2 * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/core_dispatch.h>
32 #include <openssl/provider.h>
33 #include <openssl/param_build.h>
34 #include <openssl/x509v3.h>
35 #include <openssl/dh.h>
36 #include <openssl/engine.h>
38 #include "helpers/ssltestlib.h"
40 #include "testutil/output.h"
41 #include "internal/nelem.h"
42 #include "internal/ktls.h"
43 #include "../ssl/ssl_local.h"
44 #include "../ssl/record/methods/recmethod_local.h"
45 #include "filterprov.h"
47 #undef OSSL_NO_USABLE_TLS1_3
48 #if defined(OPENSSL_NO_TLS1_3) \
49 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
51 * If we don't have ec or dh then there are no built-in groups that are usable
54 # define OSSL_NO_USABLE_TLS1_3
57 /* Defined in tls-provider.c */
58 int tls_provider_init(const OSSL_CORE_HANDLE *handle,
59 const OSSL_DISPATCH *in,
60 const OSSL_DISPATCH **out,
63 static OSSL_LIB_CTX *libctx = NULL;
64 static OSSL_PROVIDER *defctxnull = NULL;
66 #ifndef OSSL_NO_USABLE_TLS1_3
68 static SSL_SESSION *clientpsk = NULL;
69 static SSL_SESSION *serverpsk = NULL;
70 static const char *pskid = "Identity";
71 static const char *srvid;
73 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
74 size_t *idlen, SSL_SESSION **sess);
75 static int find_session_cb(SSL *ssl, const unsigned char *identity,
76 size_t identity_len, SSL_SESSION **sess);
78 static int use_session_cb_cnt = 0;
79 static int find_session_cb_cnt = 0;
81 static SSL_SESSION *create_a_psk(SSL *ssl);
84 static char *certsdir = NULL;
85 static char *cert = NULL;
86 static char *privkey = NULL;
87 static char *cert2 = NULL;
88 static char *privkey2 = NULL;
89 static char *cert1024 = NULL;
90 static char *privkey1024 = NULL;
91 static char *cert3072 = NULL;
92 static char *privkey3072 = NULL;
93 static char *cert4096 = NULL;
94 static char *privkey4096 = NULL;
95 static char *cert8192 = NULL;
96 static char *privkey8192 = NULL;
97 static char *srpvfile = NULL;
98 static char *tmpfilename = NULL;
99 static char *dhfile = NULL;
101 static int is_fips = 0;
103 #define LOG_BUFFER_SIZE 2048
104 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
105 static size_t server_log_buffer_index = 0;
106 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
107 static size_t client_log_buffer_index = 0;
108 static int error_writing_log = 0;
110 #ifndef OPENSSL_NO_OCSP
111 static const unsigned char orespder[] = "Dummy OCSP Response";
112 static int ocsp_server_called = 0;
113 static int ocsp_client_called = 0;
115 static int cdummyarg = 1;
116 static X509 *ocspcert = NULL;
119 #define NUM_EXTRA_CERTS 40
120 #define CLIENT_VERSION_LEN 2
123 * This structure is used to validate that the correct number of log messages
124 * of various types are emitted when emitting secret logs.
126 struct sslapitest_log_counts {
127 unsigned int rsa_key_exchange_count;
128 unsigned int master_secret_count;
129 unsigned int client_early_secret_count;
130 unsigned int client_handshake_secret_count;
131 unsigned int server_handshake_secret_count;
132 unsigned int client_application_secret_count;
133 unsigned int server_application_secret_count;
134 unsigned int early_exporter_secret_count;
135 unsigned int exporter_secret_count;
139 static int hostname_cb(SSL *s, int *al, void *arg)
141 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
143 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
144 || strcmp(hostname, "altgoodhost") == 0))
145 return SSL_TLSEXT_ERR_OK;
147 return SSL_TLSEXT_ERR_NOACK;
150 static void client_keylog_callback(const SSL *ssl, const char *line)
152 int line_length = strlen(line);
154 /* If the log doesn't fit, error out. */
155 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
156 TEST_info("Client log too full");
157 error_writing_log = 1;
161 strcat(client_log_buffer, line);
162 client_log_buffer_index += line_length;
163 client_log_buffer[client_log_buffer_index++] = '\n';
166 static void server_keylog_callback(const SSL *ssl, const char *line)
168 int line_length = strlen(line);
170 /* If the log doesn't fit, error out. */
171 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
172 TEST_info("Server log too full");
173 error_writing_log = 1;
177 strcat(server_log_buffer, line);
178 server_log_buffer_index += line_length;
179 server_log_buffer[server_log_buffer_index++] = '\n';
182 static int compare_hex_encoded_buffer(const char *hex_encoded,
190 if (!TEST_size_t_eq(raw_length * 2, hex_length))
193 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
194 sprintf(hexed, "%02x", raw[i]);
195 if (!TEST_int_eq(hexed[0], hex_encoded[j])
196 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
203 static int test_keylog_output(char *buffer, const SSL *ssl,
204 const SSL_SESSION *session,
205 struct sslapitest_log_counts *expected)
208 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
209 size_t client_random_size = SSL3_RANDOM_SIZE;
210 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
211 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
212 unsigned int rsa_key_exchange_count = 0;
213 unsigned int master_secret_count = 0;
214 unsigned int client_early_secret_count = 0;
215 unsigned int client_handshake_secret_count = 0;
216 unsigned int server_handshake_secret_count = 0;
217 unsigned int client_application_secret_count = 0;
218 unsigned int server_application_secret_count = 0;
219 unsigned int early_exporter_secret_count = 0;
220 unsigned int exporter_secret_count = 0;
222 for (token = strtok(buffer, " \n"); token != NULL;
223 token = strtok(NULL, " \n")) {
224 if (strcmp(token, "RSA") == 0) {
226 * Premaster secret. Tokens should be: 16 ASCII bytes of
227 * hex-encoded encrypted secret, then the hex-encoded pre-master
230 if (!TEST_ptr(token = strtok(NULL, " \n")))
232 if (!TEST_size_t_eq(strlen(token), 16))
234 if (!TEST_ptr(token = strtok(NULL, " \n")))
237 * We can't sensibly check the log because the premaster secret is
238 * transient, and OpenSSL doesn't keep hold of it once the master
239 * secret is generated.
241 rsa_key_exchange_count++;
242 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
244 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
245 * client random, then the hex-encoded master secret.
247 client_random_size = SSL_get_client_random(ssl,
248 actual_client_random,
250 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
253 if (!TEST_ptr(token = strtok(NULL, " \n")))
255 if (!TEST_size_t_eq(strlen(token), 64))
257 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
258 actual_client_random,
259 client_random_size)))
262 if (!TEST_ptr(token = strtok(NULL, " \n")))
264 master_key_size = SSL_SESSION_get_master_key(session,
267 if (!TEST_size_t_ne(master_key_size, 0))
269 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
273 master_secret_count++;
274 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
275 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
276 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
277 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
278 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
279 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
280 || strcmp(token, "EXPORTER_SECRET") == 0) {
282 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
283 * client random, and then the hex-encoded secret. In this case,
284 * we treat all of these secrets identically and then just
285 * distinguish between them when counting what we saw.
287 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
288 client_early_secret_count++;
289 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
290 client_handshake_secret_count++;
291 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
292 server_handshake_secret_count++;
293 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
294 client_application_secret_count++;
295 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
296 server_application_secret_count++;
297 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
298 early_exporter_secret_count++;
299 else if (strcmp(token, "EXPORTER_SECRET") == 0)
300 exporter_secret_count++;
302 client_random_size = SSL_get_client_random(ssl,
303 actual_client_random,
305 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
308 if (!TEST_ptr(token = strtok(NULL, " \n")))
310 if (!TEST_size_t_eq(strlen(token), 64))
312 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
313 actual_client_random,
314 client_random_size)))
317 if (!TEST_ptr(token = strtok(NULL, " \n")))
320 TEST_info("Unexpected token %s\n", token);
325 /* Got what we expected? */
326 if (!TEST_size_t_eq(rsa_key_exchange_count,
327 expected->rsa_key_exchange_count)
328 || !TEST_size_t_eq(master_secret_count,
329 expected->master_secret_count)
330 || !TEST_size_t_eq(client_early_secret_count,
331 expected->client_early_secret_count)
332 || !TEST_size_t_eq(client_handshake_secret_count,
333 expected->client_handshake_secret_count)
334 || !TEST_size_t_eq(server_handshake_secret_count,
335 expected->server_handshake_secret_count)
336 || !TEST_size_t_eq(client_application_secret_count,
337 expected->client_application_secret_count)
338 || !TEST_size_t_eq(server_application_secret_count,
339 expected->server_application_secret_count)
340 || !TEST_size_t_eq(early_exporter_secret_count,
341 expected->early_exporter_secret_count)
342 || !TEST_size_t_eq(exporter_secret_count,
343 expected->exporter_secret_count))
348 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
349 static int test_keylog(void)
351 SSL_CTX *cctx = NULL, *sctx = NULL;
352 SSL *clientssl = NULL, *serverssl = NULL;
354 struct sslapitest_log_counts expected;
356 /* Clean up logging space */
357 memset(&expected, 0, sizeof(expected));
358 memset(client_log_buffer, 0, sizeof(client_log_buffer));
359 memset(server_log_buffer, 0, sizeof(server_log_buffer));
360 client_log_buffer_index = 0;
361 server_log_buffer_index = 0;
362 error_writing_log = 0;
364 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
367 &sctx, &cctx, cert, privkey)))
370 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
371 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
372 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
374 /* We also want to ensure that we use RSA-based key exchange. */
375 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
378 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
379 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
381 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
382 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
383 == client_keylog_callback))
385 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
386 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
387 == server_keylog_callback))
390 /* Now do a handshake and check that the logs have been written to. */
391 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
392 &clientssl, NULL, NULL))
393 || !TEST_true(create_ssl_connection(serverssl, clientssl,
395 || !TEST_false(error_writing_log)
396 || !TEST_int_gt(client_log_buffer_index, 0)
397 || !TEST_int_gt(server_log_buffer_index, 0))
401 * Now we want to test that our output data was vaguely sensible. We
402 * do that by using strtok and confirming that we have more or less the
403 * data we expect. For both client and server, we expect to see one master
404 * secret. The client should also see an RSA key exchange.
406 expected.rsa_key_exchange_count = 1;
407 expected.master_secret_count = 1;
408 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
409 SSL_get_session(clientssl), &expected)))
412 expected.rsa_key_exchange_count = 0;
413 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
414 SSL_get_session(serverssl), &expected)))
429 #ifndef OSSL_NO_USABLE_TLS1_3
430 static int test_keylog_no_master_key(void)
432 SSL_CTX *cctx = NULL, *sctx = NULL;
433 SSL *clientssl = NULL, *serverssl = NULL;
434 SSL_SESSION *sess = NULL;
436 struct sslapitest_log_counts expected;
437 unsigned char buf[1];
438 size_t readbytes, written;
440 /* Clean up logging space */
441 memset(&expected, 0, sizeof(expected));
442 memset(client_log_buffer, 0, sizeof(client_log_buffer));
443 memset(server_log_buffer, 0, sizeof(server_log_buffer));
444 client_log_buffer_index = 0;
445 server_log_buffer_index = 0;
446 error_writing_log = 0;
448 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
449 TLS_client_method(), TLS1_VERSION, 0,
450 &sctx, &cctx, cert, privkey))
451 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
452 SSL3_RT_MAX_PLAIN_LENGTH)))
455 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
456 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
459 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
460 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
461 == client_keylog_callback))
464 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
465 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
466 == server_keylog_callback))
469 /* Now do a handshake and check that the logs have been written to. */
470 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
471 &clientssl, NULL, NULL))
472 || !TEST_true(create_ssl_connection(serverssl, clientssl,
474 || !TEST_false(error_writing_log))
478 * Now we want to test that our output data was vaguely sensible. For this
479 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
480 * TLSv1.3, but we do expect both client and server to emit keys.
482 expected.client_handshake_secret_count = 1;
483 expected.server_handshake_secret_count = 1;
484 expected.client_application_secret_count = 1;
485 expected.server_application_secret_count = 1;
486 expected.exporter_secret_count = 1;
487 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
488 SSL_get_session(clientssl), &expected))
489 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
490 SSL_get_session(serverssl),
494 /* Terminate old session and resume with early data. */
495 sess = SSL_get1_session(clientssl);
496 SSL_shutdown(clientssl);
497 SSL_shutdown(serverssl);
500 serverssl = clientssl = NULL;
503 memset(client_log_buffer, 0, sizeof(client_log_buffer));
504 memset(server_log_buffer, 0, sizeof(server_log_buffer));
505 client_log_buffer_index = 0;
506 server_log_buffer_index = 0;
508 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
509 &clientssl, NULL, NULL))
510 || !TEST_true(SSL_set_session(clientssl, sess))
511 /* Here writing 0 length early data is enough. */
512 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
513 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
515 SSL_READ_EARLY_DATA_ERROR)
516 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
517 SSL_EARLY_DATA_ACCEPTED)
518 || !TEST_true(create_ssl_connection(serverssl, clientssl,
520 || !TEST_true(SSL_session_reused(clientssl)))
523 /* In addition to the previous entries, expect early secrets. */
524 expected.client_early_secret_count = 1;
525 expected.early_exporter_secret_count = 1;
526 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
527 SSL_get_session(clientssl), &expected))
528 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
529 SSL_get_session(serverssl),
536 SSL_SESSION_free(sess);
546 static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
548 int res = X509_verify_cert(ctx);
549 int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
552 /* this should not happen but check anyway */
554 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL)
557 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
558 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
559 /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
560 return SSL_set_retry_verify(ssl);
565 static int test_client_cert_verify_cb(void)
567 /* server key, cert, chain, and root */
568 char *skey = test_mk_file_path(certsdir, "leaf.key");
569 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
570 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
571 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
572 char *root = test_mk_file_path(certsdir, "rootCA.pem");
573 X509 *crt1 = NULL, *crt2 = NULL;
574 STACK_OF(X509) *server_chain;
575 SSL_CTX *cctx = NULL, *sctx = NULL;
576 SSL *clientssl = NULL, *serverssl = NULL;
579 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
580 TLS_client_method(), TLS1_VERSION, 0,
581 &sctx, &cctx, NULL, NULL)))
583 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
584 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
585 SSL_FILETYPE_PEM), 1)
586 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
588 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
590 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
591 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
592 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
593 &clientssl, NULL, NULL)))
596 /* attempt SSL_connect() with incomplete server chain */
597 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
598 SSL_ERROR_WANT_RETRY_VERIFY)))
601 /* application provides intermediate certs needed to verify server cert */
602 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
603 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
604 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
606 /* add certs in reverse order to demonstrate real chain building */
607 if (!TEST_true(sk_X509_push(server_chain, crt1)))
610 if (!TEST_true(sk_X509_push(server_chain, crt2)))
614 /* continue SSL_connect(), must now succeed with completed server chain */
615 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
624 if (clientssl != NULL) {
625 SSL_shutdown(clientssl);
628 if (serverssl != NULL) {
629 SSL_shutdown(serverssl);
644 static int test_ssl_build_cert_chain(void)
647 SSL_CTX *ssl_ctx = NULL;
649 char *skey = test_mk_file_path(certsdir, "leaf.key");
650 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
652 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
654 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
656 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
657 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
658 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
659 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
661 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
662 | SSL_BUILD_CHAIN_FLAG_CHECK)))
667 SSL_CTX_free(ssl_ctx);
668 OPENSSL_free(leaf_chain);
673 static int get_password_cb(char *buf, int size, int rw_flag, void *userdata)
675 static const char pass[] = "testpass";
677 if (!TEST_int_eq(size, PEM_BUFSIZE))
680 memcpy(buf, pass, sizeof(pass) - 1);
681 return sizeof(pass) - 1;
684 static int test_ssl_ctx_build_cert_chain(void)
688 char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key");
689 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
691 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
693 SSL_CTX_set_default_passwd_cb(ctx, get_password_cb);
694 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
695 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
696 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
697 SSL_FILETYPE_PEM), 1)
698 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
700 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
701 | SSL_BUILD_CHAIN_FLAG_CHECK)))
706 OPENSSL_free(leaf_chain);
711 #ifndef OPENSSL_NO_TLS1_2
712 static int full_client_hello_callback(SSL *s, int *al, void *arg)
715 const unsigned char *p;
717 /* We only configure two ciphers, but the SCSV is added automatically. */
719 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
721 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
724 const int expected_extensions[] = {
725 #ifndef OPENSSL_NO_EC
731 /* Make sure we can defer processing and get called back. */
733 return SSL_CLIENT_HELLO_RETRY;
735 len = SSL_client_hello_get0_ciphers(s, &p);
736 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
738 SSL_client_hello_get0_compression_methods(s, &p), 1)
739 || !TEST_int_eq(*p, 0))
740 return SSL_CLIENT_HELLO_ERROR;
741 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
742 return SSL_CLIENT_HELLO_ERROR;
743 if (len != OSSL_NELEM(expected_extensions) ||
744 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
745 printf("ClientHello callback expected extensions mismatch\n");
747 return SSL_CLIENT_HELLO_ERROR;
750 return SSL_CLIENT_HELLO_SUCCESS;
753 static int test_client_hello_cb(void)
755 SSL_CTX *cctx = NULL, *sctx = NULL;
756 SSL *clientssl = NULL, *serverssl = NULL;
757 int testctr = 0, testresult = 0;
759 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
760 TLS_client_method(), TLS1_VERSION, 0,
761 &sctx, &cctx, cert, privkey)))
763 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
765 /* The gimpy cipher list we configure can't do TLS 1.3. */
766 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
768 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
769 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
770 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
771 &clientssl, NULL, NULL))
772 || !TEST_false(create_ssl_connection(serverssl, clientssl,
773 SSL_ERROR_WANT_CLIENT_HELLO_CB))
775 * Passing a -1 literal is a hack since
776 * the real value was lost.
778 || !TEST_int_eq(SSL_get_error(serverssl, -1),
779 SSL_ERROR_WANT_CLIENT_HELLO_CB)
780 || !TEST_true(create_ssl_connection(serverssl, clientssl,
795 static int test_no_ems(void)
797 SSL_CTX *cctx = NULL, *sctx = NULL;
798 SSL *clientssl = NULL, *serverssl = NULL;
801 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
802 TLS1_VERSION, TLS1_2_VERSION,
803 &sctx, &cctx, cert, privkey)) {
804 printf("Unable to create SSL_CTX pair\n");
808 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
810 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
811 printf("Unable to create SSL objects\n");
815 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
816 printf("Creating SSL connection failed\n");
820 if (SSL_get_extms_support(serverssl)) {
821 printf("Server reports Extended Master Secret support\n");
825 if (SSL_get_extms_support(clientssl)) {
826 printf("Client reports Extended Master Secret support\n");
841 * Very focused test to exercise a single case in the server-side state
842 * machine, when the ChangeCipherState message needs to actually change
843 * from one cipher to a different cipher (i.e., not changing from null
844 * encryption to real encryption).
846 static int test_ccs_change_cipher(void)
848 SSL_CTX *cctx = NULL, *sctx = NULL;
849 SSL *clientssl = NULL, *serverssl = NULL;
850 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
857 * Create a connection so we can resume and potentially (but not) use
858 * a different cipher in the second connection.
860 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
862 TLS1_VERSION, TLS1_2_VERSION,
863 &sctx, &cctx, cert, privkey))
864 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
865 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
867 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
868 || !TEST_true(create_ssl_connection(serverssl, clientssl,
870 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
871 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
874 shutdown_ssl_connection(serverssl, clientssl);
875 serverssl = clientssl = NULL;
877 /* Resume, preferring a different cipher. Our server will force the
878 * same cipher to be used as the initial handshake. */
879 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
881 || !TEST_true(SSL_set_session(clientssl, sess))
882 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
883 || !TEST_true(create_ssl_connection(serverssl, clientssl,
885 || !TEST_true(SSL_session_reused(clientssl))
886 || !TEST_true(SSL_session_reused(serverssl))
887 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
888 || !TEST_ptr_eq(sesspre, sesspost)
889 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
890 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
892 shutdown_ssl_connection(serverssl, clientssl);
893 serverssl = clientssl = NULL;
896 * Now create a fresh connection and try to renegotiate a different
899 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
901 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
902 || !TEST_true(create_ssl_connection(serverssl, clientssl,
904 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
905 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
906 || !TEST_true(SSL_renegotiate(clientssl))
907 || !TEST_true(SSL_renegotiate_pending(clientssl)))
909 /* Actually drive the renegotiation. */
910 for (i = 0; i < 3; i++) {
911 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
912 if (!TEST_ulong_eq(readbytes, 0))
914 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
915 SSL_ERROR_WANT_READ)) {
918 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
919 if (!TEST_ulong_eq(readbytes, 0))
921 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
922 SSL_ERROR_WANT_READ)) {
926 /* sesspre and sesspost should be different since the cipher changed. */
927 if (!TEST_false(SSL_renegotiate_pending(clientssl))
928 || !TEST_false(SSL_session_reused(clientssl))
929 || !TEST_false(SSL_session_reused(serverssl))
930 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
931 || !TEST_ptr_ne(sesspre, sesspost)
932 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
933 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
936 shutdown_ssl_connection(serverssl, clientssl);
937 serverssl = clientssl = NULL;
946 SSL_SESSION_free(sess);
952 static int execute_test_large_message(const SSL_METHOD *smeth,
953 const SSL_METHOD *cmeth,
954 int min_version, int max_version,
957 SSL_CTX *cctx = NULL, *sctx = NULL;
958 SSL *clientssl = NULL, *serverssl = NULL;
962 X509 *chaincert = NULL;
965 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
968 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
971 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
976 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
977 max_version, &sctx, &cctx, cert,
981 #ifdef OPENSSL_NO_DTLS1_2
982 if (smeth == DTLS_server_method()) {
984 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
987 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
988 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
989 "DEFAULT:@SECLEVEL=0")))
996 * Test that read_ahead works correctly when dealing with large
999 SSL_CTX_set_read_ahead(cctx, 1);
1003 * We assume the supplied certificate is big enough so that if we add
1004 * NUM_EXTRA_CERTS it will make the overall message large enough. The
1005 * default buffer size is requested to be 16k, but due to the way BUF_MEM
1006 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
1007 * test we need to have a message larger than that.
1009 certlen = i2d_X509(chaincert, NULL);
1010 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
1011 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
1012 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
1013 if (!X509_up_ref(chaincert))
1015 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
1016 X509_free(chaincert);
1021 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1023 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1028 * Calling SSL_clear() first is not required but this tests that SSL_clear()
1031 if (!TEST_true(SSL_clear(serverssl)))
1037 X509_free(chaincert);
1038 SSL_free(serverssl);
1039 SSL_free(clientssl);
1046 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
1047 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
1048 /* sock must be connected */
1049 static int ktls_chk_platform(int sock)
1051 if (!ktls_enable(sock))
1056 static int ping_pong_query(SSL *clientssl, SSL *serverssl)
1058 static char count = 1;
1059 unsigned char cbuf[16000] = {0};
1060 unsigned char sbuf[16000];
1062 char crec_wseq_before[SEQ_NUM_SIZE];
1063 char crec_wseq_after[SEQ_NUM_SIZE];
1064 char crec_rseq_before[SEQ_NUM_SIZE];
1065 char crec_rseq_after[SEQ_NUM_SIZE];
1066 char srec_wseq_before[SEQ_NUM_SIZE];
1067 char srec_wseq_after[SEQ_NUM_SIZE];
1068 char srec_rseq_before[SEQ_NUM_SIZE];
1069 char srec_rseq_after[SEQ_NUM_SIZE];
1070 SSL_CONNECTION *clientsc, *serversc;
1072 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1073 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1077 memcpy(crec_wseq_before, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1078 memcpy(srec_wseq_before, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1079 memcpy(crec_rseq_before, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1080 memcpy(srec_rseq_before, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1082 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1085 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1086 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1091 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1094 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1095 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1100 memcpy(crec_wseq_after, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1101 memcpy(srec_wseq_after, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1102 memcpy(crec_rseq_after, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1103 memcpy(srec_rseq_after, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1105 /* verify the payload */
1106 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1110 * If ktls is used then kernel sequences are used instead of
1113 if (!BIO_get_ktls_send(clientsc->wbio)) {
1114 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1115 crec_wseq_after, SEQ_NUM_SIZE))
1118 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1119 crec_wseq_after, SEQ_NUM_SIZE))
1123 if (!BIO_get_ktls_send(serversc->wbio)) {
1124 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1125 srec_wseq_after, SEQ_NUM_SIZE))
1128 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1129 srec_wseq_after, SEQ_NUM_SIZE))
1133 if (!BIO_get_ktls_recv(clientsc->wbio)) {
1134 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1135 crec_rseq_after, SEQ_NUM_SIZE))
1138 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1139 crec_rseq_after, SEQ_NUM_SIZE))
1143 if (!BIO_get_ktls_recv(serversc->wbio)) {
1144 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1145 srec_rseq_after, SEQ_NUM_SIZE))
1148 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1149 srec_rseq_after, SEQ_NUM_SIZE))
1158 static int execute_test_ktls(int cis_ktls, int sis_ktls,
1159 int tls_version, const char *cipher)
1161 SSL_CTX *cctx = NULL, *sctx = NULL;
1162 SSL *clientssl = NULL, *serverssl = NULL;
1163 int ktls_used = 0, testresult = 0;
1164 int cfd = -1, sfd = -1;
1166 SSL_CONNECTION *clientsc, *serversc;
1168 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
1171 /* Skip this test if the platform does not support ktls */
1172 if (!ktls_chk_platform(cfd)) {
1173 testresult = TEST_skip("Kernel does not support KTLS");
1177 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1178 testresult = TEST_skip("CHACHA is not supported in FIPS");
1182 /* Create a session based on SHA-256 */
1183 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1184 TLS_client_method(),
1185 tls_version, tls_version,
1186 &sctx, &cctx, cert, privkey)))
1189 if (tls_version == TLS1_3_VERSION) {
1190 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1191 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1194 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1195 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1199 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1200 &clientssl, sfd, cfd)))
1203 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1204 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1208 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
1213 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1217 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1221 * The running kernel may not support a given cipher suite
1222 * or direction, so just check that KTLS isn't used when it
1226 if (!TEST_false(BIO_get_ktls_send(clientsc->wbio)))
1229 if (BIO_get_ktls_send(clientsc->wbio))
1234 if (!TEST_false(BIO_get_ktls_send(serversc->wbio)))
1237 if (BIO_get_ktls_send(serversc->wbio))
1241 #if defined(OPENSSL_NO_KTLS_RX)
1246 if (!cis_ktls || !rx_supported) {
1247 if (!TEST_false(BIO_get_ktls_recv(clientsc->rbio)))
1250 if (BIO_get_ktls_send(clientsc->rbio))
1254 if (!sis_ktls || !rx_supported) {
1255 if (!TEST_false(BIO_get_ktls_recv(serversc->rbio)))
1258 if (BIO_get_ktls_send(serversc->rbio))
1262 if ((cis_ktls || sis_ktls) && !ktls_used) {
1263 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1264 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1269 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
1275 SSL_shutdown(clientssl);
1276 SSL_free(clientssl);
1279 SSL_shutdown(serverssl);
1280 SSL_free(serverssl);
1284 serverssl = clientssl = NULL;
1292 #define SENDFILE_SZ (16 * 4096)
1293 #define SENDFILE_CHUNK (4 * 4096)
1294 #define min(a,b) ((a) > (b) ? (b) : (a))
1296 static int execute_test_ktls_sendfile(int tls_version, const char *cipher,
1299 SSL_CTX *cctx = NULL, *sctx = NULL;
1300 SSL *clientssl = NULL, *serverssl = NULL;
1301 unsigned char *buf, *buf_dst;
1302 BIO *out = NULL, *in = NULL;
1303 int cfd = -1, sfd = -1, ffd, err;
1304 ssize_t chunk_size = 0;
1305 off_t chunk_off = 0;
1308 SSL_CONNECTION *serversc;
1310 buf = OPENSSL_zalloc(SENDFILE_SZ);
1311 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1312 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1313 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1316 /* Skip this test if the platform does not support ktls */
1317 if (!ktls_chk_platform(sfd)) {
1318 testresult = TEST_skip("Kernel does not support KTLS");
1322 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1323 testresult = TEST_skip("CHACHA is not supported in FIPS");
1327 /* Create a session based on SHA-256 */
1328 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1329 TLS_client_method(),
1330 tls_version, tls_version,
1331 &sctx, &cctx, cert, privkey)))
1334 if (tls_version == TLS1_3_VERSION) {
1335 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1336 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1339 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1340 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1344 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1345 &clientssl, sfd, cfd)))
1348 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1351 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1355 if (!TEST_true(SSL_set_options(serverssl,
1356 SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE)))
1360 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1364 if (!BIO_get_ktls_send(serversc->wbio)) {
1365 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1366 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1371 if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
1374 out = BIO_new_file(tmpfilename, "wb");
1378 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1383 in = BIO_new_file(tmpfilename, "rb");
1384 BIO_get_fp(in, &ffdp);
1387 while (chunk_off < SENDFILE_SZ) {
1388 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1389 while ((err = SSL_sendfile(serverssl,
1393 0)) != chunk_size) {
1394 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1397 while ((err = SSL_read(clientssl,
1398 buf_dst + chunk_off,
1399 chunk_size)) != chunk_size) {
1400 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1404 /* verify the payload */
1405 if (!TEST_mem_eq(buf_dst + chunk_off,
1411 chunk_off += chunk_size;
1417 SSL_shutdown(clientssl);
1418 SSL_free(clientssl);
1421 SSL_shutdown(serverssl);
1422 SSL_free(serverssl);
1426 serverssl = clientssl = NULL;
1434 OPENSSL_free(buf_dst);
1438 static struct ktls_test_cipher {
1441 } ktls_test_ciphers[] = {
1442 # if !defined(OPENSSL_NO_TLS1_2)
1443 # ifdef OPENSSL_KTLS_AES_GCM_128
1444 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1446 # ifdef OPENSSL_KTLS_AES_CCM_128
1447 { TLS1_2_VERSION, "AES128-CCM"},
1449 # ifdef OPENSSL_KTLS_AES_GCM_256
1450 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1452 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1453 # ifndef OPENSSL_NO_EC
1454 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
1458 # if !defined(OSSL_NO_USABLE_TLS1_3)
1459 # ifdef OPENSSL_KTLS_AES_GCM_128
1460 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1462 # ifdef OPENSSL_KTLS_AES_CCM_128
1463 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1465 # ifdef OPENSSL_KTLS_AES_GCM_256
1466 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1468 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1469 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1474 #define NUM_KTLS_TEST_CIPHERS \
1475 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1477 static int test_ktls(int test)
1479 struct ktls_test_cipher *cipher;
1480 int cis_ktls, sis_ktls;
1482 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
1483 cipher = &ktls_test_ciphers[test / 4];
1485 cis_ktls = (test & 1) != 0;
1486 sis_ktls = (test & 2) != 0;
1488 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1492 static int test_ktls_sendfile(int test)
1494 struct ktls_test_cipher *cipher;
1495 int tst = test >> 1;
1497 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
1498 cipher = &ktls_test_ciphers[tst];
1500 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher,
1505 static int test_large_message_tls(void)
1507 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1508 TLS1_VERSION, 0, 0);
1511 static int test_large_message_tls_read_ahead(void)
1513 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1514 TLS1_VERSION, 0, 1);
1517 #ifndef OPENSSL_NO_DTLS
1518 static int test_large_message_dtls(void)
1520 # ifdef OPENSSL_NO_DTLS1_2
1521 /* Not supported in the FIPS provider */
1526 * read_ahead is not relevant to DTLS because DTLS always acts as if
1527 * read_ahead is set.
1529 return execute_test_large_message(DTLS_server_method(),
1530 DTLS_client_method(),
1531 DTLS1_VERSION, 0, 0);
1535 static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1536 const SSL_METHOD *cmeth,
1537 int min_version, int max_version)
1540 SSL_CTX *cctx = NULL, *sctx = NULL;
1541 SSL *clientssl = NULL, *serverssl = NULL;
1544 SSL_CONNECTION *serversc;
1547 static unsigned char cbuf[16000];
1548 static unsigned char sbuf[16000];
1550 if (!TEST_true(create_ssl_ctx_pair(libctx,
1552 min_version, max_version,
1557 #ifdef OPENSSL_NO_DTLS1_2
1558 if (smeth == DTLS_server_method()) {
1559 # ifdef OPENSSL_NO_DTLS1_2
1560 /* Not supported in the FIPS provider */
1567 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1570 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1571 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1572 "DEFAULT:@SECLEVEL=0")))
1577 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1581 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1584 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1588 for (i = 0; i < sizeof(cbuf); i++) {
1592 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1595 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1598 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1602 * Since we called SSL_peek(), we know the data in the record
1603 * layer is a plaintext record. We can gather the pointer to check
1604 * for zeroization after SSL_read().
1606 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1608 rr = serversc->rlayer.tlsrecs;
1610 zbuf = &rr->data[rr->off];
1611 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1615 * After SSL_peek() the plaintext must still be stored in the
1618 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1621 memset(sbuf, 0, sizeof(sbuf));
1622 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1625 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1628 /* Check if rbuf is cleansed */
1629 memset(cbuf, 0, sizeof(cbuf));
1630 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1635 SSL_free(serverssl);
1636 SSL_free(clientssl);
1643 static int test_cleanse_plaintext(void)
1645 #if !defined(OPENSSL_NO_TLS1_2)
1646 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1647 TLS_client_method(),
1654 #if !defined(OSSL_NO_USABLE_TLS1_3)
1655 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1656 TLS_client_method(),
1662 #if !defined(OPENSSL_NO_DTLS)
1664 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1665 DTLS_client_method(),
1673 #ifndef OPENSSL_NO_OCSP
1674 static int ocsp_server_cb(SSL *s, void *arg)
1676 int *argi = (int *)arg;
1677 unsigned char *copy = NULL;
1678 STACK_OF(OCSP_RESPID) *ids = NULL;
1679 OCSP_RESPID *id = NULL;
1682 /* In this test we are expecting exactly 1 OCSP_RESPID */
1683 SSL_get_tlsext_status_ids(s, &ids);
1684 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1685 return SSL_TLSEXT_ERR_ALERT_FATAL;
1687 id = sk_OCSP_RESPID_value(ids, 0);
1688 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1689 return SSL_TLSEXT_ERR_ALERT_FATAL;
1690 } else if (*argi != 1) {
1691 return SSL_TLSEXT_ERR_ALERT_FATAL;
1694 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1695 return SSL_TLSEXT_ERR_ALERT_FATAL;
1697 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1698 sizeof(orespder)))) {
1700 return SSL_TLSEXT_ERR_ALERT_FATAL;
1702 ocsp_server_called = 1;
1703 return SSL_TLSEXT_ERR_OK;
1706 static int ocsp_client_cb(SSL *s, void *arg)
1708 int *argi = (int *)arg;
1709 const unsigned char *respderin;
1712 if (*argi != 1 && *argi != 2)
1715 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1716 if (!TEST_mem_eq(orespder, len, respderin, len))
1719 ocsp_client_called = 1;
1723 static int test_tlsext_status_type(void)
1725 SSL_CTX *cctx = NULL, *sctx = NULL;
1726 SSL *clientssl = NULL, *serverssl = NULL;
1728 STACK_OF(OCSP_RESPID) *ids = NULL;
1729 OCSP_RESPID *id = NULL;
1730 BIO *certbio = NULL;
1732 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1734 &sctx, &cctx, cert, privkey))
1737 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1740 /* First just do various checks getting and setting tlsext_status_type */
1742 clientssl = SSL_new(cctx);
1743 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1744 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1745 TLSEXT_STATUSTYPE_ocsp))
1746 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1747 TLSEXT_STATUSTYPE_ocsp))
1750 SSL_free(clientssl);
1753 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1754 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1757 clientssl = SSL_new(cctx);
1758 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1760 SSL_free(clientssl);
1764 * Now actually do a handshake and check OCSP information is exchanged and
1765 * the callbacks get called
1767 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1768 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1769 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1770 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1771 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1772 &clientssl, NULL, NULL))
1773 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1775 || !TEST_true(ocsp_client_called)
1776 || !TEST_true(ocsp_server_called))
1778 SSL_free(serverssl);
1779 SSL_free(clientssl);
1783 /* Try again but this time force the server side callback to fail */
1784 ocsp_client_called = 0;
1785 ocsp_server_called = 0;
1787 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1788 &clientssl, NULL, NULL))
1789 /* This should fail because the callback will fail */
1790 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1792 || !TEST_false(ocsp_client_called)
1793 || !TEST_false(ocsp_server_called))
1795 SSL_free(serverssl);
1796 SSL_free(clientssl);
1801 * This time we'll get the client to send an OCSP_RESPID that it will
1804 ocsp_client_called = 0;
1805 ocsp_server_called = 0;
1807 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1808 &clientssl, NULL, NULL)))
1812 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1813 * specific one. We'll use the server cert.
1815 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1816 || !TEST_ptr(id = OCSP_RESPID_new())
1817 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1818 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
1819 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
1820 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1821 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1824 SSL_set_tlsext_status_ids(clientssl, ids);
1825 /* Control has been transferred */
1831 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1833 || !TEST_true(ocsp_client_called)
1834 || !TEST_true(ocsp_server_called))
1840 SSL_free(serverssl);
1841 SSL_free(clientssl);
1844 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1845 OCSP_RESPID_free(id);
1847 X509_free(ocspcert);
1854 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1855 static int new_called, remove_called, get_called;
1857 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1861 * sess has been up-refed for us, but we don't actually need it so free it
1864 SSL_SESSION_free(sess);
1868 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1873 static SSL_SESSION *get_sess_val = NULL;
1875 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1880 return get_sess_val;
1883 static int execute_test_session(int maxprot, int use_int_cache,
1884 int use_ext_cache, long s_options)
1886 SSL_CTX *sctx = NULL, *cctx = NULL;
1887 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1888 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1889 # ifndef OPENSSL_NO_TLS1_1
1890 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1892 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1893 int testresult = 0, numnewsesstick = 1;
1895 new_called = remove_called = 0;
1897 /* TLSv1.3 sends 2 NewSessionTickets */
1898 if (maxprot == TLS1_3_VERSION)
1901 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1902 TLS_client_method(), TLS1_VERSION, 0,
1903 &sctx, &cctx, cert, privkey)))
1907 * Only allow the max protocol version so we can force a connection failure
1910 SSL_CTX_set_min_proto_version(cctx, maxprot);
1911 SSL_CTX_set_max_proto_version(cctx, maxprot);
1913 /* Set up session cache */
1914 if (use_ext_cache) {
1915 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1916 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1918 if (use_int_cache) {
1919 /* Also covers instance where both are set */
1920 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1922 SSL_CTX_set_session_cache_mode(cctx,
1923 SSL_SESS_CACHE_CLIENT
1924 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1928 SSL_CTX_set_options(sctx, s_options);
1931 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1933 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1935 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1938 /* Should fail because it should already be in the cache */
1939 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1942 && (!TEST_int_eq(new_called, numnewsesstick)
1944 || !TEST_int_eq(remove_called, 0)))
1947 new_called = remove_called = 0;
1948 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1949 &clientssl2, NULL, NULL))
1950 || !TEST_true(SSL_set_session(clientssl2, sess1))
1951 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1953 || !TEST_true(SSL_session_reused(clientssl2)))
1956 if (maxprot == TLS1_3_VERSION) {
1958 * In TLSv1.3 we should have created a new session even though we have
1959 * resumed. Since we attempted a resume we should also have removed the
1960 * old ticket from the cache so that we try to only use tickets once.
1963 && (!TEST_int_eq(new_called, 1)
1964 || !TEST_int_eq(remove_called, 1)))
1968 * In TLSv1.2 we expect to have resumed so no sessions added or
1972 && (!TEST_int_eq(new_called, 0)
1973 || !TEST_int_eq(remove_called, 0)))
1977 SSL_SESSION_free(sess1);
1978 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1980 shutdown_ssl_connection(serverssl2, clientssl2);
1981 serverssl2 = clientssl2 = NULL;
1983 new_called = remove_called = 0;
1984 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1985 &clientssl2, NULL, NULL))
1986 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1990 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1994 && (!TEST_int_eq(new_called, numnewsesstick)
1995 || !TEST_int_eq(remove_called, 0)))
1998 new_called = remove_called = 0;
2000 * This should clear sess2 from the cache because it is a "bad" session.
2001 * See SSL_set_session() documentation.
2003 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2006 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2008 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2011 if (use_int_cache) {
2012 /* Should succeeded because it should not already be in the cache */
2013 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
2014 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
2018 new_called = remove_called = 0;
2019 /* This shouldn't be in the cache so should fail */
2020 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2024 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2027 # if !defined(OPENSSL_NO_TLS1_1)
2028 new_called = remove_called = 0;
2029 /* Force a connection failure */
2030 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
2031 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
2032 &clientssl3, NULL, NULL))
2033 || !TEST_true(SSL_set_session(clientssl3, sess1))
2034 /* This should fail because of the mismatched protocol versions */
2035 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
2039 /* We should have automatically removed the session from the cache */
2041 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2044 /* Should succeed because it should not already be in the cache */
2045 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
2049 /* Now do some tests for server side caching */
2050 if (use_ext_cache) {
2051 SSL_CTX_sess_set_new_cb(cctx, NULL);
2052 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2053 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2054 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2055 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2056 get_sess_val = NULL;
2059 SSL_CTX_set_session_cache_mode(cctx, 0);
2060 /* Internal caching is the default on the server side */
2062 SSL_CTX_set_session_cache_mode(sctx,
2063 SSL_SESS_CACHE_SERVER
2064 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2066 SSL_free(serverssl1);
2067 SSL_free(clientssl1);
2068 serverssl1 = clientssl1 = NULL;
2069 SSL_free(serverssl2);
2070 SSL_free(clientssl2);
2071 serverssl2 = clientssl2 = NULL;
2072 SSL_SESSION_free(sess1);
2074 SSL_SESSION_free(sess2);
2077 SSL_CTX_set_max_proto_version(sctx, maxprot);
2078 if (maxprot == TLS1_2_VERSION)
2079 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
2080 new_called = remove_called = get_called = 0;
2081 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2083 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2085 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2086 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2089 if (use_int_cache) {
2090 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2092 * In TLSv1.3 it should not have been added to the internal cache,
2093 * except in the case where we also have an external cache (in that
2094 * case it gets added to the cache in order to generate remove
2095 * events after timeout).
2097 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2100 /* Should fail because it should already be in the cache */
2101 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2106 if (use_ext_cache) {
2107 SSL_SESSION *tmp = sess2;
2109 if (!TEST_int_eq(new_called, numnewsesstick)
2110 || !TEST_int_eq(remove_called, 0)
2111 || !TEST_int_eq(get_called, 0))
2114 * Delete the session from the internal cache to force a lookup from
2115 * the external cache. We take a copy first because
2116 * SSL_CTX_remove_session() also marks the session as non-resumable.
2118 if (use_int_cache && maxprot != TLS1_3_VERSION) {
2119 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2120 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2122 SSL_SESSION_free(sess2);
2127 new_called = remove_called = get_called = 0;
2128 get_sess_val = sess2;
2129 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2130 &clientssl2, NULL, NULL))
2131 || !TEST_true(SSL_set_session(clientssl2, sess1))
2132 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2134 || !TEST_true(SSL_session_reused(clientssl2)))
2137 if (use_ext_cache) {
2138 if (!TEST_int_eq(remove_called, 0))
2141 if (maxprot == TLS1_3_VERSION) {
2142 if (!TEST_int_eq(new_called, 1)
2143 || !TEST_int_eq(get_called, 0))
2146 if (!TEST_int_eq(new_called, 0)
2147 || !TEST_int_eq(get_called, 1))
2152 * Make a small cache, force out all other sessions but
2153 * sess2, try to add sess1, which should succeed. Then
2154 * make sure it's there by checking the owners. Despite
2155 * the timeouts, sess1 should have kicked out sess2
2158 /* Make sess1 expire before sess2 */
2159 if (!TEST_long_gt(SSL_SESSION_set_time(sess1, 1000), 0)
2160 || !TEST_long_gt(SSL_SESSION_set_timeout(sess1, 1000), 0)
2161 || !TEST_long_gt(SSL_SESSION_set_time(sess2, 2000), 0)
2162 || !TEST_long_gt(SSL_SESSION_set_timeout(sess2, 2000), 0))
2165 if (!TEST_long_ne(SSL_CTX_sess_set_cache_size(sctx, 1), 0))
2168 /* Don't care about results - cache should only be sess2 at end */
2169 SSL_CTX_add_session(sctx, sess1);
2170 SSL_CTX_add_session(sctx, sess2);
2172 /* Now add sess1, and make sure it remains, despite timeout */
2173 if (!TEST_true(SSL_CTX_add_session(sctx, sess1))
2174 || !TEST_ptr(sess1->owner)
2175 || !TEST_ptr_null(sess2->owner))
2181 SSL_free(serverssl1);
2182 SSL_free(clientssl1);
2183 SSL_free(serverssl2);
2184 SSL_free(clientssl2);
2185 # ifndef OPENSSL_NO_TLS1_1
2186 SSL_free(serverssl3);
2187 SSL_free(clientssl3);
2189 SSL_SESSION_free(sess1);
2190 SSL_SESSION_free(sess2);
2196 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2198 static int test_session_with_only_int_cache(void)
2200 #ifndef OSSL_NO_USABLE_TLS1_3
2201 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
2205 #ifndef OPENSSL_NO_TLS1_2
2206 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
2212 static int test_session_with_only_ext_cache(void)
2214 #ifndef OSSL_NO_USABLE_TLS1_3
2215 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
2219 #ifndef OPENSSL_NO_TLS1_2
2220 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
2226 static int test_session_with_both_cache(void)
2228 #ifndef OSSL_NO_USABLE_TLS1_3
2229 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2233 #ifndef OPENSSL_NO_TLS1_2
2234 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2240 static int test_session_wo_ca_names(void)
2242 #ifndef OSSL_NO_USABLE_TLS1_3
2243 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
2247 #ifndef OPENSSL_NO_TLS1_2
2248 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
2255 #ifndef OSSL_NO_USABLE_TLS1_3
2256 static SSL_SESSION *sesscache[6];
2257 static int do_cache;
2259 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2262 sesscache[new_called] = sess;
2264 /* We don't need the reference to the session, so free it */
2265 SSL_SESSION_free(sess);
2272 static int post_handshake_verify(SSL *sssl, SSL *cssl)
2274 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2275 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2278 /* Start handshake on the server and client */
2279 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2280 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2281 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2282 || !TEST_true(create_ssl_connection(sssl, cssl,
2289 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
2292 int sess_id_ctx = 1;
2294 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2295 TLS_client_method(), TLS1_VERSION, 0,
2296 sctx, cctx, cert, privkey))
2297 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2298 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2299 (void *)&sess_id_ctx,
2300 sizeof(sess_id_ctx))))
2304 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2306 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2307 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2308 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2313 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2315 SSL *serverssl = NULL, *clientssl = NULL;
2318 /* Test that we can resume with all the tickets we got given */
2319 for (i = 0; i < idx * 2; i++) {
2321 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2322 &clientssl, NULL, NULL))
2323 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2326 SSL_set_post_handshake_auth(clientssl, 1);
2328 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2333 * Following a successful resumption we only get 1 ticket. After a
2334 * failed one we should get idx tickets.
2337 if (!TEST_true(SSL_session_reused(clientssl))
2338 || !TEST_int_eq(new_called, 1))
2341 if (!TEST_false(SSL_session_reused(clientssl))
2342 || !TEST_int_eq(new_called, idx))
2347 /* After a post-handshake authentication we should get 1 new ticket */
2349 && (!post_handshake_verify(serverssl, clientssl)
2350 || !TEST_int_eq(new_called, 1)))
2353 SSL_shutdown(clientssl);
2354 SSL_shutdown(serverssl);
2355 SSL_free(serverssl);
2356 SSL_free(clientssl);
2357 serverssl = clientssl = NULL;
2358 SSL_SESSION_free(sesscache[i]);
2359 sesscache[i] = NULL;
2365 SSL_free(clientssl);
2366 SSL_free(serverssl);
2370 static int test_tickets(int stateful, int idx)
2372 SSL_CTX *sctx = NULL, *cctx = NULL;
2373 SSL *serverssl = NULL, *clientssl = NULL;
2377 /* idx is the test number, but also the number of tickets we want */
2382 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2385 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2386 &clientssl, NULL, NULL)))
2389 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2391 /* Check we got the number of tickets we were expecting */
2392 || !TEST_int_eq(idx, new_called))
2395 SSL_shutdown(clientssl);
2396 SSL_shutdown(serverssl);
2397 SSL_free(serverssl);
2398 SSL_free(clientssl);
2401 clientssl = serverssl = NULL;
2405 * Now we try to resume with the tickets we previously created. The
2406 * resumption attempt is expected to fail (because we're now using a new
2407 * SSL_CTX). We should see idx number of tickets issued again.
2410 /* Stop caching sessions - just count them */
2413 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2416 if (!check_resumption(idx, sctx, cctx, 0))
2419 /* Start again with caching sessions */
2426 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2429 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2430 &clientssl, NULL, NULL)))
2433 SSL_set_post_handshake_auth(clientssl, 1);
2435 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2437 /* Check we got the number of tickets we were expecting */
2438 || !TEST_int_eq(idx, new_called))
2441 /* After a post-handshake authentication we should get new tickets issued */
2442 if (!post_handshake_verify(serverssl, clientssl)
2443 || !TEST_int_eq(idx * 2, new_called))
2446 SSL_shutdown(clientssl);
2447 SSL_shutdown(serverssl);
2448 SSL_free(serverssl);
2449 SSL_free(clientssl);
2450 serverssl = clientssl = NULL;
2452 /* Stop caching sessions - just count them */
2456 * Check we can resume with all the tickets we created. This time around the
2457 * resumptions should all be successful.
2459 if (!check_resumption(idx, sctx, cctx, 1))
2465 SSL_free(serverssl);
2466 SSL_free(clientssl);
2467 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2468 SSL_SESSION_free(sesscache[j]);
2469 sesscache[j] = NULL;
2477 static int test_stateless_tickets(int idx)
2479 return test_tickets(0, idx);
2482 static int test_stateful_tickets(int idx)
2484 return test_tickets(1, idx);
2487 static int test_psk_tickets(void)
2489 SSL_CTX *sctx = NULL, *cctx = NULL;
2490 SSL *serverssl = NULL, *clientssl = NULL;
2492 int sess_id_ctx = 1;
2494 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2495 TLS_client_method(), TLS1_VERSION, 0,
2496 &sctx, &cctx, NULL, NULL))
2497 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2498 (void *)&sess_id_ctx,
2499 sizeof(sess_id_ctx))))
2502 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2503 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2504 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2505 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2506 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2507 use_session_cb_cnt = 0;
2508 find_session_cb_cnt = 0;
2512 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2515 clientpsk = serverpsk = create_a_psk(clientssl);
2516 if (!TEST_ptr(clientpsk))
2518 SSL_SESSION_up_ref(clientpsk);
2520 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2522 || !TEST_int_eq(1, find_session_cb_cnt)
2523 || !TEST_int_eq(1, use_session_cb_cnt)
2524 /* We should always get 1 ticket when using external PSK */
2525 || !TEST_int_eq(1, new_called))
2531 SSL_free(serverssl);
2532 SSL_free(clientssl);
2535 SSL_SESSION_free(clientpsk);
2536 SSL_SESSION_free(serverpsk);
2537 clientpsk = serverpsk = NULL;
2542 static int test_extra_tickets(int idx)
2544 SSL_CTX *sctx = NULL, *cctx = NULL;
2545 SSL *serverssl = NULL, *clientssl = NULL;
2546 BIO *bretry = BIO_new(bio_s_always_retry());
2551 unsigned char c, buf[1];
2561 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2563 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2564 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2565 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2567 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2568 &clientssl, NULL, NULL)))
2572 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2573 * incremented by both client and server.
2575 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2577 /* Check we got the number of tickets we were expecting */
2578 || !TEST_int_eq(idx * 2, new_called)
2579 || !TEST_true(SSL_new_session_ticket(serverssl))
2580 || !TEST_true(SSL_new_session_ticket(serverssl))
2581 || !TEST_int_eq(idx * 2, new_called))
2584 /* Now try a (real) write to actually send the tickets */
2586 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2587 || !TEST_size_t_eq(1, nbytes)
2588 || !TEST_int_eq(idx * 2 + 2, new_called)
2589 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2590 || !TEST_int_eq(idx * 2 + 4, new_called)
2591 || !TEST_int_eq(sizeof(buf), nbytes)
2592 || !TEST_int_eq(c, buf[0])
2593 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2596 /* Try with only requesting one new ticket, too */
2599 if (!TEST_true(SSL_new_session_ticket(serverssl))
2600 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2601 || !TEST_size_t_eq(sizeof(c), nbytes)
2602 || !TEST_int_eq(1, new_called)
2603 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2604 || !TEST_int_eq(2, new_called)
2605 || !TEST_size_t_eq(sizeof(buf), nbytes)
2606 || !TEST_int_eq(c, buf[0]))
2609 /* Do it again but use dummy writes to drive the ticket generation */
2612 if (!TEST_true(SSL_new_session_ticket(serverssl))
2613 || !TEST_true(SSL_new_session_ticket(serverssl))
2614 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2615 || !TEST_size_t_eq(0, nbytes)
2616 || !TEST_int_eq(2, new_called)
2617 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2618 || !TEST_int_eq(4, new_called))
2621 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2624 if (!TEST_true(SSL_new_session_ticket(serverssl))
2625 || !TEST_true(SSL_new_session_ticket(serverssl))
2626 || !TEST_true(SSL_do_handshake(serverssl))
2627 || !TEST_int_eq(2, new_called)
2628 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2629 || !TEST_int_eq(4, new_called))
2633 * Use the always-retry BIO to exercise the logic that forces ticket
2634 * generation to wait until a record boundary.
2638 tmp = SSL_get_wbio(serverssl);
2639 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2643 SSL_set0_wbio(serverssl, bretry);
2645 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2646 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2647 || !TEST_size_t_eq(nbytes, 0))
2649 /* Restore a BIO that will let the write succeed */
2650 SSL_set0_wbio(serverssl, tmp);
2653 * These calls should just queue the request and not send anything
2654 * even if we explicitly try to hit the state machine.
2656 if (!TEST_true(SSL_new_session_ticket(serverssl))
2657 || !TEST_true(SSL_new_session_ticket(serverssl))
2658 || !TEST_int_eq(0, new_called)
2659 || !TEST_true(SSL_do_handshake(serverssl))
2660 || !TEST_int_eq(0, new_called))
2662 /* Re-do the write; still no tickets sent */
2663 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2664 || !TEST_size_t_eq(1, nbytes)
2665 || !TEST_int_eq(0, new_called)
2666 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2667 || !TEST_int_eq(0, new_called)
2668 || !TEST_int_eq(sizeof(buf), nbytes)
2669 || !TEST_int_eq(c, buf[0])
2670 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2672 /* Even trying to hit the state machine now will still not send tickets */
2673 if (!TEST_true(SSL_do_handshake(serverssl))
2674 || !TEST_int_eq(0, new_called))
2676 /* Now the *next* write should send the tickets */
2678 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2679 || !TEST_size_t_eq(1, nbytes)
2680 || !TEST_int_eq(2, new_called)
2681 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2682 || !TEST_int_eq(4, new_called)
2683 || !TEST_int_eq(sizeof(buf), nbytes)
2684 || !TEST_int_eq(c, buf[0])
2685 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2688 SSL_shutdown(clientssl);
2689 SSL_shutdown(serverssl);
2695 SSL_free(serverssl);
2696 SSL_free(clientssl);
2699 clientssl = serverssl = NULL;
2708 #define USE_DEFAULT 3
2710 #define CONNTYPE_CONNECTION_SUCCESS 0
2711 #define CONNTYPE_CONNECTION_FAIL 1
2712 #define CONNTYPE_NO_CONNECTION 2
2714 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2715 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2716 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2717 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2719 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2722 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2723 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2724 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2726 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2743 * Tests calls to SSL_set_bio() under various conditions.
2745 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2746 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2747 * then do more tests where we create a successful connection first using our
2748 * standard connection setup functions, and then call SSL_set_bio() with
2749 * various combinations of valid BIOs or NULL. We then repeat these tests
2750 * following a failed connection. In this last case we are looking to check that
2751 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2753 static int test_ssl_set_bio(int idx)
2755 SSL_CTX *sctx = NULL, *cctx = NULL;
2758 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2759 SSL *serverssl = NULL, *clientssl = NULL;
2760 int initrbio, initwbio, newrbio, newwbio, conntype;
2763 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2771 conntype = CONNTYPE_NO_CONNECTION;
2773 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2774 initrbio = initwbio = USE_DEFAULT;
2782 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2783 TLS_client_method(), TLS1_VERSION, 0,
2784 &sctx, &cctx, cert, privkey)))
2787 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2789 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2790 * because we reduced the number of tests in the definition of
2791 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2792 * mismatched protocol versions we will force a connection failure.
2794 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2795 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2798 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2802 if (initrbio == USE_BIO_1
2803 || initwbio == USE_BIO_1
2804 || newrbio == USE_BIO_1
2805 || newwbio == USE_BIO_1) {
2806 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2810 if (initrbio == USE_BIO_2
2811 || initwbio == USE_BIO_2
2812 || newrbio == USE_BIO_2
2813 || newwbio == USE_BIO_2) {
2814 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2818 if (initrbio != USE_DEFAULT) {
2819 setupbio(&irbio, bio1, bio2, initrbio);
2820 setupbio(&iwbio, bio1, bio2, initwbio);
2821 SSL_set_bio(clientssl, irbio, iwbio);
2824 * We want to maintain our own refs to these BIO, so do an up ref for
2825 * each BIO that will have ownership transferred in the SSL_set_bio()
2830 if (iwbio != NULL && iwbio != irbio)
2834 if (conntype != CONNTYPE_NO_CONNECTION
2835 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2837 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2840 setupbio(&nrbio, bio1, bio2, newrbio);
2841 setupbio(&nwbio, bio1, bio2, newwbio);
2844 * We will (maybe) transfer ownership again so do more up refs.
2845 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2850 && (nwbio != iwbio || nrbio != nwbio))
2854 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2857 SSL_set_bio(clientssl, nrbio, nwbio);
2866 * This test is checking that the ref counting for SSL_set_bio is correct.
2867 * If we get here and we did too many frees then we will fail in the above
2870 SSL_free(serverssl);
2871 SSL_free(clientssl);
2877 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
2879 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
2881 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
2886 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
2887 || !TEST_ptr(ssl = SSL_new(ctx))
2888 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2889 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
2892 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2895 * If anything goes wrong here then we could leak memory.
2897 BIO_push(sslbio, membio1);
2899 /* Verify changing the rbio/wbio directly does not cause leaks */
2900 if (change_bio != NO_BIO_CHANGE) {
2901 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
2905 if (change_bio == CHANGE_RBIO)
2906 SSL_set0_rbio(ssl, membio2);
2908 SSL_set0_wbio(ssl, membio2);
2927 static int test_ssl_bio_pop_next_bio(void)
2929 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
2932 static int test_ssl_bio_pop_ssl_bio(void)
2934 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
2937 static int test_ssl_bio_change_rbio(void)
2939 return execute_test_ssl_bio(0, CHANGE_RBIO);
2942 static int test_ssl_bio_change_wbio(void)
2944 return execute_test_ssl_bio(0, CHANGE_WBIO);
2947 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
2949 /* The list of sig algs */
2951 /* The length of the list */
2953 /* A sigalgs list in string format */
2954 const char *liststr;
2955 /* Whether setting the list should succeed */
2957 /* Whether creating a connection with the list should succeed */
2961 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
2962 # ifndef OPENSSL_NO_EC
2963 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2964 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
2966 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2967 static const int invalidlist2[] = {NID_sha256, NID_undef};
2968 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2969 static const int invalidlist4[] = {NID_sha256};
2970 static const sigalgs_list testsigalgs[] = {
2971 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2972 # ifndef OPENSSL_NO_EC
2973 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2974 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2976 {NULL, 0, "RSA+SHA256", 1, 1},
2977 # ifndef OPENSSL_NO_EC
2978 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2979 {NULL, 0, "ECDSA+SHA512", 1, 0},
2981 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2982 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2983 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2984 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2985 {NULL, 0, "RSA", 0, 0},
2986 {NULL, 0, "SHA256", 0, 0},
2987 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2988 {NULL, 0, "Invalid", 0, 0}
2991 static int test_set_sigalgs(int idx)
2993 SSL_CTX *cctx = NULL, *sctx = NULL;
2994 SSL *clientssl = NULL, *serverssl = NULL;
2996 const sigalgs_list *curr;
2999 /* Should never happen */
3000 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
3003 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
3004 curr = testctx ? &testsigalgs[idx]
3005 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
3007 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3008 TLS_client_method(), TLS1_VERSION, 0,
3009 &sctx, &cctx, cert, privkey)))
3012 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
3017 if (curr->list != NULL)
3018 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
3020 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
3024 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
3030 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
3035 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3036 &clientssl, NULL, NULL)))
3042 if (curr->list != NULL)
3043 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
3045 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
3048 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
3057 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
3065 SSL_free(serverssl);
3066 SSL_free(clientssl);
3074 #ifndef OSSL_NO_USABLE_TLS1_3
3075 static int psk_client_cb_cnt = 0;
3076 static int psk_server_cb_cnt = 0;
3078 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3079 size_t *idlen, SSL_SESSION **sess)
3081 switch (++use_session_cb_cnt) {
3083 /* The first call should always have a NULL md */
3089 /* The second call should always have an md */
3095 /* We should only be called a maximum of twice */
3099 if (clientpsk != NULL)
3100 SSL_SESSION_up_ref(clientpsk);
3103 *id = (const unsigned char *)pskid;
3104 *idlen = strlen(pskid);
3109 #ifndef OPENSSL_NO_PSK
3110 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3111 unsigned int max_id_len,
3113 unsigned int max_psk_len)
3115 unsigned int psklen = 0;
3117 psk_client_cb_cnt++;
3119 if (strlen(pskid) + 1 > max_id_len)
3122 /* We should only ever be called a maximum of twice per connection */
3123 if (psk_client_cb_cnt > 2)
3126 if (clientpsk == NULL)
3129 /* We'll reuse the PSK we set up for TLSv1.3 */
3130 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3132 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3133 strncpy(id, pskid, max_id_len);
3137 #endif /* OPENSSL_NO_PSK */
3139 static int find_session_cb(SSL *ssl, const unsigned char *identity,
3140 size_t identity_len, SSL_SESSION **sess)
3142 find_session_cb_cnt++;
3144 /* We should only ever be called a maximum of twice per connection */
3145 if (find_session_cb_cnt > 2)
3148 if (serverpsk == NULL)
3151 /* Identity should match that set by the client */
3152 if (strlen(srvid) != identity_len
3153 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3154 /* No PSK found, continue but without a PSK */
3159 SSL_SESSION_up_ref(serverpsk);
3165 #ifndef OPENSSL_NO_PSK
3166 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3167 unsigned char *psk, unsigned int max_psk_len)
3169 unsigned int psklen = 0;
3171 psk_server_cb_cnt++;
3173 /* We should only ever be called a maximum of twice per connection */
3174 if (find_session_cb_cnt > 2)
3177 if (serverpsk == NULL)
3180 /* Identity should match that set by the client */
3181 if (strcmp(srvid, identity) != 0) {
3185 /* We'll reuse the PSK we set up for TLSv1.3 */
3186 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3188 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3192 #endif /* OPENSSL_NO_PSK */
3194 #define MSG1 "Hello"
3195 #define MSG2 "World."
3200 #define MSG7 "message."
3202 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
3203 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3204 #define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3205 #define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3206 #define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
3209 static SSL_SESSION *create_a_psk(SSL *ssl)
3211 const SSL_CIPHER *cipher = NULL;
3212 const unsigned char key[] = {
3213 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3214 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3215 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3216 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3217 0x2c, 0x2d, 0x2e, 0x2f
3219 SSL_SESSION *sess = NULL;
3221 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3222 sess = SSL_SESSION_new();
3224 || !TEST_ptr(cipher)
3225 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
3227 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3229 SSL_SESSION_set_protocol_version(sess,
3231 SSL_SESSION_free(sess);
3238 * Helper method to setup objects for early data test. Caller frees objects on
3241 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3242 SSL **serverssl, SSL_SESSION **sess, int idx)
3245 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3246 TLS_client_method(),
3248 sctx, cctx, cert, privkey)))
3251 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
3255 /* When idx == 1 we repeat the tests with read_ahead set */
3256 SSL_CTX_set_read_ahead(*cctx, 1);
3257 SSL_CTX_set_read_ahead(*sctx, 1);
3258 } else if (idx == 2) {
3259 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3260 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3261 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3262 use_session_cb_cnt = 0;
3263 find_session_cb_cnt = 0;
3267 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
3272 * For one of the run throughs (doesn't matter which one), we'll try sending
3273 * some SNI data in the initial ClientHello. This will be ignored (because
3274 * there is no SNI cb set up by the server), so it should not impact
3278 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3282 clientpsk = create_a_psk(*clientssl);
3283 if (!TEST_ptr(clientpsk)
3285 * We just choose an arbitrary value for max_early_data which
3286 * should be big enough for testing purposes.
3288 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3290 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3291 SSL_SESSION_free(clientpsk);
3295 serverpsk = clientpsk;
3298 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3299 SSL_SESSION_free(clientpsk);
3300 SSL_SESSION_free(serverpsk);
3301 clientpsk = serverpsk = NULL;
3312 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3316 *sess = SSL_get1_session(*clientssl);
3317 SSL_shutdown(*clientssl);
3318 SSL_shutdown(*serverssl);
3319 SSL_free(*serverssl);
3320 SSL_free(*clientssl);
3321 *serverssl = *clientssl = NULL;
3323 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3324 clientssl, NULL, NULL))
3325 || !TEST_true(SSL_set_session(*clientssl, *sess)))
3331 static int test_early_data_read_write(int idx)
3333 SSL_CTX *cctx = NULL, *sctx = NULL;
3334 SSL *clientssl = NULL, *serverssl = NULL;
3336 SSL_SESSION *sess = NULL;
3337 unsigned char buf[20], data[1024];
3338 size_t readbytes, written, eoedlen, rawread, rawwritten;
3341 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3342 &serverssl, &sess, idx)))
3345 /* Write and read some early data */
3346 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3348 || !TEST_size_t_eq(written, strlen(MSG1))
3349 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3350 sizeof(buf), &readbytes),
3351 SSL_READ_EARLY_DATA_SUCCESS)
3352 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3353 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3354 SSL_EARLY_DATA_ACCEPTED))
3358 * Server should be able to write data, and client should be able to
3361 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3363 || !TEST_size_t_eq(written, strlen(MSG2))
3364 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3365 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3368 /* Even after reading normal data, client should be able write early data */
3369 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3371 || !TEST_size_t_eq(written, strlen(MSG3)))
3374 /* Server should still be able read early data after writing data */
3375 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3377 SSL_READ_EARLY_DATA_SUCCESS)
3378 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3381 /* Write more data from server and read it from client */
3382 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3384 || !TEST_size_t_eq(written, strlen(MSG4))
3385 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3386 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3390 * If client writes normal data it should mean writing early data is no
3393 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3394 || !TEST_size_t_eq(written, strlen(MSG5))
3395 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3396 SSL_EARLY_DATA_ACCEPTED))
3400 * At this point the client has written EndOfEarlyData, ClientFinished and
3401 * normal (fully protected) data. We are going to cause a delay between the
3402 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3403 * in the read BIO, and then just put back the EndOfEarlyData message.
3405 rbio = SSL_get_rbio(serverssl);
3406 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3407 || !TEST_size_t_lt(rawread, sizeof(data))
3408 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3411 /* Record length is in the 4th and 5th bytes of the record header */
3412 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3413 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3414 || !TEST_size_t_eq(rawwritten, eoedlen))
3417 /* Server should be told that there is no more early data */
3418 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3420 SSL_READ_EARLY_DATA_FINISH)
3421 || !TEST_size_t_eq(readbytes, 0))
3425 * Server has not finished init yet, so should still be able to write early
3428 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3430 || !TEST_size_t_eq(written, strlen(MSG6)))
3433 /* Push the ClientFinished and the normal data back into the server rbio */
3434 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3436 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3439 /* Server should be able to read normal data */
3440 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3441 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3444 /* Client and server should not be able to write/read early data now */
3445 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3449 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3451 SSL_READ_EARLY_DATA_ERROR))
3455 /* Client should be able to read the data sent by the server */
3456 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3457 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3461 * Make sure we process the two NewSessionTickets. These arrive
3462 * post-handshake. We attempt reads which we do not expect to return any
3465 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3466 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3470 /* Server should be able to write normal data */
3471 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3472 || !TEST_size_t_eq(written, strlen(MSG7))
3473 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3474 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3477 SSL_SESSION_free(sess);
3478 sess = SSL_get1_session(clientssl);
3479 use_session_cb_cnt = 0;
3480 find_session_cb_cnt = 0;
3482 SSL_shutdown(clientssl);
3483 SSL_shutdown(serverssl);
3484 SSL_free(serverssl);
3485 SSL_free(clientssl);
3486 serverssl = clientssl = NULL;
3487 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3488 &clientssl, NULL, NULL))
3489 || !TEST_true(SSL_set_session(clientssl, sess)))
3492 /* Write and read some early data */
3493 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3495 || !TEST_size_t_eq(written, strlen(MSG1))
3496 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3498 SSL_READ_EARLY_DATA_SUCCESS)
3499 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3502 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3503 || !TEST_int_gt(SSL_accept(serverssl), 0))
3506 /* Client and server should not be able to write/read early data now */
3507 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3511 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3513 SSL_READ_EARLY_DATA_ERROR))
3517 /* Client and server should be able to write/read normal data */
3518 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3519 || !TEST_size_t_eq(written, strlen(MSG5))
3520 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3521 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3527 SSL_SESSION_free(sess);
3528 SSL_SESSION_free(clientpsk);
3529 SSL_SESSION_free(serverpsk);
3530 clientpsk = serverpsk = NULL;
3531 SSL_free(serverssl);
3532 SSL_free(clientssl);
3538 static int allow_ed_cb_called = 0;
3540 static int allow_early_data_cb(SSL *s, void *arg)
3542 int *usecb = (int *)arg;
3544 allow_ed_cb_called++;
3553 * idx == 0: Standard early_data setup
3554 * idx == 1: early_data setup using read_ahead
3555 * usecb == 0: Don't use a custom early data callback
3556 * usecb == 1: Use a custom early data callback and reject the early data
3557 * usecb == 2: Use a custom early data callback and accept the early data
3558 * confopt == 0: Configure anti-replay directly
3559 * confopt == 1: Configure anti-replay using SSL_CONF
3561 static int test_early_data_replay_int(int idx, int usecb, int confopt)
3563 SSL_CTX *cctx = NULL, *sctx = NULL;
3564 SSL *clientssl = NULL, *serverssl = NULL;
3566 SSL_SESSION *sess = NULL;
3567 size_t readbytes, written;
3568 unsigned char buf[20];
3570 allow_ed_cb_called = 0;
3572 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3573 TLS_client_method(), TLS1_VERSION, 0,
3574 &sctx, &cctx, cert, privkey)))
3579 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3581 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3583 if (!TEST_ptr(confctx))
3585 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3586 | SSL_CONF_FLAG_SERVER);
3587 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3588 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3590 SSL_CONF_CTX_free(confctx);
3593 SSL_CONF_CTX_free(confctx);
3595 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3598 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3599 &serverssl, &sess, idx)))
3603 * The server is configured to accept early data. Create a connection to
3604 * "use up" the ticket
3606 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3607 || !TEST_true(SSL_session_reused(clientssl)))
3610 SSL_shutdown(clientssl);
3611 SSL_shutdown(serverssl);
3612 SSL_free(serverssl);
3613 SSL_free(clientssl);
3614 serverssl = clientssl = NULL;
3616 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3617 &clientssl, NULL, NULL))
3618 || !TEST_true(SSL_set_session(clientssl, sess)))
3621 /* Write and read some early data */
3622 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3624 || !TEST_size_t_eq(written, strlen(MSG1)))
3628 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3630 SSL_READ_EARLY_DATA_FINISH)
3632 * The ticket was reused, so the we should have rejected the
3635 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3636 SSL_EARLY_DATA_REJECTED))
3639 /* In this case the callback decides to accept the early data */
3640 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3642 SSL_READ_EARLY_DATA_SUCCESS)
3643 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3645 * Server will have sent its flight so client can now send
3646 * end of early data and complete its half of the handshake
3648 || !TEST_int_gt(SSL_connect(clientssl), 0)
3649 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3651 SSL_READ_EARLY_DATA_FINISH)
3652 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3653 SSL_EARLY_DATA_ACCEPTED))
3657 /* Complete the connection */
3658 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3659 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3660 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3666 SSL_SESSION_free(sess);
3667 SSL_SESSION_free(clientpsk);
3668 SSL_SESSION_free(serverpsk);
3669 clientpsk = serverpsk = NULL;
3670 SSL_free(serverssl);
3671 SSL_free(clientssl);
3677 static int test_early_data_replay(int idx)
3679 int ret = 1, usecb, confopt;
3681 for (usecb = 0; usecb < 3; usecb++) {
3682 for (confopt = 0; confopt < 2; confopt++)
3683 ret &= test_early_data_replay_int(idx, usecb, confopt);
3690 * Helper function to test that a server attempting to read early data can
3691 * handle a connection from a client where the early data should be skipped.
3692 * testtype: 0 == No HRR
3693 * testtype: 1 == HRR
3694 * testtype: 2 == HRR, invalid early_data sent after HRR
3695 * testtype: 3 == recv_max_early_data set to 0
3697 static int early_data_skip_helper(int testtype, int idx)
3699 SSL_CTX *cctx = NULL, *sctx = NULL;
3700 SSL *clientssl = NULL, *serverssl = NULL;
3702 SSL_SESSION *sess = NULL;
3703 unsigned char buf[20];
3704 size_t readbytes, written;
3706 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3707 &serverssl, &sess, idx)))
3710 if (testtype == 1 || testtype == 2) {
3711 /* Force an HRR to occur */
3712 #if defined(OPENSSL_NO_EC)
3713 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3716 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3719 } else if (idx == 2) {
3721 * We force early_data rejection by ensuring the PSK identity is
3724 srvid = "Dummy Identity";
3727 * Deliberately corrupt the creation time. We take 20 seconds off the
3728 * time. It could be any value as long as it is not within tolerance.
3729 * This should mean the ticket is rejected.
3731 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3736 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3739 /* Write some early data */
3740 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3742 || !TEST_size_t_eq(written, strlen(MSG1)))
3745 /* Server should reject the early data */
3746 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3748 SSL_READ_EARLY_DATA_FINISH)
3749 || !TEST_size_t_eq(readbytes, 0)
3750 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3751 SSL_EARLY_DATA_REJECTED))
3761 * Finish off the handshake. We perform the same writes and reads as
3762 * further down but we expect them to fail due to the incomplete
3765 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3766 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3773 BIO *wbio = SSL_get_wbio(clientssl);
3774 /* A record that will appear as bad early_data */
3775 const unsigned char bad_early_data[] = {
3776 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3780 * We force the client to attempt a write. This will fail because
3781 * we're still in the handshake. It will cause the second
3782 * ClientHello to be sent.
3784 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3789 * Inject some early_data after the second ClientHello. This should
3790 * cause the server to fail
3792 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3793 sizeof(bad_early_data), &written)))
3800 * This client has sent more early_data than we are willing to skip
3801 * (case 3) or sent invalid early_data (case 2) so the connection should
3804 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3805 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3808 /* Connection has failed - nothing more to do */
3813 TEST_error("Invalid test type");
3818 * Should be able to send normal data despite rejection of early data. The
3819 * early_data should be skipped.
3821 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3822 || !TEST_size_t_eq(written, strlen(MSG2))
3823 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3824 SSL_EARLY_DATA_REJECTED)
3825 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3826 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3832 SSL_SESSION_free(clientpsk);
3833 SSL_SESSION_free(serverpsk);
3834 clientpsk = serverpsk = NULL;
3835 SSL_SESSION_free(sess);
3836 SSL_free(serverssl);
3837 SSL_free(clientssl);
3844 * Test that a server attempting to read early data can handle a connection
3845 * from a client where the early data is not acceptable.
3847 static int test_early_data_skip(int idx)
3849 return early_data_skip_helper(0, idx);
3853 * Test that a server attempting to read early data can handle a connection
3854 * from a client where an HRR occurs.
3856 static int test_early_data_skip_hrr(int idx)
3858 return early_data_skip_helper(1, idx);
3862 * Test that a server attempting to read early data can handle a connection
3863 * from a client where an HRR occurs and correctly fails if early_data is sent
3866 static int test_early_data_skip_hrr_fail(int idx)
3868 return early_data_skip_helper(2, idx);
3872 * Test that a server attempting to read early data will abort if it tries to
3873 * skip over too much.
3875 static int test_early_data_skip_abort(int idx)
3877 return early_data_skip_helper(3, idx);
3881 * Test that a server attempting to read early data can handle a connection
3882 * from a client that doesn't send any.
3884 static int test_early_data_not_sent(int idx)
3886 SSL_CTX *cctx = NULL, *sctx = NULL;
3887 SSL *clientssl = NULL, *serverssl = NULL;
3889 SSL_SESSION *sess = NULL;
3890 unsigned char buf[20];
3891 size_t readbytes, written;
3893 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3894 &serverssl, &sess, idx)))
3897 /* Write some data - should block due to handshake with server */
3898 SSL_set_connect_state(clientssl);
3899 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3902 /* Server should detect that early data has not been sent */
3903 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3905 SSL_READ_EARLY_DATA_FINISH)
3906 || !TEST_size_t_eq(readbytes, 0)
3907 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3908 SSL_EARLY_DATA_NOT_SENT)
3909 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3910 SSL_EARLY_DATA_NOT_SENT))
3913 /* Continue writing the message we started earlier */
3914 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3915 || !TEST_size_t_eq(written, strlen(MSG1))
3916 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3917 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3918 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3919 || !TEST_size_t_eq(written, strlen(MSG2)))
3922 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3923 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3929 SSL_SESSION_free(sess);
3930 SSL_SESSION_free(clientpsk);
3931 SSL_SESSION_free(serverpsk);
3932 clientpsk = serverpsk = NULL;
3933 SSL_free(serverssl);
3934 SSL_free(clientssl);
3940 static const char *servalpn;
3942 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3943 unsigned char *outlen, const unsigned char *in,
3944 unsigned int inlen, void *arg)
3946 unsigned int protlen = 0;
3947 const unsigned char *prot;
3949 for (prot = in; prot < in + inlen; prot += protlen) {
3951 if (in + inlen < prot + protlen)
3952 return SSL_TLSEXT_ERR_NOACK;
3954 if (protlen == strlen(servalpn)
3955 && memcmp(prot, servalpn, protlen) == 0) {
3958 return SSL_TLSEXT_ERR_OK;
3962 return SSL_TLSEXT_ERR_NOACK;
3965 /* Test that a PSK can be used to send early_data */
3966 static int test_early_data_psk(int idx)
3968 SSL_CTX *cctx = NULL, *sctx = NULL;
3969 SSL *clientssl = NULL, *serverssl = NULL;
3971 SSL_SESSION *sess = NULL;
3972 unsigned char alpnlist[] = {
3973 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3976 #define GOODALPNLEN 9
3977 #define BADALPNLEN 8
3978 #define GOODALPN (alpnlist)
3979 #define BADALPN (alpnlist + GOODALPNLEN)
3981 unsigned char buf[20];
3982 size_t readbytes, written;
3983 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3984 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3986 /* We always set this up with a final parameter of "2" for PSK */
3987 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3988 &serverssl, &sess, 2)))
3991 servalpn = "goodalpn";
3994 * Note: There is no test for inconsistent SNI with late client detection.
3995 * This is because servers do not acknowledge SNI even if they are using
3996 * it in a resumption handshake - so it is not actually possible for a
3997 * client to detect a problem.
4001 /* Set inconsistent SNI (early client detection) */
4002 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
4003 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4004 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
4009 /* Set inconsistent ALPN (early client detection) */
4010 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
4011 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
4012 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
4014 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
4021 * Set invalid protocol version. Technically this affects PSKs without
4022 * early_data too, but we test it here because it is similar to the
4023 * SNI/ALPN consistency tests.
4025 err = SSL_R_BAD_PSK;
4026 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
4032 * Set inconsistent SNI (server side). In this case the connection
4033 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
4034 * is associated with each handshake - not the session. Therefore it
4035 * should not matter that we used a different server name last time.
4037 SSL_SESSION_free(serverpsk);
4038 serverpsk = SSL_SESSION_dup(clientpsk);
4039 if (!TEST_ptr(serverpsk)
4040 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
4044 /* Set consistent SNI */
4045 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4046 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
4047 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
4054 * Set inconsistent ALPN (server detected). In this case the connection
4055 * will succeed but reject early_data.
4057 servalpn = "badalpn";
4058 edstatus = SSL_EARLY_DATA_REJECTED;
4059 readearlyres = SSL_READ_EARLY_DATA_FINISH;
4063 * Set consistent ALPN.
4064 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4065 * accepts a list of protos (each one length prefixed).
4066 * SSL_set1_alpn_selected accepts a single protocol (not length
4069 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4071 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4075 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4079 /* Set inconsistent ALPN (late client detection) */
4080 SSL_SESSION_free(serverpsk);
4081 serverpsk = SSL_SESSION_dup(clientpsk);
4082 if (!TEST_ptr(serverpsk)
4083 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4086 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4089 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4092 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4093 edstatus = SSL_EARLY_DATA_ACCEPTED;
4094 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4095 /* SSL_connect() call should fail */
4100 TEST_error("Bad test index");
4104 SSL_set_connect_state(clientssl);
4106 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4108 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4109 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4112 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4116 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4117 &readbytes), readearlyres)
4118 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4119 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
4120 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4121 || !TEST_int_eq(SSL_connect(clientssl), connectres))
4128 SSL_SESSION_free(sess);
4129 SSL_SESSION_free(clientpsk);
4130 SSL_SESSION_free(serverpsk);
4131 clientpsk = serverpsk = NULL;
4132 SSL_free(serverssl);
4133 SSL_free(clientssl);
4140 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4141 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4142 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4143 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4144 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4145 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4147 static int test_early_data_psk_with_all_ciphers(int idx)
4149 SSL_CTX *cctx = NULL, *sctx = NULL;
4150 SSL *clientssl = NULL, *serverssl = NULL;
4152 SSL_SESSION *sess = NULL;
4153 unsigned char buf[20];
4154 size_t readbytes, written;
4155 const SSL_CIPHER *cipher;
4156 const char *cipher_str[] = {
4157 TLS1_3_RFC_AES_128_GCM_SHA256,
4158 TLS1_3_RFC_AES_256_GCM_SHA384,
4159 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4160 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4164 TLS1_3_RFC_AES_128_CCM_SHA256,
4165 TLS1_3_RFC_AES_128_CCM_8_SHA256
4167 const unsigned char *cipher_bytes[] = {
4168 TLS13_AES_128_GCM_SHA256_BYTES,
4169 TLS13_AES_256_GCM_SHA384_BYTES,
4170 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4171 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4175 TLS13_AES_128_CCM_SHA256_BYTES,
4176 TLS13_AES_128_CCM_8_SHA256_BYTES
4179 if (cipher_str[idx] == NULL)
4181 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4182 if (idx == 2 && is_fips == 1)
4185 /* We always set this up with a final parameter of "2" for PSK */
4186 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4187 &serverssl, &sess, 2)))
4191 /* CCM8 ciphers are considered low security due to their short tag */
4192 SSL_set_security_level(clientssl, 0);
4193 SSL_set_security_level(serverssl, 0);
4196 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4197 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4201 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4202 * and assigns to both client and server with incremented reference
4203 * and the same instance is updated in 'sess'.
4204 * So updating ciphersuite in 'sess' which will get reflected in
4205 * PSK handshake using psk use sess and find sess cb.
4207 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4208 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4211 SSL_set_connect_state(clientssl);
4212 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4216 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4218 SSL_READ_EARLY_DATA_SUCCESS)
4219 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4220 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4221 SSL_EARLY_DATA_ACCEPTED)
4222 || !TEST_int_eq(SSL_connect(clientssl), 1)
4223 || !TEST_int_eq(SSL_accept(serverssl), 1))
4226 /* Send some normal data from client to server */
4227 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4228 || !TEST_size_t_eq(written, strlen(MSG2)))
4231 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4232 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4237 SSL_SESSION_free(sess);
4238 SSL_SESSION_free(clientpsk);
4239 SSL_SESSION_free(serverpsk);
4240 clientpsk = serverpsk = NULL;
4241 if (clientssl != NULL)
4242 SSL_shutdown(clientssl);
4243 if (serverssl != NULL)
4244 SSL_shutdown(serverssl);
4245 SSL_free(serverssl);
4246 SSL_free(clientssl);
4253 * Test that a server that doesn't try to read early data can handle a
4254 * client sending some.
4256 static int test_early_data_not_expected(int idx)
4258 SSL_CTX *cctx = NULL, *sctx = NULL;
4259 SSL *clientssl = NULL, *serverssl = NULL;
4261 SSL_SESSION *sess = NULL;
4262 unsigned char buf[20];
4263 size_t readbytes, written;
4265 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4266 &serverssl, &sess, idx)))
4269 /* Write some early data */
4270 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4275 * Server should skip over early data and then block waiting for client to
4276 * continue handshake
4278 if (!TEST_int_le(SSL_accept(serverssl), 0)
4279 || !TEST_int_gt(SSL_connect(clientssl), 0)
4280 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4281 SSL_EARLY_DATA_REJECTED)
4282 || !TEST_int_gt(SSL_accept(serverssl), 0)
4283 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4284 SSL_EARLY_DATA_REJECTED))
4287 /* Send some normal data from client to server */
4288 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4289 || !TEST_size_t_eq(written, strlen(MSG2)))
4292 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4293 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4299 SSL_SESSION_free(sess);
4300 SSL_SESSION_free(clientpsk);
4301 SSL_SESSION_free(serverpsk);
4302 clientpsk = serverpsk = NULL;
4303 SSL_free(serverssl);
4304 SSL_free(clientssl);
4311 # ifndef OPENSSL_NO_TLS1_2
4313 * Test that a server attempting to read early data can handle a connection
4314 * from a TLSv1.2 client.
4316 static int test_early_data_tls1_2(int idx)
4318 SSL_CTX *cctx = NULL, *sctx = NULL;
4319 SSL *clientssl = NULL, *serverssl = NULL;
4321 unsigned char buf[20];
4322 size_t readbytes, written;
4324 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4325 &serverssl, NULL, idx)))
4328 /* Write some data - should block due to handshake with server */
4329 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4330 SSL_set_connect_state(clientssl);
4331 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4335 * Server should do TLSv1.2 handshake. First it will block waiting for more
4336 * messages from client after ServerDone. Then SSL_read_early_data should
4337 * finish and detect that early data has not been sent
4339 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4341 SSL_READ_EARLY_DATA_ERROR))
4345 * Continue writing the message we started earlier. Will still block waiting
4346 * for the CCS/Finished from server
4348 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4349 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4351 SSL_READ_EARLY_DATA_FINISH)
4352 || !TEST_size_t_eq(readbytes, 0)
4353 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4354 SSL_EARLY_DATA_NOT_SENT))
4357 /* Continue writing the message we started earlier */
4358 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4359 || !TEST_size_t_eq(written, strlen(MSG1))
4360 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4361 SSL_EARLY_DATA_NOT_SENT)
4362 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4363 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4364 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4365 || !TEST_size_t_eq(written, strlen(MSG2))
4366 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4367 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4373 SSL_SESSION_free(clientpsk);
4374 SSL_SESSION_free(serverpsk);
4375 clientpsk = serverpsk = NULL;
4376 SSL_free(serverssl);
4377 SSL_free(clientssl);
4383 # endif /* OPENSSL_NO_TLS1_2 */
4386 * Test configuring the TLSv1.3 ciphersuites
4388 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4389 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4390 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4391 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4392 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4393 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4394 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4395 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4396 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4397 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4399 static int test_set_ciphersuite(int idx)
4401 SSL_CTX *cctx = NULL, *sctx = NULL;
4402 SSL *clientssl = NULL, *serverssl = NULL;
4405 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4406 TLS_client_method(), TLS1_VERSION, 0,
4407 &sctx, &cctx, cert, privkey))
4408 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4409 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4412 if (idx >=4 && idx <= 7) {
4413 /* SSL_CTX explicit cipher list */
4414 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4418 if (idx == 0 || idx == 4) {
4419 /* Default ciphersuite */
4420 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4421 "TLS_AES_128_GCM_SHA256")))
4423 } else if (idx == 1 || idx == 5) {
4424 /* Non default ciphersuite */
4425 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4426 "TLS_AES_128_CCM_SHA256")))
4430 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4431 &clientssl, NULL, NULL)))
4434 if (idx == 8 || idx == 9) {
4435 /* SSL explicit cipher list */
4436 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4440 if (idx == 2 || idx == 6 || idx == 8) {
4441 /* Default ciphersuite */
4442 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4443 "TLS_AES_128_GCM_SHA256")))
4445 } else if (idx == 3 || idx == 7 || idx == 9) {
4446 /* Non default ciphersuite */
4447 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4448 "TLS_AES_128_CCM_SHA256")))
4452 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4458 SSL_free(serverssl);
4459 SSL_free(clientssl);
4466 static int test_ciphersuite_change(void)
4468 SSL_CTX *cctx = NULL, *sctx = NULL;
4469 SSL *clientssl = NULL, *serverssl = NULL;
4470 SSL_SESSION *clntsess = NULL;
4472 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4474 /* Create a session based on SHA-256 */
4475 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4476 TLS_client_method(), TLS1_VERSION, 0,
4477 &sctx, &cctx, cert, privkey))
4478 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4479 "TLS_AES_128_GCM_SHA256:"
4480 "TLS_AES_256_GCM_SHA384:"
4481 "TLS_AES_128_CCM_SHA256"))
4482 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4483 "TLS_AES_128_GCM_SHA256")))
4486 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4488 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4492 clntsess = SSL_get1_session(clientssl);
4493 /* Save for later */
4494 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4495 SSL_shutdown(clientssl);
4496 SSL_shutdown(serverssl);
4497 SSL_free(serverssl);
4498 SSL_free(clientssl);
4499 serverssl = clientssl = NULL;
4501 /* Check we can resume a session with a different SHA-256 ciphersuite */
4502 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4503 "TLS_AES_128_CCM_SHA256"))
4504 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4505 &clientssl, NULL, NULL))
4506 || !TEST_true(SSL_set_session(clientssl, clntsess))
4507 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4509 || !TEST_true(SSL_session_reused(clientssl)))
4512 SSL_SESSION_free(clntsess);
4513 clntsess = SSL_get1_session(clientssl);
4514 SSL_shutdown(clientssl);
4515 SSL_shutdown(serverssl);
4516 SSL_free(serverssl);
4517 SSL_free(clientssl);
4518 serverssl = clientssl = NULL;
4521 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4522 * succeeds but does not resume.
4524 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4525 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4527 || !TEST_true(SSL_set_session(clientssl, clntsess))
4528 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4530 || !TEST_false(SSL_session_reused(clientssl)))
4533 SSL_SESSION_free(clntsess);
4535 SSL_shutdown(clientssl);
4536 SSL_shutdown(serverssl);
4537 SSL_free(serverssl);
4538 SSL_free(clientssl);
4539 serverssl = clientssl = NULL;
4541 /* Create a session based on SHA384 */
4542 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4543 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4544 &clientssl, NULL, NULL))
4545 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4549 clntsess = SSL_get1_session(clientssl);
4550 SSL_shutdown(clientssl);
4551 SSL_shutdown(serverssl);
4552 SSL_free(serverssl);
4553 SSL_free(clientssl);
4554 serverssl = clientssl = NULL;
4556 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4557 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4558 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4559 "TLS_AES_256_GCM_SHA384"))
4560 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4562 || !TEST_true(SSL_set_session(clientssl, clntsess))
4564 * We use SSL_ERROR_WANT_READ below so that we can pause the
4565 * connection after the initial ClientHello has been sent to
4566 * enable us to make some session changes.
4568 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4569 SSL_ERROR_WANT_READ)))
4572 /* Trick the client into thinking this session is for a different digest */
4573 clntsess->cipher = aes_128_gcm_sha256;
4574 clntsess->cipher_id = clntsess->cipher->id;
4577 * Continue the previously started connection. Server has selected a SHA-384
4578 * ciphersuite, but client thinks the session is for SHA-256, so it should
4581 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4583 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4584 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4590 SSL_SESSION_free(clntsess);
4591 SSL_free(serverssl);
4592 SSL_free(clientssl);
4600 * Test TLSv1.3 Key exchange
4601 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4602 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4603 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4604 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4605 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4606 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4607 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4608 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4609 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4610 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4611 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4612 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4613 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4614 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4616 # ifndef OPENSSL_NO_EC
4617 static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4618 NID_secp521r1, NID_X25519, NID_X448};
4620 # ifndef OPENSSL_NO_DH
4621 static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4622 NID_ffdhe6144, NID_ffdhe8192};
4624 static int test_key_exchange(int idx)
4626 SSL_CTX *sctx = NULL, *cctx = NULL;
4627 SSL *serverssl = NULL, *clientssl = NULL;
4630 int *kexch_groups = &kexch_alg;
4631 int kexch_groups_size = 1;
4632 int max_version = TLS1_3_VERSION;
4633 char *kexch_name0 = NULL;
4636 # ifndef OPENSSL_NO_EC
4637 # ifndef OPENSSL_NO_TLS1_2
4639 max_version = TLS1_2_VERSION;
4643 kexch_groups = ecdhe_kexch_groups;
4644 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4645 kexch_name0 = "secp256r1";
4648 kexch_alg = NID_X9_62_prime256v1;
4649 kexch_name0 = "secp256r1";
4652 kexch_alg = NID_secp384r1;
4653 kexch_name0 = "secp384r1";
4656 kexch_alg = NID_secp521r1;
4657 kexch_name0 = "secp521r1";
4660 kexch_alg = NID_X25519;
4661 kexch_name0 = "x25519";
4664 kexch_alg = NID_X448;
4665 kexch_name0 = "x448";
4668 # ifndef OPENSSL_NO_DH
4669 # ifndef OPENSSL_NO_TLS1_2
4671 max_version = TLS1_2_VERSION;
4672 kexch_name0 = "ffdhe2048";
4676 kexch_groups = ffdhe_kexch_groups;
4677 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4678 kexch_name0 = "ffdhe2048";
4681 kexch_alg = NID_ffdhe2048;
4682 kexch_name0 = "ffdhe2048";
4685 kexch_alg = NID_ffdhe3072;
4686 kexch_name0 = "ffdhe3072";
4689 kexch_alg = NID_ffdhe4096;
4690 kexch_name0 = "ffdhe4096";
4693 kexch_alg = NID_ffdhe6144;
4694 kexch_name0 = "ffdhe6144";
4697 kexch_alg = NID_ffdhe8192;
4698 kexch_name0 = "ffdhe8192";
4702 /* We're skipping this test */
4706 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4707 TLS_client_method(), TLS1_VERSION,
4708 max_version, &sctx, &cctx, cert,
4712 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4713 TLS1_3_RFC_AES_128_GCM_SHA256)))
4716 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4717 TLS1_3_RFC_AES_128_GCM_SHA256)))
4720 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4721 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4722 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4723 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4727 * Must include an EC ciphersuite so that we send supported groups in
4730 # ifndef OPENSSL_NO_TLS1_2
4731 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4732 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4733 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4737 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4741 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4742 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4745 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4749 * If Handshake succeeds the negotiated kexch alg should be the first one in
4750 * configured, except in the case of FFDHE groups (idx 13), which are
4751 * TLSv1.3 only so we expect no shared group to exist.
4753 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
4754 idx == 13 ? 0 : kexch_groups[0]))
4757 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
4761 /* We don't implement RFC 7919 named groups for TLS 1.2. */
4763 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4765 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4771 SSL_free(serverssl);
4772 SSL_free(clientssl);
4778 # if !defined(OPENSSL_NO_TLS1_2) \
4779 && !defined(OPENSSL_NO_EC) \
4780 && !defined(OPENSSL_NO_DH)
4781 static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
4782 int isecdhe, int idx)
4785 int *kexch_groups = &kexch_alg;
4788 numec = OSSL_NELEM(ecdhe_kexch_groups);
4789 numff = OSSL_NELEM(ffdhe_kexch_groups);
4791 kexch_alg = ecdhe_kexch_groups[idx];
4793 kexch_alg = ffdhe_kexch_groups[idx];
4796 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
4799 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
4803 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
4808 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
4811 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
4815 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
4824 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
4825 * Run through both the ECDHE and FFDHE group lists used in the previous
4826 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
4827 * confirming the expected result; then perform a resumption handshake
4828 * while offering the same group list, and another resumption handshake
4829 * offering a different group list. The returned value should be the
4830 * negotiated group for the initial handshake; for TLS 1.3 resumption
4831 * handshakes the returned value will be negotiated on the resumption
4832 * handshake itself, but for TLS 1.2 resumption handshakes the value will
4833 * be cached in the session from the original handshake, regardless of what
4834 * was offered in the resumption ClientHello.
4836 * Using E for the number of EC groups and F for the number of FF groups:
4837 * E tests of ECDHE with TLS 1.3, server only has one group
4838 * F tests of FFDHE with TLS 1.3, server only has one group
4839 * E tests of ECDHE with TLS 1.2, server only has one group
4840 * F tests of FFDHE with TLS 1.2, server only has one group
4841 * E tests of ECDHE with TLS 1.3, client sends only one group
4842 * F tests of FFDHE with TLS 1.3, client sends only one group
4843 * E tests of ECDHE with TLS 1.2, client sends only one group
4844 * F tests of FFDHE with TLS 1.2, client sends only one group
4846 static int test_negotiated_group(int idx)
4848 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
4850 SSL_CTX *sctx = NULL, *cctx = NULL;
4851 SSL *serverssl = NULL, *clientssl = NULL;
4852 SSL_SESSION *origsess = NULL;
4855 int max_version = TLS1_3_VERSION;
4857 numec = OSSL_NELEM(ecdhe_kexch_groups);
4858 numff = OSSL_NELEM(ffdhe_kexch_groups);
4859 numgroups = numec + numff;
4860 clientmulti = (idx < 2 * numgroups);
4861 idx = idx % (2 * numgroups);
4862 istls13 = (idx < numgroups);
4863 idx = idx % numgroups;
4864 isecdhe = (idx < numec);
4867 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
4869 kexch_alg = ecdhe_kexch_groups[idx];
4871 kexch_alg = ffdhe_kexch_groups[idx];
4872 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
4873 if (!istls13 && !isecdhe)
4874 expectednid = NID_undef;
4876 expectednid = kexch_alg;
4879 max_version = TLS1_2_VERSION;
4881 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4882 TLS_client_method(), TLS1_VERSION,
4883 max_version, &sctx, &cctx, cert,
4888 * Force (EC)DHE ciphers for TLS 1.2.
4889 * Be sure to enable auto tmp DH so that FFDHE can succeed.
4891 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4892 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4893 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4894 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4896 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4897 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4898 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4901 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4905 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
4909 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4912 /* Initial handshake; always the configured one */
4913 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4914 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4917 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
4920 SSL_shutdown(clientssl);
4921 SSL_shutdown(serverssl);
4922 SSL_free(serverssl);
4923 SSL_free(clientssl);
4924 serverssl = clientssl = NULL;
4926 /* First resumption attempt; use the same config as initial handshake */
4927 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4929 || !TEST_true(SSL_set_session(clientssl, origsess))
4930 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
4934 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4935 || !TEST_true(SSL_session_reused(clientssl)))
4938 /* Still had better agree, since nothing changed... */
4939 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4940 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4943 SSL_shutdown(clientssl);
4944 SSL_shutdown(serverssl);
4945 SSL_free(serverssl);
4946 SSL_free(clientssl);
4947 serverssl = clientssl = NULL;
4950 * Second resumption attempt
4951 * The party that picks one group changes it, which we effectuate by
4952 * changing 'idx' and updating what we expect.
4960 expectednid = ecdhe_kexch_groups[idx];
4962 expectednid = ffdhe_kexch_groups[idx];
4963 /* Verify that we are changing what we expect. */
4964 if (!TEST_int_ne(expectednid, kexch_alg))
4967 /* TLS 1.2 only supports named groups for ECDHE. */
4969 expectednid = kexch_alg;
4973 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4975 || !TEST_true(SSL_set_session(clientssl, origsess))
4976 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
4980 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4981 || !TEST_true(SSL_session_reused(clientssl)))
4984 /* Check that we get what we expected */
4985 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4986 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4991 SSL_free(serverssl);
4992 SSL_free(clientssl);
4995 SSL_SESSION_free(origsess);
4998 # endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
5001 * Test TLSv1.3 Cipher Suite
5002 * Test 0 = Set TLS1.3 cipher on context
5003 * Test 1 = Set TLS1.3 cipher on SSL
5004 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
5005 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
5007 static int test_tls13_ciphersuite(int idx)
5009 SSL_CTX *sctx = NULL, *cctx = NULL;
5010 SSL *serverssl = NULL, *clientssl = NULL;
5011 static const struct {
5012 const char *ciphername;
5016 { TLS1_3_RFC_AES_128_GCM_SHA256, 1, 0 },
5017 { TLS1_3_RFC_AES_256_GCM_SHA384, 1, 0 },
5018 { TLS1_3_RFC_AES_128_CCM_SHA256, 1, 0 },
5019 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5020 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5021 { TLS1_3_RFC_AES_256_GCM_SHA384
5022 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5024 /* CCM8 ciphers are considered low security due to their short tag */
5025 { TLS1_3_RFC_AES_128_CCM_8_SHA256
5026 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1, 1 }
5028 const char *t13_cipher = NULL;
5029 const char *t12_cipher = NULL;
5030 const char *negotiated_scipher;
5031 const char *negotiated_ccipher;
5047 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5051 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5055 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
5056 # ifdef OPENSSL_NO_TLS1_2
5057 if (max_ver == TLS1_2_VERSION)
5060 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
5061 if (is_fips && !t13_ciphers[i].fipscapable)
5063 t13_cipher = t13_ciphers[i].ciphername;
5064 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5065 TLS_client_method(),
5066 TLS1_VERSION, max_ver,
5067 &sctx, &cctx, cert, privkey)))
5070 if (t13_ciphers[i].low_security) {
5071 SSL_CTX_set_security_level(sctx, 0);
5072 SSL_CTX_set_security_level(cctx, 0);
5076 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
5077 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
5079 if (t12_cipher != NULL) {
5080 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
5081 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
5087 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5088 &clientssl, NULL, NULL)))
5092 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5093 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5095 if (t12_cipher != NULL) {
5096 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5097 || !TEST_true(SSL_set_cipher_list(clientssl,
5103 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5107 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5109 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5111 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5115 * TEST_strn_eq is used below because t13_cipher can contain
5116 * multiple ciphersuites
5118 if (max_ver == TLS1_3_VERSION
5119 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5120 strlen(negotiated_scipher)))
5123 # ifndef OPENSSL_NO_TLS1_2
5124 /* Below validation is not done when t12_cipher is NULL */
5125 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5126 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5130 SSL_free(serverssl);
5132 SSL_free(clientssl);
5143 SSL_free(serverssl);
5144 SSL_free(clientssl);
5152 * Test 0 = Test new style callbacks
5153 * Test 1 = Test both new and old style callbacks
5154 * Test 2 = Test old style callbacks
5155 * Test 3 = Test old style callbacks with no certificate
5157 static int test_tls13_psk(int idx)
5159 SSL_CTX *sctx = NULL, *cctx = NULL;
5160 SSL *serverssl = NULL, *clientssl = NULL;
5161 const SSL_CIPHER *cipher = NULL;
5162 const unsigned char key[] = {
5163 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5164 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
5165 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5166 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
5170 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5171 TLS_client_method(), TLS1_VERSION, 0,
5172 &sctx, &cctx, idx == 3 ? NULL : cert,
5173 idx == 3 ? NULL : privkey)))
5178 * We use a ciphersuite with SHA256 to ease testing old style PSK
5179 * callbacks which will always default to SHA256. This should not be
5180 * necessary if we have no cert/priv key. In that case the server should
5181 * prefer SHA256 automatically.
5183 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5184 "TLS_AES_128_GCM_SHA256")))
5188 * As noted above the server should prefer SHA256 automatically. However
5189 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5190 * code works even if we are testing with only the FIPS provider loaded.
5192 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5193 "TLS_AES_256_GCM_SHA384:"
5194 "TLS_AES_128_GCM_SHA256")))
5199 * Test 0: New style callbacks only
5200 * Test 1: New and old style callbacks (only the new ones should be used)
5201 * Test 2: Old style callbacks only
5203 if (idx == 0 || idx == 1) {
5204 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5205 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5207 #ifndef OPENSSL_NO_PSK
5209 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5210 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5214 use_session_cb_cnt = 0;
5215 find_session_cb_cnt = 0;
5216 psk_client_cb_cnt = 0;
5217 psk_server_cb_cnt = 0;
5221 * Check we can create a connection if callback decides not to send a
5224 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5226 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5228 || !TEST_false(SSL_session_reused(clientssl))
5229 || !TEST_false(SSL_session_reused(serverssl)))
5232 if (idx == 0 || idx == 1) {
5233 if (!TEST_true(use_session_cb_cnt == 1)
5234 || !TEST_true(find_session_cb_cnt == 0)
5236 * If no old style callback then below should be 0
5239 || !TEST_true(psk_client_cb_cnt == idx)
5240 || !TEST_true(psk_server_cb_cnt == 0))
5243 if (!TEST_true(use_session_cb_cnt == 0)
5244 || !TEST_true(find_session_cb_cnt == 0)
5245 || !TEST_true(psk_client_cb_cnt == 1)
5246 || !TEST_true(psk_server_cb_cnt == 0))
5250 shutdown_ssl_connection(serverssl, clientssl);
5251 serverssl = clientssl = NULL;
5252 use_session_cb_cnt = psk_client_cb_cnt = 0;
5255 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5259 /* Create the PSK */
5260 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
5261 clientpsk = SSL_SESSION_new();
5262 if (!TEST_ptr(clientpsk)
5263 || !TEST_ptr(cipher)
5264 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5266 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5267 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5269 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
5271 serverpsk = clientpsk;
5273 /* Check we can create a connection and the PSK is used */
5274 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5275 || !TEST_true(SSL_session_reused(clientssl))
5276 || !TEST_true(SSL_session_reused(serverssl)))
5279 if (idx == 0 || idx == 1) {
5280 if (!TEST_true(use_session_cb_cnt == 1)
5281 || !TEST_true(find_session_cb_cnt == 1)
5282 || !TEST_true(psk_client_cb_cnt == 0)
5283 || !TEST_true(psk_server_cb_cnt == 0))
5286 if (!TEST_true(use_session_cb_cnt == 0)
5287 || !TEST_true(find_session_cb_cnt == 0)
5288 || !TEST_true(psk_client_cb_cnt == 1)
5289 || !TEST_true(psk_server_cb_cnt == 1))
5293 shutdown_ssl_connection(serverssl, clientssl);
5294 serverssl = clientssl = NULL;
5295 use_session_cb_cnt = find_session_cb_cnt = 0;
5296 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5298 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5303 #if defined(OPENSSL_NO_EC)
5304 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5307 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
5312 * Check we can create a connection, the PSK is used and the callbacks are
5315 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5316 || !TEST_true(SSL_session_reused(clientssl))
5317 || !TEST_true(SSL_session_reused(serverssl)))
5320 if (idx == 0 || idx == 1) {
5321 if (!TEST_true(use_session_cb_cnt == 2)
5322 || !TEST_true(find_session_cb_cnt == 2)
5323 || !TEST_true(psk_client_cb_cnt == 0)
5324 || !TEST_true(psk_server_cb_cnt == 0))
5327 if (!TEST_true(use_session_cb_cnt == 0)
5328 || !TEST_true(find_session_cb_cnt == 0)
5329 || !TEST_true(psk_client_cb_cnt == 2)
5330 || !TEST_true(psk_server_cb_cnt == 2))
5334 shutdown_ssl_connection(serverssl, clientssl);
5335 serverssl = clientssl = NULL;
5336 use_session_cb_cnt = find_session_cb_cnt = 0;
5337 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5341 * Check that if the server rejects the PSK we can still connect, but with
5344 srvid = "Dummy Identity";
5345 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5347 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5349 || !TEST_false(SSL_session_reused(clientssl))
5350 || !TEST_false(SSL_session_reused(serverssl)))
5353 if (idx == 0 || idx == 1) {
5354 if (!TEST_true(use_session_cb_cnt == 1)
5355 || !TEST_true(find_session_cb_cnt == 1)
5356 || !TEST_true(psk_client_cb_cnt == 0)
5358 * If no old style callback then below should be 0
5361 || !TEST_true(psk_server_cb_cnt == idx))
5364 if (!TEST_true(use_session_cb_cnt == 0)
5365 || !TEST_true(find_session_cb_cnt == 0)
5366 || !TEST_true(psk_client_cb_cnt == 1)
5367 || !TEST_true(psk_server_cb_cnt == 1))
5371 shutdown_ssl_connection(serverssl, clientssl);
5372 serverssl = clientssl = NULL;
5377 SSL_SESSION_free(clientpsk);
5378 SSL_SESSION_free(serverpsk);
5379 clientpsk = serverpsk = NULL;
5380 SSL_free(serverssl);
5381 SSL_free(clientssl);
5387 static unsigned char cookie_magic_value[] = "cookie magic";
5389 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5390 unsigned int *cookie_len)
5393 * Not suitable as a real cookie generation function but good enough for
5396 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5397 *cookie_len = sizeof(cookie_magic_value) - 1;
5402 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5403 unsigned int cookie_len)
5405 if (cookie_len == sizeof(cookie_magic_value) - 1
5406 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5412 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5416 int res = generate_cookie_callback(ssl, cookie, &temp);
5421 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5424 return verify_cookie_callback(ssl, cookie, cookie_len);
5427 static int test_stateless(void)
5429 SSL_CTX *sctx = NULL, *cctx = NULL;
5430 SSL *serverssl = NULL, *clientssl = NULL;
5433 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5434 TLS_client_method(), TLS1_VERSION, 0,
5435 &sctx, &cctx, cert, privkey)))
5438 /* The arrival of CCS messages can confuse the test */
5439 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5441 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5443 /* Send the first ClientHello */
5444 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5445 SSL_ERROR_WANT_READ))
5447 * This should fail with a -1 return because we have no callbacks
5450 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5453 /* Fatal error so abandon the connection from this client */
5454 SSL_free(clientssl);
5457 /* Set up the cookie generation and verification callbacks */
5458 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5459 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
5462 * Create a new connection from the client (we can reuse the server SSL
5465 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5467 /* Send the first ClientHello */
5468 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5469 SSL_ERROR_WANT_READ))
5470 /* This should fail because there is no cookie */
5471 || !TEST_int_eq(SSL_stateless(serverssl), 0))
5474 /* Abandon the connection from this client */
5475 SSL_free(clientssl);
5479 * Now create a connection from a new client but with the same server SSL
5482 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5484 /* Send the first ClientHello */
5485 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5486 SSL_ERROR_WANT_READ))
5487 /* This should fail because there is no cookie */
5488 || !TEST_int_eq(SSL_stateless(serverssl), 0)
5489 /* Send the second ClientHello */
5490 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5491 SSL_ERROR_WANT_READ))
5492 /* This should succeed because a cookie is now present */
5493 || !TEST_int_eq(SSL_stateless(serverssl), 1)
5494 /* Complete the connection */
5495 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5499 shutdown_ssl_connection(serverssl, clientssl);
5500 serverssl = clientssl = NULL;
5504 SSL_free(serverssl);
5505 SSL_free(clientssl);
5511 #endif /* OSSL_NO_USABLE_TLS1_3 */
5513 static int clntaddoldcb = 0;
5514 static int clntparseoldcb = 0;
5515 static int srvaddoldcb = 0;
5516 static int srvparseoldcb = 0;
5517 static int clntaddnewcb = 0;
5518 static int clntparsenewcb = 0;
5519 static int srvaddnewcb = 0;
5520 static int srvparsenewcb = 0;
5521 static int snicb = 0;
5523 #define TEST_EXT_TYPE1 0xff00
5525 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5526 size_t *outlen, int *al, void *add_arg)
5528 int *server = (int *)add_arg;
5529 unsigned char *data;
5531 if (SSL_is_server(s))
5536 if (*server != SSL_is_server(s)
5537 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5542 *outlen = sizeof(char);
5546 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5549 OPENSSL_free((unsigned char *)out);
5552 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5553 size_t inlen, int *al, void *parse_arg)
5555 int *server = (int *)parse_arg;
5557 if (SSL_is_server(s))
5562 if (*server != SSL_is_server(s)
5563 || inlen != sizeof(char)
5570 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5571 const unsigned char **out, size_t *outlen, X509 *x,
5572 size_t chainidx, int *al, void *add_arg)
5574 int *server = (int *)add_arg;
5575 unsigned char *data;
5577 if (SSL_is_server(s))
5582 if (*server != SSL_is_server(s)
5583 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5588 *outlen = sizeof(*data);
5592 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5593 const unsigned char *out, void *add_arg)
5595 OPENSSL_free((unsigned char *)out);
5598 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5599 const unsigned char *in, size_t inlen, X509 *x,
5600 size_t chainidx, int *al, void *parse_arg)
5602 int *server = (int *)parse_arg;
5604 if (SSL_is_server(s))
5609 if (*server != SSL_is_server(s)
5610 || inlen != sizeof(char) || *in != 1)
5616 static int sni_cb(SSL *s, int *al, void *arg)
5618 SSL_CTX *ctx = (SSL_CTX *)arg;
5620 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5621 *al = SSL_AD_INTERNAL_ERROR;
5622 return SSL_TLSEXT_ERR_ALERT_FATAL;
5625 return SSL_TLSEXT_ERR_OK;
5628 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
5634 * Custom call back tests.
5635 * Test 0: Old style callbacks in TLSv1.2
5636 * Test 1: New style callbacks in TLSv1.2
5637 * Test 2: New style callbacks in TLSv1.2 with SNI
5638 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5639 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
5640 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
5642 static int test_custom_exts(int tst)
5644 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5645 SSL *clientssl = NULL, *serverssl = NULL;
5647 static int server = 1;
5648 static int client = 0;
5649 SSL_SESSION *sess = NULL;
5650 unsigned int context;
5652 #if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
5653 /* Skip tests for TLSv1.2 and below in this case */
5658 /* Reset callback counters */
5659 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5660 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
5663 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5664 TLS_client_method(), TLS1_VERSION, 0,
5665 &sctx, &cctx, cert, privkey)))
5669 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5671 &sctx2, NULL, cert, privkey)))
5676 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5677 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
5679 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
5683 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
5684 | SSL_EXT_TLS1_3_CERTIFICATE;
5685 SSL_CTX_set_verify(sctx,
5686 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
5688 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
5689 SSL_FILETYPE_PEM), 1)
5690 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
5691 SSL_FILETYPE_PEM), 1)
5692 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
5694 } else if (tst == 4) {
5695 context = SSL_EXT_CLIENT_HELLO
5696 | SSL_EXT_TLS1_2_SERVER_HELLO
5697 | SSL_EXT_TLS1_3_SERVER_HELLO
5698 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5699 | SSL_EXT_TLS1_3_CERTIFICATE
5700 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5702 context = SSL_EXT_CLIENT_HELLO
5703 | SSL_EXT_TLS1_2_SERVER_HELLO
5704 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5707 /* Create a client side custom extension */
5709 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5710 old_add_cb, old_free_cb,
5711 &client, old_parse_cb,
5715 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5716 new_add_cb, new_free_cb,
5717 &client, new_parse_cb, &client)))
5721 /* Should not be able to add duplicates */
5722 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5723 old_add_cb, old_free_cb,
5724 &client, old_parse_cb,
5726 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5727 context, new_add_cb,
5728 new_free_cb, &client,
5729 new_parse_cb, &client)))
5732 /* Create a server side custom extension */
5734 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5735 old_add_cb, old_free_cb,
5736 &server, old_parse_cb,
5740 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5741 new_add_cb, new_free_cb,
5742 &server, new_parse_cb, &server)))
5745 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5746 context, new_add_cb,
5747 new_free_cb, &server,
5748 new_parse_cb, &server)))
5752 /* Should not be able to add duplicates */
5753 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5754 old_add_cb, old_free_cb,
5755 &server, old_parse_cb,
5757 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5758 context, new_add_cb,
5759 new_free_cb, &server,
5760 new_parse_cb, &server)))
5765 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5766 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5770 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5771 &clientssl, NULL, NULL))
5772 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5777 if (clntaddoldcb != 1
5778 || clntparseoldcb != 1
5780 || srvparseoldcb != 1)
5782 } else if (tst == 1 || tst == 2 || tst == 3) {
5783 if (clntaddnewcb != 1
5784 || clntparsenewcb != 1
5786 || srvparsenewcb != 1
5787 || (tst != 2 && snicb != 0)
5788 || (tst == 2 && snicb != 1))
5790 } else if (tst == 5) {
5791 if (clntaddnewcb != 1
5792 || clntparsenewcb != 1
5794 || srvparsenewcb != 1)
5797 /* In this case there 2 NewSessionTicket messages created */
5798 if (clntaddnewcb != 1
5799 || clntparsenewcb != 5
5801 || srvparsenewcb != 1)
5805 sess = SSL_get1_session(clientssl);
5806 SSL_shutdown(clientssl);
5807 SSL_shutdown(serverssl);
5808 SSL_free(serverssl);
5809 SSL_free(clientssl);
5810 serverssl = clientssl = NULL;
5812 if (tst == 3 || tst == 5) {
5813 /* We don't bother with the resumption aspects for these tests */
5818 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5820 || !TEST_true(SSL_set_session(clientssl, sess))
5821 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5826 * For a resumed session we expect to add the ClientHello extension. For the
5827 * old style callbacks we ignore it on the server side because they set
5828 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5832 if (clntaddoldcb != 2
5833 || clntparseoldcb != 1
5835 || srvparseoldcb != 1)
5837 } else if (tst == 1 || tst == 2 || tst == 3) {
5838 if (clntaddnewcb != 2
5839 || clntparsenewcb != 2
5841 || srvparsenewcb != 2)
5845 * No Certificate message extensions in the resumption handshake,
5846 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5848 if (clntaddnewcb != 2
5849 || clntparsenewcb != 8
5851 || srvparsenewcb != 2)
5858 SSL_SESSION_free(sess);
5859 SSL_free(serverssl);
5860 SSL_free(clientssl);
5861 SSL_CTX_free(sctx2);
5867 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
5869 #define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \
5870 | SSL_EXT_CLIENT_HELLO \
5871 | SSL_EXT_TLS1_2_SERVER_HELLO \
5872 | SSL_EXT_IGNORE_ON_RESUMPTION)
5874 #define TLS13CONTEXT (SSL_EXT_TLS1_3_CERTIFICATE \
5875 | SSL_EXT_TLS1_2_SERVER_HELLO \
5876 | SSL_EXT_CLIENT_HELLO)
5878 #define SERVERINFO_CUSTOM \
5879 0x00, (char)TLSEXT_TYPE_signed_certificate_timestamp, \
5883 static const unsigned char serverinfo_custom_tls13[] = {
5884 0x00, 0x00, (TLS13CONTEXT >> 8) & 0xff, TLS13CONTEXT & 0xff,
5887 static const unsigned char serverinfo_custom_v2[] = {
5888 0x00, 0x00, (SYNTHV1CONTEXT >> 8) & 0xff, SYNTHV1CONTEXT & 0xff,
5891 static const unsigned char serverinfo_custom_v1[] = {
5894 static const size_t serverinfo_custom_tls13_len = sizeof(serverinfo_custom_tls13);
5895 static const size_t serverinfo_custom_v2_len = sizeof(serverinfo_custom_v2);
5896 static const size_t serverinfo_custom_v1_len = sizeof(serverinfo_custom_v1);
5898 static int serverinfo_custom_parse_cb(SSL *s, unsigned int ext_type,
5899 unsigned int context,
5900 const unsigned char *in,
5901 size_t inlen, X509 *x,
5902 size_t chainidx, int *al,
5905 const size_t len = serverinfo_custom_v1_len;
5906 const unsigned char *si = &serverinfo_custom_v1[len - 3];
5907 int *p_cb_result = (int*)parse_arg;
5908 *p_cb_result = TEST_mem_eq(in, inlen, si, 3);
5912 static int test_serverinfo_custom(const int idx)
5914 SSL_CTX *sctx = NULL, *cctx = NULL;
5915 SSL *clientssl = NULL, *serverssl = NULL;
5920 * Following variables are set in the switch statement
5921 * according to the test iteration.
5922 * Default values do not make much sense: test would fail with them.
5924 int serverinfo_version = 0;
5925 int protocol_version = 0;
5926 unsigned int extension_context = 0;
5927 const unsigned char *si = NULL;
5930 const int call_use_serverinfo_ex = idx > 0;
5932 case 0: /* FALLTHROUGH */
5934 serverinfo_version = SSL_SERVERINFOV1;
5935 protocol_version = TLS1_2_VERSION;
5936 extension_context = SYNTHV1CONTEXT;
5937 si = serverinfo_custom_v1;
5938 si_len = serverinfo_custom_v1_len;
5941 serverinfo_version = SSL_SERVERINFOV2;
5942 protocol_version = TLS1_2_VERSION;
5943 extension_context = SYNTHV1CONTEXT;
5944 si = serverinfo_custom_v2;
5945 si_len = serverinfo_custom_v2_len;
5948 serverinfo_version = SSL_SERVERINFOV2;
5949 protocol_version = TLS1_3_VERSION;
5950 extension_context = TLS13CONTEXT;
5951 si = serverinfo_custom_tls13;
5952 si_len = serverinfo_custom_tls13_len;
5956 if (!TEST_true(create_ssl_ctx_pair(libctx,
5961 &sctx, &cctx, cert, privkey)))
5964 if (call_use_serverinfo_ex) {
5965 if (!TEST_true(SSL_CTX_use_serverinfo_ex(sctx, serverinfo_version,
5969 if (!TEST_true(SSL_CTX_use_serverinfo(sctx, si, si_len)))
5973 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TLSEXT_TYPE_signed_certificate_timestamp,
5976 serverinfo_custom_parse_cb,
5978 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5980 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5982 || !TEST_int_eq(SSL_do_handshake(clientssl), 1))
5985 if (!TEST_true(cb_result))
5991 SSL_free(serverssl);
5992 SSL_free(clientssl);
6001 * Test that SSL_export_keying_material() produces expected results. There are
6002 * no test vectors so all we do is test that both sides of the communication
6003 * produce the same results for different protocol versions.
6005 #define SMALL_LABEL_LEN 10
6006 #define LONG_LABEL_LEN 249
6007 static int test_export_key_mat(int tst)
6010 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
6011 SSL *clientssl = NULL, *serverssl = NULL;
6012 const char label[LONG_LABEL_LEN + 1] = "test label";
6013 const unsigned char context[] = "context";
6014 const unsigned char *emptycontext = NULL;
6015 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
6016 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
6018 const int protocols[] = {
6027 #ifdef OPENSSL_NO_TLS1
6031 #ifdef OPENSSL_NO_TLS1_1
6035 if (is_fips && (tst == 0 || tst == 1))
6037 #ifdef OPENSSL_NO_TLS1_2
6041 #ifdef OSSL_NO_USABLE_TLS1_3
6045 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6046 TLS_client_method(), TLS1_VERSION, 0,
6047 &sctx, &cctx, cert, privkey)))
6050 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
6051 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
6052 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
6053 if ((protocols[tst] < TLS1_2_VERSION) &&
6054 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
6055 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
6058 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6063 * Premature call of SSL_export_keying_material should just fail.
6065 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6066 sizeof(ckeymat1), label,
6067 SMALL_LABEL_LEN + 1, context,
6068 sizeof(context) - 1, 1), 0))
6071 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6077 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
6080 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6081 sizeof(ckeymat1), label,
6082 LONG_LABEL_LEN + 1, context,
6083 sizeof(context) - 1, 1), 0))
6088 } else if (tst == 4) {
6089 labellen = LONG_LABEL_LEN;
6091 labellen = SMALL_LABEL_LEN;
6094 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
6095 sizeof(ckeymat1), label,
6097 sizeof(context) - 1, 1), 1)
6098 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
6099 sizeof(ckeymat2), label,
6103 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
6104 sizeof(ckeymat3), label,
6107 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
6108 sizeof(skeymat1), label,
6111 sizeof(context) -1, 1),
6113 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
6114 sizeof(skeymat2), label,
6118 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
6119 sizeof(skeymat3), label,
6123 * Check that both sides created the same key material with the
6126 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6129 * Check that both sides created the same key material with an
6132 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6135 * Check that both sides created the same key material without a
6138 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
6140 /* Different contexts should produce different results */
6141 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6146 * Check that an empty context and no context produce different results in
6147 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6149 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
6151 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
6158 SSL_free(serverssl);
6159 SSL_free(clientssl);
6160 SSL_CTX_free(sctx2);
6167 #ifndef OSSL_NO_USABLE_TLS1_3
6169 * Test that SSL_export_keying_material_early() produces expected
6170 * results. There are no test vectors so all we do is test that both
6171 * sides of the communication produce the same results for different
6172 * protocol versions.
6174 static int test_export_key_mat_early(int idx)
6176 static const char label[] = "test label";
6177 static const unsigned char context[] = "context";
6179 SSL_CTX *cctx = NULL, *sctx = NULL;
6180 SSL *clientssl = NULL, *serverssl = NULL;
6181 SSL_SESSION *sess = NULL;
6182 const unsigned char *emptycontext = NULL;
6183 unsigned char ckeymat1[80], ckeymat2[80];
6184 unsigned char skeymat1[80], skeymat2[80];
6185 unsigned char buf[1];
6186 size_t readbytes, written;
6188 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
6192 /* Here writing 0 length early data is enough. */
6193 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6194 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6196 SSL_READ_EARLY_DATA_ERROR)
6197 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6198 SSL_EARLY_DATA_ACCEPTED))
6201 if (!TEST_int_eq(SSL_export_keying_material_early(
6202 clientssl, ckeymat1, sizeof(ckeymat1), label,
6203 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6204 || !TEST_int_eq(SSL_export_keying_material_early(
6205 clientssl, ckeymat2, sizeof(ckeymat2), label,
6206 sizeof(label) - 1, emptycontext, 0), 1)
6207 || !TEST_int_eq(SSL_export_keying_material_early(
6208 serverssl, skeymat1, sizeof(skeymat1), label,
6209 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6210 || !TEST_int_eq(SSL_export_keying_material_early(
6211 serverssl, skeymat2, sizeof(skeymat2), label,
6212 sizeof(label) - 1, emptycontext, 0), 1)
6214 * Check that both sides created the same key material with the
6217 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6220 * Check that both sides created the same key material with an
6223 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6225 /* Different contexts should produce different results */
6226 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6233 SSL_SESSION_free(sess);
6234 SSL_SESSION_free(clientpsk);
6235 SSL_SESSION_free(serverpsk);
6236 clientpsk = serverpsk = NULL;
6237 SSL_free(serverssl);
6238 SSL_free(clientssl);
6245 #define NUM_KEY_UPDATE_MESSAGES 40
6249 static int test_key_update(void)
6251 SSL_CTX *cctx = NULL, *sctx = NULL;
6252 SSL *clientssl = NULL, *serverssl = NULL;
6253 int testresult = 0, i, j;
6255 static char *mess = "A test message";
6257 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6258 TLS_client_method(),
6261 &sctx, &cctx, cert, privkey))
6262 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6264 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6268 for (j = 0; j < 2; j++) {
6269 /* Send lots of KeyUpdate messages */
6270 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6271 if (!TEST_true(SSL_key_update(clientssl,
6273 ? SSL_KEY_UPDATE_NOT_REQUESTED
6274 : SSL_KEY_UPDATE_REQUESTED))
6275 || !TEST_true(SSL_do_handshake(clientssl)))
6279 /* Check that sending and receiving app data is ok */
6280 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6281 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6285 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6286 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6294 SSL_free(serverssl);
6295 SSL_free(clientssl);
6303 * Test we can handle a KeyUpdate (update requested) message while
6304 * write data is pending in peer.
6305 * Test 0: Client sends KeyUpdate while Server is writing
6306 * Test 1: Server sends KeyUpdate while Client is writing
6308 static int test_key_update_peer_in_write(int tst)
6310 SSL_CTX *cctx = NULL, *sctx = NULL;
6311 SSL *clientssl = NULL, *serverssl = NULL;
6314 static char *mess = "A test message";
6315 BIO *bretry = BIO_new(bio_s_always_retry());
6317 SSL *peerupdate = NULL, *peerwrite = NULL;
6319 if (!TEST_ptr(bretry)
6320 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6321 TLS_client_method(),
6324 &sctx, &cctx, cert, privkey))
6325 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6327 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6331 peerupdate = tst == 0 ? clientssl : serverssl;
6332 peerwrite = tst == 0 ? serverssl : clientssl;
6334 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
6335 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
6338 /* Swap the writing endpoint's write BIO to force a retry */
6339 tmp = SSL_get_wbio(peerwrite);
6340 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6344 SSL_set0_wbio(peerwrite, bretry);
6347 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6348 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6349 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
6352 /* Reinstate the original writing endpoint's write BIO */
6353 SSL_set0_wbio(peerwrite, tmp);
6356 /* Now read some data - we will read the key update */
6357 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6358 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
6362 * Complete the write we started previously and read it from the other
6365 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6366 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6369 /* Write more data to ensure we send the KeyUpdate message back */
6370 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6371 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6377 SSL_free(serverssl);
6378 SSL_free(clientssl);
6388 * Test we can handle a KeyUpdate (update requested) message while
6389 * peer read data is pending after peer accepted keyupdate(the msg header
6390 * had been read 5 bytes).
6391 * Test 0: Client sends KeyUpdate while Server is reading
6392 * Test 1: Server sends KeyUpdate while Client is reading
6394 static int test_key_update_peer_in_read(int tst)
6396 SSL_CTX *cctx = NULL, *sctx = NULL;
6397 SSL *clientssl = NULL, *serverssl = NULL;
6399 char prbuf[515], lwbuf[515] = {0};
6400 static char *mess = "A test message";
6401 BIO *lbio = NULL, *pbio = NULL;
6402 SSL *local = NULL, *peer = NULL;
6404 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6405 TLS_client_method(),
6408 &sctx, &cctx, cert, privkey))
6409 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6411 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6415 local = tst == 0 ? clientssl : serverssl;
6416 peer = tst == 0 ? serverssl : clientssl;
6418 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6421 SSL_set_bio(local, lbio, lbio);
6422 SSL_set_bio(peer, pbio, pbio);
6425 * we first write keyupdate msg then appdata in local
6426 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6427 * lwbuf app data msg size + key updata msg size > 512(the size of
6428 * the bio pair buffer)
6430 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6431 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
6432 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6436 * first read keyupdate msg in peer in peer
6437 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6439 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
6440 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
6443 /* Now write some data in peer - we will write the key update */
6444 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
6448 * write data in local previously that we will complete
6449 * read data in peer previously that we will complete
6451 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
6452 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
6455 /* check that sending and receiving appdata ok */
6456 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6457 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6463 SSL_free(serverssl);
6464 SSL_free(clientssl);
6472 * Test we can't send a KeyUpdate (update requested) message while
6473 * local write data is pending.
6474 * Test 0: Client sends KeyUpdate while Client is writing
6475 * Test 1: Server sends KeyUpdate while Server is writing
6477 static int test_key_update_local_in_write(int tst)
6479 SSL_CTX *cctx = NULL, *sctx = NULL;
6480 SSL *clientssl = NULL, *serverssl = NULL;
6483 static char *mess = "A test message";
6484 BIO *bretry = BIO_new(bio_s_always_retry());
6486 SSL *local = NULL, *peer = NULL;
6488 if (!TEST_ptr(bretry)
6489 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6490 TLS_client_method(),
6493 &sctx, &cctx, cert, privkey))
6494 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6496 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6500 local = tst == 0 ? clientssl : serverssl;
6501 peer = tst == 0 ? serverssl : clientssl;
6503 /* Swap the writing endpoint's write BIO to force a retry */
6504 tmp = SSL_get_wbio(local);
6505 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6509 SSL_set0_wbio(local, bretry);
6512 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
6513 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
6514 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6517 /* Reinstate the original writing endpoint's write BIO */
6518 SSL_set0_wbio(local, tmp);
6521 /* SSL_key_update will fail, because writing in local*/
6522 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6523 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
6527 /* write data in local previously that we will complete */
6528 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
6531 /* SSL_key_update will succeed because there is no pending write data */
6532 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6533 || !TEST_int_eq(SSL_do_handshake(local), 1))
6537 * we write some appdata in local
6538 * read data in peer - we will read the keyupdate msg
6540 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6541 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
6544 /* Write more peer more data to ensure we send the keyupdate message back */
6545 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6546 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
6552 SSL_free(serverssl);
6553 SSL_free(clientssl);
6563 * Test we can handle a KeyUpdate (update requested) message while
6564 * local read data is pending(the msg header had been read 5 bytes).
6565 * Test 0: Client sends KeyUpdate while Client is reading
6566 * Test 1: Server sends KeyUpdate while Server is reading
6568 static int test_key_update_local_in_read(int tst)
6570 SSL_CTX *cctx = NULL, *sctx = NULL;
6571 SSL *clientssl = NULL, *serverssl = NULL;
6573 char lrbuf[515], pwbuf[515] = {0}, prbuf[20];
6574 static char *mess = "A test message";
6575 BIO *lbio = NULL, *pbio = NULL;
6576 SSL *local = NULL, *peer = NULL;
6578 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6579 TLS_client_method(),
6582 &sctx, &cctx, cert, privkey))
6583 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6585 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6589 local = tst == 0 ? clientssl : serverssl;
6590 peer = tst == 0 ? serverssl : clientssl;
6592 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6595 SSL_set_bio(local, lbio, lbio);
6596 SSL_set_bio(peer, pbio, pbio);
6598 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
6599 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
6600 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
6603 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
6604 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
6605 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
6608 /* SSL_do_handshake will send keyupdate msg */
6609 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6610 || !TEST_int_eq(SSL_do_handshake(local), 1))
6614 * write data in peer previously that we will complete
6615 * read data in local previously that we will complete
6617 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
6618 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
6622 * write data in local
6623 * read data in peer - we will read the key update
6625 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6626 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6629 /* Write more peer data to ensure we send the keyupdate message back */
6630 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6631 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
6637 SSL_free(serverssl);
6638 SSL_free(clientssl);
6644 #endif /* OSSL_NO_USABLE_TLS1_3 */
6646 static int test_ssl_clear(int idx)
6648 SSL_CTX *cctx = NULL, *sctx = NULL;
6649 SSL *clientssl = NULL, *serverssl = NULL;
6652 #ifdef OPENSSL_NO_TLS1_2
6657 /* Create an initial connection */
6658 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6659 TLS_client_method(), TLS1_VERSION, 0,
6660 &sctx, &cctx, cert, privkey))
6662 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
6664 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6665 &clientssl, NULL, NULL))
6666 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6670 SSL_shutdown(clientssl);
6671 SSL_shutdown(serverssl);
6672 SSL_free(serverssl);
6675 /* Clear clientssl - we're going to reuse the object */
6676 if (!TEST_true(SSL_clear(clientssl)))
6679 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6681 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6683 || !TEST_true(SSL_session_reused(clientssl)))
6686 SSL_shutdown(clientssl);
6687 SSL_shutdown(serverssl);
6692 SSL_free(serverssl);
6693 SSL_free(clientssl);
6700 /* Parse CH and retrieve any MFL extension value if present */
6701 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
6704 unsigned char *data;
6705 PACKET pkt, pkt2, pkt3;
6706 unsigned int MFL_code = 0, type = 0;
6708 if (!TEST_uint_gt(len = BIO_get_mem_data(bio, (char **) &data), 0))
6711 memset(&pkt, 0, sizeof(pkt));
6712 memset(&pkt2, 0, sizeof(pkt2));
6713 memset(&pkt3, 0, sizeof(pkt3));
6715 if (!TEST_long_gt(len, 0)
6716 || !TEST_true(PACKET_buf_init(&pkt, data, len))
6717 /* Skip the record header */
6718 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
6719 /* Skip the handshake message header */
6720 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
6721 /* Skip client version and random */
6722 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
6723 + SSL3_RANDOM_SIZE))
6724 /* Skip session id */
6725 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6727 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
6728 /* Skip compression */
6729 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6730 /* Extensions len */
6731 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
6734 /* Loop through all extensions */
6735 while (PACKET_remaining(&pkt2)) {
6736 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
6737 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
6740 if (type == TLSEXT_TYPE_max_fragment_length) {
6741 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
6742 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
6745 *mfl_codemfl_code = MFL_code;
6754 /* Maximum-Fragment-Length TLS extension mode to test */
6755 static const unsigned char max_fragment_len_test[] = {
6756 TLSEXT_max_fragment_length_512,
6757 TLSEXT_max_fragment_length_1024,
6758 TLSEXT_max_fragment_length_2048,
6759 TLSEXT_max_fragment_length_4096
6762 static int test_max_fragment_len_ext(int idx_tst)
6764 SSL_CTX *ctx = NULL;
6766 int testresult = 0, MFL_mode = 0;
6769 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
6770 TLS1_VERSION, 0, NULL, &ctx, NULL,
6774 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
6775 ctx, max_fragment_len_test[idx_tst])))
6782 rbio = BIO_new(BIO_s_mem());
6783 wbio = BIO_new(BIO_s_mem());
6784 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
6790 SSL_set_bio(con, rbio, wbio);
6792 if (!TEST_int_le(SSL_connect(con), 0)) {
6793 /* This shouldn't succeed because we don't have a server! */
6797 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
6798 /* no MFL in client hello */
6800 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
6812 #ifndef OSSL_NO_USABLE_TLS1_3
6813 static int test_pha_key_update(void)
6815 SSL_CTX *cctx = NULL, *sctx = NULL;
6816 SSL *clientssl = NULL, *serverssl = NULL;
6819 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6820 TLS_client_method(), TLS1_VERSION, 0,
6821 &sctx, &cctx, cert, privkey)))
6824 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
6825 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
6826 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
6827 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
6830 SSL_CTX_set_post_handshake_auth(cctx, 1);
6832 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6836 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6840 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6841 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6844 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
6847 /* Start handshake on the server */
6848 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
6851 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
6852 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6856 SSL_shutdown(clientssl);
6857 SSL_shutdown(serverssl);
6862 SSL_free(serverssl);
6863 SSL_free(clientssl);
6870 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6872 static SRP_VBASE *vbase = NULL;
6874 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
6876 int ret = SSL3_AL_FATAL;
6878 SRP_user_pwd *user = NULL;
6880 username = SSL_get_srp_username(s);
6881 if (username == NULL) {
6882 *ad = SSL_AD_INTERNAL_ERROR;
6886 user = SRP_VBASE_get1_by_user(vbase, username);
6888 *ad = SSL_AD_INTERNAL_ERROR;
6892 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
6894 *ad = SSL_AD_INTERNAL_ERROR;
6901 SRP_user_pwd_free(user);
6905 static int create_new_vfile(char *userid, char *password, const char *filename)
6908 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
6911 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
6914 if (!TEST_ptr(dummy) || !TEST_ptr(row))
6917 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
6918 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
6919 if (!TEST_ptr(gNid))
6923 * The only way to create an empty TXT_DB is to provide a BIO with no data
6926 db = TXT_DB_read(dummy, DB_NUMBER);
6930 out = BIO_new_file(filename, "w");
6934 row[DB_srpid] = OPENSSL_strdup(userid);
6935 row[DB_srptype] = OPENSSL_strdup("V");
6936 row[DB_srpgN] = OPENSSL_strdup(gNid);
6938 if (!TEST_ptr(row[DB_srpid])
6939 || !TEST_ptr(row[DB_srptype])
6940 || !TEST_ptr(row[DB_srpgN])
6941 || !TEST_true(TXT_DB_insert(db, row)))
6946 if (TXT_DB_write(out, db) <= 0)
6952 for (i = 0; i < DB_NUMBER; i++)
6953 OPENSSL_free(row[i]);
6963 static int create_new_vbase(char *userid, char *password)
6965 BIGNUM *verifier = NULL, *salt = NULL;
6966 const SRP_gN *lgN = NULL;
6967 SRP_user_pwd *user_pwd = NULL;
6970 lgN = SRP_get_default_gN(NULL);
6974 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
6975 lgN->N, lgN->g, libctx, NULL)))
6978 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
6979 if (!TEST_ptr(user_pwd))
6982 user_pwd->N = lgN->N;
6983 user_pwd->g = lgN->g;
6984 user_pwd->id = OPENSSL_strdup(userid);
6985 if (!TEST_ptr(user_pwd->id))
6988 user_pwd->v = verifier;
6990 verifier = salt = NULL;
6992 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
6998 SRP_user_pwd_free(user_pwd);
7008 * Test 0: Simple successful SRP connection, new vbase
7009 * Test 1: Connection failure due to bad password, new vbase
7010 * Test 2: Simple successful SRP connection, vbase loaded from existing file
7011 * Test 3: Connection failure due to bad password, vbase loaded from existing
7013 * Test 4: Simple successful SRP connection, vbase loaded from new file
7014 * Test 5: Connection failure due to bad password, vbase loaded from new file
7016 static int test_srp(int tst)
7018 char *userid = "test", *password = "password", *tstsrpfile;
7019 SSL_CTX *cctx = NULL, *sctx = NULL;
7020 SSL *clientssl = NULL, *serverssl = NULL;
7021 int ret, testresult = 0;
7023 vbase = SRP_VBASE_new(NULL);
7024 if (!TEST_ptr(vbase))
7027 if (tst == 0 || tst == 1) {
7028 if (!TEST_true(create_new_vbase(userid, password)))
7031 if (tst == 4 || tst == 5) {
7032 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
7034 tstsrpfile = tmpfilename;
7036 tstsrpfile = srpvfile;
7038 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
7042 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7043 TLS_client_method(), TLS1_VERSION, 0,
7044 &sctx, &cctx, cert, privkey)))
7047 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
7048 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
7049 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
7050 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
7051 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
7055 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
7058 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
7062 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7066 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7068 if (!TEST_true(tst % 2 == 0))
7071 if (!TEST_true(tst % 2 == 1))
7078 SRP_VBASE_free(vbase);
7080 SSL_free(serverssl);
7081 SSL_free(clientssl);
7089 static int info_cb_failed = 0;
7090 static int info_cb_offset = 0;
7091 static int info_cb_this_state = -1;
7093 static struct info_cb_states_st {
7095 const char *statestr;
7096 } info_cb_states[][60] = {
7098 /* TLSv1.2 server followed by resumption */
7099 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7100 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7101 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
7102 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
7103 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
7104 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7105 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7106 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7107 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"},
7108 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7109 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
7110 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7111 {SSL_CB_EXIT, NULL}, {0, NULL},
7113 /* TLSv1.2 client followed by resumption */
7114 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7115 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7116 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
7117 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
7118 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
7119 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7120 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7121 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7122 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7123 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7124 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7125 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
7127 /* TLSv1.3 server followed by resumption */
7128 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7129 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7130 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
7131 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7132 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7133 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7134 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7135 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7136 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7137 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7138 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7139 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7140 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7142 /* TLSv1.3 client followed by resumption */
7143 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7144 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7145 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
7146 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7147 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7148 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7149 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7150 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7151 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7152 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7153 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7154 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7155 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7156 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7157 {SSL_CB_EXIT, NULL}, {0, NULL},
7159 /* TLSv1.3 server, early_data */
7160 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7161 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7162 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7163 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7164 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7165 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
7166 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7167 {SSL_CB_EXIT, NULL}, {0, NULL},
7169 /* TLSv1.3 client, early_data */
7170 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7171 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
7172 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7173 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7174 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7175 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
7176 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7177 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7178 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7180 /* TLSv1.3 server, certificate compression, followed by resumption */
7181 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7182 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7183 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSCC"},
7184 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7185 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7186 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7187 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7188 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7189 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7190 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7191 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7192 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7193 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7195 /* TLSv1.3 client, certificate compression, followed by resumption */
7196 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7197 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7198 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSCC"},
7199 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7200 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7201 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7202 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7203 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7204 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7205 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7206 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7207 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7208 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7209 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7210 {SSL_CB_EXIT, NULL}, {0, NULL},
7216 static void sslapi_info_callback(const SSL *s, int where, int ret)
7218 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
7220 /* We do not ever expect a connection to fail in this test */
7221 if (!TEST_false(ret == 0)) {
7227 * Do some sanity checks. We never expect these things to happen in this
7230 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
7231 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
7232 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
7237 /* Now check we're in the right state */
7238 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
7242 if ((where & SSL_CB_LOOP) != 0
7243 && !TEST_int_eq(strcmp(SSL_state_string(s),
7244 state[info_cb_this_state].statestr), 0)) {
7250 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7252 if ((where & SSL_CB_HANDSHAKE_DONE)
7253 && SSL_in_init((SSL *)s) != 0) {
7260 * Test the info callback gets called when we expect it to.
7262 * Test 0: TLSv1.2, server
7263 * Test 1: TLSv1.2, client
7264 * Test 2: TLSv1.3, server
7265 * Test 3: TLSv1.3, client
7266 * Test 4: TLSv1.3, server, early_data
7267 * Test 5: TLSv1.3, client, early_data
7268 * Test 6: TLSv1.3, server, compressed certificate
7269 * Test 7: TLSv1.3, client, compressed certificate
7271 static int test_info_callback(int tst)
7273 SSL_CTX *cctx = NULL, *sctx = NULL;
7274 SSL *clientssl = NULL, *serverssl = NULL;
7275 SSL_SESSION *clntsess = NULL;
7280 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
7281 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7282 || !defined(OPENSSL_NO_DH))
7283 tlsvers = TLS1_2_VERSION;
7288 #ifndef OSSL_NO_USABLE_TLS1_3
7289 tlsvers = TLS1_3_VERSION;
7297 info_cb_this_state = -1;
7298 info_cb_offset = tst;
7300 #ifndef OSSL_NO_USABLE_TLS1_3
7301 if (tst >= 4 && tst < 6) {
7302 SSL_SESSION *sess = NULL;
7303 size_t written, readbytes;
7304 unsigned char buf[80];
7306 /* early_data tests */
7307 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
7308 &serverssl, &sess, 0)))
7311 /* We don't actually need this reference */
7312 SSL_SESSION_free(sess);
7314 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
7315 sslapi_info_callback);
7317 /* Write and read some early data and then complete the connection */
7318 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
7320 || !TEST_size_t_eq(written, strlen(MSG1))
7321 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
7322 sizeof(buf), &readbytes),
7323 SSL_READ_EARLY_DATA_SUCCESS)
7324 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
7325 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
7326 SSL_EARLY_DATA_ACCEPTED)
7327 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7329 || !TEST_false(info_cb_failed))
7337 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7338 TLS_client_method(),
7339 tlsvers, tlsvers, &sctx, &cctx, cert,
7343 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
7347 * For even numbered tests we check the server callbacks. For odd numbers we
7350 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
7351 sslapi_info_callback);
7353 if (!SSL_CTX_compress_certs(sctx, 0))
7357 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7358 &clientssl, NULL, NULL))
7359 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7361 || !TEST_false(info_cb_failed))
7366 clntsess = SSL_get1_session(clientssl);
7367 SSL_shutdown(clientssl);
7368 SSL_shutdown(serverssl);
7369 SSL_free(serverssl);
7370 SSL_free(clientssl);
7371 serverssl = clientssl = NULL;
7373 /* Now do a resumption */
7374 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7376 || !TEST_true(SSL_set_session(clientssl, clntsess))
7377 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7379 || !TEST_true(SSL_session_reused(clientssl))
7380 || !TEST_false(info_cb_failed))
7386 SSL_free(serverssl);
7387 SSL_free(clientssl);
7388 SSL_SESSION_free(clntsess);
7394 static int test_ssl_pending(int tst)
7396 SSL_CTX *cctx = NULL, *sctx = NULL;
7397 SSL *clientssl = NULL, *serverssl = NULL;
7399 char msg[] = "A test message";
7401 size_t written, readbytes;
7404 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7405 TLS_client_method(),
7407 &sctx, &cctx, cert, privkey)))
7410 #ifndef OPENSSL_NO_DTLS
7411 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
7412 DTLS_client_method(),
7414 &sctx, &cctx, cert, privkey)))
7417 # ifdef OPENSSL_NO_DTLS1_2
7418 /* Not supported in the FIPS provider */
7424 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7427 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
7428 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
7429 "DEFAULT:@SECLEVEL=0")))
7437 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7439 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7443 if (!TEST_int_eq(SSL_pending(clientssl), 0)
7444 || !TEST_false(SSL_has_pending(clientssl))
7445 || !TEST_int_eq(SSL_pending(serverssl), 0)
7446 || !TEST_false(SSL_has_pending(serverssl))
7447 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7448 || !TEST_size_t_eq(written, sizeof(msg))
7449 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
7450 || !TEST_size_t_eq(readbytes, sizeof(buf))
7451 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
7452 || !TEST_true(SSL_has_pending(clientssl)))
7458 SSL_free(serverssl);
7459 SSL_free(clientssl);
7467 unsigned int maxprot;
7468 const char *clntciphers;
7469 const char *clnttls13ciphers;
7470 const char *srvrciphers;
7471 const char *srvrtls13ciphers;
7473 const char *fipsshared;
7474 } shared_ciphers_data[] = {
7476 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
7477 * TLSv1.3 is enabled but TLSv1.2 is disabled.
7479 #if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
7482 "AES128-SHA:AES256-SHA",
7484 "AES256-SHA:DHE-RSA-AES128-SHA",
7489 # if !defined(OPENSSL_NO_CHACHA) \
7490 && !defined(OPENSSL_NO_POLY1305) \
7491 && !defined(OPENSSL_NO_EC)
7494 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7496 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7498 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7504 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
7506 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
7508 "AES128-SHA:AES256-SHA",
7509 "AES128-SHA:AES256-SHA"
7513 "AES128-SHA:AES256-SHA",
7515 "AES128-SHA:DHE-RSA-AES128-SHA",
7522 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7525 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
7526 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
7529 "AES128-SHA:AES256-SHA",
7531 "AES256-SHA:AES128-SHA256",
7533 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
7534 "TLS_AES_128_GCM_SHA256:AES256-SHA",
7535 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
7538 #ifndef OSSL_NO_USABLE_TLS1_3
7542 "TLS_AES_256_GCM_SHA384",
7544 "TLS_AES_256_GCM_SHA384",
7545 "TLS_AES_256_GCM_SHA384",
7546 "TLS_AES_256_GCM_SHA384"
7551 static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
7553 SSL_CTX *cctx = NULL, *sctx = NULL;
7554 SSL *clientssl = NULL, *serverssl = NULL;
7557 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
7559 if (!TEST_ptr(tmplibctx))
7563 * Regardless of whether we're testing with the FIPS provider loaded into
7564 * libctx, we want one peer to always use the full set of ciphersuites
7565 * available. Therefore we use a separate libctx with the default provider
7566 * loaded into it. We run the same tests twice - once with the client side
7567 * having the full set of ciphersuites and once with the server side.
7570 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
7571 if (!TEST_ptr(cctx))
7574 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
7575 if (!TEST_ptr(sctx))
7579 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7580 TLS_client_method(),
7582 shared_ciphers_data[tst].maxprot,
7583 &sctx, &cctx, cert, privkey)))
7586 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
7587 shared_ciphers_data[tst].clntciphers))
7588 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
7589 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
7590 shared_ciphers_data[tst].clnttls13ciphers)))
7591 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
7592 shared_ciphers_data[tst].srvrciphers))
7593 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
7594 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
7595 shared_ciphers_data[tst].srvrtls13ciphers))))
7599 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7601 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7605 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
7606 || !TEST_int_eq(strcmp(buf,
7608 ? shared_ciphers_data[tst].fipsshared
7609 : shared_ciphers_data[tst].shared),
7611 TEST_info("Shared ciphers are: %s\n", buf);
7618 SSL_free(serverssl);
7619 SSL_free(clientssl);
7622 OSSL_LIB_CTX_free(tmplibctx);
7627 static int test_ssl_get_shared_ciphers(int tst)
7629 return int_test_ssl_get_shared_ciphers(tst, 0)
7630 && int_test_ssl_get_shared_ciphers(tst, 1);
7634 static const char *appdata = "Hello World";
7635 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
7636 static int tick_key_renew = 0;
7637 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7639 static int gen_tick_cb(SSL *s, void *arg)
7641 gen_tick_called = 1;
7643 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
7647 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
7648 const unsigned char *keyname,
7649 size_t keyname_length,
7650 SSL_TICKET_STATUS status,
7656 dec_tick_called = 1;
7658 if (status == SSL_TICKET_EMPTY)
7659 return SSL_TICKET_RETURN_IGNORE_RENEW;
7661 if (!TEST_true(status == SSL_TICKET_SUCCESS
7662 || status == SSL_TICKET_SUCCESS_RENEW))
7663 return SSL_TICKET_RETURN_ABORT;
7665 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
7667 || !TEST_size_t_eq(tickdlen, strlen(appdata))
7668 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
7669 return SSL_TICKET_RETURN_ABORT;
7671 if (tick_key_cb_called) {
7672 /* Don't change what the ticket key callback wanted to do */
7674 case SSL_TICKET_NO_DECRYPT:
7675 return SSL_TICKET_RETURN_IGNORE_RENEW;
7677 case SSL_TICKET_SUCCESS:
7678 return SSL_TICKET_RETURN_USE;
7680 case SSL_TICKET_SUCCESS_RENEW:
7681 return SSL_TICKET_RETURN_USE_RENEW;
7684 return SSL_TICKET_RETURN_ABORT;
7687 return tick_dec_ret;
7691 #ifndef OPENSSL_NO_DEPRECATED_3_0
7692 static int tick_key_cb(SSL *s, unsigned char key_name[16],
7693 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
7694 HMAC_CTX *hctx, int enc)
7696 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7697 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
7698 EVP_CIPHER *aes128cbc;
7702 tick_key_cb_called = 1;
7704 if (tick_key_renew == -1)
7707 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7708 if (!TEST_ptr(aes128cbc))
7710 sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
7711 if (!TEST_ptr(sha256)) {
7712 EVP_CIPHER_free(aes128cbc);
7716 memset(iv, 0, AES_BLOCK_SIZE);
7717 memset(key_name, 0, 16);
7718 if (aes128cbc == NULL
7720 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7721 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
7725 ret = tick_key_renew ? 2 : 1;
7727 EVP_CIPHER_free(aes128cbc);
7728 EVP_MD_free(sha256);
7734 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
7735 unsigned char iv[EVP_MAX_IV_LENGTH],
7736 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
7738 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7739 unsigned char tick_hmac_key[16] = "0123456789abcdef";
7740 OSSL_PARAM params[2];
7741 EVP_CIPHER *aes128cbc;
7744 tick_key_cb_called = 1;
7746 if (tick_key_renew == -1)
7749 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7750 if (!TEST_ptr(aes128cbc))
7753 memset(iv, 0, AES_BLOCK_SIZE);
7754 memset(key_name, 0, 16);
7755 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
7757 params[1] = OSSL_PARAM_construct_end();
7758 if (aes128cbc == NULL
7759 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7760 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
7764 ret = tick_key_renew ? 2 : 1;
7766 EVP_CIPHER_free(aes128cbc);
7772 * Test the various ticket callbacks
7773 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
7774 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
7775 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
7776 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
7777 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
7778 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
7779 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
7780 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
7781 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
7782 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
7783 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
7784 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
7785 * Test 12: TLSv1.2, old ticket key callback, no ticket
7786 * Test 13: TLSv1.3, old ticket key callback, no ticket
7787 * Test 14: TLSv1.2, ticket key callback, ticket, no renewal
7788 * Test 15: TLSv1.3, ticket key callback, ticket, no renewal
7789 * Test 16: TLSv1.2, ticket key callback, ticket, renewal
7790 * Test 17: TLSv1.3, ticket key callback, ticket, renewal
7791 * Test 18: TLSv1.2, ticket key callback, no ticket
7792 * Test 19: TLSv1.3, ticket key callback, no ticket
7794 static int test_ticket_callbacks(int tst)
7796 SSL_CTX *cctx = NULL, *sctx = NULL;
7797 SSL *clientssl = NULL, *serverssl = NULL;
7798 SSL_SESSION *clntsess = NULL;
7801 #ifdef OPENSSL_NO_TLS1_2
7805 #ifdef OSSL_NO_USABLE_TLS1_3
7809 #ifdef OPENSSL_NO_DEPRECATED_3_0
7810 if (tst >= 8 && tst <= 13)
7814 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
7816 /* Which tests the ticket key callback should request renewal for */
7818 if (tst == 10 || tst == 11 || tst == 16 || tst == 17)
7820 else if (tst == 12 || tst == 13 || tst == 18 || tst == 19)
7821 tick_key_renew = -1; /* abort sending the ticket/0-length ticket */
7825 /* Which tests the decrypt ticket callback should request renewal for */
7829 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
7834 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
7839 tick_dec_ret = SSL_TICKET_RETURN_USE;
7844 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
7848 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7851 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7852 TLS_client_method(),
7854 ((tst % 2) == 0) ? TLS1_2_VERSION
7856 &sctx, &cctx, cert, privkey)))
7860 * We only want sessions to resume from tickets - not the session cache. So
7861 * switch the cache off.
7863 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
7866 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
7871 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
7873 #ifndef OPENSSL_NO_DEPRECATED_3_0
7874 } else if (tst >= 8) {
7875 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
7880 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7882 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7887 * The decrypt ticket key callback in TLSv1.2 should be called even though
7888 * we have no ticket yet, because it gets called with a status of
7889 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
7890 * actually send any ticket data). This does not happen in TLSv1.3 because
7891 * it is not valid to send empty ticket data in TLSv1.3.
7893 if (!TEST_int_eq(gen_tick_called, 1)
7894 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
7897 gen_tick_called = dec_tick_called = 0;
7899 clntsess = SSL_get1_session(clientssl);
7900 SSL_shutdown(clientssl);
7901 SSL_shutdown(serverssl);
7902 SSL_free(serverssl);
7903 SSL_free(clientssl);
7904 serverssl = clientssl = NULL;
7906 /* Now do a resumption */
7907 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7909 || !TEST_true(SSL_set_session(clientssl, clntsess))
7910 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7914 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
7915 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
7916 || tick_key_renew == -1) {
7917 if (!TEST_false(SSL_session_reused(clientssl)))
7920 if (!TEST_true(SSL_session_reused(clientssl)))
7924 if (!TEST_int_eq(gen_tick_called,
7926 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
7927 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
7929 /* There is no ticket to decrypt in tests 13 and 19 */
7930 || !TEST_int_eq(dec_tick_called, (tst == 13 || tst == 19) ? 0 : 1))
7936 SSL_SESSION_free(clntsess);
7937 SSL_free(serverssl);
7938 SSL_free(clientssl);
7946 * Test incorrect shutdown.
7947 * Test 0: client does not shutdown properly,
7948 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
7949 * server should get SSL_ERROR_SSL
7950 * Test 1: client does not shutdown properly,
7951 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
7952 * server should get SSL_ERROR_ZERO_RETURN
7954 static int test_incorrect_shutdown(int tst)
7956 SSL_CTX *cctx = NULL, *sctx = NULL;
7957 SSL *clientssl = NULL, *serverssl = NULL;
7962 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7963 TLS_client_method(), 0, 0,
7964 &sctx, &cctx, cert, privkey)))
7968 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
7970 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7974 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7978 c2s = SSL_get_rbio(serverssl);
7979 BIO_set_mem_eof_return(c2s, 0);
7981 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
7984 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
7986 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
7992 SSL_free(serverssl);
7993 SSL_free(clientssl);
8001 * Test bi-directional shutdown.
8003 * Test 1: TLSv1.2, server continues to read/write after client shutdown
8004 * Test 2: TLSv1.3, no pending NewSessionTicket messages
8005 * Test 3: TLSv1.3, pending NewSessionTicket messages
8006 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
8007 * sends key update, client reads it
8008 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
8009 * sends CertificateRequest, client reads and ignores it
8010 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
8013 static int test_shutdown(int tst)
8015 SSL_CTX *cctx = NULL, *sctx = NULL;
8016 SSL *clientssl = NULL, *serverssl = NULL;
8018 char msg[] = "A test message";
8020 size_t written, readbytes;
8023 #ifdef OPENSSL_NO_TLS1_2
8027 #ifdef OSSL_NO_USABLE_TLS1_3
8032 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8033 TLS_client_method(),
8035 (tst <= 1) ? TLS1_2_VERSION
8037 &sctx, &cctx, cert, privkey)))
8041 SSL_CTX_set_post_handshake_auth(cctx, 1);
8043 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8048 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
8049 SSL_ERROR_NONE, 1, 0))
8050 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8051 || !TEST_false(SSL_SESSION_is_resumable(sess)))
8053 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8055 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8056 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
8060 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8065 * Reading on the server after the client has sent close_notify should
8066 * fail and provide SSL_ERROR_ZERO_RETURN
8068 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
8069 || !TEST_int_eq(SSL_get_error(serverssl, 0),
8070 SSL_ERROR_ZERO_RETURN)
8071 || !TEST_int_eq(SSL_get_shutdown(serverssl),
8072 SSL_RECEIVED_SHUTDOWN)
8074 * Even though we're shutdown on receive we should still be
8077 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8080 && !TEST_true(SSL_key_update(serverssl,
8081 SSL_KEY_UPDATE_REQUESTED)))
8084 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
8085 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
8088 if ((tst == 4 || tst == 5)
8089 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8091 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8093 if (tst == 4 || tst == 5) {
8094 /* Should still be able to read data from server */
8095 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8097 || !TEST_size_t_eq(readbytes, sizeof(msg))
8098 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
8099 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8101 || !TEST_size_t_eq(readbytes, sizeof(msg))
8102 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
8107 /* Writing on the client after sending close_notify shouldn't be possible */
8108 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
8113 * For these tests the client has sent close_notify but it has not yet
8114 * been received by the server. The server has not sent close_notify
8117 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
8119 * Writing on the server after sending close_notify shouldn't
8122 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8123 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
8124 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8125 || !TEST_true(SSL_SESSION_is_resumable(sess))
8126 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
8128 } else if (tst == 4 || tst == 5) {
8130 * In this test the client has sent close_notify and it has been
8131 * received by the server which has responded with a close_notify. The
8132 * client needs to read the close_notify sent by the server.
8134 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
8135 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8136 || !TEST_true(SSL_SESSION_is_resumable(sess)))
8142 * The client has sent close_notify and is expecting a close_notify
8143 * back, but instead there is application data first. The shutdown
8144 * should fail with a fatal error.
8146 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
8147 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
8154 SSL_free(serverssl);
8155 SSL_free(clientssl);
8163 * Test that sending close_notify alerts works correctly in the case of a
8164 * retryable write failure.
8166 static int test_async_shutdown(void)
8168 SSL_CTX *cctx = NULL, *sctx = NULL;
8169 SSL *clientssl = NULL, *serverssl = NULL;
8171 BIO *bretry = BIO_new(bio_s_always_retry()), *tmp = NULL;
8173 if (!TEST_ptr(bretry))
8176 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8177 TLS_client_method(),
8179 &sctx, &cctx, cert, privkey)))
8182 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8186 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8189 /* Close write side of clientssl */
8190 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8193 tmp = SSL_get_wbio(serverssl);
8194 if (!TEST_true(BIO_up_ref(tmp))) {
8198 SSL_set0_wbio(serverssl, bretry);
8201 /* First server shutdown should fail because of a retrable write failure */
8202 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8203 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8206 /* Second server shutdown should fail for the same reason */
8207 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8208 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8211 SSL_set0_wbio(serverssl, tmp);
8214 /* Third server shutdown should send close_notify */
8215 if (!TEST_int_eq(SSL_shutdown(serverssl), 0))
8218 /* Fourth server shutdown should read close_notify from client and finish */
8219 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8222 /* Client should also successfully fully shutdown */
8223 if (!TEST_int_eq(SSL_shutdown(clientssl), 1))
8228 SSL_free(serverssl);
8229 SSL_free(clientssl);
8238 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8239 static int cert_cb_cnt;
8241 static int cert_cb(SSL *s, void *arg)
8243 SSL_CTX *ctx = (SSL_CTX *)arg;
8245 EVP_PKEY *pkey = NULL;
8246 X509 *x509 = NULL, *rootx = NULL;
8247 STACK_OF(X509) *chain = NULL;
8248 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
8251 if (cert_cb_cnt == 0) {
8252 /* Suspend the handshake */
8255 } else if (cert_cb_cnt == 1) {
8257 * Update the SSL_CTX, set the certificate and private key and then
8258 * continue the handshake normally.
8260 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
8263 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
8264 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
8266 || !TEST_true(SSL_check_private_key(s)))
8270 } else if (cert_cb_cnt == 3) {
8273 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
8274 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8275 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8276 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
8278 chain = sk_X509_new_null();
8279 if (!TEST_ptr(chain))
8281 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8282 || !TEST_int_gt(BIO_read_filename(in, rootfile), 0)
8283 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
8284 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
8285 || !TEST_true(sk_X509_push(chain, rootx)))
8289 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8290 || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0)
8291 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
8292 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
8295 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8296 || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0)
8297 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
8301 rv = SSL_check_chain(s, x509, pkey, chain);
8303 * If the cert doesn't show as valid here (e.g., because we don't
8304 * have any shared sigalgs), then we will not set it, and there will
8305 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8306 * will cause tls_choose_sigalgs() to fail the connection.
8308 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
8309 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
8310 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
8317 /* Abort the handshake */
8319 OPENSSL_free(ecdsacert);
8320 OPENSSL_free(ecdsakey);
8321 OPENSSL_free(rootfile);
8323 EVP_PKEY_free(pkey);
8326 OSSL_STACK_OF_X509_free(chain);
8331 * Test the certificate callback.
8332 * Test 0: Callback fails
8333 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8334 * Test 2: Success - SSL_set_SSL_CTX() in the callback
8335 * Test 3: Success - Call SSL_check_chain from the callback
8336 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8338 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
8340 static int test_cert_cb_int(int prot, int tst)
8342 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
8343 SSL *clientssl = NULL, *serverssl = NULL;
8344 int testresult = 0, ret;
8346 #ifdef OPENSSL_NO_EC
8347 /* We use an EC cert in these tests, so we skip in a no-ec build */
8352 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8353 TLS_client_method(),
8356 &sctx, &cctx, NULL, NULL)))
8367 snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
8368 if (!TEST_ptr(snictx))
8372 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
8374 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8380 * We cause SSL_check_chain() to fail by specifying sig_algs that
8381 * the chain doesn't meet (the root uses an RSA cert)
8383 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8384 "ecdsa_secp256r1_sha256")))
8386 } else if (tst == 5) {
8388 * We cause SSL_check_chain() to fail by specifying sig_algs that
8389 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8391 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8392 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8396 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
8397 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
8399 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
8406 SSL_free(serverssl);
8407 SSL_free(clientssl);
8410 SSL_CTX_free(snictx);
8416 static int test_cert_cb(int tst)
8420 #ifndef OPENSSL_NO_TLS1_2
8421 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
8423 #ifndef OSSL_NO_USABLE_TLS1_3
8424 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
8430 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
8435 BIO *priv_in = NULL;
8437 /* Check that SSL_get0_peer_certificate() returns something sensible */
8438 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
8441 in = BIO_new_file(cert, "r");
8445 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
8446 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
8447 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
8448 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
8466 static int test_client_cert_cb(int tst)
8468 SSL_CTX *cctx = NULL, *sctx = NULL;
8469 SSL *clientssl = NULL, *serverssl = NULL;
8472 #ifdef OPENSSL_NO_TLS1_2
8476 #ifdef OSSL_NO_USABLE_TLS1_3
8481 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8482 TLS_client_method(),
8484 tst == 0 ? TLS1_2_VERSION
8486 &sctx, &cctx, cert, privkey)))
8490 * Test that setting a client_cert_cb results in a client certificate being
8493 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
8494 SSL_CTX_set_verify(sctx,
8495 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
8498 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8500 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8507 SSL_free(serverssl);
8508 SSL_free(clientssl);
8515 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8517 * Test setting certificate authorities on both client and server.
8519 * Test 0: SSL_CTX_set0_CA_list() only
8520 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
8521 * Test 2: Only SSL_CTX_set_client_CA_list()
8523 static int test_ca_names_int(int prot, int tst)
8525 SSL_CTX *cctx = NULL, *sctx = NULL;
8526 SSL *clientssl = NULL, *serverssl = NULL;
8529 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
8530 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
8531 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
8532 const STACK_OF(X509_NAME) *sktmp = NULL;
8534 for (i = 0; i < OSSL_NELEM(name); i++) {
8535 name[i] = X509_NAME_new();
8536 if (!TEST_ptr(name[i])
8537 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
8545 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8546 TLS_client_method(),
8549 &sctx, &cctx, cert, privkey)))
8552 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
8554 if (tst == 0 || tst == 1) {
8555 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8556 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
8557 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
8558 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8559 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
8560 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
8563 SSL_CTX_set0_CA_list(sctx, sk1);
8564 SSL_CTX_set0_CA_list(cctx, sk2);
8567 if (tst == 1 || tst == 2) {
8568 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8569 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
8570 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
8571 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8572 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
8573 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
8576 SSL_CTX_set_client_CA_list(sctx, sk1);
8577 SSL_CTX_set_client_CA_list(cctx, sk2);
8581 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8583 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8588 * We only expect certificate authorities to have been sent to the server
8589 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
8591 sktmp = SSL_get0_peer_CA_list(serverssl);
8592 if (prot == TLS1_3_VERSION
8593 && (tst == 0 || tst == 1)) {
8594 if (!TEST_ptr(sktmp)
8595 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8596 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8598 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8601 } else if (!TEST_ptr_null(sktmp)) {
8606 * In all tests we expect certificate authorities to have been sent to the
8607 * client. However, SSL_set_client_CA_list() should override
8608 * SSL_set0_CA_list()
8610 sktmp = SSL_get0_peer_CA_list(clientssl);
8611 if (!TEST_ptr(sktmp)
8612 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8613 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8614 name[tst == 0 ? 0 : 2]), 0)
8615 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8616 name[tst == 0 ? 1 : 3]), 0))
8622 SSL_free(serverssl);
8623 SSL_free(clientssl);
8626 for (i = 0; i < OSSL_NELEM(name); i++)
8627 X509_NAME_free(name[i]);
8628 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
8629 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
8635 static int test_ca_names(int tst)
8639 #ifndef OPENSSL_NO_TLS1_2
8640 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
8642 #ifndef OSSL_NO_USABLE_TLS1_3
8643 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
8649 #ifndef OPENSSL_NO_TLS1_2
8650 static const char *multiblock_cipherlist_data[]=
8658 /* Reduce the fragment size - so the multiblock test buffer can be small */
8659 # define MULTIBLOCK_FRAGSIZE 512
8661 static int test_multiblock_write(int test_index)
8663 static const char *fetchable_ciphers[]=
8665 "AES-128-CBC-HMAC-SHA1",
8666 "AES-128-CBC-HMAC-SHA256",
8667 "AES-256-CBC-HMAC-SHA1",
8668 "AES-256-CBC-HMAC-SHA256"
8670 const char *cipherlist = multiblock_cipherlist_data[test_index];
8671 const SSL_METHOD *smeth = TLS_server_method();
8672 const SSL_METHOD *cmeth = TLS_client_method();
8673 int min_version = TLS1_VERSION;
8674 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
8675 SSL_CTX *cctx = NULL, *sctx = NULL;
8676 SSL *clientssl = NULL, *serverssl = NULL;
8680 * Choose a buffer large enough to perform a multi-block operation
8681 * i.e: write_len >= 4 * frag_size
8682 * 9 * is chosen so that multiple multiblocks are used + some leftover.
8684 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
8685 unsigned char buf[sizeof(msg)], *p = buf;
8686 size_t readbytes, written, len;
8687 EVP_CIPHER *ciph = NULL;
8690 * Check if the cipher exists before attempting to use it since it only has
8691 * a hardware specific implementation.
8693 ciph = EVP_CIPHER_fetch(libctx, fetchable_ciphers[test_index], "");
8695 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
8698 EVP_CIPHER_free(ciph);
8700 /* Set up a buffer with some data that will be sent to the client */
8701 RAND_bytes(msg, sizeof(msg));
8703 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
8704 max_version, &sctx, &cctx, cert,
8708 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
8711 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8715 /* settings to force it to use AES-CBC-HMAC_SHA */
8716 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
8717 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
8720 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8723 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8724 || !TEST_size_t_eq(written, sizeof(msg)))
8729 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
8734 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
8739 SSL_free(serverssl);
8740 SSL_free(clientssl);
8746 #endif /* OPENSSL_NO_TLS1_2 */
8748 static int test_session_timeout(int test)
8751 * Test session ordering and timeout
8752 * Can't explicitly test performance of the new code,
8753 * but can test to see if the ordering of the sessions
8754 * are correct, and they they are removed as expected
8756 SSL_SESSION *early = NULL;
8757 SSL_SESSION *middle = NULL;
8758 SSL_SESSION *late = NULL;
8761 long now = (long)time(NULL);
8764 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
8765 || !TEST_ptr(early = SSL_SESSION_new())
8766 || !TEST_ptr(middle = SSL_SESSION_new())
8767 || !TEST_ptr(late = SSL_SESSION_new()))
8770 /* assign unique session ids */
8771 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8772 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
8773 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8774 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
8775 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8776 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
8778 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8779 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8780 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8783 /* Make sure they are all added */
8784 if (!TEST_ptr(early->prev)
8785 || !TEST_ptr(middle->prev)
8786 || !TEST_ptr(late->prev))
8789 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
8790 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
8791 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
8794 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
8795 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
8796 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
8799 /* Make sure they are all still there */
8800 if (!TEST_ptr(early->prev)
8801 || !TEST_ptr(middle->prev)
8802 || !TEST_ptr(late->prev))
8805 /* Make sure they are in the expected order */
8806 if (!TEST_ptr_eq(late->next, middle)
8807 || !TEST_ptr_eq(middle->next, early)
8808 || !TEST_ptr_eq(early->prev, middle)
8809 || !TEST_ptr_eq(middle->prev, late))
8812 /* This should remove "early" */
8813 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1);
8814 if (!TEST_ptr_null(early->prev)
8815 || !TEST_ptr(middle->prev)
8816 || !TEST_ptr(late->prev))
8819 /* This should remove "middle" */
8820 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1);
8821 if (!TEST_ptr_null(early->prev)
8822 || !TEST_ptr_null(middle->prev)
8823 || !TEST_ptr(late->prev))
8826 /* This should remove "late" */
8827 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11);
8828 if (!TEST_ptr_null(early->prev)
8829 || !TEST_ptr_null(middle->prev)
8830 || !TEST_ptr_null(late->prev))
8833 /* Add them back in again */
8834 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8835 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8836 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8839 /* Make sure they are all added */
8840 if (!TEST_ptr(early->prev)
8841 || !TEST_ptr(middle->prev)
8842 || !TEST_ptr(late->prev))
8845 /* This should remove all of them */
8846 SSL_CTX_flush_sessions(ctx, 0);
8847 if (!TEST_ptr_null(early->prev)
8848 || !TEST_ptr_null(middle->prev)
8849 || !TEST_ptr_null(late->prev))
8852 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
8853 | SSL_CTX_get_session_cache_mode(ctx));
8855 /* make sure |now| is NOT equal to the current time */
8857 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
8858 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8859 || !TEST_long_ne(SSL_SESSION_get_time(early), now))
8865 SSL_SESSION_free(early);
8866 SSL_SESSION_free(middle);
8867 SSL_SESSION_free(late);
8872 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
8873 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
8874 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
8875 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
8876 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
8877 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
8878 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
8879 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
8880 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
8881 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
8883 static int test_servername(int tst)
8885 SSL_CTX *cctx = NULL, *sctx = NULL;
8886 SSL *clientssl = NULL, *serverssl = NULL;
8888 SSL_SESSION *sess = NULL;
8889 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
8891 #ifdef OPENSSL_NO_TLS1_2
8895 #ifdef OSSL_NO_USABLE_TLS1_3
8900 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8901 TLS_client_method(),
8903 (tst <= 4) ? TLS1_2_VERSION
8905 &sctx, &cctx, cert, privkey))
8906 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8910 if (tst != 1 && tst != 6) {
8911 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
8916 if (tst != 3 && tst != 8) {
8917 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
8919 sexpectedhost = cexpectedhost = "goodhost";
8922 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8925 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
8927 || !TEST_str_eq(SSL_get_servername(serverssl,
8928 TLSEXT_NAMETYPE_host_name),
8932 /* Now repeat with a resumption handshake */
8934 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
8935 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
8936 || !TEST_true(SSL_SESSION_is_resumable(sess))
8937 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
8940 SSL_free(clientssl);
8941 SSL_free(serverssl);
8942 clientssl = serverssl = NULL;
8944 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8948 if (!TEST_true(SSL_set_session(clientssl, sess)))
8951 sexpectedhost = cexpectedhost = "goodhost";
8952 if (tst == 2 || tst == 7) {
8953 /* Set an inconsistent hostname */
8954 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
8957 * In TLSv1.2 we expect the hostname from the original handshake, in
8958 * TLSv1.3 we expect the hostname from this handshake
8961 sexpectedhost = cexpectedhost = "altgoodhost";
8963 if (!TEST_str_eq(SSL_get_servername(clientssl,
8964 TLSEXT_NAMETYPE_host_name),
8967 } else if (tst == 4 || tst == 9) {
8969 * A TLSv1.3 session does not associate a session with a servername,
8970 * but a TLSv1.2 session does.
8973 sexpectedhost = cexpectedhost = NULL;
8975 if (!TEST_str_eq(SSL_get_servername(clientssl,
8976 TLSEXT_NAMETYPE_host_name),
8980 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
8983 * In a TLSv1.2 resumption where the hostname was not acknowledged
8984 * we expect the hostname on the server to be empty. On the client we
8985 * return what was requested in this case.
8987 * Similarly if the client didn't set a hostname on an original TLSv1.2
8988 * session but is now, the server hostname will be empty, but the client
8991 if (tst == 1 || tst == 3)
8992 sexpectedhost = NULL;
8994 if (!TEST_str_eq(SSL_get_servername(clientssl,
8995 TLSEXT_NAMETYPE_host_name),
9000 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9003 if (!TEST_true(SSL_session_reused(clientssl))
9004 || !TEST_true(SSL_session_reused(serverssl))
9005 || !TEST_str_eq(SSL_get_servername(clientssl,
9006 TLSEXT_NAMETYPE_host_name),
9008 || !TEST_str_eq(SSL_get_servername(serverssl,
9009 TLSEXT_NAMETYPE_host_name),
9016 SSL_SESSION_free(sess);
9017 SSL_free(serverssl);
9018 SSL_free(clientssl);
9025 #if !defined(OPENSSL_NO_EC) \
9026 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9028 * Test that if signature algorithms are not available, then we do not offer or
9030 * Test 0: Two RSA sig algs available: both RSA sig algs shared
9031 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
9032 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
9033 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
9034 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
9035 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
9037 static int test_sigalgs_available(int idx)
9039 SSL_CTX *cctx = NULL, *sctx = NULL;
9040 SSL *clientssl = NULL, *serverssl = NULL;
9042 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
9043 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
9044 OSSL_PROVIDER *filterprov = NULL;
9047 if (!TEST_ptr(tmpctx))
9050 if (idx != 0 && idx != 3) {
9051 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
9052 filter_provider_init)))
9055 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
9056 if (!TEST_ptr(filterprov))
9061 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
9062 * or accepted for the peer that uses this libctx. Note that libssl
9063 * *requires* SHA2-256 to be available so we cannot disable that. We
9064 * also need SHA1 for our certificate.
9066 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
9070 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
9072 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
9077 if (idx == 1 || idx == 4)
9083 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
9084 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
9085 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
9089 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9090 TLS_client_method(),
9093 &sctx, &cctx, cert, privkey)))
9096 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9097 TLS_client_method(),
9100 &sctx, &cctx, cert2, privkey2)))
9104 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
9106 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9107 "ECDHE-RSA-AES128-GCM-SHA256")))
9110 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9111 "ECDHE-ECDSA-AES128-GCM-SHA256")))
9116 if (!SSL_CTX_set1_sigalgs_list(cctx,
9117 "rsa_pss_rsae_sha384"
9118 ":rsa_pss_rsae_sha256")
9119 || !SSL_CTX_set1_sigalgs_list(sctx,
9120 "rsa_pss_rsae_sha384"
9121 ":rsa_pss_rsae_sha256"))
9124 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
9125 || !SSL_CTX_set1_sigalgs_list(sctx,
9126 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
9131 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
9132 SSL_FILETYPE_PEM), 1)
9133 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
9135 SSL_FILETYPE_PEM), 1)
9136 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
9139 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9143 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9146 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
9147 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
9149 (idx == 0 || idx == 3) ? 2 : 1))
9152 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
9155 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
9159 testresult = filter_provider_check_clean_finish();
9162 SSL_free(serverssl);
9163 SSL_free(clientssl);
9166 OSSL_PROVIDER_unload(filterprov);
9167 OSSL_LIB_CTX_free(tmpctx);
9172 * !defined(OPENSSL_NO_EC) \
9173 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9176 #ifndef OPENSSL_NO_TLS1_3
9177 /* This test can run in TLSv1.3 even if ec and dh are disabled */
9178 static int test_pluggable_group(int idx)
9180 SSL_CTX *cctx = NULL, *sctx = NULL;
9181 SSL *clientssl = NULL, *serverssl = NULL;
9183 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
9184 /* Check that we are not impacted by a provider without any groups */
9185 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
9186 const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
9188 if (!TEST_ptr(tlsprov))
9191 if (legacyprov == NULL) {
9193 * In this case we assume we've been built with "no-legacy" and skip
9194 * this test (there is no OPENSSL_NO_LEGACY)
9200 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9201 TLS_client_method(),
9204 &sctx, &cctx, cert, privkey))
9205 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9209 if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
9210 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
9213 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9216 if (!TEST_str_eq(group_name,
9217 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
9223 SSL_free(serverssl);
9224 SSL_free(clientssl);
9227 OSSL_PROVIDER_unload(tlsprov);
9228 OSSL_PROVIDER_unload(legacyprov);
9234 #ifndef OPENSSL_NO_TLS1_2
9235 static int test_ssl_dup(void)
9237 SSL_CTX *cctx = NULL, *sctx = NULL;
9238 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
9240 BIO *rbio = NULL, *wbio = NULL;
9242 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9243 TLS_client_method(),
9246 &sctx, &cctx, cert, privkey)))
9249 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9253 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
9254 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
9257 client2ssl = SSL_dup(clientssl);
9258 rbio = SSL_get_rbio(clientssl);
9260 || !TEST_true(BIO_up_ref(rbio)))
9262 SSL_set0_rbio(client2ssl, rbio);
9265 wbio = SSL_get_wbio(clientssl);
9266 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
9268 SSL_set0_wbio(client2ssl, wbio);
9271 if (!TEST_ptr(client2ssl)
9272 /* Handshake not started so pointers should be different */
9273 || !TEST_ptr_ne(clientssl, client2ssl))
9276 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
9277 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
9280 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
9283 SSL_free(clientssl);
9284 clientssl = SSL_dup(client2ssl);
9285 if (!TEST_ptr(clientssl)
9286 /* Handshake has finished so pointers should be the same */
9287 || !TEST_ptr_eq(clientssl, client2ssl))
9293 SSL_free(serverssl);
9294 SSL_free(clientssl);
9295 SSL_free(client2ssl);
9302 # ifndef OPENSSL_NO_DH
9304 static EVP_PKEY *tmp_dh_params = NULL;
9306 /* Helper function for the test_set_tmp_dh() tests */
9307 static EVP_PKEY *get_tmp_dh_params(void)
9309 if (tmp_dh_params == NULL) {
9311 OSSL_PARAM_BLD *tmpl = NULL;
9312 EVP_PKEY_CTX *pctx = NULL;
9313 OSSL_PARAM *params = NULL;
9314 EVP_PKEY *dhpkey = NULL;
9316 p = BN_get_rfc3526_prime_2048(NULL);
9320 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
9322 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
9325 tmpl = OSSL_PARAM_BLD_new();
9327 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
9328 OSSL_PKEY_PARAM_FFC_P,
9330 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
9331 OSSL_PKEY_PARAM_FFC_G,
9335 params = OSSL_PARAM_BLD_to_param(tmpl);
9336 if (!TEST_ptr(params)
9337 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
9338 EVP_PKEY_KEY_PARAMETERS,
9342 tmp_dh_params = dhpkey;
9345 EVP_PKEY_CTX_free(pctx);
9346 OSSL_PARAM_BLD_free(tmpl);
9347 OSSL_PARAM_free(params);
9350 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
9353 return tmp_dh_params;
9356 # ifndef OPENSSL_NO_DEPRECATED_3_0
9357 /* Callback used by test_set_tmp_dh() */
9358 static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
9360 EVP_PKEY *dhpkey = get_tmp_dh_params();
9363 if (!TEST_ptr(dhpkey))
9367 * libssl does not free the returned DH, so we free it now knowing that even
9368 * after we free dhpkey, there will still be a reference to the owning
9369 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
9370 * of time we need it for.
9372 ret = EVP_PKEY_get1_DH(dhpkey);
9375 EVP_PKEY_free(dhpkey);
9382 * Test the various methods for setting temporary DH parameters
9384 * Test 0: Default (no auto) setting
9385 * Test 1: Explicit SSL_CTX auto off
9386 * Test 2: Explicit SSL auto off
9387 * Test 3: Explicit SSL_CTX auto on
9388 * Test 4: Explicit SSL auto on
9389 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
9390 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
9392 * The following are testing deprecated APIs, so we only run them if available
9393 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
9394 * Test 8: Explicit SSL auto off, custom DH params via DH
9395 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
9396 * Test 10: Explicit SSL auto off, custom DH params via callback
9398 static int test_set_tmp_dh(int idx)
9400 SSL_CTX *cctx = NULL, *sctx = NULL;
9401 SSL *clientssl = NULL, *serverssl = NULL;
9403 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
9404 int expected = (idx <= 2) ? 0 : 1;
9405 EVP_PKEY *dhpkey = NULL;
9406 # ifndef OPENSSL_NO_DEPRECATED_3_0
9414 if (idx >= 5 && idx <= 8) {
9415 dhpkey = get_tmp_dh_params();
9416 if (!TEST_ptr(dhpkey))
9419 # ifndef OPENSSL_NO_DEPRECATED_3_0
9420 if (idx == 7 || idx == 8) {
9421 dh = EVP_PKEY_get1_DH(dhpkey);
9427 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9428 TLS_client_method(),
9431 &sctx, &cctx, cert, privkey)))
9434 if ((idx & 1) == 1) {
9435 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
9440 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
9444 # ifndef OPENSSL_NO_DEPRECATED_3_0
9445 else if (idx == 7) {
9446 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
9448 } else if (idx == 9) {
9449 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
9453 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9457 if ((idx & 1) == 0 && idx != 0) {
9458 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
9462 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
9466 # ifndef OPENSSL_NO_DEPRECATED_3_0
9467 else if (idx == 8) {
9468 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
9470 } else if (idx == 10) {
9471 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
9475 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9476 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9477 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
9481 * If autoon then we should succeed. Otherwise we expect failure because
9482 * there are no parameters
9484 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
9485 SSL_ERROR_NONE), expected))
9491 # ifndef OPENSSL_NO_DEPRECATED_3_0
9494 SSL_free(serverssl);
9495 SSL_free(clientssl);
9498 EVP_PKEY_free(dhpkey);
9504 * Test the auto DH keys are appropriately sized
9506 static int test_dh_auto(int idx)
9508 SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
9509 SSL_CTX *sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9510 SSL *clientssl = NULL, *serverssl = NULL;
9512 EVP_PKEY *tmpkey = NULL;
9513 char *thiscert = NULL, *thiskey = NULL;
9514 size_t expdhsize = 0;
9515 const char *ciphersuite = "DHE-RSA-AES128-SHA";
9517 if (!TEST_ptr(sctx) || !TEST_ptr(cctx))
9522 /* The FIPS provider doesn't support this DH size - so we ignore it */
9527 thiscert = cert1024;
9528 thiskey = privkey1024;
9530 SSL_CTX_set_security_level(sctx, 1);
9531 SSL_CTX_set_security_level(cctx, 1);
9534 /* 2048 bit prime */
9540 thiscert = cert3072;
9541 thiskey = privkey3072;
9545 thiscert = cert4096;
9546 thiskey = privkey4096;
9550 thiscert = cert8192;
9551 thiskey = privkey8192;
9554 /* No certificate cases */
9556 /* The FIPS provider doesn't support this DH size - so we ignore it */
9561 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
9565 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
9569 TEST_error("Invalid text index");
9573 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL,
9577 &sctx, &cctx, thiscert, thiskey)))
9580 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9584 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
9585 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9586 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9587 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
9588 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
9592 * Send the server's first flight. At this point the server has created the
9593 * temporary DH key but hasn't finished using it yet. Once used it is
9594 * removed, so we cannot test it.
9596 if (!TEST_int_le(SSL_connect(clientssl), 0)
9597 || !TEST_int_le(SSL_accept(serverssl), 0))
9600 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
9602 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
9605 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9611 SSL_free(serverssl);
9612 SSL_free(clientssl);
9615 EVP_PKEY_free(tmpkey);
9620 # endif /* OPENSSL_NO_DH */
9621 #endif /* OPENSSL_NO_TLS1_2 */
9623 #ifndef OSSL_NO_USABLE_TLS1_3
9625 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
9626 * that it works even without a certificate configured for the original
9629 static int test_sni_tls13(void)
9631 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
9632 SSL *clientssl = NULL, *serverssl = NULL;
9635 /* Reset callback counter */
9638 /* Create an initial SSL_CTX with no certificate configured */
9639 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9640 if (!TEST_ptr(sctx))
9642 /* Require TLSv1.3 as a minimum */
9643 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9644 TLS_client_method(), TLS1_3_VERSION, 0,
9645 &sctx2, &cctx, cert, privkey)))
9649 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
9650 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
9654 * Connection should still succeed because the final SSL_CTX has the right
9655 * certificates configured.
9657 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9658 &clientssl, NULL, NULL))
9659 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9663 /* We should have had the SNI callback called exactly once */
9664 if (!TEST_int_eq(snicb, 1))
9670 SSL_free(serverssl);
9671 SSL_free(clientssl);
9672 SSL_CTX_free(sctx2);
9679 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
9683 static int test_ticket_lifetime(int idx)
9685 SSL_CTX *cctx = NULL, *sctx = NULL;
9686 SSL *clientssl = NULL, *serverssl = NULL;
9688 int version = TLS1_3_VERSION;
9690 #define ONE_WEEK_SEC (7 * 24 * 60 * 60)
9691 #define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
9694 #ifdef OPENSSL_NO_TLS1_2
9695 return TEST_skip("TLS 1.2 is disabled.");
9697 version = TLS1_2_VERSION;
9701 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9702 TLS_client_method(), version, version,
9703 &sctx, &cctx, cert, privkey)))
9706 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9707 &clientssl, NULL, NULL)))
9711 * Set the timeout to be more than 1 week
9712 * make sure the returned value is the default
9714 if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
9715 SSL_get_default_timeout(serverssl)))
9718 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9722 /* TLSv1.2 uses the set value */
9723 if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC))
9726 /* TLSv1.3 uses the limited value */
9727 if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC))
9733 SSL_free(serverssl);
9734 SSL_free(clientssl);
9741 * Test that setting an ALPN does not violate RFC
9743 static int test_set_alpn(void)
9745 SSL_CTX *ctx = NULL;
9749 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
9750 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
9751 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
9752 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
9753 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
9754 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
9756 /* Create an initial SSL_CTX with no certificate configured */
9757 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9761 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
9762 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
9764 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
9766 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
9768 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
9770 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
9772 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
9774 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
9776 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
9778 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
9785 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
9787 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
9789 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
9791 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
9793 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
9795 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
9797 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
9799 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
9801 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
9813 * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
9815 static int test_set_verify_cert_store_ssl_ctx(void)
9817 SSL_CTX *ctx = NULL;
9819 X509_STORE *store = NULL, *new_store = NULL,
9820 *cstore = NULL, *new_cstore = NULL;
9822 /* Create an initial SSL_CTX. */
9823 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9827 /* Retrieve verify store pointer. */
9828 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
9831 /* Retrieve chain store pointer. */
9832 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
9835 /* We haven't set any yet, so this should be NULL. */
9836 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9839 /* Create stores. We use separate stores so pointers are different. */
9840 new_store = X509_STORE_new();
9841 if (!TEST_ptr(new_store))
9844 new_cstore = X509_STORE_new();
9845 if (!TEST_ptr(new_cstore))
9849 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store)))
9852 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore)))
9855 /* Should be able to retrieve the same pointer. */
9856 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
9859 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
9862 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
9865 /* Should be able to unset again. */
9866 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL)))
9869 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL)))
9872 /* Should now be NULL. */
9873 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
9876 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
9879 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9885 X509_STORE_free(new_store);
9886 X509_STORE_free(new_cstore);
9892 * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store.
9894 static int test_set_verify_cert_store_ssl(void)
9896 SSL_CTX *ctx = NULL;
9899 X509_STORE *store = NULL, *new_store = NULL,
9900 *cstore = NULL, *new_cstore = NULL;
9902 /* Create an initial SSL_CTX. */
9903 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9907 /* Create an SSL object. */
9912 /* Retrieve verify store pointer. */
9913 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
9916 /* Retrieve chain store pointer. */
9917 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
9920 /* We haven't set any yet, so this should be NULL. */
9921 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9924 /* Create stores. We use separate stores so pointers are different. */
9925 new_store = X509_STORE_new();
9926 if (!TEST_ptr(new_store))
9929 new_cstore = X509_STORE_new();
9930 if (!TEST_ptr(new_cstore))
9934 if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store)))
9937 if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore)))
9940 /* Should be able to retrieve the same pointer. */
9941 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
9944 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
9947 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
9950 /* Should be able to unset again. */
9951 if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL)))
9954 if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL)))
9957 /* Should now be NULL. */
9958 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
9961 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
9964 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9970 X509_STORE_free(new_store);
9971 X509_STORE_free(new_cstore);
9978 static int test_inherit_verify_param(void)
9982 SSL_CTX *ctx = NULL;
9983 X509_VERIFY_PARAM *cp = NULL;
9985 X509_VERIFY_PARAM *sp = NULL;
9986 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
9988 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9992 cp = SSL_CTX_get0_param(ctx);
9995 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
9998 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
10000 ssl = SSL_new(ctx);
10001 if (!TEST_ptr(ssl))
10004 sp = SSL_get0_param(ssl);
10007 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
10019 static int test_load_dhfile(void)
10021 #ifndef OPENSSL_NO_DH
10022 int testresult = 0;
10024 SSL_CTX *ctx = NULL;
10025 SSL_CONF_CTX *cctx = NULL;
10027 if (dhfile == NULL)
10030 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()))
10031 || !TEST_ptr(cctx = SSL_CONF_CTX_new()))
10034 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
10035 SSL_CONF_CTX_set_flags(cctx,
10036 SSL_CONF_FLAG_CERTIFICATE
10037 | SSL_CONF_FLAG_SERVER
10038 | SSL_CONF_FLAG_FILE);
10040 if (!TEST_int_eq(SSL_CONF_cmd(cctx, "DHParameters", dhfile), 2))
10045 SSL_CONF_CTX_free(cctx);
10050 return TEST_skip("DH not supported by this build");
10054 #ifndef OSSL_NO_USABLE_TLS1_3
10055 /* Test that read_ahead works across a key change */
10056 static int test_read_ahead_key_change(void)
10058 SSL_CTX *cctx = NULL, *sctx = NULL;
10059 SSL *clientssl = NULL, *serverssl = NULL;
10060 int testresult = 0;
10061 char *msg = "Hello World";
10062 size_t written, readbytes;
10066 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10067 TLS_client_method(), TLS1_3_VERSION, 0,
10068 &sctx, &cctx, cert, privkey)))
10071 SSL_CTX_set_read_ahead(sctx, 1);
10073 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10074 &clientssl, NULL, NULL)))
10077 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10080 /* Write some data, send a key update, write more data */
10081 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10082 || !TEST_size_t_eq(written, strlen(msg)))
10085 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
10088 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10089 || !TEST_size_t_eq(written, strlen(msg)))
10093 * Since read_ahead is on the first read below should read the record with
10094 * the first app data, the second record with the key update message, and
10095 * the third record with the app data all in one go. We should be able to
10096 * still process the read_ahead data correctly even though it crosses
10099 for (i = 0; i < 2; i++) {
10100 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
10104 buf[readbytes] = '\0';
10105 if (!TEST_str_eq(buf, msg))
10112 SSL_free(serverssl);
10113 SSL_free(clientssl);
10114 SSL_CTX_free(sctx);
10115 SSL_CTX_free(cctx);
10119 static size_t record_pad_cb(SSL *s, int type, size_t len, void *arg)
10123 switch ((*called)++) {
10125 /* Add some padding to first record */
10128 /* Maximally pad the second record */
10129 return SSL3_RT_MAX_PLAIN_LENGTH - len;
10132 * Exceeding the maximum padding should be fine. It should just pad to
10133 * the maximum anyway
10135 return SSL3_RT_MAX_PLAIN_LENGTH + 1 - len;
10138 * Very large padding should also be ok. Should just pad to the maximum
10148 * Test that setting record padding in TLSv1.3 works as expected
10149 * Test 0: Record padding callback on the SSL_CTX
10150 * Test 1: Record padding callback on the SSL
10151 * Test 2: Record block padding on the SSL_CTX
10152 * Test 3: Record block padding on the SSL
10154 static int test_tls13_record_padding(int idx)
10156 SSL_CTX *cctx = NULL, *sctx = NULL;
10157 SSL *clientssl = NULL, *serverssl = NULL;
10158 int testresult = 0;
10159 char *msg = "Hello World";
10160 size_t written, readbytes;
10165 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10166 TLS_client_method(), TLS1_3_VERSION, 0,
10167 &sctx, &cctx, cert, privkey)))
10171 SSL_CTX_set_record_padding_callback(cctx, record_pad_cb);
10172 SSL_CTX_set_record_padding_callback_arg(cctx, &called);
10173 if (!TEST_ptr_eq(SSL_CTX_get_record_padding_callback_arg(cctx), &called))
10175 } else if (idx == 2) {
10176 /* Exceeding the max plain length should fail */
10177 if (!TEST_false(SSL_CTX_set_block_padding(cctx,
10178 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
10180 if (!TEST_true(SSL_CTX_set_block_padding(cctx, 512)))
10184 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10185 &clientssl, NULL, NULL)))
10189 SSL_set_record_padding_callback(clientssl, record_pad_cb);
10190 SSL_set_record_padding_callback_arg(clientssl, &called);
10191 if (!TEST_ptr_eq(SSL_get_record_padding_callback_arg(clientssl), &called))
10193 } else if (idx == 3) {
10194 /* Exceeding the max plain length should fail */
10195 if (!TEST_false(SSL_set_block_padding(clientssl,
10196 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
10198 if (!TEST_true(SSL_set_block_padding(clientssl, 512)))
10202 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10207 * Write some data, then check we can read it. Do this four times to check
10208 * we can continue to write and read padded data after the initial record
10209 * padding has been added. We don't actually check that the padding has
10210 * been applied to the record - just that we can continue to communicate
10211 * normally and that the callback has been called (if appropriate).
10213 for (i = 0; i < 4; i++) {
10214 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10215 || !TEST_size_t_eq(written, strlen(msg)))
10218 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
10220 || !TEST_size_t_eq(written, readbytes))
10223 buf[readbytes] = '\0';
10224 if (!TEST_str_eq(buf, msg))
10228 if ((idx == 0 || idx == 1) && !TEST_int_eq(called, 4))
10233 SSL_free(serverssl);
10234 SSL_free(clientssl);
10235 SSL_CTX_free(sctx);
10236 SSL_CTX_free(cctx);
10239 #endif /* OSSL_NO_USABLE_TLS1_3 */
10241 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
10243 * Test TLSv1.2 with a pipeline capable cipher. TLSv1.3 and DTLS do not
10244 * support this yet. The only pipeline capable cipher that we have is in the
10245 * dasync engine (providers don't support this yet), so we have to use
10246 * deprecated APIs for this test.
10248 * Test 0: Client has pipelining enabled, server does not
10249 * Test 1: Server has pipelining enabled, client does not
10250 * Test 2: Client has pipelining enabled, server does not: not enough data to
10251 * fill all the pipelines
10252 * Test 3: Client has pipelining enabled, server does not: not enough data to
10253 * fill all the pipelines by more than a full pipeline's worth
10254 * Test 4: Client has pipelining enabled, server does not: more data than all
10255 * the available pipelines can take
10256 * Test 5: Client has pipelining enabled, server does not: Maximum size pipeline
10258 static int test_pipelining(int idx)
10260 SSL_CTX *cctx = NULL, *sctx = NULL;
10261 SSL *clientssl = NULL, *serverssl = NULL, *peera, *peerb;
10262 int testresult = 0, numreads;
10263 /* A 55 byte message */
10264 unsigned char *msg = (unsigned char *)
10265 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123";
10266 size_t written, readbytes, offset, msglen, fragsize = 10, numpipes = 5;
10267 size_t expectedreads;
10268 unsigned char *buf = NULL;
10271 if (!TEST_ptr(e = ENGINE_by_id("dasync")))
10274 if (!TEST_true(ENGINE_init(e))) {
10279 if (!TEST_true(ENGINE_register_ciphers(e)))
10282 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10283 TLS_client_method(), 0,
10284 TLS1_2_VERSION, &sctx, &cctx, cert,
10288 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10289 &clientssl, NULL, NULL)))
10292 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES128-SHA")))
10295 /* peera is always configured for pipelining, while peerb is not. */
10307 /* Maximum allowed fragment size */
10308 fragsize = SSL3_RT_MAX_PLAIN_LENGTH;
10309 msglen = fragsize * numpipes;
10310 msg = OPENSSL_malloc(msglen);
10311 if (!TEST_ptr(msg))
10313 if (!TEST_int_gt(RAND_bytes_ex(libctx, msg, msglen, 0), 0))
10315 } else if (idx == 4) {
10321 msglen -= 2; /* Send 2 less bytes */
10323 msglen -= 12; /* Send 12 less bytes */
10325 buf = OPENSSL_malloc(msglen);
10326 if (!TEST_ptr(buf))
10331 * Test that setting a split send fragment longer than the maximum
10334 if (!TEST_false(SSL_set_split_send_fragment(peera, fragsize + 1)))
10339 * In the normal case. We have 5 pipelines with 10 bytes per pipeline
10340 * (50 bytes in total). This is a ridiculously small number of bytes -
10341 * but sufficient for our purposes
10343 if (!TEST_true(SSL_set_max_pipelines(peera, numpipes))
10344 || !TEST_true(SSL_set_split_send_fragment(peera, fragsize)))
10347 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10350 /* Write some data from peera to peerb */
10351 if (!TEST_true(SSL_write_ex(peera, msg, msglen, &written))
10352 || !TEST_size_t_eq(written, msglen))
10356 * If the pipelining code worked, then we expect all |numpipes| pipelines to
10357 * have been used - except in test 3 where only |numpipes - 1| pipelines
10358 * will be used. This will result in |numpipes| records (|numpipes - 1| for
10359 * test 3) having been sent to peerb. Since peerb is not using read_ahead we
10360 * expect this to be read in |numpipes| or |numpipes - 1| separate
10361 * SSL_read_ex calls. In the case of test 4, there is then one additional
10362 * read for left over data that couldn't fit in the previous pipelines
10364 for (offset = 0, numreads = 0;
10366 offset += readbytes, numreads++) {
10367 if (!TEST_true(SSL_read_ex(peerb, buf + offset,
10368 msglen - offset, &readbytes)))
10372 expectedreads = idx == 4 ? numpipes + 1
10373 : (idx == 3 ? numpipes - 1 : numpipes);
10374 if (!TEST_mem_eq(msg, msglen, buf, offset)
10375 || !TEST_int_eq(numreads, expectedreads))
10379 * Write some data from peerb to peera. We do this in up to |numpipes + 1|
10380 * chunks to exercise the read pipelining code on peera.
10382 for (offset = 0; offset < msglen; offset += fragsize) {
10383 size_t sendlen = msglen - offset;
10385 if (sendlen > fragsize)
10386 sendlen = fragsize;
10387 if (!TEST_true(SSL_write_ex(peerb, msg + offset, sendlen, &written))
10388 || !TEST_size_t_eq(written, sendlen))
10393 * The data was written in |numpipes|, |numpipes - 1| or |numpipes + 1|
10394 * separate chunks (depending on which test we are running). If the
10395 * pipelining is working then we expect peera to read up to numpipes chunks
10396 * and process them in parallel, giving back the complete result in a single
10397 * call to SSL_read_ex
10399 if (!TEST_true(SSL_read_ex(peera, buf, msglen, &readbytes))
10400 || !TEST_size_t_le(readbytes, msglen))
10406 if (!TEST_true(SSL_read_ex(peera, buf + readbytes,
10407 msglen - readbytes, &readbytes2)))
10409 readbytes += readbytes2;
10410 if (!TEST_size_t_le(readbytes, msglen))
10414 if (!TEST_mem_eq(msg, msglen, buf, readbytes))
10419 SSL_free(serverssl);
10420 SSL_free(clientssl);
10421 SSL_CTX_free(sctx);
10422 SSL_CTX_free(cctx);
10423 ENGINE_unregister_ciphers(e);
10431 #endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) */
10433 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
10435 int setup_tests(void)
10440 libctx = OSSL_LIB_CTX_new();
10441 if (!TEST_ptr(libctx))
10444 defctxnull = OSSL_PROVIDER_load(NULL, "null");
10447 * Verify that the default and fips providers in the default libctx are not
10450 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
10451 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
10454 if (!test_skip_common_options()) {
10455 TEST_error("Error parsing test options\n");
10459 if (!TEST_ptr(certsdir = test_get_argument(0))
10460 || !TEST_ptr(srpvfile = test_get_argument(1))
10461 || !TEST_ptr(tmpfilename = test_get_argument(2))
10462 || !TEST_ptr(modulename = test_get_argument(3))
10463 || !TEST_ptr(configfile = test_get_argument(4))
10464 || !TEST_ptr(dhfile = test_get_argument(5)))
10467 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
10470 /* Check we have the expected provider available */
10471 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
10474 /* Check the default provider is not available */
10475 if (strcmp(modulename, "default") != 0
10476 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
10479 if (strcmp(modulename, "fips") == 0)
10483 * We add, but don't load the test "tls-provider". We'll load it when we
10486 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
10487 tls_provider_init)))
10491 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
10492 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
10493 TEST_error("not supported in this build");
10496 int i, mcount, rcount, fcount;
10498 for (i = 0; i < 4; i++)
10499 test_export_key_mat(i);
10500 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
10501 test_printf_stdout("malloc %d realloc %d free %d\n",
10502 mcount, rcount, fcount);
10507 cert = test_mk_file_path(certsdir, "servercert.pem");
10511 privkey = test_mk_file_path(certsdir, "serverkey.pem");
10512 if (privkey == NULL)
10515 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
10519 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
10520 if (privkey2 == NULL)
10523 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
10524 if (cert1024 == NULL)
10527 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
10528 if (privkey1024 == NULL)
10531 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
10532 if (cert3072 == NULL)
10535 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
10536 if (privkey3072 == NULL)
10539 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
10540 if (cert4096 == NULL)
10543 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
10544 if (privkey4096 == NULL)
10547 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
10548 if (cert8192 == NULL)
10551 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
10552 if (privkey8192 == NULL)
10555 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
10556 # if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
10557 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
10558 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS * 2);
10561 ADD_TEST(test_large_message_tls);
10562 ADD_TEST(test_large_message_tls_read_ahead);
10563 #ifndef OPENSSL_NO_DTLS
10564 ADD_TEST(test_large_message_dtls);
10566 ADD_TEST(test_cleanse_plaintext);
10567 #ifndef OPENSSL_NO_OCSP
10568 ADD_TEST(test_tlsext_status_type);
10570 ADD_TEST(test_session_with_only_int_cache);
10571 ADD_TEST(test_session_with_only_ext_cache);
10572 ADD_TEST(test_session_with_both_cache);
10573 ADD_TEST(test_session_wo_ca_names);
10574 #ifndef OSSL_NO_USABLE_TLS1_3
10575 ADD_ALL_TESTS(test_stateful_tickets, 3);
10576 ADD_ALL_TESTS(test_stateless_tickets, 3);
10577 ADD_TEST(test_psk_tickets);
10578 ADD_ALL_TESTS(test_extra_tickets, 6);
10580 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
10581 ADD_TEST(test_ssl_bio_pop_next_bio);
10582 ADD_TEST(test_ssl_bio_pop_ssl_bio);
10583 ADD_TEST(test_ssl_bio_change_rbio);
10584 ADD_TEST(test_ssl_bio_change_wbio);
10585 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
10586 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
10587 ADD_TEST(test_keylog);
10589 #ifndef OSSL_NO_USABLE_TLS1_3
10590 ADD_TEST(test_keylog_no_master_key);
10592 ADD_TEST(test_client_cert_verify_cb);
10593 ADD_TEST(test_ssl_build_cert_chain);
10594 ADD_TEST(test_ssl_ctx_build_cert_chain);
10595 #ifndef OPENSSL_NO_TLS1_2
10596 ADD_TEST(test_client_hello_cb);
10597 ADD_TEST(test_no_ems);
10598 ADD_TEST(test_ccs_change_cipher);
10600 #ifndef OSSL_NO_USABLE_TLS1_3
10601 ADD_ALL_TESTS(test_early_data_read_write, 3);
10603 * We don't do replay tests for external PSK. Replay protection isn't used
10604 * in that scenario.
10606 ADD_ALL_TESTS(test_early_data_replay, 2);
10607 ADD_ALL_TESTS(test_early_data_skip, 3);
10608 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
10609 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
10610 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
10611 ADD_ALL_TESTS(test_early_data_not_sent, 3);
10612 ADD_ALL_TESTS(test_early_data_psk, 8);
10613 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
10614 ADD_ALL_TESTS(test_early_data_not_expected, 3);
10615 # ifndef OPENSSL_NO_TLS1_2
10616 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
10619 #ifndef OSSL_NO_USABLE_TLS1_3
10620 ADD_ALL_TESTS(test_set_ciphersuite, 10);
10621 ADD_TEST(test_ciphersuite_change);
10622 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
10623 # ifdef OPENSSL_NO_PSK
10624 ADD_ALL_TESTS(test_tls13_psk, 1);
10626 ADD_ALL_TESTS(test_tls13_psk, 4);
10627 # endif /* OPENSSL_NO_PSK */
10628 # ifndef OPENSSL_NO_TLS1_2
10629 /* Test with both TLSv1.3 and 1.2 versions */
10630 ADD_ALL_TESTS(test_key_exchange, 14);
10631 # if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
10632 ADD_ALL_TESTS(test_negotiated_group,
10633 4 * (OSSL_NELEM(ecdhe_kexch_groups)
10634 + OSSL_NELEM(ffdhe_kexch_groups)));
10637 /* Test with only TLSv1.3 versions */
10638 ADD_ALL_TESTS(test_key_exchange, 12);
10640 ADD_ALL_TESTS(test_custom_exts, 6);
10641 ADD_TEST(test_stateless);
10642 ADD_TEST(test_pha_key_update);
10644 ADD_ALL_TESTS(test_custom_exts, 3);
10646 ADD_ALL_TESTS(test_export_key_mat, 6);
10647 #ifndef OSSL_NO_USABLE_TLS1_3
10648 ADD_ALL_TESTS(test_export_key_mat_early, 3);
10649 ADD_TEST(test_key_update);
10650 ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
10651 ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
10652 ADD_ALL_TESTS(test_key_update_local_in_write, 2);
10653 ADD_ALL_TESTS(test_key_update_local_in_read, 2);
10655 ADD_ALL_TESTS(test_ssl_clear, 2);
10656 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
10657 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
10658 ADD_ALL_TESTS(test_srp, 6);
10660 #if !defined(OPENSSL_NO_COMP_ALG)
10661 /* Add compression case */
10662 ADD_ALL_TESTS(test_info_callback, 8);
10664 ADD_ALL_TESTS(test_info_callback, 6);
10666 ADD_ALL_TESTS(test_ssl_pending, 2);
10667 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
10668 ADD_ALL_TESTS(test_ticket_callbacks, 20);
10669 ADD_ALL_TESTS(test_shutdown, 7);
10670 ADD_TEST(test_async_shutdown);
10671 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
10672 ADD_ALL_TESTS(test_cert_cb, 6);
10673 ADD_ALL_TESTS(test_client_cert_cb, 2);
10674 ADD_ALL_TESTS(test_ca_names, 3);
10675 #ifndef OPENSSL_NO_TLS1_2
10676 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
10678 ADD_ALL_TESTS(test_servername, 10);
10679 #if !defined(OPENSSL_NO_EC) \
10680 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
10681 ADD_ALL_TESTS(test_sigalgs_available, 6);
10683 #ifndef OPENSSL_NO_TLS1_3
10684 ADD_ALL_TESTS(test_pluggable_group, 2);
10686 #ifndef OPENSSL_NO_TLS1_2
10687 ADD_TEST(test_ssl_dup);
10688 # ifndef OPENSSL_NO_DH
10689 ADD_ALL_TESTS(test_set_tmp_dh, 11);
10690 ADD_ALL_TESTS(test_dh_auto, 7);
10693 #ifndef OSSL_NO_USABLE_TLS1_3
10694 ADD_TEST(test_sni_tls13);
10695 ADD_ALL_TESTS(test_ticket_lifetime, 2);
10697 ADD_TEST(test_inherit_verify_param);
10698 ADD_TEST(test_set_alpn);
10699 ADD_TEST(test_set_verify_cert_store_ssl_ctx);
10700 ADD_TEST(test_set_verify_cert_store_ssl);
10701 ADD_ALL_TESTS(test_session_timeout, 1);
10702 ADD_TEST(test_load_dhfile);
10703 #ifndef OSSL_NO_USABLE_TLS1_3
10704 ADD_TEST(test_read_ahead_key_change);
10705 ADD_ALL_TESTS(test_tls13_record_padding, 4);
10707 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
10708 ADD_ALL_TESTS(test_serverinfo_custom, 4);
10710 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
10711 ADD_ALL_TESTS(test_pipelining, 6);
10716 OPENSSL_free(cert);
10717 OPENSSL_free(privkey);
10718 OPENSSL_free(cert2);
10719 OPENSSL_free(privkey2);
10723 void cleanup_tests(void)
10725 # if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
10726 EVP_PKEY_free(tmp_dh_params);
10728 OPENSSL_free(cert);
10729 OPENSSL_free(privkey);
10730 OPENSSL_free(cert2);
10731 OPENSSL_free(privkey2);
10732 OPENSSL_free(cert1024);
10733 OPENSSL_free(privkey1024);
10734 OPENSSL_free(cert3072);
10735 OPENSSL_free(privkey3072);
10736 OPENSSL_free(cert4096);
10737 OPENSSL_free(privkey4096);
10738 OPENSSL_free(cert8192);
10739 OPENSSL_free(privkey8192);
10740 bio_s_mempacket_test_free();
10741 bio_s_always_retry_free();
10742 OSSL_PROVIDER_unload(defctxnull);
10743 OSSL_LIB_CTX_free(libctx);
projects / openssl.git / blob