2 * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/core_dispatch.h>
32 #include <openssl/provider.h>
33 #include <openssl/param_build.h>
34 #include <openssl/x509v3.h>
35 #include <openssl/dh.h>
37 #include "helpers/ssltestlib.h"
39 #include "testutil/output.h"
40 #include "internal/nelem.h"
41 #include "internal/ktls.h"
42 #include "../ssl/ssl_local.h"
43 #include "filterprov.h"
45 #undef OSSL_NO_USABLE_TLS1_3
46 #if defined(OPENSSL_NO_TLS1_3) \
47 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
49 * If we don't have ec or dh then there are no built-in groups that are usable
52 # define OSSL_NO_USABLE_TLS1_3
55 /* Defined in tls-provider.c */
56 int tls_provider_init(const OSSL_CORE_HANDLE *handle,
57 const OSSL_DISPATCH *in,
58 const OSSL_DISPATCH **out,
61 static OSSL_LIB_CTX *libctx = NULL;
62 static OSSL_PROVIDER *defctxnull = NULL;
64 #ifndef OSSL_NO_USABLE_TLS1_3
66 static SSL_SESSION *clientpsk = NULL;
67 static SSL_SESSION *serverpsk = NULL;
68 static const char *pskid = "Identity";
69 static const char *srvid;
71 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
72 size_t *idlen, SSL_SESSION **sess);
73 static int find_session_cb(SSL *ssl, const unsigned char *identity,
74 size_t identity_len, SSL_SESSION **sess);
76 static int use_session_cb_cnt = 0;
77 static int find_session_cb_cnt = 0;
79 static SSL_SESSION *create_a_psk(SSL *ssl);
82 static char *certsdir = NULL;
83 static char *cert = NULL;
84 static char *privkey = NULL;
85 static char *cert2 = NULL;
86 static char *privkey2 = NULL;
87 static char *cert1024 = NULL;
88 static char *privkey1024 = NULL;
89 static char *cert3072 = NULL;
90 static char *privkey3072 = NULL;
91 static char *cert4096 = NULL;
92 static char *privkey4096 = NULL;
93 static char *cert8192 = NULL;
94 static char *privkey8192 = NULL;
95 static char *srpvfile = NULL;
96 static char *tmpfilename = NULL;
97 static char *dhfile = NULL;
99 static int is_fips = 0;
101 #define LOG_BUFFER_SIZE 2048
102 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
103 static size_t server_log_buffer_index = 0;
104 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
105 static size_t client_log_buffer_index = 0;
106 static int error_writing_log = 0;
108 #ifndef OPENSSL_NO_OCSP
109 static const unsigned char orespder[] = "Dummy OCSP Response";
110 static int ocsp_server_called = 0;
111 static int ocsp_client_called = 0;
113 static int cdummyarg = 1;
114 static X509 *ocspcert = NULL;
117 #define NUM_EXTRA_CERTS 40
118 #define CLIENT_VERSION_LEN 2
121 * This structure is used to validate that the correct number of log messages
122 * of various types are emitted when emitting secret logs.
124 struct sslapitest_log_counts {
125 unsigned int rsa_key_exchange_count;
126 unsigned int master_secret_count;
127 unsigned int client_early_secret_count;
128 unsigned int client_handshake_secret_count;
129 unsigned int server_handshake_secret_count;
130 unsigned int client_application_secret_count;
131 unsigned int server_application_secret_count;
132 unsigned int early_exporter_secret_count;
133 unsigned int exporter_secret_count;
137 static unsigned char serverinfov1[] = {
138 0xff, 0xff, /* Dummy extension type */
139 0x00, 0x01, /* Extension length is 1 byte */
140 0xff /* Dummy extension data */
143 static unsigned char serverinfov2[] = {
145 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
146 0xff, 0xff, /* Dummy extension type */
147 0x00, 0x01, /* Extension length is 1 byte */
148 0xff /* Dummy extension data */
151 static int hostname_cb(SSL *s, int *al, void *arg)
153 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
155 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
156 || strcmp(hostname, "altgoodhost") == 0))
157 return SSL_TLSEXT_ERR_OK;
159 return SSL_TLSEXT_ERR_NOACK;
162 static void client_keylog_callback(const SSL *ssl, const char *line)
164 int line_length = strlen(line);
166 /* If the log doesn't fit, error out. */
167 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
168 TEST_info("Client log too full");
169 error_writing_log = 1;
173 strcat(client_log_buffer, line);
174 client_log_buffer_index += line_length;
175 client_log_buffer[client_log_buffer_index++] = '\n';
178 static void server_keylog_callback(const SSL *ssl, const char *line)
180 int line_length = strlen(line);
182 /* If the log doesn't fit, error out. */
183 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
184 TEST_info("Server log too full");
185 error_writing_log = 1;
189 strcat(server_log_buffer, line);
190 server_log_buffer_index += line_length;
191 server_log_buffer[server_log_buffer_index++] = '\n';
194 static int compare_hex_encoded_buffer(const char *hex_encoded,
202 if (!TEST_size_t_eq(raw_length * 2, hex_length))
205 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
206 sprintf(hexed, "%02x", raw[i]);
207 if (!TEST_int_eq(hexed[0], hex_encoded[j])
208 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
215 static int test_keylog_output(char *buffer, const SSL *ssl,
216 const SSL_SESSION *session,
217 struct sslapitest_log_counts *expected)
220 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
221 size_t client_random_size = SSL3_RANDOM_SIZE;
222 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
223 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
224 unsigned int rsa_key_exchange_count = 0;
225 unsigned int master_secret_count = 0;
226 unsigned int client_early_secret_count = 0;
227 unsigned int client_handshake_secret_count = 0;
228 unsigned int server_handshake_secret_count = 0;
229 unsigned int client_application_secret_count = 0;
230 unsigned int server_application_secret_count = 0;
231 unsigned int early_exporter_secret_count = 0;
232 unsigned int exporter_secret_count = 0;
234 for (token = strtok(buffer, " \n"); token != NULL;
235 token = strtok(NULL, " \n")) {
236 if (strcmp(token, "RSA") == 0) {
238 * Premaster secret. Tokens should be: 16 ASCII bytes of
239 * hex-encoded encrypted secret, then the hex-encoded pre-master
242 if (!TEST_ptr(token = strtok(NULL, " \n")))
244 if (!TEST_size_t_eq(strlen(token), 16))
246 if (!TEST_ptr(token = strtok(NULL, " \n")))
249 * We can't sensibly check the log because the premaster secret is
250 * transient, and OpenSSL doesn't keep hold of it once the master
251 * secret is generated.
253 rsa_key_exchange_count++;
254 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
256 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
257 * client random, then the hex-encoded master secret.
259 client_random_size = SSL_get_client_random(ssl,
260 actual_client_random,
262 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
265 if (!TEST_ptr(token = strtok(NULL, " \n")))
267 if (!TEST_size_t_eq(strlen(token), 64))
269 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
270 actual_client_random,
271 client_random_size)))
274 if (!TEST_ptr(token = strtok(NULL, " \n")))
276 master_key_size = SSL_SESSION_get_master_key(session,
279 if (!TEST_size_t_ne(master_key_size, 0))
281 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
285 master_secret_count++;
286 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
287 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
288 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
289 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
290 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
291 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
292 || strcmp(token, "EXPORTER_SECRET") == 0) {
294 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
295 * client random, and then the hex-encoded secret. In this case,
296 * we treat all of these secrets identically and then just
297 * distinguish between them when counting what we saw.
299 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
300 client_early_secret_count++;
301 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
302 client_handshake_secret_count++;
303 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
304 server_handshake_secret_count++;
305 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
306 client_application_secret_count++;
307 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
308 server_application_secret_count++;
309 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
310 early_exporter_secret_count++;
311 else if (strcmp(token, "EXPORTER_SECRET") == 0)
312 exporter_secret_count++;
314 client_random_size = SSL_get_client_random(ssl,
315 actual_client_random,
317 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
320 if (!TEST_ptr(token = strtok(NULL, " \n")))
322 if (!TEST_size_t_eq(strlen(token), 64))
324 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
325 actual_client_random,
326 client_random_size)))
329 if (!TEST_ptr(token = strtok(NULL, " \n")))
332 TEST_info("Unexpected token %s\n", token);
337 /* Got what we expected? */
338 if (!TEST_size_t_eq(rsa_key_exchange_count,
339 expected->rsa_key_exchange_count)
340 || !TEST_size_t_eq(master_secret_count,
341 expected->master_secret_count)
342 || !TEST_size_t_eq(client_early_secret_count,
343 expected->client_early_secret_count)
344 || !TEST_size_t_eq(client_handshake_secret_count,
345 expected->client_handshake_secret_count)
346 || !TEST_size_t_eq(server_handshake_secret_count,
347 expected->server_handshake_secret_count)
348 || !TEST_size_t_eq(client_application_secret_count,
349 expected->client_application_secret_count)
350 || !TEST_size_t_eq(server_application_secret_count,
351 expected->server_application_secret_count)
352 || !TEST_size_t_eq(early_exporter_secret_count,
353 expected->early_exporter_secret_count)
354 || !TEST_size_t_eq(exporter_secret_count,
355 expected->exporter_secret_count))
360 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
361 static int test_keylog(void)
363 SSL_CTX *cctx = NULL, *sctx = NULL;
364 SSL *clientssl = NULL, *serverssl = NULL;
366 struct sslapitest_log_counts expected;
368 /* Clean up logging space */
369 memset(&expected, 0, sizeof(expected));
370 memset(client_log_buffer, 0, sizeof(client_log_buffer));
371 memset(server_log_buffer, 0, sizeof(server_log_buffer));
372 client_log_buffer_index = 0;
373 server_log_buffer_index = 0;
374 error_writing_log = 0;
376 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
379 &sctx, &cctx, cert, privkey)))
382 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
383 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
384 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
386 /* We also want to ensure that we use RSA-based key exchange. */
387 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
390 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
391 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
393 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
394 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
395 == client_keylog_callback))
397 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
398 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
399 == server_keylog_callback))
402 /* Now do a handshake and check that the logs have been written to. */
403 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
404 &clientssl, NULL, NULL))
405 || !TEST_true(create_ssl_connection(serverssl, clientssl,
407 || !TEST_false(error_writing_log)
408 || !TEST_int_gt(client_log_buffer_index, 0)
409 || !TEST_int_gt(server_log_buffer_index, 0))
413 * Now we want to test that our output data was vaguely sensible. We
414 * do that by using strtok and confirming that we have more or less the
415 * data we expect. For both client and server, we expect to see one master
416 * secret. The client should also see a RSA key exchange.
418 expected.rsa_key_exchange_count = 1;
419 expected.master_secret_count = 1;
420 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
421 SSL_get_session(clientssl), &expected)))
424 expected.rsa_key_exchange_count = 0;
425 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
426 SSL_get_session(serverssl), &expected)))
441 #ifndef OSSL_NO_USABLE_TLS1_3
442 static int test_keylog_no_master_key(void)
444 SSL_CTX *cctx = NULL, *sctx = NULL;
445 SSL *clientssl = NULL, *serverssl = NULL;
446 SSL_SESSION *sess = NULL;
448 struct sslapitest_log_counts expected;
449 unsigned char buf[1];
450 size_t readbytes, written;
452 /* Clean up logging space */
453 memset(&expected, 0, sizeof(expected));
454 memset(client_log_buffer, 0, sizeof(client_log_buffer));
455 memset(server_log_buffer, 0, sizeof(server_log_buffer));
456 client_log_buffer_index = 0;
457 server_log_buffer_index = 0;
458 error_writing_log = 0;
460 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
461 TLS_client_method(), TLS1_VERSION, 0,
462 &sctx, &cctx, cert, privkey))
463 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
464 SSL3_RT_MAX_PLAIN_LENGTH)))
467 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
468 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
471 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
472 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
473 == client_keylog_callback))
476 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
477 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
478 == server_keylog_callback))
481 /* Now do a handshake and check that the logs have been written to. */
482 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
483 &clientssl, NULL, NULL))
484 || !TEST_true(create_ssl_connection(serverssl, clientssl,
486 || !TEST_false(error_writing_log))
490 * Now we want to test that our output data was vaguely sensible. For this
491 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
492 * TLSv1.3, but we do expect both client and server to emit keys.
494 expected.client_handshake_secret_count = 1;
495 expected.server_handshake_secret_count = 1;
496 expected.client_application_secret_count = 1;
497 expected.server_application_secret_count = 1;
498 expected.exporter_secret_count = 1;
499 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
500 SSL_get_session(clientssl), &expected))
501 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
502 SSL_get_session(serverssl),
506 /* Terminate old session and resume with early data. */
507 sess = SSL_get1_session(clientssl);
508 SSL_shutdown(clientssl);
509 SSL_shutdown(serverssl);
512 serverssl = clientssl = NULL;
515 memset(client_log_buffer, 0, sizeof(client_log_buffer));
516 memset(server_log_buffer, 0, sizeof(server_log_buffer));
517 client_log_buffer_index = 0;
518 server_log_buffer_index = 0;
520 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
521 &clientssl, NULL, NULL))
522 || !TEST_true(SSL_set_session(clientssl, sess))
523 /* Here writing 0 length early data is enough. */
524 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
525 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
527 SSL_READ_EARLY_DATA_ERROR)
528 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
529 SSL_EARLY_DATA_ACCEPTED)
530 || !TEST_true(create_ssl_connection(serverssl, clientssl,
532 || !TEST_true(SSL_session_reused(clientssl)))
535 /* In addition to the previous entries, expect early secrets. */
536 expected.client_early_secret_count = 1;
537 expected.early_exporter_secret_count = 1;
538 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
539 SSL_get_session(clientssl), &expected))
540 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
541 SSL_get_session(serverssl),
548 SSL_SESSION_free(sess);
558 static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
560 int res = X509_verify_cert(ctx);
561 int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
564 /* this should not happen but check anyway */
566 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL)
569 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
570 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
571 /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
572 return SSL_set_retry_verify(ssl);
577 static int test_client_cert_verify_cb(void)
579 /* server key, cert, chain, and root */
580 char *skey = test_mk_file_path(certsdir, "leaf.key");
581 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
582 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
583 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
584 char *root = test_mk_file_path(certsdir, "rootCA.pem");
585 X509 *crt1 = NULL, *crt2 = NULL;
586 STACK_OF(X509) *server_chain;
587 SSL_CTX *cctx = NULL, *sctx = NULL;
588 SSL *clientssl = NULL, *serverssl = NULL;
591 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
592 TLS_client_method(), TLS1_VERSION, 0,
593 &sctx, &cctx, NULL, NULL)))
595 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
596 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
597 SSL_FILETYPE_PEM), 1)
598 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
600 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
602 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
603 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
604 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
605 &clientssl, NULL, NULL)))
608 /* attempt SSL_connect() with incomplete server chain */
609 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
610 SSL_ERROR_WANT_RETRY_VERIFY)))
613 /* application provides intermediate certs needed to verify server cert */
614 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
615 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
616 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
618 /* add certs in reverse order to demonstrate real chain building */
619 if (!TEST_true(sk_X509_push(server_chain, crt1)))
622 if (!TEST_true(sk_X509_push(server_chain, crt2)))
626 /* continue SSL_connect(), must now succeed with completed server chain */
627 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
636 if (clientssl != NULL) {
637 SSL_shutdown(clientssl);
640 if (serverssl != NULL) {
641 SSL_shutdown(serverssl);
656 static int test_ssl_build_cert_chain(void)
659 SSL_CTX *ssl_ctx = NULL;
661 char *skey = test_mk_file_path(certsdir, "leaf.key");
662 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
664 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
666 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
668 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
669 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
670 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
671 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
673 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
674 | SSL_BUILD_CHAIN_FLAG_CHECK)))
679 SSL_CTX_free(ssl_ctx);
680 OPENSSL_free(leaf_chain);
685 static int get_password_cb(char *buf, int size, int rw_flag, void *userdata)
687 static const char pass[] = "testpass";
689 if (!TEST_int_eq(size, PEM_BUFSIZE))
692 memcpy(buf, pass, sizeof(pass) - 1);
693 return sizeof(pass) - 1;
696 static int test_ssl_ctx_build_cert_chain(void)
700 char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key");
701 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
703 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
705 SSL_CTX_set_default_passwd_cb(ctx, get_password_cb);
706 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
707 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
708 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
709 SSL_FILETYPE_PEM), 1)
710 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
712 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
713 | SSL_BUILD_CHAIN_FLAG_CHECK)))
718 OPENSSL_free(leaf_chain);
723 #ifndef OPENSSL_NO_TLS1_2
724 static int full_client_hello_callback(SSL *s, int *al, void *arg)
727 const unsigned char *p;
729 /* We only configure two ciphers, but the SCSV is added automatically. */
731 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
733 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
736 const int expected_extensions[] = {
737 #ifndef OPENSSL_NO_EC
743 /* Make sure we can defer processing and get called back. */
745 return SSL_CLIENT_HELLO_RETRY;
747 len = SSL_client_hello_get0_ciphers(s, &p);
748 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
750 SSL_client_hello_get0_compression_methods(s, &p), 1)
751 || !TEST_int_eq(*p, 0))
752 return SSL_CLIENT_HELLO_ERROR;
753 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
754 return SSL_CLIENT_HELLO_ERROR;
755 if (len != OSSL_NELEM(expected_extensions) ||
756 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
757 printf("ClientHello callback expected extensions mismatch\n");
759 return SSL_CLIENT_HELLO_ERROR;
762 return SSL_CLIENT_HELLO_SUCCESS;
765 static int test_client_hello_cb(void)
767 SSL_CTX *cctx = NULL, *sctx = NULL;
768 SSL *clientssl = NULL, *serverssl = NULL;
769 int testctr = 0, testresult = 0;
771 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
772 TLS_client_method(), TLS1_VERSION, 0,
773 &sctx, &cctx, cert, privkey)))
775 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
777 /* The gimpy cipher list we configure can't do TLS 1.3. */
778 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
780 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
781 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
782 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
783 &clientssl, NULL, NULL))
784 || !TEST_false(create_ssl_connection(serverssl, clientssl,
785 SSL_ERROR_WANT_CLIENT_HELLO_CB))
787 * Passing a -1 literal is a hack since
788 * the real value was lost.
790 || !TEST_int_eq(SSL_get_error(serverssl, -1),
791 SSL_ERROR_WANT_CLIENT_HELLO_CB)
792 || !TEST_true(create_ssl_connection(serverssl, clientssl,
807 static int test_no_ems(void)
809 SSL_CTX *cctx = NULL, *sctx = NULL;
810 SSL *clientssl = NULL, *serverssl = NULL;
813 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
814 TLS1_VERSION, TLS1_2_VERSION,
815 &sctx, &cctx, cert, privkey)) {
816 printf("Unable to create SSL_CTX pair\n");
820 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
822 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
823 printf("Unable to create SSL objects\n");
827 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
828 printf("Creating SSL connection failed\n");
832 if (SSL_get_extms_support(serverssl)) {
833 printf("Server reports Extended Master Secret support\n");
837 if (SSL_get_extms_support(clientssl)) {
838 printf("Client reports Extended Master Secret support\n");
853 * Very focused test to exercise a single case in the server-side state
854 * machine, when the ChangeCipherState message needs to actually change
855 * from one cipher to a different cipher (i.e., not changing from null
856 * encryption to real encryption).
858 static int test_ccs_change_cipher(void)
860 SSL_CTX *cctx = NULL, *sctx = NULL;
861 SSL *clientssl = NULL, *serverssl = NULL;
862 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
869 * Create a conection so we can resume and potentially (but not) use
870 * a different cipher in the second connection.
872 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
874 TLS1_VERSION, TLS1_2_VERSION,
875 &sctx, &cctx, cert, privkey))
876 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
877 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
879 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
880 || !TEST_true(create_ssl_connection(serverssl, clientssl,
882 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
883 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
886 shutdown_ssl_connection(serverssl, clientssl);
887 serverssl = clientssl = NULL;
889 /* Resume, preferring a different cipher. Our server will force the
890 * same cipher to be used as the initial handshake. */
891 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
893 || !TEST_true(SSL_set_session(clientssl, sess))
894 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
895 || !TEST_true(create_ssl_connection(serverssl, clientssl,
897 || !TEST_true(SSL_session_reused(clientssl))
898 || !TEST_true(SSL_session_reused(serverssl))
899 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
900 || !TEST_ptr_eq(sesspre, sesspost)
901 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
902 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
904 shutdown_ssl_connection(serverssl, clientssl);
905 serverssl = clientssl = NULL;
908 * Now create a fresh connection and try to renegotiate a different
911 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
913 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
914 || !TEST_true(create_ssl_connection(serverssl, clientssl,
916 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
917 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
918 || !TEST_true(SSL_renegotiate(clientssl))
919 || !TEST_true(SSL_renegotiate_pending(clientssl)))
921 /* Actually drive the renegotiation. */
922 for (i = 0; i < 3; i++) {
923 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
924 if (!TEST_ulong_eq(readbytes, 0))
926 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
927 SSL_ERROR_WANT_READ)) {
930 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
931 if (!TEST_ulong_eq(readbytes, 0))
933 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
934 SSL_ERROR_WANT_READ)) {
938 /* sesspre and sesspost should be different since the cipher changed. */
939 if (!TEST_false(SSL_renegotiate_pending(clientssl))
940 || !TEST_false(SSL_session_reused(clientssl))
941 || !TEST_false(SSL_session_reused(serverssl))
942 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
943 || !TEST_ptr_ne(sesspre, sesspost)
944 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
945 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
948 shutdown_ssl_connection(serverssl, clientssl);
949 serverssl = clientssl = NULL;
958 SSL_SESSION_free(sess);
964 static int execute_test_large_message(const SSL_METHOD *smeth,
965 const SSL_METHOD *cmeth,
966 int min_version, int max_version,
969 SSL_CTX *cctx = NULL, *sctx = NULL;
970 SSL *clientssl = NULL, *serverssl = NULL;
974 X509 *chaincert = NULL;
977 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
980 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
983 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
988 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
989 max_version, &sctx, &cctx, cert,
993 #ifdef OPENSSL_NO_DTLS1_2
994 if (smeth == DTLS_server_method()) {
996 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
999 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1000 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1001 "DEFAULT:@SECLEVEL=0")))
1008 * Test that read_ahead works correctly when dealing with large
1011 SSL_CTX_set_read_ahead(cctx, 1);
1015 * We assume the supplied certificate is big enough so that if we add
1016 * NUM_EXTRA_CERTS it will make the overall message large enough. The
1017 * default buffer size is requested to be 16k, but due to the way BUF_MEM
1018 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
1019 * test we need to have a message larger than that.
1021 certlen = i2d_X509(chaincert, NULL);
1022 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
1023 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
1024 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
1025 if (!X509_up_ref(chaincert))
1027 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
1028 X509_free(chaincert);
1033 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1035 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1040 * Calling SSL_clear() first is not required but this tests that SSL_clear()
1043 if (!TEST_true(SSL_clear(serverssl)))
1049 X509_free(chaincert);
1050 SSL_free(serverssl);
1051 SSL_free(clientssl);
1058 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
1059 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
1060 /* sock must be connected */
1061 static int ktls_chk_platform(int sock)
1063 if (!ktls_enable(sock))
1068 static int ping_pong_query(SSL *clientssl, SSL *serverssl)
1070 static char count = 1;
1071 unsigned char cbuf[16000] = {0};
1072 unsigned char sbuf[16000];
1074 char crec_wseq_before[SEQ_NUM_SIZE];
1075 char crec_wseq_after[SEQ_NUM_SIZE];
1076 char crec_rseq_before[SEQ_NUM_SIZE];
1077 char crec_rseq_after[SEQ_NUM_SIZE];
1078 char srec_wseq_before[SEQ_NUM_SIZE];
1079 char srec_wseq_after[SEQ_NUM_SIZE];
1080 char srec_rseq_before[SEQ_NUM_SIZE];
1081 char srec_rseq_after[SEQ_NUM_SIZE];
1084 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1085 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1086 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1087 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1089 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1092 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1093 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1098 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1101 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1102 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1107 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1108 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1109 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1110 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1112 /* verify the payload */
1113 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1117 * If ktls is used then kernel sequences are used instead of
1120 if (!BIO_get_ktls_send(clientssl->wbio)) {
1121 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1122 crec_wseq_after, SEQ_NUM_SIZE))
1125 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1126 crec_wseq_after, SEQ_NUM_SIZE))
1130 if (!BIO_get_ktls_send(serverssl->wbio)) {
1131 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1132 srec_wseq_after, SEQ_NUM_SIZE))
1135 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1136 srec_wseq_after, SEQ_NUM_SIZE))
1140 if (!BIO_get_ktls_recv(clientssl->wbio)) {
1141 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1142 crec_rseq_after, SEQ_NUM_SIZE))
1145 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1146 crec_rseq_after, SEQ_NUM_SIZE))
1150 if (!BIO_get_ktls_recv(serverssl->wbio)) {
1151 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1152 srec_rseq_after, SEQ_NUM_SIZE))
1155 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1156 srec_rseq_after, SEQ_NUM_SIZE))
1165 static int execute_test_ktls(int cis_ktls, int sis_ktls,
1166 int tls_version, const char *cipher)
1168 SSL_CTX *cctx = NULL, *sctx = NULL;
1169 SSL *clientssl = NULL, *serverssl = NULL;
1170 int ktls_used = 0, testresult = 0;
1171 int cfd = -1, sfd = -1;
1174 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
1177 /* Skip this test if the platform does not support ktls */
1178 if (!ktls_chk_platform(cfd)) {
1179 testresult = TEST_skip("Kernel does not support KTLS");
1183 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1184 testresult = TEST_skip("CHACHA is not supported in FIPS");
1188 /* Create a session based on SHA-256 */
1189 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1190 TLS_client_method(),
1191 tls_version, tls_version,
1192 &sctx, &cctx, cert, privkey)))
1195 if (tls_version == TLS1_3_VERSION) {
1196 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1197 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1200 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1201 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1205 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1206 &clientssl, sfd, cfd)))
1210 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
1215 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1219 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1223 * The running kernel may not support a given cipher suite
1224 * or direction, so just check that KTLS isn't used when it
1228 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1231 if (BIO_get_ktls_send(clientssl->wbio))
1236 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1239 if (BIO_get_ktls_send(serverssl->wbio))
1243 #if defined(OPENSSL_NO_KTLS_RX)
1246 rx_supported = (tls_version != TLS1_3_VERSION);
1248 if (!cis_ktls || !rx_supported) {
1249 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1252 if (BIO_get_ktls_send(clientssl->rbio))
1256 if (!sis_ktls || !rx_supported) {
1257 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1260 if (BIO_get_ktls_send(serverssl->rbio))
1264 if ((cis_ktls || sis_ktls) && !ktls_used) {
1265 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1266 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1271 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
1277 SSL_shutdown(clientssl);
1278 SSL_free(clientssl);
1281 SSL_shutdown(serverssl);
1282 SSL_free(serverssl);
1286 serverssl = clientssl = NULL;
1294 #define SENDFILE_SZ (16 * 4096)
1295 #define SENDFILE_CHUNK (4 * 4096)
1296 #define min(a,b) ((a) > (b) ? (b) : (a))
1298 static int execute_test_ktls_sendfile(int tls_version, const char *cipher)
1300 SSL_CTX *cctx = NULL, *sctx = NULL;
1301 SSL *clientssl = NULL, *serverssl = NULL;
1302 unsigned char *buf, *buf_dst;
1303 BIO *out = NULL, *in = NULL;
1304 int cfd = -1, sfd = -1, ffd, err;
1305 ssize_t chunk_size = 0;
1306 off_t chunk_off = 0;
1310 buf = OPENSSL_zalloc(SENDFILE_SZ);
1311 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1312 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1313 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1316 /* Skip this test if the platform does not support ktls */
1317 if (!ktls_chk_platform(sfd)) {
1318 testresult = TEST_skip("Kernel does not support KTLS");
1322 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1323 testresult = TEST_skip("CHACHA is not supported in FIPS");
1327 /* Create a session based on SHA-256 */
1328 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1329 TLS_client_method(),
1330 tls_version, tls_version,
1331 &sctx, &cctx, cert, privkey)))
1334 if (tls_version == TLS1_3_VERSION) {
1335 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1336 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1339 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1340 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1344 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1345 &clientssl, sfd, cfd)))
1348 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1351 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1355 if (!BIO_get_ktls_send(serverssl->wbio)) {
1356 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1357 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1362 if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
1365 out = BIO_new_file(tmpfilename, "wb");
1369 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1374 in = BIO_new_file(tmpfilename, "rb");
1375 BIO_get_fp(in, &ffdp);
1378 while (chunk_off < SENDFILE_SZ) {
1379 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1380 while ((err = SSL_sendfile(serverssl,
1384 0)) != chunk_size) {
1385 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1388 while ((err = SSL_read(clientssl,
1389 buf_dst + chunk_off,
1390 chunk_size)) != chunk_size) {
1391 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1395 /* verify the payload */
1396 if (!TEST_mem_eq(buf_dst + chunk_off,
1402 chunk_off += chunk_size;
1408 SSL_shutdown(clientssl);
1409 SSL_free(clientssl);
1412 SSL_shutdown(serverssl);
1413 SSL_free(serverssl);
1417 serverssl = clientssl = NULL;
1425 OPENSSL_free(buf_dst);
1429 static struct ktls_test_cipher {
1432 } ktls_test_ciphers[] = {
1433 # if !defined(OPENSSL_NO_TLS1_2)
1434 # ifdef OPENSSL_KTLS_AES_GCM_128
1435 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1437 # ifdef OPENSSL_KTLS_AES_CCM_128
1438 { TLS1_2_VERSION, "AES128-CCM"},
1440 # ifdef OPENSSL_KTLS_AES_GCM_256
1441 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1443 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1444 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
1447 # if !defined(OSSL_NO_USABLE_TLS1_3)
1448 # ifdef OPENSSL_KTLS_AES_GCM_128
1449 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1451 # ifdef OPENSSL_KTLS_AES_CCM_128
1452 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1454 # ifdef OPENSSL_KTLS_AES_GCM_256
1455 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1457 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1458 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1463 #define NUM_KTLS_TEST_CIPHERS \
1464 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1466 static int test_ktls(int test)
1468 struct ktls_test_cipher *cipher;
1469 int cis_ktls, sis_ktls;
1471 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
1472 cipher = &ktls_test_ciphers[test / 4];
1474 cis_ktls = (test & 1) != 0;
1475 sis_ktls = (test & 2) != 0;
1477 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1481 static int test_ktls_sendfile(int tst)
1483 struct ktls_test_cipher *cipher;
1485 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
1486 cipher = &ktls_test_ciphers[tst];
1488 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher);
1492 static int test_large_message_tls(void)
1494 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1495 TLS1_VERSION, 0, 0);
1498 static int test_large_message_tls_read_ahead(void)
1500 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1501 TLS1_VERSION, 0, 1);
1504 #ifndef OPENSSL_NO_DTLS
1505 static int test_large_message_dtls(void)
1507 # ifdef OPENSSL_NO_DTLS1_2
1508 /* Not supported in the FIPS provider */
1513 * read_ahead is not relevant to DTLS because DTLS always acts as if
1514 * read_ahead is set.
1516 return execute_test_large_message(DTLS_server_method(),
1517 DTLS_client_method(),
1518 DTLS1_VERSION, 0, 0);
1522 static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1523 const SSL_METHOD *cmeth,
1524 int min_version, int max_version)
1527 SSL_CTX *cctx = NULL, *sctx = NULL;
1528 SSL *clientssl = NULL, *serverssl = NULL;
1533 static unsigned char cbuf[16000];
1534 static unsigned char sbuf[16000];
1536 if (!TEST_true(create_ssl_ctx_pair(libctx,
1538 min_version, max_version,
1543 #ifdef OPENSSL_NO_DTLS1_2
1544 if (smeth == DTLS_server_method()) {
1545 # ifdef OPENSSL_NO_DTLS1_2
1546 /* Not supported in the FIPS provider */
1553 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1556 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1557 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1558 "DEFAULT:@SECLEVEL=0")))
1563 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1567 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1570 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1574 for (i = 0; i < sizeof(cbuf); i++) {
1578 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1581 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1584 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1588 * Since we called SSL_peek(), we know the data in the record
1589 * layer is a plaintext record. We can gather the pointer to check
1590 * for zeroization after SSL_read().
1592 rr = serverssl->rlayer.rrec;
1593 zbuf = &rr->data[rr->off];
1594 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1598 * After SSL_peek() the plaintext must still be stored in the
1601 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1604 memset(sbuf, 0, sizeof(sbuf));
1605 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1608 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1611 /* Check if rbuf is cleansed */
1612 memset(cbuf, 0, sizeof(cbuf));
1613 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1618 SSL_free(serverssl);
1619 SSL_free(clientssl);
1626 static int test_cleanse_plaintext(void)
1628 #if !defined(OPENSSL_NO_TLS1_2)
1629 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1630 TLS_client_method(),
1637 #if !defined(OSSL_NO_USABLE_TLS1_3)
1638 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1639 TLS_client_method(),
1645 #if !defined(OPENSSL_NO_DTLS)
1647 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1648 DTLS_client_method(),
1656 #ifndef OPENSSL_NO_OCSP
1657 static int ocsp_server_cb(SSL *s, void *arg)
1659 int *argi = (int *)arg;
1660 unsigned char *copy = NULL;
1661 STACK_OF(OCSP_RESPID) *ids = NULL;
1662 OCSP_RESPID *id = NULL;
1665 /* In this test we are expecting exactly 1 OCSP_RESPID */
1666 SSL_get_tlsext_status_ids(s, &ids);
1667 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1668 return SSL_TLSEXT_ERR_ALERT_FATAL;
1670 id = sk_OCSP_RESPID_value(ids, 0);
1671 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1672 return SSL_TLSEXT_ERR_ALERT_FATAL;
1673 } else if (*argi != 1) {
1674 return SSL_TLSEXT_ERR_ALERT_FATAL;
1677 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1678 return SSL_TLSEXT_ERR_ALERT_FATAL;
1680 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1681 sizeof(orespder)))) {
1683 return SSL_TLSEXT_ERR_ALERT_FATAL;
1685 ocsp_server_called = 1;
1686 return SSL_TLSEXT_ERR_OK;
1689 static int ocsp_client_cb(SSL *s, void *arg)
1691 int *argi = (int *)arg;
1692 const unsigned char *respderin;
1695 if (*argi != 1 && *argi != 2)
1698 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1699 if (!TEST_mem_eq(orespder, len, respderin, len))
1702 ocsp_client_called = 1;
1706 static int test_tlsext_status_type(void)
1708 SSL_CTX *cctx = NULL, *sctx = NULL;
1709 SSL *clientssl = NULL, *serverssl = NULL;
1711 STACK_OF(OCSP_RESPID) *ids = NULL;
1712 OCSP_RESPID *id = NULL;
1713 BIO *certbio = NULL;
1715 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1717 &sctx, &cctx, cert, privkey))
1720 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1723 /* First just do various checks getting and setting tlsext_status_type */
1725 clientssl = SSL_new(cctx);
1726 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1727 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1728 TLSEXT_STATUSTYPE_ocsp))
1729 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1730 TLSEXT_STATUSTYPE_ocsp))
1733 SSL_free(clientssl);
1736 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1737 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1740 clientssl = SSL_new(cctx);
1741 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1743 SSL_free(clientssl);
1747 * Now actually do a handshake and check OCSP information is exchanged and
1748 * the callbacks get called
1750 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1751 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1752 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1753 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1754 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1755 &clientssl, NULL, NULL))
1756 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1758 || !TEST_true(ocsp_client_called)
1759 || !TEST_true(ocsp_server_called))
1761 SSL_free(serverssl);
1762 SSL_free(clientssl);
1766 /* Try again but this time force the server side callback to fail */
1767 ocsp_client_called = 0;
1768 ocsp_server_called = 0;
1770 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1771 &clientssl, NULL, NULL))
1772 /* This should fail because the callback will fail */
1773 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1775 || !TEST_false(ocsp_client_called)
1776 || !TEST_false(ocsp_server_called))
1778 SSL_free(serverssl);
1779 SSL_free(clientssl);
1784 * This time we'll get the client to send an OCSP_RESPID that it will
1787 ocsp_client_called = 0;
1788 ocsp_server_called = 0;
1790 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1791 &clientssl, NULL, NULL)))
1795 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1796 * specific one. We'll use the server cert.
1798 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1799 || !TEST_ptr(id = OCSP_RESPID_new())
1800 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1801 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
1802 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
1803 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1804 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1807 SSL_set_tlsext_status_ids(clientssl, ids);
1808 /* Control has been transferred */
1814 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1816 || !TEST_true(ocsp_client_called)
1817 || !TEST_true(ocsp_server_called))
1823 SSL_free(serverssl);
1824 SSL_free(clientssl);
1827 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1828 OCSP_RESPID_free(id);
1830 X509_free(ocspcert);
1837 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1838 static int new_called, remove_called, get_called;
1840 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1844 * sess has been up-refed for us, but we don't actually need it so free it
1847 SSL_SESSION_free(sess);
1851 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1856 static SSL_SESSION *get_sess_val = NULL;
1858 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1863 return get_sess_val;
1866 static int execute_test_session(int maxprot, int use_int_cache,
1867 int use_ext_cache, long s_options)
1869 SSL_CTX *sctx = NULL, *cctx = NULL;
1870 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1871 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1872 # ifndef OPENSSL_NO_TLS1_1
1873 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1875 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1876 int testresult = 0, numnewsesstick = 1;
1878 new_called = remove_called = 0;
1880 /* TLSv1.3 sends 2 NewSessionTickets */
1881 if (maxprot == TLS1_3_VERSION)
1884 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1885 TLS_client_method(), TLS1_VERSION, 0,
1886 &sctx, &cctx, cert, privkey)))
1890 * Only allow the max protocol version so we can force a connection failure
1893 SSL_CTX_set_min_proto_version(cctx, maxprot);
1894 SSL_CTX_set_max_proto_version(cctx, maxprot);
1896 /* Set up session cache */
1897 if (use_ext_cache) {
1898 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1899 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1901 if (use_int_cache) {
1902 /* Also covers instance where both are set */
1903 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1905 SSL_CTX_set_session_cache_mode(cctx,
1906 SSL_SESS_CACHE_CLIENT
1907 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1911 SSL_CTX_set_options(sctx, s_options);
1914 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1916 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1918 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1921 /* Should fail because it should already be in the cache */
1922 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1925 && (!TEST_int_eq(new_called, numnewsesstick)
1927 || !TEST_int_eq(remove_called, 0)))
1930 new_called = remove_called = 0;
1931 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1932 &clientssl2, NULL, NULL))
1933 || !TEST_true(SSL_set_session(clientssl2, sess1))
1934 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1936 || !TEST_true(SSL_session_reused(clientssl2)))
1939 if (maxprot == TLS1_3_VERSION) {
1941 * In TLSv1.3 we should have created a new session even though we have
1942 * resumed. Since we attempted a resume we should also have removed the
1943 * old ticket from the cache so that we try to only use tickets once.
1946 && (!TEST_int_eq(new_called, 1)
1947 || !TEST_int_eq(remove_called, 1)))
1951 * In TLSv1.2 we expect to have resumed so no sessions added or
1955 && (!TEST_int_eq(new_called, 0)
1956 || !TEST_int_eq(remove_called, 0)))
1960 SSL_SESSION_free(sess1);
1961 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1963 shutdown_ssl_connection(serverssl2, clientssl2);
1964 serverssl2 = clientssl2 = NULL;
1966 new_called = remove_called = 0;
1967 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1968 &clientssl2, NULL, NULL))
1969 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1973 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1977 && (!TEST_int_eq(new_called, numnewsesstick)
1978 || !TEST_int_eq(remove_called, 0)))
1981 new_called = remove_called = 0;
1983 * This should clear sess2 from the cache because it is a "bad" session.
1984 * See SSL_set_session() documentation.
1986 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1989 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1991 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1994 if (use_int_cache) {
1995 /* Should succeeded because it should not already be in the cache */
1996 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1997 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
2001 new_called = remove_called = 0;
2002 /* This shouldn't be in the cache so should fail */
2003 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2007 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2010 # if !defined(OPENSSL_NO_TLS1_1)
2011 new_called = remove_called = 0;
2012 /* Force a connection failure */
2013 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
2014 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
2015 &clientssl3, NULL, NULL))
2016 || !TEST_true(SSL_set_session(clientssl3, sess1))
2017 /* This should fail because of the mismatched protocol versions */
2018 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
2022 /* We should have automatically removed the session from the cache */
2024 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2027 /* Should succeed because it should not already be in the cache */
2028 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
2032 /* Now do some tests for server side caching */
2033 if (use_ext_cache) {
2034 SSL_CTX_sess_set_new_cb(cctx, NULL);
2035 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2036 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2037 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2038 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2039 get_sess_val = NULL;
2042 SSL_CTX_set_session_cache_mode(cctx, 0);
2043 /* Internal caching is the default on the server side */
2045 SSL_CTX_set_session_cache_mode(sctx,
2046 SSL_SESS_CACHE_SERVER
2047 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2049 SSL_free(serverssl1);
2050 SSL_free(clientssl1);
2051 serverssl1 = clientssl1 = NULL;
2052 SSL_free(serverssl2);
2053 SSL_free(clientssl2);
2054 serverssl2 = clientssl2 = NULL;
2055 SSL_SESSION_free(sess1);
2057 SSL_SESSION_free(sess2);
2060 SSL_CTX_set_max_proto_version(sctx, maxprot);
2061 if (maxprot == TLS1_2_VERSION)
2062 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
2063 new_called = remove_called = get_called = 0;
2064 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2066 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2068 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2069 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2072 if (use_int_cache) {
2073 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2075 * In TLSv1.3 it should not have been added to the internal cache,
2076 * except in the case where we also have an external cache (in that
2077 * case it gets added to the cache in order to generate remove
2078 * events after timeout).
2080 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2083 /* Should fail because it should already be in the cache */
2084 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2089 if (use_ext_cache) {
2090 SSL_SESSION *tmp = sess2;
2092 if (!TEST_int_eq(new_called, numnewsesstick)
2093 || !TEST_int_eq(remove_called, 0)
2094 || !TEST_int_eq(get_called, 0))
2097 * Delete the session from the internal cache to force a lookup from
2098 * the external cache. We take a copy first because
2099 * SSL_CTX_remove_session() also marks the session as non-resumable.
2101 if (use_int_cache && maxprot != TLS1_3_VERSION) {
2102 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2103 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2105 SSL_SESSION_free(sess2);
2110 new_called = remove_called = get_called = 0;
2111 get_sess_val = sess2;
2112 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2113 &clientssl2, NULL, NULL))
2114 || !TEST_true(SSL_set_session(clientssl2, sess1))
2115 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2117 || !TEST_true(SSL_session_reused(clientssl2)))
2120 if (use_ext_cache) {
2121 if (!TEST_int_eq(remove_called, 0))
2124 if (maxprot == TLS1_3_VERSION) {
2125 if (!TEST_int_eq(new_called, 1)
2126 || !TEST_int_eq(get_called, 0))
2129 if (!TEST_int_eq(new_called, 0)
2130 || !TEST_int_eq(get_called, 1))
2138 SSL_free(serverssl1);
2139 SSL_free(clientssl1);
2140 SSL_free(serverssl2);
2141 SSL_free(clientssl2);
2142 # ifndef OPENSSL_NO_TLS1_1
2143 SSL_free(serverssl3);
2144 SSL_free(clientssl3);
2146 SSL_SESSION_free(sess1);
2147 SSL_SESSION_free(sess2);
2153 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2155 static int test_session_with_only_int_cache(void)
2157 #ifndef OSSL_NO_USABLE_TLS1_3
2158 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
2162 #ifndef OPENSSL_NO_TLS1_2
2163 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
2169 static int test_session_with_only_ext_cache(void)
2171 #ifndef OSSL_NO_USABLE_TLS1_3
2172 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
2176 #ifndef OPENSSL_NO_TLS1_2
2177 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
2183 static int test_session_with_both_cache(void)
2185 #ifndef OSSL_NO_USABLE_TLS1_3
2186 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2190 #ifndef OPENSSL_NO_TLS1_2
2191 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2197 static int test_session_wo_ca_names(void)
2199 #ifndef OSSL_NO_USABLE_TLS1_3
2200 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
2204 #ifndef OPENSSL_NO_TLS1_2
2205 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
2212 #ifndef OSSL_NO_USABLE_TLS1_3
2213 static SSL_SESSION *sesscache[6];
2214 static int do_cache;
2216 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2219 sesscache[new_called] = sess;
2221 /* We don't need the reference to the session, so free it */
2222 SSL_SESSION_free(sess);
2229 static int post_handshake_verify(SSL *sssl, SSL *cssl)
2231 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2232 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2235 /* Start handshake on the server and client */
2236 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2237 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2238 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2239 || !TEST_true(create_ssl_connection(sssl, cssl,
2246 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
2249 int sess_id_ctx = 1;
2251 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2252 TLS_client_method(), TLS1_VERSION, 0,
2253 sctx, cctx, cert, privkey))
2254 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2255 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2256 (void *)&sess_id_ctx,
2257 sizeof(sess_id_ctx))))
2261 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2263 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2264 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2265 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2270 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2272 SSL *serverssl = NULL, *clientssl = NULL;
2275 /* Test that we can resume with all the tickets we got given */
2276 for (i = 0; i < idx * 2; i++) {
2278 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2279 &clientssl, NULL, NULL))
2280 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2283 SSL_set_post_handshake_auth(clientssl, 1);
2285 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2290 * Following a successful resumption we only get 1 ticket. After a
2291 * failed one we should get idx tickets.
2294 if (!TEST_true(SSL_session_reused(clientssl))
2295 || !TEST_int_eq(new_called, 1))
2298 if (!TEST_false(SSL_session_reused(clientssl))
2299 || !TEST_int_eq(new_called, idx))
2304 /* After a post-handshake authentication we should get 1 new ticket */
2306 && (!post_handshake_verify(serverssl, clientssl)
2307 || !TEST_int_eq(new_called, 1)))
2310 SSL_shutdown(clientssl);
2311 SSL_shutdown(serverssl);
2312 SSL_free(serverssl);
2313 SSL_free(clientssl);
2314 serverssl = clientssl = NULL;
2315 SSL_SESSION_free(sesscache[i]);
2316 sesscache[i] = NULL;
2322 SSL_free(clientssl);
2323 SSL_free(serverssl);
2327 static int test_tickets(int stateful, int idx)
2329 SSL_CTX *sctx = NULL, *cctx = NULL;
2330 SSL *serverssl = NULL, *clientssl = NULL;
2334 /* idx is the test number, but also the number of tickets we want */
2339 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2342 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2343 &clientssl, NULL, NULL)))
2346 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2348 /* Check we got the number of tickets we were expecting */
2349 || !TEST_int_eq(idx, new_called))
2352 SSL_shutdown(clientssl);
2353 SSL_shutdown(serverssl);
2354 SSL_free(serverssl);
2355 SSL_free(clientssl);
2358 clientssl = serverssl = NULL;
2362 * Now we try to resume with the tickets we previously created. The
2363 * resumption attempt is expected to fail (because we're now using a new
2364 * SSL_CTX). We should see idx number of tickets issued again.
2367 /* Stop caching sessions - just count them */
2370 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2373 if (!check_resumption(idx, sctx, cctx, 0))
2376 /* Start again with caching sessions */
2383 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2386 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2387 &clientssl, NULL, NULL)))
2390 SSL_set_post_handshake_auth(clientssl, 1);
2392 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2394 /* Check we got the number of tickets we were expecting */
2395 || !TEST_int_eq(idx, new_called))
2398 /* After a post-handshake authentication we should get new tickets issued */
2399 if (!post_handshake_verify(serverssl, clientssl)
2400 || !TEST_int_eq(idx * 2, new_called))
2403 SSL_shutdown(clientssl);
2404 SSL_shutdown(serverssl);
2405 SSL_free(serverssl);
2406 SSL_free(clientssl);
2407 serverssl = clientssl = NULL;
2409 /* Stop caching sessions - just count them */
2413 * Check we can resume with all the tickets we created. This time around the
2414 * resumptions should all be successful.
2416 if (!check_resumption(idx, sctx, cctx, 1))
2422 SSL_free(serverssl);
2423 SSL_free(clientssl);
2424 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2425 SSL_SESSION_free(sesscache[j]);
2426 sesscache[j] = NULL;
2434 static int test_stateless_tickets(int idx)
2436 return test_tickets(0, idx);
2439 static int test_stateful_tickets(int idx)
2441 return test_tickets(1, idx);
2444 static int test_psk_tickets(void)
2446 SSL_CTX *sctx = NULL, *cctx = NULL;
2447 SSL *serverssl = NULL, *clientssl = NULL;
2449 int sess_id_ctx = 1;
2451 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2452 TLS_client_method(), TLS1_VERSION, 0,
2453 &sctx, &cctx, NULL, NULL))
2454 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2455 (void *)&sess_id_ctx,
2456 sizeof(sess_id_ctx))))
2459 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2460 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2461 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2462 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2463 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2464 use_session_cb_cnt = 0;
2465 find_session_cb_cnt = 0;
2469 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2472 clientpsk = serverpsk = create_a_psk(clientssl);
2473 if (!TEST_ptr(clientpsk))
2475 SSL_SESSION_up_ref(clientpsk);
2477 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2479 || !TEST_int_eq(1, find_session_cb_cnt)
2480 || !TEST_int_eq(1, use_session_cb_cnt)
2481 /* We should always get 1 ticket when using external PSK */
2482 || !TEST_int_eq(1, new_called))
2488 SSL_free(serverssl);
2489 SSL_free(clientssl);
2492 SSL_SESSION_free(clientpsk);
2493 SSL_SESSION_free(serverpsk);
2494 clientpsk = serverpsk = NULL;
2499 static int test_extra_tickets(int idx)
2501 SSL_CTX *sctx = NULL, *cctx = NULL;
2502 SSL *serverssl = NULL, *clientssl = NULL;
2503 BIO *bretry = BIO_new(bio_s_always_retry());
2508 unsigned char c, buf[1];
2518 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2520 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2521 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2522 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2524 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2525 &clientssl, NULL, NULL)))
2529 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2530 * incremented by both client and server.
2532 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2534 /* Check we got the number of tickets we were expecting */
2535 || !TEST_int_eq(idx * 2, new_called)
2536 || !TEST_true(SSL_new_session_ticket(serverssl))
2537 || !TEST_true(SSL_new_session_ticket(serverssl))
2538 || !TEST_int_eq(idx * 2, new_called))
2541 /* Now try a (real) write to actually send the tickets */
2543 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2544 || !TEST_size_t_eq(1, nbytes)
2545 || !TEST_int_eq(idx * 2 + 2, new_called)
2546 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2547 || !TEST_int_eq(idx * 2 + 4, new_called)
2548 || !TEST_int_eq(sizeof(buf), nbytes)
2549 || !TEST_int_eq(c, buf[0])
2550 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2553 /* Try with only requesting one new ticket, too */
2556 if (!TEST_true(SSL_new_session_ticket(serverssl))
2557 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2558 || !TEST_size_t_eq(sizeof(c), nbytes)
2559 || !TEST_int_eq(1, new_called)
2560 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2561 || !TEST_int_eq(2, new_called)
2562 || !TEST_size_t_eq(sizeof(buf), nbytes)
2563 || !TEST_int_eq(c, buf[0]))
2566 /* Do it again but use dummy writes to drive the ticket generation */
2569 if (!TEST_true(SSL_new_session_ticket(serverssl))
2570 || !TEST_true(SSL_new_session_ticket(serverssl))
2571 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2572 || !TEST_size_t_eq(0, nbytes)
2573 || !TEST_int_eq(2, new_called)
2574 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2575 || !TEST_int_eq(4, new_called))
2578 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2581 if (!TEST_true(SSL_new_session_ticket(serverssl))
2582 || !TEST_true(SSL_new_session_ticket(serverssl))
2583 || !TEST_true(SSL_do_handshake(serverssl))
2584 || !TEST_int_eq(2, new_called)
2585 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2586 || !TEST_int_eq(4, new_called))
2590 * Use the always-retry BIO to exercise the logic that forces ticket
2591 * generation to wait until a record boundary.
2595 tmp = SSL_get_wbio(serverssl);
2596 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2600 SSL_set0_wbio(serverssl, bretry);
2602 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2603 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2604 || !TEST_size_t_eq(nbytes, 0))
2606 /* Restore a BIO that will let the write succeed */
2607 SSL_set0_wbio(serverssl, tmp);
2610 * These calls should just queue the request and not send anything
2611 * even if we explicitly try to hit the state machine.
2613 if (!TEST_true(SSL_new_session_ticket(serverssl))
2614 || !TEST_true(SSL_new_session_ticket(serverssl))
2615 || !TEST_int_eq(0, new_called)
2616 || !TEST_true(SSL_do_handshake(serverssl))
2617 || !TEST_int_eq(0, new_called))
2619 /* Re-do the write; still no tickets sent */
2620 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2621 || !TEST_size_t_eq(1, nbytes)
2622 || !TEST_int_eq(0, new_called)
2623 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2624 || !TEST_int_eq(0, new_called)
2625 || !TEST_int_eq(sizeof(buf), nbytes)
2626 || !TEST_int_eq(c, buf[0])
2627 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2629 /* Even trying to hit the state machine now will still not send tickets */
2630 if (!TEST_true(SSL_do_handshake(serverssl))
2631 || !TEST_int_eq(0, new_called))
2633 /* Now the *next* write should send the tickets */
2635 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2636 || !TEST_size_t_eq(1, nbytes)
2637 || !TEST_int_eq(2, new_called)
2638 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2639 || !TEST_int_eq(4, new_called)
2640 || !TEST_int_eq(sizeof(buf), nbytes)
2641 || !TEST_int_eq(c, buf[0])
2642 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2645 SSL_shutdown(clientssl);
2646 SSL_shutdown(serverssl);
2652 SSL_free(serverssl);
2653 SSL_free(clientssl);
2656 clientssl = serverssl = NULL;
2665 #define USE_DEFAULT 3
2667 #define CONNTYPE_CONNECTION_SUCCESS 0
2668 #define CONNTYPE_CONNECTION_FAIL 1
2669 #define CONNTYPE_NO_CONNECTION 2
2671 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2672 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2673 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2674 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2676 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2679 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2680 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2681 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2683 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2700 * Tests calls to SSL_set_bio() under various conditions.
2702 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2703 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2704 * then do more tests where we create a successful connection first using our
2705 * standard connection setup functions, and then call SSL_set_bio() with
2706 * various combinations of valid BIOs or NULL. We then repeat these tests
2707 * following a failed connection. In this last case we are looking to check that
2708 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2710 static int test_ssl_set_bio(int idx)
2712 SSL_CTX *sctx = NULL, *cctx = NULL;
2715 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2716 SSL *serverssl = NULL, *clientssl = NULL;
2717 int initrbio, initwbio, newrbio, newwbio, conntype;
2720 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2728 conntype = CONNTYPE_NO_CONNECTION;
2730 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2731 initrbio = initwbio = USE_DEFAULT;
2739 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2740 TLS_client_method(), TLS1_VERSION, 0,
2741 &sctx, &cctx, cert, privkey)))
2744 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2746 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2747 * because we reduced the number of tests in the definition of
2748 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2749 * mismatched protocol versions we will force a connection failure.
2751 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2752 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2755 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2759 if (initrbio == USE_BIO_1
2760 || initwbio == USE_BIO_1
2761 || newrbio == USE_BIO_1
2762 || newwbio == USE_BIO_1) {
2763 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2767 if (initrbio == USE_BIO_2
2768 || initwbio == USE_BIO_2
2769 || newrbio == USE_BIO_2
2770 || newwbio == USE_BIO_2) {
2771 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2775 if (initrbio != USE_DEFAULT) {
2776 setupbio(&irbio, bio1, bio2, initrbio);
2777 setupbio(&iwbio, bio1, bio2, initwbio);
2778 SSL_set_bio(clientssl, irbio, iwbio);
2781 * We want to maintain our own refs to these BIO, so do an up ref for
2782 * each BIO that will have ownership transferred in the SSL_set_bio()
2787 if (iwbio != NULL && iwbio != irbio)
2791 if (conntype != CONNTYPE_NO_CONNECTION
2792 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2794 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2797 setupbio(&nrbio, bio1, bio2, newrbio);
2798 setupbio(&nwbio, bio1, bio2, newwbio);
2801 * We will (maybe) transfer ownership again so do more up refs.
2802 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2807 && (nwbio != iwbio || nrbio != nwbio))
2811 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2814 SSL_set_bio(clientssl, nrbio, nwbio);
2823 * This test is checking that the ref counting for SSL_set_bio is correct.
2824 * If we get here and we did too many frees then we will fail in the above
2827 SSL_free(serverssl);
2828 SSL_free(clientssl);
2834 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
2836 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
2838 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
2843 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
2844 || !TEST_ptr(ssl = SSL_new(ctx))
2845 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2846 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
2849 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2852 * If anything goes wrong here then we could leak memory.
2854 BIO_push(sslbio, membio1);
2856 /* Verify changing the rbio/wbio directly does not cause leaks */
2857 if (change_bio != NO_BIO_CHANGE) {
2858 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
2862 if (change_bio == CHANGE_RBIO)
2863 SSL_set0_rbio(ssl, membio2);
2865 SSL_set0_wbio(ssl, membio2);
2884 static int test_ssl_bio_pop_next_bio(void)
2886 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
2889 static int test_ssl_bio_pop_ssl_bio(void)
2891 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
2894 static int test_ssl_bio_change_rbio(void)
2896 return execute_test_ssl_bio(0, CHANGE_RBIO);
2899 static int test_ssl_bio_change_wbio(void)
2901 return execute_test_ssl_bio(0, CHANGE_WBIO);
2904 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
2906 /* The list of sig algs */
2908 /* The length of the list */
2910 /* A sigalgs list in string format */
2911 const char *liststr;
2912 /* Whether setting the list should succeed */
2914 /* Whether creating a connection with the list should succeed */
2918 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
2919 # ifndef OPENSSL_NO_EC
2920 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2921 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
2923 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2924 static const int invalidlist2[] = {NID_sha256, NID_undef};
2925 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2926 static const int invalidlist4[] = {NID_sha256};
2927 static const sigalgs_list testsigalgs[] = {
2928 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2929 # ifndef OPENSSL_NO_EC
2930 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2931 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2933 {NULL, 0, "RSA+SHA256", 1, 1},
2934 # ifndef OPENSSL_NO_EC
2935 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2936 {NULL, 0, "ECDSA+SHA512", 1, 0},
2938 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2939 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2940 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2941 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2942 {NULL, 0, "RSA", 0, 0},
2943 {NULL, 0, "SHA256", 0, 0},
2944 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2945 {NULL, 0, "Invalid", 0, 0}
2948 static int test_set_sigalgs(int idx)
2950 SSL_CTX *cctx = NULL, *sctx = NULL;
2951 SSL *clientssl = NULL, *serverssl = NULL;
2953 const sigalgs_list *curr;
2956 /* Should never happen */
2957 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
2960 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2961 curr = testctx ? &testsigalgs[idx]
2962 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2964 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2965 TLS_client_method(), TLS1_VERSION, 0,
2966 &sctx, &cctx, cert, privkey)))
2969 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2974 if (curr->list != NULL)
2975 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2977 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2981 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2987 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2992 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2993 &clientssl, NULL, NULL)))
2999 if (curr->list != NULL)
3000 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
3002 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
3005 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
3014 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
3022 SSL_free(serverssl);
3023 SSL_free(clientssl);
3031 #ifndef OSSL_NO_USABLE_TLS1_3
3032 static int psk_client_cb_cnt = 0;
3033 static int psk_server_cb_cnt = 0;
3035 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3036 size_t *idlen, SSL_SESSION **sess)
3038 switch (++use_session_cb_cnt) {
3040 /* The first call should always have a NULL md */
3046 /* The second call should always have an md */
3052 /* We should only be called a maximum of twice */
3056 if (clientpsk != NULL)
3057 SSL_SESSION_up_ref(clientpsk);
3060 *id = (const unsigned char *)pskid;
3061 *idlen = strlen(pskid);
3066 #ifndef OPENSSL_NO_PSK
3067 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3068 unsigned int max_id_len,
3070 unsigned int max_psk_len)
3072 unsigned int psklen = 0;
3074 psk_client_cb_cnt++;
3076 if (strlen(pskid) + 1 > max_id_len)
3079 /* We should only ever be called a maximum of twice per connection */
3080 if (psk_client_cb_cnt > 2)
3083 if (clientpsk == NULL)
3086 /* We'll reuse the PSK we set up for TLSv1.3 */
3087 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3089 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3090 strncpy(id, pskid, max_id_len);
3094 #endif /* OPENSSL_NO_PSK */
3096 static int find_session_cb(SSL *ssl, const unsigned char *identity,
3097 size_t identity_len, SSL_SESSION **sess)
3099 find_session_cb_cnt++;
3101 /* We should only ever be called a maximum of twice per connection */
3102 if (find_session_cb_cnt > 2)
3105 if (serverpsk == NULL)
3108 /* Identity should match that set by the client */
3109 if (strlen(srvid) != identity_len
3110 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3111 /* No PSK found, continue but without a PSK */
3116 SSL_SESSION_up_ref(serverpsk);
3122 #ifndef OPENSSL_NO_PSK
3123 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3124 unsigned char *psk, unsigned int max_psk_len)
3126 unsigned int psklen = 0;
3128 psk_server_cb_cnt++;
3130 /* We should only ever be called a maximum of twice per connection */
3131 if (find_session_cb_cnt > 2)
3134 if (serverpsk == NULL)
3137 /* Identity should match that set by the client */
3138 if (strcmp(srvid, identity) != 0) {
3142 /* We'll reuse the PSK we set up for TLSv1.3 */
3143 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3145 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3149 #endif /* OPENSSL_NO_PSK */
3151 #define MSG1 "Hello"
3152 #define MSG2 "World."
3157 #define MSG7 "message."
3159 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
3160 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3161 #define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3162 #define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3163 #define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
3166 static SSL_SESSION *create_a_psk(SSL *ssl)
3168 const SSL_CIPHER *cipher = NULL;
3169 const unsigned char key[] = {
3170 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3171 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3172 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3173 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3174 0x2c, 0x2d, 0x2e, 0x2f
3176 SSL_SESSION *sess = NULL;
3178 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3179 sess = SSL_SESSION_new();
3181 || !TEST_ptr(cipher)
3182 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
3184 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3186 SSL_SESSION_set_protocol_version(sess,
3188 SSL_SESSION_free(sess);
3195 * Helper method to setup objects for early data test. Caller frees objects on
3198 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3199 SSL **serverssl, SSL_SESSION **sess, int idx)
3202 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3203 TLS_client_method(),
3205 sctx, cctx, cert, privkey)))
3208 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
3212 /* When idx == 1 we repeat the tests with read_ahead set */
3213 SSL_CTX_set_read_ahead(*cctx, 1);
3214 SSL_CTX_set_read_ahead(*sctx, 1);
3215 } else if (idx == 2) {
3216 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3217 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3218 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3219 use_session_cb_cnt = 0;
3220 find_session_cb_cnt = 0;
3224 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
3229 * For one of the run throughs (doesn't matter which one), we'll try sending
3230 * some SNI data in the initial ClientHello. This will be ignored (because
3231 * there is no SNI cb set up by the server), so it should not impact
3235 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3239 clientpsk = create_a_psk(*clientssl);
3240 if (!TEST_ptr(clientpsk)
3242 * We just choose an arbitrary value for max_early_data which
3243 * should be big enough for testing purposes.
3245 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3247 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3248 SSL_SESSION_free(clientpsk);
3252 serverpsk = clientpsk;
3255 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3256 SSL_SESSION_free(clientpsk);
3257 SSL_SESSION_free(serverpsk);
3258 clientpsk = serverpsk = NULL;
3269 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3273 *sess = SSL_get1_session(*clientssl);
3274 SSL_shutdown(*clientssl);
3275 SSL_shutdown(*serverssl);
3276 SSL_free(*serverssl);
3277 SSL_free(*clientssl);
3278 *serverssl = *clientssl = NULL;
3280 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3281 clientssl, NULL, NULL))
3282 || !TEST_true(SSL_set_session(*clientssl, *sess)))
3288 static int test_early_data_read_write(int idx)
3290 SSL_CTX *cctx = NULL, *sctx = NULL;
3291 SSL *clientssl = NULL, *serverssl = NULL;
3293 SSL_SESSION *sess = NULL;
3294 unsigned char buf[20], data[1024];
3295 size_t readbytes, written, eoedlen, rawread, rawwritten;
3298 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3299 &serverssl, &sess, idx)))
3302 /* Write and read some early data */
3303 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3305 || !TEST_size_t_eq(written, strlen(MSG1))
3306 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3307 sizeof(buf), &readbytes),
3308 SSL_READ_EARLY_DATA_SUCCESS)
3309 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3310 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3311 SSL_EARLY_DATA_ACCEPTED))
3315 * Server should be able to write data, and client should be able to
3318 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3320 || !TEST_size_t_eq(written, strlen(MSG2))
3321 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3322 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3325 /* Even after reading normal data, client should be able write early data */
3326 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3328 || !TEST_size_t_eq(written, strlen(MSG3)))
3331 /* Server should still be able read early data after writing data */
3332 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3334 SSL_READ_EARLY_DATA_SUCCESS)
3335 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3338 /* Write more data from server and read it from client */
3339 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3341 || !TEST_size_t_eq(written, strlen(MSG4))
3342 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3343 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3347 * If client writes normal data it should mean writing early data is no
3350 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3351 || !TEST_size_t_eq(written, strlen(MSG5))
3352 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3353 SSL_EARLY_DATA_ACCEPTED))
3357 * At this point the client has written EndOfEarlyData, ClientFinished and
3358 * normal (fully protected) data. We are going to cause a delay between the
3359 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3360 * in the read BIO, and then just put back the EndOfEarlyData message.
3362 rbio = SSL_get_rbio(serverssl);
3363 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3364 || !TEST_size_t_lt(rawread, sizeof(data))
3365 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3368 /* Record length is in the 4th and 5th bytes of the record header */
3369 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3370 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3371 || !TEST_size_t_eq(rawwritten, eoedlen))
3374 /* Server should be told that there is no more early data */
3375 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3377 SSL_READ_EARLY_DATA_FINISH)
3378 || !TEST_size_t_eq(readbytes, 0))
3382 * Server has not finished init yet, so should still be able to write early
3385 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3387 || !TEST_size_t_eq(written, strlen(MSG6)))
3390 /* Push the ClientFinished and the normal data back into the server rbio */
3391 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3393 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3396 /* Server should be able to read normal data */
3397 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3398 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3401 /* Client and server should not be able to write/read early data now */
3402 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3406 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3408 SSL_READ_EARLY_DATA_ERROR))
3412 /* Client should be able to read the data sent by the server */
3413 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3414 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3418 * Make sure we process the two NewSessionTickets. These arrive
3419 * post-handshake. We attempt reads which we do not expect to return any
3422 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3423 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3427 /* Server should be able to write normal data */
3428 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3429 || !TEST_size_t_eq(written, strlen(MSG7))
3430 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3431 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3434 SSL_SESSION_free(sess);
3435 sess = SSL_get1_session(clientssl);
3436 use_session_cb_cnt = 0;
3437 find_session_cb_cnt = 0;
3439 SSL_shutdown(clientssl);
3440 SSL_shutdown(serverssl);
3441 SSL_free(serverssl);
3442 SSL_free(clientssl);
3443 serverssl = clientssl = NULL;
3444 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3445 &clientssl, NULL, NULL))
3446 || !TEST_true(SSL_set_session(clientssl, sess)))
3449 /* Write and read some early data */
3450 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3452 || !TEST_size_t_eq(written, strlen(MSG1))
3453 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3455 SSL_READ_EARLY_DATA_SUCCESS)
3456 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3459 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3460 || !TEST_int_gt(SSL_accept(serverssl), 0))
3463 /* Client and server should not be able to write/read early data now */
3464 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3468 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3470 SSL_READ_EARLY_DATA_ERROR))
3474 /* Client and server should be able to write/read normal data */
3475 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3476 || !TEST_size_t_eq(written, strlen(MSG5))
3477 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3478 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3484 SSL_SESSION_free(sess);
3485 SSL_SESSION_free(clientpsk);
3486 SSL_SESSION_free(serverpsk);
3487 clientpsk = serverpsk = NULL;
3488 SSL_free(serverssl);
3489 SSL_free(clientssl);
3495 static int allow_ed_cb_called = 0;
3497 static int allow_early_data_cb(SSL *s, void *arg)
3499 int *usecb = (int *)arg;
3501 allow_ed_cb_called++;
3510 * idx == 0: Standard early_data setup
3511 * idx == 1: early_data setup using read_ahead
3512 * usecb == 0: Don't use a custom early data callback
3513 * usecb == 1: Use a custom early data callback and reject the early data
3514 * usecb == 2: Use a custom early data callback and accept the early data
3515 * confopt == 0: Configure anti-replay directly
3516 * confopt == 1: Configure anti-replay using SSL_CONF
3518 static int test_early_data_replay_int(int idx, int usecb, int confopt)
3520 SSL_CTX *cctx = NULL, *sctx = NULL;
3521 SSL *clientssl = NULL, *serverssl = NULL;
3523 SSL_SESSION *sess = NULL;
3524 size_t readbytes, written;
3525 unsigned char buf[20];
3527 allow_ed_cb_called = 0;
3529 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3530 TLS_client_method(), TLS1_VERSION, 0,
3531 &sctx, &cctx, cert, privkey)))
3536 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3538 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3540 if (!TEST_ptr(confctx))
3542 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3543 | SSL_CONF_FLAG_SERVER);
3544 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3545 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3547 SSL_CONF_CTX_free(confctx);
3550 SSL_CONF_CTX_free(confctx);
3552 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3555 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3556 &serverssl, &sess, idx)))
3560 * The server is configured to accept early data. Create a connection to
3561 * "use up" the ticket
3563 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3564 || !TEST_true(SSL_session_reused(clientssl)))
3567 SSL_shutdown(clientssl);
3568 SSL_shutdown(serverssl);
3569 SSL_free(serverssl);
3570 SSL_free(clientssl);
3571 serverssl = clientssl = NULL;
3573 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3574 &clientssl, NULL, NULL))
3575 || !TEST_true(SSL_set_session(clientssl, sess)))
3578 /* Write and read some early data */
3579 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3581 || !TEST_size_t_eq(written, strlen(MSG1)))
3585 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3587 SSL_READ_EARLY_DATA_FINISH)
3589 * The ticket was reused, so the we should have rejected the
3592 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3593 SSL_EARLY_DATA_REJECTED))
3596 /* In this case the callback decides to accept the early data */
3597 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3599 SSL_READ_EARLY_DATA_SUCCESS)
3600 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3602 * Server will have sent its flight so client can now send
3603 * end of early data and complete its half of the handshake
3605 || !TEST_int_gt(SSL_connect(clientssl), 0)
3606 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3608 SSL_READ_EARLY_DATA_FINISH)
3609 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3610 SSL_EARLY_DATA_ACCEPTED))
3614 /* Complete the connection */
3615 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3616 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3617 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3623 SSL_SESSION_free(sess);
3624 SSL_SESSION_free(clientpsk);
3625 SSL_SESSION_free(serverpsk);
3626 clientpsk = serverpsk = NULL;
3627 SSL_free(serverssl);
3628 SSL_free(clientssl);
3634 static int test_early_data_replay(int idx)
3636 int ret = 1, usecb, confopt;
3638 for (usecb = 0; usecb < 3; usecb++) {
3639 for (confopt = 0; confopt < 2; confopt++)
3640 ret &= test_early_data_replay_int(idx, usecb, confopt);
3647 * Helper function to test that a server attempting to read early data can
3648 * handle a connection from a client where the early data should be skipped.
3649 * testtype: 0 == No HRR
3650 * testtype: 1 == HRR
3651 * testtype: 2 == HRR, invalid early_data sent after HRR
3652 * testtype: 3 == recv_max_early_data set to 0
3654 static int early_data_skip_helper(int testtype, int idx)
3656 SSL_CTX *cctx = NULL, *sctx = NULL;
3657 SSL *clientssl = NULL, *serverssl = NULL;
3659 SSL_SESSION *sess = NULL;
3660 unsigned char buf[20];
3661 size_t readbytes, written;
3663 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3664 &serverssl, &sess, idx)))
3667 if (testtype == 1 || testtype == 2) {
3668 /* Force an HRR to occur */
3669 #if defined(OPENSSL_NO_EC)
3670 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3673 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3676 } else if (idx == 2) {
3678 * We force early_data rejection by ensuring the PSK identity is
3681 srvid = "Dummy Identity";
3684 * Deliberately corrupt the creation time. We take 20 seconds off the
3685 * time. It could be any value as long as it is not within tolerance.
3686 * This should mean the ticket is rejected.
3688 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3693 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3696 /* Write some early data */
3697 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3699 || !TEST_size_t_eq(written, strlen(MSG1)))
3702 /* Server should reject the early data */
3703 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3705 SSL_READ_EARLY_DATA_FINISH)
3706 || !TEST_size_t_eq(readbytes, 0)
3707 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3708 SSL_EARLY_DATA_REJECTED))
3718 * Finish off the handshake. We perform the same writes and reads as
3719 * further down but we expect them to fail due to the incomplete
3722 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3723 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3730 BIO *wbio = SSL_get_wbio(clientssl);
3731 /* A record that will appear as bad early_data */
3732 const unsigned char bad_early_data[] = {
3733 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3737 * We force the client to attempt a write. This will fail because
3738 * we're still in the handshake. It will cause the second
3739 * ClientHello to be sent.
3741 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3746 * Inject some early_data after the second ClientHello. This should
3747 * cause the server to fail
3749 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3750 sizeof(bad_early_data), &written)))
3757 * This client has sent more early_data than we are willing to skip
3758 * (case 3) or sent invalid early_data (case 2) so the connection should
3761 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3762 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3765 /* Connection has failed - nothing more to do */
3770 TEST_error("Invalid test type");
3775 * Should be able to send normal data despite rejection of early data. The
3776 * early_data should be skipped.
3778 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3779 || !TEST_size_t_eq(written, strlen(MSG2))
3780 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3781 SSL_EARLY_DATA_REJECTED)
3782 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3783 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3789 SSL_SESSION_free(clientpsk);
3790 SSL_SESSION_free(serverpsk);
3791 clientpsk = serverpsk = NULL;
3792 SSL_SESSION_free(sess);
3793 SSL_free(serverssl);
3794 SSL_free(clientssl);
3801 * Test that a server attempting to read early data can handle a connection
3802 * from a client where the early data is not acceptable.
3804 static int test_early_data_skip(int idx)
3806 return early_data_skip_helper(0, idx);
3810 * Test that a server attempting to read early data can handle a connection
3811 * from a client where an HRR occurs.
3813 static int test_early_data_skip_hrr(int idx)
3815 return early_data_skip_helper(1, idx);
3819 * Test that a server attempting to read early data can handle a connection
3820 * from a client where an HRR occurs and correctly fails if early_data is sent
3823 static int test_early_data_skip_hrr_fail(int idx)
3825 return early_data_skip_helper(2, idx);
3829 * Test that a server attempting to read early data will abort if it tries to
3830 * skip over too much.
3832 static int test_early_data_skip_abort(int idx)
3834 return early_data_skip_helper(3, idx);
3838 * Test that a server attempting to read early data can handle a connection
3839 * from a client that doesn't send any.
3841 static int test_early_data_not_sent(int idx)
3843 SSL_CTX *cctx = NULL, *sctx = NULL;
3844 SSL *clientssl = NULL, *serverssl = NULL;
3846 SSL_SESSION *sess = NULL;
3847 unsigned char buf[20];
3848 size_t readbytes, written;
3850 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3851 &serverssl, &sess, idx)))
3854 /* Write some data - should block due to handshake with server */
3855 SSL_set_connect_state(clientssl);
3856 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3859 /* Server should detect that early data has not been sent */
3860 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3862 SSL_READ_EARLY_DATA_FINISH)
3863 || !TEST_size_t_eq(readbytes, 0)
3864 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3865 SSL_EARLY_DATA_NOT_SENT)
3866 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3867 SSL_EARLY_DATA_NOT_SENT))
3870 /* Continue writing the message we started earlier */
3871 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3872 || !TEST_size_t_eq(written, strlen(MSG1))
3873 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3874 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3875 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3876 || !TEST_size_t_eq(written, strlen(MSG2)))
3879 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3880 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3886 SSL_SESSION_free(sess);
3887 SSL_SESSION_free(clientpsk);
3888 SSL_SESSION_free(serverpsk);
3889 clientpsk = serverpsk = NULL;
3890 SSL_free(serverssl);
3891 SSL_free(clientssl);
3897 static const char *servalpn;
3899 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3900 unsigned char *outlen, const unsigned char *in,
3901 unsigned int inlen, void *arg)
3903 unsigned int protlen = 0;
3904 const unsigned char *prot;
3906 for (prot = in; prot < in + inlen; prot += protlen) {
3908 if (in + inlen < prot + protlen)
3909 return SSL_TLSEXT_ERR_NOACK;
3911 if (protlen == strlen(servalpn)
3912 && memcmp(prot, servalpn, protlen) == 0) {
3915 return SSL_TLSEXT_ERR_OK;
3919 return SSL_TLSEXT_ERR_NOACK;
3922 /* Test that a PSK can be used to send early_data */
3923 static int test_early_data_psk(int idx)
3925 SSL_CTX *cctx = NULL, *sctx = NULL;
3926 SSL *clientssl = NULL, *serverssl = NULL;
3928 SSL_SESSION *sess = NULL;
3929 unsigned char alpnlist[] = {
3930 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3933 #define GOODALPNLEN 9
3934 #define BADALPNLEN 8
3935 #define GOODALPN (alpnlist)
3936 #define BADALPN (alpnlist + GOODALPNLEN)
3938 unsigned char buf[20];
3939 size_t readbytes, written;
3940 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3941 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3943 /* We always set this up with a final parameter of "2" for PSK */
3944 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3945 &serverssl, &sess, 2)))
3948 servalpn = "goodalpn";
3951 * Note: There is no test for inconsistent SNI with late client detection.
3952 * This is because servers do not acknowledge SNI even if they are using
3953 * it in a resumption handshake - so it is not actually possible for a
3954 * client to detect a problem.
3958 /* Set inconsistent SNI (early client detection) */
3959 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3960 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3961 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3966 /* Set inconsistent ALPN (early client detection) */
3967 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3968 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3969 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3971 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3978 * Set invalid protocol version. Technically this affects PSKs without
3979 * early_data too, but we test it here because it is similar to the
3980 * SNI/ALPN consistency tests.
3982 err = SSL_R_BAD_PSK;
3983 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3989 * Set inconsistent SNI (server side). In this case the connection
3990 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3991 * is associated with each handshake - not the session. Therefore it
3992 * should not matter that we used a different server name last time.
3994 SSL_SESSION_free(serverpsk);
3995 serverpsk = SSL_SESSION_dup(clientpsk);
3996 if (!TEST_ptr(serverpsk)
3997 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
4001 /* Set consistent SNI */
4002 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4003 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
4004 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
4011 * Set inconsistent ALPN (server detected). In this case the connection
4012 * will succeed but reject early_data.
4014 servalpn = "badalpn";
4015 edstatus = SSL_EARLY_DATA_REJECTED;
4016 readearlyres = SSL_READ_EARLY_DATA_FINISH;
4020 * Set consistent ALPN.
4021 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4022 * accepts a list of protos (each one length prefixed).
4023 * SSL_set1_alpn_selected accepts a single protocol (not length
4026 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4028 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4032 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4036 /* Set inconsistent ALPN (late client detection) */
4037 SSL_SESSION_free(serverpsk);
4038 serverpsk = SSL_SESSION_dup(clientpsk);
4039 if (!TEST_ptr(serverpsk)
4040 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4043 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4046 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4049 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4050 edstatus = SSL_EARLY_DATA_ACCEPTED;
4051 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4052 /* SSL_connect() call should fail */
4057 TEST_error("Bad test index");
4061 SSL_set_connect_state(clientssl);
4063 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4065 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4066 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4069 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4073 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4074 &readbytes), readearlyres)
4075 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4076 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
4077 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4078 || !TEST_int_eq(SSL_connect(clientssl), connectres))
4085 SSL_SESSION_free(sess);
4086 SSL_SESSION_free(clientpsk);
4087 SSL_SESSION_free(serverpsk);
4088 clientpsk = serverpsk = NULL;
4089 SSL_free(serverssl);
4090 SSL_free(clientssl);
4097 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4098 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4099 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4100 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4101 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4102 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4104 static int test_early_data_psk_with_all_ciphers(int idx)
4106 SSL_CTX *cctx = NULL, *sctx = NULL;
4107 SSL *clientssl = NULL, *serverssl = NULL;
4109 SSL_SESSION *sess = NULL;
4110 unsigned char buf[20];
4111 size_t readbytes, written;
4112 const SSL_CIPHER *cipher;
4113 const char *cipher_str[] = {
4114 TLS1_3_RFC_AES_128_GCM_SHA256,
4115 TLS1_3_RFC_AES_256_GCM_SHA384,
4116 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4117 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4121 TLS1_3_RFC_AES_128_CCM_SHA256,
4122 TLS1_3_RFC_AES_128_CCM_8_SHA256
4124 const unsigned char *cipher_bytes[] = {
4125 TLS13_AES_128_GCM_SHA256_BYTES,
4126 TLS13_AES_256_GCM_SHA384_BYTES,
4127 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4128 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4132 TLS13_AES_128_CCM_SHA256_BYTES,
4133 TLS13_AES_128_CCM_8_SHA256_BYTES
4136 if (cipher_str[idx] == NULL)
4138 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4139 if (idx == 2 && is_fips == 1)
4142 /* We always set this up with a final parameter of "2" for PSK */
4143 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4144 &serverssl, &sess, 2)))
4147 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4148 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4152 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4153 * and assigns to both client and server with incremented reference
4154 * and the same instance is updated in 'sess'.
4155 * So updating ciphersuite in 'sess' which will get reflected in
4156 * PSK handshake using psk use sess and find sess cb.
4158 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4159 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4162 SSL_set_connect_state(clientssl);
4163 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4167 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4169 SSL_READ_EARLY_DATA_SUCCESS)
4170 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4171 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4172 SSL_EARLY_DATA_ACCEPTED)
4173 || !TEST_int_eq(SSL_connect(clientssl), 1)
4174 || !TEST_int_eq(SSL_accept(serverssl), 1))
4177 /* Send some normal data from client to server */
4178 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4179 || !TEST_size_t_eq(written, strlen(MSG2)))
4182 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4183 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4188 SSL_SESSION_free(sess);
4189 SSL_SESSION_free(clientpsk);
4190 SSL_SESSION_free(serverpsk);
4191 clientpsk = serverpsk = NULL;
4192 if (clientssl != NULL)
4193 SSL_shutdown(clientssl);
4194 if (serverssl != NULL)
4195 SSL_shutdown(serverssl);
4196 SSL_free(serverssl);
4197 SSL_free(clientssl);
4204 * Test that a server that doesn't try to read early data can handle a
4205 * client sending some.
4207 static int test_early_data_not_expected(int idx)
4209 SSL_CTX *cctx = NULL, *sctx = NULL;
4210 SSL *clientssl = NULL, *serverssl = NULL;
4212 SSL_SESSION *sess = NULL;
4213 unsigned char buf[20];
4214 size_t readbytes, written;
4216 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4217 &serverssl, &sess, idx)))
4220 /* Write some early data */
4221 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4226 * Server should skip over early data and then block waiting for client to
4227 * continue handshake
4229 if (!TEST_int_le(SSL_accept(serverssl), 0)
4230 || !TEST_int_gt(SSL_connect(clientssl), 0)
4231 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4232 SSL_EARLY_DATA_REJECTED)
4233 || !TEST_int_gt(SSL_accept(serverssl), 0)
4234 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4235 SSL_EARLY_DATA_REJECTED))
4238 /* Send some normal data from client to server */
4239 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4240 || !TEST_size_t_eq(written, strlen(MSG2)))
4243 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4244 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4250 SSL_SESSION_free(sess);
4251 SSL_SESSION_free(clientpsk);
4252 SSL_SESSION_free(serverpsk);
4253 clientpsk = serverpsk = NULL;
4254 SSL_free(serverssl);
4255 SSL_free(clientssl);
4262 # ifndef OPENSSL_NO_TLS1_2
4264 * Test that a server attempting to read early data can handle a connection
4265 * from a TLSv1.2 client.
4267 static int test_early_data_tls1_2(int idx)
4269 SSL_CTX *cctx = NULL, *sctx = NULL;
4270 SSL *clientssl = NULL, *serverssl = NULL;
4272 unsigned char buf[20];
4273 size_t readbytes, written;
4275 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4276 &serverssl, NULL, idx)))
4279 /* Write some data - should block due to handshake with server */
4280 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4281 SSL_set_connect_state(clientssl);
4282 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4286 * Server should do TLSv1.2 handshake. First it will block waiting for more
4287 * messages from client after ServerDone. Then SSL_read_early_data should
4288 * finish and detect that early data has not been sent
4290 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4292 SSL_READ_EARLY_DATA_ERROR))
4296 * Continue writing the message we started earlier. Will still block waiting
4297 * for the CCS/Finished from server
4299 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4300 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4302 SSL_READ_EARLY_DATA_FINISH)
4303 || !TEST_size_t_eq(readbytes, 0)
4304 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4305 SSL_EARLY_DATA_NOT_SENT))
4308 /* Continue writing the message we started earlier */
4309 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4310 || !TEST_size_t_eq(written, strlen(MSG1))
4311 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4312 SSL_EARLY_DATA_NOT_SENT)
4313 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4314 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4315 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4316 || !TEST_size_t_eq(written, strlen(MSG2))
4317 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4318 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4324 SSL_SESSION_free(clientpsk);
4325 SSL_SESSION_free(serverpsk);
4326 clientpsk = serverpsk = NULL;
4327 SSL_free(serverssl);
4328 SSL_free(clientssl);
4334 # endif /* OPENSSL_NO_TLS1_2 */
4337 * Test configuring the TLSv1.3 ciphersuites
4339 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4340 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4341 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4342 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4343 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4344 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4345 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4346 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4347 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4348 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4350 static int test_set_ciphersuite(int idx)
4352 SSL_CTX *cctx = NULL, *sctx = NULL;
4353 SSL *clientssl = NULL, *serverssl = NULL;
4356 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4357 TLS_client_method(), TLS1_VERSION, 0,
4358 &sctx, &cctx, cert, privkey))
4359 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4360 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4363 if (idx >=4 && idx <= 7) {
4364 /* SSL_CTX explicit cipher list */
4365 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4369 if (idx == 0 || idx == 4) {
4370 /* Default ciphersuite */
4371 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4372 "TLS_AES_128_GCM_SHA256")))
4374 } else if (idx == 1 || idx == 5) {
4375 /* Non default ciphersuite */
4376 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4377 "TLS_AES_128_CCM_SHA256")))
4381 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4382 &clientssl, NULL, NULL)))
4385 if (idx == 8 || idx == 9) {
4386 /* SSL explicit cipher list */
4387 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4391 if (idx == 2 || idx == 6 || idx == 8) {
4392 /* Default ciphersuite */
4393 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4394 "TLS_AES_128_GCM_SHA256")))
4396 } else if (idx == 3 || idx == 7 || idx == 9) {
4397 /* Non default ciphersuite */
4398 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4399 "TLS_AES_128_CCM_SHA256")))
4403 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4409 SSL_free(serverssl);
4410 SSL_free(clientssl);
4417 static int test_ciphersuite_change(void)
4419 SSL_CTX *cctx = NULL, *sctx = NULL;
4420 SSL *clientssl = NULL, *serverssl = NULL;
4421 SSL_SESSION *clntsess = NULL;
4423 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4425 /* Create a session based on SHA-256 */
4426 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4427 TLS_client_method(), TLS1_VERSION, 0,
4428 &sctx, &cctx, cert, privkey))
4429 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4430 "TLS_AES_128_GCM_SHA256:"
4431 "TLS_AES_256_GCM_SHA384:"
4432 "TLS_AES_128_CCM_SHA256"))
4433 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4434 "TLS_AES_128_GCM_SHA256"))
4435 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4436 &clientssl, NULL, NULL))
4437 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4441 clntsess = SSL_get1_session(clientssl);
4442 /* Save for later */
4443 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4444 SSL_shutdown(clientssl);
4445 SSL_shutdown(serverssl);
4446 SSL_free(serverssl);
4447 SSL_free(clientssl);
4448 serverssl = clientssl = NULL;
4450 /* Check we can resume a session with a different SHA-256 ciphersuite */
4451 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4452 "TLS_AES_128_CCM_SHA256"))
4453 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4454 &clientssl, NULL, NULL))
4455 || !TEST_true(SSL_set_session(clientssl, clntsess))
4456 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4458 || !TEST_true(SSL_session_reused(clientssl)))
4461 SSL_SESSION_free(clntsess);
4462 clntsess = SSL_get1_session(clientssl);
4463 SSL_shutdown(clientssl);
4464 SSL_shutdown(serverssl);
4465 SSL_free(serverssl);
4466 SSL_free(clientssl);
4467 serverssl = clientssl = NULL;
4470 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4471 * succeeds but does not resume.
4473 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4474 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4476 || !TEST_true(SSL_set_session(clientssl, clntsess))
4477 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4479 || !TEST_false(SSL_session_reused(clientssl)))
4482 SSL_SESSION_free(clntsess);
4484 SSL_shutdown(clientssl);
4485 SSL_shutdown(serverssl);
4486 SSL_free(serverssl);
4487 SSL_free(clientssl);
4488 serverssl = clientssl = NULL;
4490 /* Create a session based on SHA384 */
4491 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4492 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4493 &clientssl, NULL, NULL))
4494 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4498 clntsess = SSL_get1_session(clientssl);
4499 SSL_shutdown(clientssl);
4500 SSL_shutdown(serverssl);
4501 SSL_free(serverssl);
4502 SSL_free(clientssl);
4503 serverssl = clientssl = NULL;
4505 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4506 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4507 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4508 "TLS_AES_256_GCM_SHA384"))
4509 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4511 || !TEST_true(SSL_set_session(clientssl, clntsess))
4513 * We use SSL_ERROR_WANT_READ below so that we can pause the
4514 * connection after the initial ClientHello has been sent to
4515 * enable us to make some session changes.
4517 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4518 SSL_ERROR_WANT_READ)))
4521 /* Trick the client into thinking this session is for a different digest */
4522 clntsess->cipher = aes_128_gcm_sha256;
4523 clntsess->cipher_id = clntsess->cipher->id;
4526 * Continue the previously started connection. Server has selected a SHA-384
4527 * ciphersuite, but client thinks the session is for SHA-256, so it should
4530 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4532 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4533 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4539 SSL_SESSION_free(clntsess);
4540 SSL_free(serverssl);
4541 SSL_free(clientssl);
4549 * Test TLSv1.3 Key exchange
4550 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4551 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4552 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4553 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4554 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4555 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4556 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4557 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4558 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4559 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4560 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4561 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4562 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4563 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4565 # ifndef OPENSSL_NO_EC
4566 static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4567 NID_secp521r1, NID_X25519, NID_X448};
4569 # ifndef OPENSSL_NO_DH
4570 static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4571 NID_ffdhe6144, NID_ffdhe8192};
4573 static int test_key_exchange(int idx)
4575 SSL_CTX *sctx = NULL, *cctx = NULL;
4576 SSL *serverssl = NULL, *clientssl = NULL;
4579 int *kexch_groups = &kexch_alg;
4580 int kexch_groups_size = 1;
4581 int max_version = TLS1_3_VERSION;
4582 char *kexch_name0 = NULL;
4585 # ifndef OPENSSL_NO_EC
4586 # ifndef OPENSSL_NO_TLS1_2
4588 max_version = TLS1_2_VERSION;
4592 kexch_groups = ecdhe_kexch_groups;
4593 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4594 kexch_name0 = "secp256r1";
4597 kexch_alg = NID_X9_62_prime256v1;
4598 kexch_name0 = "secp256r1";
4601 kexch_alg = NID_secp384r1;
4602 kexch_name0 = "secp384r1";
4605 kexch_alg = NID_secp521r1;
4606 kexch_name0 = "secp521r1";
4609 kexch_alg = NID_X25519;
4610 kexch_name0 = "x25519";
4613 kexch_alg = NID_X448;
4614 kexch_name0 = "x448";
4617 # ifndef OPENSSL_NO_DH
4618 # ifndef OPENSSL_NO_TLS1_2
4620 max_version = TLS1_2_VERSION;
4621 kexch_name0 = "ffdhe2048";
4625 kexch_groups = ffdhe_kexch_groups;
4626 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4627 kexch_name0 = "ffdhe2048";
4630 kexch_alg = NID_ffdhe2048;
4631 kexch_name0 = "ffdhe2048";
4634 kexch_alg = NID_ffdhe3072;
4635 kexch_name0 = "ffdhe3072";
4638 kexch_alg = NID_ffdhe4096;
4639 kexch_name0 = "ffdhe4096";
4642 kexch_alg = NID_ffdhe6144;
4643 kexch_name0 = "ffdhe6144";
4646 kexch_alg = NID_ffdhe8192;
4647 kexch_name0 = "ffdhe8192";
4651 /* We're skipping this test */
4655 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4656 TLS_client_method(), TLS1_VERSION,
4657 max_version, &sctx, &cctx, cert,
4661 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4662 TLS1_3_RFC_AES_128_GCM_SHA256)))
4665 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4666 TLS1_3_RFC_AES_128_GCM_SHA256)))
4669 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4670 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4671 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4672 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4676 * Must include an EC ciphersuite so that we send supported groups in
4679 # ifndef OPENSSL_NO_TLS1_2
4680 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4681 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4682 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4686 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4690 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4691 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4694 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4698 * If Handshake succeeds the negotiated kexch alg should be the first one in
4699 * configured, except in the case of FFDHE groups (idx 13), which are
4700 * TLSv1.3 only so we expect no shared group to exist.
4702 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
4703 idx == 13 ? 0 : kexch_groups[0]))
4706 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
4710 /* We don't implement RFC 7919 named groups for TLS 1.2. */
4712 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4714 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4720 SSL_free(serverssl);
4721 SSL_free(clientssl);
4727 # if !defined(OPENSSL_NO_TLS1_2) \
4728 && !defined(OPENSSL_NO_EC) \
4729 && !defined(OPENSSL_NO_DH)
4730 static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
4731 int isecdhe, int idx)
4734 int *kexch_groups = &kexch_alg;
4737 numec = OSSL_NELEM(ecdhe_kexch_groups);
4738 numff = OSSL_NELEM(ffdhe_kexch_groups);
4740 kexch_alg = ecdhe_kexch_groups[idx];
4742 kexch_alg = ffdhe_kexch_groups[idx];
4745 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
4748 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
4752 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
4757 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
4760 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
4764 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
4773 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
4774 * Run through both the ECDHE and FFDHE group lists used in the previous
4775 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
4776 * confirming the expected result; then perform a resumption handshake
4777 * while offering the same group list, and another resumption handshake
4778 * offering a different group list. The returned value should be the
4779 * negotiated group for the initial handshake; for TLS 1.3 resumption
4780 * handshakes the returned value will be negotiated on the resumption
4781 * handshake itself, but for TLS 1.2 resumption handshakes the value will
4782 * be cached in the session from the original handshake, regardless of what
4783 * was offered in the resumption ClientHello.
4785 * Using E for the number of EC groups and F for the number of FF groups:
4786 * E tests of ECDHE with TLS 1.3, server only has one group
4787 * F tests of FFDHE with TLS 1.3, server only has one group
4788 * E tests of ECDHE with TLS 1.2, server only has one group
4789 * F tests of FFDHE with TLS 1.2, server only has one group
4790 * E tests of ECDHE with TLS 1.3, client sends only one group
4791 * F tests of FFDHE with TLS 1.3, client sends only one group
4792 * E tests of ECDHE with TLS 1.2, client sends only one group
4793 * F tests of FFDHE with TLS 1.2, client sends only one group
4795 static int test_negotiated_group(int idx)
4797 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
4799 SSL_CTX *sctx = NULL, *cctx = NULL;
4800 SSL *serverssl = NULL, *clientssl = NULL;
4801 SSL_SESSION *origsess = NULL;
4804 int max_version = TLS1_3_VERSION;
4806 numec = OSSL_NELEM(ecdhe_kexch_groups);
4807 numff = OSSL_NELEM(ffdhe_kexch_groups);
4808 numgroups = numec + numff;
4809 clientmulti = (idx < 2 * numgroups);
4810 idx = idx % (2 * numgroups);
4811 istls13 = (idx < numgroups);
4812 idx = idx % numgroups;
4813 isecdhe = (idx < numec);
4816 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
4818 kexch_alg = ecdhe_kexch_groups[idx];
4820 kexch_alg = ffdhe_kexch_groups[idx];
4821 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
4822 if (!istls13 && !isecdhe)
4823 expectednid = NID_undef;
4825 expectednid = kexch_alg;
4828 max_version = TLS1_2_VERSION;
4830 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4831 TLS_client_method(), TLS1_VERSION,
4832 max_version, &sctx, &cctx, cert,
4837 * Force (EC)DHE ciphers for TLS 1.2.
4838 * Be sure to enable auto tmp DH so that FFDHE can succeed.
4840 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4841 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4842 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4843 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4845 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4846 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4847 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4850 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4854 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
4858 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4861 /* Initial handshake; always the configured one */
4862 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4863 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4866 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
4869 SSL_shutdown(clientssl);
4870 SSL_shutdown(serverssl);
4871 SSL_free(serverssl);
4872 SSL_free(clientssl);
4873 serverssl = clientssl = NULL;
4875 /* First resumption attempt; use the same config as initial handshake */
4876 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4878 || !TEST_true(SSL_set_session(clientssl, origsess))
4879 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
4883 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4884 || !TEST_true(SSL_session_reused(clientssl)))
4887 /* Still had better agree, since nothing changed... */
4888 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4889 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4892 SSL_shutdown(clientssl);
4893 SSL_shutdown(serverssl);
4894 SSL_free(serverssl);
4895 SSL_free(clientssl);
4896 serverssl = clientssl = NULL;
4899 * Second resumption attempt
4900 * The party that picks one group changes it, which we effectuate by
4901 * changing 'idx' and updating what we expect.
4909 expectednid = ecdhe_kexch_groups[idx];
4911 expectednid = ffdhe_kexch_groups[idx];
4912 /* Verify that we are changing what we expect. */
4913 if (!TEST_int_ne(expectednid, kexch_alg))
4916 /* TLS 1.2 only supports named groups for ECDHE. */
4918 expectednid = kexch_alg;
4922 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4924 || !TEST_true(SSL_set_session(clientssl, origsess))
4925 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
4929 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4930 || !TEST_true(SSL_session_reused(clientssl)))
4933 /* Check that we get what we expected */
4934 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4935 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4940 SSL_free(serverssl);
4941 SSL_free(clientssl);
4944 SSL_SESSION_free(origsess);
4947 # endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
4950 * Test TLSv1.3 Cipher Suite
4951 * Test 0 = Set TLS1.3 cipher on context
4952 * Test 1 = Set TLS1.3 cipher on SSL
4953 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4954 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4956 static int test_tls13_ciphersuite(int idx)
4958 SSL_CTX *sctx = NULL, *cctx = NULL;
4959 SSL *serverssl = NULL, *clientssl = NULL;
4960 static const struct {
4961 const char *ciphername;
4964 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
4965 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
4966 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
4967 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4968 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4969 { TLS1_3_RFC_AES_256_GCM_SHA384
4970 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4972 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
4974 const char *t13_cipher = NULL;
4975 const char *t12_cipher = NULL;
4976 const char *negotiated_scipher;
4977 const char *negotiated_ccipher;
4993 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4997 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5001 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
5002 # ifdef OPENSSL_NO_TLS1_2
5003 if (max_ver == TLS1_2_VERSION)
5006 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
5007 if (is_fips && !t13_ciphers[i].fipscapable)
5009 t13_cipher = t13_ciphers[i].ciphername;
5010 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5011 TLS_client_method(),
5012 TLS1_VERSION, max_ver,
5013 &sctx, &cctx, cert, privkey)))
5017 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
5018 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
5020 if (t12_cipher != NULL) {
5021 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
5022 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
5028 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5029 &clientssl, NULL, NULL)))
5033 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5034 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5036 if (t12_cipher != NULL) {
5037 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5038 || !TEST_true(SSL_set_cipher_list(clientssl,
5044 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5048 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5050 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5052 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5056 * TEST_strn_eq is used below because t13_cipher can contain
5057 * multiple ciphersuites
5059 if (max_ver == TLS1_3_VERSION
5060 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5061 strlen(negotiated_scipher)))
5064 # ifndef OPENSSL_NO_TLS1_2
5065 /* Below validation is not done when t12_cipher is NULL */
5066 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5067 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5071 SSL_free(serverssl);
5073 SSL_free(clientssl);
5084 SSL_free(serverssl);
5085 SSL_free(clientssl);
5093 * Test 0 = Test new style callbacks
5094 * Test 1 = Test both new and old style callbacks
5095 * Test 2 = Test old style callbacks
5096 * Test 3 = Test old style callbacks with no certificate
5098 static int test_tls13_psk(int idx)
5100 SSL_CTX *sctx = NULL, *cctx = NULL;
5101 SSL *serverssl = NULL, *clientssl = NULL;
5102 const SSL_CIPHER *cipher = NULL;
5103 const unsigned char key[] = {
5104 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5105 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
5106 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5107 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
5111 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5112 TLS_client_method(), TLS1_VERSION, 0,
5113 &sctx, &cctx, idx == 3 ? NULL : cert,
5114 idx == 3 ? NULL : privkey)))
5119 * We use a ciphersuite with SHA256 to ease testing old style PSK
5120 * callbacks which will always default to SHA256. This should not be
5121 * necessary if we have no cert/priv key. In that case the server should
5122 * prefer SHA256 automatically.
5124 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5125 "TLS_AES_128_GCM_SHA256")))
5129 * As noted above the server should prefer SHA256 automatically. However
5130 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5131 * code works even if we are testing with only the FIPS provider loaded.
5133 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5134 "TLS_AES_256_GCM_SHA384:"
5135 "TLS_AES_128_GCM_SHA256")))
5140 * Test 0: New style callbacks only
5141 * Test 1: New and old style callbacks (only the new ones should be used)
5142 * Test 2: Old style callbacks only
5144 if (idx == 0 || idx == 1) {
5145 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5146 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5148 #ifndef OPENSSL_NO_PSK
5150 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5151 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5155 use_session_cb_cnt = 0;
5156 find_session_cb_cnt = 0;
5157 psk_client_cb_cnt = 0;
5158 psk_server_cb_cnt = 0;
5162 * Check we can create a connection if callback decides not to send a
5165 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5167 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5169 || !TEST_false(SSL_session_reused(clientssl))
5170 || !TEST_false(SSL_session_reused(serverssl)))
5173 if (idx == 0 || idx == 1) {
5174 if (!TEST_true(use_session_cb_cnt == 1)
5175 || !TEST_true(find_session_cb_cnt == 0)
5177 * If no old style callback then below should be 0
5180 || !TEST_true(psk_client_cb_cnt == idx)
5181 || !TEST_true(psk_server_cb_cnt == 0))
5184 if (!TEST_true(use_session_cb_cnt == 0)
5185 || !TEST_true(find_session_cb_cnt == 0)
5186 || !TEST_true(psk_client_cb_cnt == 1)
5187 || !TEST_true(psk_server_cb_cnt == 0))
5191 shutdown_ssl_connection(serverssl, clientssl);
5192 serverssl = clientssl = NULL;
5193 use_session_cb_cnt = psk_client_cb_cnt = 0;
5196 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5200 /* Create the PSK */
5201 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
5202 clientpsk = SSL_SESSION_new();
5203 if (!TEST_ptr(clientpsk)
5204 || !TEST_ptr(cipher)
5205 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5207 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5208 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5210 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
5212 serverpsk = clientpsk;
5214 /* Check we can create a connection and the PSK is used */
5215 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5216 || !TEST_true(SSL_session_reused(clientssl))
5217 || !TEST_true(SSL_session_reused(serverssl)))
5220 if (idx == 0 || idx == 1) {
5221 if (!TEST_true(use_session_cb_cnt == 1)
5222 || !TEST_true(find_session_cb_cnt == 1)
5223 || !TEST_true(psk_client_cb_cnt == 0)
5224 || !TEST_true(psk_server_cb_cnt == 0))
5227 if (!TEST_true(use_session_cb_cnt == 0)
5228 || !TEST_true(find_session_cb_cnt == 0)
5229 || !TEST_true(psk_client_cb_cnt == 1)
5230 || !TEST_true(psk_server_cb_cnt == 1))
5234 shutdown_ssl_connection(serverssl, clientssl);
5235 serverssl = clientssl = NULL;
5236 use_session_cb_cnt = find_session_cb_cnt = 0;
5237 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5239 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5244 #if defined(OPENSSL_NO_EC)
5245 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5248 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
5253 * Check we can create a connection, the PSK is used and the callbacks are
5256 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5257 || !TEST_true(SSL_session_reused(clientssl))
5258 || !TEST_true(SSL_session_reused(serverssl)))
5261 if (idx == 0 || idx == 1) {
5262 if (!TEST_true(use_session_cb_cnt == 2)
5263 || !TEST_true(find_session_cb_cnt == 2)
5264 || !TEST_true(psk_client_cb_cnt == 0)
5265 || !TEST_true(psk_server_cb_cnt == 0))
5268 if (!TEST_true(use_session_cb_cnt == 0)
5269 || !TEST_true(find_session_cb_cnt == 0)
5270 || !TEST_true(psk_client_cb_cnt == 2)
5271 || !TEST_true(psk_server_cb_cnt == 2))
5275 shutdown_ssl_connection(serverssl, clientssl);
5276 serverssl = clientssl = NULL;
5277 use_session_cb_cnt = find_session_cb_cnt = 0;
5278 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5282 * Check that if the server rejects the PSK we can still connect, but with
5285 srvid = "Dummy Identity";
5286 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5288 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5290 || !TEST_false(SSL_session_reused(clientssl))
5291 || !TEST_false(SSL_session_reused(serverssl)))
5294 if (idx == 0 || idx == 1) {
5295 if (!TEST_true(use_session_cb_cnt == 1)
5296 || !TEST_true(find_session_cb_cnt == 1)
5297 || !TEST_true(psk_client_cb_cnt == 0)
5299 * If no old style callback then below should be 0
5302 || !TEST_true(psk_server_cb_cnt == idx))
5305 if (!TEST_true(use_session_cb_cnt == 0)
5306 || !TEST_true(find_session_cb_cnt == 0)
5307 || !TEST_true(psk_client_cb_cnt == 1)
5308 || !TEST_true(psk_server_cb_cnt == 1))
5312 shutdown_ssl_connection(serverssl, clientssl);
5313 serverssl = clientssl = NULL;
5318 SSL_SESSION_free(clientpsk);
5319 SSL_SESSION_free(serverpsk);
5320 clientpsk = serverpsk = NULL;
5321 SSL_free(serverssl);
5322 SSL_free(clientssl);
5328 static unsigned char cookie_magic_value[] = "cookie magic";
5330 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5331 unsigned int *cookie_len)
5334 * Not suitable as a real cookie generation function but good enough for
5337 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5338 *cookie_len = sizeof(cookie_magic_value) - 1;
5343 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5344 unsigned int cookie_len)
5346 if (cookie_len == sizeof(cookie_magic_value) - 1
5347 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5353 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5357 int res = generate_cookie_callback(ssl, cookie, &temp);
5362 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5365 return verify_cookie_callback(ssl, cookie, cookie_len);
5368 static int test_stateless(void)
5370 SSL_CTX *sctx = NULL, *cctx = NULL;
5371 SSL *serverssl = NULL, *clientssl = NULL;
5374 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5375 TLS_client_method(), TLS1_VERSION, 0,
5376 &sctx, &cctx, cert, privkey)))
5379 /* The arrival of CCS messages can confuse the test */
5380 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5382 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5384 /* Send the first ClientHello */
5385 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5386 SSL_ERROR_WANT_READ))
5388 * This should fail with a -1 return because we have no callbacks
5391 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5394 /* Fatal error so abandon the connection from this client */
5395 SSL_free(clientssl);
5398 /* Set up the cookie generation and verification callbacks */
5399 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5400 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
5403 * Create a new connection from the client (we can reuse the server SSL
5406 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5408 /* Send the first ClientHello */
5409 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5410 SSL_ERROR_WANT_READ))
5411 /* This should fail because there is no cookie */
5412 || !TEST_int_eq(SSL_stateless(serverssl), 0))
5415 /* Abandon the connection from this client */
5416 SSL_free(clientssl);
5420 * Now create a connection from a new client but with the same server SSL
5423 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5425 /* Send the first ClientHello */
5426 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5427 SSL_ERROR_WANT_READ))
5428 /* This should fail because there is no cookie */
5429 || !TEST_int_eq(SSL_stateless(serverssl), 0)
5430 /* Send the second ClientHello */
5431 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5432 SSL_ERROR_WANT_READ))
5433 /* This should succeed because a cookie is now present */
5434 || !TEST_int_eq(SSL_stateless(serverssl), 1)
5435 /* Complete the connection */
5436 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5440 shutdown_ssl_connection(serverssl, clientssl);
5441 serverssl = clientssl = NULL;
5445 SSL_free(serverssl);
5446 SSL_free(clientssl);
5452 #endif /* OSSL_NO_USABLE_TLS1_3 */
5454 static int clntaddoldcb = 0;
5455 static int clntparseoldcb = 0;
5456 static int srvaddoldcb = 0;
5457 static int srvparseoldcb = 0;
5458 static int clntaddnewcb = 0;
5459 static int clntparsenewcb = 0;
5460 static int srvaddnewcb = 0;
5461 static int srvparsenewcb = 0;
5462 static int snicb = 0;
5464 #define TEST_EXT_TYPE1 0xff00
5466 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5467 size_t *outlen, int *al, void *add_arg)
5469 int *server = (int *)add_arg;
5470 unsigned char *data;
5472 if (SSL_is_server(s))
5477 if (*server != SSL_is_server(s)
5478 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5483 *outlen = sizeof(char);
5487 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5490 OPENSSL_free((unsigned char *)out);
5493 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5494 size_t inlen, int *al, void *parse_arg)
5496 int *server = (int *)parse_arg;
5498 if (SSL_is_server(s))
5503 if (*server != SSL_is_server(s)
5504 || inlen != sizeof(char)
5511 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5512 const unsigned char **out, size_t *outlen, X509 *x,
5513 size_t chainidx, int *al, void *add_arg)
5515 int *server = (int *)add_arg;
5516 unsigned char *data;
5518 if (SSL_is_server(s))
5523 if (*server != SSL_is_server(s)
5524 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5529 *outlen = sizeof(*data);
5533 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5534 const unsigned char *out, void *add_arg)
5536 OPENSSL_free((unsigned char *)out);
5539 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5540 const unsigned char *in, size_t inlen, X509 *x,
5541 size_t chainidx, int *al, void *parse_arg)
5543 int *server = (int *)parse_arg;
5545 if (SSL_is_server(s))
5550 if (*server != SSL_is_server(s)
5551 || inlen != sizeof(char) || *in != 1)
5557 static int sni_cb(SSL *s, int *al, void *arg)
5559 SSL_CTX *ctx = (SSL_CTX *)arg;
5561 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5562 *al = SSL_AD_INTERNAL_ERROR;
5563 return SSL_TLSEXT_ERR_ALERT_FATAL;
5566 return SSL_TLSEXT_ERR_OK;
5569 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
5575 * Custom call back tests.
5576 * Test 0: Old style callbacks in TLSv1.2
5577 * Test 1: New style callbacks in TLSv1.2
5578 * Test 2: New style callbacks in TLSv1.2 with SNI
5579 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5580 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
5581 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
5583 static int test_custom_exts(int tst)
5585 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5586 SSL *clientssl = NULL, *serverssl = NULL;
5588 static int server = 1;
5589 static int client = 0;
5590 SSL_SESSION *sess = NULL;
5591 unsigned int context;
5593 #if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
5594 /* Skip tests for TLSv1.2 and below in this case */
5599 /* Reset callback counters */
5600 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5601 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
5604 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5605 TLS_client_method(), TLS1_VERSION, 0,
5606 &sctx, &cctx, cert, privkey)))
5610 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5612 &sctx2, NULL, cert, privkey)))
5617 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5618 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
5620 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
5624 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
5625 | SSL_EXT_TLS1_3_CERTIFICATE;
5626 SSL_CTX_set_verify(sctx,
5627 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
5629 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
5630 SSL_FILETYPE_PEM), 1)
5631 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
5632 SSL_FILETYPE_PEM), 1)
5633 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
5635 } else if (tst == 4) {
5636 context = SSL_EXT_CLIENT_HELLO
5637 | SSL_EXT_TLS1_2_SERVER_HELLO
5638 | SSL_EXT_TLS1_3_SERVER_HELLO
5639 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5640 | SSL_EXT_TLS1_3_CERTIFICATE
5641 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5643 context = SSL_EXT_CLIENT_HELLO
5644 | SSL_EXT_TLS1_2_SERVER_HELLO
5645 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5648 /* Create a client side custom extension */
5650 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5651 old_add_cb, old_free_cb,
5652 &client, old_parse_cb,
5656 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5657 new_add_cb, new_free_cb,
5658 &client, new_parse_cb, &client)))
5662 /* Should not be able to add duplicates */
5663 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5664 old_add_cb, old_free_cb,
5665 &client, old_parse_cb,
5667 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5668 context, new_add_cb,
5669 new_free_cb, &client,
5670 new_parse_cb, &client)))
5673 /* Create a server side custom extension */
5675 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5676 old_add_cb, old_free_cb,
5677 &server, old_parse_cb,
5681 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5682 new_add_cb, new_free_cb,
5683 &server, new_parse_cb, &server)))
5686 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5687 context, new_add_cb,
5688 new_free_cb, &server,
5689 new_parse_cb, &server)))
5693 /* Should not be able to add duplicates */
5694 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5695 old_add_cb, old_free_cb,
5696 &server, old_parse_cb,
5698 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5699 context, new_add_cb,
5700 new_free_cb, &server,
5701 new_parse_cb, &server)))
5706 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5707 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5711 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5712 &clientssl, NULL, NULL))
5713 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5718 if (clntaddoldcb != 1
5719 || clntparseoldcb != 1
5721 || srvparseoldcb != 1)
5723 } else if (tst == 1 || tst == 2 || tst == 3) {
5724 if (clntaddnewcb != 1
5725 || clntparsenewcb != 1
5727 || srvparsenewcb != 1
5728 || (tst != 2 && snicb != 0)
5729 || (tst == 2 && snicb != 1))
5731 } else if (tst == 5) {
5732 if (clntaddnewcb != 1
5733 || clntparsenewcb != 1
5735 || srvparsenewcb != 1)
5738 /* In this case there 2 NewSessionTicket messages created */
5739 if (clntaddnewcb != 1
5740 || clntparsenewcb != 5
5742 || srvparsenewcb != 1)
5746 sess = SSL_get1_session(clientssl);
5747 SSL_shutdown(clientssl);
5748 SSL_shutdown(serverssl);
5749 SSL_free(serverssl);
5750 SSL_free(clientssl);
5751 serverssl = clientssl = NULL;
5753 if (tst == 3 || tst == 5) {
5754 /* We don't bother with the resumption aspects for these tests */
5759 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5761 || !TEST_true(SSL_set_session(clientssl, sess))
5762 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5767 * For a resumed session we expect to add the ClientHello extension. For the
5768 * old style callbacks we ignore it on the server side because they set
5769 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5773 if (clntaddoldcb != 2
5774 || clntparseoldcb != 1
5776 || srvparseoldcb != 1)
5778 } else if (tst == 1 || tst == 2 || tst == 3) {
5779 if (clntaddnewcb != 2
5780 || clntparsenewcb != 2
5782 || srvparsenewcb != 2)
5786 * No Certificate message extensions in the resumption handshake,
5787 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5789 if (clntaddnewcb != 2
5790 || clntparsenewcb != 8
5792 || srvparsenewcb != 2)
5799 SSL_SESSION_free(sess);
5800 SSL_free(serverssl);
5801 SSL_free(clientssl);
5802 SSL_CTX_free(sctx2);
5809 * Test loading of serverinfo data in various formats. test_sslmessages actually
5810 * tests to make sure the extensions appear in the handshake
5812 static int test_serverinfo(int tst)
5814 unsigned int version;
5815 unsigned char *sibuf;
5817 int ret, expected, testresult = 0;
5820 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method());
5824 if ((tst & 0x01) == 0x01)
5825 version = SSL_SERVERINFOV2;
5827 version = SSL_SERVERINFOV1;
5829 if ((tst & 0x02) == 0x02) {
5830 sibuf = serverinfov2;
5831 sibuflen = sizeof(serverinfov2);
5832 expected = (version == SSL_SERVERINFOV2);
5834 sibuf = serverinfov1;
5835 sibuflen = sizeof(serverinfov1);
5836 expected = (version == SSL_SERVERINFOV1);
5839 if ((tst & 0x04) == 0x04) {
5840 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
5842 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
5845 * The version variable is irrelevant in this case - it's what is in the
5846 * buffer that matters
5848 if ((tst & 0x02) == 0x02)
5854 if (!TEST_true(ret == expected))
5866 * Test that SSL_export_keying_material() produces expected results. There are
5867 * no test vectors so all we do is test that both sides of the communication
5868 * produce the same results for different protocol versions.
5870 #define SMALL_LABEL_LEN 10
5871 #define LONG_LABEL_LEN 249
5872 static int test_export_key_mat(int tst)
5875 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5876 SSL *clientssl = NULL, *serverssl = NULL;
5877 const char label[LONG_LABEL_LEN + 1] = "test label";
5878 const unsigned char context[] = "context";
5879 const unsigned char *emptycontext = NULL;
5880 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
5881 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
5883 const int protocols[] = {
5892 #ifdef OPENSSL_NO_TLS1
5896 #ifdef OPENSSL_NO_TLS1_1
5900 if (is_fips && (tst == 0 || tst == 1))
5902 #ifdef OPENSSL_NO_TLS1_2
5906 #ifdef OSSL_NO_USABLE_TLS1_3
5910 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5911 TLS_client_method(), TLS1_VERSION, 0,
5912 &sctx, &cctx, cert, privkey)))
5915 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
5916 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
5917 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
5918 if ((protocols[tst] < TLS1_2_VERSION) &&
5919 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
5920 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
5923 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5928 * Premature call of SSL_export_keying_material should just fail.
5930 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5931 sizeof(ckeymat1), label,
5932 SMALL_LABEL_LEN + 1, context,
5933 sizeof(context) - 1, 1), 0))
5936 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5942 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
5945 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5946 sizeof(ckeymat1), label,
5947 LONG_LABEL_LEN + 1, context,
5948 sizeof(context) - 1, 1), 0))
5953 } else if (tst == 4) {
5954 labellen = LONG_LABEL_LEN;
5956 labellen = SMALL_LABEL_LEN;
5959 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
5960 sizeof(ckeymat1), label,
5962 sizeof(context) - 1, 1), 1)
5963 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
5964 sizeof(ckeymat2), label,
5968 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
5969 sizeof(ckeymat3), label,
5972 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
5973 sizeof(skeymat1), label,
5976 sizeof(context) -1, 1),
5978 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
5979 sizeof(skeymat2), label,
5983 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
5984 sizeof(skeymat3), label,
5988 * Check that both sides created the same key material with the
5991 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5994 * Check that both sides created the same key material with an
5997 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6000 * Check that both sides created the same key material without a
6003 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
6005 /* Different contexts should produce different results */
6006 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6011 * Check that an empty context and no context produce different results in
6012 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6014 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
6016 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
6023 SSL_free(serverssl);
6024 SSL_free(clientssl);
6025 SSL_CTX_free(sctx2);
6032 #ifndef OSSL_NO_USABLE_TLS1_3
6034 * Test that SSL_export_keying_material_early() produces expected
6035 * results. There are no test vectors so all we do is test that both
6036 * sides of the communication produce the same results for different
6037 * protocol versions.
6039 static int test_export_key_mat_early(int idx)
6041 static const char label[] = "test label";
6042 static const unsigned char context[] = "context";
6044 SSL_CTX *cctx = NULL, *sctx = NULL;
6045 SSL *clientssl = NULL, *serverssl = NULL;
6046 SSL_SESSION *sess = NULL;
6047 const unsigned char *emptycontext = NULL;
6048 unsigned char ckeymat1[80], ckeymat2[80];
6049 unsigned char skeymat1[80], skeymat2[80];
6050 unsigned char buf[1];
6051 size_t readbytes, written;
6053 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
6057 /* Here writing 0 length early data is enough. */
6058 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6059 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6061 SSL_READ_EARLY_DATA_ERROR)
6062 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6063 SSL_EARLY_DATA_ACCEPTED))
6066 if (!TEST_int_eq(SSL_export_keying_material_early(
6067 clientssl, ckeymat1, sizeof(ckeymat1), label,
6068 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6069 || !TEST_int_eq(SSL_export_keying_material_early(
6070 clientssl, ckeymat2, sizeof(ckeymat2), label,
6071 sizeof(label) - 1, emptycontext, 0), 1)
6072 || !TEST_int_eq(SSL_export_keying_material_early(
6073 serverssl, skeymat1, sizeof(skeymat1), label,
6074 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6075 || !TEST_int_eq(SSL_export_keying_material_early(
6076 serverssl, skeymat2, sizeof(skeymat2), label,
6077 sizeof(label) - 1, emptycontext, 0), 1)
6079 * Check that both sides created the same key material with the
6082 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6085 * Check that both sides created the same key material with an
6088 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6090 /* Different contexts should produce different results */
6091 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6098 SSL_SESSION_free(sess);
6099 SSL_SESSION_free(clientpsk);
6100 SSL_SESSION_free(serverpsk);
6101 clientpsk = serverpsk = NULL;
6102 SSL_free(serverssl);
6103 SSL_free(clientssl);
6110 #define NUM_KEY_UPDATE_MESSAGES 40
6114 static int test_key_update(void)
6116 SSL_CTX *cctx = NULL, *sctx = NULL;
6117 SSL *clientssl = NULL, *serverssl = NULL;
6118 int testresult = 0, i, j;
6120 static char *mess = "A test message";
6122 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6123 TLS_client_method(),
6126 &sctx, &cctx, cert, privkey))
6127 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6129 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6133 for (j = 0; j < 2; j++) {
6134 /* Send lots of KeyUpdate messages */
6135 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6136 if (!TEST_true(SSL_key_update(clientssl,
6138 ? SSL_KEY_UPDATE_NOT_REQUESTED
6139 : SSL_KEY_UPDATE_REQUESTED))
6140 || !TEST_true(SSL_do_handshake(clientssl)))
6144 /* Check that sending and receiving app data is ok */
6145 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6146 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6150 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6151 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6159 SSL_free(serverssl);
6160 SSL_free(clientssl);
6168 * Test we can handle a KeyUpdate (update requested) message while
6169 * write data is pending in peer.
6170 * Test 0: Client sends KeyUpdate while Server is writing
6171 * Test 1: Server sends KeyUpdate while Client is writing
6173 static int test_key_update_peer_in_write(int tst)
6175 SSL_CTX *cctx = NULL, *sctx = NULL;
6176 SSL *clientssl = NULL, *serverssl = NULL;
6179 static char *mess = "A test message";
6180 BIO *bretry = BIO_new(bio_s_always_retry());
6182 SSL *peerupdate = NULL, *peerwrite = NULL;
6184 if (!TEST_ptr(bretry)
6185 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6186 TLS_client_method(),
6189 &sctx, &cctx, cert, privkey))
6190 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6192 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6196 peerupdate = tst == 0 ? clientssl : serverssl;
6197 peerwrite = tst == 0 ? serverssl : clientssl;
6199 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
6200 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
6203 /* Swap the writing endpoint's write BIO to force a retry */
6204 tmp = SSL_get_wbio(peerwrite);
6205 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6209 SSL_set0_wbio(peerwrite, bretry);
6212 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6213 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6214 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
6217 /* Reinstate the original writing endpoint's write BIO */
6218 SSL_set0_wbio(peerwrite, tmp);
6221 /* Now read some data - we will read the key update */
6222 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6223 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
6227 * Complete the write we started previously and read it from the other
6230 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6231 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6234 /* Write more data to ensure we send the KeyUpdate message back */
6235 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6236 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6242 SSL_free(serverssl);
6243 SSL_free(clientssl);
6253 * Test we can handle a KeyUpdate (update requested) message while
6254 * peer read data is pending after peer accepted keyupdate(the msg header
6255 * had been read 5 bytes).
6256 * Test 0: Client sends KeyUpdate while Server is reading
6257 * Test 1: Server sends KeyUpdate while Client is reading
6259 static int test_key_update_peer_in_read(int tst)
6261 SSL_CTX *cctx = NULL, *sctx = NULL;
6262 SSL *clientssl = NULL, *serverssl = NULL;
6264 char prbuf[515], lwbuf[515] = {0};
6265 static char *mess = "A test message";
6266 BIO *lbio = NULL, *pbio = NULL;
6267 SSL *local = NULL, *peer = NULL;
6269 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6270 TLS_client_method(),
6273 &sctx, &cctx, cert, privkey))
6274 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6276 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6280 local = tst == 0 ? clientssl : serverssl;
6281 peer = tst == 0 ? serverssl : clientssl;
6283 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6286 SSL_set_bio(local, lbio, lbio);
6287 SSL_set_bio(peer, pbio, pbio);
6290 * we first write keyupdate msg then appdata in local
6291 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6292 * lwbuf app data msg size + key updata msg size > 512(the size of
6293 * the bio pair buffer)
6295 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6296 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
6297 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6301 * first read keyupdate msg in peer in peer
6302 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6304 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
6305 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
6308 /* Now write some data in peer - we will write the key update */
6309 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
6313 * write data in local previously that we will complete
6314 * read data in peer previously that we will complete
6316 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
6317 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
6320 /* check that sending and receiving appdata ok */
6321 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6322 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6328 SSL_free(serverssl);
6329 SSL_free(clientssl);
6337 * Test we can't send a KeyUpdate (update requested) message while
6338 * local write data is pending.
6339 * Test 0: Client sends KeyUpdate while Client is writing
6340 * Test 1: Server sends KeyUpdate while Server is writing
6342 static int test_key_update_local_in_write(int tst)
6344 SSL_CTX *cctx = NULL, *sctx = NULL;
6345 SSL *clientssl = NULL, *serverssl = NULL;
6348 static char *mess = "A test message";
6349 BIO *bretry = BIO_new(bio_s_always_retry());
6351 SSL *local = NULL, *peer = NULL;
6353 if (!TEST_ptr(bretry)
6354 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6355 TLS_client_method(),
6358 &sctx, &cctx, cert, privkey))
6359 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6361 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6365 local = tst == 0 ? clientssl : serverssl;
6366 peer = tst == 0 ? serverssl : clientssl;
6368 /* Swap the writing endpoint's write BIO to force a retry */
6369 tmp = SSL_get_wbio(local);
6370 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6374 SSL_set0_wbio(local, bretry);
6377 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
6378 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
6379 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6382 /* Reinstate the original writing endpoint's write BIO */
6383 SSL_set0_wbio(local, tmp);
6386 /* SSL_key_update will fail, because writing in local*/
6387 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6388 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
6392 /* write data in local previously that we will complete */
6393 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
6396 /* SSL_key_update will succeed because there is no pending write data */
6397 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6398 || !TEST_int_eq(SSL_do_handshake(local), 1))
6402 * we write some appdata in local
6403 * read data in peer - we will read the keyupdate msg
6405 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6406 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
6409 /* Write more peer more data to ensure we send the keyupdate message back */
6410 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6411 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
6417 SSL_free(serverssl);
6418 SSL_free(clientssl);
6428 * Test we can handle a KeyUpdate (update requested) message while
6429 * local read data is pending(the msg header had been read 5 bytes).
6430 * Test 0: Client sends KeyUpdate while Client is reading
6431 * Test 1: Server sends KeyUpdate while Server is reading
6433 static int test_key_update_local_in_read(int tst)
6435 SSL_CTX *cctx = NULL, *sctx = NULL;
6436 SSL *clientssl = NULL, *serverssl = NULL;
6438 char lrbuf[515], pwbuf[515] = {0}, prbuf[20];
6439 static char *mess = "A test message";
6440 BIO *lbio = NULL, *pbio = NULL;
6441 SSL *local = NULL, *peer = NULL;
6443 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6444 TLS_client_method(),
6447 &sctx, &cctx, cert, privkey))
6448 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6450 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6454 local = tst == 0 ? clientssl : serverssl;
6455 peer = tst == 0 ? serverssl : clientssl;
6457 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6460 SSL_set_bio(local, lbio, lbio);
6461 SSL_set_bio(peer, pbio, pbio);
6463 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
6464 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
6465 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
6468 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
6469 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
6470 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
6473 /* SSL_do_handshake will send keyupdate msg */
6474 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6475 || !TEST_int_eq(SSL_do_handshake(local), 1))
6479 * write data in peer previously that we will complete
6480 * read data in local previously that we will complete
6482 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
6483 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
6487 * write data in local
6488 * read data in peer - we will read the key update
6490 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6491 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6494 /* Write more peer data to ensure we send the keyupdate message back */
6495 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6496 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
6502 SSL_free(serverssl);
6503 SSL_free(clientssl);
6509 #endif /* OSSL_NO_USABLE_TLS1_3 */
6511 static int test_ssl_clear(int idx)
6513 SSL_CTX *cctx = NULL, *sctx = NULL;
6514 SSL *clientssl = NULL, *serverssl = NULL;
6517 #ifdef OPENSSL_NO_TLS1_2
6522 /* Create an initial connection */
6523 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6524 TLS_client_method(), TLS1_VERSION, 0,
6525 &sctx, &cctx, cert, privkey))
6527 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
6529 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6530 &clientssl, NULL, NULL))
6531 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6535 SSL_shutdown(clientssl);
6536 SSL_shutdown(serverssl);
6537 SSL_free(serverssl);
6540 /* Clear clientssl - we're going to reuse the object */
6541 if (!TEST_true(SSL_clear(clientssl)))
6544 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6546 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6548 || !TEST_true(SSL_session_reused(clientssl)))
6551 SSL_shutdown(clientssl);
6552 SSL_shutdown(serverssl);
6557 SSL_free(serverssl);
6558 SSL_free(clientssl);
6565 /* Parse CH and retrieve any MFL extension value if present */
6566 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
6569 unsigned char *data;
6570 PACKET pkt, pkt2, pkt3;
6571 unsigned int MFL_code = 0, type = 0;
6573 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
6576 memset(&pkt, 0, sizeof(pkt));
6577 memset(&pkt2, 0, sizeof(pkt2));
6578 memset(&pkt3, 0, sizeof(pkt3));
6580 if (!TEST_long_gt(len, 0)
6581 || !TEST_true( PACKET_buf_init( &pkt, data, len ) )
6582 /* Skip the record header */
6583 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
6584 /* Skip the handshake message header */
6585 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
6586 /* Skip client version and random */
6587 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
6588 + SSL3_RANDOM_SIZE))
6589 /* Skip session id */
6590 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6592 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
6593 /* Skip compression */
6594 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6595 /* Extensions len */
6596 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
6599 /* Loop through all extensions */
6600 while (PACKET_remaining(&pkt2)) {
6601 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
6602 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
6605 if (type == TLSEXT_TYPE_max_fragment_length) {
6606 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
6607 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
6610 *mfl_codemfl_code = MFL_code;
6619 /* Maximum-Fragment-Length TLS extension mode to test */
6620 static const unsigned char max_fragment_len_test[] = {
6621 TLSEXT_max_fragment_length_512,
6622 TLSEXT_max_fragment_length_1024,
6623 TLSEXT_max_fragment_length_2048,
6624 TLSEXT_max_fragment_length_4096
6627 static int test_max_fragment_len_ext(int idx_tst)
6629 SSL_CTX *ctx = NULL;
6631 int testresult = 0, MFL_mode = 0;
6634 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
6635 TLS1_VERSION, 0, NULL, &ctx, NULL,
6639 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
6640 ctx, max_fragment_len_test[idx_tst])))
6647 rbio = BIO_new(BIO_s_mem());
6648 wbio = BIO_new(BIO_s_mem());
6649 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
6655 SSL_set_bio(con, rbio, wbio);
6657 if (!TEST_int_le(SSL_connect(con), 0)) {
6658 /* This shouldn't succeed because we don't have a server! */
6662 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
6663 /* no MFL in client hello */
6665 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
6677 #ifndef OSSL_NO_USABLE_TLS1_3
6678 static int test_pha_key_update(void)
6680 SSL_CTX *cctx = NULL, *sctx = NULL;
6681 SSL *clientssl = NULL, *serverssl = NULL;
6684 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6685 TLS_client_method(), TLS1_VERSION, 0,
6686 &sctx, &cctx, cert, privkey)))
6689 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
6690 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
6691 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
6692 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
6695 SSL_CTX_set_post_handshake_auth(cctx, 1);
6697 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6701 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6705 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6706 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6709 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
6712 /* Start handshake on the server */
6713 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
6716 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
6717 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6721 SSL_shutdown(clientssl);
6722 SSL_shutdown(serverssl);
6727 SSL_free(serverssl);
6728 SSL_free(clientssl);
6735 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6737 static SRP_VBASE *vbase = NULL;
6739 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
6741 int ret = SSL3_AL_FATAL;
6743 SRP_user_pwd *user = NULL;
6745 username = SSL_get_srp_username(s);
6746 if (username == NULL) {
6747 *ad = SSL_AD_INTERNAL_ERROR;
6751 user = SRP_VBASE_get1_by_user(vbase, username);
6753 *ad = SSL_AD_INTERNAL_ERROR;
6757 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
6759 *ad = SSL_AD_INTERNAL_ERROR;
6766 SRP_user_pwd_free(user);
6770 static int create_new_vfile(char *userid, char *password, const char *filename)
6773 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
6776 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
6779 if (!TEST_ptr(dummy) || !TEST_ptr(row))
6782 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
6783 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
6784 if (!TEST_ptr(gNid))
6788 * The only way to create an empty TXT_DB is to provide a BIO with no data
6791 db = TXT_DB_read(dummy, DB_NUMBER);
6795 out = BIO_new_file(filename, "w");
6799 row[DB_srpid] = OPENSSL_strdup(userid);
6800 row[DB_srptype] = OPENSSL_strdup("V");
6801 row[DB_srpgN] = OPENSSL_strdup(gNid);
6803 if (!TEST_ptr(row[DB_srpid])
6804 || !TEST_ptr(row[DB_srptype])
6805 || !TEST_ptr(row[DB_srpgN])
6806 || !TEST_true(TXT_DB_insert(db, row)))
6811 if (TXT_DB_write(out, db) <= 0)
6817 for (i = 0; i < DB_NUMBER; i++)
6818 OPENSSL_free(row[i]);
6828 static int create_new_vbase(char *userid, char *password)
6830 BIGNUM *verifier = NULL, *salt = NULL;
6831 const SRP_gN *lgN = NULL;
6832 SRP_user_pwd *user_pwd = NULL;
6835 lgN = SRP_get_default_gN(NULL);
6839 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
6840 lgN->N, lgN->g, libctx, NULL)))
6843 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
6844 if (!TEST_ptr(user_pwd))
6847 user_pwd->N = lgN->N;
6848 user_pwd->g = lgN->g;
6849 user_pwd->id = OPENSSL_strdup(userid);
6850 if (!TEST_ptr(user_pwd->id))
6853 user_pwd->v = verifier;
6855 verifier = salt = NULL;
6857 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
6863 SRP_user_pwd_free(user_pwd);
6873 * Test 0: Simple successful SRP connection, new vbase
6874 * Test 1: Connection failure due to bad password, new vbase
6875 * Test 2: Simple successful SRP connection, vbase loaded from existing file
6876 * Test 3: Connection failure due to bad password, vbase loaded from existing
6878 * Test 4: Simple successful SRP connection, vbase loaded from new file
6879 * Test 5: Connection failure due to bad password, vbase loaded from new file
6881 static int test_srp(int tst)
6883 char *userid = "test", *password = "password", *tstsrpfile;
6884 SSL_CTX *cctx = NULL, *sctx = NULL;
6885 SSL *clientssl = NULL, *serverssl = NULL;
6886 int ret, testresult = 0;
6888 vbase = SRP_VBASE_new(NULL);
6889 if (!TEST_ptr(vbase))
6892 if (tst == 0 || tst == 1) {
6893 if (!TEST_true(create_new_vbase(userid, password)))
6896 if (tst == 4 || tst == 5) {
6897 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
6899 tstsrpfile = tmpfilename;
6901 tstsrpfile = srpvfile;
6903 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
6907 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6908 TLS_client_method(), TLS1_VERSION, 0,
6909 &sctx, &cctx, cert, privkey)))
6912 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
6913 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
6914 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
6915 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
6916 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
6920 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
6923 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
6927 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6931 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6933 if (!TEST_true(tst % 2 == 0))
6936 if (!TEST_true(tst % 2 == 1))
6943 SRP_VBASE_free(vbase);
6945 SSL_free(serverssl);
6946 SSL_free(clientssl);
6954 static int info_cb_failed = 0;
6955 static int info_cb_offset = 0;
6956 static int info_cb_this_state = -1;
6958 static struct info_cb_states_st {
6960 const char *statestr;
6961 } info_cb_states[][60] = {
6963 /* TLSv1.2 server followed by resumption */
6964 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
6965 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6966 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
6967 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
6968 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
6969 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6970 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6971 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6972 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"},
6973 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6974 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
6975 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6976 {SSL_CB_EXIT, NULL}, {0, NULL},
6978 /* TLSv1.2 client followed by resumption */
6979 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
6980 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6981 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
6982 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
6983 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
6984 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6985 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6986 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
6987 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6988 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6989 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6990 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
6992 /* TLSv1.3 server followed by resumption */
6993 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
6994 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6995 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
6996 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
6997 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
6998 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6999 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7000 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7001 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7002 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7003 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7004 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7005 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7007 /* TLSv1.3 client followed by resumption */
7008 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7009 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7010 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
7011 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7012 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7013 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7014 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7015 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7016 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7017 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7018 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7019 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7020 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7021 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7022 {SSL_CB_EXIT, NULL}, {0, NULL},
7024 /* TLSv1.3 server, early_data */
7025 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7026 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7027 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7028 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7029 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7030 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
7031 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7032 {SSL_CB_EXIT, NULL}, {0, NULL},
7034 /* TLSv1.3 client, early_data */
7035 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7036 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
7037 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7038 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7039 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7040 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
7041 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7042 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7043 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7049 static void sslapi_info_callback(const SSL *s, int where, int ret)
7051 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
7053 /* We do not ever expect a connection to fail in this test */
7054 if (!TEST_false(ret == 0)) {
7060 * Do some sanity checks. We never expect these things to happen in this
7063 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
7064 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
7065 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
7070 /* Now check we're in the right state */
7071 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
7075 if ((where & SSL_CB_LOOP) != 0
7076 && !TEST_int_eq(strcmp(SSL_state_string(s),
7077 state[info_cb_this_state].statestr), 0)) {
7083 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7085 if ((where & SSL_CB_HANDSHAKE_DONE)
7086 && SSL_in_init((SSL *)s) != 0) {
7093 * Test the info callback gets called when we expect it to.
7095 * Test 0: TLSv1.2, server
7096 * Test 1: TLSv1.2, client
7097 * Test 2: TLSv1.3, server
7098 * Test 3: TLSv1.3, client
7099 * Test 4: TLSv1.3, server, early_data
7100 * Test 5: TLSv1.3, client, early_data
7102 static int test_info_callback(int tst)
7104 SSL_CTX *cctx = NULL, *sctx = NULL;
7105 SSL *clientssl = NULL, *serverssl = NULL;
7106 SSL_SESSION *clntsess = NULL;
7111 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
7112 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7113 || !defined(OPENSSL_NO_DH))
7114 tlsvers = TLS1_2_VERSION;
7119 #ifndef OSSL_NO_USABLE_TLS1_3
7120 tlsvers = TLS1_3_VERSION;
7128 info_cb_this_state = -1;
7129 info_cb_offset = tst;
7131 #ifndef OSSL_NO_USABLE_TLS1_3
7133 SSL_SESSION *sess = NULL;
7134 size_t written, readbytes;
7135 unsigned char buf[80];
7137 /* early_data tests */
7138 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
7139 &serverssl, &sess, 0)))
7142 /* We don't actually need this reference */
7143 SSL_SESSION_free(sess);
7145 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
7146 sslapi_info_callback);
7148 /* Write and read some early data and then complete the connection */
7149 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
7151 || !TEST_size_t_eq(written, strlen(MSG1))
7152 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
7153 sizeof(buf), &readbytes),
7154 SSL_READ_EARLY_DATA_SUCCESS)
7155 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
7156 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
7157 SSL_EARLY_DATA_ACCEPTED)
7158 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7160 || !TEST_false(info_cb_failed))
7168 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7169 TLS_client_method(),
7170 tlsvers, tlsvers, &sctx, &cctx, cert,
7174 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
7178 * For even numbered tests we check the server callbacks. For odd numbers we
7181 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
7182 sslapi_info_callback);
7184 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7185 &clientssl, NULL, NULL))
7186 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7188 || !TEST_false(info_cb_failed))
7193 clntsess = SSL_get1_session(clientssl);
7194 SSL_shutdown(clientssl);
7195 SSL_shutdown(serverssl);
7196 SSL_free(serverssl);
7197 SSL_free(clientssl);
7198 serverssl = clientssl = NULL;
7200 /* Now do a resumption */
7201 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7203 || !TEST_true(SSL_set_session(clientssl, clntsess))
7204 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7206 || !TEST_true(SSL_session_reused(clientssl))
7207 || !TEST_false(info_cb_failed))
7213 SSL_free(serverssl);
7214 SSL_free(clientssl);
7215 SSL_SESSION_free(clntsess);
7221 static int test_ssl_pending(int tst)
7223 SSL_CTX *cctx = NULL, *sctx = NULL;
7224 SSL *clientssl = NULL, *serverssl = NULL;
7226 char msg[] = "A test message";
7228 size_t written, readbytes;
7231 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7232 TLS_client_method(),
7234 &sctx, &cctx, cert, privkey)))
7237 #ifndef OPENSSL_NO_DTLS
7238 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
7239 DTLS_client_method(),
7241 &sctx, &cctx, cert, privkey)))
7244 # ifdef OPENSSL_NO_DTLS1_2
7245 /* Not supported in the FIPS provider */
7251 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7254 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
7255 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
7256 "DEFAULT:@SECLEVEL=0")))
7264 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7266 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7270 if (!TEST_int_eq(SSL_pending(clientssl), 0)
7271 || !TEST_false(SSL_has_pending(clientssl))
7272 || !TEST_int_eq(SSL_pending(serverssl), 0)
7273 || !TEST_false(SSL_has_pending(serverssl))
7274 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7275 || !TEST_size_t_eq(written, sizeof(msg))
7276 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
7277 || !TEST_size_t_eq(readbytes, sizeof(buf))
7278 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
7279 || !TEST_true(SSL_has_pending(clientssl)))
7285 SSL_free(serverssl);
7286 SSL_free(clientssl);
7294 unsigned int maxprot;
7295 const char *clntciphers;
7296 const char *clnttls13ciphers;
7297 const char *srvrciphers;
7298 const char *srvrtls13ciphers;
7300 const char *fipsshared;
7301 } shared_ciphers_data[] = {
7303 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
7304 * TLSv1.3 is enabled but TLSv1.2 is disabled.
7306 #if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
7309 "AES128-SHA:AES256-SHA",
7311 "AES256-SHA:DHE-RSA-AES128-SHA",
7316 # if !defined(OPENSSL_NO_CHACHA) \
7317 && !defined(OPENSSL_NO_POLY1305) \
7318 && !defined(OPENSSL_NO_EC)
7321 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7323 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7325 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7331 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
7333 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
7335 "AES128-SHA:AES256-SHA",
7336 "AES128-SHA:AES256-SHA"
7340 "AES128-SHA:AES256-SHA",
7342 "AES128-SHA:DHE-RSA-AES128-SHA",
7349 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7352 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
7353 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
7356 "AES128-SHA:AES256-SHA",
7358 "AES256-SHA:AES128-SHA256",
7360 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
7361 "TLS_AES_128_GCM_SHA256:AES256-SHA",
7362 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
7365 #ifndef OSSL_NO_USABLE_TLS1_3
7369 "TLS_AES_256_GCM_SHA384",
7371 "TLS_AES_256_GCM_SHA384",
7372 "TLS_AES_256_GCM_SHA384",
7373 "TLS_AES_256_GCM_SHA384"
7378 static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
7380 SSL_CTX *cctx = NULL, *sctx = NULL;
7381 SSL *clientssl = NULL, *serverssl = NULL;
7384 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
7386 if (!TEST_ptr(tmplibctx))
7390 * Regardless of whether we're testing with the FIPS provider loaded into
7391 * libctx, we want one peer to always use the full set of ciphersuites
7392 * available. Therefore we use a separate libctx with the default provider
7393 * loaded into it. We run the same tests twice - once with the client side
7394 * having the full set of ciphersuites and once with the server side.
7397 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
7398 if (!TEST_ptr(cctx))
7401 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
7402 if (!TEST_ptr(sctx))
7406 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7407 TLS_client_method(),
7409 shared_ciphers_data[tst].maxprot,
7410 &sctx, &cctx, cert, privkey)))
7413 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
7414 shared_ciphers_data[tst].clntciphers))
7415 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
7416 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
7417 shared_ciphers_data[tst].clnttls13ciphers)))
7418 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
7419 shared_ciphers_data[tst].srvrciphers))
7420 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
7421 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
7422 shared_ciphers_data[tst].srvrtls13ciphers))))
7426 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7428 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7432 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
7433 || !TEST_int_eq(strcmp(buf,
7435 ? shared_ciphers_data[tst].fipsshared
7436 : shared_ciphers_data[tst].shared),
7438 TEST_info("Shared ciphers are: %s\n", buf);
7445 SSL_free(serverssl);
7446 SSL_free(clientssl);
7449 OSSL_LIB_CTX_free(tmplibctx);
7454 static int test_ssl_get_shared_ciphers(int tst)
7456 return int_test_ssl_get_shared_ciphers(tst, 0)
7457 && int_test_ssl_get_shared_ciphers(tst, 1);
7461 static const char *appdata = "Hello World";
7462 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
7463 static int tick_key_renew = 0;
7464 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7466 static int gen_tick_cb(SSL *s, void *arg)
7468 gen_tick_called = 1;
7470 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
7474 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
7475 const unsigned char *keyname,
7476 size_t keyname_length,
7477 SSL_TICKET_STATUS status,
7483 dec_tick_called = 1;
7485 if (status == SSL_TICKET_EMPTY)
7486 return SSL_TICKET_RETURN_IGNORE_RENEW;
7488 if (!TEST_true(status == SSL_TICKET_SUCCESS
7489 || status == SSL_TICKET_SUCCESS_RENEW))
7490 return SSL_TICKET_RETURN_ABORT;
7492 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
7494 || !TEST_size_t_eq(tickdlen, strlen(appdata))
7495 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
7496 return SSL_TICKET_RETURN_ABORT;
7498 if (tick_key_cb_called) {
7499 /* Don't change what the ticket key callback wanted to do */
7501 case SSL_TICKET_NO_DECRYPT:
7502 return SSL_TICKET_RETURN_IGNORE_RENEW;
7504 case SSL_TICKET_SUCCESS:
7505 return SSL_TICKET_RETURN_USE;
7507 case SSL_TICKET_SUCCESS_RENEW:
7508 return SSL_TICKET_RETURN_USE_RENEW;
7511 return SSL_TICKET_RETURN_ABORT;
7514 return tick_dec_ret;
7518 #ifndef OPENSSL_NO_DEPRECATED_3_0
7519 static int tick_key_cb(SSL *s, unsigned char key_name[16],
7520 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
7521 HMAC_CTX *hctx, int enc)
7523 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7524 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
7525 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7526 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
7529 tick_key_cb_called = 1;
7530 memset(iv, 0, AES_BLOCK_SIZE);
7531 memset(key_name, 0, 16);
7532 if (aes128cbc == NULL
7534 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7535 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
7539 ret = tick_key_renew ? 2 : 1;
7541 EVP_CIPHER_free(aes128cbc);
7542 EVP_MD_free(sha256);
7548 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
7549 unsigned char iv[EVP_MAX_IV_LENGTH],
7550 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
7552 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7553 unsigned char tick_hmac_key[16] = "0123456789abcdef";
7554 OSSL_PARAM params[2];
7555 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7558 tick_key_cb_called = 1;
7559 memset(iv, 0, AES_BLOCK_SIZE);
7560 memset(key_name, 0, 16);
7561 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
7563 params[1] = OSSL_PARAM_construct_end();
7564 if (aes128cbc == NULL
7565 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7566 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
7570 ret = tick_key_renew ? 2 : 1;
7572 EVP_CIPHER_free(aes128cbc);
7578 * Test the various ticket callbacks
7579 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
7580 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
7581 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
7582 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
7583 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
7584 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
7585 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
7586 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
7587 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
7588 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
7589 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
7590 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
7591 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
7592 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
7593 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
7594 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
7596 static int test_ticket_callbacks(int tst)
7598 SSL_CTX *cctx = NULL, *sctx = NULL;
7599 SSL *clientssl = NULL, *serverssl = NULL;
7600 SSL_SESSION *clntsess = NULL;
7603 #ifdef OPENSSL_NO_TLS1_2
7607 #ifdef OSSL_NO_USABLE_TLS1_3
7611 #ifdef OPENSSL_NO_DEPRECATED_3_0
7612 if (tst >= 8 && tst <= 11)
7616 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
7618 /* Which tests the ticket key callback should request renewal for */
7619 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
7624 /* Which tests the decrypt ticket callback should request renewal for */
7628 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
7633 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
7638 tick_dec_ret = SSL_TICKET_RETURN_USE;
7643 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
7647 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7650 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7651 TLS_client_method(),
7653 ((tst % 2) == 0) ? TLS1_2_VERSION
7655 &sctx, &cctx, cert, privkey)))
7659 * We only want sessions to resume from tickets - not the session cache. So
7660 * switch the cache off.
7662 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
7665 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
7670 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
7672 #ifndef OPENSSL_NO_DEPRECATED_3_0
7673 } else if (tst >= 8) {
7674 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
7679 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7681 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7686 * The decrypt ticket key callback in TLSv1.2 should be called even though
7687 * we have no ticket yet, because it gets called with a status of
7688 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
7689 * actually send any ticket data). This does not happen in TLSv1.3 because
7690 * it is not valid to send empty ticket data in TLSv1.3.
7692 if (!TEST_int_eq(gen_tick_called, 1)
7693 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
7696 gen_tick_called = dec_tick_called = 0;
7698 clntsess = SSL_get1_session(clientssl);
7699 SSL_shutdown(clientssl);
7700 SSL_shutdown(serverssl);
7701 SSL_free(serverssl);
7702 SSL_free(clientssl);
7703 serverssl = clientssl = NULL;
7705 /* Now do a resumption */
7706 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7708 || !TEST_true(SSL_set_session(clientssl, clntsess))
7709 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7713 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
7714 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
7715 if (!TEST_false(SSL_session_reused(clientssl)))
7718 if (!TEST_true(SSL_session_reused(clientssl)))
7722 if (!TEST_int_eq(gen_tick_called,
7724 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
7725 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
7727 || !TEST_int_eq(dec_tick_called, 1))
7733 SSL_SESSION_free(clntsess);
7734 SSL_free(serverssl);
7735 SSL_free(clientssl);
7743 * Test incorrect shutdown.
7744 * Test 0: client does not shutdown properly,
7745 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
7746 * server should get SSL_ERROR_SSL
7747 * Test 1: client does not shutdown properly,
7748 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
7749 * server should get SSL_ERROR_ZERO_RETURN
7751 static int test_incorrect_shutdown(int tst)
7753 SSL_CTX *cctx = NULL, *sctx = NULL;
7754 SSL *clientssl = NULL, *serverssl = NULL;
7759 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7760 TLS_client_method(), 0, 0,
7761 &sctx, &cctx, cert, privkey)))
7765 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
7767 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7771 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7775 c2s = SSL_get_rbio(serverssl);
7776 BIO_set_mem_eof_return(c2s, 0);
7778 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
7781 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
7783 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
7789 SSL_free(serverssl);
7790 SSL_free(clientssl);
7798 * Test bi-directional shutdown.
7800 * Test 1: TLSv1.2, server continues to read/write after client shutdown
7801 * Test 2: TLSv1.3, no pending NewSessionTicket messages
7802 * Test 3: TLSv1.3, pending NewSessionTicket messages
7803 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
7804 * sends key update, client reads it
7805 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
7806 * sends CertificateRequest, client reads and ignores it
7807 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
7810 static int test_shutdown(int tst)
7812 SSL_CTX *cctx = NULL, *sctx = NULL;
7813 SSL *clientssl = NULL, *serverssl = NULL;
7815 char msg[] = "A test message";
7817 size_t written, readbytes;
7820 #ifdef OPENSSL_NO_TLS1_2
7824 #ifdef OSSL_NO_USABLE_TLS1_3
7829 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7830 TLS_client_method(),
7832 (tst <= 1) ? TLS1_2_VERSION
7834 &sctx, &cctx, cert, privkey)))
7838 SSL_CTX_set_post_handshake_auth(cctx, 1);
7840 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7845 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
7847 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7848 || !TEST_false(SSL_SESSION_is_resumable(sess)))
7850 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7852 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7853 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
7857 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
7862 * Reading on the server after the client has sent close_notify should
7863 * fail and provide SSL_ERROR_ZERO_RETURN
7865 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
7866 || !TEST_int_eq(SSL_get_error(serverssl, 0),
7867 SSL_ERROR_ZERO_RETURN)
7868 || !TEST_int_eq(SSL_get_shutdown(serverssl),
7869 SSL_RECEIVED_SHUTDOWN)
7871 * Even though we're shutdown on receive we should still be
7874 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7877 && !TEST_true(SSL_key_update(serverssl,
7878 SSL_KEY_UPDATE_REQUESTED)))
7881 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7882 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7885 if ((tst == 4 || tst == 5)
7886 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7888 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
7890 if (tst == 4 || tst == 5) {
7891 /* Should still be able to read data from server */
7892 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7894 || !TEST_size_t_eq(readbytes, sizeof(msg))
7895 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
7896 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7898 || !TEST_size_t_eq(readbytes, sizeof(msg))
7899 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
7904 /* Writing on the client after sending close_notify shouldn't be possible */
7905 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
7910 * For these tests the client has sent close_notify but it has not yet
7911 * been received by the server. The server has not sent close_notify
7914 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
7916 * Writing on the server after sending close_notify shouldn't
7919 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7920 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
7921 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7922 || !TEST_true(SSL_SESSION_is_resumable(sess))
7923 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
7925 } else if (tst == 4 || tst == 5) {
7927 * In this test the client has sent close_notify and it has been
7928 * received by the server which has responded with a close_notify. The
7929 * client needs to read the close_notify sent by the server.
7931 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
7932 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7933 || !TEST_true(SSL_SESSION_is_resumable(sess)))
7939 * The client has sent close_notify and is expecting a close_notify
7940 * back, but instead there is application data first. The shutdown
7941 * should fail with a fatal error.
7943 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
7944 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
7951 SSL_free(serverssl);
7952 SSL_free(clientssl);
7959 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
7960 static int cert_cb_cnt;
7962 static int cert_cb(SSL *s, void *arg)
7964 SSL_CTX *ctx = (SSL_CTX *)arg;
7966 EVP_PKEY *pkey = NULL;
7967 X509 *x509 = NULL, *rootx = NULL;
7968 STACK_OF(X509) *chain = NULL;
7969 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
7972 if (cert_cb_cnt == 0) {
7973 /* Suspend the handshake */
7976 } else if (cert_cb_cnt == 1) {
7978 * Update the SSL_CTX, set the certificate and private key and then
7979 * continue the handshake normally.
7981 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
7984 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
7985 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
7987 || !TEST_true(SSL_check_private_key(s)))
7991 } else if (cert_cb_cnt == 3) {
7994 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
7995 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
7996 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
7997 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
7999 chain = sk_X509_new_null();
8000 if (!TEST_ptr(chain))
8002 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8003 || !TEST_int_gt(BIO_read_filename(in, rootfile), 0)
8004 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
8005 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
8006 || !TEST_true(sk_X509_push(chain, rootx)))
8010 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8011 || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0)
8012 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
8013 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
8016 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8017 || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0)
8018 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
8022 rv = SSL_check_chain(s, x509, pkey, chain);
8024 * If the cert doesn't show as valid here (e.g., because we don't
8025 * have any shared sigalgs), then we will not set it, and there will
8026 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8027 * will cause tls_choose_sigalgs() to fail the connection.
8029 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
8030 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
8031 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
8038 /* Abort the handshake */
8040 OPENSSL_free(ecdsacert);
8041 OPENSSL_free(ecdsakey);
8042 OPENSSL_free(rootfile);
8044 EVP_PKEY_free(pkey);
8047 sk_X509_pop_free(chain, X509_free);
8052 * Test the certificate callback.
8053 * Test 0: Callback fails
8054 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8055 * Test 2: Success - SSL_set_SSL_CTX() in the callback
8056 * Test 3: Success - Call SSL_check_chain from the callback
8057 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8059 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
8061 static int test_cert_cb_int(int prot, int tst)
8063 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
8064 SSL *clientssl = NULL, *serverssl = NULL;
8065 int testresult = 0, ret;
8067 #ifdef OPENSSL_NO_EC
8068 /* We use an EC cert in these tests, so we skip in a no-ec build */
8073 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8074 TLS_client_method(),
8077 &sctx, &cctx, NULL, NULL)))
8088 snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
8089 if (!TEST_ptr(snictx))
8093 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
8095 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8101 * We cause SSL_check_chain() to fail by specifying sig_algs that
8102 * the chain doesn't meet (the root uses an RSA cert)
8104 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8105 "ecdsa_secp256r1_sha256")))
8107 } else if (tst == 5) {
8109 * We cause SSL_check_chain() to fail by specifying sig_algs that
8110 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8112 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8113 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8117 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
8118 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
8120 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
8127 SSL_free(serverssl);
8128 SSL_free(clientssl);
8131 SSL_CTX_free(snictx);
8137 static int test_cert_cb(int tst)
8141 #ifndef OPENSSL_NO_TLS1_2
8142 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
8144 #ifndef OSSL_NO_USABLE_TLS1_3
8145 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
8151 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
8156 BIO *priv_in = NULL;
8158 /* Check that SSL_get0_peer_certificate() returns something sensible */
8159 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
8162 in = BIO_new_file(cert, "r");
8166 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
8167 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
8168 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
8169 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
8187 static int test_client_cert_cb(int tst)
8189 SSL_CTX *cctx = NULL, *sctx = NULL;
8190 SSL *clientssl = NULL, *serverssl = NULL;
8193 #ifdef OPENSSL_NO_TLS1_2
8197 #ifdef OSSL_NO_USABLE_TLS1_3
8202 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8203 TLS_client_method(),
8205 tst == 0 ? TLS1_2_VERSION
8207 &sctx, &cctx, cert, privkey)))
8211 * Test that setting a client_cert_cb results in a client certificate being
8214 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
8215 SSL_CTX_set_verify(sctx,
8216 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
8219 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8221 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8228 SSL_free(serverssl);
8229 SSL_free(clientssl);
8236 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8238 * Test setting certificate authorities on both client and server.
8240 * Test 0: SSL_CTX_set0_CA_list() only
8241 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
8242 * Test 2: Only SSL_CTX_set_client_CA_list()
8244 static int test_ca_names_int(int prot, int tst)
8246 SSL_CTX *cctx = NULL, *sctx = NULL;
8247 SSL *clientssl = NULL, *serverssl = NULL;
8250 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
8251 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
8252 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
8253 const STACK_OF(X509_NAME) *sktmp = NULL;
8255 for (i = 0; i < OSSL_NELEM(name); i++) {
8256 name[i] = X509_NAME_new();
8257 if (!TEST_ptr(name[i])
8258 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
8266 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8267 TLS_client_method(),
8270 &sctx, &cctx, cert, privkey)))
8273 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
8275 if (tst == 0 || tst == 1) {
8276 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8277 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
8278 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
8279 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8280 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
8281 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
8284 SSL_CTX_set0_CA_list(sctx, sk1);
8285 SSL_CTX_set0_CA_list(cctx, sk2);
8288 if (tst == 1 || tst == 2) {
8289 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8290 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
8291 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
8292 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8293 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
8294 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
8297 SSL_CTX_set_client_CA_list(sctx, sk1);
8298 SSL_CTX_set_client_CA_list(cctx, sk2);
8302 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8304 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8309 * We only expect certificate authorities to have been sent to the server
8310 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
8312 sktmp = SSL_get0_peer_CA_list(serverssl);
8313 if (prot == TLS1_3_VERSION
8314 && (tst == 0 || tst == 1)) {
8315 if (!TEST_ptr(sktmp)
8316 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8317 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8319 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8322 } else if (!TEST_ptr_null(sktmp)) {
8327 * In all tests we expect certificate authorities to have been sent to the
8328 * client. However, SSL_set_client_CA_list() should override
8329 * SSL_set0_CA_list()
8331 sktmp = SSL_get0_peer_CA_list(clientssl);
8332 if (!TEST_ptr(sktmp)
8333 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8334 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8335 name[tst == 0 ? 0 : 2]), 0)
8336 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8337 name[tst == 0 ? 1 : 3]), 0))
8343 SSL_free(serverssl);
8344 SSL_free(clientssl);
8347 for (i = 0; i < OSSL_NELEM(name); i++)
8348 X509_NAME_free(name[i]);
8349 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
8350 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
8356 static int test_ca_names(int tst)
8360 #ifndef OPENSSL_NO_TLS1_2
8361 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
8363 #ifndef OSSL_NO_USABLE_TLS1_3
8364 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
8370 #ifndef OPENSSL_NO_TLS1_2
8371 static const char *multiblock_cipherlist_data[]=
8379 /* Reduce the fragment size - so the multiblock test buffer can be small */
8380 # define MULTIBLOCK_FRAGSIZE 512
8382 static int test_multiblock_write(int test_index)
8384 static const char *fetchable_ciphers[]=
8386 "AES-128-CBC-HMAC-SHA1",
8387 "AES-128-CBC-HMAC-SHA256",
8388 "AES-256-CBC-HMAC-SHA1",
8389 "AES-256-CBC-HMAC-SHA256"
8391 const char *cipherlist = multiblock_cipherlist_data[test_index];
8392 const SSL_METHOD *smeth = TLS_server_method();
8393 const SSL_METHOD *cmeth = TLS_client_method();
8394 int min_version = TLS1_VERSION;
8395 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
8396 SSL_CTX *cctx = NULL, *sctx = NULL;
8397 SSL *clientssl = NULL, *serverssl = NULL;
8401 * Choose a buffer large enough to perform a multi-block operation
8402 * i.e: write_len >= 4 * frag_size
8403 * 9 * is chosen so that multiple multiblocks are used + some leftover.
8405 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
8406 unsigned char buf[sizeof(msg)], *p = buf;
8407 size_t readbytes, written, len;
8408 EVP_CIPHER *ciph = NULL;
8411 * Check if the cipher exists before attempting to use it since it only has
8412 * a hardware specific implementation.
8414 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
8416 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
8419 EVP_CIPHER_free(ciph);
8421 /* Set up a buffer with some data that will be sent to the client */
8422 RAND_bytes(msg, sizeof(msg));
8424 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
8425 max_version, &sctx, &cctx, cert,
8429 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
8432 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8436 /* settings to force it to use AES-CBC-HMAC_SHA */
8437 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
8438 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
8441 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8444 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8445 || !TEST_size_t_eq(written, sizeof(msg)))
8450 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
8455 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
8460 SSL_free(serverssl);
8461 SSL_free(clientssl);
8467 #endif /* OPENSSL_NO_TLS1_2 */
8469 static int test_session_timeout(int test)
8472 * Test session ordering and timeout
8473 * Can't explicitly test performance of the new code,
8474 * but can test to see if the ordering of the sessions
8475 * are correct, and they they are removed as expected
8477 SSL_SESSION *early = NULL;
8478 SSL_SESSION *middle = NULL;
8479 SSL_SESSION *late = NULL;
8482 long now = (long)time(NULL);
8485 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
8486 || !TEST_ptr(early = SSL_SESSION_new())
8487 || !TEST_ptr(middle = SSL_SESSION_new())
8488 || !TEST_ptr(late = SSL_SESSION_new()))
8491 /* assign unique session ids */
8492 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8493 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
8494 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8495 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
8496 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8497 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
8499 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8500 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8501 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8504 /* Make sure they are all added */
8505 if (!TEST_ptr(early->prev)
8506 || !TEST_ptr(middle->prev)
8507 || !TEST_ptr(late->prev))
8510 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
8511 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
8512 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
8515 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
8516 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
8517 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
8520 /* Make sure they are all still there */
8521 if (!TEST_ptr(early->prev)
8522 || !TEST_ptr(middle->prev)
8523 || !TEST_ptr(late->prev))
8526 /* Make sure they are in the expected order */
8527 if (!TEST_ptr_eq(late->next, middle)
8528 || !TEST_ptr_eq(middle->next, early)
8529 || !TEST_ptr_eq(early->prev, middle)
8530 || !TEST_ptr_eq(middle->prev, late))
8533 /* This should remove "early" */
8534 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1);
8535 if (!TEST_ptr_null(early->prev)
8536 || !TEST_ptr(middle->prev)
8537 || !TEST_ptr(late->prev))
8540 /* This should remove "middle" */
8541 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1);
8542 if (!TEST_ptr_null(early->prev)
8543 || !TEST_ptr_null(middle->prev)
8544 || !TEST_ptr(late->prev))
8547 /* This should remove "late" */
8548 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11);
8549 if (!TEST_ptr_null(early->prev)
8550 || !TEST_ptr_null(middle->prev)
8551 || !TEST_ptr_null(late->prev))
8554 /* Add them back in again */
8555 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8556 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8557 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8560 /* Make sure they are all added */
8561 if (!TEST_ptr(early->prev)
8562 || !TEST_ptr(middle->prev)
8563 || !TEST_ptr(late->prev))
8566 /* This should remove all of them */
8567 SSL_CTX_flush_sessions(ctx, 0);
8568 if (!TEST_ptr_null(early->prev)
8569 || !TEST_ptr_null(middle->prev)
8570 || !TEST_ptr_null(late->prev))
8573 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
8574 | SSL_CTX_get_session_cache_mode(ctx));
8576 /* make sure |now| is NOT equal to the current time */
8578 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
8579 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8580 || !TEST_long_ne(SSL_SESSION_get_time(early), now))
8586 SSL_SESSION_free(early);
8587 SSL_SESSION_free(middle);
8588 SSL_SESSION_free(late);
8593 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
8594 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
8595 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
8596 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
8597 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
8598 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
8599 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
8600 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
8601 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
8602 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
8604 static int test_servername(int tst)
8606 SSL_CTX *cctx = NULL, *sctx = NULL;
8607 SSL *clientssl = NULL, *serverssl = NULL;
8609 SSL_SESSION *sess = NULL;
8610 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
8612 #ifdef OPENSSL_NO_TLS1_2
8616 #ifdef OSSL_NO_USABLE_TLS1_3
8621 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8622 TLS_client_method(),
8624 (tst <= 4) ? TLS1_2_VERSION
8626 &sctx, &cctx, cert, privkey))
8627 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8631 if (tst != 1 && tst != 6) {
8632 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
8637 if (tst != 3 && tst != 8) {
8638 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
8640 sexpectedhost = cexpectedhost = "goodhost";
8643 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8646 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
8648 || !TEST_str_eq(SSL_get_servername(serverssl,
8649 TLSEXT_NAMETYPE_host_name),
8653 /* Now repeat with a resumption handshake */
8655 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
8656 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
8657 || !TEST_true(SSL_SESSION_is_resumable(sess))
8658 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
8661 SSL_free(clientssl);
8662 SSL_free(serverssl);
8663 clientssl = serverssl = NULL;
8665 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8669 if (!TEST_true(SSL_set_session(clientssl, sess)))
8672 sexpectedhost = cexpectedhost = "goodhost";
8673 if (tst == 2 || tst == 7) {
8674 /* Set an inconsistent hostname */
8675 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
8678 * In TLSv1.2 we expect the hostname from the original handshake, in
8679 * TLSv1.3 we expect the hostname from this handshake
8682 sexpectedhost = cexpectedhost = "altgoodhost";
8684 if (!TEST_str_eq(SSL_get_servername(clientssl,
8685 TLSEXT_NAMETYPE_host_name),
8688 } else if (tst == 4 || tst == 9) {
8690 * A TLSv1.3 session does not associate a session with a servername,
8691 * but a TLSv1.2 session does.
8694 sexpectedhost = cexpectedhost = NULL;
8696 if (!TEST_str_eq(SSL_get_servername(clientssl,
8697 TLSEXT_NAMETYPE_host_name),
8701 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
8704 * In a TLSv1.2 resumption where the hostname was not acknowledged
8705 * we expect the hostname on the server to be empty. On the client we
8706 * return what was requested in this case.
8708 * Similarly if the client didn't set a hostname on an original TLSv1.2
8709 * session but is now, the server hostname will be empty, but the client
8712 if (tst == 1 || tst == 3)
8713 sexpectedhost = NULL;
8715 if (!TEST_str_eq(SSL_get_servername(clientssl,
8716 TLSEXT_NAMETYPE_host_name),
8721 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8724 if (!TEST_true(SSL_session_reused(clientssl))
8725 || !TEST_true(SSL_session_reused(serverssl))
8726 || !TEST_str_eq(SSL_get_servername(clientssl,
8727 TLSEXT_NAMETYPE_host_name),
8729 || !TEST_str_eq(SSL_get_servername(serverssl,
8730 TLSEXT_NAMETYPE_host_name),
8737 SSL_SESSION_free(sess);
8738 SSL_free(serverssl);
8739 SSL_free(clientssl);
8746 #if !defined(OPENSSL_NO_EC) \
8747 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
8749 * Test that if signature algorithms are not available, then we do not offer or
8751 * Test 0: Two RSA sig algs available: both RSA sig algs shared
8752 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
8753 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
8754 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
8755 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
8756 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
8758 static int test_sigalgs_available(int idx)
8760 SSL_CTX *cctx = NULL, *sctx = NULL;
8761 SSL *clientssl = NULL, *serverssl = NULL;
8763 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
8764 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
8765 OSSL_PROVIDER *filterprov = NULL;
8768 if (!TEST_ptr(tmpctx))
8771 if (idx != 0 && idx != 3) {
8772 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
8773 filter_provider_init)))
8776 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
8777 if (!TEST_ptr(filterprov))
8782 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
8783 * or accepted for the peer that uses this libctx. Note that libssl
8784 * *requires* SHA2-256 to be available so we cannot disable that. We
8785 * also need SHA1 for our certificate.
8787 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
8791 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
8793 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
8798 if (idx == 1 || idx == 4)
8804 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
8805 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
8806 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
8810 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8811 TLS_client_method(),
8814 &sctx, &cctx, cert, privkey)))
8817 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8818 TLS_client_method(),
8821 &sctx, &cctx, cert2, privkey2)))
8825 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
8827 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8828 "ECDHE-RSA-AES128-GCM-SHA256")))
8831 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8832 "ECDHE-ECDSA-AES128-GCM-SHA256")))
8837 if (!SSL_CTX_set1_sigalgs_list(cctx,
8838 "rsa_pss_rsae_sha384"
8839 ":rsa_pss_rsae_sha256")
8840 || !SSL_CTX_set1_sigalgs_list(sctx,
8841 "rsa_pss_rsae_sha384"
8842 ":rsa_pss_rsae_sha256"))
8845 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
8846 || !SSL_CTX_set1_sigalgs_list(sctx,
8847 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
8852 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
8853 SSL_FILETYPE_PEM), 1)
8854 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
8856 SSL_FILETYPE_PEM), 1)
8857 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
8860 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8864 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8867 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
8868 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
8870 (idx == 0 || idx == 3) ? 2 : 1))
8873 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
8876 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
8880 testresult = filter_provider_check_clean_finish();
8883 SSL_free(serverssl);
8884 SSL_free(clientssl);
8887 OSSL_PROVIDER_unload(filterprov);
8888 OSSL_LIB_CTX_free(tmpctx);
8893 * !defined(OPENSSL_NO_EC) \
8894 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
8897 #ifndef OPENSSL_NO_TLS1_3
8898 /* This test can run in TLSv1.3 even if ec and dh are disabled */
8899 static int test_pluggable_group(int idx)
8901 SSL_CTX *cctx = NULL, *sctx = NULL;
8902 SSL *clientssl = NULL, *serverssl = NULL;
8904 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
8905 /* Check that we are not impacted by a provider without any groups */
8906 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
8907 const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
8909 if (!TEST_ptr(tlsprov))
8912 if (legacyprov == NULL) {
8914 * In this case we assume we've been built with "no-legacy" and skip
8915 * this test (there is no OPENSSL_NO_LEGACY)
8921 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8922 TLS_client_method(),
8925 &sctx, &cctx, cert, privkey))
8926 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8930 if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
8931 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
8934 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8937 if (!TEST_str_eq(group_name,
8938 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
8944 SSL_free(serverssl);
8945 SSL_free(clientssl);
8948 OSSL_PROVIDER_unload(tlsprov);
8949 OSSL_PROVIDER_unload(legacyprov);
8955 #ifndef OPENSSL_NO_TLS1_2
8956 static int test_ssl_dup(void)
8958 SSL_CTX *cctx = NULL, *sctx = NULL;
8959 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
8961 BIO *rbio = NULL, *wbio = NULL;
8963 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8964 TLS_client_method(),
8967 &sctx, &cctx, cert, privkey)))
8970 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8974 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
8975 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
8978 client2ssl = SSL_dup(clientssl);
8979 rbio = SSL_get_rbio(clientssl);
8981 || !TEST_true(BIO_up_ref(rbio)))
8983 SSL_set0_rbio(client2ssl, rbio);
8986 wbio = SSL_get_wbio(clientssl);
8987 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
8989 SSL_set0_wbio(client2ssl, wbio);
8992 if (!TEST_ptr(client2ssl)
8993 /* Handshake not started so pointers should be different */
8994 || !TEST_ptr_ne(clientssl, client2ssl))
8997 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
8998 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
9001 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
9004 SSL_free(clientssl);
9005 clientssl = SSL_dup(client2ssl);
9006 if (!TEST_ptr(clientssl)
9007 /* Handshake has finished so pointers should be the same */
9008 || !TEST_ptr_eq(clientssl, client2ssl))
9014 SSL_free(serverssl);
9015 SSL_free(clientssl);
9016 SSL_free(client2ssl);
9023 # ifndef OPENSSL_NO_DH
9025 static EVP_PKEY *tmp_dh_params = NULL;
9027 /* Helper function for the test_set_tmp_dh() tests */
9028 static EVP_PKEY *get_tmp_dh_params(void)
9030 if (tmp_dh_params == NULL) {
9032 OSSL_PARAM_BLD *tmpl = NULL;
9033 EVP_PKEY_CTX *pctx = NULL;
9034 OSSL_PARAM *params = NULL;
9035 EVP_PKEY *dhpkey = NULL;
9037 p = BN_get_rfc3526_prime_2048(NULL);
9041 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
9043 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
9046 tmpl = OSSL_PARAM_BLD_new();
9048 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
9049 OSSL_PKEY_PARAM_FFC_P,
9051 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
9052 OSSL_PKEY_PARAM_FFC_G,
9056 params = OSSL_PARAM_BLD_to_param(tmpl);
9057 if (!TEST_ptr(params)
9058 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
9059 EVP_PKEY_KEY_PARAMETERS,
9063 tmp_dh_params = dhpkey;
9066 EVP_PKEY_CTX_free(pctx);
9067 OSSL_PARAM_BLD_free(tmpl);
9068 OSSL_PARAM_free(params);
9071 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
9074 return tmp_dh_params;
9077 # ifndef OPENSSL_NO_DEPRECATED_3_0
9078 /* Callback used by test_set_tmp_dh() */
9079 static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
9081 EVP_PKEY *dhpkey = get_tmp_dh_params();
9084 if (!TEST_ptr(dhpkey))
9088 * libssl does not free the returned DH, so we free it now knowing that even
9089 * after we free dhpkey, there will still be a reference to the owning
9090 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
9091 * of time we need it for.
9093 ret = EVP_PKEY_get1_DH(dhpkey);
9096 EVP_PKEY_free(dhpkey);
9103 * Test the various methods for setting temporary DH parameters
9105 * Test 0: Default (no auto) setting
9106 * Test 1: Explicit SSL_CTX auto off
9107 * Test 2: Explicit SSL auto off
9108 * Test 3: Explicit SSL_CTX auto on
9109 * Test 4: Explicit SSL auto on
9110 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
9111 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
9113 * The following are testing deprecated APIs, so we only run them if available
9114 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
9115 * Test 8: Explicit SSL auto off, custom DH params via DH
9116 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
9117 * Test 10: Explicit SSL auto off, custom DH params via callback
9119 static int test_set_tmp_dh(int idx)
9121 SSL_CTX *cctx = NULL, *sctx = NULL;
9122 SSL *clientssl = NULL, *serverssl = NULL;
9124 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
9125 int expected = (idx <= 2) ? 0 : 1;
9126 EVP_PKEY *dhpkey = NULL;
9127 # ifndef OPENSSL_NO_DEPRECATED_3_0
9135 if (idx >= 5 && idx <= 8) {
9136 dhpkey = get_tmp_dh_params();
9137 if (!TEST_ptr(dhpkey))
9140 # ifndef OPENSSL_NO_DEPRECATED_3_0
9141 if (idx == 7 || idx == 8) {
9142 dh = EVP_PKEY_get1_DH(dhpkey);
9148 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9149 TLS_client_method(),
9152 &sctx, &cctx, cert, privkey)))
9155 if ((idx & 1) == 1) {
9156 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
9161 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
9165 # ifndef OPENSSL_NO_DEPRECATED_3_0
9166 else if (idx == 7) {
9167 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
9169 } else if (idx == 9) {
9170 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
9174 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9178 if ((idx & 1) == 0 && idx != 0) {
9179 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
9183 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
9187 # ifndef OPENSSL_NO_DEPRECATED_3_0
9188 else if (idx == 8) {
9189 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
9191 } else if (idx == 10) {
9192 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
9196 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9197 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9198 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
9202 * If autoon then we should succeed. Otherwise we expect failure because
9203 * there are no parameters
9205 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
9206 SSL_ERROR_NONE), expected))
9212 # ifndef OPENSSL_NO_DEPRECATED_3_0
9215 SSL_free(serverssl);
9216 SSL_free(clientssl);
9219 EVP_PKEY_free(dhpkey);
9225 * Test the auto DH keys are appropriately sized
9227 static int test_dh_auto(int idx)
9229 SSL_CTX *cctx = NULL, *sctx = NULL;
9230 SSL *clientssl = NULL, *serverssl = NULL;
9232 EVP_PKEY *tmpkey = NULL;
9233 char *thiscert = NULL, *thiskey = NULL;
9234 size_t expdhsize = 0;
9235 const char *ciphersuite = "DHE-RSA-AES128-SHA";
9239 /* The FIPS provider doesn't support this DH size - so we ignore it */
9242 thiscert = cert1024;
9243 thiskey = privkey1024;
9247 /* 2048 bit prime */
9253 thiscert = cert3072;
9254 thiskey = privkey3072;
9258 thiscert = cert4096;
9259 thiskey = privkey4096;
9263 thiscert = cert8192;
9264 thiskey = privkey8192;
9267 /* No certificate cases */
9269 /* The FIPS provider doesn't support this DH size - so we ignore it */
9272 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
9276 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
9280 TEST_error("Invalid text index");
9284 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9285 TLS_client_method(),
9288 &sctx, &cctx, thiscert, thiskey)))
9291 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9295 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
9296 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9297 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9298 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
9299 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
9303 * Send the server's first flight. At this point the server has created the
9304 * temporary DH key but hasn't finished using it yet. Once used it is
9305 * removed, so we cannot test it.
9307 if (!TEST_int_le(SSL_connect(clientssl), 0)
9308 || !TEST_int_le(SSL_accept(serverssl), 0))
9311 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
9313 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
9316 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9322 SSL_free(serverssl);
9323 SSL_free(clientssl);
9326 EVP_PKEY_free(tmpkey);
9331 # endif /* OPENSSL_NO_DH */
9332 #endif /* OPENSSL_NO_TLS1_2 */
9334 #ifndef OSSL_NO_USABLE_TLS1_3
9336 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
9337 * that it works even without a certificate configured for the original
9340 static int test_sni_tls13(void)
9342 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
9343 SSL *clientssl = NULL, *serverssl = NULL;
9346 /* Reset callback counter */
9349 /* Create an initial SSL_CTX with no certificate configured */
9350 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9351 if (!TEST_ptr(sctx))
9353 /* Require TLSv1.3 as a minimum */
9354 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9355 TLS_client_method(), TLS1_3_VERSION, 0,
9356 &sctx2, &cctx, cert, privkey)))
9360 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
9361 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
9365 * Connection should still succeed because the final SSL_CTX has the right
9366 * certificates configured.
9368 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9369 &clientssl, NULL, NULL))
9370 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9374 /* We should have had the SNI callback called exactly once */
9375 if (!TEST_int_eq(snicb, 1))
9381 SSL_free(serverssl);
9382 SSL_free(clientssl);
9383 SSL_CTX_free(sctx2);
9390 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
9394 static int test_ticket_lifetime(int idx)
9396 SSL_CTX *cctx = NULL, *sctx = NULL;
9397 SSL *clientssl = NULL, *serverssl = NULL;
9399 int version = TLS1_3_VERSION;
9401 #define ONE_WEEK_SEC (7 * 24 * 60 * 60)
9402 #define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
9405 #ifdef OPENSSL_NO_TLS1_2
9406 return TEST_skip("TLS 1.2 is disabled.");
9408 version = TLS1_2_VERSION;
9412 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9413 TLS_client_method(), version, version,
9414 &sctx, &cctx, cert, privkey)))
9417 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9418 &clientssl, NULL, NULL)))
9422 * Set the timeout to be more than 1 week
9423 * make sure the returned value is the default
9425 if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
9426 SSL_get_default_timeout(serverssl)))
9429 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9433 /* TLSv1.2 uses the set value */
9434 if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC))
9437 /* TLSv1.3 uses the limited value */
9438 if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC))
9444 SSL_free(serverssl);
9445 SSL_free(clientssl);
9452 * Test that setting an ALPN does not violate RFC
9454 static int test_set_alpn(void)
9456 SSL_CTX *ctx = NULL;
9460 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
9461 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
9462 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
9463 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
9464 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
9465 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
9467 /* Create an initial SSL_CTX with no certificate configured */
9468 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9472 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
9473 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
9475 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
9477 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
9479 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
9481 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
9483 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
9485 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
9487 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
9489 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
9496 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
9498 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
9500 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
9502 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
9504 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
9506 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
9508 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
9510 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
9512 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
9524 * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
9526 static int test_set_verify_cert_store_ssl_ctx(void)
9528 SSL_CTX *ctx = NULL;
9530 X509_STORE *store = NULL, *new_store = NULL,
9531 *cstore = NULL, *new_cstore = NULL;
9533 /* Create an initial SSL_CTX. */
9534 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9538 /* Retrieve verify store pointer. */
9539 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
9542 /* Retrieve chain store pointer. */
9543 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
9546 /* We haven't set any yet, so this should be NULL. */
9547 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9550 /* Create stores. We use separate stores so pointers are different. */
9551 new_store = X509_STORE_new();
9552 if (!TEST_ptr(new_store))
9555 new_cstore = X509_STORE_new();
9556 if (!TEST_ptr(new_cstore))
9560 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store)))
9563 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore)))
9566 /* Should be able to retrieve the same pointer. */
9567 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
9570 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
9573 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
9576 /* Should be able to unset again. */
9577 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL)))
9580 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL)))
9583 /* Should now be NULL. */
9584 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
9587 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
9590 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9596 X509_STORE_free(new_store);
9597 X509_STORE_free(new_cstore);
9603 * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store.
9605 static int test_set_verify_cert_store_ssl(void)
9607 SSL_CTX *ctx = NULL;
9610 X509_STORE *store = NULL, *new_store = NULL,
9611 *cstore = NULL, *new_cstore = NULL;
9613 /* Create an initial SSL_CTX. */
9614 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9618 /* Create an SSL object. */
9623 /* Retrieve verify store pointer. */
9624 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
9627 /* Retrieve chain store pointer. */
9628 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
9631 /* We haven't set any yet, so this should be NULL. */
9632 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9635 /* Create stores. We use separate stores so pointers are different. */
9636 new_store = X509_STORE_new();
9637 if (!TEST_ptr(new_store))
9640 new_cstore = X509_STORE_new();
9641 if (!TEST_ptr(new_cstore))
9645 if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store)))
9648 if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore)))
9651 /* Should be able to retrieve the same pointer. */
9652 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
9655 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
9658 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
9661 /* Should be able to unset again. */
9662 if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL)))
9665 if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL)))
9668 /* Should now be NULL. */
9669 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
9672 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
9675 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9681 X509_STORE_free(new_store);
9682 X509_STORE_free(new_cstore);
9689 static int test_inherit_verify_param(void)
9693 SSL_CTX *ctx = NULL;
9694 X509_VERIFY_PARAM *cp = NULL;
9696 X509_VERIFY_PARAM *sp = NULL;
9697 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
9699 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9703 cp = SSL_CTX_get0_param(ctx);
9706 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
9709 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
9715 sp = SSL_get0_param(ssl);
9718 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
9730 static int test_load_dhfile(void)
9732 #ifndef OPENSSL_NO_DH
9735 SSL_CTX *ctx = NULL;
9736 SSL_CONF_CTX *cctx = NULL;
9741 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()))
9742 || !TEST_ptr(cctx = SSL_CONF_CTX_new()))
9745 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
9746 SSL_CONF_CTX_set_flags(cctx,
9747 SSL_CONF_FLAG_CERTIFICATE
9748 | SSL_CONF_FLAG_SERVER
9749 | SSL_CONF_FLAG_FILE);
9751 if (!TEST_int_eq(SSL_CONF_cmd(cctx, "DHParameters", dhfile), 2))
9756 SSL_CONF_CTX_free(cctx);
9761 return TEST_skip("DH not supported by this build");
9765 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
9767 int setup_tests(void)
9772 libctx = OSSL_LIB_CTX_new();
9773 if (!TEST_ptr(libctx))
9776 defctxnull = OSSL_PROVIDER_load(NULL, "null");
9779 * Verify that the default and fips providers in the default libctx are not
9782 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
9783 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
9786 if (!test_skip_common_options()) {
9787 TEST_error("Error parsing test options\n");
9791 if (!TEST_ptr(certsdir = test_get_argument(0))
9792 || !TEST_ptr(srpvfile = test_get_argument(1))
9793 || !TEST_ptr(tmpfilename = test_get_argument(2))
9794 || !TEST_ptr(modulename = test_get_argument(3))
9795 || !TEST_ptr(configfile = test_get_argument(4))
9796 || !TEST_ptr(dhfile = test_get_argument(5)))
9799 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
9802 /* Check we have the expected provider available */
9803 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
9806 /* Check the default provider is not available */
9807 if (strcmp(modulename, "default") != 0
9808 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
9811 if (strcmp(modulename, "fips") == 0)
9815 * We add, but don't load the test "tls-provider". We'll load it when we
9818 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
9819 tls_provider_init)))
9823 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
9824 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
9825 TEST_error("not supported in this build");
9828 int i, mcount, rcount, fcount;
9830 for (i = 0; i < 4; i++)
9831 test_export_key_mat(i);
9832 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
9833 test_printf_stdout("malloc %d realloc %d free %d\n",
9834 mcount, rcount, fcount);
9839 cert = test_mk_file_path(certsdir, "servercert.pem");
9843 privkey = test_mk_file_path(certsdir, "serverkey.pem");
9844 if (privkey == NULL)
9847 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
9851 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
9852 if (privkey2 == NULL)
9855 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
9856 if (cert1024 == NULL)
9859 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
9860 if (privkey1024 == NULL)
9863 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
9864 if (cert3072 == NULL)
9867 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
9868 if (privkey3072 == NULL)
9871 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
9872 if (cert4096 == NULL)
9875 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
9876 if (privkey4096 == NULL)
9879 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
9880 if (cert8192 == NULL)
9883 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
9884 if (privkey8192 == NULL)
9887 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
9888 # if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
9889 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
9890 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS);
9893 ADD_TEST(test_large_message_tls);
9894 ADD_TEST(test_large_message_tls_read_ahead);
9895 #ifndef OPENSSL_NO_DTLS
9896 ADD_TEST(test_large_message_dtls);
9898 ADD_TEST(test_cleanse_plaintext);
9899 #ifndef OPENSSL_NO_OCSP
9900 ADD_TEST(test_tlsext_status_type);
9902 ADD_TEST(test_session_with_only_int_cache);
9903 ADD_TEST(test_session_with_only_ext_cache);
9904 ADD_TEST(test_session_with_both_cache);
9905 ADD_TEST(test_session_wo_ca_names);
9906 #ifndef OSSL_NO_USABLE_TLS1_3
9907 ADD_ALL_TESTS(test_stateful_tickets, 3);
9908 ADD_ALL_TESTS(test_stateless_tickets, 3);
9909 ADD_TEST(test_psk_tickets);
9910 ADD_ALL_TESTS(test_extra_tickets, 6);
9912 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9913 ADD_TEST(test_ssl_bio_pop_next_bio);
9914 ADD_TEST(test_ssl_bio_pop_ssl_bio);
9915 ADD_TEST(test_ssl_bio_change_rbio);
9916 ADD_TEST(test_ssl_bio_change_wbio);
9917 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
9918 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
9919 ADD_TEST(test_keylog);
9921 #ifndef OSSL_NO_USABLE_TLS1_3
9922 ADD_TEST(test_keylog_no_master_key);
9924 ADD_TEST(test_client_cert_verify_cb);
9925 ADD_TEST(test_ssl_build_cert_chain);
9926 ADD_TEST(test_ssl_ctx_build_cert_chain);
9927 #ifndef OPENSSL_NO_TLS1_2
9928 ADD_TEST(test_client_hello_cb);
9929 ADD_TEST(test_no_ems);
9930 ADD_TEST(test_ccs_change_cipher);
9932 #ifndef OSSL_NO_USABLE_TLS1_3
9933 ADD_ALL_TESTS(test_early_data_read_write, 3);
9935 * We don't do replay tests for external PSK. Replay protection isn't used
9938 ADD_ALL_TESTS(test_early_data_replay, 2);
9939 ADD_ALL_TESTS(test_early_data_skip, 3);
9940 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
9941 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
9942 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
9943 ADD_ALL_TESTS(test_early_data_not_sent, 3);
9944 ADD_ALL_TESTS(test_early_data_psk, 8);
9945 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
9946 ADD_ALL_TESTS(test_early_data_not_expected, 3);
9947 # ifndef OPENSSL_NO_TLS1_2
9948 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
9951 #ifndef OSSL_NO_USABLE_TLS1_3
9952 ADD_ALL_TESTS(test_set_ciphersuite, 10);
9953 ADD_TEST(test_ciphersuite_change);
9954 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
9955 # ifdef OPENSSL_NO_PSK
9956 ADD_ALL_TESTS(test_tls13_psk, 1);
9958 ADD_ALL_TESTS(test_tls13_psk, 4);
9959 # endif /* OPENSSL_NO_PSK */
9960 # ifndef OPENSSL_NO_TLS1_2
9961 /* Test with both TLSv1.3 and 1.2 versions */
9962 ADD_ALL_TESTS(test_key_exchange, 14);
9963 # if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
9964 ADD_ALL_TESTS(test_negotiated_group,
9965 4 * (OSSL_NELEM(ecdhe_kexch_groups)
9966 + OSSL_NELEM(ffdhe_kexch_groups)));
9969 /* Test with only TLSv1.3 versions */
9970 ADD_ALL_TESTS(test_key_exchange, 12);
9972 ADD_ALL_TESTS(test_custom_exts, 6);
9973 ADD_TEST(test_stateless);
9974 ADD_TEST(test_pha_key_update);
9976 ADD_ALL_TESTS(test_custom_exts, 3);
9978 ADD_ALL_TESTS(test_serverinfo, 8);
9979 ADD_ALL_TESTS(test_export_key_mat, 6);
9980 #ifndef OSSL_NO_USABLE_TLS1_3
9981 ADD_ALL_TESTS(test_export_key_mat_early, 3);
9982 ADD_TEST(test_key_update);
9983 ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
9984 ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
9985 ADD_ALL_TESTS(test_key_update_local_in_write, 2);
9986 ADD_ALL_TESTS(test_key_update_local_in_read, 2);
9988 ADD_ALL_TESTS(test_ssl_clear, 2);
9989 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
9990 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
9991 ADD_ALL_TESTS(test_srp, 6);
9993 ADD_ALL_TESTS(test_info_callback, 6);
9994 ADD_ALL_TESTS(test_ssl_pending, 2);
9995 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
9996 ADD_ALL_TESTS(test_ticket_callbacks, 16);
9997 ADD_ALL_TESTS(test_shutdown, 7);
9998 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
9999 ADD_ALL_TESTS(test_cert_cb, 6);
10000 ADD_ALL_TESTS(test_client_cert_cb, 2);
10001 ADD_ALL_TESTS(test_ca_names, 3);
10002 #ifndef OPENSSL_NO_TLS1_2
10003 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
10005 ADD_ALL_TESTS(test_servername, 10);
10006 #if !defined(OPENSSL_NO_EC) \
10007 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
10008 ADD_ALL_TESTS(test_sigalgs_available, 6);
10010 #ifndef OPENSSL_NO_TLS1_3
10011 ADD_ALL_TESTS(test_pluggable_group, 2);
10013 #ifndef OPENSSL_NO_TLS1_2
10014 ADD_TEST(test_ssl_dup);
10015 # ifndef OPENSSL_NO_DH
10016 ADD_ALL_TESTS(test_set_tmp_dh, 11);
10017 ADD_ALL_TESTS(test_dh_auto, 7);
10020 #ifndef OSSL_NO_USABLE_TLS1_3
10021 ADD_TEST(test_sni_tls13);
10022 ADD_ALL_TESTS(test_ticket_lifetime, 2);
10024 ADD_TEST(test_inherit_verify_param);
10025 ADD_TEST(test_set_alpn);
10026 ADD_TEST(test_set_verify_cert_store_ssl_ctx);
10027 ADD_TEST(test_set_verify_cert_store_ssl);
10028 ADD_ALL_TESTS(test_session_timeout, 1);
10029 ADD_TEST(test_load_dhfile);
10033 OPENSSL_free(cert);
10034 OPENSSL_free(privkey);
10035 OPENSSL_free(cert2);
10036 OPENSSL_free(privkey2);
10040 void cleanup_tests(void)
10042 # if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
10043 EVP_PKEY_free(tmp_dh_params);
10045 OPENSSL_free(cert);
10046 OPENSSL_free(privkey);
10047 OPENSSL_free(cert2);
10048 OPENSSL_free(privkey2);
10049 OPENSSL_free(cert1024);
10050 OPENSSL_free(privkey1024);
10051 OPENSSL_free(cert3072);
10052 OPENSSL_free(privkey3072);
10053 OPENSSL_free(cert4096);
10054 OPENSSL_free(privkey4096);
10055 OPENSSL_free(cert8192);
10056 OPENSSL_free(privkey8192);
10057 bio_s_mempacket_test_free();
10058 bio_s_always_retry_free();
10059 OSSL_PROVIDER_unload(defctxnull);
10060 OSSL_LIB_CTX_free(libctx);