799 || !TEST_true(SSL_do_handshake(serverssl))
2800 || !TEST_int_eq(2, new_called)
2801 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2802 || !TEST_int_eq(4, new_called))
2806 * Use the always-retry BIO to exercise the logic that forces ticket
2807 * generation to wait until a record boundary.
2811 tmp = SSL_get_wbio(serverssl);
2812 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2816 SSL_set0_wbio(serverssl, bretry);
2818 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2819 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2820 || !TEST_size_t_eq(nbytes, 0))
2822 /* Restore a BIO that will let the write succeed */
2823 SSL_set0_wbio(serverssl, tmp);
2826 * These calls should just queue the request and not send anything
2827 * even if we explicitly try to hit the state machine.
2829 if (!TEST_true(SSL_new_session_ticket(serverssl))
2830 || !TEST_true(SSL_new_session_ticket(serverssl))
2831 || !TEST_int_eq(0, new_called)
2832 || !TEST_true(SSL_do_handshake(serverssl))
2833 || !TEST_int_eq(0, new_called))
2835 /* Re-do the write; still no tickets sent */
2836 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2837 || !TEST_size_t_eq(1, nbytes)
2838 || !TEST_int_eq(0, new_called)
2839 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2840 || !TEST_int_eq(0, new_called)
2841 || !TEST_int_eq(sizeof(buf), nbytes)
2842 || !TEST_int_eq(c, buf[0])
2843 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2845 /* Even trying to hit the state machine now will still not send tickets */
2846 if (!TEST_true(SSL_do_handshake(serverssl))
2847 || !TEST_int_eq(0, new_called))
2849 /* Now the *next* write should send the tickets */
2851 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2852 || !TEST_size_t_eq(1, nbytes)
2853 || !TEST_int_eq(2, new_called)
2854 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2855 || !TEST_int_eq(4, new_called)
2856 || !TEST_int_eq(sizeof(buf), nbytes)
2857 || !TEST_int_eq(c, buf[0])
2858 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2861 SSL_shutdown(clientssl);
2862 SSL_shutdown(serverssl);
2868 SSL_free(serverssl);
2869 SSL_free(clientssl);
2872 clientssl = serverssl = NULL;
2881 #define USE_DEFAULT 3
2883 #define CONNTYPE_CONNECTION_SUCCESS 0
2884 #define CONNTYPE_CONNECTION_FAIL 1
2885 #define CONNTYPE_NO_CONNECTION 2
2887 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2888 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2889 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2890 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2892 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2895 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2896 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2897 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2899 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2916 * Tests calls to SSL_set_bio() under various conditions.
2918 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2919 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2920 * then do more tests where we create a successful connection first using our
2921 * standard connection setup functions, and then call SSL_set_bio() with
2922 * various combinations of valid BIOs or NULL. We then repeat these tests
2923 * following a failed connection. In this last case we are looking to check that
2924 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2926 static int test_ssl_set_bio(int idx)
2928 SSL_CTX *sctx = NULL, *cctx = NULL;
2931 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2932 SSL *serverssl = NULL, *clientssl = NULL;
2933 int initrbio, initwbio, newrbio, newwbio, conntype;
2936 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2944 conntype = CONNTYPE_NO_CONNECTION;
2946 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2947 initrbio = initwbio = USE_DEFAULT;
2955 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2956 TLS_client_method(), TLS1_VERSION, 0,
2957 &sctx, &cctx, cert, privkey)))
2960 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2962 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2963 * because we reduced the number of tests in the definition of
2964 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2965 * mismatched protocol versions we will force a connection failure.
2967 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2968 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2971 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2975 if (initrbio == USE_BIO_1
2976 || initwbio == USE_BIO_1
2977 || newrbio == USE_BIO_1
2978 || newwbio == USE_BIO_1) {
2979 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2983 if (initrbio == USE_BIO_2
2984 || initwbio == USE_BIO_2
2985 || newrbio == USE_BIO_2
2986 || newwbio == USE_BIO_2) {
2987 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2991 if (initrbio != USE_DEFAULT) {
2992 setupbio(&irbio, bio1, bio2, initrbio);
2993 setupbio(&iwbio, bio1, bio2, initwbio);
2994 SSL_set_bio(clientssl, irbio, iwbio);
2997 * We want to maintain our own refs to these BIO, so do an up ref for
2998 * each BIO that will have ownership transferred in the SSL_set_bio()
3003 if (iwbio != NULL && iwbio != irbio)
3007 if (conntype != CONNTYPE_NO_CONNECTION
3008 && !TEST_true(create_ssl_connection(serverssl, clientssl,
3010 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
3013 setupbio(&nrbio, bio1, bio2, newrbio);
3014 setupbio(&nwbio, bio1, bio2, newwbio);
3017 * We will (maybe) transfer ownership again so do more up refs.
3018 * SSL_set_bio() has some really complicated ownership rules where BIOs have
3023 && (nwbio != iwbio || nrbio != nwbio))
3027 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
3030 SSL_set_bio(clientssl, nrbio, nwbio);
3039 * This test is checking that the ref counting for SSL_set_bio is correct.
3040 * If we get here and we did too many frees then we will fail in the above
3043 SSL_free(serverssl);
3044 SSL_free(clientssl);
3050 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
3052 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
3054 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
3059 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
3060 || !TEST_ptr(ssl = SSL_new(ctx))
3061 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
3062 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
3065 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
3068 * If anything goes wrong here then we could leak memory.
3070 BIO_push(sslbio, membio1);
3072 /* Verify changing the rbio/wbio directly does not cause leaks */
3073 if (change_bio != NO_BIO_CHANGE) {
3074 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
3078 if (change_bio == CHANGE_RBIO)
3079 SSL_set0_rbio(ssl, membio2);
3081 SSL_set0_wbio(ssl, membio2);
3100 static int test_ssl_bio_pop_next_bio(void)
3102 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
3105 static int test_ssl_bio_pop_ssl_bio(void)
3107 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
3110 static int test_ssl_bio_change_rbio(void)
3112 return execute_test_ssl_bio(0, CHANGE_RBIO);
3115 static int test_ssl_bio_change_wbio(void)
3117 return execute_test_ssl_bio(0, CHANGE_WBIO);
3120 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
3122 /* The list of sig algs */
3124 /* The length of the list */
3126 /* A sigalgs list in string format */
3127 const char *liststr;
3128 /* Whether setting the list should succeed */
3130 /* Whether creating a connection with the list should succeed */
3134 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
3135 # ifndef OPENSSL_NO_EC
3136 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
3137 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
3139 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
3140 static const int invalidlist2[] = {NID_sha256, NID_undef};
3141 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
3142 static const int invalidlist4[] = {NID_sha256};
3143 static const sigalgs_list testsigalgs[] = {
3144 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
3145 # ifndef OPENSSL_NO_EC
3146 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
3147 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
3149 {NULL, 0, "RSA+SHA256", 1, 1},
3150 {NULL, 0, "RSA+SHA256:?Invalid", 1, 1},
3151 # ifndef OPENSSL_NO_EC
3152 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
3153 {NULL, 0, "ECDSA+SHA512", 1, 0},
3155 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
3156 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
3157 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
3158 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
3159 {NULL, 0, "RSA", 0, 0},
3160 {NULL, 0, "SHA256", 0, 0},
3161 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
3162 {NULL, 0, "Invalid", 0, 0}
3165 static int test_set_sigalgs(int idx)
3167 SSL_CTX *cctx = NULL, *sctx = NULL;
3168 SSL *clientssl = NULL, *serverssl = NULL;
3170 const sigalgs_list *curr;
3173 /* Should never happen */
3174 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
3177 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
3178 curr = testctx ? &testsigalgs[idx]
3179 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
3181 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3182 TLS_client_method(), TLS1_VERSION, 0,
3183 &sctx, &cctx, cert, privkey)))
3186 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
3191 if (curr->list != NULL)
3192 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
3194 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
3198 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
3204 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
3209 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3210 &clientssl, NULL, NULL)))
3216 if (curr->list != NULL)
3217 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
3219 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
3222 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
3231 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
3239 SSL_free(serverssl);
3240 SSL_free(clientssl);
3248 #ifndef OSSL_NO_USABLE_TLS1_3
3249 static int psk_client_cb_cnt = 0;
3250 static int psk_server_cb_cnt = 0;
3252 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3253 size_t *idlen, SSL_SESSION **sess)
3255 switch (++use_session_cb_cnt) {
3257 /* The first call should always have a NULL md */
3263 /* The second call should always have an md */
3269 /* We should only be called a maximum of twice */
3273 if (clientpsk != NULL)
3274 SSL_SESSION_up_ref(clientpsk);
3277 *id = (const unsigned char *)pskid;
3278 *idlen = strlen(pskid);
3283 #ifndef OPENSSL_NO_PSK
3284 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3285 unsigned int max_id_len,
3287 unsigned int max_psk_len)
3289 unsigned int psklen = 0;
3291 psk_client_cb_cnt++;
3293 if (strlen(pskid) + 1 > max_id_len)
3296 /* We should only ever be called a maximum of twice per connection */
3297 if (psk_client_cb_cnt > 2)
3300 if (clientpsk == NULL)
3303 /* We'll reuse the PSK we set up for TLSv1.3 */
3304 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3306 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3307 strncpy(id, pskid, max_id_len);
3311 #endif /* OPENSSL_NO_PSK */
3313 static int find_session_cb(SSL *ssl, const unsigned char *identity,
3314 size_t identity_len, SSL_SESSION **sess)
3316 find_session_cb_cnt++;
3318 /* We should only ever be called a maximum of twice per connection */
3319 if (find_session_cb_cnt > 2)
3322 if (serverpsk == NULL)
3325 /* Identity should match that set by the client */
3326 if (strlen(srvid) != identity_len
3327 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3328 /* No PSK found, continue but without a PSK */
3333 SSL_SESSION_up_ref(serverpsk);
3339 #ifndef OPENSSL_NO_PSK
3340 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3341 unsigned char *psk, unsigned int max_psk_len)
3343 unsigned int psklen = 0;
3345 psk_server_cb_cnt++;
3347 /* We should only ever be called a maximum of twice per connection */
3348 if (find_session_cb_cnt > 2)
3351 if (serverpsk == NULL)
3354 /* Identity should match that set by the client */
3355 if (strcmp(srvid, identity) != 0) {
3359 /* We'll reuse the PSK we set up for TLSv1.3 */
3360 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3362 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3366 #endif /* OPENSSL_NO_PSK */
3368 #define MSG1 "Hello"
3369 #define MSG2 "World."
3374 #define MSG7 "message."
3376 static int artificial_ticket_time = 0;
3378 static int sub_session_time(SSL_SESSION *sess)
3380 OSSL_TIME tick_time;
3382 tick_time = ossl_time_from_time_t(SSL_SESSION_get_time_ex(sess));
3383 tick_time = ossl_time_subtract(tick_time, ossl_seconds2time(10));
3385 return SSL_SESSION_set_time_ex(sess, ossl_time_to_time_t(tick_time)) != 0;
3388 static int ed_gen_cb(SSL *s, void *arg)
3390 SSL_SESSION *sess = SSL_get0_session(s);
3396 * Artificially give the ticket some age. Just do it for the number of
3397 * tickets we've been told to do.
3399 if (artificial_ticket_time == 0)
3401 artificial_ticket_time--;
3403 return sub_session_time(sess);
3407 * Helper method to setup objects for early data test. Caller frees objects on
3410 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3411 SSL **serverssl, SSL_SESSION **sess, int idx,
3414 int artificial = (artificial_ticket_time > 0);
3417 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3418 TLS_client_method(),
3420 sctx, cctx, cert, privkey)))
3424 SSL_CTX_set_session_ticket_cb(*sctx, ed_gen_cb, NULL, NULL);
3426 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
3430 /* When idx == 1 we repeat the tests with read_ahead set */
3431 SSL_CTX_set_read_ahead(*cctx, 1);
3432 SSL_CTX_set_read_ahead(*sctx, 1);
3433 } else if (idx == 2) {
3434 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3435 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3436 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3437 use_session_cb_cnt = 0;
3438 find_session_cb_cnt = 0;
3442 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
3447 * For one of the run throughs (doesn't matter which one), we'll try sending
3448 * some SNI data in the initial ClientHello. This will be ignored (because
3449 * there is no SNI cb set up by the server), so it should not impact
3453 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3457 clientpsk = create_a_psk(*clientssl, mdsize);
3458 if (!TEST_ptr(clientpsk)
3460 * We just choose an arbitrary value for max_early_data which
3461 * should be big enough for testing purposes.
3463 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3465 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3466 SSL_SESSION_free(clientpsk);
3470 serverpsk = clientpsk;
3473 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3474 SSL_SESSION_free(clientpsk);
3475 SSL_SESSION_free(serverpsk);
3476 clientpsk = serverpsk = NULL;
3487 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3491 *sess = SSL_get1_session(*clientssl);
3492 SSL_shutdown(*clientssl);
3493 SSL_shutdown(*serverssl);
3494 SSL_free(*serverssl);
3495 SSL_free(*clientssl);
3496 *serverssl = *clientssl = NULL;
3499 * Artificially give the ticket some age to match the artificial age we
3500 * gave it on the server side
3503 && !TEST_true(sub_session_time(*sess)))
3506 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3507 clientssl, NULL, NULL))
3508 || !TEST_true(SSL_set_session(*clientssl, *sess)))
3514 static int check_early_data_timeout(OSSL_TIME timer)
3519 * Early data is time sensitive. We have an approx 8 second allowance
3520 * between writing the early data and reading it. If we exceed that time
3521 * then this test will fail. This can sometimes (rarely) occur in normal CI
3522 * operation. We can try and detect this and just ignore the result of this
3523 * test if it has taken too long. We assume anything over 7 seconds is too
3526 timer = ossl_time_subtract(ossl_time_now(), timer);
3527 if (ossl_time_compare(timer, ossl_seconds2time(7)) >= 0)
3528 res = TEST_skip("Test took too long, ignoring result");
3533 static int test_early_data_read_write(int idx)
3535 SSL_CTX *cctx = NULL, *sctx = NULL;
3536 SSL *clientssl = NULL, *serverssl = NULL;
3538 SSL_SESSION *sess = NULL;
3539 unsigned char buf[20], data[1024];
3540 size_t readbytes, written, eoedlen, rawread, rawwritten;
3544 /* Artificially give the next 2 tickets some age for non PSK sessions */
3546 artificial_ticket_time = 2;
3547 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3548 &serverssl, &sess, idx,
3549 SHA384_DIGEST_LENGTH))) {
3550 artificial_ticket_time = 0;
3553 artificial_ticket_time = 0;
3555 /* Write and read some early data */
3556 timer = ossl_time_now();
3557 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3559 || !TEST_size_t_eq(written, strlen(MSG1)))
3562 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3564 SSL_READ_EARLY_DATA_SUCCESS)) {
3565 testresult = check_early_data_timeout(timer);
3569 if (!TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3570 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3571 SSL_EARLY_DATA_ACCEPTED))
3575 * Server should be able to write data, and client should be able to
3578 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3580 || !TEST_size_t_eq(written, strlen(MSG2))
3581 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3582 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3585 /* Even after reading normal data, client should be able write early data */
3586 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3588 || !TEST_size_t_eq(written, strlen(MSG3)))
3591 /* Server should still be able read early data after writing data */
3592 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3594 SSL_READ_EARLY_DATA_SUCCESS)
3595 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3598 /* Write more data from server and read it from client */
3599 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3601 || !TEST_size_t_eq(written, strlen(MSG4))
3602 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3603 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3607 * If client writes normal data it should mean writing early data is no
3610 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3611 || !TEST_size_t_eq(written, strlen(MSG5))
3612 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3613 SSL_EARLY_DATA_ACCEPTED))
3617 * At this point the client has written EndOfEarlyData, ClientFinished and
3618 * normal (fully protected) data. We are going to cause a delay between the
3619 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3620 * in the read BIO, and then just put back the EndOfEarlyData message.
3622 rbio = SSL_get_rbio(serverssl);
3623 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3624 || !TEST_size_t_lt(rawread, sizeof(data))
3625 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3628 /* Record length is in the 4th and 5th bytes of the record header */
3629 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3630 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3631 || !TEST_size_t_eq(rawwritten, eoedlen))
3634 /* Server should be told that there is no more early data */
3635 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3637 SSL_READ_EARLY_DATA_FINISH)
3638 || !TEST_size_t_eq(readbytes, 0))
3642 * Server has not finished init yet, so should still be able to write early
3645 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3647 || !TEST_size_t_eq(written, strlen(MSG6)))
3650 /* Push the ClientFinished and the normal data back into the server rbio */
3651 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3653 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3656 /* Server should be able to read normal data */
3657 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3658 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3661 /* Client and server should not be able to write/read early data now */
3662 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3666 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3668 SSL_READ_EARLY_DATA_ERROR))
3672 /* Client should be able to read the data sent by the server */
3673 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3674 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3678 * Make sure we process the two NewSessionTickets. These arrive
3679 * post-handshake. We attempt reads which we do not expect to return any
3682 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3683 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3687 /* Server should be able to write normal data */
3688 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3689 || !TEST_size_t_eq(written, strlen(MSG7))
3690 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3691 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3694 SSL_SESSION_free(sess);
3695 sess = SSL_get1_session(clientssl);
3696 use_session_cb_cnt = 0;
3697 find_session_cb_cnt = 0;
3699 SSL_shutdown(clientssl);
3700 SSL_shutdown(serverssl);
3701 SSL_free(serverssl);
3702 SSL_free(clientssl);
3703 serverssl = clientssl = NULL;
3704 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3705 &clientssl, NULL, NULL))
3706 || !TEST_true(SSL_set_session(clientssl, sess)))
3709 /* Write and read some early data */
3710 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3712 || !TEST_size_t_eq(written, strlen(MSG1))
3713 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3715 SSL_READ_EARLY_DATA_SUCCESS)
3716 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3719 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3720 || !TEST_int_gt(SSL_accept(serverssl), 0))
3723 /* Client and server should not be able to write/read early data now */
3724 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3728 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3730 SSL_READ_EARLY_DATA_ERROR))
3734 /* Client and server should be able to write/read normal data */
3735 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3736 || !TEST_size_t_eq(written, strlen(MSG5))
3737 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3738 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3744 SSL_SESSION_free(sess);
3745 SSL_SESSION_free(clientpsk);
3746 SSL_SESSION_free(serverpsk);
3747 clientpsk = serverpsk = NULL;
3748 SSL_free(serverssl);
3749 SSL_free(clientssl);
3755 static int allow_ed_cb_called = 0;
3757 static int allow_early_data_cb(SSL *s, void *arg)
3759 int *usecb = (int *)arg;
3761 allow_ed_cb_called++;
3770 * idx == 0: Standard early_data setup
3771 * idx == 1: early_data setup using read_ahead
3772 * usecb == 0: Don't use a custom early data callback
3773 * usecb == 1: Use a custom early data callback and reject the early data
3774 * usecb == 2: Use a custom early data callback and accept the early data
3775 * confopt == 0: Configure anti-replay directly
3776 * confopt == 1: Configure anti-replay using SSL_CONF
3778 static int test_early_data_replay_int(int idx, int usecb, int confopt)
3780 SSL_CTX *cctx = NULL, *sctx = NULL;
3781 SSL *clientssl = NULL, *serverssl = NULL;
3783 SSL_SESSION *sess = NULL;
3784 size_t readbytes, written;
3785 unsigned char buf[20];
3788 allow_ed_cb_called = 0;
3790 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3791 TLS_client_method(), TLS1_VERSION, 0,
3792 &sctx, &cctx, cert, privkey)))
3797 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3799 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3801 if (!TEST_ptr(confctx))
3803 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3804 | SSL_CONF_FLAG_SERVER);
3805 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3806 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3808 SSL_CONF_CTX_free(confctx);
3811 SSL_CONF_CTX_free(confctx);
3813 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3816 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3817 &serverssl, &sess, idx,
3818 SHA384_DIGEST_LENGTH)))
3822 * The server is configured to accept early data. Create a connection to
3823 * "use up" the ticket
3825 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3826 || !TEST_true(SSL_session_reused(clientssl)))
3829 SSL_shutdown(clientssl);
3830 SSL_shutdown(serverssl);
3831 SSL_free(serverssl);
3832 SSL_free(clientssl);
3833 serverssl = clientssl = NULL;
3835 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3836 &clientssl, NULL, NULL))
3837 || !TEST_true(SSL_set_session(clientssl, sess)))
3840 /* Write and read some early data */
3841 timer = ossl_time_now();
3842 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3844 || !TEST_size_t_eq(written, strlen(MSG1)))
3848 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3850 SSL_READ_EARLY_DATA_FINISH)
3852 * The ticket was reused, so the we should have rejected the
3855 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3856 SSL_EARLY_DATA_REJECTED))
3859 /* In this case the callback decides to accept the early data */
3860 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3862 SSL_READ_EARLY_DATA_SUCCESS)) {
3863 testresult = check_early_data_timeout(timer);
3866 if (!TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3868 * Server will have sent its flight so client can now send
3869 * end of early data and complete its half of the handshake
3871 || !TEST_int_gt(SSL_connect(clientssl), 0)
3872 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3874 SSL_READ_EARLY_DATA_FINISH)
3875 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3876 SSL_EARLY_DATA_ACCEPTED))
3880 /* Complete the connection */
3881 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3882 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3883 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3889 SSL_SESSION_free(sess);
3890 SSL_SESSION_free(clientpsk);
3891 SSL_SESSION_free(serverpsk);
3892 clientpsk = serverpsk = NULL;
3893 SSL_free(serverssl);
3894 SSL_free(clientssl);
3900 static int test_early_data_replay(int idx)
3902 int ret = 1, usecb, confopt;
3904 for (usecb = 0; usecb < 3; usecb++) {
3905 for (confopt = 0; confopt < 2; confopt++)
3906 ret &= test_early_data_replay_int(idx, usecb, confopt);
3912 static const char *ciphersuites[] = {
3913 "TLS_AES_128_CCM_8_SHA256",
3914 "TLS_AES_128_GCM_SHA256",
3915 "TLS_AES_256_GCM_SHA384",
3916 "TLS_AES_128_CCM_SHA256",
3917 #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3918 "TLS_CHACHA20_POLY1305_SHA256",
3922 #if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS)
3923 "TLS_SHA256_SHA256",
3929 * Helper function to test that a server attempting to read early data can
3930 * handle a connection from a client where the early data should be skipped.
3931 * testtype: 0 == No HRR
3932 * testtype: 1 == HRR
3933 * testtype: 2 == HRR, invalid early_data sent after HRR
3934 * testtype: 3 == recv_max_early_data set to 0
3936 static int early_data_skip_helper(int testtype, int cipher, int idx)
3938 SSL_CTX *cctx = NULL, *sctx = NULL;
3939 SSL *clientssl = NULL, *serverssl = NULL;
3941 SSL_SESSION *sess = NULL;
3942 unsigned char buf[20];
3943 size_t readbytes, written;
3945 if (is_fips && cipher >= 4)
3948 if (ciphersuites[cipher] == NULL)
3949 return TEST_skip("Cipher not supported");
3951 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3952 TLS_client_method(),
3954 &sctx, &cctx, cert, privkey)))
3957 if (cipher == 0 || cipher == 5 || cipher == 6) {
3958 SSL_CTX_set_security_level(sctx, 0);
3959 SSL_CTX_set_security_level(cctx, 0);
3962 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, ciphersuites[cipher]))
3963 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, ciphersuites[cipher])))
3966 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3967 &serverssl, &sess, idx,
3968 (cipher == 2 || cipher == 6)
3969 ? SHA384_DIGEST_LENGTH
3970 : SHA256_DIGEST_LENGTH)))
3973 if (testtype == 1 || testtype == 2) {
3974 /* Force an HRR to occur */
3975 #if defined(OPENSSL_NO_EC)
3976 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3979 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
3982 } else if (idx == 2) {
3984 * We force early_data rejection by ensuring the PSK identity is
3987 srvid = "Dummy Identity";
3990 * Deliberately corrupt the creation time. We take 20 seconds off the
3991 * time. It could be any value as long as it is not within tolerance.
3992 * This should mean the ticket is rejected.
3994 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3999 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
4002 /* Write some early data */
4003 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4005 || !TEST_size_t_eq(written, strlen(MSG1)))
4008 /* Server should reject the early data */
4009 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4011 SSL_READ_EARLY_DATA_FINISH)
4012 || !TEST_size_t_eq(readbytes, 0)
4013 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4014 SSL_EARLY_DATA_REJECTED))
4024 * Finish off the handshake. We perform the same writes and reads as
4025 * further down but we expect them to fail due to the incomplete
4028 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4029 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
4036 BIO *wbio = SSL_get_wbio(clientssl);
4037 /* A record that will appear as bad early_data */
4038 const unsigned char bad_early_data[] = {
4039 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
4043 * We force the client to attempt a write. This will fail because
4044 * we're still in the handshake. It will cause the second
4045 * ClientHello to be sent.
4047 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
4052 * Inject some early_data after the second ClientHello. This should
4053 * cause the server to fail
4055 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
4056 sizeof(bad_early_data), &written)))
4063 * This client has sent more early_data than we are willing to skip
4064 * (case 3) or sent invalid early_data (case 2) so the connection should
4067 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4068 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
4071 /* Connection has failed - nothing more to do */
4076 TEST_error("Invalid test type");
4082 * Should be able to send normal data despite rejection of early data. The
4083 * early_data should be skipped.
4085 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4086 || !TEST_size_t_eq(written, strlen(MSG2))
4087 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4088 SSL_EARLY_DATA_REJECTED)
4089 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4090 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4094 * Failure to decrypt early data records should not leave spurious errors
4095 * on the error stack
4097 if (!TEST_long_eq(ERR_peek_error(), 0))
4103 SSL_SESSION_free(clientpsk);
4104 SSL_SESSION_free(serverpsk);
4105 clientpsk = serverpsk = NULL;
4106 SSL_SESSION_free(sess);
4107 SSL_free(serverssl);
4108 SSL_free(clientssl);
4115 * Test that a server attempting to read early data can handle a connection
4116 * from a client where the early data is not acceptable.
4118 static int test_early_data_skip(int idx)
4120 return early_data_skip_helper(0,
4121 idx % OSSL_NELEM(ciphersuites),
4122 idx / OSSL_NELEM(ciphersuites));
4126 * Test that a server attempting to read early data can handle a connection
4127 * from a client where an HRR occurs.
4129 static int test_early_data_skip_hrr(int idx)
4131 return early_data_skip_helper(1,
4132 idx % OSSL_NELEM(ciphersuites),
4133 idx / OSSL_NELEM(ciphersuites));
4137 * Test that a server attempting to read early data can handle a connection
4138 * from a client where an HRR occurs and correctly fails if early_data is sent
4141 static int test_early_data_skip_hrr_fail(int idx)
4143 return early_data_skip_helper(2,
4144 idx % OSSL_NELEM(ciphersuites),
4145 idx / OSSL_NELEM(ciphersuites));
4149 * Test that a server attempting to read early data will abort if it tries to
4150 * skip over too much.
4152 static int test_early_data_skip_abort(int idx)
4154 return early_data_skip_helper(3,
4155 idx % OSSL_NELEM(ciphersuites),
4156 idx / OSSL_NELEM(ciphersuites));
4160 * Test that a server attempting to read early data can handle a connection
4161 * from a client that doesn't send any.
4163 static int test_early_data_not_sent(int idx)
4165 SSL_CTX *cctx = NULL, *sctx = NULL;
4166 SSL *clientssl = NULL, *serverssl = NULL;
4168 SSL_SESSION *sess = NULL;
4169 unsigned char buf[20];
4170 size_t readbytes, written;
4172 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4173 &serverssl, &sess, idx,
4174 SHA384_DIGEST_LENGTH)))
4177 /* Write some data - should block due to handshake with server */
4178 SSL_set_connect_state(clientssl);
4179 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4182 /* Server should detect that early data has not been sent */
4183 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4185 SSL_READ_EARLY_DATA_FINISH)
4186 || !TEST_size_t_eq(readbytes, 0)
4187 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4188 SSL_EARLY_DATA_NOT_SENT)
4189 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4190 SSL_EARLY_DATA_NOT_SENT))
4193 /* Continue writing the message we started earlier */
4194 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4195 || !TEST_size_t_eq(written, strlen(MSG1))
4196 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4197 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4198 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
4199 || !TEST_size_t_eq(written, strlen(MSG2)))
4202 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4203 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4209 SSL_SESSION_free(sess);
4210 SSL_SESSION_free(clientpsk);
4211 SSL_SESSION_free(serverpsk);
4212 clientpsk = serverpsk = NULL;
4213 SSL_free(serverssl);
4214 SSL_free(clientssl);
4220 static const char *servalpn;
4222 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
4223 unsigned char *outlen, const unsigned char *in,
4224 unsigned int inlen, void *arg)
4226 unsigned int protlen = 0;
4227 const unsigned char *prot;
4229 for (prot = in; prot < in + inlen; prot += protlen) {
4231 if (in + inlen < prot + protlen)
4232 return SSL_TLSEXT_ERR_NOACK;
4234 if (protlen == strlen(servalpn)
4235 && memcmp(prot, servalpn, protlen) == 0) {
4238 return SSL_TLSEXT_ERR_OK;
4242 return SSL_TLSEXT_ERR_NOACK;
4245 /* Test that a PSK can be used to send early_data */
4246 static int test_early_data_psk(int idx)
4248 SSL_CTX *cctx = NULL, *sctx = NULL;
4249 SSL *clientssl = NULL, *serverssl = NULL;
4251 SSL_SESSION *sess = NULL;
4252 unsigned char alpnlist[] = {
4253 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
4256 #define GOODALPNLEN 9
4257 #define BADALPNLEN 8
4258 #define GOODALPN (alpnlist)
4259 #define BADALPN (alpnlist + GOODALPNLEN)
4261 unsigned char buf[20];
4262 size_t readbytes, written;
4263 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
4264 int edstatus = SSL_EARLY_DATA_ACCEPTED;
4266 /* We always set this up with a final parameter of "2" for PSK */
4267 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4268 &serverssl, &sess, 2,
4269 SHA384_DIGEST_LENGTH)))
4272 servalpn = "goodalpn";
4275 * Note: There is no test for inconsistent SNI with late client detection.
4276 * This is because servers do not acknowledge SNI even if they are using
4277 * it in a resumption handshake - so it is not actually possible for a
4278 * client to detect a problem.
4282 /* Set inconsistent SNI (early client detection) */
4283 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
4284 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4285 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
4290 /* Set inconsistent ALPN (early client detection) */
4291 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
4292 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
4293 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
4295 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
4302 * Set invalid protocol version. Technically this affects PSKs without
4303 * early_data too, but we test it here because it is similar to the
4304 * SNI/ALPN consistency tests.
4306 err = SSL_R_BAD_PSK;
4307 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
4313 * Set inconsistent SNI (server side). In this case the connection
4314 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
4315 * is associated with each handshake - not the session. Therefore it
4316 * should not matter that we used a different server name last time.
4318 SSL_SESSION_free(serverpsk);
4319 serverpsk = SSL_SESSION_dup(clientpsk);
4320 if (!TEST_ptr(serverpsk)
4321 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
4325 /* Set consistent SNI */
4326 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4327 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
4328 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
4335 * Set inconsistent ALPN (server detected). In this case the connection
4336 * will succeed but reject early_data.
4338 servalpn = "badalpn";
4339 edstatus = SSL_EARLY_DATA_REJECTED;
4340 readearlyres = SSL_READ_EARLY_DATA_FINISH;
4344 * Set consistent ALPN.
4345 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4346 * accepts a list of protos (each one length prefixed).
4347 * SSL_set1_alpn_selected accepts a single protocol (not length
4350 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4352 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4356 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4360 /* Set inconsistent ALPN (late client detection) */
4361 SSL_SESSION_free(serverpsk);
4362 serverpsk = SSL_SESSION_dup(clientpsk);
4363 if (!TEST_ptr(serverpsk)
4364 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4367 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4370 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4373 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4374 edstatus = SSL_EARLY_DATA_ACCEPTED;
4375 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4376 /* SSL_connect() call should fail */
4381 TEST_error("Bad test index");
4385 SSL_set_connect_state(clientssl);
4387 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4389 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4390 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4393 OSSL_TIME timer = ossl_time_now();
4395 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4399 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4400 &readbytes), readearlyres)) {
4401 testresult = check_early_data_timeout(timer);
4405 if ((readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4406 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
4407 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4408 || !TEST_int_eq(SSL_connect(clientssl), connectres))
4415 SSL_SESSION_free(sess);
4416 SSL_SESSION_free(clientpsk);
4417 SSL_SESSION_free(serverpsk);
4418 clientpsk = serverpsk = NULL;
4419 SSL_free(serverssl);
4420 SSL_free(clientssl);
4427 * Test TLSv1.3 PSK can be used to send early_data with all 7 ciphersuites
4428 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4429 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4430 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4431 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4432 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4433 * idx == 5: Test with TLS1_3_RFC_SHA256_SHA256
4434 * idx == 6: Test with TLS1_3_RFC_SHA384_SHA384
4436 static int test_early_data_psk_with_all_ciphers(int idx)
4438 SSL_CTX *cctx = NULL, *sctx = NULL;
4439 SSL *clientssl = NULL, *serverssl = NULL;
4441 SSL_SESSION *sess = NULL;
4442 unsigned char buf[20];
4443 size_t readbytes, written;
4444 const SSL_CIPHER *cipher;
4446 const char *cipher_str[] = {
4447 TLS1_3_RFC_AES_128_GCM_SHA256,
4448 TLS1_3_RFC_AES_256_GCM_SHA384,
4449 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4450 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4454 TLS1_3_RFC_AES_128_CCM_SHA256,
4455 TLS1_3_RFC_AES_128_CCM_8_SHA256,
4456 # if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS)
4457 TLS1_3_RFC_SHA256_SHA256,
4458 TLS1_3_RFC_SHA384_SHA384
4464 const unsigned char *cipher_bytes[] = {
4465 TLS13_AES_128_GCM_SHA256_BYTES,
4466 TLS13_AES_256_GCM_SHA384_BYTES,
4467 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4468 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4472 TLS13_AES_128_CCM_SHA256_BYTES,
4473 TLS13_AES_128_CCM_8_SHA256_BYTES,
4474 # if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS)
4475 TLS13_SHA256_SHA256_BYTES,
4476 TLS13_SHA384_SHA384_BYTES
4483 if (cipher_str[idx] == NULL)
4486 * Skip ChaCha20Poly1305 and TLS_SHA{256,384}_SHA{256,384} ciphers
4487 * as currently FIPS module does not support them.
4489 if ((idx == 2 || idx == 5 || idx == 6) && is_fips == 1)
4492 /* We always set this up with a final parameter of "2" for PSK */
4493 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4494 &serverssl, &sess, 2,
4495 SHA384_DIGEST_LENGTH)))
4498 if (idx == 4 || idx == 5 || idx == 6) {
4500 * CCM8 ciphers are considered low security due to their short tag.
4501 * Integrity-only cipher do not provide any confidentiality.
4503 SSL_set_security_level(clientssl, 0);
4504 SSL_set_security_level(serverssl, 0);
4507 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4508 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4512 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4513 * and assigns to both client and server with incremented reference
4514 * and the same instance is updated in 'sess'.
4515 * So updating ciphersuite in 'sess' which will get reflected in
4516 * PSK handshake using psk use sess and find sess cb.
4518 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4519 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4522 SSL_set_connect_state(clientssl);
4523 timer = ossl_time_now();
4524 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4528 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4530 SSL_READ_EARLY_DATA_SUCCESS)) {
4531 testresult = check_early_data_timeout(timer);
4535 if (!TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4536 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4537 SSL_EARLY_DATA_ACCEPTED)
4538 || !TEST_int_eq(SSL_connect(clientssl), 1)
4539 || !TEST_int_eq(SSL_accept(serverssl), 1))
4542 /* Send some normal data from client to server */
4543 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4544 || !TEST_size_t_eq(written, strlen(MSG2)))
4547 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4548 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4553 SSL_SESSION_free(sess);
4554 SSL_SESSION_free(clientpsk);
4555 SSL_SESSION_free(serverpsk);
4556 clientpsk = serverpsk = NULL;
4557 if (clientssl != NULL)
4558 SSL_shutdown(clientssl);
4559 if (serverssl != NULL)
4560 SSL_shutdown(serverssl);
4561 SSL_free(serverssl);
4562 SSL_free(clientssl);
4569 * Test that a server that doesn't try to read early data can handle a
4570 * client sending some.
4572 static int test_early_data_not_expected(int idx)
4574 SSL_CTX *cctx = NULL, *sctx = NULL;
4575 SSL *clientssl = NULL, *serverssl = NULL;
4577 SSL_SESSION *sess = NULL;
4578 unsigned char buf[20];
4579 size_t readbytes, written;
4581 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4582 &serverssl, &sess, idx,
4583 SHA384_DIGEST_LENGTH)))
4586 /* Write some early data */
4587 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4592 * Server should skip over early data and then block waiting for client to
4593 * continue handshake
4595 if (!TEST_int_le(SSL_accept(serverssl), 0)
4596 || !TEST_int_gt(SSL_connect(clientssl), 0)
4597 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4598 SSL_EARLY_DATA_REJECTED)
4599 || !TEST_int_gt(SSL_accept(serverssl), 0)
4600 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4601 SSL_EARLY_DATA_REJECTED))
4604 /* Send some normal data from client to server */
4605 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4606 || !TEST_size_t_eq(written, strlen(MSG2)))
4609 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4610 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4616 SSL_SESSION_free(sess);
4617 SSL_SESSION_free(clientpsk);
4618 SSL_SESSION_free(serverpsk);
4619 clientpsk = serverpsk = NULL;
4620 SSL_free(serverssl);
4621 SSL_free(clientssl);
4628 # ifndef OPENSSL_NO_TLS1_2
4630 * Test that a server attempting to read early data can handle a connection
4631 * from a TLSv1.2 client.
4633 static int test_early_data_tls1_2(int idx)
4635 SSL_CTX *cctx = NULL, *sctx = NULL;
4636 SSL *clientssl = NULL, *serverssl = NULL;
4638 unsigned char buf[20];
4639 size_t readbytes, written;
4641 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4642 &serverssl, NULL, idx,
4643 SHA384_DIGEST_LENGTH)))
4646 /* Write some data - should block due to handshake with server */
4647 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4648 SSL_set_connect_state(clientssl);
4649 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4653 * Server should do TLSv1.2 handshake. First it will block waiting for more
4654 * messages from client after ServerDone. Then SSL_read_early_data should
4655 * finish and detect that early data has not been sent
4657 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4659 SSL_READ_EARLY_DATA_ERROR))
4663 * Continue writing the message we started earlier. Will still block waiting
4664 * for the CCS/Finished from server
4666 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4667 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4669 SSL_READ_EARLY_DATA_FINISH)
4670 || !TEST_size_t_eq(readbytes, 0)
4671 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4672 SSL_EARLY_DATA_NOT_SENT))
4675 /* Continue writing the message we started earlier */
4676 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4677 || !TEST_size_t_eq(written, strlen(MSG1))
4678 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4679 SSL_EARLY_DATA_NOT_SENT)
4680 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4681 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4682 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4683 || !TEST_size_t_eq(written, strlen(MSG2))
4684 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4685 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4691 SSL_SESSION_free(clientpsk);
4692 SSL_SESSION_free(serverpsk);
4693 clientpsk = serverpsk = NULL;
4694 SSL_free(serverssl);
4695 SSL_free(clientssl);
4701 # endif /* OPENSSL_NO_TLS1_2 */
4704 * Test configuring the TLSv1.3 ciphersuites
4706 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4707 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4708 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4709 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4710 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4711 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4712 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4713 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4714 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4715 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4717 static int test_set_ciphersuite(int idx)
4719 SSL_CTX *cctx = NULL, *sctx = NULL;
4720 SSL *clientssl = NULL, *serverssl = NULL;
4723 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4724 TLS_client_method(), TLS1_VERSION, 0,
4725 &sctx, &cctx, cert, privkey))
4726 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4727 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4730 if (idx >=4 && idx <= 7) {
4731 /* SSL_CTX explicit cipher list */
4732 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4736 if (idx == 0 || idx == 4) {
4737 /* Default ciphersuite */
4738 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4739 "TLS_AES_128_GCM_SHA256")))
4741 } else if (idx == 1 || idx == 5) {
4742 /* Non default ciphersuite */
4743 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4744 "TLS_AES_128_CCM_SHA256")))
4748 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4749 &clientssl, NULL, NULL)))
4752 if (idx == 8 || idx == 9) {
4753 /* SSL explicit cipher list */
4754 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4758 if (idx == 2 || idx == 6 || idx == 8) {
4759 /* Default ciphersuite */
4760 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4761 "TLS_AES_128_GCM_SHA256")))
4763 } else if (idx == 3 || idx == 7 || idx == 9) {
4764 /* Non default ciphersuite */
4765 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4766 "TLS_AES_128_CCM_SHA256")))
4770 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4776 SSL_free(serverssl);
4777 SSL_free(clientssl);
4784 static int test_ciphersuite_change(void)
4786 SSL_CTX *cctx = NULL, *sctx = NULL;
4787 SSL *clientssl = NULL, *serverssl = NULL;
4788 SSL_SESSION *clntsess = NULL;
4790 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4792 /* Create a session based on SHA-256 */
4793 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4794 TLS_client_method(), TLS1_VERSION, 0,
4795 &sctx, &cctx, cert, privkey))
4796 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4797 "TLS_AES_128_GCM_SHA256:"
4798 "TLS_AES_256_GCM_SHA384:"
4799 "TLS_AES_128_CCM_SHA256"))
4800 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4801 "TLS_AES_128_GCM_SHA256")))
4804 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4806 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4810 clntsess = SSL_get1_session(clientssl);
4811 /* Save for later */
4812 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4813 SSL_shutdown(clientssl);
4814 SSL_shutdown(serverssl);
4815 SSL_free(serverssl);
4816 SSL_free(clientssl);
4817 serverssl = clientssl = NULL;
4819 /* Check we can resume a session with a different SHA-256 ciphersuite */
4820 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4821 "TLS_AES_128_CCM_SHA256"))
4822 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4823 &clientssl, NULL, NULL))
4824 || !TEST_true(SSL_set_session(clientssl, clntsess))
4825 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4827 || !TEST_true(SSL_session_reused(clientssl)))
4830 SSL_SESSION_free(clntsess);
4831 clntsess = SSL_get1_session(clientssl);
4832 SSL_shutdown(clientssl);
4833 SSL_shutdown(serverssl);
4834 SSL_free(serverssl);
4835 SSL_free(clientssl);
4836 serverssl = clientssl = NULL;
4839 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4840 * succeeds but does not resume.
4842 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4843 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4845 || !TEST_true(SSL_set_session(clientssl, clntsess))
4846 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4848 || !TEST_false(SSL_session_reused(clientssl)))
4851 SSL_SESSION_free(clntsess);
4853 SSL_shutdown(clientssl);
4854 SSL_shutdown(serverssl);
4855 SSL_free(serverssl);
4856 SSL_free(clientssl);
4857 serverssl = clientssl = NULL;
4859 /* Create a session based on SHA384 */
4860 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4861 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4862 &clientssl, NULL, NULL))
4863 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4867 clntsess = SSL_get1_session(clientssl);
4868 SSL_shutdown(clientssl);
4869 SSL_shutdown(serverssl);
4870 SSL_free(serverssl);
4871 SSL_free(clientssl);
4872 serverssl = clientssl = NULL;
4874 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4875 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4876 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4877 "TLS_AES_256_GCM_SHA384"))
4878 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4880 || !TEST_true(SSL_set_session(clientssl, clntsess))
4882 * We use SSL_ERROR_WANT_READ below so that we can pause the
4883 * connection after the initial ClientHello has been sent to
4884 * enable us to make some session changes.
4886 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4887 SSL_ERROR_WANT_READ)))
4890 /* Trick the client into thinking this session is for a different digest */
4891 clntsess->cipher = aes_128_gcm_sha256;
4892 clntsess->cipher_id = clntsess->cipher->id;
4895 * Continue the previously started connection. Server has selected a SHA-384
4896 * ciphersuite, but client thinks the session is for SHA-256, so it should
4899 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4901 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4902 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4908 SSL_SESSION_free(clntsess);
4909 SSL_free(serverssl);
4910 SSL_free(clientssl);
4918 * Test TLSv1.3 Key exchange
4919 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4920 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4921 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4922 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4923 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4924 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4925 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4926 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4927 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4928 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4929 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4930 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4931 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4932 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4934 # ifndef OPENSSL_NO_EC
4935 static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4937 # ifndef OPENSSL_NO_ECX
4938 NID_X25519, NID_X448
4942 # ifndef OPENSSL_NO_DH
4943 static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4944 NID_ffdhe6144, NID_ffdhe8192};
4946 static int test_key_exchange(int idx)
4948 SSL_CTX *sctx = NULL, *cctx = NULL;
4949 SSL *serverssl = NULL, *clientssl = NULL;
4952 int *kexch_groups = &kexch_alg;
4953 int kexch_groups_size = 1;
4954 int max_version = TLS1_3_VERSION;
4955 char *kexch_name0 = NULL;
4958 # ifndef OPENSSL_NO_EC
4959 # ifndef OPENSSL_NO_TLS1_2
4961 max_version = TLS1_2_VERSION;
4965 kexch_groups = ecdhe_kexch_groups;
4966 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4967 kexch_name0 = "secp256r1";
4970 kexch_alg = NID_X9_62_prime256v1;
4971 kexch_name0 = "secp256r1";
4974 kexch_alg = NID_secp384r1;
4975 kexch_name0 = "secp384r1";
4978 kexch_alg = NID_secp521r1;
4979 kexch_name0 = "secp521r1";
4981 # ifndef OPENSSL_NO_ECX
4984 return TEST_skip("X25519 might not be supported by fips provider.");
4985 kexch_alg = NID_X25519;
4986 kexch_name0 = "x25519";
4990 return TEST_skip("X448 might not be supported by fips provider.");
4991 kexch_alg = NID_X448;
4992 kexch_name0 = "x448";
4996 # ifndef OPENSSL_NO_DH
4997 # ifndef OPENSSL_NO_TLS1_2
4999 max_version = TLS1_2_VERSION;
5000 kexch_name0 = "ffdhe2048";
5004 kexch_groups = ffdhe_kexch_groups;
5005 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
5006 kexch_name0 = "ffdhe2048";
5009 kexch_alg = NID_ffdhe2048;
5010 kexch_name0 = "ffdhe2048";
5013 kexch_alg = NID_ffdhe3072;
5014 kexch_name0 = "ffdhe3072";
5017 kexch_alg = NID_ffdhe4096;
5018 kexch_name0 = "ffdhe4096";
5021 kexch_alg = NID_ffdhe6144;
5022 kexch_name0 = "ffdhe6144";
5025 kexch_alg = NID_ffdhe8192;
5026 kexch_name0 = "ffdhe8192";
5030 /* We're skipping this test */
5034 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5035 TLS_client_method(), TLS1_VERSION,
5036 max_version, &sctx, &cctx, cert,
5040 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
5041 TLS1_3_RFC_AES_128_GCM_SHA256)))
5044 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5045 TLS1_3_RFC_AES_128_GCM_SHA256)))
5048 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
5049 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5050 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
5051 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
5055 * Must include an EC ciphersuite so that we send supported groups in
5058 # ifndef OPENSSL_NO_TLS1_2
5059 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5060 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5061 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
5065 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5069 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
5070 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
5073 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5077 * If Handshake succeeds the negotiated kexch alg should be the first one in
5078 * configured, except in the case of FFDHE groups (idx 13), which are
5079 * TLSv1.3 only so we expect no shared group to exist.
5081 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
5082 idx == 13 ? 0 : kexch_groups[0]))
5085 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
5089 /* We don't implement RFC 7919 named groups for TLS 1.2. */
5091 if (!TEST_str_eq(SSL_get0_group_name(serverssl), kexch_name0)
5092 || !TEST_str_eq(SSL_get0_group_name(clientssl), kexch_name0))
5094 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
5096 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
5102 SSL_free(serverssl);
5103 SSL_free(clientssl);
5109 # if !defined(OPENSSL_NO_TLS1_2) \
5110 && !defined(OPENSSL_NO_EC) \
5111 && !defined(OPENSSL_NO_DH)
5112 static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
5113 int isecdhe, int idx)
5116 int *kexch_groups = &kexch_alg;
5119 numec = OSSL_NELEM(ecdhe_kexch_groups);
5120 numff = OSSL_NELEM(ffdhe_kexch_groups);
5122 kexch_alg = ecdhe_kexch_groups[idx];
5124 kexch_alg = ffdhe_kexch_groups[idx];
5127 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
5130 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
5134 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
5139 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
5142 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
5146 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
5155 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
5156 * Run through both the ECDHE and FFDHE group lists used in the previous
5157 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
5158 * confirming the expected result; then perform a resumption handshake
5159 * while offering the same group list, and another resumption handshake
5160 * offering a different group list. The returned value should be the
5161 * negotiated group for the initial handshake; for TLS 1.3 resumption
5162 * handshakes the returned value will be negotiated on the resumption
5163 * handshake itself, but for TLS 1.2 resumption handshakes the value will
5164 * be cached in the session from the original handshake, regardless of what
5165 * was offered in the resumption ClientHello.
5167 * Using E for the number of EC groups and F for the number of FF groups:
5168 * E tests of ECDHE with TLS 1.3, server only has one group
5169 * F tests of FFDHE with TLS 1.3, server only has one group
5170 * E tests of ECDHE with TLS 1.2, server only has one group
5171 * F tests of FFDHE with TLS 1.2, server only has one group
5172 * E tests of ECDHE with TLS 1.3, client sends only one group
5173 * F tests of FFDHE with TLS 1.3, client sends only one group
5174 * E tests of ECDHE with TLS 1.2, client sends only one group
5175 * F tests of FFDHE with TLS 1.2, client sends only one group
5177 static int test_negotiated_group(int idx)
5179 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
5181 SSL_CTX *sctx = NULL, *cctx = NULL;
5182 SSL *serverssl = NULL, *clientssl = NULL;
5183 SSL_SESSION *origsess = NULL;
5186 int max_version = TLS1_3_VERSION;
5188 numec = OSSL_NELEM(ecdhe_kexch_groups);
5189 numff = OSSL_NELEM(ffdhe_kexch_groups);
5190 numgroups = numec + numff;
5191 clientmulti = (idx < 2 * numgroups);
5192 idx = idx % (2 * numgroups);
5193 istls13 = (idx < numgroups);
5194 idx = idx % numgroups;
5195 isecdhe = (idx < numec);
5198 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
5200 kexch_alg = ecdhe_kexch_groups[idx];
5202 kexch_alg = ffdhe_kexch_groups[idx];
5203 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
5204 if (!istls13 && !isecdhe)
5205 expectednid = NID_undef;
5207 expectednid = kexch_alg;
5209 if (is_fips && (kexch_alg == NID_X25519 || kexch_alg == NID_X448))
5210 return TEST_skip("X25519 and X448 might not be available in fips provider.");
5213 max_version = TLS1_2_VERSION;
5215 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5216 TLS_client_method(), TLS1_VERSION,
5217 max_version, &sctx, &cctx, cert,
5222 * Force (EC)DHE ciphers for TLS 1.2.
5223 * Be sure to enable auto tmp DH so that FFDHE can succeed.
5225 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
5226 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5227 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
5228 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
5230 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5231 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5232 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
5235 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5239 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
5243 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5246 /* Initial handshake; always the configured one */
5247 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5248 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5251 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
5254 SSL_shutdown(clientssl);
5255 SSL_shutdown(serverssl);
5256 SSL_free(serverssl);
5257 SSL_free(clientssl);
5258 serverssl = clientssl = NULL;
5260 /* First resumption attempt; use the same config as initial handshake */
5261 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5263 || !TEST_true(SSL_set_session(clientssl, origsess))
5264 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5268 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5269 || !TEST_true(SSL_session_reused(clientssl)))
5272 /* Still had better agree, since nothing changed... */
5273 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5274 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5277 SSL_shutdown(clientssl);
5278 SSL_shutdown(serverssl);
5279 SSL_free(serverssl);
5280 SSL_free(clientssl);
5281 serverssl = clientssl = NULL;
5284 * Second resumption attempt
5285 * The party that picks one group changes it, which we effectuate by
5286 * changing 'idx' and updating what we expect.
5294 expectednid = ecdhe_kexch_groups[idx];
5296 expectednid = ffdhe_kexch_groups[idx];
5297 /* Verify that we are changing what we expect. */
5298 if (!TEST_int_ne(expectednid, kexch_alg))
5301 /* TLS 1.2 only supports named groups for ECDHE. */
5303 expectednid = kexch_alg;
5307 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5309 || !TEST_true(SSL_set_session(clientssl, origsess))
5310 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5314 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5315 || !TEST_true(SSL_session_reused(clientssl)))
5318 /* Check that we get what we expected */
5319 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5320 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5325 SSL_free(serverssl);
5326 SSL_free(clientssl);
5329 SSL_SESSION_free(origsess);
5332 # endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
5335 * Test TLSv1.3 Cipher Suite
5336 * Test 0 = Set TLS1.3 cipher on context
5337 * Test 1 = Set TLS1.3 cipher on SSL
5338 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
5339 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
5341 static int test_tls13_ciphersuite(int idx)
5343 SSL_CTX *sctx = NULL, *cctx = NULL;
5344 SSL *serverssl = NULL, *clientssl = NULL;
5345 static const struct {
5346 const char *ciphername;
5350 { TLS1_3_RFC_AES_128_GCM_SHA256, 1, 0 },
5351 { TLS1_3_RFC_AES_256_GCM_SHA384, 1, 0 },
5352 { TLS1_3_RFC_AES_128_CCM_SHA256, 1, 0 },
5353 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5354 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5355 { TLS1_3_RFC_AES_256_GCM_SHA384
5356 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5358 /* CCM8 ciphers are considered low security due to their short tag */
5359 { TLS1_3_RFC_AES_128_CCM_8_SHA256
5360 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1, 1 },
5361 # if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS)
5362 /* Integrity-only cipher do not provide any confidentiality */
5363 { TLS1_3_RFC_SHA256_SHA256, 0, 1 },
5364 { TLS1_3_RFC_SHA384_SHA384, 0, 1 }
5367 const char *t13_cipher = NULL;
5368 const char *t12_cipher = NULL;
5369 const char *negotiated_scipher;
5370 const char *negotiated_ccipher;
5386 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5390 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5394 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
5395 # ifdef OPENSSL_NO_TLS1_2
5396 if (max_ver == TLS1_2_VERSION)
5399 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
5400 if (is_fips && !t13_ciphers[i].fipscapable)
5402 t13_cipher = t13_ciphers[i].ciphername;
5403 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5404 TLS_client_method(),
5405 TLS1_VERSION, max_ver,
5406 &sctx, &cctx, cert, privkey)))
5409 if (t13_ciphers[i].low_security) {
5410 SSL_CTX_set_security_level(sctx, 0);
5411 SSL_CTX_set_security_level(cctx, 0);
5415 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
5416 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
5418 if (t12_cipher != NULL) {
5419 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
5420 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
5426 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5427 &clientssl, NULL, NULL)))
5431 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5432 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5434 if (t12_cipher != NULL) {
5435 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5436 || !TEST_true(SSL_set_cipher_list(clientssl,
5442 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5446 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5448 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5450 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5454 * TEST_strn_eq is used below because t13_cipher can contain
5455 * multiple ciphersuites
5457 if (max_ver == TLS1_3_VERSION
5458 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5459 strlen(negotiated_scipher)))
5462 # ifndef OPENSSL_NO_TLS1_2
5463 /* Below validation is not done when t12_cipher is NULL */
5464 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5465 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5469 SSL_free(serverssl);
5471 SSL_free(clientssl);
5482 SSL_free(serverssl);
5483 SSL_free(clientssl);
5491 * Test 0 = Test new style callbacks
5492 * Test 1 = Test both new and old style callbacks
5493 * Test 2 = Test old style callbacks
5494 * Test 3 = Test old style callbacks with no certificate
5496 static int test_tls13_psk(int idx)
5498 SSL_CTX *sctx = NULL, *cctx = NULL;
5499 SSL *serverssl = NULL, *clientssl = NULL;
5500 const SSL_CIPHER *cipher = NULL;
5501 const unsigned char key[] = {
5502 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5503 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
5504 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5505 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
5509 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5510 TLS_client_method(), TLS1_VERSION, 0,
5511 &sctx, &cctx, idx == 3 ? NULL : cert,
5512 idx == 3 ? NULL : privkey)))
5517 * We use a ciphersuite with SHA256 to ease testing old style PSK
5518 * callbacks which will always default to SHA256. This should not be
5519 * necessary if we have no cert/priv key. In that case the server should
5520 * prefer SHA256 automatically.
5522 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5523 "TLS_AES_128_GCM_SHA256")))
5527 * As noted above the server should prefer SHA256 automatically. However
5528 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5529 * code works even if we are testing with only the FIPS provider loaded.
5531 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5532 "TLS_AES_256_GCM_SHA384:"
5533 "TLS_AES_128_GCM_SHA256")))
5538 * Test 0: New style callbacks only
5539 * Test 1: New and old style callbacks (only the new ones should be used)
5540 * Test 2: Old style callbacks only
5542 if (idx == 0 || idx == 1) {
5543 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5544 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5546 #ifndef OPENSSL_NO_PSK
5548 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5549 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5553 use_session_cb_cnt = 0;
5554 find_session_cb_cnt = 0;
5555 psk_client_cb_cnt = 0;
5556 psk_server_cb_cnt = 0;
5560 * Check we can create a connection if callback decides not to send a
5563 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5565 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5567 || !TEST_false(SSL_session_reused(clientssl))
5568 || !TEST_false(SSL_session_reused(serverssl)))
5571 if (idx == 0 || idx == 1) {
5572 if (!TEST_true(use_session_cb_cnt == 1)
5573 || !TEST_true(find_session_cb_cnt == 0)
5575 * If no old style callback then below should be 0
5578 || !TEST_true(psk_client_cb_cnt == idx)
5579 || !TEST_true(psk_server_cb_cnt == 0))
5582 if (!TEST_true(use_session_cb_cnt == 0)
5583 || !TEST_true(find_session_cb_cnt == 0)
5584 || !TEST_true(psk_client_cb_cnt == 1)
5585 || !TEST_true(psk_server_cb_cnt == 0))
5589 shutdown_ssl_connection(serverssl, clientssl);
5590 serverssl = clientssl = NULL;
5591 use_session_cb_cnt = psk_client_cb_cnt = 0;
5594 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5598 /* Create the PSK */
5599 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
5600 clientpsk = SSL_SESSION_new();
5601 if (!TEST_ptr(clientpsk)
5602 || !TEST_ptr(cipher)
5603 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5605 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5606 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5608 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
5610 serverpsk = clientpsk;
5612 /* Check we can create a connection and the PSK is used */
5613 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5614 || !TEST_true(SSL_session_reused(clientssl))
5615 || !TEST_true(SSL_session_reused(serverssl)))
5618 if (idx == 0 || idx == 1) {
5619 if (!TEST_true(use_session_cb_cnt == 1)
5620 || !TEST_true(find_session_cb_cnt == 1)
5621 || !TEST_true(psk_client_cb_cnt == 0)
5622 || !TEST_true(psk_server_cb_cnt == 0))
5625 if (!TEST_true(use_session_cb_cnt == 0)
5626 || !TEST_true(find_session_cb_cnt == 0)
5627 || !TEST_true(psk_client_cb_cnt == 1)
5628 || !TEST_true(psk_server_cb_cnt == 1))
5632 shutdown_ssl_connection(serverssl, clientssl);
5633 serverssl = clientssl = NULL;
5634 use_session_cb_cnt = find_session_cb_cnt = 0;
5635 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5637 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5642 #if defined(OPENSSL_NO_EC)
5643 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5646 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
5651 * Check we can create a connection, the PSK is used and the callbacks are
5654 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5655 || !TEST_true(SSL_session_reused(clientssl))
5656 || !TEST_true(SSL_session_reused(serverssl)))
5659 if (idx == 0 || idx == 1) {
5660 if (!TEST_true(use_session_cb_cnt == 2)
5661 || !TEST_true(find_session_cb_cnt == 2)
5662 || !TEST_true(psk_client_cb_cnt == 0)
5663 || !TEST_true(psk_server_cb_cnt == 0))
5666 if (!TEST_true(use_session_cb_cnt == 0)
5667 || !TEST_true(find_session_cb_cnt == 0)
5668 || !TEST_true(psk_client_cb_cnt == 2)
5669 || !TEST_true(psk_server_cb_cnt == 2))
5673 shutdown_ssl_connection(serverssl, clientssl);
5674 serverssl = clientssl = NULL;
5675 use_session_cb_cnt = find_session_cb_cnt = 0;
5676 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5680 * Check that if the server rejects the PSK we can still connect, but with
5683 srvid = "Dummy Identity";
5684 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5686 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5688 || !TEST_false(SSL_session_reused(clientssl))
5689 || !TEST_false(SSL_session_reused(serverssl)))
5692 if (idx == 0 || idx == 1) {
5693 if (!TEST_true(use_session_cb_cnt == 1)
5694 || !TEST_true(find_session_cb_cnt == 1)
5695 || !TEST_true(psk_client_cb_cnt == 0)
5697 * If no old style callback then below should be 0
5700 || !TEST_true(psk_server_cb_cnt == idx))
5703 if (!TEST_true(use_session_cb_cnt == 0)
5704 || !TEST_true(find_session_cb_cnt == 0)
5705 || !TEST_true(psk_client_cb_cnt == 1)
5706 || !TEST_true(psk_server_cb_cnt == 1))
5710 shutdown_ssl_connection(serverssl, clientssl);
5711 serverssl = clientssl = NULL;
5716 SSL_SESSION_free(clientpsk);
5717 SSL_SESSION_free(serverpsk);
5718 clientpsk = serverpsk = NULL;
5719 SSL_free(serverssl);
5720 SSL_free(clientssl);
5726 #ifndef OSSL_NO_USABLE_TLS1_3
5728 * Test TLS1.3 connection establishment succeeds with various configurations of
5729 * the options `SSL_OP_ALLOW_NO_DHE_KEX` and `SSL_OP_PREFER_NO_DHE_KEX`.
5730 * The verification of whether the right KEX mode is chosen is not covered by
5731 * this test but by `test_tls13kexmodes`.
5733 * Tests (idx & 1): Server has `SSL_OP_ALLOW_NO_DHE_KEX` set.
5734 * Tests (idx & 2): Server has `SSL_OP_PREFER_NO_DHE_KEX` set.
5735 * Tests (idx & 4): Client has `SSL_OP_ALLOW_NO_DHE_KEX` set.
5737 static int test_tls13_no_dhe_kex(const int idx)
5739 SSL_CTX *sctx = NULL, *cctx = NULL;
5740 SSL *serverssl = NULL, *clientssl = NULL;
5743 SSL_SESSION *saved_session;
5745 int server_allow_no_dhe = (idx & 1) != 0;
5746 int server_prefer_no_dhe = (idx & 2) != 0;
5747 int client_allow_no_dhe = (idx & 4) != 0;
5749 uint64_t server_options = 0
5750 | (server_allow_no_dhe ? SSL_OP_ALLOW_NO_DHE_KEX : 0)
5751 | (server_prefer_no_dhe ? SSL_OP_PREFER_NO_DHE_KEX : 0);
5753 uint64_t client_options = 0
5754 | (client_allow_no_dhe ? SSL_OP_ALLOW_NO_DHE_KEX : 0);
5759 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5760 TLS_client_method(), TLS1_3_VERSION, 0,
5761 &sctx, &cctx, cert, privkey)))
5764 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
5765 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
5767 SSL_CTX_set_options(sctx, server_options);
5768 SSL_CTX_set_options(cctx, client_options);
5770 SSL_CTX_sess_set_new_cb(cctx, new_cachesession_cb);
5772 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5773 &clientssl, NULL, NULL)))
5776 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5778 /* Check we got the number of tickets we were expecting */
5779 || !TEST_int_eq(2, new_called))
5782 /* We'll reuse the last ticket. */
5783 saved_session = sesscache[new_called - 1];
5785 SSL_shutdown(clientssl);
5786 SSL_shutdown(serverssl);
5787 SSL_free(serverssl);
5788 SSL_free(clientssl);
5790 clientssl = serverssl = NULL;
5794 * Now we resume with the last ticket we created.
5797 /* The server context already exists, so we only create the client. */
5798 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5799 TLS_client_method(), TLS1_3_VERSION, 0,
5800 NULL, &cctx, cert, privkey)))
5803 SSL_CTX_set_options(cctx, client_options);
5805 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5806 &clientssl, NULL, NULL))
5807 || !TEST_true(SSL_set_session(clientssl, saved_session)))
5810 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5815 * Make sure, the session was resumed.
5817 if (!TEST_true(SSL_session_reused(clientssl)))
5820 SSL_shutdown(clientssl);
5821 SSL_shutdown(serverssl);
5826 SSL_free(serverssl);
5827 SSL_free(clientssl);
5828 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
5829 SSL_SESSION_free(sesscache[j]);
5830 sesscache[j] = NULL;
5837 #endif /* OSSL_NO_USABLE_TLS1_3 */
5839 static unsigned char cookie_magic_value[] = "cookie magic";
5841 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5842 unsigned int *cookie_len)
5845 * Not suitable as a real cookie generation function but good enough for
5848 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5849 *cookie_len = sizeof(cookie_magic_value) - 1;
5854 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5855 unsigned int cookie_len)
5857 if (cookie_len == sizeof(cookie_magic_value) - 1
5858 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5864 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5868 int res = generate_cookie_callback(ssl, cookie, &temp);
5873 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5876 return verify_cookie_callback(ssl, cookie, cookie_len);
5879 static int test_stateless(void)
5881 SSL_CTX *sctx = NULL, *cctx = NULL;
5882 SSL *serverssl = NULL, *clientssl = NULL;
5885 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5886 TLS_client_method(), TLS1_VERSION, 0,
5887 &sctx, &cctx, cert, privkey)))
5890 /* The arrival of CCS messages can confuse the test */
5891 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5893 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5895 /* Send the first ClientHello */
5896 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5897 SSL_ERROR_WANT_READ))
5899 * This should fail with a -1 return because we have no callbacks
5902 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5905 /* Fatal error so abandon the connection from this client */
5906 SSL_free(clientssl);
5909 /* Set up the cookie generation and verification callbacks */
5910 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5911 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
5914 * Create a new connection from the client (we can reuse the server SSL
5917 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5919 /* Send the first ClientHello */
5920 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5921 SSL_ERROR_WANT_READ))
5922 /* This should fail because there is no cookie */
5923 || !TEST_int_eq(SSL_stateless(serverssl), 0))
5926 /* Abandon the connection from this client */
5927 SSL_free(clientssl);
5931 * Now create a connection from a new client but with the same server SSL
5934 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5936 /* Send the first ClientHello */
5937 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5938 SSL_ERROR_WANT_READ))
5939 /* This should fail because there is no cookie */
5940 || !TEST_int_eq(SSL_stateless(serverssl), 0)
5941 /* Send the second ClientHello */
5942 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5943 SSL_ERROR_WANT_READ))
5944 /* This should succeed because a cookie is now present */
5945 || !TEST_int_eq(SSL_stateless(serverssl), 1)
5946 /* Complete the connection */
5947 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5951 shutdown_ssl_connection(serverssl, clientssl);
5952 serverssl = clientssl = NULL;
5956 SSL_free(serverssl);
5957 SSL_free(clientssl);
5963 #endif /* OSSL_NO_USABLE_TLS1_3 */
5965 static int clntaddoldcb = 0;
5966 static int clntparseoldcb = 0;
5967 static int srvaddoldcb = 0;
5968 static int srvparseoldcb = 0;
5969 static int clntaddnewcb = 0;
5970 static int clntparsenewcb = 0;
5971 static int srvaddnewcb = 0;
5972 static int srvparsenewcb = 0;
5973 static int snicb = 0;
5975 #define TEST_EXT_TYPE1 0xff00
5977 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5978 size_t *outlen, int *al, void *add_arg)
5980 int *server = (int *)add_arg;
5981 unsigned char *data;
5983 if (SSL_is_server(s))
5988 if (*server != SSL_is_server(s)
5989 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5994 *outlen = sizeof(char);
5998 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
6001 OPENSSL_free((unsigned char *)out);
6004 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
6005 size_t inlen, int *al, void *parse_arg)
6007 int *server = (int *)parse_arg;
6009 if (SSL_is_server(s))
6014 if (*server != SSL_is_server(s)
6015 || inlen != sizeof(char)
6022 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
6023 const unsigned char **out, size_t *outlen, X509 *x,
6024 size_t chainidx, int *al, void *add_arg)
6026 int *server = (int *)add_arg;
6027 unsigned char *data;
6029 if (SSL_is_server(s))
6034 if (*server != SSL_is_server(s)
6035 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
6040 *outlen = sizeof(*data);
6044 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
6045 const unsigned char *out, void *add_arg)
6047 OPENSSL_free((unsigned char *)out);
6050 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
6051 const unsigned char *in, size_t inlen, X509 *x,
6052 size_t chainidx, int *al, void *parse_arg)
6054 int *server = (int *)parse_arg;
6056 if (SSL_is_server(s))
6061 if (*server != SSL_is_server(s)
6062 || inlen != sizeof(char) || *in != 1)
6068 static int sni_cb(SSL *s, int *al, void *arg)
6070 SSL_CTX *ctx = (SSL_CTX *)arg;
6072 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
6073 *al = SSL_AD_INTERNAL_ERROR;
6074 return SSL_TLSEXT_ERR_ALERT_FATAL;
6077 return SSL_TLSEXT_ERR_OK;
6080 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
6086 * Custom call back tests.
6087 * Test 0: Old style callbacks in TLSv1.2
6088 * Test 1: New style callbacks in TLSv1.2
6089 * Test 2: New style callbacks in TLSv1.2 with SNI
6090 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
6091 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
6092 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
6094 static int test_custom_exts(int tst)
6096 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
6097 SSL *clientssl = NULL, *serverssl = NULL;
6099 static int server = 1;
6100 static int client = 0;
6101 SSL_SESSION *sess = NULL;
6102 unsigned int context;
6104 #if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
6105 /* Skip tests for TLSv1.2 and below in this case */
6110 /* Reset callback counters */
6111 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
6112 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
6115 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6116 TLS_client_method(), TLS1_VERSION, 0,
6117 &sctx, &cctx, cert, privkey)))
6121 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
6123 &sctx2, NULL, cert, privkey)))
6128 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
6129 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
6131 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
6135 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
6136 | SSL_EXT_TLS1_3_CERTIFICATE;
6137 SSL_CTX_set_verify(sctx,
6138 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
6140 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
6141 SSL_FILETYPE_PEM), 1)
6142 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
6143 SSL_FILETYPE_PEM), 1)
6144 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
6146 } else if (tst == 4) {
6147 context = SSL_EXT_CLIENT_HELLO
6148 | SSL_EXT_TLS1_2_SERVER_HELLO
6149 | SSL_EXT_TLS1_3_SERVER_HELLO
6150 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
6151 | SSL_EXT_TLS1_3_CERTIFICATE
6152 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
6154 context = SSL_EXT_CLIENT_HELLO
6155 | SSL_EXT_TLS1_2_SERVER_HELLO
6156 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
6159 /* Create a client side custom extension */
6161 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
6162 old_add_cb, old_free_cb,
6163 &client, old_parse_cb,
6167 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
6168 new_add_cb, new_free_cb,
6169 &client, new_parse_cb, &client)))
6173 /* Should not be able to add duplicates */
6174 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
6175 old_add_cb, old_free_cb,
6176 &client, old_parse_cb,
6178 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
6179 context, new_add_cb,
6180 new_free_cb, &client,
6181 new_parse_cb, &client)))
6184 /* Create a server side custom extension */
6186 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
6187 old_add_cb, old_free_cb,
6188 &server, old_parse_cb,
6192 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
6193 new_add_cb, new_free_cb,
6194 &server, new_parse_cb, &server)))
6197 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
6198 context, new_add_cb,
6199 new_free_cb, &server,
6200 new_parse_cb, &server)))
6204 /* Should not be able to add duplicates */
6205 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
6206 old_add_cb, old_free_cb,
6207 &server, old_parse_cb,
6209 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
6210 context, new_add_cb,
6211 new_free_cb, &server,
6212 new_parse_cb, &server)))
6217 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
6218 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
6222 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6223 &clientssl, NULL, NULL))
6224 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6229 if (clntaddoldcb != 1
6230 || clntparseoldcb != 1
6232 || srvparseoldcb != 1)
6234 } else if (tst == 1 || tst == 2 || tst == 3) {
6235 if (clntaddnewcb != 1
6236 || clntparsenewcb != 1
6238 || srvparsenewcb != 1
6239 || (tst != 2 && snicb != 0)
6240 || (tst == 2 && snicb != 1))
6242 } else if (tst == 5) {
6243 if (clntaddnewcb != 1
6244 || clntparsenewcb != 1
6246 || srvparsenewcb != 1)
6249 /* In this case there 2 NewSessionTicket messages created */
6250 if (clntaddnewcb != 1
6251 || clntparsenewcb != 5
6253 || srvparsenewcb != 1)
6257 sess = SSL_get1_session(clientssl);
6258 SSL_shutdown(clientssl);
6259 SSL_shutdown(serverssl);
6260 SSL_free(serverssl);
6261 SSL_free(clientssl);
6262 serverssl = clientssl = NULL;
6264 if (tst == 3 || tst == 5) {
6265 /* We don't bother with the resumption aspects for these tests */
6270 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6272 || !TEST_true(SSL_set_session(clientssl, sess))
6273 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6278 * For a resumed session we expect to add the ClientHello extension. For the
6279 * old style callbacks we ignore it on the server side because they set
6280 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
6284 if (clntaddoldcb != 2
6285 || clntparseoldcb != 1
6287 || srvparseoldcb != 1)
6289 } else if (tst == 1 || tst == 2 || tst == 3) {
6290 if (clntaddnewcb != 2
6291 || clntparsenewcb != 2
6293 || srvparsenewcb != 2)
6297 * No Certificate message extensions in the resumption handshake,
6298 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
6300 if (clntaddnewcb != 2
6301 || clntparsenewcb != 8
6303 || srvparsenewcb != 2)
6310 SSL_SESSION_free(sess);
6311 SSL_free(serverssl);
6312 SSL_free(clientssl);
6313 SSL_CTX_free(sctx2);
6319 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
6321 #define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \
6322 | SSL_EXT_CLIENT_HELLO \
6323 | SSL_EXT_TLS1_2_SERVER_HELLO \
6324 | SSL_EXT_IGNORE_ON_RESUMPTION)
6326 #define TLS13CONTEXT (SSL_EXT_TLS1_3_CERTIFICATE \
6327 | SSL_EXT_TLS1_2_SERVER_HELLO \
6328 | SSL_EXT_CLIENT_HELLO)
6330 #define SERVERINFO_CUSTOM \
6331 0x00, (char)TLSEXT_TYPE_signed_certificate_timestamp, \
6335 static const unsigned char serverinfo_custom_tls13[] = {
6336 0x00, 0x00, (TLS13CONTEXT >> 8) & 0xff, TLS13CONTEXT & 0xff,
6339 static const unsigned char serverinfo_custom_v2[] = {
6340 0x00, 0x00, (SYNTHV1CONTEXT >> 8) & 0xff, SYNTHV1CONTEXT & 0xff,
6343 static const unsigned char serverinfo_custom_v1[] = {
6346 static const size_t serverinfo_custom_tls13_len = sizeof(serverinfo_custom_tls13);
6347 static const size_t serverinfo_custom_v2_len = sizeof(serverinfo_custom_v2);
6348 static const size_t serverinfo_custom_v1_len = sizeof(serverinfo_custom_v1);
6350 static int serverinfo_custom_parse_cb(SSL *s, unsigned int ext_type,
6351 unsigned int context,
6352 const unsigned char *in,
6353 size_t inlen, X509 *x,
6354 size_t chainidx, int *al,
6357 const size_t len = serverinfo_custom_v1_len;
6358 const unsigned char *si = &serverinfo_custom_v1[len - 3];
6359 int *p_cb_result = (int*)parse_arg;
6360 *p_cb_result = TEST_mem_eq(in, inlen, si, 3);
6364 static int test_serverinfo_custom(const int idx)
6366 SSL_CTX *sctx = NULL, *cctx = NULL;
6367 SSL *clientssl = NULL, *serverssl = NULL;
6372 * Following variables are set in the switch statement
6373 * according to the test iteration.
6374 * Default values do not make much sense: test would fail with them.
6376 int serverinfo_version = 0;
6377 int protocol_version = 0;
6378 unsigned int extension_context = 0;
6379 const unsigned char *si = NULL;
6382 const int call_use_serverinfo_ex = idx > 0;
6384 case 0: /* FALLTHROUGH */
6386 serverinfo_version = SSL_SERVERINFOV1;
6387 protocol_version = TLS1_2_VERSION;
6388 extension_context = SYNTHV1CONTEXT;
6389 si = serverinfo_custom_v1;
6390 si_len = serverinfo_custom_v1_len;
6393 serverinfo_version = SSL_SERVERINFOV2;
6394 protocol_version = TLS1_2_VERSION;
6395 extension_context = SYNTHV1CONTEXT;
6396 si = serverinfo_custom_v2;
6397 si_len = serverinfo_custom_v2_len;
6400 serverinfo_version = SSL_SERVERINFOV2;
6401 protocol_version = TLS1_3_VERSION;
6402 extension_context = TLS13CONTEXT;
6403 si = serverinfo_custom_tls13;
6404 si_len = serverinfo_custom_tls13_len;
6408 if (!TEST_true(create_ssl_ctx_pair(libctx,
6413 &sctx, &cctx, cert, privkey)))
6416 if (call_use_serverinfo_ex) {
6417 if (!TEST_true(SSL_CTX_use_serverinfo_ex(sctx, serverinfo_version,
6421 if (!TEST_true(SSL_CTX_use_serverinfo(sctx, si, si_len)))
6425 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TLSEXT_TYPE_signed_certificate_timestamp,
6428 serverinfo_custom_parse_cb,
6430 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6432 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6434 || !TEST_int_eq(SSL_do_handshake(clientssl), 1))
6437 if (!TEST_true(cb_result))
6443 SSL_free(serverssl);
6444 SSL_free(clientssl);
6453 * Test that SSL_export_keying_material() produces expected results. There are
6454 * no test vectors so all we do is test that both sides of the communication
6455 * produce the same results for different protocol versions.
6457 #define SMALL_LABEL_LEN 10
6458 #define LONG_LABEL_LEN 249
6459 static int test_export_key_mat(int tst)
6462 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
6463 SSL *clientssl = NULL, *serverssl = NULL;
6464 const char label[LONG_LABEL_LEN + 1] = "test label";
6465 const unsigned char context[] = "context";
6466 const unsigned char *emptycontext = NULL;
6467 unsigned char longcontext[1280];
6468 int test_longcontext = fips_provider_version_ge(libctx, 3, 3, 0);
6469 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80], ckeymat4[80];
6470 unsigned char skeymat1[80], skeymat2[80], skeymat3[80], skeymat4[80];
6472 const int protocols[] = {
6481 #ifdef OPENSSL_NO_TLS1
6485 #ifdef OPENSSL_NO_TLS1_1
6489 if (is_fips && (tst == 0 || tst == 1))
6491 #ifdef OPENSSL_NO_TLS1_2
6495 #ifdef OSSL_NO_USABLE_TLS1_3
6499 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6500 TLS_client_method(), TLS1_VERSION, 0,
6501 &sctx, &cctx, cert, privkey)))
6504 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
6505 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
6506 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
6507 if ((protocols[tst] < TLS1_2_VERSION) &&
6508 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
6509 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
6512 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6517 * Premature call of SSL_export_keying_material should just fail.
6519 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6520 sizeof(ckeymat1), label,
6521 SMALL_LABEL_LEN + 1, context,
6522 sizeof(context) - 1, 1), 0))
6525 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6531 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
6534 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6535 sizeof(ckeymat1), label,
6536 LONG_LABEL_LEN + 1, context,
6537 sizeof(context) - 1, 1), 0))
6542 } else if (tst == 4) {
6543 labellen = LONG_LABEL_LEN;
6545 labellen = SMALL_LABEL_LEN;
6548 memset(longcontext, 1, sizeof(longcontext));
6550 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
6551 sizeof(ckeymat1), label,
6553 sizeof(context) - 1, 1), 1)
6554 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
6555 sizeof(ckeymat2), label,
6559 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
6560 sizeof(ckeymat3), label,
6563 || (test_longcontext
6564 && !TEST_int_eq(SSL_export_keying_material(clientssl,
6566 sizeof(ckeymat4), label,
6569 sizeof(longcontext), 1),
6571 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
6572 sizeof(skeymat1), label,
6575 sizeof(context) -1, 1),
6577 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
6578 sizeof(skeymat2), label,
6582 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
6583 sizeof(skeymat3), label,
6586 || (test_longcontext
6587 && !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat4,
6588 sizeof(skeymat4), label,
6591 sizeof(longcontext), 1),
6594 * Check that both sides created the same key material with the
6597 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6600 * Check that both sides created the same key material with an
6603 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6606 * Check that both sides created the same key material without a
6609 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
6612 * Check that both sides created the same key material with a
6615 || (test_longcontext
6616 && !TEST_mem_eq(ckeymat4, sizeof(ckeymat4), skeymat4,
6618 /* Different contexts should produce different results */
6619 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6624 * Check that an empty context and no context produce different results in
6625 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6627 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
6629 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
6636 SSL_free(serverssl);
6637 SSL_free(clientssl);
6638 SSL_CTX_free(sctx2);
6645 #ifndef OSSL_NO_USABLE_TLS1_3
6647 * Test that SSL_export_keying_material_early() produces expected
6648 * results. There are no test vectors so all we do is test that both
6649 * sides of the communication produce the same results for different
6650 * protocol versions.
6652 static int test_export_key_mat_early(int idx)
6654 static const char label[] = "test label";
6655 static const unsigned char context[] = "context";
6657 SSL_CTX *cctx = NULL, *sctx = NULL;
6658 SSL *clientssl = NULL, *serverssl = NULL;
6659 SSL_SESSION *sess = NULL;
6660 const unsigned char *emptycontext = NULL;
6661 unsigned char ckeymat1[80], ckeymat2[80];
6662 unsigned char skeymat1[80], skeymat2[80];
6663 unsigned char buf[1];
6664 size_t readbytes, written;
6666 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
6667 &sess, idx, SHA384_DIGEST_LENGTH)))
6670 /* Here writing 0 length early data is enough. */
6671 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6672 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6674 SSL_READ_EARLY_DATA_ERROR)
6675 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6676 SSL_EARLY_DATA_ACCEPTED))
6679 if (!TEST_int_eq(SSL_export_keying_material_early(
6680 clientssl, ckeymat1, sizeof(ckeymat1), label,
6681 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6682 || !TEST_int_eq(SSL_export_keying_material_early(
6683 clientssl, ckeymat2, sizeof(ckeymat2), label,
6684 sizeof(label) - 1, emptycontext, 0), 1)
6685 || !TEST_int_eq(SSL_export_keying_material_early(
6686 serverssl, skeymat1, sizeof(skeymat1), label,
6687 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6688 || !TEST_int_eq(SSL_export_keying_material_early(
6689 serverssl, skeymat2, sizeof(skeymat2), label,
6690 sizeof(label) - 1, emptycontext, 0), 1)
6692 * Check that both sides created the same key material with the
6695 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6698 * Check that both sides created the same key material with an
6701 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6703 /* Different contexts should produce different results */
6704 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6711 SSL_SESSION_free(sess);
6712 SSL_SESSION_free(clientpsk);
6713 SSL_SESSION_free(serverpsk);
6714 clientpsk = serverpsk = NULL;
6715 SSL_free(serverssl);
6716 SSL_free(clientssl);
6723 #define NUM_KEY_UPDATE_MESSAGES 40
6727 static int test_key_update(void)
6729 SSL_CTX *cctx = NULL, *sctx = NULL;
6730 SSL *clientssl = NULL, *serverssl = NULL;
6731 int testresult = 0, i, j;
6733 static char *mess = "A test message";
6735 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6736 TLS_client_method(),
6739 &sctx, &cctx, cert, privkey))
6740 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6742 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6746 for (j = 0; j < 2; j++) {
6747 /* Send lots of KeyUpdate messages */
6748 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6749 if (!TEST_true(SSL_key_update(clientssl,
6751 ? SSL_KEY_UPDATE_NOT_REQUESTED
6752 : SSL_KEY_UPDATE_REQUESTED))
6753 || !TEST_true(SSL_do_handshake(clientssl)))
6757 /* Check that sending and receiving app data is ok */
6758 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6759 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6763 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6764 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6772 SSL_free(serverssl);
6773 SSL_free(clientssl);
6781 * Test we can handle a KeyUpdate (update requested) message while
6782 * write data is pending in peer.
6783 * Test 0: Client sends KeyUpdate while Server is writing
6784 * Test 1: Server sends KeyUpdate while Client is writing
6786 static int test_key_update_peer_in_write(int tst)
6788 SSL_CTX *cctx = NULL, *sctx = NULL;
6789 SSL *clientssl = NULL, *serverssl = NULL;
6792 static char *mess = "A test message";
6793 BIO *bretry = BIO_new(bio_s_always_retry());
6795 SSL *peerupdate = NULL, *peerwrite = NULL;
6797 if (!TEST_ptr(bretry)
6798 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6799 TLS_client_method(),
6802 &sctx, &cctx, cert, privkey))
6803 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6805 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6809 peerupdate = tst == 0 ? clientssl : serverssl;
6810 peerwrite = tst == 0 ? serverssl : clientssl;
6812 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
6813 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
6816 /* Swap the writing endpoint's write BIO to force a retry */
6817 tmp = SSL_get_wbio(peerwrite);
6818 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6822 SSL_set0_wbio(peerwrite, bretry);
6825 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6826 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6827 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE)
6828 || !TEST_true(SSL_want_write(peerwrite))
6829 || !TEST_true(SSL_net_write_desired(peerwrite)))
6832 /* Reinstate the original writing endpoint's write BIO */
6833 SSL_set0_wbio(peerwrite, tmp);
6836 /* Now read some data - we will read the key update */
6837 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6838 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ)
6839 || !TEST_true(SSL_want_read(peerwrite))
6840 || !TEST_true(SSL_net_read_desired(peerwrite)))
6844 * Complete the write we started previously and read it from the other
6847 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6848 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6851 /* Write more data to ensure we send the KeyUpdate message back */
6852 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6853 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6856 if (!TEST_false(SSL_net_read_desired(peerwrite))
6857 || !TEST_false(SSL_net_write_desired(peerwrite))
6858 || !TEST_int_eq(SSL_want(peerwrite), SSL_NOTHING))
6864 SSL_free(serverssl);
6865 SSL_free(clientssl);
6875 * Test we can handle a KeyUpdate (update requested) message while
6876 * peer read data is pending after peer accepted keyupdate(the msg header
6877 * had been read 5 bytes).
6878 * Test 0: Client sends KeyUpdate while Server is reading
6879 * Test 1: Server sends KeyUpdate while Client is reading
6881 static int test_key_update_peer_in_read(int tst)
6883 SSL_CTX *cctx = NULL, *sctx = NULL;
6884 SSL *clientssl = NULL, *serverssl = NULL;
6886 char prbuf[515], lwbuf[515] = {0};
6887 static char *mess = "A test message";
6888 BIO *lbio = NULL, *pbio = NULL;
6889 SSL *local = NULL, *peer = NULL;
6891 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6892 TLS_client_method(),
6895 &sctx, &cctx, cert, privkey))
6896 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6898 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6902 local = tst == 0 ? clientssl : serverssl;
6903 peer = tst == 0 ? serverssl : clientssl;
6905 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6908 SSL_set_bio(local, lbio, lbio);
6909 SSL_set_bio(peer, pbio, pbio);
6912 * we first write keyupdate msg then appdata in local
6913 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6914 * lwbuf app data msg size + key updata msg size > 512(the size of
6915 * the bio pair buffer)
6917 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6918 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
6919 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6923 * first read keyupdate msg in peer in peer
6924 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6926 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
6927 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
6930 /* Now write some data in peer - we will write the key update */
6931 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
6935 * write data in local previously that we will complete
6936 * read data in peer previously that we will complete
6938 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
6939 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
6942 /* check that sending and receiving appdata ok */
6943 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6944 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6950 SSL_free(serverssl);
6951 SSL_free(clientssl);
6959 * Test we can't send a KeyUpdate (update requested) message while
6960 * local write data is pending.
6961 * Test 0: Client sends KeyUpdate while Client is writing
6962 * Test 1: Server sends KeyUpdate while Server is writing
6964 static int test_key_update_local_in_write(int tst)
6966 SSL_CTX *cctx = NULL, *sctx = NULL;
6967 SSL *clientssl = NULL, *serverssl = NULL;
6970 static char *mess = "A test message";
6971 BIO *bretry = BIO_new(bio_s_always_retry());
6973 SSL *local = NULL, *peer = NULL;
6975 if (!TEST_ptr(bretry)
6976 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6977 TLS_client_method(),
6980 &sctx, &cctx, cert, privkey))
6981 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6983 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6987 local = tst == 0 ? clientssl : serverssl;
6988 peer = tst == 0 ? serverssl : clientssl;
6990 /* Swap the writing endpoint's write BIO to force a retry */
6991 tmp = SSL_get_wbio(local);
6992 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6996 SSL_set0_wbio(local, bretry);
6999 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
7000 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
7001 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
7004 /* Reinstate the original writing endpoint's write BIO */
7005 SSL_set0_wbio(local, tmp);
7008 /* SSL_key_update will fail, because writing in local*/
7009 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
7010 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
7014 /* write data in local previously that we will complete */
7015 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
7018 /* SSL_key_update will succeed because there is no pending write data */
7019 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
7020 || !TEST_int_eq(SSL_do_handshake(local), 1))
7024 * we write some appdata in local
7025 * read data in peer - we will read the keyupdate msg
7027 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
7028 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
7031 /* Write more peer more data to ensure we send the keyupdate message back */
7032 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
7033 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
7039 SSL_free(serverssl);
7040 SSL_free(clientssl);
7050 * Test we can handle a KeyUpdate (update requested) message while
7051 * local read data is pending(the msg header had been read 5 bytes).
7052 * Test 0: Client sends KeyUpdate while Client is reading
7053 * Test 1: Server sends KeyUpdate while Server is reading
7055 static int test_key_update_local_in_read(int tst)
7057 SSL_CTX *cctx = NULL, *sctx = NULL;
7058 SSL *clientssl = NULL, *serverssl = NULL;
7060 char lrbuf[515], pwbuf[515] = {0}, prbuf[20];
7061 static char *mess = "A test message";
7062 BIO *lbio = NULL, *pbio = NULL;
7063 SSL *local = NULL, *peer = NULL;
7065 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7066 TLS_client_method(),
7069 &sctx, &cctx, cert, privkey))
7070 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7072 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7076 local = tst == 0 ? clientssl : serverssl;
7077 peer = tst == 0 ? serverssl : clientssl;
7079 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
7082 SSL_set_bio(local, lbio, lbio);
7083 SSL_set_bio(peer, pbio, pbio);
7085 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
7086 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
7087 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
7090 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
7091 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
7092 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
7095 /* SSL_do_handshake will send keyupdate msg */
7096 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
7097 || !TEST_int_eq(SSL_do_handshake(local), 1))
7101 * write data in peer previously that we will complete
7102 * read data in local previously that we will complete
7104 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
7105 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
7109 * write data in local
7110 * read data in peer - we will read the key update
7112 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
7113 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
7116 /* Write more peer data to ensure we send the keyupdate message back */
7117 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
7118 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
7124 SSL_free(serverssl);
7125 SSL_free(clientssl);
7131 #endif /* OSSL_NO_USABLE_TLS1_3 */
7134 * Test clearing a connection via SSL_clear(), or resetting it via
7135 * SSL_set_connect_state()/SSL_set_accept_state()
7136 * Test 0: SSL_set_connect_state, TLSv1.3
7137 * Test 1: SSL_set_connect_state, TLSv1.2
7138 * Test 2: SSL_set_accept_state, TLSv1.3
7139 * Test 3: SSL_set_accept_state, TLSv1.2
7140 * Test 4: SSL_clear (client), TLSv1.3
7141 * Test 5: SSL_clear (client), TLSv1.2
7142 * Test 6: SSL_clear (server), TLSv1.3
7143 * Test 7: SSL_clear (server), TLSv1.2
7145 static int test_ssl_clear(int idx)
7147 SSL_CTX *cctx = NULL, *sctx = NULL;
7148 SSL *clientssl = NULL, *serverssl = NULL;
7149 SSL *writer, *reader;
7151 int tls12test, servertest, cleartest;
7152 size_t written, readbytes;
7153 const char *msg = "Hello World";
7154 unsigned char buf[5];
7156 tls12test = idx & 1;
7158 servertest = idx & 1;
7160 cleartest = idx & 1;
7162 #ifdef OPENSSL_NO_TLS1_2
7164 return TEST_skip("No TLSv1.2 in this build");
7167 /* Create an initial connection */
7168 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7169 TLS_client_method(), TLS1_VERSION, 0,
7170 &sctx, &cctx, cert, privkey))
7172 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
7174 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7175 &clientssl, NULL, NULL))
7176 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7188 /* Write some data */
7189 if (!TEST_true(SSL_write_ex(writer, msg, strlen(msg), &written))
7190 || written != strlen(msg))
7194 * Read a partial record. The remaining buffered data should be cleared by
7195 * the subsequent clear/reset
7197 if (!TEST_true(SSL_read_ex(reader, buf, sizeof(buf), &readbytes))
7198 || readbytes != sizeof(buf))
7201 SSL_shutdown(clientssl);
7202 SSL_shutdown(serverssl);
7204 /* Reset/clear one SSL object in order to reuse it. We free the other one */
7207 if (!TEST_true(SSL_clear(serverssl)))
7210 SSL_set_accept_state(serverssl);
7213 * A peculiarity of SSL_clear() is that it does not clear the session.
7214 * This is intended behaviour so that a client can create a new
7215 * connection and reuse the session. But this doesn't make much sense
7216 * on the server side - and causes incorrect behaviour due to the
7217 * handshake failing (even though the documentation does say SSL_clear()
7218 * is supposed to work on the server side). We clear the session
7219 * explicitly - although note that the documentation for
7220 * SSL_set_session() says that its only useful for clients!
7222 if (!TEST_true(SSL_set_session(serverssl, NULL)))
7224 SSL_free(clientssl);
7228 if (!TEST_true(SSL_clear(clientssl)))
7231 SSL_set_connect_state(clientssl);
7233 SSL_free(serverssl);
7237 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7239 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7241 || !TEST_true(servertest || SSL_session_reused(clientssl)))
7244 SSL_shutdown(clientssl);
7245 SSL_shutdown(serverssl);
7250 SSL_free(serverssl);
7251 SSL_free(clientssl);
7258 /* Parse CH and retrieve any MFL extension value if present */
7259 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
7262 unsigned char *data;
7263 PACKET pkt, pkt2, pkt3;
7264 unsigned int MFL_code = 0, type = 0;
7266 if (!TEST_uint_gt(len = BIO_get_mem_data(bio, (char **) &data), 0))
7269 memset(&pkt, 0, sizeof(pkt));
7270 memset(&pkt2, 0, sizeof(pkt2));
7271 memset(&pkt3, 0, sizeof(pkt3));
7273 if (!TEST_long_gt(len, 0)
7274 || !TEST_true(PACKET_buf_init(&pkt, data, len))
7275 /* Skip the record header */
7276 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
7277 /* Skip the handshake message header */
7278 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
7279 /* Skip client version and random */
7280 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
7281 + SSL3_RANDOM_SIZE))
7282 /* Skip session id */
7283 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
7285 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
7286 /* Skip compression */
7287 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
7288 /* Extensions len */
7289 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
7292 /* Loop through all extensions */
7293 while (PACKET_remaining(&pkt2)) {
7294 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
7295 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
7298 if (type == TLSEXT_TYPE_max_fragment_length) {
7299 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
7300 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
7303 *mfl_codemfl_code = MFL_code;
7312 /* Maximum-Fragment-Length TLS extension mode to test */
7313 static const unsigned char max_fragment_len_test[] = {
7314 TLSEXT_max_fragment_length_512,
7315 TLSEXT_max_fragment_length_1024,
7316 TLSEXT_max_fragment_length_2048,
7317 TLSEXT_max_fragment_length_4096
7320 static int test_max_fragment_len_ext(int idx_tst)
7322 SSL_CTX *ctx = NULL;
7324 int testresult = 0, MFL_mode = 0;
7327 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
7328 TLS1_VERSION, 0, NULL, &ctx, NULL,
7332 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
7333 ctx, max_fragment_len_test[idx_tst])))
7340 rbio = BIO_new(BIO_s_mem());
7341 wbio = BIO_new(BIO_s_mem());
7342 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
7348 SSL_set_bio(con, rbio, wbio);
7350 if (!TEST_int_le(SSL_connect(con), 0)) {
7351 /* This shouldn't succeed because we don't have a server! */
7355 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
7356 /* no MFL in client hello */
7358 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
7370 #ifndef OSSL_NO_USABLE_TLS1_3
7371 static int test_pha_key_update(void)
7373 SSL_CTX *cctx = NULL, *sctx = NULL;
7374 SSL *clientssl = NULL, *serverssl = NULL;
7377 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7378 TLS_client_method(), TLS1_VERSION, 0,
7379 &sctx, &cctx, cert, privkey)))
7382 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
7383 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
7384 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
7385 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
7388 SSL_CTX_set_post_handshake_auth(cctx, 1);
7390 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7394 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7398 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7399 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7402 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
7405 /* Start handshake on the server */
7406 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
7409 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
7410 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7414 SSL_shutdown(clientssl);
7415 SSL_shutdown(serverssl);
7420 SSL_free(serverssl);
7421 SSL_free(clientssl);
7428 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7430 static SRP_VBASE *vbase = NULL;
7432 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
7434 int ret = SSL3_AL_FATAL;
7436 SRP_user_pwd *user = NULL;
7438 username = SSL_get_srp_username(s);
7439 if (username == NULL) {
7440 *ad = SSL_AD_INTERNAL_ERROR;
7444 user = SRP_VBASE_get1_by_user(vbase, username);
7446 *ad = SSL_AD_INTERNAL_ERROR;
7450 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
7452 *ad = SSL_AD_INTERNAL_ERROR;
7459 SRP_user_pwd_free(user);
7463 static int create_new_vfile(char *userid, char *password, const char *filename)
7466 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
7469 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
7472 if (!TEST_ptr(dummy) || !TEST_ptr(row))
7475 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
7476 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
7477 if (!TEST_ptr(gNid))
7481 * The only way to create an empty TXT_DB is to provide a BIO with no data
7484 db = TXT_DB_read(dummy, DB_NUMBER);
7488 out = BIO_new_file(filename, "w");
7492 row[DB_srpid] = OPENSSL_strdup(userid);
7493 row[DB_srptype] = OPENSSL_strdup("V");
7494 row[DB_srpgN] = OPENSSL_strdup(gNid);
7496 if (!TEST_ptr(row[DB_srpid])
7497 || !TEST_ptr(row[DB_srptype])
7498 || !TEST_ptr(row[DB_srpgN])
7499 || !TEST_true(TXT_DB_insert(db, row)))
7504 if (TXT_DB_write(out, db) <= 0)
7510 for (i = 0; i < DB_NUMBER; i++)
7511 OPENSSL_free(row[i]);
7521 static int create_new_vbase(char *userid, char *password)
7523 BIGNUM *verifier = NULL, *salt = NULL;
7524 const SRP_gN *lgN = NULL;
7525 SRP_user_pwd *user_pwd = NULL;
7528 lgN = SRP_get_default_gN(NULL);
7532 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
7533 lgN->N, lgN->g, libctx, NULL)))
7536 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
7537 if (!TEST_ptr(user_pwd))
7540 user_pwd->N = lgN->N;
7541 user_pwd->g = lgN->g;
7542 user_pwd->id = OPENSSL_strdup(userid);
7543 if (!TEST_ptr(user_pwd->id))
7546 user_pwd->v = verifier;
7548 verifier = salt = NULL;
7550 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
7556 SRP_user_pwd_free(user_pwd);
7566 * Test 0: Simple successful SRP connection, new vbase
7567 * Test 1: Connection failure due to bad password, new vbase
7568 * Test 2: Simple successful SRP connection, vbase loaded from existing file
7569 * Test 3: Connection failure due to bad password, vbase loaded from existing
7571 * Test 4: Simple successful SRP connection, vbase loaded from new file
7572 * Test 5: Connection failure due to bad password, vbase loaded from new file
7574 static int test_srp(int tst)
7576 char *userid = "test", *password = "password", *tstsrpfile;
7577 SSL_CTX *cctx = NULL, *sctx = NULL;
7578 SSL *clientssl = NULL, *serverssl = NULL;
7579 int ret, testresult = 0;
7581 vbase = SRP_VBASE_new(NULL);
7582 if (!TEST_ptr(vbase))
7585 if (tst == 0 || tst == 1) {
7586 if (!TEST_true(create_new_vbase(userid, password)))
7589 if (tst == 4 || tst == 5) {
7590 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
7592 tstsrpfile = tmpfilename;
7594 tstsrpfile = srpvfile;
7596 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
7600 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7601 TLS_client_method(), TLS1_VERSION, 0,
7602 &sctx, &cctx, cert, privkey)))
7605 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
7606 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
7607 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
7608 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
7609 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
7613 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
7616 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
7620 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7624 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7626 if (!TEST_true(tst % 2 == 0))
7629 if (!TEST_true(tst % 2 == 1))
7636 SRP_VBASE_free(vbase);
7638 SSL_free(serverssl);
7639 SSL_free(clientssl);
7647 static int info_cb_failed = 0;
7648 static int info_cb_offset = 0;
7649 static int info_cb_this_state = -1;
7651 static struct info_cb_states_st {
7653 const char *statestr;
7654 } info_cb_states[][60] = {
7656 /* TLSv1.2 server followed by resumption */
7657 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7658 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7659 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
7660 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
7661 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
7662 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7663 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7664 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7665 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"},
7666 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7667 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
7668 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7669 {SSL_CB_EXIT, NULL}, {0, NULL},
7671 /* TLSv1.2 client followed by resumption */
7672 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7673 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7674 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
7675 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
7676 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
7677 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7678 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7679 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7680 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7681 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7682 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7683 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
7685 /* TLSv1.3 server followed by resumption */
7686 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7687 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7688 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
7689 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7690 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7691 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7692 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7693 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7694 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7695 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7696 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7697 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7698 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7700 /* TLSv1.3 client followed by resumption */
7701 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7702 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7703 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
7704 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7705 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7706 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7707 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7708 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7709 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7710 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7711 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7712 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7713 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7714 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7715 {SSL_CB_EXIT, NULL}, {0, NULL},
7717 /* TLSv1.3 server, early_data */
7718 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7719 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7720 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7721 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7722 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7723 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
7724 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7725 {SSL_CB_EXIT, NULL}, {0, NULL},
7727 /* TLSv1.3 client, early_data */
7728 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7729 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
7730 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7731 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7732 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7733 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
7734 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7735 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7736 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7738 /* TLSv1.3 server, certificate compression, followed by resumption */
7739 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7740 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7741 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSCC"},
7742 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7743 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7744 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7745 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7746 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7747 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7748 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7749 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7750 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7751 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7753 /* TLSv1.3 client, certificate compression, followed by resumption */
7754 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7755 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7756 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSCC"},
7757 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7758 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7759 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7760 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7761 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7762 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7763 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7764 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7765 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7766 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7767 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7768 {SSL_CB_EXIT, NULL}, {0, NULL},
7774 static void sslapi_info_callback(const SSL *s, int where, int ret)
7776 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
7778 /* We do not ever expect a connection to fail in this test */
7779 if (!TEST_false(ret == 0)) {
7785 * Do some sanity checks. We never expect these things to happen in this
7788 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
7789 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
7790 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
7795 /* Now check we're in the right state */
7796 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
7800 if ((where & SSL_CB_LOOP) != 0
7801 && !TEST_int_eq(strcmp(SSL_state_string(s),
7802 state[info_cb_this_state].statestr), 0)) {
7808 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7810 if ((where & SSL_CB_HANDSHAKE_DONE)
7811 && SSL_in_init((SSL *)s) != 0) {
7818 * Test the info callback gets called when we expect it to.
7820 * Test 0: TLSv1.2, server
7821 * Test 1: TLSv1.2, client
7822 * Test 2: TLSv1.3, server
7823 * Test 3: TLSv1.3, client
7824 * Test 4: TLSv1.3, server, early_data
7825 * Test 5: TLSv1.3, client, early_data
7826 * Test 6: TLSv1.3, server, compressed certificate
7827 * Test 7: TLSv1.3, client, compressed certificate
7829 static int test_info_callback(int tst)
7831 SSL_CTX *cctx = NULL, *sctx = NULL;
7832 SSL *clientssl = NULL, *serverssl = NULL;
7833 SSL_SESSION *clntsess = NULL;
7838 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
7839 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7840 || !defined(OPENSSL_NO_DH))
7841 tlsvers = TLS1_2_VERSION;
7846 #ifndef OSSL_NO_USABLE_TLS1_3
7847 tlsvers = TLS1_3_VERSION;
7855 info_cb_this_state = -1;
7856 info_cb_offset = tst;
7858 #ifndef OSSL_NO_USABLE_TLS1_3
7859 if (tst >= 4 && tst < 6) {
7860 SSL_SESSION *sess = NULL;
7861 size_t written, readbytes;
7862 unsigned char buf[80];
7865 /* early_data tests */
7866 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
7867 &serverssl, &sess, 0,
7868 SHA384_DIGEST_LENGTH)))
7871 /* We don't actually need this reference */
7872 SSL_SESSION_free(sess);
7874 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
7875 sslapi_info_callback);
7877 /* Write and read some early data and then complete the connection */
7878 timer = ossl_time_now();
7879 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
7881 || !TEST_size_t_eq(written, strlen(MSG1)))
7884 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf,
7885 sizeof(buf), &readbytes),
7886 SSL_READ_EARLY_DATA_SUCCESS)) {
7887 testresult = check_early_data_timeout(timer);
7891 if (!TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
7892 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
7893 SSL_EARLY_DATA_ACCEPTED)
7894 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7896 || !TEST_false(info_cb_failed))
7904 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7905 TLS_client_method(),
7906 tlsvers, tlsvers, &sctx, &cctx, cert,
7910 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
7914 * For even numbered tests we check the server callbacks. For odd numbers we
7917 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
7918 sslapi_info_callback);
7920 if (!SSL_CTX_compress_certs(sctx, 0))
7924 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7925 &clientssl, NULL, NULL))
7926 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7928 || !TEST_false(info_cb_failed))
7933 clntsess = SSL_get1_session(clientssl);
7934 SSL_shutdown(clientssl);
7935 SSL_shutdown(serverssl);
7936 SSL_free(serverssl);
7937 SSL_free(clientssl);
7938 serverssl = clientssl = NULL;
7940 /* Now do a resumption */
7941 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7943 || !TEST_true(SSL_set_session(clientssl, clntsess))
7944 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7946 || !TEST_true(SSL_session_reused(clientssl))
7947 || !TEST_false(info_cb_failed))
7953 SSL_free(serverssl);
7954 SSL_free(clientssl);
7955 SSL_SESSION_free(clntsess);
7961 static int test_ssl_pending(int tst)
7963 SSL_CTX *cctx = NULL, *sctx = NULL;
7964 SSL *clientssl = NULL, *serverssl = NULL;
7966 char msg[] = "A test message";
7968 size_t written, readbytes;
7971 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7972 TLS_client_method(),
7974 &sctx, &cctx, cert, privkey)))
7977 #ifndef OPENSSL_NO_DTLS
7978 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
7979 DTLS_client_method(),
7981 &sctx, &cctx, cert, privkey)))
7984 # ifdef OPENSSL_NO_DTLS1_2
7985 /* Not supported in the FIPS provider */
7991 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7994 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
7995 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
7996 "DEFAULT:@SECLEVEL=0")))
8004 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8006 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8010 if (!TEST_int_eq(SSL_pending(clientssl), 0)
8011 || !TEST_false(SSL_has_pending(clientssl))
8012 || !TEST_int_eq(SSL_pending(serverssl), 0)
8013 || !TEST_false(SSL_has_pending(serverssl))
8014 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8015 || !TEST_size_t_eq(written, sizeof(msg))
8016 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
8017 || !TEST_size_t_eq(readbytes, sizeof(buf))
8018 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
8019 || !TEST_true(SSL_has_pending(clientssl)))
8025 SSL_free(serverssl);
8026 SSL_free(clientssl);
8034 unsigned int maxprot;
8035 const char *clntciphers;
8036 const char *clnttls13ciphers;
8037 const char *srvrciphers;
8038 const char *srvrtls13ciphers;
8040 const char *fipsshared;
8041 } shared_ciphers_data[] = {
8043 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
8044 * TLSv1.3 is enabled but TLSv1.2 is disabled.
8046 #if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
8049 "AES128-SHA:AES256-SHA",
8051 "AES256-SHA:DHE-RSA-AES128-SHA",
8056 # if !defined(OPENSSL_NO_CHACHA) \
8057 && !defined(OPENSSL_NO_POLY1305) \
8058 && !defined(OPENSSL_NO_EC)
8061 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
8063 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
8065 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
8071 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
8073 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
8075 "AES128-SHA:AES256-SHA",
8076 "AES128-SHA:AES256-SHA"
8080 "AES128-SHA:AES256-SHA",
8082 "AES128-SHA:DHE-RSA-AES128-SHA",
8089 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
8092 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
8093 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
8096 "AES128-SHA:AES256-SHA",
8098 "AES256-SHA:AES128-SHA256",
8100 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
8101 "TLS_AES_128_GCM_SHA256:AES256-SHA",
8102 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
8105 #ifndef OSSL_NO_USABLE_TLS1_3
8109 "TLS_AES_256_GCM_SHA384",
8111 "TLS_AES_256_GCM_SHA384",
8112 "TLS_AES_256_GCM_SHA384",
8113 "TLS_AES_256_GCM_SHA384"
8118 static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
8120 SSL_CTX *cctx = NULL, *sctx = NULL;
8121 SSL *clientssl = NULL, *serverssl = NULL;
8124 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
8126 if (!TEST_ptr(tmplibctx))
8130 * Regardless of whether we're testing with the FIPS provider loaded into
8131 * libctx, we want one peer to always use the full set of ciphersuites
8132 * available. Therefore we use a separate libctx with the default provider
8133 * loaded into it. We run the same tests twice - once with the client side
8134 * having the full set of ciphersuites and once with the server side.
8137 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
8138 if (!TEST_ptr(cctx))
8141 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
8142 if (!TEST_ptr(sctx))
8146 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8147 TLS_client_method(),
8149 shared_ciphers_data[tst].maxprot,
8150 &sctx, &cctx, cert, privkey)))
8153 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8154 shared_ciphers_data[tst].clntciphers))
8155 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
8156 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
8157 shared_ciphers_data[tst].clnttls13ciphers)))
8158 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
8159 shared_ciphers_data[tst].srvrciphers))
8160 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
8161 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
8162 shared_ciphers_data[tst].srvrtls13ciphers))))
8166 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8168 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8172 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
8173 || !TEST_int_eq(strcmp(buf,
8175 ? shared_ciphers_data[tst].fipsshared
8176 : shared_ciphers_data[tst].shared),
8178 TEST_info("Shared ciphers are: %s\n", buf);
8185 SSL_free(serverssl);
8186 SSL_free(clientssl);
8189 OSSL_LIB_CTX_free(tmplibctx);
8194 static int test_ssl_get_shared_ciphers(int tst)
8196 return int_test_ssl_get_shared_ciphers(tst, 0)
8197 && int_test_ssl_get_shared_ciphers(tst, 1);
8201 static const char *appdata = "Hello World";
8202 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
8203 static int tick_key_renew = 0;
8204 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
8206 static int gen_tick_cb(SSL *s, void *arg)
8208 gen_tick_called = 1;
8210 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
8214 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
8215 const unsigned char *keyname,
8216 size_t keyname_length,
8217 SSL_TICKET_STATUS status,
8223 dec_tick_called = 1;
8225 if (status == SSL_TICKET_EMPTY)
8226 return SSL_TICKET_RETURN_IGNORE_RENEW;
8228 if (!TEST_true(status == SSL_TICKET_SUCCESS
8229 || status == SSL_TICKET_SUCCESS_RENEW))
8230 return SSL_TICKET_RETURN_ABORT;
8232 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
8234 || !TEST_size_t_eq(tickdlen, strlen(appdata))
8235 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
8236 return SSL_TICKET_RETURN_ABORT;
8238 if (tick_key_cb_called) {
8239 /* Don't change what the ticket key callback wanted to do */
8241 case SSL_TICKET_NO_DECRYPT:
8242 return SSL_TICKET_RETURN_IGNORE_RENEW;
8244 case SSL_TICKET_SUCCESS:
8245 return SSL_TICKET_RETURN_USE;
8247 case SSL_TICKET_SUCCESS_RENEW:
8248 return SSL_TICKET_RETURN_USE_RENEW;
8251 return SSL_TICKET_RETURN_ABORT;
8254 return tick_dec_ret;
8258 #ifndef OPENSSL_NO_DEPRECATED_3_0
8259 static int tick_key_cb(SSL *s, unsigned char key_name[16],
8260 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
8261 HMAC_CTX *hctx, int enc)
8263 const unsigned char tick_aes_key[16] = "0123456789abcdef";
8264 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
8265 EVP_CIPHER *aes128cbc;
8269 tick_key_cb_called = 1;
8271 if (tick_key_renew == -1)
8274 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
8275 if (!TEST_ptr(aes128cbc))
8277 sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
8278 if (!TEST_ptr(sha256)) {
8279 EVP_CIPHER_free(aes128cbc);
8283 memset(iv, 0, AES_BLOCK_SIZE);
8284 memset(key_name, 0, 16);
8285 if (aes128cbc == NULL
8287 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
8288 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
8292 ret = tick_key_renew ? 2 : 1;
8294 EVP_CIPHER_free(aes128cbc);
8295 EVP_MD_free(sha256);
8301 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
8302 unsigned char iv[EVP_MAX_IV_LENGTH],
8303 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
8305 const unsigned char tick_aes_key[16] = "0123456789abcdef";
8306 unsigned char tick_hmac_key[16] = "0123456789abcdef";
8307 OSSL_PARAM params[2];
8308 EVP_CIPHER *aes128cbc;
8311 tick_key_cb_called = 1;
8313 if (tick_key_renew == -1)
8316 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
8317 if (!TEST_ptr(aes128cbc))
8320 memset(iv, 0, AES_BLOCK_SIZE);
8321 memset(key_name, 0, 16);
8322 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
8324 params[1] = OSSL_PARAM_construct_end();
8325 if (aes128cbc == NULL
8326 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
8327 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
8331 ret = tick_key_renew ? 2 : 1;
8333 EVP_CIPHER_free(aes128cbc);
8339 * Test the various ticket callbacks
8340 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
8341 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
8342 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
8343 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
8344 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
8345 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
8346 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
8347 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
8348 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
8349 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
8350 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
8351 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
8352 * Test 12: TLSv1.2, old ticket key callback, no ticket
8353 * Test 13: TLSv1.3, old ticket key callback, no ticket
8354 * Test 14: TLSv1.2, ticket key callback, ticket, no renewal
8355 * Test 15: TLSv1.3, ticket key callback, ticket, no renewal
8356 * Test 16: TLSv1.2, ticket key callback, ticket, renewal
8357 * Test 17: TLSv1.3, ticket key callback, ticket, renewal
8358 * Test 18: TLSv1.2, ticket key callback, no ticket
8359 * Test 19: TLSv1.3, ticket key callback, no ticket
8361 static int test_ticket_callbacks(int tst)
8363 SSL_CTX *cctx = NULL, *sctx = NULL;
8364 SSL *clientssl = NULL, *serverssl = NULL;
8365 SSL_SESSION *clntsess = NULL;
8368 #ifdef OPENSSL_NO_TLS1_2
8372 #ifdef OSSL_NO_USABLE_TLS1_3
8376 #ifdef OPENSSL_NO_DEPRECATED_3_0
8377 if (tst >= 8 && tst <= 13)
8381 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
8383 /* Which tests the ticket key callback should request renewal for */
8385 if (tst == 10 || tst == 11 || tst == 16 || tst == 17)
8387 else if (tst == 12 || tst == 13 || tst == 18 || tst == 19)
8388 tick_key_renew = -1; /* abort sending the ticket/0-length ticket */
8392 /* Which tests the decrypt ticket callback should request renewal for */
8396 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
8401 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
8406 tick_dec_ret = SSL_TICKET_RETURN_USE;
8411 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
8415 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
8418 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8419 TLS_client_method(),
8421 ((tst % 2) == 0) ? TLS1_2_VERSION
8423 &sctx, &cctx, cert, privkey)))
8427 * We only want sessions to resume from tickets - not the session cache. So
8428 * switch the cache off.
8430 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
8433 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
8438 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
8440 #ifndef OPENSSL_NO_DEPRECATED_3_0
8441 } else if (tst >= 8) {
8442 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
8447 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8449 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8454 * The decrypt ticket key callback in TLSv1.2 should be called even though
8455 * we have no ticket yet, because it gets called with a status of
8456 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
8457 * actually send any ticket data). This does not happen in TLSv1.3 because
8458 * it is not valid to send empty ticket data in TLSv1.3.
8460 if (!TEST_int_eq(gen_tick_called, 1)
8461 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
8464 gen_tick_called = dec_tick_called = 0;
8466 clntsess = SSL_get1_session(clientssl);
8467 SSL_shutdown(clientssl);
8468 SSL_shutdown(serverssl);
8469 SSL_free(serverssl);
8470 SSL_free(clientssl);
8471 serverssl = clientssl = NULL;
8473 /* Now do a resumption */
8474 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8476 || !TEST_true(SSL_set_session(clientssl, clntsess))
8477 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8481 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
8482 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8483 || tick_key_renew == -1) {
8484 if (!TEST_false(SSL_session_reused(clientssl)))
8487 if (!TEST_true(SSL_session_reused(clientssl)))
8491 if (!TEST_int_eq(gen_tick_called,
8493 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8494 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
8496 /* There is no ticket to decrypt in tests 13 and 19 */
8497 || !TEST_int_eq(dec_tick_called, (tst == 13 || tst == 19) ? 0 : 1))
8503 SSL_SESSION_free(clntsess);
8504 SSL_free(serverssl);
8505 SSL_free(clientssl);
8513 * Test incorrect shutdown.
8514 * Test 0: client does not shutdown properly,
8515 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
8516 * server should get SSL_ERROR_SSL
8517 * Test 1: client does not shutdown properly,
8518 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
8519 * server should get SSL_ERROR_ZERO_RETURN
8521 static int test_incorrect_shutdown(int tst)
8523 SSL_CTX *cctx = NULL, *sctx = NULL;
8524 SSL *clientssl = NULL, *serverssl = NULL;
8529 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8530 TLS_client_method(), 0, 0,
8531 &sctx, &cctx, cert, privkey)))
8535 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
8537 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8541 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8545 c2s = SSL_get_rbio(serverssl);
8546 BIO_set_mem_eof_return(c2s, 0);
8548 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
8551 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
8553 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
8559 SSL_free(serverssl);
8560 SSL_free(clientssl);
8568 * Test bi-directional shutdown.
8570 * Test 1: TLSv1.2, server continues to read/write after client shutdown
8571 * Test 2: TLSv1.3, no pending NewSessionTicket messages
8572 * Test 3: TLSv1.3, pending NewSessionTicket messages
8573 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
8574 * sends key update, client reads it
8575 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
8576 * sends CertificateRequest, client reads and ignores it
8577 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
8580 static int test_shutdown(int tst)
8582 SSL_CTX *cctx = NULL, *sctx = NULL;
8583 SSL *clientssl = NULL, *serverssl = NULL;
8585 char msg[] = "A test message";
8587 size_t written, readbytes;
8590 #ifdef OPENSSL_NO_TLS1_2
8594 #ifdef OSSL_NO_USABLE_TLS1_3
8599 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8600 TLS_client_method(),
8602 (tst <= 1) ? TLS1_2_VERSION
8604 &sctx, &cctx, cert, privkey)))
8608 SSL_CTX_set_post_handshake_auth(cctx, 1);
8610 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8615 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
8616 SSL_ERROR_NONE, 1, 0))
8617 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8618 || !TEST_false(SSL_SESSION_is_resumable(sess)))
8620 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8622 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8623 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
8627 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8632 * Reading on the server after the client has sent close_notify should
8633 * fail and provide SSL_ERROR_ZERO_RETURN
8635 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
8636 || !TEST_int_eq(SSL_get_error(serverssl, 0),
8637 SSL_ERROR_ZERO_RETURN)
8638 || !TEST_int_eq(SSL_get_shutdown(serverssl),
8639 SSL_RECEIVED_SHUTDOWN)
8641 * Even though we're shutdown on receive we should still be
8644 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8647 && !TEST_true(SSL_key_update(serverssl,
8648 SSL_KEY_UPDATE_REQUESTED)))
8651 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
8652 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
8655 if ((tst == 4 || tst == 5)
8656 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8658 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8660 if (tst == 4 || tst == 5) {
8661 /* Should still be able to read data from server */
8662 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8664 || !TEST_size_t_eq(readbytes, sizeof(msg))
8665 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
8666 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8668 || !TEST_size_t_eq(readbytes, sizeof(msg))
8669 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
8674 /* Writing on the client after sending close_notify shouldn't be possible */
8675 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
8680 * For these tests the client has sent close_notify but it has not yet
8681 * been received by the server. The server has not sent close_notify
8684 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
8686 * Writing on the server after sending close_notify shouldn't
8689 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8690 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
8691 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8692 || !TEST_true(SSL_SESSION_is_resumable(sess))
8693 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
8695 } else if (tst == 4 || tst == 5) {
8697 * In this test the client has sent close_notify and it has been
8698 * received by the server which has responded with a close_notify. The
8699 * client needs to read the close_notify sent by the server.
8701 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
8702 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8703 || !TEST_true(SSL_SESSION_is_resumable(sess)))
8709 * The client has sent close_notify and is expecting a close_notify
8710 * back, but instead there is application data first. The shutdown
8711 * should fail with a fatal error.
8713 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
8714 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
8721 SSL_free(serverssl);
8722 SSL_free(clientssl);
8730 * Test that sending close_notify alerts works correctly in the case of a
8731 * retryable write failure.
8733 static int test_async_shutdown(void)
8735 SSL_CTX *cctx = NULL, *sctx = NULL;
8736 SSL *clientssl = NULL, *serverssl = NULL;
8738 BIO *bretry = BIO_new(bio_s_always_retry()), *tmp = NULL;
8740 if (!TEST_ptr(bretry))
8743 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8744 TLS_client_method(),
8746 &sctx, &cctx, cert, privkey)))
8749 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8753 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8756 /* Close write side of clientssl */
8757 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8760 tmp = SSL_get_wbio(serverssl);
8761 if (!TEST_true(BIO_up_ref(tmp))) {
8765 SSL_set0_wbio(serverssl, bretry);
8768 /* First server shutdown should fail because of a retrable write failure */
8769 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8770 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8773 /* Second server shutdown should fail for the same reason */
8774 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8775 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8778 SSL_set0_wbio(serverssl, tmp);
8781 /* Third server shutdown should send close_notify */
8782 if (!TEST_int_eq(SSL_shutdown(serverssl), 0))
8785 /* Fourth server shutdown should read close_notify from client and finish */
8786 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8789 /* Client should also successfully fully shutdown */
8790 if (!TEST_int_eq(SSL_shutdown(clientssl), 1))
8795 SSL_free(serverssl);
8796 SSL_free(clientssl);
8805 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8806 static int cert_cb_cnt;
8808 static int cert_cb(SSL *s, void *arg)
8810 SSL_CTX *ctx = (SSL_CTX *)arg;
8812 EVP_PKEY *pkey = NULL;
8813 X509 *x509 = NULL, *rootx = NULL;
8814 STACK_OF(X509) *chain = NULL;
8815 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
8818 if (cert_cb_cnt == 0) {
8819 /* Suspend the handshake */
8822 } else if (cert_cb_cnt == 1) {
8824 * Update the SSL_CTX, set the certificate and private key and then
8825 * continue the handshake normally.
8827 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
8830 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
8831 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
8833 || !TEST_true(SSL_check_private_key(s)))
8837 } else if (cert_cb_cnt == 3) {
8840 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
8841 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8842 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8843 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
8845 chain = sk_X509_new_null();
8846 if (!TEST_ptr(chain))
8848 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8849 || !TEST_int_gt(BIO_read_filename(in, rootfile), 0)
8850 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
8851 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
8852 || !TEST_true(sk_X509_push(chain, rootx)))
8856 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8857 || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0)
8858 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
8859 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
8862 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8863 || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0)
8864 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
8868 rv = SSL_check_chain(s, x509, pkey, chain);
8870 * If the cert doesn't show as valid here (e.g., because we don't
8871 * have any shared sigalgs), then we will not set it, and there will
8872 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8873 * will cause tls_choose_sigalgs() to fail the connection.
8875 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
8876 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
8877 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
8884 /* Abort the handshake */
8886 OPENSSL_free(ecdsacert);
8887 OPENSSL_free(ecdsakey);
8888 OPENSSL_free(rootfile);
8890 EVP_PKEY_free(pkey);
8893 OSSL_STACK_OF_X509_free(chain);
8898 * Test the certificate callback.
8899 * Test 0: Callback fails
8900 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8901 * Test 2: Success - SSL_set_SSL_CTX() in the callback
8902 * Test 3: Success - Call SSL_check_chain from the callback
8903 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8905 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
8907 static int test_cert_cb_int(int prot, int tst)
8909 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
8910 SSL *clientssl = NULL, *serverssl = NULL;
8911 int testresult = 0, ret;
8913 #ifdef OPENSSL_NO_EC
8914 /* We use an EC cert in these tests, so we skip in a no-ec build */
8919 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8920 TLS_client_method(),
8923 &sctx, &cctx, NULL, NULL)))
8934 snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
8935 if (!TEST_ptr(snictx))
8939 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
8941 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8947 * We cause SSL_check_chain() to fail by specifying sig_algs that
8948 * the chain doesn't meet (the root uses an RSA cert)
8950 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8951 "ecdsa_secp256r1_sha256")))
8953 } else if (tst == 5) {
8955 * We cause SSL_check_chain() to fail by specifying sig_algs that
8956 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8958 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8959 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8963 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
8964 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
8966 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
8973 SSL_free(serverssl);
8974 SSL_free(clientssl);
8977 SSL_CTX_free(snictx);
8983 static int test_cert_cb(int tst)
8987 #ifndef OPENSSL_NO_TLS1_2
8988 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
8990 #ifndef OSSL_NO_USABLE_TLS1_3
8991 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
8997 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
9002 BIO *priv_in = NULL;
9004 /* Check that SSL_get0_peer_certificate() returns something sensible */
9005 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
9008 in = BIO_new_file(cert, "r");
9012 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
9013 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
9014 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
9015 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
9033 static int test_client_cert_cb(int tst)
9035 SSL_CTX *cctx = NULL, *sctx = NULL;
9036 SSL *clientssl = NULL, *serverssl = NULL;
9039 #ifdef OPENSSL_NO_TLS1_2
9043 #ifdef OSSL_NO_USABLE_TLS1_3
9048 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9049 TLS_client_method(),
9051 tst == 0 ? TLS1_2_VERSION
9053 &sctx, &cctx, cert, privkey)))
9057 * Test that setting a client_cert_cb results in a client certificate being
9060 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
9061 SSL_CTX_set_verify(sctx,
9062 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
9065 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9067 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9074 SSL_free(serverssl);
9075 SSL_free(clientssl);
9082 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
9084 * Test setting certificate authorities on both client and server.
9086 * Test 0: SSL_CTX_set0_CA_list() only
9087 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
9088 * Test 2: Only SSL_CTX_set_client_CA_list()
9090 static int test_ca_names_int(int prot, int tst)
9092 SSL_CTX *cctx = NULL, *sctx = NULL;
9093 SSL *clientssl = NULL, *serverssl = NULL;
9096 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
9097 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
9098 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
9099 const STACK_OF(X509_NAME) *sktmp = NULL;
9101 for (i = 0; i < OSSL_NELEM(name); i++) {
9102 name[i] = X509_NAME_new();
9103 if (!TEST_ptr(name[i])
9104 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
9112 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9113 TLS_client_method(),
9116 &sctx, &cctx, cert, privkey)))
9119 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
9121 if (tst == 0 || tst == 1) {
9122 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
9123 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
9124 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
9125 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
9126 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
9127 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
9130 SSL_CTX_set0_CA_list(sctx, sk1);
9131 SSL_CTX_set0_CA_list(cctx, sk2);
9134 if (tst == 1 || tst == 2) {
9135 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
9136 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
9137 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
9138 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
9139 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
9140 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
9143 SSL_CTX_set_client_CA_list(sctx, sk1);
9144 SSL_CTX_set_client_CA_list(cctx, sk2);
9148 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9150 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9155 * We only expect certificate authorities to have been sent to the server
9156 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
9158 sktmp = SSL_get0_peer_CA_list(serverssl);
9159 if (prot == TLS1_3_VERSION
9160 && (tst == 0 || tst == 1)) {
9161 if (!TEST_ptr(sktmp)
9162 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
9163 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
9165 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
9168 } else if (!TEST_ptr_null(sktmp)) {
9173 * In all tests we expect certificate authorities to have been sent to the
9174 * client. However, SSL_set_client_CA_list() should override
9175 * SSL_set0_CA_list()
9177 sktmp = SSL_get0_peer_CA_list(clientssl);
9178 if (!TEST_ptr(sktmp)
9179 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
9180 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
9181 name[tst == 0 ? 0 : 2]), 0)
9182 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
9183 name[tst == 0 ? 1 : 3]), 0))
9189 SSL_free(serverssl);
9190 SSL_free(clientssl);
9193 for (i = 0; i < OSSL_NELEM(name); i++)
9194 X509_NAME_free(name[i]);
9195 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
9196 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
9202 static int test_ca_names(int tst)
9206 #ifndef OPENSSL_NO_TLS1_2
9207 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
9209 #ifndef OSSL_NO_USABLE_TLS1_3
9210 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
9216 #ifndef OPENSSL_NO_TLS1_2
9217 static const char *multiblock_cipherlist_data[]=
9225 /* Reduce the fragment size - so the multiblock test buffer can be small */
9226 # define MULTIBLOCK_FRAGSIZE 512
9228 static int test_multiblock_write(int test_index)
9230 static const char *fetchable_ciphers[]=
9232 "AES-128-CBC-HMAC-SHA1",
9233 "AES-128-CBC-HMAC-SHA256",
9234 "AES-256-CBC-HMAC-SHA1",
9235 "AES-256-CBC-HMAC-SHA256"
9237 const char *cipherlist = multiblock_cipherlist_data[test_index];
9238 const SSL_METHOD *smeth = TLS_server_method();
9239 const SSL_METHOD *cmeth = TLS_client_method();
9240 int min_version = TLS1_VERSION;
9241 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
9242 SSL_CTX *cctx = NULL, *sctx = NULL;
9243 SSL *clientssl = NULL, *serverssl = NULL;
9247 * Choose a buffer large enough to perform a multi-block operation
9248 * i.e: write_len >= 4 * frag_size
9249 * 9 * is chosen so that multiple multiblocks are used + some leftover.
9251 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
9252 unsigned char buf[sizeof(msg)], *p = buf;
9253 size_t readbytes, written, len;
9254 EVP_CIPHER *ciph = NULL;
9257 * Check if the cipher exists before attempting to use it since it only has
9258 * a hardware specific implementation.
9260 ciph = EVP_CIPHER_fetch(libctx, fetchable_ciphers[test_index], "");
9262 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
9265 EVP_CIPHER_free(ciph);
9267 /* Set up a buffer with some data that will be sent to the client */
9268 RAND_bytes(msg, sizeof(msg));
9270 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
9271 max_version, &sctx, &cctx, cert,
9275 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
9278 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9282 /* settings to force it to use AES-CBC-HMAC_SHA */
9283 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
9284 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
9287 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9290 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
9291 || !TEST_size_t_eq(written, sizeof(msg)))
9296 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
9301 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
9306 SSL_free(serverssl);
9307 SSL_free(clientssl);
9313 #endif /* OPENSSL_NO_TLS1_2 */
9315 static int test_session_timeout(int test)
9318 * Test session ordering and timeout
9319 * Can't explicitly test performance of the new code,
9320 * but can test to see if the ordering of the sessions
9321 * are correct, and they are removed as expected
9323 SSL_SESSION *early = NULL;
9324 SSL_SESSION *middle = NULL;
9325 SSL_SESSION *late = NULL;
9328 long now = (long)time(NULL);
9331 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
9332 || !TEST_ptr(early = SSL_SESSION_new())
9333 || !TEST_ptr(middle = SSL_SESSION_new())
9334 || !TEST_ptr(late = SSL_SESSION_new()))
9337 /* assign unique session ids */
9338 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9339 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
9340 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9341 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
9342 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9343 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
9345 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9346 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
9347 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
9350 /* Make sure they are all added */
9351 if (!TEST_ptr(early->prev)
9352 || !TEST_ptr(middle->prev)
9353 || !TEST_ptr(late->prev))
9356 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
9357 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
9358 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
9361 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
9362 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
9363 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
9366 /* Make sure they are all still there */
9367 if (!TEST_ptr(early->prev)
9368 || !TEST_ptr(middle->prev)
9369 || !TEST_ptr(late->prev))
9372 /* Make sure they are in the expected order */
9373 if (!TEST_ptr_eq(late->next, middle)
9374 || !TEST_ptr_eq(middle->next, early)
9375 || !TEST_ptr_eq(early->prev, middle)
9376 || !TEST_ptr_eq(middle->prev, late))
9379 /* This should remove "early" */
9380 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1);
9381 if (!TEST_ptr_null(early->prev)
9382 || !TEST_ptr(middle->prev)
9383 || !TEST_ptr(late->prev))
9386 /* This should remove "middle" */
9387 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1);
9388 if (!TEST_ptr_null(early->prev)
9389 || !TEST_ptr_null(middle->prev)
9390 || !TEST_ptr(late->prev))
9393 /* This should remove "late" */
9394 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11);
9395 if (!TEST_ptr_null(early->prev)
9396 || !TEST_ptr_null(middle->prev)
9397 || !TEST_ptr_null(late->prev))
9400 /* Add them back in again */
9401 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9402 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
9403 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
9406 /* Make sure they are all added */
9407 if (!TEST_ptr(early->prev)
9408 || !TEST_ptr(middle->prev)
9409 || !TEST_ptr(late->prev))
9412 /* This should remove all of them */
9413 SSL_CTX_flush_sessions(ctx, 0);
9414 if (!TEST_ptr_null(early->prev)
9415 || !TEST_ptr_null(middle->prev)
9416 || !TEST_ptr_null(late->prev))
9419 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
9420 | SSL_CTX_get_session_cache_mode(ctx));
9422 /* make sure |now| is NOT equal to the current time */
9424 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
9425 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9426 || !TEST_long_ne(SSL_SESSION_get_time(early), now))
9432 SSL_SESSION_free(early);
9433 SSL_SESSION_free(middle);
9434 SSL_SESSION_free(late);
9439 * Test that a session cache overflow works as expected
9440 * Test 0: TLSv1.3, timeout on new session later than old session
9441 * Test 1: TLSv1.2, timeout on new session later than old session
9442 * Test 2: TLSv1.3, timeout on new session earlier than old session
9443 * Test 3: TLSv1.2, timeout on new session earlier than old session
9445 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
9446 static int test_session_cache_overflow(int idx)
9448 SSL_CTX *sctx = NULL, *cctx = NULL;
9449 SSL *serverssl = NULL, *clientssl = NULL;
9451 SSL_SESSION *sess = NULL;
9453 #ifdef OSSL_NO_USABLE_TLS1_3
9454 /* If no TLSv1.3 available then do nothing in this case */
9456 return TEST_skip("No TLSv1.3 available");
9458 #ifdef OPENSSL_NO_TLS1_2
9459 /* If no TLSv1.2 available then do nothing in this case */
9461 return TEST_skip("No TLSv1.2 available");
9464 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9465 TLS_client_method(), TLS1_VERSION,
9466 (idx % 2 == 0) ? TLS1_3_VERSION
9468 &sctx, &cctx, cert, privkey))
9469 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET)))
9472 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
9473 get_sess_val = NULL;
9475 SSL_CTX_sess_set_cache_size(sctx, 1);
9477 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9481 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9485 sess = SSL_get_session(serverssl);
9486 if (!TEST_ptr(sess))
9490 * Cause this session to have a longer timeout than the next session to
9493 if (!TEST_true(SSL_SESSION_set_timeout(sess, LONG_MAX))) {
9500 SSL_shutdown(serverssl);
9501 SSL_shutdown(clientssl);
9502 SSL_free(serverssl);
9503 SSL_free(clientssl);
9504 serverssl = clientssl = NULL;
9507 * Session cache size is 1 and we already populated the cache with a session
9508 * so the next connection should cause an overflow.
9511 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9515 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9519 * The session we just negotiated may have been already removed from the
9520 * internal cache - but we will return it anyway from our external cache.
9522 get_sess_val = SSL_get_session(serverssl);
9523 if (!TEST_ptr(get_sess_val))
9525 sess = SSL_get1_session(clientssl);
9526 if (!TEST_ptr(sess))
9529 SSL_shutdown(serverssl);
9530 SSL_shutdown(clientssl);
9531 SSL_free(serverssl);
9532 SSL_free(clientssl);
9533 serverssl = clientssl = NULL;
9535 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9539 if (!TEST_true(SSL_set_session(clientssl, sess)))
9542 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9548 SSL_free(serverssl);
9549 SSL_free(clientssl);
9552 SSL_SESSION_free(sess);
9556 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
9559 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
9560 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
9561 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
9562 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
9563 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
9564 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
9565 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
9566 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
9567 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
9568 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
9570 static int test_servername(int tst)
9572 SSL_CTX *cctx = NULL, *sctx = NULL;
9573 SSL *clientssl = NULL, *serverssl = NULL;
9575 SSL_SESSION *sess = NULL;
9576 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
9578 #ifdef OPENSSL_NO_TLS1_2
9582 #ifdef OSSL_NO_USABLE_TLS1_3
9587 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9588 TLS_client_method(),
9590 (tst <= 4) ? TLS1_2_VERSION
9592 &sctx, &cctx, cert, privkey))
9593 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9597 if (tst != 1 && tst != 6) {
9598 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
9603 if (tst != 3 && tst != 8) {
9604 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9606 sexpectedhost = cexpectedhost = "goodhost";
9609 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9612 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
9614 || !TEST_str_eq(SSL_get_servername(serverssl,
9615 TLSEXT_NAMETYPE_host_name),
9619 /* Now repeat with a resumption handshake */
9621 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
9622 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
9623 || !TEST_true(SSL_SESSION_is_resumable(sess))
9624 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
9627 SSL_free(clientssl);
9628 SSL_free(serverssl);
9629 clientssl = serverssl = NULL;
9631 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
9635 if (!TEST_true(SSL_set_session(clientssl, sess)))
9638 sexpectedhost = cexpectedhost = "goodhost";
9639 if (tst == 2 || tst == 7) {
9640 /* Set an inconsistent hostname */
9641 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
9644 * In TLSv1.2 we expect the hostname from the original handshake, in
9645 * TLSv1.3 we expect the hostname from this handshake
9648 sexpectedhost = cexpectedhost = "altgoodhost";
9650 if (!TEST_str_eq(SSL_get_servername(clientssl,
9651 TLSEXT_NAMETYPE_host_name),
9654 } else if (tst == 4 || tst == 9) {
9656 * A TLSv1.3 session does not associate a session with a servername,
9657 * but a TLSv1.2 session does.
9660 sexpectedhost = cexpectedhost = NULL;
9662 if (!TEST_str_eq(SSL_get_servername(clientssl,
9663 TLSEXT_NAMETYPE_host_name),
9667 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9670 * In a TLSv1.2 resumption where the hostname was not acknowledged
9671 * we expect the hostname on the server to be empty. On the client we
9672 * return what was requested in this case.
9674 * Similarly if the client didn't set a hostname on an original TLSv1.2
9675 * session but is now, the server hostname will be empty, but the client
9678 if (tst == 1 || tst == 3)
9679 sexpectedhost = NULL;
9681 if (!TEST_str_eq(SSL_get_servername(clientssl,
9682 TLSEXT_NAMETYPE_host_name),
9687 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9690 if (!TEST_true(SSL_session_reused(clientssl))
9691 || !TEST_true(SSL_session_reused(serverssl))
9692 || !TEST_str_eq(SSL_get_servername(clientssl,
9693 TLSEXT_NAMETYPE_host_name),
9695 || !TEST_str_eq(SSL_get_servername(serverssl,
9696 TLSEXT_NAMETYPE_host_name),
9703 SSL_SESSION_free(sess);
9704 SSL_free(serverssl);
9705 SSL_free(clientssl);
9712 static int test_unknown_sigalgs_groups(void)
9715 SSL_CTX *ctx = NULL;
9717 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
9720 if (!TEST_int_gt(SSL_CTX_set1_sigalgs_list(ctx,
9721 "RSA+SHA256:?nonexistent:?RSA+SHA512"),
9724 if (!TEST_size_t_eq(ctx->cert->conf_sigalgslen, 2)
9725 || !TEST_int_eq(ctx->cert->conf_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256)
9726 || !TEST_int_eq(ctx->cert->conf_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512))
9729 if (!TEST_int_gt(SSL_CTX_set1_client_sigalgs_list(ctx,
9730 "RSA+SHA256:?nonexistent:?RSA+SHA512"),
9733 if (!TEST_size_t_eq(ctx->cert->client_sigalgslen, 2)
9734 || !TEST_int_eq(ctx->cert->client_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256)
9735 || !TEST_int_eq(ctx->cert->client_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512))
9738 if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
9743 if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
9744 "?nonexistent1:?nonexistent2:?nonexistent3"),
9748 #ifndef OPENSSL_NO_EC
9749 if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
9750 "P-256:nonexistent"),
9754 if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx,
9755 "P-384:?nonexistent:?P-521"),
9758 if (!TEST_size_t_eq(ctx->ext.supportedgroups_len, 2)
9759 || !TEST_int_eq(ctx->ext.supportedgroups[0], OSSL_TLS_GROUP_ID_secp384r1)
9760 || !TEST_int_eq(ctx->ext.supportedgroups[1], OSSL_TLS_GROUP_ID_secp521r1))
9770 #if !defined(OPENSSL_NO_EC) \
9771 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9773 * Test that if signature algorithms are not available, then we do not offer or
9775 * Test 0: Two RSA sig algs available: both RSA sig algs shared
9776 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
9777 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
9778 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
9779 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
9780 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
9782 static int test_sigalgs_available(int idx)
9784 SSL_CTX *cctx = NULL, *sctx = NULL;
9785 SSL *clientssl = NULL, *serverssl = NULL;
9787 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
9788 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
9789 OSSL_PROVIDER *filterprov = NULL;
9792 if (!TEST_ptr(tmpctx))
9795 if (idx != 0 && idx != 3) {
9796 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
9797 filter_provider_init)))
9800 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
9801 if (!TEST_ptr(filterprov))
9806 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
9807 * or accepted for the peer that uses this libctx. Note that libssl
9808 * *requires* SHA2-256 to be available so we cannot disable that. We
9809 * also need SHA1 for our certificate.
9811 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
9815 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
9817 # ifdef OPENSSL_NO_ECX
9818 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT, "EC"))
9820 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
9827 if (idx == 1 || idx == 4)
9833 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
9834 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
9835 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
9839 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9840 TLS_client_method(),
9843 &sctx, &cctx, cert, privkey)))
9846 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9847 TLS_client_method(),
9850 &sctx, &cctx, cert2, privkey2)))
9854 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
9856 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9857 "ECDHE-RSA-AES128-GCM-SHA256")))
9860 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9861 "ECDHE-ECDSA-AES128-GCM-SHA256")))
9866 if (!SSL_CTX_set1_sigalgs_list(cctx,
9867 "rsa_pss_rsae_sha384"
9868 ":rsa_pss_rsae_sha256")
9869 || !SSL_CTX_set1_sigalgs_list(sctx,
9870 "rsa_pss_rsae_sha384"
9871 ":rsa_pss_rsae_sha256"))
9874 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
9875 || !SSL_CTX_set1_sigalgs_list(sctx,
9876 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
9881 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
9882 SSL_FILETYPE_PEM), 1)
9883 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
9885 SSL_FILETYPE_PEM), 1)
9886 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
9889 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9893 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9896 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
9897 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
9899 (idx == 0 || idx == 3) ? 2 : 1))
9902 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
9905 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
9909 testresult = filter_provider_check_clean_finish();
9912 SSL_free(serverssl);
9913 SSL_free(clientssl);
9916 OSSL_PROVIDER_unload(filterprov);
9917 OSSL_LIB_CTX_free(tmpctx);
9922 * !defined(OPENSSL_NO_EC) \
9923 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9926 #ifndef OPENSSL_NO_TLS1_3
9927 /* This test can run in TLSv1.3 even if ec and dh are disabled */
9928 static int test_pluggable_group(int idx)
9930 SSL_CTX *cctx = NULL, *sctx = NULL;
9931 SSL *clientssl = NULL, *serverssl = NULL;
9933 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
9934 /* Check that we are not impacted by a provider without any groups */
9935 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
9936 const char *group_name = idx == 0 ? "xorkemgroup" : "xorgroup";
9938 if (!TEST_ptr(tlsprov))
9941 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9942 TLS_client_method(),
9945 &sctx, &cctx, cert, privkey))
9946 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9950 /* ensure GROUPLIST_INCREMENT (=40) logic triggers: */
9951 if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup:xorkemgroup:dummy1:dummy2:dummy3:dummy4:dummy5:dummy6:dummy7:dummy8:dummy9:dummy10:dummy11:dummy12:dummy13:dummy14:dummy15:dummy16:dummy17:dummy18:dummy19:dummy20:dummy21:dummy22:dummy23:dummy24:dummy25:dummy26:dummy27:dummy28:dummy29:dummy30:dummy31:dummy32:dummy33:dummy34:dummy35:dummy36:dummy37:dummy38:dummy39:dummy40:dummy41:dummy42:dummy43"))
9952 /* removing a single algorithm from the list makes the test pass */
9953 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
9956 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9959 if (!TEST_str_eq(group_name,
9960 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
9963 if (!TEST_str_eq(group_name, SSL_get0_group_name(serverssl))
9964 || !TEST_str_eq(group_name, SSL_get0_group_name(clientssl)))
9970 SSL_free(serverssl);
9971 SSL_free(clientssl);
9974 OSSL_PROVIDER_unload(tlsprov);
9975 OSSL_PROVIDER_unload(legacyprov);
9981 * This function triggers encode, decode and sign functions
9982 * of the artificial "xorhmacsig" algorithm implemented in tls-provider
9983 * creating private key and certificate files for use in TLS testing.
9985 static int create_cert_key(int idx, char *certfilename, char *privkeyfilename)
9987 EVP_PKEY_CTX *evpctx = EVP_PKEY_CTX_new_from_name(libctx,
9988 (idx == 0) ? "xorhmacsig" : "xorhmacsha2sig", NULL);
9989 EVP_PKEY *pkey = NULL;
9990 X509 *x509 = X509_new();
9991 X509_NAME *name = NULL;
9992 BIO *keybio = NULL, *certbio = NULL;
9995 if (!TEST_ptr(evpctx)
9996 || !TEST_true(EVP_PKEY_keygen_init(evpctx))
9997 || !TEST_true(EVP_PKEY_generate(evpctx, &pkey))
10000 || !TEST_true(ASN1_INTEGER_set(X509_get_serialNumber(x509), 1))
10001 || !TEST_true(X509_gmtime_adj(X509_getm_notBefore(x509), 0))
10002 || !TEST_true(X509_gmtime_adj(X509_getm_notAfter(x509), 31536000L))
10003 || !TEST_true(X509_set_pubkey(x509, pkey))
10004 || !TEST_ptr(name = X509_get_subject_name(x509))
10005 || !TEST_true(X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC,
10006 (unsigned char *)"CH", -1, -1, 0))
10007 || !TEST_true(X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC,
10008 (unsigned char *)"test.org", -1, -1, 0))
10009 || !TEST_true(X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
10010 (unsigned char *)"localhost", -1, -1, 0))
10011 || !TEST_true(X509_set_issuer_name(x509, name))
10012 || !TEST_true(X509_sign(x509, pkey, EVP_sha1()))
10013 || !TEST_ptr(keybio = BIO_new_file(privkeyfilename, "wb"))
10014 || !TEST_true(PEM_write_bio_PrivateKey(keybio, pkey, NULL, NULL, 0, NULL, NULL))
10015 || !TEST_ptr(certbio = BIO_new_file(certfilename, "wb"))
10016 || !TEST_true(PEM_write_bio_X509(certbio, x509)))
10019 EVP_PKEY_free(pkey);
10021 EVP_PKEY_CTX_free(evpctx);
10028 * Test that signature algorithms loaded via the provider interface can
10029 * correctly establish a TLS (1.3) connection.
10030 * Test 0: Signature algorithm with built-in hashing functionality: "xorhmacsig"
10031 * Test 1: Signature algorithm using external SHA2 hashing: "xorhmacsha2sig"
10032 * Test 2: Test 0 using RPK
10033 * Test 3: Test 1 using RPK
10035 static int test_pluggable_signature(int idx)
10037 static const unsigned char cert_type_rpk[] = { TLSEXT_cert_type_rpk, TLSEXT_cert_type_x509 };
10038 SSL_CTX *cctx = NULL, *sctx = NULL;
10039 SSL *clientssl = NULL, *serverssl = NULL;
10040 int testresult = 0;
10041 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
10042 OSSL_PROVIDER *defaultprov = OSSL_PROVIDER_load(libctx, "default");
10043 char *certfilename = "tls-prov-cert.pem";
10044 char *privkeyfilename = "tls-prov-key.pem";
10045 int sigidx = idx % 2;
10046 int rpkidx = idx / 2;
10048 /* create key and certificate for the different algorithm types */
10049 if (!TEST_ptr(tlsprov)
10050 || !TEST_true(create_cert_key(sigidx, certfilename, privkeyfilename)))
10053 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10054 TLS_client_method(),
10057 &sctx, &cctx, certfilename, privkeyfilename))
10058 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10062 /* Enable RPK for server cert */
10064 if (!TEST_true(SSL_set1_server_cert_type(serverssl, cert_type_rpk, sizeof(cert_type_rpk)))
10065 || !TEST_true(SSL_set1_server_cert_type(clientssl, cert_type_rpk, sizeof(cert_type_rpk))))
10069 /* This is necessary to pass minimal setup w/o other groups configured */
10070 if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup"))
10071 || !TEST_true(SSL_set1_groups_list(clientssl, "xorgroup")))
10075 * If this connection gets established, it must have been completed
10076 * via the tls-provider-implemented "hmacsig" algorithm, testing
10077 * both sign and verify functions during handshake.
10079 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10082 /* If using RPK, make sure we got one */
10083 if (rpkidx && !TEST_long_eq(SSL_get_verify_result(clientssl), X509_V_ERR_RPK_UNTRUSTED))
10089 SSL_free(serverssl);
10090 SSL_free(clientssl);
10091 SSL_CTX_free(sctx);
10092 SSL_CTX_free(cctx);
10093 OSSL_PROVIDER_unload(tlsprov);
10094 OSSL_PROVIDER_unload(defaultprov);
10100 #ifndef OPENSSL_NO_TLS1_2
10101 static int test_ssl_dup(void)
10103 SSL_CTX *cctx = NULL, *sctx = NULL;
10104 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
10105 int testresult = 0;
10106 BIO *rbio = NULL, *wbio = NULL;
10108 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10109 TLS_client_method(),
10112 &sctx, &cctx, cert, privkey)))
10115 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10119 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
10120 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
10123 client2ssl = SSL_dup(clientssl);
10124 rbio = SSL_get_rbio(clientssl);
10125 if (!TEST_ptr(rbio)
10126 || !TEST_true(BIO_up_ref(rbio)))
10128 SSL_set0_rbio(client2ssl, rbio);
10131 wbio = SSL_get_wbio(clientssl);
10132 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
10134 SSL_set0_wbio(client2ssl, wbio);
10137 if (!TEST_ptr(client2ssl)
10138 /* Handshake not started so pointers should be different */
10139 || !TEST_ptr_ne(clientssl, client2ssl))
10142 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
10143 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
10146 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
10149 SSL_free(clientssl);
10150 clientssl = SSL_dup(client2ssl);
10151 if (!TEST_ptr(clientssl)
10152 /* Handshake has finished so pointers should be the same */
10153 || !TEST_ptr_eq(clientssl, client2ssl))
10159 SSL_free(serverssl);
10160 SSL_free(clientssl);
10161 SSL_free(client2ssl);
10162 SSL_CTX_free(sctx);
10163 SSL_CTX_free(cctx);
10168 static int secret_cb(SSL *s, void *secretin, int *secret_len,
10169 STACK_OF(SSL_CIPHER) *peer_ciphers,
10170 const SSL_CIPHER **cipher, void *arg)
10173 unsigned char *secret = secretin;
10175 /* Just use a fixed master secret */
10176 for (i = 0; i < *secret_len; i++)
10179 /* We don't set a preferred cipher */
10185 * Test the session_secret_cb which is designed for use with EAP-FAST
10187 static int test_session_secret_cb(void)
10189 SSL_CTX *cctx = NULL, *sctx = NULL;
10190 SSL *clientssl = NULL, *serverssl = NULL;
10191 SSL_SESSION *secret_sess = NULL;
10192 int testresult = 0;
10194 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10195 TLS_client_method(),
10198 &sctx, &cctx, cert, privkey)))
10201 /* Create an initial connection and save the session */
10202 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10206 /* session_secret_cb does not support TLSv1.3 */
10207 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
10208 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION)))
10211 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10214 if (!TEST_ptr(secret_sess = SSL_get1_session(clientssl)))
10217 shutdown_ssl_connection(serverssl, clientssl);
10218 serverssl = clientssl = NULL;
10220 /* Resume the earlier session */
10221 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10226 * No session ids for EAP-FAST - otherwise the state machine gets very
10229 if (!TEST_true(SSL_SESSION_set1_id(secret_sess, NULL, 0)))
10232 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
10233 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
10234 || !TEST_true(SSL_set_session_secret_cb(serverssl, secret_cb,
10236 || !TEST_true(SSL_set_session_secret_cb(clientssl, secret_cb,
10238 || !TEST_true(SSL_set_session(clientssl, secret_sess)))
10241 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10247 SSL_SESSION_free(secret_sess);
10248 SSL_free(serverssl);
10249 SSL_free(clientssl);
10250 SSL_CTX_free(sctx);
10251 SSL_CTX_free(cctx);
10256 # ifndef OPENSSL_NO_DH
10258 static EVP_PKEY *tmp_dh_params = NULL;
10260 /* Helper function for the test_set_tmp_dh() tests */
10261 static EVP_PKEY *get_tmp_dh_params(void)
10263 if (tmp_dh_params == NULL) {
10265 OSSL_PARAM_BLD *tmpl = NULL;
10266 EVP_PKEY_CTX *pctx = NULL;
10267 OSSL_PARAM *params = NULL;
10268 EVP_PKEY *dhpkey = NULL;
10270 p = BN_get_rfc3526_prime_2048(NULL);
10274 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
10275 if (!TEST_ptr(pctx)
10276 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
10279 tmpl = OSSL_PARAM_BLD_new();
10280 if (!TEST_ptr(tmpl)
10281 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
10282 OSSL_PKEY_PARAM_FFC_P,
10284 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
10285 OSSL_PKEY_PARAM_FFC_G,
10289 params = OSSL_PARAM_BLD_to_param(tmpl);
10290 if (!TEST_ptr(params)
10291 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
10292 EVP_PKEY_KEY_PARAMETERS,
10296 tmp_dh_params = dhpkey;
10299 EVP_PKEY_CTX_free(pctx);
10300 OSSL_PARAM_BLD_free(tmpl);
10301 OSSL_PARAM_free(params);
10304 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
10307 return tmp_dh_params;
10310 # ifndef OPENSSL_NO_DEPRECATED_3_0
10311 /* Callback used by test_set_tmp_dh() */
10312 static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
10314 EVP_PKEY *dhpkey = get_tmp_dh_params();
10317 if (!TEST_ptr(dhpkey))
10321 * libssl does not free the returned DH, so we free it now knowing that even
10322 * after we free dhpkey, there will still be a reference to the owning
10323 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
10324 * of time we need it for.
10326 ret = EVP_PKEY_get1_DH(dhpkey);
10329 EVP_PKEY_free(dhpkey);
10336 * Test the various methods for setting temporary DH parameters
10338 * Test 0: Default (no auto) setting
10339 * Test 1: Explicit SSL_CTX auto off
10340 * Test 2: Explicit SSL auto off
10341 * Test 3: Explicit SSL_CTX auto on
10342 * Test 4: Explicit SSL auto on
10343 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
10344 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
10346 * The following are testing deprecated APIs, so we only run them if available
10347 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
10348 * Test 8: Explicit SSL auto off, custom DH params via DH
10349 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
10350 * Test 10: Explicit SSL auto off, custom DH params via callback
10352 static int test_set_tmp_dh(int idx)
10354 SSL_CTX *cctx = NULL, *sctx = NULL;
10355 SSL *clientssl = NULL, *serverssl = NULL;
10356 int testresult = 0;
10357 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
10358 int expected = (idx <= 2) ? 0 : 1;
10359 EVP_PKEY *dhpkey = NULL;
10360 # ifndef OPENSSL_NO_DEPRECATED_3_0
10368 if (idx >= 5 && idx <= 8) {
10369 dhpkey = get_tmp_dh_params();
10370 if (!TEST_ptr(dhpkey))
10373 # ifndef OPENSSL_NO_DEPRECATED_3_0
10374 if (idx == 7 || idx == 8) {
10375 dh = EVP_PKEY_get1_DH(dhpkey);
10381 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10382 TLS_client_method(),
10385 &sctx, &cctx, cert, privkey)))
10388 if ((idx & 1) == 1) {
10389 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
10394 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
10398 # ifndef OPENSSL_NO_DEPRECATED_3_0
10399 else if (idx == 7) {
10400 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
10402 } else if (idx == 9) {
10403 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
10407 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10411 if ((idx & 1) == 0 && idx != 0) {
10412 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
10416 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
10420 # ifndef OPENSSL_NO_DEPRECATED_3_0
10421 else if (idx == 8) {
10422 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
10424 } else if (idx == 10) {
10425 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
10429 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
10430 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
10431 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
10435 * If autoon then we should succeed. Otherwise we expect failure because
10436 * there are no parameters
10438 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
10439 SSL_ERROR_NONE), expected))
10445 # ifndef OPENSSL_NO_DEPRECATED_3_0
10448 SSL_free(serverssl);
10449 SSL_free(clientssl);
10450 SSL_CTX_free(sctx);
10451 SSL_CTX_free(cctx);
10452 EVP_PKEY_free(dhpkey);
10458 * Test the auto DH keys are appropriately sized
10460 static int test_dh_auto(int idx)
10462 SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
10463 SSL_CTX *sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10464 SSL *clientssl = NULL, *serverssl = NULL;
10465 int testresult = 0;
10466 EVP_PKEY *tmpkey = NULL;
10467 char *thiscert = NULL, *thiskey = NULL;
10468 size_t expdhsize = 0;
10469 const char *ciphersuite = "DHE-RSA-AES128-SHA";
10471 if (!TEST_ptr(sctx) || !TEST_ptr(cctx))
10476 /* The FIPS provider doesn't support this DH size - so we ignore it */
10481 thiscert = cert1024;
10482 thiskey = privkey1024;
10484 SSL_CTX_set_security_level(sctx, 1);
10485 SSL_CTX_set_security_level(cctx, 1);
10488 /* 2048 bit prime */
10494 thiscert = cert3072;
10495 thiskey = privkey3072;
10499 thiscert = cert4096;
10500 thiskey = privkey4096;
10504 thiscert = cert8192;
10505 thiskey = privkey8192;
10508 /* No certificate cases */
10510 /* The FIPS provider doesn't support this DH size - so we ignore it */
10515 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
10519 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
10523 TEST_error("Invalid text index");
10527 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL,
10531 &sctx, &cctx, thiscert, thiskey)))
10534 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10538 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
10539 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
10540 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
10541 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
10542 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
10546 * Send the server's first flight. At this point the server has created the
10547 * temporary DH key but hasn't finished using it yet. Once used it is
10548 * removed, so we cannot test it.
10550 if (!TEST_int_le(SSL_connect(clientssl), 0)
10551 || !TEST_int_le(SSL_accept(serverssl), 0))
10554 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
10556 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
10559 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10565 SSL_free(serverssl);
10566 SSL_free(clientssl);
10567 SSL_CTX_free(sctx);
10568 SSL_CTX_free(cctx);
10569 EVP_PKEY_free(tmpkey);
10574 # endif /* OPENSSL_NO_DH */
10575 #endif /* OPENSSL_NO_TLS1_2 */
10577 #ifndef OSSL_NO_USABLE_TLS1_3
10579 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
10580 * that it works even without a certificate configured for the original
10583 static int test_sni_tls13(void)
10585 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
10586 SSL *clientssl = NULL, *serverssl = NULL;
10587 int testresult = 0;
10589 /* Reset callback counter */
10592 /* Create an initial SSL_CTX with no certificate configured */
10593 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10594 if (!TEST_ptr(sctx))
10596 /* Require TLSv1.3 as a minimum */
10597 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10598 TLS_client_method(), TLS1_3_VERSION, 0,
10599 &sctx2, &cctx, cert, privkey)))
10603 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
10604 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
10608 * Connection should still succeed because the final SSL_CTX has the right
10609 * certificates configured.
10611 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10612 &clientssl, NULL, NULL))
10613 || !TEST_true(create_ssl_connection(serverssl, clientssl,
10617 /* We should have had the SNI callback called exactly once */
10618 if (!TEST_int_eq(snicb, 1))
10624 SSL_free(serverssl);
10625 SSL_free(clientssl);
10626 SSL_CTX_free(sctx2);
10627 SSL_CTX_free(sctx);
10628 SSL_CTX_free(cctx);
10633 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
10637 static int test_ticket_lifetime(int idx)
10639 SSL_CTX *cctx = NULL, *sctx = NULL;
10640 SSL *clientssl = NULL, *serverssl = NULL;
10641 int testresult = 0;
10642 int version = TLS1_3_VERSION;
10644 #define ONE_WEEK_SEC (7 * 24 * 60 * 60)
10645 #define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
10648 #ifdef OPENSSL_NO_TLS1_2
10649 return TEST_skip("TLS 1.2 is disabled.");
10651 version = TLS1_2_VERSION;
10655 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10656 TLS_client_method(), version, version,
10657 &sctx, &cctx, cert, privkey)))
10660 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10661 &clientssl, NULL, NULL)))
10665 * Set the timeout to be more than 1 week
10666 * make sure the returned value is the default
10668 if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
10669 SSL_get_default_timeout(serverssl)))
10672 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10676 /* TLSv1.2 uses the set value */
10677 if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC))
10680 /* TLSv1.3 uses the limited value */
10681 if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC))
10687 SSL_free(serverssl);
10688 SSL_free(clientssl);
10689 SSL_CTX_free(sctx);
10690 SSL_CTX_free(cctx);
10695 * Test that setting an ALPN does not violate RFC
10697 static int test_set_alpn(void)
10699 SSL_CTX *ctx = NULL;
10701 int testresult = 0;
10703 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
10704 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
10705 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
10706 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
10707 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
10708 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
10710 /* Create an initial SSL_CTX with no certificate configured */
10711 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10712 if (!TEST_ptr(ctx))
10715 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
10716 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
10718 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
10720 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
10722 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
10724 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
10726 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
10728 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
10730 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
10732 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
10735 ssl = SSL_new(ctx);
10736 if (!TEST_ptr(ssl))
10739 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
10741 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
10743 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
10745 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
10747 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
10749 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
10751 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
10753 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
10755 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
10767 * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
10769 static int test_set_verify_cert_store_ssl_ctx(void)
10771 SSL_CTX *ctx = NULL;
10772 int testresult = 0;
10773 X509_STORE *store = NULL, *new_store = NULL,
10774 *cstore = NULL, *new_cstore = NULL;
10776 /* Create an initial SSL_CTX. */
10777 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10778 if (!TEST_ptr(ctx))
10781 /* Retrieve verify store pointer. */
10782 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10785 /* Retrieve chain store pointer. */
10786 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10789 /* We haven't set any yet, so this should be NULL. */
10790 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10793 /* Create stores. We use separate stores so pointers are different. */
10794 new_store = X509_STORE_new();
10795 if (!TEST_ptr(new_store))
10798 new_cstore = X509_STORE_new();
10799 if (!TEST_ptr(new_cstore))
10803 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store)))
10806 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore)))
10809 /* Should be able to retrieve the same pointer. */
10810 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10813 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10816 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10819 /* Should be able to unset again. */
10820 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL)))
10823 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL)))
10826 /* Should now be NULL. */
10827 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10830 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10833 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10839 X509_STORE_free(new_store);
10840 X509_STORE_free(new_cstore);
10846 * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store.
10848 static int test_set_verify_cert_store_ssl(void)
10850 SSL_CTX *ctx = NULL;
10852 int testresult = 0;
10853 X509_STORE *store = NULL, *new_store = NULL,
10854 *cstore = NULL, *new_cstore = NULL;
10856 /* Create an initial SSL_CTX. */
10857 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10858 if (!TEST_ptr(ctx))
10861 /* Create an SSL object. */
10862 ssl = SSL_new(ctx);
10863 if (!TEST_ptr(ssl))
10866 /* Retrieve verify store pointer. */
10867 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10870 /* Retrieve chain store pointer. */
10871 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10874 /* We haven't set any yet, so this should be NULL. */
10875 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10878 /* Create stores. We use separate stores so pointers are different. */
10879 new_store = X509_STORE_new();
10880 if (!TEST_ptr(new_store))
10883 new_cstore = X509_STORE_new();
10884 if (!TEST_ptr(new_cstore))
10888 if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store)))
10891 if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore)))
10894 /* Should be able to retrieve the same pointer. */
10895 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10898 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10901 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10904 /* Should be able to unset again. */
10905 if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL)))
10908 if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL)))
10911 /* Should now be NULL. */
10912 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10915 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10918 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10924 X509_STORE_free(new_store);
10925 X509_STORE_free(new_cstore);
10932 static int test_inherit_verify_param(void)
10934 int testresult = 0;
10936 SSL_CTX *ctx = NULL;
10937 X509_VERIFY_PARAM *cp = NULL;
10939 X509_VERIFY_PARAM *sp = NULL;
10940 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
10942 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10943 if (!TEST_ptr(ctx))
10946 cp = SSL_CTX_get0_param(ctx);
10949 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
10952 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
10954 ssl = SSL_new(ctx);
10955 if (!TEST_ptr(ssl))
10958 sp = SSL_get0_param(ssl);
10961 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
10973 static int test_load_dhfile(void)
10975 #ifndef OPENSSL_NO_DH
10976 int testresult = 0;
10978 SSL_CTX *ctx = NULL;
10979 SSL_CONF_CTX *cctx = NULL;
10981 if (dhfile == NULL)
10984 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()))
10985 || !TEST_ptr(cctx = SSL_CONF_CTX_new()))
10988 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
10989 SSL_CONF_CTX_set_flags(cctx,
10990 SSL_CONF_FLAG_CERTIFICATE
10991 | SSL_CONF_FLAG_SERVER
10992 | SSL_CONF_FLAG_FILE);
10994 if (!TEST_int_eq(SSL_CONF_cmd(cctx, "DHParameters", dhfile), 2))
10999 SSL_CONF_CTX_free(cctx);
11004 return TEST_skip("DH not supported by this build");
11008 #ifndef OSSL_NO_USABLE_TLS1_3
11009 /* Test that read_ahead works across a key change */
11010 static int test_read_ahead_key_change(void)
11012 SSL_CTX *cctx = NULL, *sctx = NULL;
11013 SSL *clientssl = NULL, *serverssl = NULL;
11014 int testresult = 0;
11015 char *msg = "Hello World";
11016 size_t written, readbytes;
11020 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11021 TLS_client_method(), TLS1_3_VERSION, 0,
11022 &sctx, &cctx, cert, privkey)))
11025 SSL_CTX_set_read_ahead(sctx, 1);
11027 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11028 &clientssl, NULL, NULL)))
11031 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11034 /* Write some data, send a key update, write more data */
11035 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
11036 || !TEST_size_t_eq(written, strlen(msg)))
11039 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
11042 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
11043 || !TEST_size_t_eq(written, strlen(msg)))
11047 * Since read_ahead is on the first read below should read the record with
11048 * the first app data, the second record with the key update message, and
11049 * the third record with the app data all in one go. We should be able to
11050 * still process the read_ahead data correctly even though it crosses
11053 for (i = 0; i < 2; i++) {
11054 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
11058 buf[readbytes] = '\0';
11059 if (!TEST_str_eq(buf, msg))
11066 SSL_free(serverssl);
11067 SSL_free(clientssl);
11068 SSL_CTX_free(sctx);
11069 SSL_CTX_free(cctx);
11073 static size_t record_pad_cb(SSL *s, int type, size_t len, void *arg)
11077 switch ((*called)++) {
11079 /* Add some padding to first record */
11082 /* Maximally pad the second record */
11083 return SSL3_RT_MAX_PLAIN_LENGTH - len;
11086 * Exceeding the maximum padding should be fine. It should just pad to
11087 * the maximum anyway
11089 return SSL3_RT_MAX_PLAIN_LENGTH + 1 - len;
11092 * Very large padding should also be ok. Should just pad to the maximum
11102 * Test that setting record padding in TLSv1.3 works as expected
11103 * Test 0: Record padding callback on the SSL_CTX
11104 * Test 1: Record padding callback on the SSL
11105 * Test 2: Record block padding on the SSL_CTX
11106 * Test 3: Record block padding on the SSL
11108 static int test_tls13_record_padding(int idx)
11110 SSL_CTX *cctx = NULL, *sctx = NULL;
11111 SSL *clientssl = NULL, *serverssl = NULL;
11112 int testresult = 0;
11113 char *msg = "Hello World";
11114 size_t written, readbytes;
11119 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11120 TLS_client_method(), TLS1_3_VERSION, 0,
11121 &sctx, &cctx, cert, privkey)))
11125 SSL_CTX_set_record_padding_callback(cctx, record_pad_cb);
11126 SSL_CTX_set_record_padding_callback_arg(cctx, &called);
11127 if (!TEST_ptr_eq(SSL_CTX_get_record_padding_callback_arg(cctx), &called))
11129 } else if (idx == 2) {
11130 /* Exceeding the max plain length should fail */
11131 if (!TEST_false(SSL_CTX_set_block_padding(cctx,
11132 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
11134 if (!TEST_true(SSL_CTX_set_block_padding(cctx, 512)))
11138 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11139 &clientssl, NULL, NULL)))
11143 SSL_set_record_padding_callback(clientssl, record_pad_cb);
11144 SSL_set_record_padding_callback_arg(clientssl, &called);
11145 if (!TEST_ptr_eq(SSL_get_record_padding_callback_arg(clientssl), &called))
11147 } else if (idx == 3) {
11148 /* Exceeding the max plain length should fail */
11149 if (!TEST_false(SSL_set_block_padding(clientssl,
11150 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
11152 if (!TEST_true(SSL_set_block_padding(clientssl, 512)))
11156 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11161 * Write some data, then check we can read it. Do this four times to check
11162 * we can continue to write and read padded data after the initial record
11163 * padding has been added. We don't actually check that the padding has
11164 * been applied to the record - just that we can continue to communicate
11165 * normally and that the callback has been called (if appropriate).
11167 for (i = 0; i < 4; i++) {
11168 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
11169 || !TEST_size_t_eq(written, strlen(msg)))
11172 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
11174 || !TEST_size_t_eq(written, readbytes))
11177 buf[readbytes] = '\0';
11178 if (!TEST_str_eq(buf, msg))
11182 if ((idx == 0 || idx == 1) && !TEST_int_eq(called, 4))
11187 SSL_free(serverssl);
11188 SSL_free(clientssl);
11189 SSL_CTX_free(sctx);
11190 SSL_CTX_free(cctx);
11193 #endif /* OSSL_NO_USABLE_TLS1_3 */
11195 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
11197 static ENGINE *load_dasync(void)
11201 if (!TEST_ptr(e = ENGINE_by_id("dasync")))
11204 if (!TEST_true(ENGINE_init(e))) {
11209 if (!TEST_true(ENGINE_register_ciphers(e))) {
11218 * Test TLSv1.2 with a pipeline capable cipher. TLSv1.3 and DTLS do not
11219 * support this yet. The only pipeline capable cipher that we have is in the
11220 * dasync engine (providers don't support this yet), so we have to use
11221 * deprecated APIs for this test.
11223 * Test 0: Client has pipelining enabled, server does not
11224 * Test 1: Server has pipelining enabled, client does not
11225 * Test 2: Client has pipelining enabled, server does not: not enough data to
11226 * fill all the pipelines
11227 * Test 3: Client has pipelining enabled, server does not: not enough data to
11228 * fill all the pipelines by more than a full pipeline's worth
11229 * Test 4: Client has pipelining enabled, server does not: more data than all
11230 * the available pipelines can take
11231 * Test 5: Client has pipelining enabled, server does not: Maximum size pipeline
11232 * Test 6: Repeat of test 0, but the engine is loaded late (after the SSL_CTX
11235 static int test_pipelining(int idx)
11237 SSL_CTX *cctx = NULL, *sctx = NULL;
11238 SSL *clientssl = NULL, *serverssl = NULL, *peera, *peerb;
11239 int testresult = 0, numreads;
11240 /* A 55 byte message */
11241 unsigned char *msg = (unsigned char *)
11242 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123";
11243 size_t written, readbytes, offset, msglen, fragsize = 10, numpipes = 5;
11244 size_t expectedreads;
11245 unsigned char *buf = NULL;
11254 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11255 TLS_client_method(), 0,
11256 TLS1_2_VERSION, &sctx, &cctx, cert,
11264 /* Now act like test 0 */
11268 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11269 &clientssl, NULL, NULL)))
11272 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES128-SHA")))
11275 /* peera is always configured for pipelining, while peerb is not. */
11287 /* Maximum allowed fragment size */
11288 fragsize = SSL3_RT_MAX_PLAIN_LENGTH;
11289 msglen = fragsize * numpipes;
11290 msg = OPENSSL_malloc(msglen);
11291 if (!TEST_ptr(msg))
11293 if (!TEST_int_gt(RAND_bytes_ex(libctx, msg, msglen, 0), 0))
11295 } else if (idx == 4) {
11301 msglen -= 2; /* Send 2 less bytes */
11303 msglen -= 12; /* Send 12 less bytes */
11305 buf = OPENSSL_malloc(msglen);
11306 if (!TEST_ptr(buf))
11311 * Test that setting a split send fragment longer than the maximum
11314 if (!TEST_false(SSL_set_split_send_fragment(peera, fragsize + 1)))
11319 * In the normal case. We have 5 pipelines with 10 bytes per pipeline
11320 * (50 bytes in total). This is a ridiculously small number of bytes -
11321 * but sufficient for our purposes
11323 if (!TEST_true(SSL_set_max_pipelines(peera, numpipes))
11324 || !TEST_true(SSL_set_split_send_fragment(peera, fragsize)))
11327 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11330 /* Write some data from peera to peerb */
11331 if (!TEST_true(SSL_write_ex(peera, msg, msglen, &written))
11332 || !TEST_size_t_eq(written, msglen))
11336 * If the pipelining code worked, then we expect all |numpipes| pipelines to
11337 * have been used - except in test 3 where only |numpipes - 1| pipelines
11338 * will be used. This will result in |numpipes| records (|numpipes - 1| for
11339 * test 3) having been sent to peerb. Since peerb is not using read_ahead we
11340 * expect this to be read in |numpipes| or |numpipes - 1| separate
11341 * SSL_read_ex calls. In the case of test 4, there is then one additional
11342 * read for left over data that couldn't fit in the previous pipelines
11344 for (offset = 0, numreads = 0;
11346 offset += readbytes, numreads++) {
11347 if (!TEST_true(SSL_read_ex(peerb, buf + offset,
11348 msglen - offset, &readbytes)))
11352 expectedreads = idx == 4 ? numpipes + 1
11353 : (idx == 3 ? numpipes - 1 : numpipes);
11354 if (!TEST_mem_eq(msg, msglen, buf, offset)
11355 || !TEST_int_eq(numreads, expectedreads))
11359 * Write some data from peerb to peera. We do this in up to |numpipes + 1|
11360 * chunks to exercise the read pipelining code on peera.
11362 for (offset = 0; offset < msglen; offset += fragsize) {
11363 size_t sendlen = msglen - offset;
11365 if (sendlen > fragsize)
11366 sendlen = fragsize;
11367 if (!TEST_true(SSL_write_ex(peerb, msg + offset, sendlen, &written))
11368 || !TEST_size_t_eq(written, sendlen))
11373 * The data was written in |numpipes|, |numpipes - 1| or |numpipes + 1|
11374 * separate chunks (depending on which test we are running). If the
11375 * pipelining is working then we expect peera to read up to numpipes chunks
11376 * and process them in parallel, giving back the complete result in a single
11377 * call to SSL_read_ex
11379 if (!TEST_true(SSL_read_ex(peera, buf, msglen, &readbytes))
11380 || !TEST_size_t_le(readbytes, msglen))
11386 if (!TEST_true(SSL_read_ex(peera, buf + readbytes,
11387 msglen - readbytes, &readbytes2)))
11389 readbytes += readbytes2;
11390 if (!TEST_size_t_le(readbytes, msglen))
11394 if (!TEST_mem_eq(msg, msglen, buf, readbytes))
11399 SSL_free(serverssl);
11400 SSL_free(clientssl);
11401 SSL_CTX_free(sctx);
11402 SSL_CTX_free(cctx);
11404 ENGINE_unregister_ciphers(e);
11409 if (fragsize == SSL3_RT_MAX_PLAIN_LENGTH)
11413 #endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) */
11415 static int check_version_string(SSL *s, int version)
11417 const char *verstr = NULL;
11426 case TLS1_1_VERSION:
11427 verstr = "TLSv1.1";
11429 case TLS1_2_VERSION:
11430 verstr = "TLSv1.2";
11432 case TLS1_3_VERSION:
11433 verstr = "TLSv1.3";
11435 case DTLS1_VERSION:
11438 case DTLS1_2_VERSION:
11439 verstr = "DTLSv1.2";
11442 return TEST_str_eq(verstr, SSL_get_version(s));
11446 * Test that SSL_version, SSL_get_version, SSL_is_quic, SSL_is_tls and
11447 * SSL_is_dtls return the expected results for a (D)TLS connection. Compare with
11448 * test_version() in quicapitest.c which does the same thing for QUIC
11451 static int test_version(int idx)
11453 SSL_CTX *cctx = NULL, *sctx = NULL;
11454 SSL *clientssl = NULL, *serverssl = NULL;
11455 int testresult = 0, version;
11456 const SSL_METHOD *servmeth = TLS_server_method();
11457 const SSL_METHOD *clientmeth = TLS_client_method();
11460 #if !defined(OPENSSL_NO_SSL3)
11462 version = SSL3_VERSION;
11465 #if !defined(OPENSSL_NO_TLS1)
11467 version = TLS1_VERSION;
11470 #if !defined(OPENSSL_NO_TLS1_2)
11472 version = TLS1_2_VERSION;
11475 #if !defined(OSSL_NO_USABLE_TLS1_3)
11477 version = TLS1_3_VERSION;
11480 #if !defined(OPENSSL_NO_DTLS1)
11482 version = DTLS1_VERSION;
11485 #if !defined(OPENSSL_NO_DTLS1_2)
11487 version = DTLS1_2_VERSION;
11491 * NB we do not support QUIC in this test. That is covered by quicapitest.c
11492 * We also don't support DTLS1_BAD_VER since we have no server support for
11496 TEST_skip("Unsupported protocol version");
11501 && (version == SSL3_VERSION
11502 || version == TLS1_VERSION
11503 || version == DTLS1_VERSION)) {
11504 TEST_skip("Protocol version not supported with FIPS");
11508 #if !defined(OPENSSL_NO_DTLS)
11509 if (version == DTLS1_VERSION || version == DTLS1_2_VERSION) {
11510 servmeth = DTLS_server_method();
11511 clientmeth = DTLS_client_method();
11515 if (!TEST_true(create_ssl_ctx_pair(libctx, servmeth, clientmeth, version,
11516 version, &sctx, &cctx, cert, privkey)))
11519 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
11520 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
11521 "DEFAULT:@SECLEVEL=0")))
11524 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11525 &clientssl, NULL, NULL)))
11528 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11531 if (!TEST_int_eq(SSL_version(serverssl), version)
11532 || !TEST_int_eq(SSL_version(clientssl), version)
11533 || !TEST_true(check_version_string(serverssl, version))
11534 || !TEST_true(check_version_string(clientssl, version)))
11537 if (version == DTLS1_VERSION || version == DTLS1_2_VERSION) {
11538 if (!TEST_true(SSL_is_dtls(serverssl))
11539 || !TEST_true(SSL_is_dtls(clientssl))
11540 || !TEST_false(SSL_is_tls(serverssl))
11541 || !TEST_false(SSL_is_tls(clientssl))
11542 || !TEST_false(SSL_is_quic(serverssl))
11543 || !TEST_false(SSL_is_quic(clientssl)))
11546 if (!TEST_true(SSL_is_tls(serverssl))
11547 || !TEST_true(SSL_is_tls(clientssl))
11548 || !TEST_false(SSL_is_dtls(serverssl))
11549 || !TEST_false(SSL_is_dtls(clientssl))
11550 || !TEST_false(SSL_is_quic(serverssl))
11551 || !TEST_false(SSL_is_quic(clientssl)))
11557 SSL_free(serverssl);
11558 SSL_free(clientssl);
11559 SSL_CTX_free(sctx);
11560 SSL_CTX_free(cctx);
11565 * Test that the SSL_rstate_string*() APIs return sane results
11567 static int test_rstate_string(void)
11569 SSL_CTX *cctx = NULL, *sctx = NULL;
11570 SSL *clientssl = NULL, *serverssl = NULL;
11571 int testresult = 0, version;
11572 const SSL_METHOD *servmeth = TLS_server_method();
11573 const SSL_METHOD *clientmeth = TLS_client_method();
11574 size_t written, readbytes;
11575 unsigned char buf[2];
11576 unsigned char dummyheader[SSL3_RT_HEADER_LENGTH] = {
11577 SSL3_RT_APPLICATION_DATA,
11578 TLS1_2_VERSION_MAJOR,
11579 0, /* To be filled in later */
11584 if (!TEST_true(create_ssl_ctx_pair(libctx, servmeth, clientmeth, 0,
11585 0, &sctx, &cctx, cert, privkey)))
11588 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11589 &clientssl, NULL, NULL)))
11592 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RH")
11593 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read header"))
11596 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11599 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RH")
11600 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read header"))
11603 /* Fill in the correct version for the record header */
11604 version = SSL_version(serverssl);
11605 if (version == TLS1_3_VERSION)
11606 version = TLS1_2_VERSION;
11607 dummyheader[2] = version & 0xff;
11610 * Send a dummy header. If we continued to read the body as well this
11611 * would fail with a bad record mac, but we're not going to go that far.
11613 if (!TEST_true(BIO_write_ex(SSL_get_rbio(serverssl), dummyheader,
11614 sizeof(dummyheader), &written))
11615 || !TEST_size_t_eq(written, SSL3_RT_HEADER_LENGTH))
11618 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)))
11621 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RB")
11622 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read body"))
11627 SSL_free(serverssl);
11628 SSL_free(clientssl);
11629 SSL_CTX_free(sctx);
11630 SSL_CTX_free(cctx);
11635 * Force a write retry during handshaking. We test various combinations of
11636 * scenarios. We test a large certificate message which will fill the buffering
11637 * BIO used in the handshake. We try with client auth on and off. Finally we
11638 * also try a BIO that indicates retry via a 0 return. BIO_write() is documented
11639 * to indicate retry via -1 - but sometimes BIOs don't do that.
11641 * Test 0: Standard certificate message
11642 * Test 1: Large certificate message
11643 * Test 2: Standard cert, verify peer
11644 * Test 3: Large cert, verify peer
11645 * Test 4: Standard cert, BIO returns 0 on retry
11646 * Test 5: Large cert, BIO returns 0 on retry
11647 * Test 6: Standard cert, verify peer, BIO returns 0 on retry
11648 * Test 7: Large cert, verify peer, BIO returns 0 on retry
11649 * Test 8-15: Repeat of above with TLSv1.2
11651 static int test_handshake_retry(int idx)
11653 SSL_CTX *cctx = NULL, *sctx = NULL;
11654 SSL *clientssl = NULL, *serverssl = NULL;
11655 int testresult = 0;
11656 BIO *tmp = NULL, *bretry = BIO_new(bio_s_always_retry());
11657 int maxversion = 0;
11659 if (!TEST_ptr(bretry))
11662 #ifndef OPENSSL_NO_TLS1_2
11663 if ((idx & 8) == 8)
11664 maxversion = TLS1_2_VERSION;
11666 if ((idx & 8) == 8)
11667 return TEST_skip("No TLSv1.2");
11670 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11671 TLS_client_method(), 0, maxversion,
11672 &sctx, &cctx, cert, privkey)))
11676 * Add a large amount of data to fill the buffering BIO used by the SSL
11679 if ((idx & 1) == 1 && !ssl_ctx_add_large_cert_chain(libctx, sctx, cert))
11683 * We don't actually configure a client cert, but neither do we fail if one
11686 if ((idx & 2) == 2)
11687 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
11689 if ((idx & 4) == 4)
11690 set_always_retry_err_val(0);
11692 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11693 &clientssl, NULL, NULL)))
11696 tmp = SSL_get_wbio(serverssl);
11697 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
11701 SSL_set0_wbio(serverssl, bretry);
11704 if (!TEST_int_eq(SSL_connect(clientssl), -1))
11707 if (!TEST_int_eq(SSL_accept(serverssl), -1)
11708 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
11711 /* Restore a BIO that will let the write succeed */
11712 SSL_set0_wbio(serverssl, tmp);
11715 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11720 SSL_free(serverssl);
11721 SSL_free(clientssl);
11722 SSL_CTX_free(sctx);
11723 SSL_CTX_free(cctx);
11726 set_always_retry_err_val(-1);
11731 * Test that receiving retries when writing application data works as expected
11733 static int test_data_retry(void)
11735 SSL_CTX *cctx = NULL, *sctx = NULL;
11736 SSL *clientssl = NULL, *serverssl = NULL;
11737 int testresult = 0;
11738 unsigned char inbuf[1200], outbuf[1200];
11741 BIO *bretry = BIO_new(bio_s_maybe_retry());
11742 size_t written, readbytes, totread = 0;
11744 if (!TEST_ptr(bretry))
11747 for (i = 0; i < sizeof(inbuf); i++)
11748 inbuf[i] = (unsigned char)(0xff & i);
11749 memset(outbuf, 0, sizeof(outbuf));
11751 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11752 TLS_client_method(), 0, 0, &sctx, &cctx,
11756 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
11760 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11763 /* Smallest possible max send fragment is 512 */
11764 if (!TEST_true(SSL_set_max_send_fragment(clientssl, 512)))
11767 tmp = SSL_get_wbio(clientssl);
11768 if (!TEST_ptr(tmp))
11770 if (!TEST_true(BIO_up_ref(tmp)))
11772 BIO_push(bretry, tmp);
11774 SSL_set0_wbio(clientssl, bretry);
11775 if (!BIO_up_ref(bretry)) {
11780 for (i = 0; i < 3; i++) {
11781 /* We expect this call to make no progress and indicate retry */
11782 if (!TEST_false(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
11784 if (!TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_WRITE))
11787 /* Allow one write to progress, but the next one to signal retry */
11788 if (!TEST_true(BIO_ctrl(bretry, MAYBE_RETRY_CTRL_SET_RETRY_AFTER_CNT, 1,
11796 * This call will hopefully make progress but will still indicate retry
11797 * because there is more data than will fit into a single record.
11799 if (!TEST_false(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
11801 if (!TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_WRITE))
11805 /* The final call should write the last chunk of data and succeed */
11806 if (!TEST_true(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
11808 /* Read all the data available */
11809 while (SSL_read_ex(serverssl, outbuf + totread, sizeof(outbuf) - totread,
11811 totread += readbytes;
11812 if (!TEST_mem_eq(inbuf, sizeof(inbuf), outbuf, totread))
11817 SSL_free(serverssl);
11818 SSL_free(clientssl);
11819 SSL_CTX_free(sctx);
11820 SSL_CTX_free(cctx);
11821 BIO_free_all(bretry);
11826 struct resume_servername_cb_data {
11835 * Servername callback. We use it here to run another complete handshake using
11836 * the same session - and mark the session as not_resuamble at the end
11838 static int resume_servername_cb(SSL *s, int *ad, void *arg)
11840 struct resume_servername_cb_data *cbdata = arg;
11841 SSL *serverssl = NULL, *clientssl = NULL;
11842 int ret = SSL_TLSEXT_ERR_ALERT_FATAL;
11844 if (cbdata->recurse)
11845 return SSL_TLSEXT_ERR_ALERT_FATAL;
11847 if ((cbdata->i % 3) != 1)
11848 return SSL_TLSEXT_ERR_OK;
11850 cbdata->recurse = 1;
11852 if (!TEST_true(create_ssl_objects(cbdata->sctx, cbdata->cctx, &serverssl,
11853 &clientssl, NULL, NULL))
11854 || !TEST_true(SSL_set_session(clientssl, cbdata->sess)))
11859 * We expect this to fail - because the servername cb will fail. This will
11860 * mark the session as not_resumable.
11862 if (!TEST_false(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) {
11863 ERR_clear_last_mark();
11868 ret = SSL_TLSEXT_ERR_OK;
11870 SSL_free(serverssl);
11871 SSL_free(clientssl);
11872 cbdata->recurse = 0;
11876 * Test multiple resumptions and cache size handling
11877 * Test 0: TLSv1.3 (max_early_data set)
11878 * Test 1: TLSv1.3 (SSL_OP_NO_TICKET set)
11879 * Test 2: TLSv1.3 (max_early_data and SSL_OP_NO_TICKET set)
11880 * Test 3: TLSv1.3 (SSL_OP_NO_TICKET, simultaneous resumes)
11883 static int test_multi_resume(int idx)
11885 SSL_CTX *sctx = NULL, *cctx = NULL;
11886 SSL *serverssl = NULL, *clientssl = NULL;
11887 SSL_SESSION *sess = NULL;
11888 int max_version = TLS1_3_VERSION;
11889 int i, testresult = 0;
11890 struct resume_servername_cb_data cbdata;
11892 #if defined(OPENSSL_NO_TLS1_2)
11894 return TEST_skip("TLSv1.2 is disabled in this build");
11897 max_version = TLS1_2_VERSION;
11899 #if defined(OSSL_NO_USABLE_TLS1_3)
11901 return TEST_skip("No usable TLSv1.3 in this build");
11904 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11905 TLS_client_method(), TLS1_VERSION,
11906 max_version, &sctx, &cctx, cert,
11911 * TLSv1.3 only uses a session cache if either max_early_data > 0 (used for
11912 * replay protection), or if SSL_OP_NO_TICKET is in use
11914 if (idx == 0 || idx == 2) {
11915 if (!TEST_true(SSL_CTX_set_max_early_data(sctx, 1024)))
11918 if (idx == 1 || idx == 2 || idx == 3)
11919 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
11921 SSL_CTX_sess_set_cache_size(sctx, 5);
11924 SSL_CTX_set_tlsext_servername_callback(sctx, resume_servername_cb);
11925 SSL_CTX_set_tlsext_servername_arg(sctx, &cbdata);
11926 cbdata.cctx = cctx;
11927 cbdata.sctx = sctx;
11928 cbdata.recurse = 0;
11931 for (i = 0; i < 30; i++) {
11932 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
11934 || !TEST_true(SSL_set_session(clientssl, sess)))
11938 * Check simultaneous resumes. We pause the connection part way through
11939 * the handshake by (mis)using the servername_cb. The pause occurs after
11940 * session resumption has already occurred, but before any session
11941 * tickets have been issued. While paused we run another complete
11942 * handshake resuming the same session.
11946 cbdata.sess = sess;
11950 * Recreate a bug where dynamically changing the max_early_data value
11951 * can cause sessions in the session cache which cannot be deleted.
11953 if ((idx == 0 || idx == 2) && (i % 3) == 2)
11954 SSL_set_max_early_data(serverssl, 0);
11956 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11959 if (sess == NULL || (idx == 0 && (i % 3) == 2)) {
11960 if (!TEST_false(SSL_session_reused(clientssl)))
11963 if (!TEST_true(SSL_session_reused(clientssl)))
11966 SSL_SESSION_free(sess);
11968 /* Do a full handshake, followed by two resumptions */
11969 if ((i % 3) == 2) {
11972 if (!TEST_ptr((sess = SSL_get1_session(clientssl))))
11976 SSL_shutdown(clientssl);
11977 SSL_shutdown(serverssl);
11978 SSL_free(serverssl);
11979 SSL_free(clientssl);
11980 serverssl = clientssl = NULL;
11983 /* We should never exceed the session cache size limit */
11984 if (!TEST_long_le(SSL_CTX_sess_number(sctx), 5))
11989 SSL_free(serverssl);
11990 SSL_free(clientssl);
11991 SSL_CTX_free(sctx);
11992 SSL_CTX_free(cctx);
11993 SSL_SESSION_free(sess);
11997 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
11999 int setup_tests(void)
12004 libctx = OSSL_LIB_CTX_new();
12005 if (!TEST_ptr(libctx))
12008 defctxnull = OSSL_PROVIDER_load(NULL, "null");
12011 * Verify that the default and fips providers in the default libctx are not
12014 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
12015 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
12018 if (!test_skip_common_options()) {
12019 TEST_error("Error parsing test options\n");
12023 if (!TEST_ptr(certsdir = test_get_argument(0))
12024 || !TEST_ptr(srpvfile = test_get_argument(1))
12025 || !TEST_ptr(tmpfilename = test_get_argument(2))
12026 || !TEST_ptr(modulename = test_get_argument(3))
12027 || !TEST_ptr(configfile = test_get_argument(4))
12028 || !TEST_ptr(dhfile = test_get_argument(5)))
12031 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
12034 /* Check we have the expected provider available */
12035 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
12038 /* Check the default provider is not available */
12039 if (strcmp(modulename, "default") != 0
12040 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
12043 if (strcmp(modulename, "fips") == 0) {
12044 OSSL_PROVIDER *prov = NULL;
12045 OSSL_PARAM params[2];
12049 prov = OSSL_PROVIDER_load(libctx, "fips");
12050 if (prov != NULL) {
12051 /* Query the fips provider to check if the check ems option is enabled */
12053 OSSL_PARAM_construct_int(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK,
12055 params[1] = OSSL_PARAM_construct_end();
12056 OSSL_PROVIDER_get_params(prov, params);
12057 OSSL_PROVIDER_unload(prov);
12062 * We add, but don't load the test "tls-provider". We'll load it when we
12065 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
12066 tls_provider_init)))
12070 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
12071 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
12072 TEST_error("not supported in this build");
12075 int i, mcount, rcount, fcount;
12077 for (i = 0; i < 4; i++)
12078 test_export_key_mat(i);
12079 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
12080 test_printf_stdout("malloc %d realloc %d free %d\n",
12081 mcount, rcount, fcount);
12086 cert = test_mk_file_path(certsdir, "servercert.pem");
12090 privkey = test_mk_file_path(certsdir, "serverkey.pem");
12091 if (privkey == NULL)
12094 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
12098 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
12099 if (privkey2 == NULL)
12102 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
12103 if (cert1024 == NULL)
12106 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
12107 if (privkey1024 == NULL)
12110 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
12111 if (cert3072 == NULL)
12114 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
12115 if (privkey3072 == NULL)
12118 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
12119 if (cert4096 == NULL)
12122 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
12123 if (privkey4096 == NULL)
12126 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
12127 if (cert8192 == NULL)
12130 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
12131 if (privkey8192 == NULL)
12134 if (fips_ems_check) {
12135 #ifndef OPENSSL_NO_TLS1_2
12136 ADD_TEST(test_no_ems);
12140 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
12141 # if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
12142 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
12143 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS * 2);
12146 ADD_TEST(test_large_message_tls);
12147 ADD_TEST(test_large_message_tls_read_ahead);
12148 #ifndef OPENSSL_NO_DTLS
12149 ADD_TEST(test_large_message_dtls);
12151 ADD_ALL_TESTS(test_large_app_data, 28);
12152 ADD_TEST(test_cleanse_plaintext);
12153 #ifndef OPENSSL_NO_OCSP
12154 ADD_TEST(test_tlsext_status_type);
12156 ADD_TEST(test_session_with_only_int_cache);
12157 ADD_TEST(test_session_with_only_ext_cache);
12158 ADD_TEST(test_session_with_both_cache);
12159 ADD_TEST(test_session_wo_ca_names);
12160 #ifndef OSSL_NO_USABLE_TLS1_3
12161 ADD_ALL_TESTS(test_stateful_tickets, 3);
12162 ADD_ALL_TESTS(test_stateless_tickets, 3);
12163 ADD_TEST(test_psk_tickets);
12164 ADD_ALL_TESTS(test_extra_tickets, 6);
12166 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
12167 ADD_TEST(test_ssl_bio_pop_next_bio);
12168 ADD_TEST(test_ssl_bio_pop_ssl_bio);
12169 ADD_TEST(test_ssl_bio_change_rbio);
12170 ADD_TEST(test_ssl_bio_change_wbio);
12171 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
12172 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
12173 ADD_TEST(test_keylog);
12175 #ifndef OSSL_NO_USABLE_TLS1_3
12176 ADD_TEST(test_keylog_no_master_key);
12178 ADD_TEST(test_client_cert_verify_cb);
12179 ADD_TEST(test_ssl_build_cert_chain);
12180 ADD_TEST(test_ssl_ctx_build_cert_chain);
12181 #ifndef OPENSSL_NO_TLS1_2
12182 ADD_TEST(test_client_hello_cb);
12183 ADD_TEST(test_no_ems);
12184 ADD_TEST(test_ccs_change_cipher);
12186 #ifndef OSSL_NO_USABLE_TLS1_3
12187 ADD_ALL_TESTS(test_early_data_read_write, 6);
12189 * We don't do replay tests for external PSK. Replay protection isn't used
12190 * in that scenario.
12192 ADD_ALL_TESTS(test_early_data_replay, 2);
12193 ADD_ALL_TESTS(test_early_data_skip, OSSL_NELEM(ciphersuites) * 3);
12194 ADD_ALL_TESTS(test_early_data_skip_hrr, OSSL_NELEM(ciphersuites) * 3);
12195 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, OSSL_NELEM(ciphersuites) * 3);
12196 ADD_ALL_TESTS(test_early_data_skip_abort, OSSL_NELEM(ciphersuites) * 3);
12197 ADD_ALL_TESTS(test_early_data_not_sent, 3);
12198 ADD_ALL_TESTS(test_early_data_psk, 8);
12199 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 7);
12200 ADD_ALL_TESTS(test_early_data_not_expected, 3);
12201 # ifndef OPENSSL_NO_TLS1_2
12202 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
12205 #ifndef OSSL_NO_USABLE_TLS1_3
12206 ADD_ALL_TESTS(test_set_ciphersuite, 10);
12207 ADD_TEST(test_ciphersuite_change);
12208 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
12209 # ifdef OPENSSL_NO_PSK
12210 ADD_ALL_TESTS(test_tls13_psk, 1);
12212 ADD_ALL_TESTS(test_tls13_psk, 4);
12213 # endif /* OPENSSL_NO_PSK */
12214 #ifndef OSSL_NO_USABLE_TLS1_3
12215 ADD_ALL_TESTS(test_tls13_no_dhe_kex, 8);
12216 #endif /* OSSL_NO_USABLE_TLS1_3 */
12217 # ifndef OPENSSL_NO_TLS1_2
12218 /* Test with both TLSv1.3 and 1.2 versions */
12219 ADD_ALL_TESTS(test_key_exchange, 14);
12220 # if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
12221 ADD_ALL_TESTS(test_negotiated_group,
12222 4 * (OSSL_NELEM(ecdhe_kexch_groups)
12223 + OSSL_NELEM(ffdhe_kexch_groups)));
12226 /* Test with only TLSv1.3 versions */
12227 ADD_ALL_TESTS(test_key_exchange, 12);
12229 ADD_ALL_TESTS(test_custom_exts, 6);
12230 ADD_TEST(test_stateless);
12231 ADD_TEST(test_pha_key_update);
12233 ADD_ALL_TESTS(test_custom_exts, 3);
12235 ADD_ALL_TESTS(test_export_key_mat, 6);
12236 #ifndef OSSL_NO_USABLE_TLS1_3
12237 ADD_ALL_TESTS(test_export_key_mat_early, 3);
12238 ADD_TEST(test_key_update);
12239 ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
12240 ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
12241 ADD_ALL_TESTS(test_key_update_local_in_write, 2);
12242 ADD_ALL_TESTS(test_key_update_local_in_read, 2);
12244 ADD_ALL_TESTS(test_ssl_clear, 8);
12245 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
12246 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
12247 ADD_ALL_TESTS(test_srp, 6);
12249 #if !defined(OPENSSL_NO_COMP_ALG)
12250 /* Add compression case */
12251 ADD_ALL_TESTS(test_info_callback, 8);
12253 ADD_ALL_TESTS(test_info_callback, 6);
12255 ADD_ALL_TESTS(test_ssl_pending, 2);
12256 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
12257 ADD_ALL_TESTS(test_ticket_callbacks, 20);
12258 ADD_ALL_TESTS(test_shutdown, 7);
12259 ADD_TEST(test_async_shutdown);
12260 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
12261 ADD_ALL_TESTS(test_cert_cb, 6);
12262 ADD_ALL_TESTS(test_client_cert_cb, 2);
12263 ADD_ALL_TESTS(test_ca_names, 3);
12264 #ifndef OPENSSL_NO_TLS1_2
12265 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
12267 ADD_ALL_TESTS(test_servername, 10);
12268 ADD_TEST(test_unknown_sigalgs_groups);
12269 #if !defined(OPENSSL_NO_EC) \
12270 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
12271 ADD_ALL_TESTS(test_sigalgs_available, 6);
12273 #ifndef OPENSSL_NO_TLS1_3
12274 ADD_ALL_TESTS(test_pluggable_group, 2);
12275 ADD_ALL_TESTS(test_pluggable_signature, 4);
12277 #ifndef OPENSSL_NO_TLS1_2
12278 ADD_TEST(test_ssl_dup);
12279 ADD_TEST(test_session_secret_cb);
12280 # ifndef OPENSSL_NO_DH
12281 ADD_ALL_TESTS(test_set_tmp_dh, 11);
12282 ADD_ALL_TESTS(test_dh_auto, 7);
12285 #ifndef OSSL_NO_USABLE_TLS1_3
12286 ADD_TEST(test_sni_tls13);
12287 ADD_ALL_TESTS(test_ticket_lifetime, 2);
12289 ADD_TEST(test_inherit_verify_param);
12290 ADD_TEST(test_set_alpn);
12291 ADD_TEST(test_set_verify_cert_store_ssl_ctx);
12292 ADD_TEST(test_set_verify_cert_store_ssl);
12293 ADD_ALL_TESTS(test_session_timeout, 1);
12294 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
12295 ADD_ALL_TESTS(test_session_cache_overflow, 4);
12297 ADD_TEST(test_load_dhfile);
12298 #ifndef OSSL_NO_USABLE_TLS1_3
12299 ADD_TEST(test_read_ahead_key_change);
12300 ADD_ALL_TESTS(test_tls13_record_padding, 4);
12302 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
12303 ADD_ALL_TESTS(test_serverinfo_custom, 4);
12305 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
12306 ADD_ALL_TESTS(test_pipelining, 7);
12308 ADD_ALL_TESTS(test_version, 6);
12309 ADD_TEST(test_rstate_string);
12310 ADD_ALL_TESTS(test_handshake_retry, 16);
12311 ADD_TEST(test_data_retry);
12312 ADD_ALL_TESTS(test_multi_resume, 5);
12316 OPENSSL_free(cert);
12317 OPENSSL_free(privkey);
12318 OPENSSL_free(cert2);
12319 OPENSSL_free(privkey2);
12323 void cleanup_tests(void)
12325 # if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
12326 EVP_PKEY_free(tmp_dh_params);
12328 OPENSSL_free(cert);
12329 OPENSSL_free(privkey);
12330 OPENSSL_free(cert2);
12331 OPENSSL_free(privkey2);
12332 OPENSSL_free(cert1024);
12333 OPENSSL_free(privkey1024);
12334 OPENSSL_free(cert3072);
12335 OPENSSL_free(privkey3072);
12336 OPENSSL_free(cert4096);
12337 OPENSSL_free(privkey4096);
12338 OPENSSL_free(cert8192);
12339 OPENSSL_free(privkey8192);
12340 bio_s_mempacket_test_free();
12341 bio_s_always_retry_free();
12342 bio_s_maybe_retry_free();
12343 OSSL_PROVIDER_unload(defctxnull);
12344 OSSL_LIB_CTX_free(libctx);