2 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/provider.h>
33 #include "ssltestlib.h"
35 #include "testutil/output.h"
36 #include "internal/nelem.h"
37 #include "internal/ktls.h"
38 #include "../ssl/ssl_local.h"
40 DEFINE_STACK_OF(OCSP_RESPID)
42 DEFINE_STACK_OF(X509_NAME)
44 static OPENSSL_CTX *libctx = NULL;
45 static OSSL_PROVIDER *defctxnull = NULL;
47 #ifndef OPENSSL_NO_TLS1_3
49 static SSL_SESSION *clientpsk = NULL;
50 static SSL_SESSION *serverpsk = NULL;
51 static const char *pskid = "Identity";
52 static const char *srvid;
54 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
55 size_t *idlen, SSL_SESSION **sess);
56 static int find_session_cb(SSL *ssl, const unsigned char *identity,
57 size_t identity_len, SSL_SESSION **sess);
59 static int use_session_cb_cnt = 0;
60 static int find_session_cb_cnt = 0;
62 static SSL_SESSION *create_a_psk(SSL *ssl);
65 static char *certsdir = NULL;
66 static char *cert = NULL;
67 static char *privkey = NULL;
68 static char *srpvfile = NULL;
69 static char *tmpfilename = NULL;
71 static int is_fips = 0;
73 #define LOG_BUFFER_SIZE 2048
74 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
75 static size_t server_log_buffer_index = 0;
76 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
77 static size_t client_log_buffer_index = 0;
78 static int error_writing_log = 0;
80 #ifndef OPENSSL_NO_OCSP
81 static const unsigned char orespder[] = "Dummy OCSP Response";
82 static int ocsp_server_called = 0;
83 static int ocsp_client_called = 0;
85 static int cdummyarg = 1;
86 static X509 *ocspcert = NULL;
89 #define NUM_EXTRA_CERTS 40
90 #define CLIENT_VERSION_LEN 2
93 * This structure is used to validate that the correct number of log messages
94 * of various types are emitted when emitting secret logs.
96 struct sslapitest_log_counts {
97 unsigned int rsa_key_exchange_count;
98 unsigned int master_secret_count;
99 unsigned int client_early_secret_count;
100 unsigned int client_handshake_secret_count;
101 unsigned int server_handshake_secret_count;
102 unsigned int client_application_secret_count;
103 unsigned int server_application_secret_count;
104 unsigned int early_exporter_secret_count;
105 unsigned int exporter_secret_count;
109 static unsigned char serverinfov1[] = {
110 0xff, 0xff, /* Dummy extension type */
111 0x00, 0x01, /* Extension length is 1 byte */
112 0xff /* Dummy extension data */
115 static unsigned char serverinfov2[] = {
117 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
118 0xff, 0xff, /* Dummy extension type */
119 0x00, 0x01, /* Extension length is 1 byte */
120 0xff /* Dummy extension data */
123 static int hostname_cb(SSL *s, int *al, void *arg)
125 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
127 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
128 || strcmp(hostname, "altgoodhost") == 0))
129 return SSL_TLSEXT_ERR_OK;
131 return SSL_TLSEXT_ERR_NOACK;
134 static void client_keylog_callback(const SSL *ssl, const char *line)
136 int line_length = strlen(line);
138 /* If the log doesn't fit, error out. */
139 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
140 TEST_info("Client log too full");
141 error_writing_log = 1;
145 strcat(client_log_buffer, line);
146 client_log_buffer_index += line_length;
147 client_log_buffer[client_log_buffer_index++] = '\n';
150 static void server_keylog_callback(const SSL *ssl, const char *line)
152 int line_length = strlen(line);
154 /* If the log doesn't fit, error out. */
155 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
156 TEST_info("Server log too full");
157 error_writing_log = 1;
161 strcat(server_log_buffer, line);
162 server_log_buffer_index += line_length;
163 server_log_buffer[server_log_buffer_index++] = '\n';
166 static int compare_hex_encoded_buffer(const char *hex_encoded,
174 if (!TEST_size_t_eq(raw_length * 2, hex_length))
177 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
178 sprintf(hexed, "%02x", raw[i]);
179 if (!TEST_int_eq(hexed[0], hex_encoded[j])
180 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
187 static int test_keylog_output(char *buffer, const SSL *ssl,
188 const SSL_SESSION *session,
189 struct sslapitest_log_counts *expected)
192 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
193 size_t client_random_size = SSL3_RANDOM_SIZE;
194 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
195 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
196 unsigned int rsa_key_exchange_count = 0;
197 unsigned int master_secret_count = 0;
198 unsigned int client_early_secret_count = 0;
199 unsigned int client_handshake_secret_count = 0;
200 unsigned int server_handshake_secret_count = 0;
201 unsigned int client_application_secret_count = 0;
202 unsigned int server_application_secret_count = 0;
203 unsigned int early_exporter_secret_count = 0;
204 unsigned int exporter_secret_count = 0;
206 for (token = strtok(buffer, " \n"); token != NULL;
207 token = strtok(NULL, " \n")) {
208 if (strcmp(token, "RSA") == 0) {
210 * Premaster secret. Tokens should be: 16 ASCII bytes of
211 * hex-encoded encrypted secret, then the hex-encoded pre-master
214 if (!TEST_ptr(token = strtok(NULL, " \n")))
216 if (!TEST_size_t_eq(strlen(token), 16))
218 if (!TEST_ptr(token = strtok(NULL, " \n")))
221 * We can't sensibly check the log because the premaster secret is
222 * transient, and OpenSSL doesn't keep hold of it once the master
223 * secret is generated.
225 rsa_key_exchange_count++;
226 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
228 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
229 * client random, then the hex-encoded master secret.
231 client_random_size = SSL_get_client_random(ssl,
232 actual_client_random,
234 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
237 if (!TEST_ptr(token = strtok(NULL, " \n")))
239 if (!TEST_size_t_eq(strlen(token), 64))
241 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
242 actual_client_random,
243 client_random_size)))
246 if (!TEST_ptr(token = strtok(NULL, " \n")))
248 master_key_size = SSL_SESSION_get_master_key(session,
251 if (!TEST_size_t_ne(master_key_size, 0))
253 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
257 master_secret_count++;
258 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
259 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
260 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
261 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
262 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
263 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
264 || strcmp(token, "EXPORTER_SECRET") == 0) {
266 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
267 * client random, and then the hex-encoded secret. In this case,
268 * we treat all of these secrets identically and then just
269 * distinguish between them when counting what we saw.
271 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
272 client_early_secret_count++;
273 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
274 client_handshake_secret_count++;
275 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
276 server_handshake_secret_count++;
277 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
278 client_application_secret_count++;
279 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
280 server_application_secret_count++;
281 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
282 early_exporter_secret_count++;
283 else if (strcmp(token, "EXPORTER_SECRET") == 0)
284 exporter_secret_count++;
286 client_random_size = SSL_get_client_random(ssl,
287 actual_client_random,
289 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
292 if (!TEST_ptr(token = strtok(NULL, " \n")))
294 if (!TEST_size_t_eq(strlen(token), 64))
296 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
297 actual_client_random,
298 client_random_size)))
301 if (!TEST_ptr(token = strtok(NULL, " \n")))
305 * TODO(TLS1.3): test that application traffic secrets are what
308 TEST_info("Unexpected token %s\n", token);
313 /* Got what we expected? */
314 if (!TEST_size_t_eq(rsa_key_exchange_count,
315 expected->rsa_key_exchange_count)
316 || !TEST_size_t_eq(master_secret_count,
317 expected->master_secret_count)
318 || !TEST_size_t_eq(client_early_secret_count,
319 expected->client_early_secret_count)
320 || !TEST_size_t_eq(client_handshake_secret_count,
321 expected->client_handshake_secret_count)
322 || !TEST_size_t_eq(server_handshake_secret_count,
323 expected->server_handshake_secret_count)
324 || !TEST_size_t_eq(client_application_secret_count,
325 expected->client_application_secret_count)
326 || !TEST_size_t_eq(server_application_secret_count,
327 expected->server_application_secret_count)
328 || !TEST_size_t_eq(early_exporter_secret_count,
329 expected->early_exporter_secret_count)
330 || !TEST_size_t_eq(exporter_secret_count,
331 expected->exporter_secret_count))
336 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
337 static int test_keylog(void)
339 SSL_CTX *cctx = NULL, *sctx = NULL;
340 SSL *clientssl = NULL, *serverssl = NULL;
342 struct sslapitest_log_counts expected;
344 /* Clean up logging space */
345 memset(&expected, 0, sizeof(expected));
346 memset(client_log_buffer, 0, sizeof(client_log_buffer));
347 memset(server_log_buffer, 0, sizeof(server_log_buffer));
348 client_log_buffer_index = 0;
349 server_log_buffer_index = 0;
350 error_writing_log = 0;
352 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
355 &sctx, &cctx, cert, privkey)))
358 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
359 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
360 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
362 /* We also want to ensure that we use RSA-based key exchange. */
363 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
366 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
367 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
369 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
370 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
371 == client_keylog_callback))
373 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
374 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
375 == server_keylog_callback))
378 /* Now do a handshake and check that the logs have been written to. */
379 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
380 &clientssl, NULL, NULL))
381 || !TEST_true(create_ssl_connection(serverssl, clientssl,
383 || !TEST_false(error_writing_log)
384 || !TEST_int_gt(client_log_buffer_index, 0)
385 || !TEST_int_gt(server_log_buffer_index, 0))
389 * Now we want to test that our output data was vaguely sensible. We
390 * do that by using strtok and confirming that we have more or less the
391 * data we expect. For both client and server, we expect to see one master
392 * secret. The client should also see a RSA key exchange.
394 expected.rsa_key_exchange_count = 1;
395 expected.master_secret_count = 1;
396 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
397 SSL_get_session(clientssl), &expected)))
400 expected.rsa_key_exchange_count = 0;
401 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
402 SSL_get_session(serverssl), &expected)))
417 #ifndef OPENSSL_NO_TLS1_3
418 static int test_keylog_no_master_key(void)
420 SSL_CTX *cctx = NULL, *sctx = NULL;
421 SSL *clientssl = NULL, *serverssl = NULL;
422 SSL_SESSION *sess = NULL;
424 struct sslapitest_log_counts expected;
425 unsigned char buf[1];
426 size_t readbytes, written;
428 /* Clean up logging space */
429 memset(&expected, 0, sizeof(expected));
430 memset(client_log_buffer, 0, sizeof(client_log_buffer));
431 memset(server_log_buffer, 0, sizeof(server_log_buffer));
432 client_log_buffer_index = 0;
433 server_log_buffer_index = 0;
434 error_writing_log = 0;
436 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
437 TLS_client_method(), TLS1_VERSION, 0,
438 &sctx, &cctx, cert, privkey))
439 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
440 SSL3_RT_MAX_PLAIN_LENGTH)))
443 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
444 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
447 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
448 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
449 == client_keylog_callback))
452 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
453 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
454 == server_keylog_callback))
457 /* Now do a handshake and check that the logs have been written to. */
458 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
459 &clientssl, NULL, NULL))
460 || !TEST_true(create_ssl_connection(serverssl, clientssl,
462 || !TEST_false(error_writing_log))
466 * Now we want to test that our output data was vaguely sensible. For this
467 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
468 * TLSv1.3, but we do expect both client and server to emit keys.
470 expected.client_handshake_secret_count = 1;
471 expected.server_handshake_secret_count = 1;
472 expected.client_application_secret_count = 1;
473 expected.server_application_secret_count = 1;
474 expected.exporter_secret_count = 1;
475 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
476 SSL_get_session(clientssl), &expected))
477 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
478 SSL_get_session(serverssl),
482 /* Terminate old session and resume with early data. */
483 sess = SSL_get1_session(clientssl);
484 SSL_shutdown(clientssl);
485 SSL_shutdown(serverssl);
488 serverssl = clientssl = NULL;
491 memset(client_log_buffer, 0, sizeof(client_log_buffer));
492 memset(server_log_buffer, 0, sizeof(server_log_buffer));
493 client_log_buffer_index = 0;
494 server_log_buffer_index = 0;
496 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
497 &clientssl, NULL, NULL))
498 || !TEST_true(SSL_set_session(clientssl, sess))
499 /* Here writing 0 length early data is enough. */
500 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
501 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
503 SSL_READ_EARLY_DATA_ERROR)
504 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
505 SSL_EARLY_DATA_ACCEPTED)
506 || !TEST_true(create_ssl_connection(serverssl, clientssl,
508 || !TEST_true(SSL_session_reused(clientssl)))
511 /* In addition to the previous entries, expect early secrets. */
512 expected.client_early_secret_count = 1;
513 expected.early_exporter_secret_count = 1;
514 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
515 SSL_get_session(clientssl), &expected))
516 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
517 SSL_get_session(serverssl),
524 SSL_SESSION_free(sess);
534 #ifndef OPENSSL_NO_TLS1_2
535 static int full_client_hello_callback(SSL *s, int *al, void *arg)
538 const unsigned char *p;
540 /* We only configure two ciphers, but the SCSV is added automatically. */
542 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
544 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
547 const int expected_extensions[] = {
548 #ifndef OPENSSL_NO_EC
554 /* Make sure we can defer processing and get called back. */
556 return SSL_CLIENT_HELLO_RETRY;
558 len = SSL_client_hello_get0_ciphers(s, &p);
559 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
561 SSL_client_hello_get0_compression_methods(s, &p), 1)
562 || !TEST_int_eq(*p, 0))
563 return SSL_CLIENT_HELLO_ERROR;
564 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
565 return SSL_CLIENT_HELLO_ERROR;
566 if (len != OSSL_NELEM(expected_extensions) ||
567 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
568 printf("ClientHello callback expected extensions mismatch\n");
570 return SSL_CLIENT_HELLO_ERROR;
573 return SSL_CLIENT_HELLO_SUCCESS;
576 static int test_client_hello_cb(void)
578 SSL_CTX *cctx = NULL, *sctx = NULL;
579 SSL *clientssl = NULL, *serverssl = NULL;
580 int testctr = 0, testresult = 0;
582 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
583 TLS_client_method(), TLS1_VERSION, 0,
584 &sctx, &cctx, cert, privkey)))
586 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
588 /* The gimpy cipher list we configure can't do TLS 1.3. */
589 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
591 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
592 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
593 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
594 &clientssl, NULL, NULL))
595 || !TEST_false(create_ssl_connection(serverssl, clientssl,
596 SSL_ERROR_WANT_CLIENT_HELLO_CB))
598 * Passing a -1 literal is a hack since
599 * the real value was lost.
601 || !TEST_int_eq(SSL_get_error(serverssl, -1),
602 SSL_ERROR_WANT_CLIENT_HELLO_CB)
603 || !TEST_true(create_ssl_connection(serverssl, clientssl,
618 static int test_no_ems(void)
620 SSL_CTX *cctx = NULL, *sctx = NULL;
621 SSL *clientssl = NULL, *serverssl = NULL;
624 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
625 TLS1_VERSION, TLS1_2_VERSION,
626 &sctx, &cctx, cert, privkey)) {
627 printf("Unable to create SSL_CTX pair\n");
631 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
633 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
634 printf("Unable to create SSL objects\n");
638 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
639 printf("Creating SSL connection failed\n");
643 if (SSL_get_extms_support(serverssl)) {
644 printf("Server reports Extended Master Secret support\n");
648 if (SSL_get_extms_support(clientssl)) {
649 printf("Client reports Extended Master Secret support\n");
664 * Very focused test to exercise a single case in the server-side state
665 * machine, when the ChangeCipherState message needs to actually change
666 * from one cipher to a different cipher (i.e., not changing from null
667 * encryption to real encryption).
669 static int test_ccs_change_cipher(void)
671 SSL_CTX *cctx = NULL, *sctx = NULL;
672 SSL *clientssl = NULL, *serverssl = NULL;
673 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
680 * Create a conection so we can resume and potentially (but not) use
681 * a different cipher in the second connection.
683 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
685 TLS1_VERSION, TLS1_2_VERSION,
686 &sctx, &cctx, cert, privkey))
687 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
688 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
690 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
691 || !TEST_true(create_ssl_connection(serverssl, clientssl,
693 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
694 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
697 shutdown_ssl_connection(serverssl, clientssl);
698 serverssl = clientssl = NULL;
700 /* Resume, preferring a different cipher. Our server will force the
701 * same cipher to be used as the initial handshake. */
702 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
704 || !TEST_true(SSL_set_session(clientssl, sess))
705 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
706 || !TEST_true(create_ssl_connection(serverssl, clientssl,
708 || !TEST_true(SSL_session_reused(clientssl))
709 || !TEST_true(SSL_session_reused(serverssl))
710 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
711 || !TEST_ptr_eq(sesspre, sesspost)
712 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
713 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
715 shutdown_ssl_connection(serverssl, clientssl);
716 serverssl = clientssl = NULL;
719 * Now create a fresh connection and try to renegotiate a different
722 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
724 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
725 || !TEST_true(create_ssl_connection(serverssl, clientssl,
727 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
728 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
729 || !TEST_true(SSL_renegotiate(clientssl))
730 || !TEST_true(SSL_renegotiate_pending(clientssl)))
732 /* Actually drive the renegotiation. */
733 for (i = 0; i < 3; i++) {
734 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
735 if (!TEST_ulong_eq(readbytes, 0))
737 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
738 SSL_ERROR_WANT_READ)) {
741 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
742 if (!TEST_ulong_eq(readbytes, 0))
744 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
745 SSL_ERROR_WANT_READ)) {
749 /* sesspre and sesspost should be different since the cipher changed. */
750 if (!TEST_false(SSL_renegotiate_pending(clientssl))
751 || !TEST_false(SSL_session_reused(clientssl))
752 || !TEST_false(SSL_session_reused(serverssl))
753 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
754 || !TEST_ptr_ne(sesspre, sesspost)
755 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
756 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
759 shutdown_ssl_connection(serverssl, clientssl);
760 serverssl = clientssl = NULL;
769 SSL_SESSION_free(sess);
775 static int execute_test_large_message(const SSL_METHOD *smeth,
776 const SSL_METHOD *cmeth,
777 int min_version, int max_version,
780 SSL_CTX *cctx = NULL, *sctx = NULL;
781 SSL *clientssl = NULL, *serverssl = NULL;
785 X509 *chaincert = NULL;
788 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
790 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
793 if (!TEST_ptr(chaincert))
796 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
797 max_version, &sctx, &cctx, cert,
803 * Test that read_ahead works correctly when dealing with large
806 SSL_CTX_set_read_ahead(cctx, 1);
810 * We assume the supplied certificate is big enough so that if we add
811 * NUM_EXTRA_CERTS it will make the overall message large enough. The
812 * default buffer size is requested to be 16k, but due to the way BUF_MEM
813 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
814 * test we need to have a message larger than that.
816 certlen = i2d_X509(chaincert, NULL);
817 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
818 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
819 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
820 if (!X509_up_ref(chaincert))
822 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
823 X509_free(chaincert);
828 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
830 || !TEST_true(create_ssl_connection(serverssl, clientssl,
835 * Calling SSL_clear() first is not required but this tests that SSL_clear()
838 if (!TEST_true(SSL_clear(serverssl)))
843 X509_free(chaincert);
852 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
853 && !defined(OPENSSL_NO_SOCK)
855 /* sock must be connected */
856 static int ktls_chk_platform(int sock)
858 if (!ktls_enable(sock))
863 static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd)
865 static char count = 1;
866 unsigned char cbuf[16000] = {0};
867 unsigned char sbuf[16000];
869 char crec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
870 char crec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
871 char crec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
872 char crec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
873 char srec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
874 char srec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
875 char srec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
876 char srec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
879 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence,
880 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
881 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence,
882 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
883 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence,
884 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
885 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence,
886 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
888 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
891 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
892 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
897 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
900 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
901 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
906 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence,
907 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
908 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence,
909 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
910 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence,
911 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
912 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence,
913 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
915 /* verify the payload */
916 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
919 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
920 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
921 if (!TEST_mem_ne(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
922 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
925 if (!TEST_mem_eq(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
926 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
930 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
931 if (!TEST_mem_ne(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
932 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
935 if (!TEST_mem_eq(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
936 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
940 if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
941 if (!TEST_mem_ne(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
942 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
945 if (!TEST_mem_eq(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
946 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
950 if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
951 if (!TEST_mem_ne(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
952 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
955 if (!TEST_mem_eq(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
956 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
965 static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
966 int sis_ktls_tx, int sis_ktls_rx)
968 SSL_CTX *cctx = NULL, *sctx = NULL;
969 SSL *clientssl = NULL, *serverssl = NULL;
973 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
976 /* Skip this test if the platform does not support ktls */
977 if (!ktls_chk_platform(cfd))
980 /* Create a session based on SHA-256 */
981 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
983 TLS1_2_VERSION, TLS1_2_VERSION,
984 &sctx, &cctx, cert, privkey))
985 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
986 "AES128-GCM-SHA256"))
987 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
988 &clientssl, sfd, cfd)))
992 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
997 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
1002 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
1007 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
1011 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1016 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1019 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
1024 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1027 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1032 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1035 if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
1040 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1043 if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
1047 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd)))
1053 SSL_shutdown(clientssl);
1054 SSL_free(clientssl);
1057 SSL_shutdown(serverssl);
1058 SSL_free(serverssl);
1062 serverssl = clientssl = NULL;
1066 #define SENDFILE_SZ (16 * 4096)
1067 #define SENDFILE_CHUNK (4 * 4096)
1068 #define min(a,b) ((a) > (b) ? (b) : (a))
1070 static int test_ktls_sendfile(void)
1072 SSL_CTX *cctx = NULL, *sctx = NULL;
1073 SSL *clientssl = NULL, *serverssl = NULL;
1074 unsigned char *buf, *buf_dst;
1075 BIO *out = NULL, *in = NULL;
1076 int cfd, sfd, ffd, err;
1077 ssize_t chunk_size = 0;
1078 off_t chunk_off = 0;
1082 buf = OPENSSL_zalloc(SENDFILE_SZ);
1083 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1084 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1085 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1088 /* Skip this test if the platform does not support ktls */
1089 if (!ktls_chk_platform(sfd)) {
1094 /* Create a session based on SHA-256 */
1095 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1096 TLS_client_method(),
1097 TLS1_2_VERSION, TLS1_2_VERSION,
1098 &sctx, &cctx, cert, privkey))
1099 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1100 "AES128-GCM-SHA256"))
1101 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1102 &clientssl, sfd, cfd)))
1105 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1107 || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1110 RAND_bytes(buf, SENDFILE_SZ);
1111 out = BIO_new_file(tmpfilename, "wb");
1115 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1120 in = BIO_new_file(tmpfilename, "rb");
1121 BIO_get_fp(in, &ffdp);
1124 while (chunk_off < SENDFILE_SZ) {
1125 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1126 while ((err = SSL_sendfile(serverssl,
1130 0)) != chunk_size) {
1131 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1134 while ((err = SSL_read(clientssl,
1135 buf_dst + chunk_off,
1136 chunk_size)) != chunk_size) {
1137 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1141 /* verify the payload */
1142 if (!TEST_mem_eq(buf_dst + chunk_off,
1148 chunk_off += chunk_size;
1154 SSL_shutdown(clientssl);
1155 SSL_free(clientssl);
1158 SSL_shutdown(serverssl);
1159 SSL_free(serverssl);
1163 serverssl = clientssl = NULL;
1167 OPENSSL_free(buf_dst);
1171 static int test_ktls_no_txrx_client_no_txrx_server(void)
1173 return execute_test_ktls(0, 0, 0, 0);
1176 static int test_ktls_no_rx_client_no_txrx_server(void)
1178 return execute_test_ktls(1, 0, 0, 0);
1181 static int test_ktls_no_tx_client_no_txrx_server(void)
1183 return execute_test_ktls(0, 1, 0, 0);
1186 static int test_ktls_client_no_txrx_server(void)
1188 return execute_test_ktls(1, 1, 0, 0);
1191 static int test_ktls_no_txrx_client_no_rx_server(void)
1193 return execute_test_ktls(0, 0, 1, 0);
1196 static int test_ktls_no_rx_client_no_rx_server(void)
1198 return execute_test_ktls(1, 0, 1, 0);
1201 static int test_ktls_no_tx_client_no_rx_server(void)
1203 return execute_test_ktls(0, 1, 1, 0);
1206 static int test_ktls_client_no_rx_server(void)
1208 return execute_test_ktls(1, 1, 1, 0);
1211 static int test_ktls_no_txrx_client_no_tx_server(void)
1213 return execute_test_ktls(0, 0, 0, 1);
1216 static int test_ktls_no_rx_client_no_tx_server(void)
1218 return execute_test_ktls(1, 0, 0, 1);
1221 static int test_ktls_no_tx_client_no_tx_server(void)
1223 return execute_test_ktls(0, 1, 0, 1);
1226 static int test_ktls_client_no_tx_server(void)
1228 return execute_test_ktls(1, 1, 0, 1);
1231 static int test_ktls_no_txrx_client_server(void)
1233 return execute_test_ktls(0, 0, 1, 1);
1236 static int test_ktls_no_rx_client_server(void)
1238 return execute_test_ktls(1, 0, 1, 1);
1241 static int test_ktls_no_tx_client_server(void)
1243 return execute_test_ktls(0, 1, 1, 1);
1246 static int test_ktls_client_server(void)
1248 return execute_test_ktls(1, 1, 1, 1);
1252 static int test_large_message_tls(void)
1254 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1255 TLS1_VERSION, 0, 0);
1258 static int test_large_message_tls_read_ahead(void)
1260 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1261 TLS1_VERSION, 0, 1);
1264 #ifndef OPENSSL_NO_DTLS
1265 static int test_large_message_dtls(void)
1268 * read_ahead is not relevant to DTLS because DTLS always acts as if
1269 * read_ahead is set.
1271 return execute_test_large_message(DTLS_server_method(),
1272 DTLS_client_method(),
1273 DTLS1_VERSION, 0, 0);
1277 #ifndef OPENSSL_NO_OCSP
1278 static int ocsp_server_cb(SSL *s, void *arg)
1280 int *argi = (int *)arg;
1281 unsigned char *copy = NULL;
1282 STACK_OF(OCSP_RESPID) *ids = NULL;
1283 OCSP_RESPID *id = NULL;
1286 /* In this test we are expecting exactly 1 OCSP_RESPID */
1287 SSL_get_tlsext_status_ids(s, &ids);
1288 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1289 return SSL_TLSEXT_ERR_ALERT_FATAL;
1291 id = sk_OCSP_RESPID_value(ids, 0);
1292 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1293 return SSL_TLSEXT_ERR_ALERT_FATAL;
1294 } else if (*argi != 1) {
1295 return SSL_TLSEXT_ERR_ALERT_FATAL;
1298 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1299 return SSL_TLSEXT_ERR_ALERT_FATAL;
1301 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
1302 ocsp_server_called = 1;
1303 return SSL_TLSEXT_ERR_OK;
1306 static int ocsp_client_cb(SSL *s, void *arg)
1308 int *argi = (int *)arg;
1309 const unsigned char *respderin;
1312 if (*argi != 1 && *argi != 2)
1315 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1316 if (!TEST_mem_eq(orespder, len, respderin, len))
1319 ocsp_client_called = 1;
1323 static int test_tlsext_status_type(void)
1325 SSL_CTX *cctx = NULL, *sctx = NULL;
1326 SSL *clientssl = NULL, *serverssl = NULL;
1328 STACK_OF(OCSP_RESPID) *ids = NULL;
1329 OCSP_RESPID *id = NULL;
1330 BIO *certbio = NULL;
1332 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1334 &sctx, &cctx, cert, privkey))
1337 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1340 /* First just do various checks getting and setting tlsext_status_type */
1342 clientssl = SSL_new(cctx);
1343 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1344 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1345 TLSEXT_STATUSTYPE_ocsp))
1346 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1347 TLSEXT_STATUSTYPE_ocsp))
1350 SSL_free(clientssl);
1353 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1354 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1357 clientssl = SSL_new(cctx);
1358 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1360 SSL_free(clientssl);
1364 * Now actually do a handshake and check OCSP information is exchanged and
1365 * the callbacks get called
1367 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1368 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1369 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1370 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1371 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1372 &clientssl, NULL, NULL))
1373 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1375 || !TEST_true(ocsp_client_called)
1376 || !TEST_true(ocsp_server_called))
1378 SSL_free(serverssl);
1379 SSL_free(clientssl);
1383 /* Try again but this time force the server side callback to fail */
1384 ocsp_client_called = 0;
1385 ocsp_server_called = 0;
1387 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1388 &clientssl, NULL, NULL))
1389 /* This should fail because the callback will fail */
1390 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1392 || !TEST_false(ocsp_client_called)
1393 || !TEST_false(ocsp_server_called))
1395 SSL_free(serverssl);
1396 SSL_free(clientssl);
1401 * This time we'll get the client to send an OCSP_RESPID that it will
1404 ocsp_client_called = 0;
1405 ocsp_server_called = 0;
1407 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1408 &clientssl, NULL, NULL)))
1412 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1413 * specific one. We'll use the server cert.
1415 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1416 || !TEST_ptr(id = OCSP_RESPID_new())
1417 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1418 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
1420 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1421 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1424 SSL_set_tlsext_status_ids(clientssl, ids);
1425 /* Control has been transferred */
1431 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1433 || !TEST_true(ocsp_client_called)
1434 || !TEST_true(ocsp_server_called))
1440 SSL_free(serverssl);
1441 SSL_free(clientssl);
1444 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1445 OCSP_RESPID_free(id);
1447 X509_free(ocspcert);
1454 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1455 static int new_called, remove_called, get_called;
1457 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1461 * sess has been up-refed for us, but we don't actually need it so free it
1464 SSL_SESSION_free(sess);
1468 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1473 static SSL_SESSION *get_sess_val = NULL;
1475 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1480 return get_sess_val;
1483 static int execute_test_session(int maxprot, int use_int_cache,
1484 int use_ext_cache, long s_options)
1486 SSL_CTX *sctx = NULL, *cctx = NULL;
1487 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1488 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1489 # ifndef OPENSSL_NO_TLS1_1
1490 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1492 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1493 int testresult = 0, numnewsesstick = 1;
1495 new_called = remove_called = 0;
1497 /* TLSv1.3 sends 2 NewSessionTickets */
1498 if (maxprot == TLS1_3_VERSION)
1501 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1502 TLS_client_method(), TLS1_VERSION, 0,
1503 &sctx, &cctx, cert, privkey)))
1507 * Only allow the max protocol version so we can force a connection failure
1510 SSL_CTX_set_min_proto_version(cctx, maxprot);
1511 SSL_CTX_set_max_proto_version(cctx, maxprot);
1513 /* Set up session cache */
1514 if (use_ext_cache) {
1515 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1516 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1518 if (use_int_cache) {
1519 /* Also covers instance where both are set */
1520 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1522 SSL_CTX_set_session_cache_mode(cctx,
1523 SSL_SESS_CACHE_CLIENT
1524 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1528 SSL_CTX_set_options(sctx, s_options);
1531 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1533 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1535 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1538 /* Should fail because it should already be in the cache */
1539 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1542 && (!TEST_int_eq(new_called, numnewsesstick)
1544 || !TEST_int_eq(remove_called, 0)))
1547 new_called = remove_called = 0;
1548 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1549 &clientssl2, NULL, NULL))
1550 || !TEST_true(SSL_set_session(clientssl2, sess1))
1551 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1553 || !TEST_true(SSL_session_reused(clientssl2)))
1556 if (maxprot == TLS1_3_VERSION) {
1558 * In TLSv1.3 we should have created a new session even though we have
1559 * resumed. Since we attempted a resume we should also have removed the
1560 * old ticket from the cache so that we try to only use tickets once.
1563 && (!TEST_int_eq(new_called, 1)
1564 || !TEST_int_eq(remove_called, 1)))
1568 * In TLSv1.2 we expect to have resumed so no sessions added or
1572 && (!TEST_int_eq(new_called, 0)
1573 || !TEST_int_eq(remove_called, 0)))
1577 SSL_SESSION_free(sess1);
1578 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1580 shutdown_ssl_connection(serverssl2, clientssl2);
1581 serverssl2 = clientssl2 = NULL;
1583 new_called = remove_called = 0;
1584 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1585 &clientssl2, NULL, NULL))
1586 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1590 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1594 && (!TEST_int_eq(new_called, numnewsesstick)
1595 || !TEST_int_eq(remove_called, 0)))
1598 new_called = remove_called = 0;
1600 * This should clear sess2 from the cache because it is a "bad" session.
1601 * See SSL_set_session() documentation.
1603 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1606 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1608 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1611 if (use_int_cache) {
1612 /* Should succeeded because it should not already be in the cache */
1613 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1614 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1618 new_called = remove_called = 0;
1619 /* This shouldn't be in the cache so should fail */
1620 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1624 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1627 # if !defined(OPENSSL_NO_TLS1_1)
1628 new_called = remove_called = 0;
1629 /* Force a connection failure */
1630 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1631 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1632 &clientssl3, NULL, NULL))
1633 || !TEST_true(SSL_set_session(clientssl3, sess1))
1634 /* This should fail because of the mismatched protocol versions */
1635 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1639 /* We should have automatically removed the session from the cache */
1641 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1644 /* Should succeed because it should not already be in the cache */
1645 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1649 /* Now do some tests for server side caching */
1650 if (use_ext_cache) {
1651 SSL_CTX_sess_set_new_cb(cctx, NULL);
1652 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1653 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1654 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1655 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1656 get_sess_val = NULL;
1659 SSL_CTX_set_session_cache_mode(cctx, 0);
1660 /* Internal caching is the default on the server side */
1662 SSL_CTX_set_session_cache_mode(sctx,
1663 SSL_SESS_CACHE_SERVER
1664 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1666 SSL_free(serverssl1);
1667 SSL_free(clientssl1);
1668 serverssl1 = clientssl1 = NULL;
1669 SSL_free(serverssl2);
1670 SSL_free(clientssl2);
1671 serverssl2 = clientssl2 = NULL;
1672 SSL_SESSION_free(sess1);
1674 SSL_SESSION_free(sess2);
1677 SSL_CTX_set_max_proto_version(sctx, maxprot);
1678 if (maxprot == TLS1_2_VERSION)
1679 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1680 new_called = remove_called = get_called = 0;
1681 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1683 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1685 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1686 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1689 if (use_int_cache) {
1690 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1692 * In TLSv1.3 it should not have been added to the internal cache,
1693 * except in the case where we also have an external cache (in that
1694 * case it gets added to the cache in order to generate remove
1695 * events after timeout).
1697 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1700 /* Should fail because it should already be in the cache */
1701 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1706 if (use_ext_cache) {
1707 SSL_SESSION *tmp = sess2;
1709 if (!TEST_int_eq(new_called, numnewsesstick)
1710 || !TEST_int_eq(remove_called, 0)
1711 || !TEST_int_eq(get_called, 0))
1714 * Delete the session from the internal cache to force a lookup from
1715 * the external cache. We take a copy first because
1716 * SSL_CTX_remove_session() also marks the session as non-resumable.
1718 if (use_int_cache && maxprot != TLS1_3_VERSION) {
1719 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1720 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1722 SSL_SESSION_free(sess2);
1727 new_called = remove_called = get_called = 0;
1728 get_sess_val = sess2;
1729 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1730 &clientssl2, NULL, NULL))
1731 || !TEST_true(SSL_set_session(clientssl2, sess1))
1732 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1734 || !TEST_true(SSL_session_reused(clientssl2)))
1737 if (use_ext_cache) {
1738 if (!TEST_int_eq(remove_called, 0))
1741 if (maxprot == TLS1_3_VERSION) {
1742 if (!TEST_int_eq(new_called, 1)
1743 || !TEST_int_eq(get_called, 0))
1746 if (!TEST_int_eq(new_called, 0)
1747 || !TEST_int_eq(get_called, 1))
1755 SSL_free(serverssl1);
1756 SSL_free(clientssl1);
1757 SSL_free(serverssl2);
1758 SSL_free(clientssl2);
1759 # ifndef OPENSSL_NO_TLS1_1
1760 SSL_free(serverssl3);
1761 SSL_free(clientssl3);
1763 SSL_SESSION_free(sess1);
1764 SSL_SESSION_free(sess2);
1770 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1772 static int test_session_with_only_int_cache(void)
1774 #ifndef OPENSSL_NO_TLS1_3
1775 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
1779 #ifndef OPENSSL_NO_TLS1_2
1780 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
1786 static int test_session_with_only_ext_cache(void)
1788 #ifndef OPENSSL_NO_TLS1_3
1789 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
1793 #ifndef OPENSSL_NO_TLS1_2
1794 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
1800 static int test_session_with_both_cache(void)
1802 #ifndef OPENSSL_NO_TLS1_3
1803 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
1807 #ifndef OPENSSL_NO_TLS1_2
1808 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
1814 static int test_session_wo_ca_names(void)
1816 #ifndef OPENSSL_NO_TLS1_3
1817 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
1821 #ifndef OPENSSL_NO_TLS1_2
1822 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
1829 #ifndef OPENSSL_NO_TLS1_3
1830 static SSL_SESSION *sesscache[6];
1831 static int do_cache;
1833 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1836 sesscache[new_called] = sess;
1838 /* We don't need the reference to the session, so free it */
1839 SSL_SESSION_free(sess);
1846 static int post_handshake_verify(SSL *sssl, SSL *cssl)
1848 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1849 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1852 /* Start handshake on the server and client */
1853 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1854 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1855 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1856 || !TEST_true(create_ssl_connection(sssl, cssl,
1863 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
1866 int sess_id_ctx = 1;
1868 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1869 TLS_client_method(), TLS1_VERSION, 0,
1870 sctx, cctx, cert, privkey))
1871 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
1872 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
1873 (void *)&sess_id_ctx,
1874 sizeof(sess_id_ctx))))
1878 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
1880 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
1881 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1882 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
1887 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
1889 SSL *serverssl = NULL, *clientssl = NULL;
1892 /* Test that we can resume with all the tickets we got given */
1893 for (i = 0; i < idx * 2; i++) {
1895 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1896 &clientssl, NULL, NULL))
1897 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1900 SSL_set_post_handshake_auth(clientssl, 1);
1902 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1907 * Following a successful resumption we only get 1 ticket. After a
1908 * failed one we should get idx tickets.
1911 if (!TEST_true(SSL_session_reused(clientssl))
1912 || !TEST_int_eq(new_called, 1))
1915 if (!TEST_false(SSL_session_reused(clientssl))
1916 || !TEST_int_eq(new_called, idx))
1921 /* After a post-handshake authentication we should get 1 new ticket */
1923 && (!post_handshake_verify(serverssl, clientssl)
1924 || !TEST_int_eq(new_called, 1)))
1927 SSL_shutdown(clientssl);
1928 SSL_shutdown(serverssl);
1929 SSL_free(serverssl);
1930 SSL_free(clientssl);
1931 serverssl = clientssl = NULL;
1932 SSL_SESSION_free(sesscache[i]);
1933 sesscache[i] = NULL;
1939 SSL_free(clientssl);
1940 SSL_free(serverssl);
1944 static int test_tickets(int stateful, int idx)
1946 SSL_CTX *sctx = NULL, *cctx = NULL;
1947 SSL *serverssl = NULL, *clientssl = NULL;
1951 /* idx is the test number, but also the number of tickets we want */
1956 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1959 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1960 &clientssl, NULL, NULL)))
1963 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1965 /* Check we got the number of tickets we were expecting */
1966 || !TEST_int_eq(idx, new_called))
1969 SSL_shutdown(clientssl);
1970 SSL_shutdown(serverssl);
1971 SSL_free(serverssl);
1972 SSL_free(clientssl);
1975 clientssl = serverssl = NULL;
1979 * Now we try to resume with the tickets we previously created. The
1980 * resumption attempt is expected to fail (because we're now using a new
1981 * SSL_CTX). We should see idx number of tickets issued again.
1984 /* Stop caching sessions - just count them */
1987 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1990 if (!check_resumption(idx, sctx, cctx, 0))
1993 /* Start again with caching sessions */
2000 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2003 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2004 &clientssl, NULL, NULL)))
2007 SSL_set_post_handshake_auth(clientssl, 1);
2009 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2011 /* Check we got the number of tickets we were expecting */
2012 || !TEST_int_eq(idx, new_called))
2015 /* After a post-handshake authentication we should get new tickets issued */
2016 if (!post_handshake_verify(serverssl, clientssl)
2017 || !TEST_int_eq(idx * 2, new_called))
2020 SSL_shutdown(clientssl);
2021 SSL_shutdown(serverssl);
2022 SSL_free(serverssl);
2023 SSL_free(clientssl);
2024 serverssl = clientssl = NULL;
2026 /* Stop caching sessions - just count them */
2030 * Check we can resume with all the tickets we created. This time around the
2031 * resumptions should all be successful.
2033 if (!check_resumption(idx, sctx, cctx, 1))
2039 SSL_free(serverssl);
2040 SSL_free(clientssl);
2041 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2042 SSL_SESSION_free(sesscache[j]);
2043 sesscache[j] = NULL;
2051 static int test_stateless_tickets(int idx)
2053 return test_tickets(0, idx);
2056 static int test_stateful_tickets(int idx)
2058 return test_tickets(1, idx);
2061 static int test_psk_tickets(void)
2063 SSL_CTX *sctx = NULL, *cctx = NULL;
2064 SSL *serverssl = NULL, *clientssl = NULL;
2066 int sess_id_ctx = 1;
2068 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2069 TLS_client_method(), TLS1_VERSION, 0,
2070 &sctx, &cctx, NULL, NULL))
2071 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2072 (void *)&sess_id_ctx,
2073 sizeof(sess_id_ctx))))
2076 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2077 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2078 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2079 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2080 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2081 use_session_cb_cnt = 0;
2082 find_session_cb_cnt = 0;
2086 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2089 clientpsk = serverpsk = create_a_psk(clientssl);
2090 if (!TEST_ptr(clientpsk))
2092 SSL_SESSION_up_ref(clientpsk);
2094 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2096 || !TEST_int_eq(1, find_session_cb_cnt)
2097 || !TEST_int_eq(1, use_session_cb_cnt)
2098 /* We should always get 1 ticket when using external PSK */
2099 || !TEST_int_eq(1, new_called))
2105 SSL_free(serverssl);
2106 SSL_free(clientssl);
2109 SSL_SESSION_free(clientpsk);
2110 SSL_SESSION_free(serverpsk);
2111 clientpsk = serverpsk = NULL;
2116 static int test_extra_tickets(int idx)
2118 SSL_CTX *sctx = NULL, *cctx = NULL;
2119 SSL *serverssl = NULL, *clientssl = NULL;
2120 BIO *bretry = BIO_new(bio_s_always_retry());
2125 unsigned char c, buf[1];
2135 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2137 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2138 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2139 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2141 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2142 &clientssl, NULL, NULL)))
2146 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2147 * incremented by both client and server.
2149 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2151 /* Check we got the number of tickets we were expecting */
2152 || !TEST_int_eq(idx * 2, new_called)
2153 || !TEST_true(SSL_new_session_ticket(serverssl))
2154 || !TEST_true(SSL_new_session_ticket(serverssl))
2155 || !TEST_int_eq(idx * 2, new_called))
2158 /* Now try a (real) write to actually send the tickets */
2160 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2161 || !TEST_size_t_eq(1, nbytes)
2162 || !TEST_int_eq(idx * 2 + 2, new_called)
2163 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2164 || !TEST_int_eq(idx * 2 + 4, new_called)
2165 || !TEST_int_eq(sizeof(buf), nbytes)
2166 || !TEST_int_eq(c, buf[0])
2167 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2170 /* Try with only requesting one new ticket, too */
2173 if (!TEST_true(SSL_new_session_ticket(serverssl))
2174 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2175 || !TEST_size_t_eq(sizeof(c), nbytes)
2176 || !TEST_int_eq(1, new_called)
2177 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2178 || !TEST_int_eq(2, new_called)
2179 || !TEST_size_t_eq(sizeof(buf), nbytes)
2180 || !TEST_int_eq(c, buf[0]))
2183 /* Do it again but use dummy writes to drive the ticket generation */
2186 if (!TEST_true(SSL_new_session_ticket(serverssl))
2187 || !TEST_true(SSL_new_session_ticket(serverssl))
2188 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2189 || !TEST_size_t_eq(0, nbytes)
2190 || !TEST_int_eq(2, new_called)
2191 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2192 || !TEST_int_eq(4, new_called))
2196 * Use the always-retry BIO to exercise the logic that forces ticket
2197 * generation to wait until a record boundary.
2201 tmp = SSL_get_wbio(serverssl);
2202 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2206 SSL_set0_wbio(serverssl, bretry);
2208 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2209 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2210 || !TEST_size_t_eq(nbytes, 0))
2212 /* Restore a BIO that will let the write succeed */
2213 SSL_set0_wbio(serverssl, tmp);
2215 /* These calls should just queue the request and not send anything. */
2216 if (!TEST_true(SSL_new_session_ticket(serverssl))
2217 || !TEST_true(SSL_new_session_ticket(serverssl))
2218 || !TEST_int_eq(0, new_called))
2220 /* Re-do the write; still no tickets sent */
2221 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2222 || !TEST_size_t_eq(1, nbytes)
2223 || !TEST_int_eq(0, new_called)
2224 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2225 || !TEST_int_eq(0, new_called)
2226 || !TEST_int_eq(sizeof(buf), nbytes)
2227 || !TEST_int_eq(c, buf[0])
2228 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2230 /* Now the *next* write should send the tickets */
2232 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2233 || !TEST_size_t_eq(1, nbytes)
2234 || !TEST_int_eq(2, new_called)
2235 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2236 || !TEST_int_eq(4, new_called)
2237 || !TEST_int_eq(sizeof(buf), nbytes)
2238 || !TEST_int_eq(c, buf[0])
2239 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2242 SSL_shutdown(clientssl);
2243 SSL_shutdown(serverssl);
2249 SSL_free(serverssl);
2250 SSL_free(clientssl);
2253 clientssl = serverssl = NULL;
2262 #define USE_DEFAULT 3
2264 #define CONNTYPE_CONNECTION_SUCCESS 0
2265 #define CONNTYPE_CONNECTION_FAIL 1
2266 #define CONNTYPE_NO_CONNECTION 2
2268 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2269 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2270 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2271 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2273 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2276 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2277 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2278 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2280 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2297 * Tests calls to SSL_set_bio() under various conditions.
2299 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2300 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2301 * then do more tests where we create a successful connection first using our
2302 * standard connection setup functions, and then call SSL_set_bio() with
2303 * various combinations of valid BIOs or NULL. We then repeat these tests
2304 * following a failed connection. In this last case we are looking to check that
2305 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2307 static int test_ssl_set_bio(int idx)
2309 SSL_CTX *sctx = NULL, *cctx = NULL;
2312 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2313 SSL *serverssl = NULL, *clientssl = NULL;
2314 int initrbio, initwbio, newrbio, newwbio, conntype;
2317 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2325 conntype = CONNTYPE_NO_CONNECTION;
2327 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2328 initrbio = initwbio = USE_DEFAULT;
2336 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2337 TLS_client_method(), TLS1_VERSION, 0,
2338 &sctx, &cctx, cert, privkey)))
2341 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2343 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2344 * because we reduced the number of tests in the definition of
2345 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2346 * mismatched protocol versions we will force a connection failure.
2348 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2349 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2352 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2356 if (initrbio == USE_BIO_1
2357 || initwbio == USE_BIO_1
2358 || newrbio == USE_BIO_1
2359 || newwbio == USE_BIO_1) {
2360 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2364 if (initrbio == USE_BIO_2
2365 || initwbio == USE_BIO_2
2366 || newrbio == USE_BIO_2
2367 || newwbio == USE_BIO_2) {
2368 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2372 if (initrbio != USE_DEFAULT) {
2373 setupbio(&irbio, bio1, bio2, initrbio);
2374 setupbio(&iwbio, bio1, bio2, initwbio);
2375 SSL_set_bio(clientssl, irbio, iwbio);
2378 * We want to maintain our own refs to these BIO, so do an up ref for
2379 * each BIO that will have ownership transferred in the SSL_set_bio()
2384 if (iwbio != NULL && iwbio != irbio)
2388 if (conntype != CONNTYPE_NO_CONNECTION
2389 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2391 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2394 setupbio(&nrbio, bio1, bio2, newrbio);
2395 setupbio(&nwbio, bio1, bio2, newwbio);
2398 * We will (maybe) transfer ownership again so do more up refs.
2399 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2404 && (nwbio != iwbio || nrbio != nwbio))
2408 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2411 SSL_set_bio(clientssl, nrbio, nwbio);
2420 * This test is checking that the ref counting for SSL_set_bio is correct.
2421 * If we get here and we did too many frees then we will fail in the above
2424 SSL_free(serverssl);
2425 SSL_free(clientssl);
2431 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
2433 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
2435 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
2440 if (!TEST_ptr(ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method()))
2441 || !TEST_ptr(ssl = SSL_new(ctx))
2442 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2443 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
2446 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2449 * If anything goes wrong here then we could leak memory.
2451 BIO_push(sslbio, membio1);
2453 /* Verify changing the rbio/wbio directly does not cause leaks */
2454 if (change_bio != NO_BIO_CHANGE) {
2455 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
2457 if (change_bio == CHANGE_RBIO)
2458 SSL_set0_rbio(ssl, membio2);
2460 SSL_set0_wbio(ssl, membio2);
2479 static int test_ssl_bio_pop_next_bio(void)
2481 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
2484 static int test_ssl_bio_pop_ssl_bio(void)
2486 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
2489 static int test_ssl_bio_change_rbio(void)
2491 return execute_test_ssl_bio(0, CHANGE_RBIO);
2494 static int test_ssl_bio_change_wbio(void)
2496 return execute_test_ssl_bio(0, CHANGE_WBIO);
2499 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
2501 /* The list of sig algs */
2503 /* The length of the list */
2505 /* A sigalgs list in string format */
2506 const char *liststr;
2507 /* Whether setting the list should succeed */
2509 /* Whether creating a connection with the list should succeed */
2513 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
2514 # ifndef OPENSSL_NO_EC
2515 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2516 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
2518 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2519 static const int invalidlist2[] = {NID_sha256, NID_undef};
2520 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2521 static const int invalidlist4[] = {NID_sha256};
2522 static const sigalgs_list testsigalgs[] = {
2523 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2524 # ifndef OPENSSL_NO_EC
2525 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2526 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2528 {NULL, 0, "RSA+SHA256", 1, 1},
2529 # ifndef OPENSSL_NO_EC
2530 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2531 {NULL, 0, "ECDSA+SHA512", 1, 0},
2533 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2534 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2535 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2536 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2537 {NULL, 0, "RSA", 0, 0},
2538 {NULL, 0, "SHA256", 0, 0},
2539 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2540 {NULL, 0, "Invalid", 0, 0}
2543 static int test_set_sigalgs(int idx)
2545 SSL_CTX *cctx = NULL, *sctx = NULL;
2546 SSL *clientssl = NULL, *serverssl = NULL;
2548 const sigalgs_list *curr;
2551 /* Should never happen */
2552 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
2555 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2556 curr = testctx ? &testsigalgs[idx]
2557 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2559 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2560 TLS_client_method(), TLS1_VERSION, 0,
2561 &sctx, &cctx, cert, privkey)))
2565 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2566 * for TLSv1.2 for now until we add a new API.
2568 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2573 if (curr->list != NULL)
2574 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2576 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2580 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2586 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2591 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2592 &clientssl, NULL, NULL)))
2598 if (curr->list != NULL)
2599 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2601 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2604 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
2613 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2621 SSL_free(serverssl);
2622 SSL_free(clientssl);
2630 #ifndef OPENSSL_NO_TLS1_3
2631 static int psk_client_cb_cnt = 0;
2632 static int psk_server_cb_cnt = 0;
2634 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2635 size_t *idlen, SSL_SESSION **sess)
2637 switch (++use_session_cb_cnt) {
2639 /* The first call should always have a NULL md */
2645 /* The second call should always have an md */
2651 /* We should only be called a maximum of twice */
2655 if (clientpsk != NULL)
2656 SSL_SESSION_up_ref(clientpsk);
2659 *id = (const unsigned char *)pskid;
2660 *idlen = strlen(pskid);
2665 #ifndef OPENSSL_NO_PSK
2666 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2667 unsigned int max_id_len,
2669 unsigned int max_psk_len)
2671 unsigned int psklen = 0;
2673 psk_client_cb_cnt++;
2675 if (strlen(pskid) + 1 > max_id_len)
2678 /* We should only ever be called a maximum of twice per connection */
2679 if (psk_client_cb_cnt > 2)
2682 if (clientpsk == NULL)
2685 /* We'll reuse the PSK we set up for TLSv1.3 */
2686 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2688 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2689 strncpy(id, pskid, max_id_len);
2693 #endif /* OPENSSL_NO_PSK */
2695 static int find_session_cb(SSL *ssl, const unsigned char *identity,
2696 size_t identity_len, SSL_SESSION **sess)
2698 find_session_cb_cnt++;
2700 /* We should only ever be called a maximum of twice per connection */
2701 if (find_session_cb_cnt > 2)
2704 if (serverpsk == NULL)
2707 /* Identity should match that set by the client */
2708 if (strlen(srvid) != identity_len
2709 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2710 /* No PSK found, continue but without a PSK */
2715 SSL_SESSION_up_ref(serverpsk);
2721 #ifndef OPENSSL_NO_PSK
2722 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2723 unsigned char *psk, unsigned int max_psk_len)
2725 unsigned int psklen = 0;
2727 psk_server_cb_cnt++;
2729 /* We should only ever be called a maximum of twice per connection */
2730 if (find_session_cb_cnt > 2)
2733 if (serverpsk == NULL)
2736 /* Identity should match that set by the client */
2737 if (strcmp(srvid, identity) != 0) {
2741 /* We'll reuse the PSK we set up for TLSv1.3 */
2742 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2744 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2748 #endif /* OPENSSL_NO_PSK */
2750 #define MSG1 "Hello"
2751 #define MSG2 "World."
2756 #define MSG7 "message."
2758 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
2759 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2760 #define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
2761 #define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
2762 #define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
2765 static SSL_SESSION *create_a_psk(SSL *ssl)
2767 const SSL_CIPHER *cipher = NULL;
2768 const unsigned char key[] = {
2769 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2770 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2771 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2772 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2773 0x2c, 0x2d, 0x2e, 0x2f
2775 SSL_SESSION *sess = NULL;
2777 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2778 sess = SSL_SESSION_new();
2780 || !TEST_ptr(cipher)
2781 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2783 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2785 SSL_SESSION_set_protocol_version(sess,
2787 SSL_SESSION_free(sess);
2794 * Helper method to setup objects for early data test. Caller frees objects on
2797 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
2798 SSL **serverssl, SSL_SESSION **sess, int idx)
2801 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2802 TLS_client_method(),
2804 sctx, cctx, cert, privkey)))
2807 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
2811 /* When idx == 1 we repeat the tests with read_ahead set */
2812 SSL_CTX_set_read_ahead(*cctx, 1);
2813 SSL_CTX_set_read_ahead(*sctx, 1);
2814 } else if (idx == 2) {
2815 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2816 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2817 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2818 use_session_cb_cnt = 0;
2819 find_session_cb_cnt = 0;
2823 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
2828 * For one of the run throughs (doesn't matter which one), we'll try sending
2829 * some SNI data in the initial ClientHello. This will be ignored (because
2830 * there is no SNI cb set up by the server), so it should not impact
2834 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2838 clientpsk = create_a_psk(*clientssl);
2839 if (!TEST_ptr(clientpsk)
2841 * We just choose an arbitrary value for max_early_data which
2842 * should be big enough for testing purposes.
2844 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2846 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2847 SSL_SESSION_free(clientpsk);
2851 serverpsk = clientpsk;
2854 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2855 SSL_SESSION_free(clientpsk);
2856 SSL_SESSION_free(serverpsk);
2857 clientpsk = serverpsk = NULL;
2868 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
2872 *sess = SSL_get1_session(*clientssl);
2873 SSL_shutdown(*clientssl);
2874 SSL_shutdown(*serverssl);
2875 SSL_free(*serverssl);
2876 SSL_free(*clientssl);
2877 *serverssl = *clientssl = NULL;
2879 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
2880 clientssl, NULL, NULL))
2881 || !TEST_true(SSL_set_session(*clientssl, *sess)))
2887 static int test_early_data_read_write(int idx)
2889 SSL_CTX *cctx = NULL, *sctx = NULL;
2890 SSL *clientssl = NULL, *serverssl = NULL;
2892 SSL_SESSION *sess = NULL;
2893 unsigned char buf[20], data[1024];
2894 size_t readbytes, written, eoedlen, rawread, rawwritten;
2897 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2898 &serverssl, &sess, idx)))
2901 /* Write and read some early data */
2902 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2904 || !TEST_size_t_eq(written, strlen(MSG1))
2905 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
2906 sizeof(buf), &readbytes),
2907 SSL_READ_EARLY_DATA_SUCCESS)
2908 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
2909 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2910 SSL_EARLY_DATA_ACCEPTED))
2914 * Server should be able to write data, and client should be able to
2917 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
2919 || !TEST_size_t_eq(written, strlen(MSG2))
2920 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2921 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2924 /* Even after reading normal data, client should be able write early data */
2925 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
2927 || !TEST_size_t_eq(written, strlen(MSG3)))
2930 /* Server should still be able read early data after writing data */
2931 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2933 SSL_READ_EARLY_DATA_SUCCESS)
2934 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
2937 /* Write more data from server and read it from client */
2938 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2940 || !TEST_size_t_eq(written, strlen(MSG4))
2941 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2942 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
2946 * If client writes normal data it should mean writing early data is no
2949 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2950 || !TEST_size_t_eq(written, strlen(MSG5))
2951 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2952 SSL_EARLY_DATA_ACCEPTED))
2956 * At this point the client has written EndOfEarlyData, ClientFinished and
2957 * normal (fully protected) data. We are going to cause a delay between the
2958 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2959 * in the read BIO, and then just put back the EndOfEarlyData message.
2961 rbio = SSL_get_rbio(serverssl);
2962 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2963 || !TEST_size_t_lt(rawread, sizeof(data))
2964 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
2967 /* Record length is in the 4th and 5th bytes of the record header */
2968 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
2969 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2970 || !TEST_size_t_eq(rawwritten, eoedlen))
2973 /* Server should be told that there is no more early data */
2974 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2976 SSL_READ_EARLY_DATA_FINISH)
2977 || !TEST_size_t_eq(readbytes, 0))
2981 * Server has not finished init yet, so should still be able to write early
2984 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2986 || !TEST_size_t_eq(written, strlen(MSG6)))
2989 /* Push the ClientFinished and the normal data back into the server rbio */
2990 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2992 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
2995 /* Server should be able to read normal data */
2996 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2997 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3000 /* Client and server should not be able to write/read early data now */
3001 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3005 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3007 SSL_READ_EARLY_DATA_ERROR))
3011 /* Client should be able to read the data sent by the server */
3012 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3013 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3017 * Make sure we process the two NewSessionTickets. These arrive
3018 * post-handshake. We attempt reads which we do not expect to return any
3021 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3022 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3026 /* Server should be able to write normal data */
3027 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3028 || !TEST_size_t_eq(written, strlen(MSG7))
3029 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3030 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3033 SSL_SESSION_free(sess);
3034 sess = SSL_get1_session(clientssl);
3035 use_session_cb_cnt = 0;
3036 find_session_cb_cnt = 0;
3038 SSL_shutdown(clientssl);
3039 SSL_shutdown(serverssl);
3040 SSL_free(serverssl);
3041 SSL_free(clientssl);
3042 serverssl = clientssl = NULL;
3043 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3044 &clientssl, NULL, NULL))
3045 || !TEST_true(SSL_set_session(clientssl, sess)))
3048 /* Write and read some early data */
3049 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3051 || !TEST_size_t_eq(written, strlen(MSG1))
3052 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3054 SSL_READ_EARLY_DATA_SUCCESS)
3055 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3058 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3059 || !TEST_int_gt(SSL_accept(serverssl), 0))
3062 /* Client and server should not be able to write/read early data now */
3063 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3067 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3069 SSL_READ_EARLY_DATA_ERROR))
3073 /* Client and server should be able to write/read normal data */
3074 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3075 || !TEST_size_t_eq(written, strlen(MSG5))
3076 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3077 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3083 SSL_SESSION_free(sess);
3084 SSL_SESSION_free(clientpsk);
3085 SSL_SESSION_free(serverpsk);
3086 clientpsk = serverpsk = NULL;
3087 SSL_free(serverssl);
3088 SSL_free(clientssl);
3094 static int allow_ed_cb_called = 0;
3096 static int allow_early_data_cb(SSL *s, void *arg)
3098 int *usecb = (int *)arg;
3100 allow_ed_cb_called++;
3109 * idx == 0: Standard early_data setup
3110 * idx == 1: early_data setup using read_ahead
3111 * usecb == 0: Don't use a custom early data callback
3112 * usecb == 1: Use a custom early data callback and reject the early data
3113 * usecb == 2: Use a custom early data callback and accept the early data
3114 * confopt == 0: Configure anti-replay directly
3115 * confopt == 1: Configure anti-replay using SSL_CONF
3117 static int test_early_data_replay_int(int idx, int usecb, int confopt)
3119 SSL_CTX *cctx = NULL, *sctx = NULL;
3120 SSL *clientssl = NULL, *serverssl = NULL;
3122 SSL_SESSION *sess = NULL;
3123 size_t readbytes, written;
3124 unsigned char buf[20];
3126 allow_ed_cb_called = 0;
3128 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3129 TLS_client_method(), TLS1_VERSION, 0,
3130 &sctx, &cctx, cert, privkey)))
3135 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3137 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3139 if (!TEST_ptr(confctx))
3141 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3142 | SSL_CONF_FLAG_SERVER);
3143 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3144 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3146 SSL_CONF_CTX_free(confctx);
3149 SSL_CONF_CTX_free(confctx);
3151 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3154 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3155 &serverssl, &sess, idx)))
3159 * The server is configured to accept early data. Create a connection to
3160 * "use up" the ticket
3162 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3163 || !TEST_true(SSL_session_reused(clientssl)))
3166 SSL_shutdown(clientssl);
3167 SSL_shutdown(serverssl);
3168 SSL_free(serverssl);
3169 SSL_free(clientssl);
3170 serverssl = clientssl = NULL;
3172 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3173 &clientssl, NULL, NULL))
3174 || !TEST_true(SSL_set_session(clientssl, sess)))
3177 /* Write and read some early data */
3178 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3180 || !TEST_size_t_eq(written, strlen(MSG1)))
3184 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3186 SSL_READ_EARLY_DATA_FINISH)
3188 * The ticket was reused, so the we should have rejected the
3191 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3192 SSL_EARLY_DATA_REJECTED))
3195 /* In this case the callback decides to accept the early data */
3196 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3198 SSL_READ_EARLY_DATA_SUCCESS)
3199 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3201 * Server will have sent its flight so client can now send
3202 * end of early data and complete its half of the handshake
3204 || !TEST_int_gt(SSL_connect(clientssl), 0)
3205 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3207 SSL_READ_EARLY_DATA_FINISH)
3208 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3209 SSL_EARLY_DATA_ACCEPTED))
3213 /* Complete the connection */
3214 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3215 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3216 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3222 SSL_SESSION_free(sess);
3223 SSL_SESSION_free(clientpsk);
3224 SSL_SESSION_free(serverpsk);
3225 clientpsk = serverpsk = NULL;
3226 SSL_free(serverssl);
3227 SSL_free(clientssl);
3233 static int test_early_data_replay(int idx)
3235 int ret = 1, usecb, confopt;
3237 for (usecb = 0; usecb < 3; usecb++) {
3238 for (confopt = 0; confopt < 2; confopt++)
3239 ret &= test_early_data_replay_int(idx, usecb, confopt);
3246 * Helper function to test that a server attempting to read early data can
3247 * handle a connection from a client where the early data should be skipped.
3248 * testtype: 0 == No HRR
3249 * testtype: 1 == HRR
3250 * testtype: 2 == HRR, invalid early_data sent after HRR
3251 * testtype: 3 == recv_max_early_data set to 0
3253 static int early_data_skip_helper(int testtype, int idx)
3255 SSL_CTX *cctx = NULL, *sctx = NULL;
3256 SSL *clientssl = NULL, *serverssl = NULL;
3258 SSL_SESSION *sess = NULL;
3259 unsigned char buf[20];
3260 size_t readbytes, written;
3262 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3263 &serverssl, &sess, idx)))
3266 if (testtype == 1 || testtype == 2) {
3267 /* Force an HRR to occur */
3268 #if defined(OPENSSL_NO_EC)
3269 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3272 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3275 } else if (idx == 2) {
3277 * We force early_data rejection by ensuring the PSK identity is
3280 srvid = "Dummy Identity";
3283 * Deliberately corrupt the creation time. We take 20 seconds off the
3284 * time. It could be any value as long as it is not within tolerance.
3285 * This should mean the ticket is rejected.
3287 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3292 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3295 /* Write some early data */
3296 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3298 || !TEST_size_t_eq(written, strlen(MSG1)))
3301 /* Server should reject the early data */
3302 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3304 SSL_READ_EARLY_DATA_FINISH)
3305 || !TEST_size_t_eq(readbytes, 0)
3306 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3307 SSL_EARLY_DATA_REJECTED))
3317 * Finish off the handshake. We perform the same writes and reads as
3318 * further down but we expect them to fail due to the incomplete
3321 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3322 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3329 BIO *wbio = SSL_get_wbio(clientssl);
3330 /* A record that will appear as bad early_data */
3331 const unsigned char bad_early_data[] = {
3332 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3336 * We force the client to attempt a write. This will fail because
3337 * we're still in the handshake. It will cause the second
3338 * ClientHello to be sent.
3340 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3345 * Inject some early_data after the second ClientHello. This should
3346 * cause the server to fail
3348 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3349 sizeof(bad_early_data), &written)))
3356 * This client has sent more early_data than we are willing to skip
3357 * (case 3) or sent invalid early_data (case 2) so the connection should
3360 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3361 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3364 /* Connection has failed - nothing more to do */
3369 TEST_error("Invalid test type");
3374 * Should be able to send normal data despite rejection of early data. The
3375 * early_data should be skipped.
3377 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3378 || !TEST_size_t_eq(written, strlen(MSG2))
3379 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3380 SSL_EARLY_DATA_REJECTED)
3381 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3382 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3388 SSL_SESSION_free(clientpsk);
3389 SSL_SESSION_free(serverpsk);
3390 clientpsk = serverpsk = NULL;
3391 SSL_SESSION_free(sess);
3392 SSL_free(serverssl);
3393 SSL_free(clientssl);
3400 * Test that a server attempting to read early data can handle a connection
3401 * from a client where the early data is not acceptable.
3403 static int test_early_data_skip(int idx)
3405 return early_data_skip_helper(0, idx);
3409 * Test that a server attempting to read early data can handle a connection
3410 * from a client where an HRR occurs.
3412 static int test_early_data_skip_hrr(int idx)
3414 return early_data_skip_helper(1, idx);
3418 * Test that a server attempting to read early data can handle a connection
3419 * from a client where an HRR occurs and correctly fails if early_data is sent
3422 static int test_early_data_skip_hrr_fail(int idx)
3424 return early_data_skip_helper(2, idx);
3428 * Test that a server attempting to read early data will abort if it tries to
3429 * skip over too much.
3431 static int test_early_data_skip_abort(int idx)
3433 return early_data_skip_helper(3, idx);
3437 * Test that a server attempting to read early data can handle a connection
3438 * from a client that doesn't send any.
3440 static int test_early_data_not_sent(int idx)
3442 SSL_CTX *cctx = NULL, *sctx = NULL;
3443 SSL *clientssl = NULL, *serverssl = NULL;
3445 SSL_SESSION *sess = NULL;
3446 unsigned char buf[20];
3447 size_t readbytes, written;
3449 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3450 &serverssl, &sess, idx)))
3453 /* Write some data - should block due to handshake with server */
3454 SSL_set_connect_state(clientssl);
3455 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3458 /* Server should detect that early data has not been sent */
3459 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3461 SSL_READ_EARLY_DATA_FINISH)
3462 || !TEST_size_t_eq(readbytes, 0)
3463 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3464 SSL_EARLY_DATA_NOT_SENT)
3465 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3466 SSL_EARLY_DATA_NOT_SENT))
3469 /* Continue writing the message we started earlier */
3470 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3471 || !TEST_size_t_eq(written, strlen(MSG1))
3472 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3473 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3474 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3475 || !TEST_size_t_eq(written, strlen(MSG2)))
3478 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3479 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3485 SSL_SESSION_free(sess);
3486 SSL_SESSION_free(clientpsk);
3487 SSL_SESSION_free(serverpsk);
3488 clientpsk = serverpsk = NULL;
3489 SSL_free(serverssl);
3490 SSL_free(clientssl);
3496 static const char *servalpn;
3498 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3499 unsigned char *outlen, const unsigned char *in,
3500 unsigned int inlen, void *arg)
3502 unsigned int protlen = 0;
3503 const unsigned char *prot;
3505 for (prot = in; prot < in + inlen; prot += protlen) {
3507 if (in + inlen < prot + protlen)
3508 return SSL_TLSEXT_ERR_NOACK;
3510 if (protlen == strlen(servalpn)
3511 && memcmp(prot, servalpn, protlen) == 0) {
3514 return SSL_TLSEXT_ERR_OK;
3518 return SSL_TLSEXT_ERR_NOACK;
3521 /* Test that a PSK can be used to send early_data */
3522 static int test_early_data_psk(int idx)
3524 SSL_CTX *cctx = NULL, *sctx = NULL;
3525 SSL *clientssl = NULL, *serverssl = NULL;
3527 SSL_SESSION *sess = NULL;
3528 unsigned char alpnlist[] = {
3529 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3532 #define GOODALPNLEN 9
3533 #define BADALPNLEN 8
3534 #define GOODALPN (alpnlist)
3535 #define BADALPN (alpnlist + GOODALPNLEN)
3537 unsigned char buf[20];
3538 size_t readbytes, written;
3539 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3540 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3542 /* We always set this up with a final parameter of "2" for PSK */
3543 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3544 &serverssl, &sess, 2)))
3547 servalpn = "goodalpn";
3550 * Note: There is no test for inconsistent SNI with late client detection.
3551 * This is because servers do not acknowledge SNI even if they are using
3552 * it in a resumption handshake - so it is not actually possible for a
3553 * client to detect a problem.
3557 /* Set inconsistent SNI (early client detection) */
3558 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3559 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3560 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3565 /* Set inconsistent ALPN (early client detection) */
3566 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3567 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3568 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3570 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3577 * Set invalid protocol version. Technically this affects PSKs without
3578 * early_data too, but we test it here because it is similar to the
3579 * SNI/ALPN consistency tests.
3581 err = SSL_R_BAD_PSK;
3582 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3588 * Set inconsistent SNI (server side). In this case the connection
3589 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3590 * is associated with each handshake - not the session. Therefore it
3591 * should not matter that we used a different server name last time.
3593 SSL_SESSION_free(serverpsk);
3594 serverpsk = SSL_SESSION_dup(clientpsk);
3595 if (!TEST_ptr(serverpsk)
3596 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3600 /* Set consistent SNI */
3601 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3602 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3603 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3610 * Set inconsistent ALPN (server detected). In this case the connection
3611 * will succeed but reject early_data.
3613 servalpn = "badalpn";
3614 edstatus = SSL_EARLY_DATA_REJECTED;
3615 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3619 * Set consistent ALPN.
3620 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3621 * accepts a list of protos (each one length prefixed).
3622 * SSL_set1_alpn_selected accepts a single protocol (not length
3625 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3627 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3631 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3635 /* Set inconsistent ALPN (late client detection) */
3636 SSL_SESSION_free(serverpsk);
3637 serverpsk = SSL_SESSION_dup(clientpsk);
3638 if (!TEST_ptr(serverpsk)
3639 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3642 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3645 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3648 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3649 edstatus = SSL_EARLY_DATA_ACCEPTED;
3650 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3651 /* SSL_connect() call should fail */
3656 TEST_error("Bad test index");
3660 SSL_set_connect_state(clientssl);
3662 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3664 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3665 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3668 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3672 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3673 &readbytes), readearlyres)
3674 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3675 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3676 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3677 || !TEST_int_eq(SSL_connect(clientssl), connectres))
3684 SSL_SESSION_free(sess);
3685 SSL_SESSION_free(clientpsk);
3686 SSL_SESSION_free(serverpsk);
3687 clientpsk = serverpsk = NULL;
3688 SSL_free(serverssl);
3689 SSL_free(clientssl);
3696 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
3697 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
3698 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
3699 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3700 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
3701 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
3703 static int test_early_data_psk_with_all_ciphers(int idx)
3705 SSL_CTX *cctx = NULL, *sctx = NULL;
3706 SSL *clientssl = NULL, *serverssl = NULL;
3708 SSL_SESSION *sess = NULL;
3709 unsigned char buf[20];
3710 size_t readbytes, written;
3711 const SSL_CIPHER *cipher;
3712 const char *cipher_str[] = {
3713 TLS1_3_RFC_AES_128_GCM_SHA256,
3714 TLS1_3_RFC_AES_256_GCM_SHA384,
3715 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3716 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3720 TLS1_3_RFC_AES_128_CCM_SHA256,
3721 TLS1_3_RFC_AES_128_CCM_8_SHA256
3723 const unsigned char *cipher_bytes[] = {
3724 TLS13_AES_128_GCM_SHA256_BYTES,
3725 TLS13_AES_256_GCM_SHA384_BYTES,
3726 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3727 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
3731 TLS13_AES_128_CCM_SHA256_BYTES,
3732 TLS13_AES_128_CCM_8_SHA256_BYTES
3735 if (cipher_str[idx] == NULL)
3737 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
3738 if (idx == 2 && is_fips == 1)
3741 /* We always set this up with a final parameter of "2" for PSK */
3742 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3743 &serverssl, &sess, 2)))
3746 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
3747 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
3751 * 'setupearly_data_test' creates only one instance of SSL_SESSION
3752 * and assigns to both client and server with incremented reference
3753 * and the same instance is updated in 'sess'.
3754 * So updating ciphersuite in 'sess' which will get reflected in
3755 * PSK handshake using psk use sess and find sess cb.
3757 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
3758 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
3761 SSL_set_connect_state(clientssl);
3762 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3766 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3768 SSL_READ_EARLY_DATA_SUCCESS)
3769 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3770 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3771 SSL_EARLY_DATA_ACCEPTED)
3772 || !TEST_int_eq(SSL_connect(clientssl), 1)
3773 || !TEST_int_eq(SSL_accept(serverssl), 1))
3776 /* Send some normal data from client to server */
3777 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3778 || !TEST_size_t_eq(written, strlen(MSG2)))
3781 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3782 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3787 SSL_SESSION_free(sess);
3788 SSL_SESSION_free(clientpsk);
3789 SSL_SESSION_free(serverpsk);
3790 clientpsk = serverpsk = NULL;
3791 if (clientssl != NULL)
3792 SSL_shutdown(clientssl);
3793 if (serverssl != NULL)
3794 SSL_shutdown(serverssl);
3795 SSL_free(serverssl);
3796 SSL_free(clientssl);
3803 * Test that a server that doesn't try to read early data can handle a
3804 * client sending some.
3806 static int test_early_data_not_expected(int idx)
3808 SSL_CTX *cctx = NULL, *sctx = NULL;
3809 SSL *clientssl = NULL, *serverssl = NULL;
3811 SSL_SESSION *sess = NULL;
3812 unsigned char buf[20];
3813 size_t readbytes, written;
3815 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3816 &serverssl, &sess, idx)))
3819 /* Write some early data */
3820 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3825 * Server should skip over early data and then block waiting for client to
3826 * continue handshake
3828 if (!TEST_int_le(SSL_accept(serverssl), 0)
3829 || !TEST_int_gt(SSL_connect(clientssl), 0)
3830 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3831 SSL_EARLY_DATA_REJECTED)
3832 || !TEST_int_gt(SSL_accept(serverssl), 0)
3833 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3834 SSL_EARLY_DATA_REJECTED))
3837 /* Send some normal data from client to server */
3838 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3839 || !TEST_size_t_eq(written, strlen(MSG2)))
3842 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3843 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3849 SSL_SESSION_free(sess);
3850 SSL_SESSION_free(clientpsk);
3851 SSL_SESSION_free(serverpsk);
3852 clientpsk = serverpsk = NULL;
3853 SSL_free(serverssl);
3854 SSL_free(clientssl);
3861 # ifndef OPENSSL_NO_TLS1_2
3863 * Test that a server attempting to read early data can handle a connection
3864 * from a TLSv1.2 client.
3866 static int test_early_data_tls1_2(int idx)
3868 SSL_CTX *cctx = NULL, *sctx = NULL;
3869 SSL *clientssl = NULL, *serverssl = NULL;
3871 unsigned char buf[20];
3872 size_t readbytes, written;
3874 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3875 &serverssl, NULL, idx)))
3878 /* Write some data - should block due to handshake with server */
3879 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
3880 SSL_set_connect_state(clientssl);
3881 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3885 * Server should do TLSv1.2 handshake. First it will block waiting for more
3886 * messages from client after ServerDone. Then SSL_read_early_data should
3887 * finish and detect that early data has not been sent
3889 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3891 SSL_READ_EARLY_DATA_ERROR))
3895 * Continue writing the message we started earlier. Will still block waiting
3896 * for the CCS/Finished from server
3898 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3899 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3901 SSL_READ_EARLY_DATA_FINISH)
3902 || !TEST_size_t_eq(readbytes, 0)
3903 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3904 SSL_EARLY_DATA_NOT_SENT))
3907 /* Continue writing the message we started earlier */
3908 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3909 || !TEST_size_t_eq(written, strlen(MSG1))
3910 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3911 SSL_EARLY_DATA_NOT_SENT)
3912 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3913 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3914 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
3915 || !TEST_size_t_eq(written, strlen(MSG2))
3916 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
3917 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3923 SSL_SESSION_free(clientpsk);
3924 SSL_SESSION_free(serverpsk);
3925 clientpsk = serverpsk = NULL;
3926 SSL_free(serverssl);
3927 SSL_free(clientssl);
3933 # endif /* OPENSSL_NO_TLS1_2 */
3936 * Test configuring the TLSv1.3 ciphersuites
3938 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
3939 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
3940 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
3941 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
3942 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3943 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3944 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
3945 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
3946 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
3947 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
3949 static int test_set_ciphersuite(int idx)
3951 SSL_CTX *cctx = NULL, *sctx = NULL;
3952 SSL *clientssl = NULL, *serverssl = NULL;
3955 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3956 TLS_client_method(), TLS1_VERSION, 0,
3957 &sctx, &cctx, cert, privkey))
3958 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3959 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
3962 if (idx >=4 && idx <= 7) {
3963 /* SSL_CTX explicit cipher list */
3964 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
3968 if (idx == 0 || idx == 4) {
3969 /* Default ciphersuite */
3970 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3971 "TLS_AES_128_GCM_SHA256")))
3973 } else if (idx == 1 || idx == 5) {
3974 /* Non default ciphersuite */
3975 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3976 "TLS_AES_128_CCM_SHA256")))
3980 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3981 &clientssl, NULL, NULL)))
3984 if (idx == 8 || idx == 9) {
3985 /* SSL explicit cipher list */
3986 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
3990 if (idx == 2 || idx == 6 || idx == 8) {
3991 /* Default ciphersuite */
3992 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3993 "TLS_AES_128_GCM_SHA256")))
3995 } else if (idx == 3 || idx == 7 || idx == 9) {
3996 /* Non default ciphersuite */
3997 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3998 "TLS_AES_128_CCM_SHA256")))
4002 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4008 SSL_free(serverssl);
4009 SSL_free(clientssl);
4016 static int test_ciphersuite_change(void)
4018 SSL_CTX *cctx = NULL, *sctx = NULL;
4019 SSL *clientssl = NULL, *serverssl = NULL;
4020 SSL_SESSION *clntsess = NULL;
4022 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4024 /* Create a session based on SHA-256 */
4025 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4026 TLS_client_method(), TLS1_VERSION, 0,
4027 &sctx, &cctx, cert, privkey))
4028 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4029 "TLS_AES_128_GCM_SHA256:"
4030 "TLS_AES_256_GCM_SHA384:"
4031 "TLS_AES_128_CCM_SHA256"))
4032 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4033 "TLS_AES_128_GCM_SHA256"))
4034 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4035 &clientssl, NULL, NULL))
4036 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4040 clntsess = SSL_get1_session(clientssl);
4041 /* Save for later */
4042 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4043 SSL_shutdown(clientssl);
4044 SSL_shutdown(serverssl);
4045 SSL_free(serverssl);
4046 SSL_free(clientssl);
4047 serverssl = clientssl = NULL;
4049 /* Check we can resume a session with a different SHA-256 ciphersuite */
4050 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4051 "TLS_AES_128_CCM_SHA256"))
4052 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4053 &clientssl, NULL, NULL))
4054 || !TEST_true(SSL_set_session(clientssl, clntsess))
4055 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4057 || !TEST_true(SSL_session_reused(clientssl)))
4060 SSL_SESSION_free(clntsess);
4061 clntsess = SSL_get1_session(clientssl);
4062 SSL_shutdown(clientssl);
4063 SSL_shutdown(serverssl);
4064 SSL_free(serverssl);
4065 SSL_free(clientssl);
4066 serverssl = clientssl = NULL;
4069 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4070 * succeeds but does not resume.
4072 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4073 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4075 || !TEST_true(SSL_set_session(clientssl, clntsess))
4076 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4078 || !TEST_false(SSL_session_reused(clientssl)))
4081 SSL_SESSION_free(clntsess);
4083 SSL_shutdown(clientssl);
4084 SSL_shutdown(serverssl);
4085 SSL_free(serverssl);
4086 SSL_free(clientssl);
4087 serverssl = clientssl = NULL;
4089 /* Create a session based on SHA384 */
4090 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4091 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4092 &clientssl, NULL, NULL))
4093 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4097 clntsess = SSL_get1_session(clientssl);
4098 SSL_shutdown(clientssl);
4099 SSL_shutdown(serverssl);
4100 SSL_free(serverssl);
4101 SSL_free(clientssl);
4102 serverssl = clientssl = NULL;
4104 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4105 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4106 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4107 "TLS_AES_256_GCM_SHA384"))
4108 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4110 || !TEST_true(SSL_set_session(clientssl, clntsess))
4112 * We use SSL_ERROR_WANT_READ below so that we can pause the
4113 * connection after the initial ClientHello has been sent to
4114 * enable us to make some session changes.
4116 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4117 SSL_ERROR_WANT_READ)))
4120 /* Trick the client into thinking this session is for a different digest */
4121 clntsess->cipher = aes_128_gcm_sha256;
4122 clntsess->cipher_id = clntsess->cipher->id;
4125 * Continue the previously started connection. Server has selected a SHA-384
4126 * ciphersuite, but client thinks the session is for SHA-256, so it should
4129 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4131 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4132 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4138 SSL_SESSION_free(clntsess);
4139 SSL_free(serverssl);
4140 SSL_free(clientssl);
4148 * Test TLSv1.3 Key exchange
4149 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4150 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4151 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4152 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4153 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4154 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4155 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4156 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4157 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4158 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4159 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4160 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4161 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4162 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4164 static int test_key_exchange(int idx)
4166 SSL_CTX *sctx = NULL, *cctx = NULL;
4167 SSL *serverssl = NULL, *clientssl = NULL;
4169 # ifndef OPENSSL_NO_EC
4170 int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4171 NID_secp521r1, NID_X25519, NID_X448};
4173 # ifndef OPENSSL_NO_DH
4174 int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4175 NID_ffdhe6144, NID_ffdhe8192};
4178 int *kexch_groups = &kexch_alg;
4179 int kexch_groups_size = 1;
4180 int max_version = TLS1_3_VERSION;
4183 # ifndef OPENSSL_NO_EC
4184 # ifndef OPENSSL_NO_TLS1_2
4186 max_version = TLS1_2_VERSION;
4190 kexch_groups = ecdhe_kexch_groups;
4191 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4194 kexch_alg = NID_X9_62_prime256v1;
4197 kexch_alg = NID_secp384r1;
4200 kexch_alg = NID_secp521r1;
4203 kexch_alg = NID_X25519;
4206 kexch_alg = NID_X448;
4209 # ifndef OPENSSL_NO_DH
4210 # ifndef OPENSSL_NO_TLS1_2
4212 max_version = TLS1_2_VERSION;
4216 kexch_groups = ffdhe_kexch_groups;
4217 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4220 kexch_alg = NID_ffdhe2048;
4223 kexch_alg = NID_ffdhe3072;
4226 kexch_alg = NID_ffdhe4096;
4229 kexch_alg = NID_ffdhe6144;
4232 kexch_alg = NID_ffdhe8192;
4236 /* We're skipping this test */
4240 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4241 TLS_client_method(), TLS1_VERSION,
4242 max_version, &sctx, &cctx, cert,
4246 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4247 TLS1_3_RFC_AES_128_GCM_SHA256)))
4250 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4251 TLS1_3_RFC_AES_128_GCM_SHA256)))
4254 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4255 TLS1_TXT_RSA_WITH_AES_128_SHA)))
4259 * Must include an EC ciphersuite so that we send supported groups in
4262 # ifndef OPENSSL_NO_TLS1_2
4263 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4264 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM ":"
4265 TLS1_TXT_RSA_WITH_AES_128_SHA)))
4269 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4273 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4274 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4277 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4281 * If Handshake succeeds the negotiated kexch alg should be the first one in
4282 * configured, except in the case of FFDHE groups (idx 13), which are
4283 * TLSv1.3 only so we expect no shared group to exist.
4285 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
4286 idx == 13 ? 0 : kexch_groups[0]))
4288 if (max_version == TLS1_3_VERSION) {
4289 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4291 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4297 SSL_free(serverssl);
4298 SSL_free(clientssl);
4305 * Test TLSv1.3 Cipher Suite
4306 * Test 0 = Set TLS1.3 cipher on context
4307 * Test 1 = Set TLS1.3 cipher on SSL
4308 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4309 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4311 static int test_tls13_ciphersuite(int idx)
4313 SSL_CTX *sctx = NULL, *cctx = NULL;
4314 SSL *serverssl = NULL, *clientssl = NULL;
4315 static const struct {
4316 const char *ciphername;
4319 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
4320 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
4321 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
4322 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4323 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4324 { TLS1_3_RFC_AES_256_GCM_SHA384
4325 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4327 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
4329 const char *t13_cipher = NULL;
4330 const char *t12_cipher = NULL;
4331 const char *negotiated_scipher;
4332 const char *negotiated_ccipher;
4348 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4352 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4356 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
4357 # ifdef OPENSSL_NO_TLS1_2
4358 if (max_ver == TLS1_2_VERSION)
4361 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4362 if (is_fips && !t13_ciphers[i].fipscapable)
4364 t13_cipher = t13_ciphers[i].ciphername;
4365 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4366 TLS_client_method(),
4367 TLS1_VERSION, max_ver,
4368 &sctx, &cctx, cert, privkey)))
4372 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
4373 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
4375 if (t12_cipher != NULL) {
4376 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
4377 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
4383 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4384 &clientssl, NULL, NULL)))
4388 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
4389 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
4391 if (t12_cipher != NULL) {
4392 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
4393 || !TEST_true(SSL_set_cipher_list(clientssl,
4399 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4403 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4405 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4407 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
4411 * TEST_strn_eq is used below because t13_cipher can contain
4412 * multiple ciphersuites
4414 if (max_ver == TLS1_3_VERSION
4415 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
4416 strlen(negotiated_scipher)))
4419 # ifndef OPENSSL_NO_TLS1_2
4420 /* Below validation is not done when t12_cipher is NULL */
4421 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
4422 && !TEST_str_eq(t12_cipher, negotiated_scipher))
4426 SSL_free(serverssl);
4428 SSL_free(clientssl);
4439 SSL_free(serverssl);
4440 SSL_free(clientssl);
4448 * Test 0 = Test new style callbacks
4449 * Test 1 = Test both new and old style callbacks
4450 * Test 2 = Test old style callbacks
4451 * Test 3 = Test old style callbacks with no certificate
4453 static int test_tls13_psk(int idx)
4455 SSL_CTX *sctx = NULL, *cctx = NULL;
4456 SSL *serverssl = NULL, *clientssl = NULL;
4457 const SSL_CIPHER *cipher = NULL;
4458 const unsigned char key[] = {
4459 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4460 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
4461 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
4462 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
4466 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4467 TLS_client_method(), TLS1_VERSION, 0,
4468 &sctx, &cctx, idx == 3 ? NULL : cert,
4469 idx == 3 ? NULL : privkey)))
4474 * We use a ciphersuite with SHA256 to ease testing old style PSK
4475 * callbacks which will always default to SHA256. This should not be
4476 * necessary if we have no cert/priv key. In that case the server should
4477 * prefer SHA256 automatically.
4479 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4480 "TLS_AES_128_GCM_SHA256")))
4484 * As noted above the server should prefer SHA256 automatically. However
4485 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
4486 * code works even if we are testing with only the FIPS provider loaded.
4488 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4489 "TLS_AES_256_GCM_SHA384:"
4490 "TLS_AES_128_GCM_SHA256")))
4495 * Test 0: New style callbacks only
4496 * Test 1: New and old style callbacks (only the new ones should be used)
4497 * Test 2: Old style callbacks only
4499 if (idx == 0 || idx == 1) {
4500 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
4501 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
4503 #ifndef OPENSSL_NO_PSK
4505 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
4506 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
4510 use_session_cb_cnt = 0;
4511 find_session_cb_cnt = 0;
4512 psk_client_cb_cnt = 0;
4513 psk_server_cb_cnt = 0;
4517 * Check we can create a connection if callback decides not to send a
4520 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4522 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4524 || !TEST_false(SSL_session_reused(clientssl))
4525 || !TEST_false(SSL_session_reused(serverssl)))
4528 if (idx == 0 || idx == 1) {
4529 if (!TEST_true(use_session_cb_cnt == 1)
4530 || !TEST_true(find_session_cb_cnt == 0)
4532 * If no old style callback then below should be 0
4535 || !TEST_true(psk_client_cb_cnt == idx)
4536 || !TEST_true(psk_server_cb_cnt == 0))
4539 if (!TEST_true(use_session_cb_cnt == 0)
4540 || !TEST_true(find_session_cb_cnt == 0)
4541 || !TEST_true(psk_client_cb_cnt == 1)
4542 || !TEST_true(psk_server_cb_cnt == 0))
4546 shutdown_ssl_connection(serverssl, clientssl);
4547 serverssl = clientssl = NULL;
4548 use_session_cb_cnt = psk_client_cb_cnt = 0;
4551 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4555 /* Create the PSK */
4556 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
4557 clientpsk = SSL_SESSION_new();
4558 if (!TEST_ptr(clientpsk)
4559 || !TEST_ptr(cipher)
4560 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
4562 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
4563 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
4565 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
4567 serverpsk = clientpsk;
4569 /* Check we can create a connection and the PSK is used */
4570 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4571 || !TEST_true(SSL_session_reused(clientssl))
4572 || !TEST_true(SSL_session_reused(serverssl)))
4575 if (idx == 0 || idx == 1) {
4576 if (!TEST_true(use_session_cb_cnt == 1)
4577 || !TEST_true(find_session_cb_cnt == 1)
4578 || !TEST_true(psk_client_cb_cnt == 0)
4579 || !TEST_true(psk_server_cb_cnt == 0))
4582 if (!TEST_true(use_session_cb_cnt == 0)
4583 || !TEST_true(find_session_cb_cnt == 0)
4584 || !TEST_true(psk_client_cb_cnt == 1)
4585 || !TEST_true(psk_server_cb_cnt == 1))
4589 shutdown_ssl_connection(serverssl, clientssl);
4590 serverssl = clientssl = NULL;
4591 use_session_cb_cnt = find_session_cb_cnt = 0;
4592 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4594 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4599 #if defined(OPENSSL_NO_EC)
4600 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
4603 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
4608 * Check we can create a connection, the PSK is used and the callbacks are
4611 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4612 || !TEST_true(SSL_session_reused(clientssl))
4613 || !TEST_true(SSL_session_reused(serverssl)))
4616 if (idx == 0 || idx == 1) {
4617 if (!TEST_true(use_session_cb_cnt == 2)
4618 || !TEST_true(find_session_cb_cnt == 2)
4619 || !TEST_true(psk_client_cb_cnt == 0)
4620 || !TEST_true(psk_server_cb_cnt == 0))
4623 if (!TEST_true(use_session_cb_cnt == 0)
4624 || !TEST_true(find_session_cb_cnt == 0)
4625 || !TEST_true(psk_client_cb_cnt == 2)
4626 || !TEST_true(psk_server_cb_cnt == 2))
4630 shutdown_ssl_connection(serverssl, clientssl);
4631 serverssl = clientssl = NULL;
4632 use_session_cb_cnt = find_session_cb_cnt = 0;
4633 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4637 * Check that if the server rejects the PSK we can still connect, but with
4640 srvid = "Dummy Identity";
4641 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4643 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4645 || !TEST_false(SSL_session_reused(clientssl))
4646 || !TEST_false(SSL_session_reused(serverssl)))
4649 if (idx == 0 || idx == 1) {
4650 if (!TEST_true(use_session_cb_cnt == 1)
4651 || !TEST_true(find_session_cb_cnt == 1)
4652 || !TEST_true(psk_client_cb_cnt == 0)
4654 * If no old style callback then below should be 0
4657 || !TEST_true(psk_server_cb_cnt == idx))
4660 if (!TEST_true(use_session_cb_cnt == 0)
4661 || !TEST_true(find_session_cb_cnt == 0)
4662 || !TEST_true(psk_client_cb_cnt == 1)
4663 || !TEST_true(psk_server_cb_cnt == 1))
4667 shutdown_ssl_connection(serverssl, clientssl);
4668 serverssl = clientssl = NULL;
4673 SSL_SESSION_free(clientpsk);
4674 SSL_SESSION_free(serverpsk);
4675 clientpsk = serverpsk = NULL;
4676 SSL_free(serverssl);
4677 SSL_free(clientssl);
4683 static unsigned char cookie_magic_value[] = "cookie magic";
4685 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
4686 unsigned int *cookie_len)
4689 * Not suitable as a real cookie generation function but good enough for
4692 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
4693 *cookie_len = sizeof(cookie_magic_value) - 1;
4698 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
4699 unsigned int cookie_len)
4701 if (cookie_len == sizeof(cookie_magic_value) - 1
4702 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
4708 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
4712 int res = generate_cookie_callback(ssl, cookie, &temp);
4717 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
4720 return verify_cookie_callback(ssl, cookie, cookie_len);
4723 static int test_stateless(void)
4725 SSL_CTX *sctx = NULL, *cctx = NULL;
4726 SSL *serverssl = NULL, *clientssl = NULL;
4729 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4730 TLS_client_method(), TLS1_VERSION, 0,
4731 &sctx, &cctx, cert, privkey)))
4734 /* The arrival of CCS messages can confuse the test */
4735 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
4737 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4739 /* Send the first ClientHello */
4740 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4741 SSL_ERROR_WANT_READ))
4743 * This should fail with a -1 return because we have no callbacks
4746 || !TEST_int_eq(SSL_stateless(serverssl), -1))
4749 /* Fatal error so abandon the connection from this client */
4750 SSL_free(clientssl);
4753 /* Set up the cookie generation and verification callbacks */
4754 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
4755 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
4758 * Create a new connection from the client (we can reuse the server SSL
4761 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4763 /* Send the first ClientHello */
4764 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4765 SSL_ERROR_WANT_READ))
4766 /* This should fail because there is no cookie */
4767 || !TEST_int_eq(SSL_stateless(serverssl), 0))
4770 /* Abandon the connection from this client */
4771 SSL_free(clientssl);
4775 * Now create a connection from a new client but with the same server SSL
4778 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4780 /* Send the first ClientHello */
4781 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4782 SSL_ERROR_WANT_READ))
4783 /* This should fail because there is no cookie */
4784 || !TEST_int_eq(SSL_stateless(serverssl), 0)
4785 /* Send the second ClientHello */
4786 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4787 SSL_ERROR_WANT_READ))
4788 /* This should succeed because a cookie is now present */
4789 || !TEST_int_eq(SSL_stateless(serverssl), 1)
4790 /* Complete the connection */
4791 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4795 shutdown_ssl_connection(serverssl, clientssl);
4796 serverssl = clientssl = NULL;
4800 SSL_free(serverssl);
4801 SSL_free(clientssl);
4807 #endif /* OPENSSL_NO_TLS1_3 */
4809 static int clntaddoldcb = 0;
4810 static int clntparseoldcb = 0;
4811 static int srvaddoldcb = 0;
4812 static int srvparseoldcb = 0;
4813 static int clntaddnewcb = 0;
4814 static int clntparsenewcb = 0;
4815 static int srvaddnewcb = 0;
4816 static int srvparsenewcb = 0;
4817 static int snicb = 0;
4819 #define TEST_EXT_TYPE1 0xff00
4821 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
4822 size_t *outlen, int *al, void *add_arg)
4824 int *server = (int *)add_arg;
4825 unsigned char *data;
4827 if (SSL_is_server(s))
4832 if (*server != SSL_is_server(s)
4833 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4838 *outlen = sizeof(char);
4842 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
4845 OPENSSL_free((unsigned char *)out);
4848 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
4849 size_t inlen, int *al, void *parse_arg)
4851 int *server = (int *)parse_arg;
4853 if (SSL_is_server(s))
4858 if (*server != SSL_is_server(s)
4859 || inlen != sizeof(char)
4866 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
4867 const unsigned char **out, size_t *outlen, X509 *x,
4868 size_t chainidx, int *al, void *add_arg)
4870 int *server = (int *)add_arg;
4871 unsigned char *data;
4873 if (SSL_is_server(s))
4878 if (*server != SSL_is_server(s)
4879 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4884 *outlen = sizeof(*data);
4888 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
4889 const unsigned char *out, void *add_arg)
4891 OPENSSL_free((unsigned char *)out);
4894 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
4895 const unsigned char *in, size_t inlen, X509 *x,
4896 size_t chainidx, int *al, void *parse_arg)
4898 int *server = (int *)parse_arg;
4900 if (SSL_is_server(s))
4905 if (*server != SSL_is_server(s)
4906 || inlen != sizeof(char) || *in != 1)
4912 static int sni_cb(SSL *s, int *al, void *arg)
4914 SSL_CTX *ctx = (SSL_CTX *)arg;
4916 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
4917 *al = SSL_AD_INTERNAL_ERROR;
4918 return SSL_TLSEXT_ERR_ALERT_FATAL;
4921 return SSL_TLSEXT_ERR_OK;
4925 * Custom call back tests.
4926 * Test 0: Old style callbacks in TLSv1.2
4927 * Test 1: New style callbacks in TLSv1.2
4928 * Test 2: New style callbacks in TLSv1.2 with SNI
4929 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
4930 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
4932 static int test_custom_exts(int tst)
4934 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4935 SSL *clientssl = NULL, *serverssl = NULL;
4937 static int server = 1;
4938 static int client = 0;
4939 SSL_SESSION *sess = NULL;
4940 unsigned int context;
4942 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
4943 /* Skip tests for TLSv1.2 and below in this case */
4948 /* Reset callback counters */
4949 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
4950 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
4953 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4954 TLS_client_method(), TLS1_VERSION, 0,
4955 &sctx, &cctx, cert, privkey)))
4959 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
4961 &sctx2, NULL, cert, privkey)))
4966 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
4967 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
4969 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
4973 context = SSL_EXT_CLIENT_HELLO
4974 | SSL_EXT_TLS1_2_SERVER_HELLO
4975 | SSL_EXT_TLS1_3_SERVER_HELLO
4976 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
4977 | SSL_EXT_TLS1_3_CERTIFICATE
4978 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
4980 context = SSL_EXT_CLIENT_HELLO
4981 | SSL_EXT_TLS1_2_SERVER_HELLO
4982 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
4985 /* Create a client side custom extension */
4987 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4988 old_add_cb, old_free_cb,
4989 &client, old_parse_cb,
4993 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
4994 new_add_cb, new_free_cb,
4995 &client, new_parse_cb, &client)))
4999 /* Should not be able to add duplicates */
5000 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5001 old_add_cb, old_free_cb,
5002 &client, old_parse_cb,
5004 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5005 context, new_add_cb,
5006 new_free_cb, &client,
5007 new_parse_cb, &client)))
5010 /* Create a server side custom extension */
5012 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5013 old_add_cb, old_free_cb,
5014 &server, old_parse_cb,
5018 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5019 new_add_cb, new_free_cb,
5020 &server, new_parse_cb, &server)))
5023 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5024 context, new_add_cb,
5025 new_free_cb, &server,
5026 new_parse_cb, &server)))
5030 /* Should not be able to add duplicates */
5031 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5032 old_add_cb, old_free_cb,
5033 &server, old_parse_cb,
5035 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5036 context, new_add_cb,
5037 new_free_cb, &server,
5038 new_parse_cb, &server)))
5043 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5044 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5048 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5049 &clientssl, NULL, NULL))
5050 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5055 if (clntaddoldcb != 1
5056 || clntparseoldcb != 1
5058 || srvparseoldcb != 1)
5060 } else if (tst == 1 || tst == 2 || tst == 3) {
5061 if (clntaddnewcb != 1
5062 || clntparsenewcb != 1
5064 || srvparsenewcb != 1
5065 || (tst != 2 && snicb != 0)
5066 || (tst == 2 && snicb != 1))
5069 /* In this case there 2 NewSessionTicket messages created */
5070 if (clntaddnewcb != 1
5071 || clntparsenewcb != 5
5073 || srvparsenewcb != 1)
5077 sess = SSL_get1_session(clientssl);
5078 SSL_shutdown(clientssl);
5079 SSL_shutdown(serverssl);
5080 SSL_free(serverssl);
5081 SSL_free(clientssl);
5082 serverssl = clientssl = NULL;
5085 /* We don't bother with the resumption aspects for this test */
5090 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5092 || !TEST_true(SSL_set_session(clientssl, sess))
5093 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5098 * For a resumed session we expect to add the ClientHello extension. For the
5099 * old style callbacks we ignore it on the server side because they set
5100 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5104 if (clntaddoldcb != 2
5105 || clntparseoldcb != 1
5107 || srvparseoldcb != 1)
5109 } else if (tst == 1 || tst == 2 || tst == 3) {
5110 if (clntaddnewcb != 2
5111 || clntparsenewcb != 2
5113 || srvparsenewcb != 2)
5117 * No Certificate message extensions in the resumption handshake,
5118 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5120 if (clntaddnewcb != 2
5121 || clntparsenewcb != 8
5123 || srvparsenewcb != 2)
5130 SSL_SESSION_free(sess);
5131 SSL_free(serverssl);
5132 SSL_free(clientssl);
5133 SSL_CTX_free(sctx2);
5140 * Test loading of serverinfo data in various formats. test_sslmessages actually
5141 * tests to make sure the extensions appear in the handshake
5143 static int test_serverinfo(int tst)
5145 unsigned int version;
5146 unsigned char *sibuf;
5148 int ret, expected, testresult = 0;
5151 ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method());
5155 if ((tst & 0x01) == 0x01)
5156 version = SSL_SERVERINFOV2;
5158 version = SSL_SERVERINFOV1;
5160 if ((tst & 0x02) == 0x02) {
5161 sibuf = serverinfov2;
5162 sibuflen = sizeof(serverinfov2);
5163 expected = (version == SSL_SERVERINFOV2);
5165 sibuf = serverinfov1;
5166 sibuflen = sizeof(serverinfov1);
5167 expected = (version == SSL_SERVERINFOV1);
5170 if ((tst & 0x04) == 0x04) {
5171 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
5173 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
5176 * The version variable is irrelevant in this case - it's what is in the
5177 * buffer that matters
5179 if ((tst & 0x02) == 0x02)
5185 if (!TEST_true(ret == expected))
5197 * Test that SSL_export_keying_material() produces expected results. There are
5198 * no test vectors so all we do is test that both sides of the communication
5199 * produce the same results for different protocol versions.
5201 #define SMALL_LABEL_LEN 10
5202 #define LONG_LABEL_LEN 249
5203 static int test_export_key_mat(int tst)
5206 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5207 SSL *clientssl = NULL, *serverssl = NULL;
5208 const char label[LONG_LABEL_LEN + 1] = "test label";
5209 const unsigned char context[] = "context";
5210 const unsigned char *emptycontext = NULL;
5211 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
5212 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
5214 const int protocols[] = {
5223 #ifdef OPENSSL_NO_TLS1
5227 #ifdef OPENSSL_NO_TLS1_1
5231 if (is_fips && (tst == 0 || tst == 1))
5233 #ifdef OPENSSL_NO_TLS1_2
5237 #ifdef OPENSSL_NO_TLS1_3
5241 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5242 TLS_client_method(), TLS1_VERSION, 0,
5243 &sctx, &cctx, cert, privkey)))
5246 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
5247 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
5248 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
5250 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5252 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5258 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
5261 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5262 sizeof(ckeymat1), label,
5263 LONG_LABEL_LEN + 1, context,
5264 sizeof(context) - 1, 1), 0))
5269 } else if (tst == 4) {
5270 labellen = LONG_LABEL_LEN;
5272 labellen = SMALL_LABEL_LEN;
5275 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
5276 sizeof(ckeymat1), label,
5278 sizeof(context) - 1, 1), 1)
5279 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
5280 sizeof(ckeymat2), label,
5284 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
5285 sizeof(ckeymat3), label,
5288 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
5289 sizeof(skeymat1), label,
5292 sizeof(context) -1, 1),
5294 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
5295 sizeof(skeymat2), label,
5299 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
5300 sizeof(skeymat3), label,
5304 * Check that both sides created the same key material with the
5307 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5310 * Check that both sides created the same key material with an
5313 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5316 * Check that both sides created the same key material without a
5319 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
5321 /* Different contexts should produce different results */
5322 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5327 * Check that an empty context and no context produce different results in
5328 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
5330 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
5332 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
5339 SSL_free(serverssl);
5340 SSL_free(clientssl);
5341 SSL_CTX_free(sctx2);
5348 #ifndef OPENSSL_NO_TLS1_3
5350 * Test that SSL_export_keying_material_early() produces expected
5351 * results. There are no test vectors so all we do is test that both
5352 * sides of the communication produce the same results for different
5353 * protocol versions.
5355 static int test_export_key_mat_early(int idx)
5357 static const char label[] = "test label";
5358 static const unsigned char context[] = "context";
5360 SSL_CTX *cctx = NULL, *sctx = NULL;
5361 SSL *clientssl = NULL, *serverssl = NULL;
5362 SSL_SESSION *sess = NULL;
5363 const unsigned char *emptycontext = NULL;
5364 unsigned char ckeymat1[80], ckeymat2[80];
5365 unsigned char skeymat1[80], skeymat2[80];
5366 unsigned char buf[1];
5367 size_t readbytes, written;
5369 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
5373 /* Here writing 0 length early data is enough. */
5374 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
5375 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
5377 SSL_READ_EARLY_DATA_ERROR)
5378 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5379 SSL_EARLY_DATA_ACCEPTED))
5382 if (!TEST_int_eq(SSL_export_keying_material_early(
5383 clientssl, ckeymat1, sizeof(ckeymat1), label,
5384 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5385 || !TEST_int_eq(SSL_export_keying_material_early(
5386 clientssl, ckeymat2, sizeof(ckeymat2), label,
5387 sizeof(label) - 1, emptycontext, 0), 1)
5388 || !TEST_int_eq(SSL_export_keying_material_early(
5389 serverssl, skeymat1, sizeof(skeymat1), label,
5390 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5391 || !TEST_int_eq(SSL_export_keying_material_early(
5392 serverssl, skeymat2, sizeof(skeymat2), label,
5393 sizeof(label) - 1, emptycontext, 0), 1)
5395 * Check that both sides created the same key material with the
5398 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5401 * Check that both sides created the same key material with an
5404 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5406 /* Different contexts should produce different results */
5407 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5414 SSL_SESSION_free(sess);
5415 SSL_SESSION_free(clientpsk);
5416 SSL_SESSION_free(serverpsk);
5417 clientpsk = serverpsk = NULL;
5418 SSL_free(serverssl);
5419 SSL_free(clientssl);
5426 #define NUM_KEY_UPDATE_MESSAGES 40
5430 static int test_key_update(void)
5432 SSL_CTX *cctx = NULL, *sctx = NULL;
5433 SSL *clientssl = NULL, *serverssl = NULL;
5434 int testresult = 0, i, j;
5436 static char *mess = "A test message";
5438 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5439 TLS_client_method(),
5442 &sctx, &cctx, cert, privkey))
5443 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5445 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5449 for (j = 0; j < 2; j++) {
5450 /* Send lots of KeyUpdate messages */
5451 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
5452 if (!TEST_true(SSL_key_update(clientssl,
5454 ? SSL_KEY_UPDATE_NOT_REQUESTED
5455 : SSL_KEY_UPDATE_REQUESTED))
5456 || !TEST_true(SSL_do_handshake(clientssl)))
5460 /* Check that sending and receiving app data is ok */
5461 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
5462 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
5466 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
5467 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
5475 SSL_free(serverssl);
5476 SSL_free(clientssl);
5484 * Test we can handle a KeyUpdate (update requested) message while write data
5486 * Test 0: Client sends KeyUpdate while Server is writing
5487 * Test 1: Server sends KeyUpdate while Client is writing
5489 static int test_key_update_in_write(int tst)
5491 SSL_CTX *cctx = NULL, *sctx = NULL;
5492 SSL *clientssl = NULL, *serverssl = NULL;
5495 static char *mess = "A test message";
5496 BIO *bretry = BIO_new(bio_s_always_retry());
5498 SSL *peerupdate = NULL, *peerwrite = NULL;
5500 if (!TEST_ptr(bretry)
5501 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5502 TLS_client_method(),
5505 &sctx, &cctx, cert, privkey))
5506 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5508 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5512 peerupdate = tst == 0 ? clientssl : serverssl;
5513 peerwrite = tst == 0 ? serverssl : clientssl;
5515 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
5516 || !TEST_true(SSL_do_handshake(peerupdate)))
5519 /* Swap the writing endpoint's write BIO to force a retry */
5520 tmp = SSL_get_wbio(peerwrite);
5521 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
5525 SSL_set0_wbio(peerwrite, bretry);
5528 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
5529 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
5530 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
5533 /* Reinstate the original writing endpoint's write BIO */
5534 SSL_set0_wbio(peerwrite, tmp);
5537 /* Now read some data - we will read the key update */
5538 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
5539 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
5543 * Complete the write we started previously and read it from the other
5546 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5547 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5550 /* Write more data to ensure we send the KeyUpdate message back */
5551 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5552 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5558 SSL_free(serverssl);
5559 SSL_free(clientssl);
5567 #endif /* OPENSSL_NO_TLS1_3 */
5569 static int test_ssl_clear(int idx)
5571 SSL_CTX *cctx = NULL, *sctx = NULL;
5572 SSL *clientssl = NULL, *serverssl = NULL;
5575 #ifdef OPENSSL_NO_TLS1_2
5580 /* Create an initial connection */
5581 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5582 TLS_client_method(), TLS1_VERSION, 0,
5583 &sctx, &cctx, cert, privkey))
5585 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
5587 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5588 &clientssl, NULL, NULL))
5589 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5593 SSL_shutdown(clientssl);
5594 SSL_shutdown(serverssl);
5595 SSL_free(serverssl);
5598 /* Clear clientssl - we're going to reuse the object */
5599 if (!TEST_true(SSL_clear(clientssl)))
5602 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5604 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5606 || !TEST_true(SSL_session_reused(clientssl)))
5609 SSL_shutdown(clientssl);
5610 SSL_shutdown(serverssl);
5615 SSL_free(serverssl);
5616 SSL_free(clientssl);
5623 /* Parse CH and retrieve any MFL extension value if present */
5624 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
5627 unsigned char *data;
5628 PACKET pkt, pkt2, pkt3;
5629 unsigned int MFL_code = 0, type = 0;
5631 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
5634 memset(&pkt, 0, sizeof(pkt));
5635 memset(&pkt2, 0, sizeof(pkt2));
5636 memset(&pkt3, 0, sizeof(pkt3));
5638 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
5639 /* Skip the record header */
5640 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
5641 /* Skip the handshake message header */
5642 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
5643 /* Skip client version and random */
5644 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
5645 + SSL3_RANDOM_SIZE))
5646 /* Skip session id */
5647 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5649 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
5650 /* Skip compression */
5651 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5652 /* Extensions len */
5653 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
5656 /* Loop through all extensions */
5657 while (PACKET_remaining(&pkt2)) {
5658 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
5659 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
5662 if (type == TLSEXT_TYPE_max_fragment_length) {
5663 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
5664 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
5667 *mfl_codemfl_code = MFL_code;
5676 /* Maximum-Fragment-Length TLS extension mode to test */
5677 static const unsigned char max_fragment_len_test[] = {
5678 TLSEXT_max_fragment_length_512,
5679 TLSEXT_max_fragment_length_1024,
5680 TLSEXT_max_fragment_length_2048,
5681 TLSEXT_max_fragment_length_4096
5684 static int test_max_fragment_len_ext(int idx_tst)
5688 int testresult = 0, MFL_mode = 0;
5691 ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method());
5695 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
5696 ctx, max_fragment_len_test[idx_tst])))
5703 rbio = BIO_new(BIO_s_mem());
5704 wbio = BIO_new(BIO_s_mem());
5705 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
5711 SSL_set_bio(con, rbio, wbio);
5712 SSL_set_connect_state(con);
5714 if (!TEST_int_le(SSL_connect(con), 0)) {
5715 /* This shouldn't succeed because we don't have a server! */
5719 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
5720 /* no MFL in client hello */
5722 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
5734 #ifndef OPENSSL_NO_TLS1_3
5735 static int test_pha_key_update(void)
5737 SSL_CTX *cctx = NULL, *sctx = NULL;
5738 SSL *clientssl = NULL, *serverssl = NULL;
5741 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5742 TLS_client_method(), TLS1_VERSION, 0,
5743 &sctx, &cctx, cert, privkey)))
5746 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
5747 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
5748 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
5749 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
5752 SSL_CTX_set_post_handshake_auth(cctx, 1);
5754 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5758 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5762 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
5763 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
5766 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
5769 /* Start handshake on the server */
5770 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
5773 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
5774 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5778 SSL_shutdown(clientssl);
5779 SSL_shutdown(serverssl);
5784 SSL_free(serverssl);
5785 SSL_free(clientssl);
5792 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5794 static SRP_VBASE *vbase = NULL;
5796 DEFINE_STACK_OF(SRP_user_pwd)
5798 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
5800 int ret = SSL3_AL_FATAL;
5802 SRP_user_pwd *user = NULL;
5804 username = SSL_get_srp_username(s);
5805 if (username == NULL) {
5806 *ad = SSL_AD_INTERNAL_ERROR;
5810 user = SRP_VBASE_get1_by_user(vbase, username);
5812 *ad = SSL_AD_INTERNAL_ERROR;
5816 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
5818 *ad = SSL_AD_INTERNAL_ERROR;
5825 SRP_user_pwd_free(user);
5829 static int create_new_vfile(char *userid, char *password, const char *filename)
5832 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
5835 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
5838 if (!TEST_ptr(dummy) || !TEST_ptr(row))
5841 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
5842 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
5843 if (!TEST_ptr(gNid))
5847 * The only way to create an empty TXT_DB is to provide a BIO with no data
5850 db = TXT_DB_read(dummy, DB_NUMBER);
5854 out = BIO_new_file(filename, "w");
5858 row[DB_srpid] = OPENSSL_strdup(userid);
5859 row[DB_srptype] = OPENSSL_strdup("V");
5860 row[DB_srpgN] = OPENSSL_strdup(gNid);
5862 if (!TEST_ptr(row[DB_srpid])
5863 || !TEST_ptr(row[DB_srptype])
5864 || !TEST_ptr(row[DB_srpgN])
5865 || !TEST_true(TXT_DB_insert(db, row)))
5870 if (!TXT_DB_write(out, db))
5876 for (i = 0; i < DB_NUMBER; i++)
5877 OPENSSL_free(row[i]);
5887 static int create_new_vbase(char *userid, char *password)
5889 BIGNUM *verifier = NULL, *salt = NULL;
5890 const SRP_gN *lgN = NULL;
5891 SRP_user_pwd *user_pwd = NULL;
5894 lgN = SRP_get_default_gN(NULL);
5898 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
5899 lgN->N, lgN->g, libctx, NULL)))
5902 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
5903 if (!TEST_ptr(user_pwd))
5906 user_pwd->N = lgN->N;
5907 user_pwd->g = lgN->g;
5908 user_pwd->id = OPENSSL_strdup(userid);
5909 if (!TEST_ptr(user_pwd->id))
5912 user_pwd->v = verifier;
5914 verifier = salt = NULL;
5916 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
5922 SRP_user_pwd_free(user_pwd);
5932 * Test 0: Simple successful SRP connection, new vbase
5933 * Test 1: Connection failure due to bad password, new vbase
5934 * Test 2: Simple successful SRP connection, vbase loaded from existing file
5935 * Test 3: Connection failure due to bad password, vbase loaded from existing
5937 * Test 4: Simple successful SRP connection, vbase loaded from new file
5938 * Test 5: Connection failure due to bad password, vbase loaded from new file
5940 static int test_srp(int tst)
5942 char *userid = "test", *password = "password", *tstsrpfile;
5943 SSL_CTX *cctx = NULL, *sctx = NULL;
5944 SSL *clientssl = NULL, *serverssl = NULL;
5945 int ret, testresult = 0;
5947 vbase = SRP_VBASE_new(NULL);
5948 if (!TEST_ptr(vbase))
5951 if (tst == 0 || tst == 1) {
5952 if (!TEST_true(create_new_vbase(userid, password)))
5955 if (tst == 4 || tst == 5) {
5956 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
5958 tstsrpfile = tmpfilename;
5960 tstsrpfile = srpvfile;
5962 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
5966 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5967 TLS_client_method(), TLS1_VERSION, 0,
5968 &sctx, &cctx, cert, privkey)))
5971 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
5972 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
5973 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
5974 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
5975 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
5979 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
5982 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
5986 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5990 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
5992 if (!TEST_true(tst % 2 == 0))
5995 if (!TEST_true(tst % 2 == 1))
6002 SRP_VBASE_free(vbase);
6004 SSL_free(serverssl);
6005 SSL_free(clientssl);
6013 static int info_cb_failed = 0;
6014 static int info_cb_offset = 0;
6015 static int info_cb_this_state = -1;
6017 static struct info_cb_states_st {
6019 const char *statestr;
6020 } info_cb_states[][60] = {
6022 /* TLSv1.2 server followed by resumption */
6023 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6024 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6025 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
6026 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
6027 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
6028 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6029 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6030 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6031 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
6032 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6033 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
6034 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6035 {SSL_CB_EXIT, NULL}, {0, NULL},
6037 /* TLSv1.2 client followed by resumption */
6038 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6039 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6040 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
6041 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
6042 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
6043 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6044 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6045 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6046 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6047 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6048 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6049 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
6051 /* TLSv1.3 server followed by resumption */
6052 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6053 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6054 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
6055 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
6056 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
6057 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6058 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6059 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6060 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6061 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6062 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
6063 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6064 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
6066 /* TLSv1.3 client followed by resumption */
6067 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6068 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6069 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
6070 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
6071 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6072 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6073 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
6074 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
6075 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6076 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
6077 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6078 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6079 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6080 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
6081 {SSL_CB_EXIT, NULL}, {0, NULL},
6083 /* TLSv1.3 server, early_data */
6084 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6085 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6086 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6087 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6088 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6089 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
6090 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6091 {SSL_CB_EXIT, NULL}, {0, NULL},
6093 /* TLSv1.3 client, early_data */
6094 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6095 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
6096 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6097 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6098 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6099 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
6100 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6101 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6102 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
6108 static void sslapi_info_callback(const SSL *s, int where, int ret)
6110 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
6112 /* We do not ever expect a connection to fail in this test */
6113 if (!TEST_false(ret == 0)) {
6119 * Do some sanity checks. We never expect these things to happen in this
6122 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
6123 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
6124 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
6129 /* Now check we're in the right state */
6130 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
6134 if ((where & SSL_CB_LOOP) != 0
6135 && !TEST_int_eq(strcmp(SSL_state_string(s),
6136 state[info_cb_this_state].statestr), 0)) {
6142 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
6144 if ((where & SSL_CB_HANDSHAKE_DONE)
6145 && SSL_in_init((SSL *)s) != 0) {
6152 * Test the info callback gets called when we expect it to.
6154 * Test 0: TLSv1.2, server
6155 * Test 1: TLSv1.2, client
6156 * Test 2: TLSv1.3, server
6157 * Test 3: TLSv1.3, client
6158 * Test 4: TLSv1.3, server, early_data
6159 * Test 5: TLSv1.3, client, early_data
6161 static int test_info_callback(int tst)
6163 SSL_CTX *cctx = NULL, *sctx = NULL;
6164 SSL *clientssl = NULL, *serverssl = NULL;
6165 SSL_SESSION *clntsess = NULL;
6170 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
6171 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
6172 || !defined(OPENSSL_NO_DH))
6173 tlsvers = TLS1_2_VERSION;
6178 #ifndef OPENSSL_NO_TLS1_3
6179 tlsvers = TLS1_3_VERSION;
6187 info_cb_this_state = -1;
6188 info_cb_offset = tst;
6190 #ifndef OPENSSL_NO_TLS1_3
6192 SSL_SESSION *sess = NULL;
6193 size_t written, readbytes;
6194 unsigned char buf[80];
6196 /* early_data tests */
6197 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
6198 &serverssl, &sess, 0)))
6201 /* We don't actually need this reference */
6202 SSL_SESSION_free(sess);
6204 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
6205 sslapi_info_callback);
6207 /* Write and read some early data and then complete the connection */
6208 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
6210 || !TEST_size_t_eq(written, strlen(MSG1))
6211 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
6212 sizeof(buf), &readbytes),
6213 SSL_READ_EARLY_DATA_SUCCESS)
6214 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
6215 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6216 SSL_EARLY_DATA_ACCEPTED)
6217 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6219 || !TEST_false(info_cb_failed))
6227 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6228 TLS_client_method(),
6229 tlsvers, tlsvers, &sctx, &cctx, cert,
6234 * For even numbered tests we check the server callbacks. For odd numbers we
6237 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
6238 sslapi_info_callback);
6240 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6241 &clientssl, NULL, NULL))
6242 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6244 || !TEST_false(info_cb_failed))
6249 clntsess = SSL_get1_session(clientssl);
6250 SSL_shutdown(clientssl);
6251 SSL_shutdown(serverssl);
6252 SSL_free(serverssl);
6253 SSL_free(clientssl);
6254 serverssl = clientssl = NULL;
6256 /* Now do a resumption */
6257 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6259 || !TEST_true(SSL_set_session(clientssl, clntsess))
6260 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6262 || !TEST_true(SSL_session_reused(clientssl))
6263 || !TEST_false(info_cb_failed))
6269 SSL_free(serverssl);
6270 SSL_free(clientssl);
6271 SSL_SESSION_free(clntsess);
6277 static int test_ssl_pending(int tst)
6279 SSL_CTX *cctx = NULL, *sctx = NULL;
6280 SSL *clientssl = NULL, *serverssl = NULL;
6282 char msg[] = "A test message";
6284 size_t written, readbytes;
6287 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6288 TLS_client_method(),
6290 &sctx, &cctx, cert, privkey)))
6293 #ifndef OPENSSL_NO_DTLS
6294 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
6295 DTLS_client_method(),
6297 &sctx, &cctx, cert, privkey)))
6304 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6306 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6310 if (!TEST_int_eq(SSL_pending(clientssl), 0)
6311 || !TEST_false(SSL_has_pending(clientssl))
6312 || !TEST_int_eq(SSL_pending(serverssl), 0)
6313 || !TEST_false(SSL_has_pending(serverssl))
6314 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6315 || !TEST_size_t_eq(written, sizeof(msg))
6316 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
6317 || !TEST_size_t_eq(readbytes, sizeof(buf))
6318 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
6319 || !TEST_true(SSL_has_pending(clientssl)))
6325 SSL_free(serverssl);
6326 SSL_free(clientssl);
6334 unsigned int maxprot;
6335 const char *clntciphers;
6336 const char *clnttls13ciphers;
6337 const char *srvrciphers;
6338 const char *srvrtls13ciphers;
6340 const char *fipsshared;
6341 } shared_ciphers_data[] = {
6343 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
6344 * TLSv1.3 is enabled but TLSv1.2 is disabled.
6346 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
6349 "AES128-SHA:AES256-SHA",
6351 "AES256-SHA:DHE-RSA-AES128-SHA",
6356 # if !defined(OPENSSL_NO_CHACHA) \
6357 && !defined(OPENSSL_NO_POLY1305) \
6358 && !defined(OPENSSL_NO_EC)
6361 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6363 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6365 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6371 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
6373 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
6375 "AES128-SHA:AES256-SHA",
6376 "AES128-SHA:AES256-SHA"
6380 "AES128-SHA:AES256-SHA",
6382 "AES128-SHA:DHE-RSA-AES128-SHA",
6389 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
6392 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
6393 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
6396 "AES128-SHA:AES256-SHA",
6398 "AES256-SHA:AES128-SHA256",
6400 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
6401 "TLS_AES_128_GCM_SHA256:AES256-SHA",
6402 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
6405 #ifndef OPENSSL_NO_TLS1_3
6409 "TLS_AES_256_GCM_SHA384",
6411 "TLS_AES_256_GCM_SHA384",
6412 "TLS_AES_256_GCM_SHA384",
6413 "TLS_AES_256_GCM_SHA384"
6418 static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
6420 SSL_CTX *cctx = NULL, *sctx = NULL;
6421 SSL *clientssl = NULL, *serverssl = NULL;
6424 OPENSSL_CTX *tmplibctx = OPENSSL_CTX_new();
6426 if (!TEST_ptr(tmplibctx))
6430 * Regardless of whether we're testing with the FIPS provider loaded into
6431 * libctx, we want one peer to always use the full set of ciphersuites
6432 * available. Therefore we use a separate libctx with the default provider
6433 * loaded into it. We run the same tests twice - once with the client side
6434 * having the full set of ciphersuites and once with the server side.
6437 cctx = SSL_CTX_new_with_libctx(tmplibctx, NULL, TLS_client_method());
6438 if (!TEST_ptr(cctx))
6441 sctx = SSL_CTX_new_with_libctx(tmplibctx, NULL, TLS_server_method());
6442 if (!TEST_ptr(sctx))
6446 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6447 TLS_client_method(),
6449 shared_ciphers_data[tst].maxprot,
6450 &sctx, &cctx, cert, privkey)))
6453 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
6454 shared_ciphers_data[tst].clntciphers))
6455 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
6456 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
6457 shared_ciphers_data[tst].clnttls13ciphers)))
6458 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
6459 shared_ciphers_data[tst].srvrciphers))
6460 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
6461 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
6462 shared_ciphers_data[tst].srvrtls13ciphers))))
6466 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6468 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6472 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
6473 || !TEST_int_eq(strcmp(buf,
6475 ? shared_ciphers_data[tst].fipsshared
6476 : shared_ciphers_data[tst].shared),
6478 TEST_info("Shared ciphers are: %s\n", buf);
6485 SSL_free(serverssl);
6486 SSL_free(clientssl);
6489 OPENSSL_CTX_free(tmplibctx);
6494 static int test_ssl_get_shared_ciphers(int tst)
6496 return int_test_ssl_get_shared_ciphers(tst, 0)
6497 && int_test_ssl_get_shared_ciphers(tst, 1);
6501 static const char *appdata = "Hello World";
6502 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
6503 static int tick_key_renew = 0;
6504 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6506 static int gen_tick_cb(SSL *s, void *arg)
6508 gen_tick_called = 1;
6510 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
6514 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
6515 const unsigned char *keyname,
6516 size_t keyname_length,
6517 SSL_TICKET_STATUS status,
6523 dec_tick_called = 1;
6525 if (status == SSL_TICKET_EMPTY)
6526 return SSL_TICKET_RETURN_IGNORE_RENEW;
6528 if (!TEST_true(status == SSL_TICKET_SUCCESS
6529 || status == SSL_TICKET_SUCCESS_RENEW))
6530 return SSL_TICKET_RETURN_ABORT;
6532 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
6534 || !TEST_size_t_eq(tickdlen, strlen(appdata))
6535 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
6536 return SSL_TICKET_RETURN_ABORT;
6538 if (tick_key_cb_called) {
6539 /* Don't change what the ticket key callback wanted to do */
6541 case SSL_TICKET_NO_DECRYPT:
6542 return SSL_TICKET_RETURN_IGNORE_RENEW;
6544 case SSL_TICKET_SUCCESS:
6545 return SSL_TICKET_RETURN_USE;
6547 case SSL_TICKET_SUCCESS_RENEW:
6548 return SSL_TICKET_RETURN_USE_RENEW;
6551 return SSL_TICKET_RETURN_ABORT;
6554 return tick_dec_ret;
6558 #ifndef OPENSSL_NO_DEPRECATED_3_0
6559 static int tick_key_cb(SSL *s, unsigned char key_name[16],
6560 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
6561 HMAC_CTX *hctx, int enc)
6563 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6564 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
6565 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6566 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
6569 tick_key_cb_called = 1;
6570 memset(iv, 0, AES_BLOCK_SIZE);
6571 memset(key_name, 0, 16);
6572 if (aes128cbc == NULL
6574 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
6575 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
6579 ret = tick_key_renew ? 2 : 1;
6581 EVP_CIPHER_free(aes128cbc);
6582 EVP_MD_free(sha256);
6588 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
6589 unsigned char iv[EVP_MAX_IV_LENGTH],
6590 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
6592 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6593 unsigned char tick_hmac_key[16] = "0123456789abcdef";
6594 OSSL_PARAM params[3];
6595 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6598 tick_key_cb_called = 1;
6599 memset(iv, 0, AES_BLOCK_SIZE);
6600 memset(key_name, 0, 16);
6601 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
6603 params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
6605 sizeof(tick_hmac_key));
6606 params[2] = OSSL_PARAM_construct_end();
6607 if (aes128cbc == NULL
6608 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
6609 || !EVP_MAC_CTX_set_params(hctx, params)
6610 || !EVP_MAC_init(hctx))
6613 ret = tick_key_renew ? 2 : 1;
6615 EVP_CIPHER_free(aes128cbc);
6621 * Test the various ticket callbacks
6622 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
6623 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
6624 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
6625 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
6626 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
6627 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
6628 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
6629 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
6630 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
6631 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
6632 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
6633 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
6634 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
6635 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
6636 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
6637 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
6639 static int test_ticket_callbacks(int tst)
6641 SSL_CTX *cctx = NULL, *sctx = NULL;
6642 SSL *clientssl = NULL, *serverssl = NULL;
6643 SSL_SESSION *clntsess = NULL;
6646 #ifdef OPENSSL_NO_TLS1_2
6650 #ifdef OPENSSL_NO_TLS1_3
6654 #ifdef OPENSSL_NO_DEPRECATED_3_0
6655 if (tst >= 8 && tst <= 11)
6659 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
6661 /* Which tests the ticket key callback should request renewal for */
6662 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
6667 /* Which tests the decrypt ticket callback should request renewal for */
6671 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
6676 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
6681 tick_dec_ret = SSL_TICKET_RETURN_USE;
6686 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
6690 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6693 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6694 TLS_client_method(),
6696 ((tst % 2) == 0) ? TLS1_2_VERSION
6698 &sctx, &cctx, cert, privkey)))
6702 * We only want sessions to resume from tickets - not the session cache. So
6703 * switch the cache off.
6705 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
6708 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
6713 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
6715 #ifndef OPENSSL_NO_DEPRECATED_3_0
6716 } else if (tst >= 8) {
6717 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
6722 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6724 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6729 * The decrypt ticket key callback in TLSv1.2 should be called even though
6730 * we have no ticket yet, because it gets called with a status of
6731 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
6732 * actually send any ticket data). This does not happen in TLSv1.3 because
6733 * it is not valid to send empty ticket data in TLSv1.3.
6735 if (!TEST_int_eq(gen_tick_called, 1)
6736 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
6739 gen_tick_called = dec_tick_called = 0;
6741 clntsess = SSL_get1_session(clientssl);
6742 SSL_shutdown(clientssl);
6743 SSL_shutdown(serverssl);
6744 SSL_free(serverssl);
6745 SSL_free(clientssl);
6746 serverssl = clientssl = NULL;
6748 /* Now do a resumption */
6749 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6751 || !TEST_true(SSL_set_session(clientssl, clntsess))
6752 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6756 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
6757 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
6758 if (!TEST_false(SSL_session_reused(clientssl)))
6761 if (!TEST_true(SSL_session_reused(clientssl)))
6765 if (!TEST_int_eq(gen_tick_called,
6767 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
6768 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
6770 || !TEST_int_eq(dec_tick_called, 1))
6776 SSL_SESSION_free(clntsess);
6777 SSL_free(serverssl);
6778 SSL_free(clientssl);
6786 * Test incorrect shutdown.
6787 * Test 0: client does not shutdown properly,
6788 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
6789 * server should get SSL_ERROR_SSL
6790 * Test 1: client does not shutdown properly,
6791 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
6792 * server should get SSL_ERROR_ZERO_RETURN
6794 static int test_incorrect_shutdown(int tst)
6796 SSL_CTX *cctx = NULL, *sctx = NULL;
6797 SSL *clientssl = NULL, *serverssl = NULL;
6802 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6803 TLS_client_method(), 0, 0,
6804 &sctx, &cctx, cert, privkey)))
6808 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
6810 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6814 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6818 c2s = SSL_get_rbio(serverssl);
6819 BIO_set_mem_eof_return(c2s, 0);
6821 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
6824 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
6826 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
6832 SSL_free(serverssl);
6833 SSL_free(clientssl);
6841 * Test bi-directional shutdown.
6843 * Test 1: TLSv1.2, server continues to read/write after client shutdown
6844 * Test 2: TLSv1.3, no pending NewSessionTicket messages
6845 * Test 3: TLSv1.3, pending NewSessionTicket messages
6846 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
6847 * sends key update, client reads it
6848 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
6849 * sends CertificateRequest, client reads and ignores it
6850 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
6853 static int test_shutdown(int tst)
6855 SSL_CTX *cctx = NULL, *sctx = NULL;
6856 SSL *clientssl = NULL, *serverssl = NULL;
6858 char msg[] = "A test message";
6860 size_t written, readbytes;
6863 #ifdef OPENSSL_NO_TLS1_2
6867 #ifdef OPENSSL_NO_TLS1_3
6872 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6873 TLS_client_method(),
6875 (tst <= 1) ? TLS1_2_VERSION
6877 &sctx, &cctx, cert, privkey)))
6881 SSL_CTX_set_post_handshake_auth(cctx, 1);
6883 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6888 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
6890 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6891 || !TEST_false(SSL_SESSION_is_resumable(sess)))
6893 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6895 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6896 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
6900 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
6905 * Reading on the server after the client has sent close_notify should
6906 * fail and provide SSL_ERROR_ZERO_RETURN
6908 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
6909 || !TEST_int_eq(SSL_get_error(serverssl, 0),
6910 SSL_ERROR_ZERO_RETURN)
6911 || !TEST_int_eq(SSL_get_shutdown(serverssl),
6912 SSL_RECEIVED_SHUTDOWN)
6914 * Even though we're shutdown on receive we should still be
6917 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6920 && !TEST_true(SSL_key_update(serverssl,
6921 SSL_KEY_UPDATE_REQUESTED)))
6924 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6925 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6928 if ((tst == 4 || tst == 5)
6929 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6931 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
6933 if (tst == 4 || tst == 5) {
6934 /* Should still be able to read data from server */
6935 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6937 || !TEST_size_t_eq(readbytes, sizeof(msg))
6938 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
6939 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6941 || !TEST_size_t_eq(readbytes, sizeof(msg))
6942 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
6947 /* Writing on the client after sending close_notify shouldn't be possible */
6948 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
6953 * For these tests the client has sent close_notify but it has not yet
6954 * been received by the server. The server has not sent close_notify
6957 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
6959 * Writing on the server after sending close_notify shouldn't
6962 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6963 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
6964 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6965 || !TEST_true(SSL_SESSION_is_resumable(sess))
6966 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
6968 } else if (tst == 4 || tst == 5) {
6970 * In this test the client has sent close_notify and it has been
6971 * received by the server which has responded with a close_notify. The
6972 * client needs to read the close_notify sent by the server.
6974 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
6975 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6976 || !TEST_true(SSL_SESSION_is_resumable(sess)))
6982 * The client has sent close_notify and is expecting a close_notify
6983 * back, but instead there is application data first. The shutdown
6984 * should fail with a fatal error.
6986 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
6987 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
6994 SSL_free(serverssl);
6995 SSL_free(clientssl);
7002 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
7003 static int cert_cb_cnt;
7005 static int cert_cb(SSL *s, void *arg)
7007 SSL_CTX *ctx = (SSL_CTX *)arg;
7009 EVP_PKEY *pkey = NULL;
7010 X509 *x509 = NULL, *rootx = NULL;
7011 STACK_OF(X509) *chain = NULL;
7012 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
7015 if (cert_cb_cnt == 0) {
7016 /* Suspend the handshake */
7019 } else if (cert_cb_cnt == 1) {
7021 * Update the SSL_CTX, set the certificate and private key and then
7022 * continue the handshake normally.
7024 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
7027 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
7028 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
7030 || !TEST_true(SSL_check_private_key(s)))
7034 } else if (cert_cb_cnt == 3) {
7037 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
7038 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
7039 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
7040 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
7042 chain = sk_X509_new_null();
7043 if (!TEST_ptr(chain))
7045 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7046 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
7047 || !TEST_ptr(rootx = PEM_read_bio_X509(in, NULL, NULL, NULL))
7048 || !TEST_true(sk_X509_push(chain, rootx)))
7052 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7053 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
7054 || !TEST_ptr(x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)))
7057 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7058 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
7059 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL)))
7061 rv = SSL_check_chain(s, x509, pkey, chain);
7063 * If the cert doesn't show as valid here (e.g., because we don't
7064 * have any shared sigalgs), then we will not set it, and there will
7065 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
7066 * will cause tls_choose_sigalgs() to fail the connection.
7068 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
7069 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
7070 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
7077 /* Abort the handshake */
7079 OPENSSL_free(ecdsacert);
7080 OPENSSL_free(ecdsakey);
7081 OPENSSL_free(rootfile);
7083 EVP_PKEY_free(pkey);
7086 sk_X509_pop_free(chain, X509_free);
7091 * Test the certificate callback.
7092 * Test 0: Callback fails
7093 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
7094 * Test 2: Success - SSL_set_SSL_CTX() in the callback
7095 * Test 3: Success - Call SSL_check_chain from the callback
7096 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
7098 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
7100 static int test_cert_cb_int(int prot, int tst)
7102 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
7103 SSL *clientssl = NULL, *serverssl = NULL;
7104 int testresult = 0, ret;
7106 #ifdef OPENSSL_NO_EC
7107 /* We use an EC cert in these tests, so we skip in a no-ec build */
7112 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7113 TLS_client_method(),
7116 &sctx, &cctx, NULL, NULL)))
7127 snictx = SSL_CTX_new(TLS_server_method());
7128 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
7130 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7136 * We cause SSL_check_chain() to fail by specifying sig_algs that
7137 * the chain doesn't meet (the root uses an RSA cert)
7139 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7140 "ecdsa_secp256r1_sha256")))
7142 } else if (tst == 5) {
7144 * We cause SSL_check_chain() to fail by specifying sig_algs that
7145 * the ee cert doesn't meet (the ee uses an ECDSA cert)
7147 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7148 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
7152 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7153 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
7155 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
7162 SSL_free(serverssl);
7163 SSL_free(clientssl);
7166 SSL_CTX_free(snictx);
7172 static int test_cert_cb(int tst)
7176 #ifndef OPENSSL_NO_TLS1_2
7177 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
7179 #ifndef OPENSSL_NO_TLS1_3
7180 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
7186 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
7192 /* Check that SSL_get_peer_certificate() returns something sensible */
7193 peer = SSL_get_peer_certificate(ssl);
7194 if (!TEST_ptr(peer))
7198 in = BIO_new_file(cert, "r");
7202 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
7204 if (!TEST_ptr(xcert))
7207 in = BIO_new_file(privkey, "r");
7208 if (!TEST_ptr(in)) {
7213 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
7215 if (!TEST_ptr(privpkey)) {
7226 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
7231 static int test_client_cert_cb(int tst)
7233 SSL_CTX *cctx = NULL, *sctx = NULL;
7234 SSL *clientssl = NULL, *serverssl = NULL;
7237 #ifdef OPENSSL_NO_TLS1_2
7241 #ifdef OPENSSL_NO_TLS1_3
7246 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7247 TLS_client_method(),
7249 tst == 0 ? TLS1_2_VERSION
7251 &sctx, &cctx, cert, privkey)))
7255 * Test that setting a client_cert_cb results in a client certificate being
7258 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
7259 SSL_CTX_set_verify(sctx,
7260 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
7263 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7265 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7272 SSL_free(serverssl);
7273 SSL_free(clientssl);
7280 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
7282 * Test setting certificate authorities on both client and server.
7284 * Test 0: SSL_CTX_set0_CA_list() only
7285 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
7286 * Test 2: Only SSL_CTX_set_client_CA_list()
7288 static int test_ca_names_int(int prot, int tst)
7290 SSL_CTX *cctx = NULL, *sctx = NULL;
7291 SSL *clientssl = NULL, *serverssl = NULL;
7294 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
7295 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
7296 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
7297 const STACK_OF(X509_NAME) *sktmp = NULL;
7299 for (i = 0; i < OSSL_NELEM(name); i++) {
7300 name[i] = X509_NAME_new();
7301 if (!TEST_ptr(name[i])
7302 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
7310 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7311 TLS_client_method(),
7314 &sctx, &cctx, cert, privkey)))
7317 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
7319 if (tst == 0 || tst == 1) {
7320 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7321 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
7322 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
7323 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7324 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
7325 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
7328 SSL_CTX_set0_CA_list(sctx, sk1);
7329 SSL_CTX_set0_CA_list(cctx, sk2);
7332 if (tst == 1 || tst == 2) {
7333 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7334 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
7335 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
7336 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7337 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
7338 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
7341 SSL_CTX_set_client_CA_list(sctx, sk1);
7342 SSL_CTX_set_client_CA_list(cctx, sk2);
7346 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7348 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7353 * We only expect certificate authorities to have been sent to the server
7354 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
7356 sktmp = SSL_get0_peer_CA_list(serverssl);
7357 if (prot == TLS1_3_VERSION
7358 && (tst == 0 || tst == 1)) {
7359 if (!TEST_ptr(sktmp)
7360 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7361 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7363 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7366 } else if (!TEST_ptr_null(sktmp)) {
7371 * In all tests we expect certificate authorities to have been sent to the
7372 * client. However, SSL_set_client_CA_list() should override
7373 * SSL_set0_CA_list()
7375 sktmp = SSL_get0_peer_CA_list(clientssl);
7376 if (!TEST_ptr(sktmp)
7377 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7378 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7379 name[tst == 0 ? 0 : 2]), 0)
7380 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7381 name[tst == 0 ? 1 : 3]), 0))
7387 SSL_free(serverssl);
7388 SSL_free(clientssl);
7391 for (i = 0; i < OSSL_NELEM(name); i++)
7392 X509_NAME_free(name[i]);
7393 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
7394 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
7400 static int test_ca_names(int tst)
7404 #ifndef OPENSSL_NO_TLS1_2
7405 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
7407 #ifndef OPENSSL_NO_TLS1_3
7408 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
7414 #ifndef OPENSSL_NO_TLS1_2
7415 static const char *multiblock_cipherlist_data[]=
7423 /* Reduce the fragment size - so the multiblock test buffer can be small */
7424 # define MULTIBLOCK_FRAGSIZE 512
7426 static int test_multiblock_write(int test_index)
7428 static const char *fetchable_ciphers[]=
7430 "AES-128-CBC-HMAC-SHA1",
7431 "AES-128-CBC-HMAC-SHA256",
7432 "AES-256-CBC-HMAC-SHA1",
7433 "AES-256-CBC-HMAC-SHA256"
7435 const char *cipherlist = multiblock_cipherlist_data[test_index];
7436 const SSL_METHOD *smeth = TLS_server_method();
7437 const SSL_METHOD *cmeth = TLS_client_method();
7438 int min_version = TLS1_VERSION;
7439 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
7440 SSL_CTX *cctx = NULL, *sctx = NULL;
7441 SSL *clientssl = NULL, *serverssl = NULL;
7445 * Choose a buffer large enough to perform a multi-block operation
7446 * i.e: write_len >= 4 * frag_size
7447 * 9 * is chosen so that multiple multiblocks are used + some leftover.
7449 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
7450 unsigned char buf[sizeof(msg)], *p = buf;
7451 size_t readbytes, written, len;
7452 EVP_CIPHER *ciph = NULL;
7455 * Check if the cipher exists before attempting to use it since it only has
7456 * a hardware specific implementation.
7458 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
7460 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
7463 EVP_CIPHER_free(ciph);
7465 /* Set up a buffer with some data that will be sent to the client */
7466 RAND_bytes(msg, sizeof(msg));
7468 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
7469 max_version, &sctx, &cctx, cert,
7473 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
7476 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7480 /* settings to force it to use AES-CBC-HMAC_SHA */
7481 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
7482 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
7485 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7488 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7489 || !TEST_size_t_eq(written, sizeof(msg)))
7494 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
7499 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
7504 SSL_free(serverssl);
7505 SSL_free(clientssl);
7511 #endif /* OPENSSL_NO_TLS1_2 */
7514 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
7515 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
7516 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
7517 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
7518 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
7519 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
7520 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
7521 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
7522 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
7523 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
7525 static int test_servername(int tst)
7527 SSL_CTX *cctx = NULL, *sctx = NULL;
7528 SSL *clientssl = NULL, *serverssl = NULL;
7530 SSL_SESSION *sess = NULL;
7531 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
7533 #ifdef OPENSSL_NO_TLS1_2
7537 #ifdef OPENSSL_NO_TLS1_3
7542 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7543 TLS_client_method(),
7545 (tst <= 4) ? TLS1_2_VERSION
7547 &sctx, &cctx, cert, privkey))
7548 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7552 if (tst != 1 && tst != 6) {
7553 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
7558 if (tst != 3 && tst != 8) {
7559 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7561 sexpectedhost = cexpectedhost = "goodhost";
7564 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7567 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
7569 || !TEST_str_eq(SSL_get_servername(serverssl,
7570 TLSEXT_NAMETYPE_host_name),
7574 /* Now repeat with a resumption handshake */
7576 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
7577 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
7578 || !TEST_true(SSL_SESSION_is_resumable(sess))
7579 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
7582 SSL_free(clientssl);
7583 SSL_free(serverssl);
7584 clientssl = serverssl = NULL;
7586 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7590 if (!TEST_true(SSL_set_session(clientssl, sess)))
7593 sexpectedhost = cexpectedhost = "goodhost";
7594 if (tst == 2 || tst == 7) {
7595 /* Set an inconsistent hostname */
7596 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
7599 * In TLSv1.2 we expect the hostname from the original handshake, in
7600 * TLSv1.3 we expect the hostname from this handshake
7603 sexpectedhost = cexpectedhost = "altgoodhost";
7605 if (!TEST_str_eq(SSL_get_servername(clientssl,
7606 TLSEXT_NAMETYPE_host_name),
7609 } else if (tst == 4 || tst == 9) {
7611 * A TLSv1.3 session does not associate a session with a servername,
7612 * but a TLSv1.2 session does.
7615 sexpectedhost = cexpectedhost = NULL;
7617 if (!TEST_str_eq(SSL_get_servername(clientssl,
7618 TLSEXT_NAMETYPE_host_name),
7622 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7625 * In a TLSv1.2 resumption where the hostname was not acknowledged
7626 * we expect the hostname on the server to be empty. On the client we
7627 * return what was requested in this case.
7629 * Similarly if the client didn't set a hostname on an original TLSv1.2
7630 * session but is now, the server hostname will be empty, but the client
7633 if (tst == 1 || tst == 3)
7634 sexpectedhost = NULL;
7636 if (!TEST_str_eq(SSL_get_servername(clientssl,
7637 TLSEXT_NAMETYPE_host_name),
7642 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7645 if (!TEST_true(SSL_session_reused(clientssl))
7646 || !TEST_true(SSL_session_reused(serverssl))
7647 || !TEST_str_eq(SSL_get_servername(clientssl,
7648 TLSEXT_NAMETYPE_host_name),
7650 || !TEST_str_eq(SSL_get_servername(serverssl,
7651 TLSEXT_NAMETYPE_host_name),
7658 SSL_SESSION_free(sess);
7659 SSL_free(serverssl);
7660 SSL_free(clientssl);
7667 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
7669 int setup_tests(void)
7674 libctx = OPENSSL_CTX_new();
7675 if (!TEST_ptr(libctx))
7678 defctxnull = OSSL_PROVIDER_load(NULL, "null");
7681 * Verify that the default and fips providers in the default libctx are not
7684 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
7685 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
7688 if (!test_skip_common_options()) {
7689 TEST_error("Error parsing test options\n");
7693 if (!TEST_ptr(certsdir = test_get_argument(0))
7694 || !TEST_ptr(srpvfile = test_get_argument(1))
7695 || !TEST_ptr(tmpfilename = test_get_argument(2))
7696 || !TEST_ptr(modulename = test_get_argument(3))
7697 || !TEST_ptr(configfile = test_get_argument(4)))
7700 if (!TEST_true(OPENSSL_CTX_load_config(libctx, configfile)))
7703 /* Check we have the expected provider available */
7704 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
7707 /* Check the default provider is not available */
7708 if (strcmp(modulename, "default") != 0
7709 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
7712 if (strcmp(modulename, "fips") == 0)
7715 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
7716 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
7717 TEST_error("not supported in this build");
7720 int i, mcount, rcount, fcount;
7722 for (i = 0; i < 4; i++)
7723 test_export_key_mat(i);
7724 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
7725 test_printf_stdout("malloc %d realloc %d free %d\n",
7726 mcount, rcount, fcount);
7731 cert = test_mk_file_path(certsdir, "servercert.pem");
7735 privkey = test_mk_file_path(certsdir, "serverkey.pem");
7736 if (privkey == NULL) {
7741 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
7742 && !defined(OPENSSL_NO_SOCK)
7743 ADD_TEST(test_ktls_no_txrx_client_no_txrx_server);
7744 ADD_TEST(test_ktls_no_rx_client_no_txrx_server);
7745 ADD_TEST(test_ktls_no_tx_client_no_txrx_server);
7746 ADD_TEST(test_ktls_client_no_txrx_server);
7747 ADD_TEST(test_ktls_no_txrx_client_no_rx_server);
7748 ADD_TEST(test_ktls_no_rx_client_no_rx_server);
7749 ADD_TEST(test_ktls_no_tx_client_no_rx_server);
7750 ADD_TEST(test_ktls_client_no_rx_server);
7751 ADD_TEST(test_ktls_no_txrx_client_no_tx_server);
7752 ADD_TEST(test_ktls_no_rx_client_no_tx_server);
7753 ADD_TEST(test_ktls_no_tx_client_no_tx_server);
7754 ADD_TEST(test_ktls_client_no_tx_server);
7755 ADD_TEST(test_ktls_no_txrx_client_server);
7756 ADD_TEST(test_ktls_no_rx_client_server);
7757 ADD_TEST(test_ktls_no_tx_client_server);
7758 ADD_TEST(test_ktls_client_server);
7759 ADD_TEST(test_ktls_sendfile);
7761 ADD_TEST(test_large_message_tls);
7762 ADD_TEST(test_large_message_tls_read_ahead);
7763 #ifndef OPENSSL_NO_DTLS
7764 ADD_TEST(test_large_message_dtls);
7766 #ifndef OPENSSL_NO_OCSP
7767 ADD_TEST(test_tlsext_status_type);
7769 ADD_TEST(test_session_with_only_int_cache);
7770 ADD_TEST(test_session_with_only_ext_cache);
7771 ADD_TEST(test_session_with_both_cache);
7772 ADD_TEST(test_session_wo_ca_names);
7773 #ifndef OPENSSL_NO_TLS1_3
7774 ADD_ALL_TESTS(test_stateful_tickets, 3);
7775 ADD_ALL_TESTS(test_stateless_tickets, 3);
7776 ADD_TEST(test_psk_tickets);
7777 ADD_ALL_TESTS(test_extra_tickets, 6);
7779 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
7780 ADD_TEST(test_ssl_bio_pop_next_bio);
7781 ADD_TEST(test_ssl_bio_pop_ssl_bio);
7782 ADD_TEST(test_ssl_bio_change_rbio);
7783 ADD_TEST(test_ssl_bio_change_wbio);
7784 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
7785 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
7786 ADD_TEST(test_keylog);
7788 #ifndef OPENSSL_NO_TLS1_3
7789 ADD_TEST(test_keylog_no_master_key);
7791 #ifndef OPENSSL_NO_TLS1_2
7792 ADD_TEST(test_client_hello_cb);
7793 ADD_TEST(test_no_ems);
7794 ADD_TEST(test_ccs_change_cipher);
7796 #ifndef OPENSSL_NO_TLS1_3
7797 ADD_ALL_TESTS(test_early_data_read_write, 3);
7799 * We don't do replay tests for external PSK. Replay protection isn't used
7802 ADD_ALL_TESTS(test_early_data_replay, 2);
7803 ADD_ALL_TESTS(test_early_data_skip, 3);
7804 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
7805 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
7806 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
7807 ADD_ALL_TESTS(test_early_data_not_sent, 3);
7808 ADD_ALL_TESTS(test_early_data_psk, 8);
7809 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
7810 ADD_ALL_TESTS(test_early_data_not_expected, 3);
7811 # ifndef OPENSSL_NO_TLS1_2
7812 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
7815 #ifndef OPENSSL_NO_TLS1_3
7816 ADD_ALL_TESTS(test_set_ciphersuite, 10);
7817 ADD_TEST(test_ciphersuite_change);
7818 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
7819 # ifdef OPENSSL_NO_PSK
7820 ADD_ALL_TESTS(test_tls13_psk, 1);
7822 ADD_ALL_TESTS(test_tls13_psk, 4);
7823 # endif /* OPENSSL_NO_PSK */
7824 # ifndef OPENSSL_NO_TLS1_2
7825 /* Test with both TLSv1.3 and 1.2 versions */
7826 ADD_ALL_TESTS(test_key_exchange, 14);
7828 /* Test with only TLSv1.3 versions */
7829 ADD_ALL_TESTS(test_key_exchange, 12);
7831 ADD_ALL_TESTS(test_custom_exts, 5);
7832 ADD_TEST(test_stateless);
7833 ADD_TEST(test_pha_key_update);
7835 ADD_ALL_TESTS(test_custom_exts, 3);
7837 ADD_ALL_TESTS(test_serverinfo, 8);
7838 ADD_ALL_TESTS(test_export_key_mat, 6);
7839 #ifndef OPENSSL_NO_TLS1_3
7840 ADD_ALL_TESTS(test_export_key_mat_early, 3);
7841 ADD_TEST(test_key_update);
7842 ADD_ALL_TESTS(test_key_update_in_write, 2);
7844 ADD_ALL_TESTS(test_ssl_clear, 2);
7845 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
7846 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7847 ADD_ALL_TESTS(test_srp, 6);
7849 ADD_ALL_TESTS(test_info_callback, 6);
7850 ADD_ALL_TESTS(test_ssl_pending, 2);
7851 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
7852 ADD_ALL_TESTS(test_ticket_callbacks, 16);
7853 ADD_ALL_TESTS(test_shutdown, 7);
7854 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
7855 ADD_ALL_TESTS(test_cert_cb, 6);
7856 ADD_ALL_TESTS(test_client_cert_cb, 2);
7857 ADD_ALL_TESTS(test_ca_names, 3);
7858 #ifndef OPENSSL_NO_TLS1_2
7859 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
7861 ADD_ALL_TESTS(test_servername, 10);
7865 void cleanup_tests(void)
7868 OPENSSL_free(privkey);
7869 bio_s_mempacket_test_free();
7870 bio_s_always_retry_free();
7871 OSSL_PROVIDER_unload(defctxnull);
7872 OPENSSL_CTX_free(libctx);
projects / openssl.git / blob