2 * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/core_dispatch.h>
32 #include <openssl/provider.h>
33 #include <openssl/param_build.h>
34 #include <openssl/x509v3.h>
35 #include <openssl/dh.h>
36 #include <openssl/engine.h>
38 #include "helpers/ssltestlib.h"
40 #include "testutil/output.h"
41 #include "internal/nelem.h"
42 #include "internal/ktls.h"
43 #include "../ssl/ssl_local.h"
44 #include "../ssl/record/methods/recmethod_local.h"
45 #include "filterprov.h"
47 #undef OSSL_NO_USABLE_TLS1_3
48 #if defined(OPENSSL_NO_TLS1_3) \
49 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
51 * If we don't have ec or dh then there are no built-in groups that are usable
54 # define OSSL_NO_USABLE_TLS1_3
57 /* Defined in tls-provider.c */
58 int tls_provider_init(const OSSL_CORE_HANDLE *handle,
59 const OSSL_DISPATCH *in,
60 const OSSL_DISPATCH **out,
63 static OSSL_LIB_CTX *libctx = NULL;
64 static OSSL_PROVIDER *defctxnull = NULL;
66 #ifndef OSSL_NO_USABLE_TLS1_3
68 static SSL_SESSION *clientpsk = NULL;
69 static SSL_SESSION *serverpsk = NULL;
70 static const char *pskid = "Identity";
71 static const char *srvid;
73 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
74 size_t *idlen, SSL_SESSION **sess);
75 static int find_session_cb(SSL *ssl, const unsigned char *identity,
76 size_t identity_len, SSL_SESSION **sess);
78 static int use_session_cb_cnt = 0;
79 static int find_session_cb_cnt = 0;
81 static SSL_SESSION *create_a_psk(SSL *ssl, size_t mdsize);
84 static char *certsdir = NULL;
85 static char *cert = NULL;
86 static char *privkey = NULL;
87 static char *cert2 = NULL;
88 static char *privkey2 = NULL;
89 static char *cert1024 = NULL;
90 static char *privkey1024 = NULL;
91 static char *cert3072 = NULL;
92 static char *privkey3072 = NULL;
93 static char *cert4096 = NULL;
94 static char *privkey4096 = NULL;
95 static char *cert8192 = NULL;
96 static char *privkey8192 = NULL;
97 static char *srpvfile = NULL;
98 static char *tmpfilename = NULL;
99 static char *dhfile = NULL;
101 static int is_fips = 0;
102 static int fips_ems_check = 0;
104 #define LOG_BUFFER_SIZE 2048
105 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
106 static size_t server_log_buffer_index = 0;
107 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
108 static size_t client_log_buffer_index = 0;
109 static int error_writing_log = 0;
111 #ifndef OPENSSL_NO_OCSP
112 static const unsigned char orespder[] = "Dummy OCSP Response";
113 static int ocsp_server_called = 0;
114 static int ocsp_client_called = 0;
116 static int cdummyarg = 1;
117 static X509 *ocspcert = NULL;
120 #define NUM_EXTRA_CERTS 40
121 #define CLIENT_VERSION_LEN 2
124 * This structure is used to validate that the correct number of log messages
125 * of various types are emitted when emitting secret logs.
127 struct sslapitest_log_counts {
128 unsigned int rsa_key_exchange_count;
129 unsigned int master_secret_count;
130 unsigned int client_early_secret_count;
131 unsigned int client_handshake_secret_count;
132 unsigned int server_handshake_secret_count;
133 unsigned int client_application_secret_count;
134 unsigned int server_application_secret_count;
135 unsigned int early_exporter_secret_count;
136 unsigned int exporter_secret_count;
140 static int hostname_cb(SSL *s, int *al, void *arg)
142 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
144 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
145 || strcmp(hostname, "altgoodhost") == 0))
146 return SSL_TLSEXT_ERR_OK;
148 return SSL_TLSEXT_ERR_NOACK;
151 static void client_keylog_callback(const SSL *ssl, const char *line)
153 int line_length = strlen(line);
155 /* If the log doesn't fit, error out. */
156 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
157 TEST_info("Client log too full");
158 error_writing_log = 1;
162 strcat(client_log_buffer, line);
163 client_log_buffer_index += line_length;
164 client_log_buffer[client_log_buffer_index++] = '\n';
167 static void server_keylog_callback(const SSL *ssl, const char *line)
169 int line_length = strlen(line);
171 /* If the log doesn't fit, error out. */
172 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
173 TEST_info("Server log too full");
174 error_writing_log = 1;
178 strcat(server_log_buffer, line);
179 server_log_buffer_index += line_length;
180 server_log_buffer[server_log_buffer_index++] = '\n';
183 static int compare_hex_encoded_buffer(const char *hex_encoded,
191 if (!TEST_size_t_eq(raw_length * 2, hex_length))
194 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
195 sprintf(hexed, "%02x", raw[i]);
196 if (!TEST_int_eq(hexed[0], hex_encoded[j])
197 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
204 static int test_keylog_output(char *buffer, const SSL *ssl,
205 const SSL_SESSION *session,
206 struct sslapitest_log_counts *expected)
209 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
210 size_t client_random_size = SSL3_RANDOM_SIZE;
211 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
212 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
213 unsigned int rsa_key_exchange_count = 0;
214 unsigned int master_secret_count = 0;
215 unsigned int client_early_secret_count = 0;
216 unsigned int client_handshake_secret_count = 0;
217 unsigned int server_handshake_secret_count = 0;
218 unsigned int client_application_secret_count = 0;
219 unsigned int server_application_secret_count = 0;
220 unsigned int early_exporter_secret_count = 0;
221 unsigned int exporter_secret_count = 0;
223 for (token = strtok(buffer, " \n"); token != NULL;
224 token = strtok(NULL, " \n")) {
225 if (strcmp(token, "RSA") == 0) {
227 * Premaster secret. Tokens should be: 16 ASCII bytes of
228 * hex-encoded encrypted secret, then the hex-encoded pre-master
231 if (!TEST_ptr(token = strtok(NULL, " \n")))
233 if (!TEST_size_t_eq(strlen(token), 16))
235 if (!TEST_ptr(token = strtok(NULL, " \n")))
238 * We can't sensibly check the log because the premaster secret is
239 * transient, and OpenSSL doesn't keep hold of it once the master
240 * secret is generated.
242 rsa_key_exchange_count++;
243 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
245 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
246 * client random, then the hex-encoded master secret.
248 client_random_size = SSL_get_client_random(ssl,
249 actual_client_random,
251 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
254 if (!TEST_ptr(token = strtok(NULL, " \n")))
256 if (!TEST_size_t_eq(strlen(token), 64))
258 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
259 actual_client_random,
260 client_random_size)))
263 if (!TEST_ptr(token = strtok(NULL, " \n")))
265 master_key_size = SSL_SESSION_get_master_key(session,
268 if (!TEST_size_t_ne(master_key_size, 0))
270 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
274 master_secret_count++;
275 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
276 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
277 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
278 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
279 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
280 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
281 || strcmp(token, "EXPORTER_SECRET") == 0) {
283 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
284 * client random, and then the hex-encoded secret. In this case,
285 * we treat all of these secrets identically and then just
286 * distinguish between them when counting what we saw.
288 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
289 client_early_secret_count++;
290 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
291 client_handshake_secret_count++;
292 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
293 server_handshake_secret_count++;
294 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
295 client_application_secret_count++;
296 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
297 server_application_secret_count++;
298 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
299 early_exporter_secret_count++;
300 else if (strcmp(token, "EXPORTER_SECRET") == 0)
301 exporter_secret_count++;
303 client_random_size = SSL_get_client_random(ssl,
304 actual_client_random,
306 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
309 if (!TEST_ptr(token = strtok(NULL, " \n")))
311 if (!TEST_size_t_eq(strlen(token), 64))
313 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
314 actual_client_random,
315 client_random_size)))
318 if (!TEST_ptr(token = strtok(NULL, " \n")))
321 TEST_info("Unexpected token %s\n", token);
326 /* Got what we expected? */
327 if (!TEST_size_t_eq(rsa_key_exchange_count,
328 expected->rsa_key_exchange_count)
329 || !TEST_size_t_eq(master_secret_count,
330 expected->master_secret_count)
331 || !TEST_size_t_eq(client_early_secret_count,
332 expected->client_early_secret_count)
333 || !TEST_size_t_eq(client_handshake_secret_count,
334 expected->client_handshake_secret_count)
335 || !TEST_size_t_eq(server_handshake_secret_count,
336 expected->server_handshake_secret_count)
337 || !TEST_size_t_eq(client_application_secret_count,
338 expected->client_application_secret_count)
339 || !TEST_size_t_eq(server_application_secret_count,
340 expected->server_application_secret_count)
341 || !TEST_size_t_eq(early_exporter_secret_count,
342 expected->early_exporter_secret_count)
343 || !TEST_size_t_eq(exporter_secret_count,
344 expected->exporter_secret_count))
349 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
350 static int test_keylog(void)
352 SSL_CTX *cctx = NULL, *sctx = NULL;
353 SSL *clientssl = NULL, *serverssl = NULL;
355 struct sslapitest_log_counts expected;
357 /* Clean up logging space */
358 memset(&expected, 0, sizeof(expected));
359 memset(client_log_buffer, 0, sizeof(client_log_buffer));
360 memset(server_log_buffer, 0, sizeof(server_log_buffer));
361 client_log_buffer_index = 0;
362 server_log_buffer_index = 0;
363 error_writing_log = 0;
365 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
368 &sctx, &cctx, cert, privkey)))
371 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
372 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
373 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
375 /* We also want to ensure that we use RSA-based key exchange. */
376 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
379 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
380 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
382 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
383 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
384 == client_keylog_callback))
386 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
387 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
388 == server_keylog_callback))
391 /* Now do a handshake and check that the logs have been written to. */
392 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
393 &clientssl, NULL, NULL))
394 || !TEST_true(create_ssl_connection(serverssl, clientssl,
396 || !TEST_false(error_writing_log)
397 || !TEST_int_gt(client_log_buffer_index, 0)
398 || !TEST_int_gt(server_log_buffer_index, 0))
402 * Now we want to test that our output data was vaguely sensible. We
403 * do that by using strtok and confirming that we have more or less the
404 * data we expect. For both client and server, we expect to see one master
405 * secret. The client should also see an RSA key exchange.
407 expected.rsa_key_exchange_count = 1;
408 expected.master_secret_count = 1;
409 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
410 SSL_get_session(clientssl), &expected)))
413 expected.rsa_key_exchange_count = 0;
414 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
415 SSL_get_session(serverssl), &expected)))
430 #ifndef OSSL_NO_USABLE_TLS1_3
431 static int test_keylog_no_master_key(void)
433 SSL_CTX *cctx = NULL, *sctx = NULL;
434 SSL *clientssl = NULL, *serverssl = NULL;
435 SSL_SESSION *sess = NULL;
437 struct sslapitest_log_counts expected;
438 unsigned char buf[1];
439 size_t readbytes, written;
441 /* Clean up logging space */
442 memset(&expected, 0, sizeof(expected));
443 memset(client_log_buffer, 0, sizeof(client_log_buffer));
444 memset(server_log_buffer, 0, sizeof(server_log_buffer));
445 client_log_buffer_index = 0;
446 server_log_buffer_index = 0;
447 error_writing_log = 0;
449 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
450 TLS_client_method(), TLS1_VERSION, 0,
451 &sctx, &cctx, cert, privkey))
452 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
453 SSL3_RT_MAX_PLAIN_LENGTH)))
456 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
457 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
460 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
461 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
462 == client_keylog_callback))
465 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
466 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
467 == server_keylog_callback))
470 /* Now do a handshake and check that the logs have been written to. */
471 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
472 &clientssl, NULL, NULL))
473 || !TEST_true(create_ssl_connection(serverssl, clientssl,
475 || !TEST_false(error_writing_log))
479 * Now we want to test that our output data was vaguely sensible. For this
480 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
481 * TLSv1.3, but we do expect both client and server to emit keys.
483 expected.client_handshake_secret_count = 1;
484 expected.server_handshake_secret_count = 1;
485 expected.client_application_secret_count = 1;
486 expected.server_application_secret_count = 1;
487 expected.exporter_secret_count = 1;
488 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
489 SSL_get_session(clientssl), &expected))
490 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
491 SSL_get_session(serverssl),
495 /* Terminate old session and resume with early data. */
496 sess = SSL_get1_session(clientssl);
497 SSL_shutdown(clientssl);
498 SSL_shutdown(serverssl);
501 serverssl = clientssl = NULL;
504 memset(client_log_buffer, 0, sizeof(client_log_buffer));
505 memset(server_log_buffer, 0, sizeof(server_log_buffer));
506 client_log_buffer_index = 0;
507 server_log_buffer_index = 0;
509 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
510 &clientssl, NULL, NULL))
511 || !TEST_true(SSL_set_session(clientssl, sess))
512 /* Here writing 0 length early data is enough. */
513 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
514 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
516 SSL_READ_EARLY_DATA_ERROR)
517 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
518 SSL_EARLY_DATA_ACCEPTED)
519 || !TEST_true(create_ssl_connection(serverssl, clientssl,
521 || !TEST_true(SSL_session_reused(clientssl)))
524 /* In addition to the previous entries, expect early secrets. */
525 expected.client_early_secret_count = 1;
526 expected.early_exporter_secret_count = 1;
527 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
528 SSL_get_session(clientssl), &expected))
529 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
530 SSL_get_session(serverssl),
537 SSL_SESSION_free(sess);
547 static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
549 int res = X509_verify_cert(ctx);
550 int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
553 /* this should not happen but check anyway */
555 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL)
558 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
559 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
560 /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
561 return SSL_set_retry_verify(ssl);
566 static int test_client_cert_verify_cb(void)
568 /* server key, cert, chain, and root */
569 char *skey = test_mk_file_path(certsdir, "leaf.key");
570 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
571 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
572 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
573 char *root = test_mk_file_path(certsdir, "rootCA.pem");
574 X509 *crt1 = NULL, *crt2 = NULL;
575 STACK_OF(X509) *server_chain;
576 SSL_CTX *cctx = NULL, *sctx = NULL;
577 SSL *clientssl = NULL, *serverssl = NULL;
580 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
581 TLS_client_method(), TLS1_VERSION, 0,
582 &sctx, &cctx, NULL, NULL)))
584 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
585 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
586 SSL_FILETYPE_PEM), 1)
587 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
589 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
591 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
592 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
593 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
594 &clientssl, NULL, NULL)))
597 /* attempt SSL_connect() with incomplete server chain */
598 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
599 SSL_ERROR_WANT_RETRY_VERIFY)))
602 /* application provides intermediate certs needed to verify server cert */
603 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
604 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
605 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
607 /* add certs in reverse order to demonstrate real chain building */
608 if (!TEST_true(sk_X509_push(server_chain, crt1)))
611 if (!TEST_true(sk_X509_push(server_chain, crt2)))
615 /* continue SSL_connect(), must now succeed with completed server chain */
616 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
625 if (clientssl != NULL) {
626 SSL_shutdown(clientssl);
629 if (serverssl != NULL) {
630 SSL_shutdown(serverssl);
645 static int test_ssl_build_cert_chain(void)
648 SSL_CTX *ssl_ctx = NULL;
650 char *skey = test_mk_file_path(certsdir, "leaf.key");
651 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
653 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
655 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
657 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
658 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
659 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
660 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
662 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
663 | SSL_BUILD_CHAIN_FLAG_CHECK)))
668 SSL_CTX_free(ssl_ctx);
669 OPENSSL_free(leaf_chain);
674 static int get_password_cb(char *buf, int size, int rw_flag, void *userdata)
676 static const char pass[] = "testpass";
678 if (!TEST_int_eq(size, PEM_BUFSIZE))
681 memcpy(buf, pass, sizeof(pass) - 1);
682 return sizeof(pass) - 1;
685 static int test_ssl_ctx_build_cert_chain(void)
689 char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key");
690 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
692 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
694 SSL_CTX_set_default_passwd_cb(ctx, get_password_cb);
695 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
696 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
697 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
698 SSL_FILETYPE_PEM), 1)
699 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
701 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
702 | SSL_BUILD_CHAIN_FLAG_CHECK)))
707 OPENSSL_free(leaf_chain);
712 #ifndef OPENSSL_NO_TLS1_2
713 static int full_client_hello_callback(SSL *s, int *al, void *arg)
716 const unsigned char *p;
718 /* We only configure two ciphers, but the SCSV is added automatically. */
720 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
722 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
725 const int expected_extensions[] = {
726 #ifndef OPENSSL_NO_EC
732 /* Make sure we can defer processing and get called back. */
734 return SSL_CLIENT_HELLO_RETRY;
736 len = SSL_client_hello_get0_ciphers(s, &p);
737 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
739 SSL_client_hello_get0_compression_methods(s, &p), 1)
740 || !TEST_int_eq(*p, 0))
741 return SSL_CLIENT_HELLO_ERROR;
742 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
743 return SSL_CLIENT_HELLO_ERROR;
744 if (len != OSSL_NELEM(expected_extensions) ||
745 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
746 printf("ClientHello callback expected extensions mismatch\n");
748 return SSL_CLIENT_HELLO_ERROR;
751 return SSL_CLIENT_HELLO_SUCCESS;
754 static int test_client_hello_cb(void)
756 SSL_CTX *cctx = NULL, *sctx = NULL;
757 SSL *clientssl = NULL, *serverssl = NULL;
758 int testctr = 0, testresult = 0;
760 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
761 TLS_client_method(), TLS1_VERSION, 0,
762 &sctx, &cctx, cert, privkey)))
764 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
766 /* The gimpy cipher list we configure can't do TLS 1.3. */
767 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
769 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
770 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
771 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
772 &clientssl, NULL, NULL))
773 || !TEST_false(create_ssl_connection(serverssl, clientssl,
774 SSL_ERROR_WANT_CLIENT_HELLO_CB))
776 * Passing a -1 literal is a hack since
777 * the real value was lost.
779 || !TEST_int_eq(SSL_get_error(serverssl, -1),
780 SSL_ERROR_WANT_CLIENT_HELLO_CB)
781 || !TEST_true(create_ssl_connection(serverssl, clientssl,
796 static int test_no_ems(void)
798 SSL_CTX *cctx = NULL, *sctx = NULL;
799 SSL *clientssl = NULL, *serverssl = NULL;
800 int testresult = 0, status;
802 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
803 TLS1_VERSION, TLS1_2_VERSION,
804 &sctx, &cctx, cert, privkey)) {
805 printf("Unable to create SSL_CTX pair\n");
809 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
811 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
812 printf("Unable to create SSL objects\n");
816 status = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
817 if (fips_ems_check) {
819 printf("When FIPS uses the EMS check a connection that doesnt use EMS should fail\n");
824 printf("Creating SSL connection failed\n");
827 if (SSL_get_extms_support(serverssl)) {
828 printf("Server reports Extended Master Secret support\n");
831 if (SSL_get_extms_support(clientssl)) {
832 printf("Client reports Extended Master Secret support\n");
848 * Very focused test to exercise a single case in the server-side state
849 * machine, when the ChangeCipherState message needs to actually change
850 * from one cipher to a different cipher (i.e., not changing from null
851 * encryption to real encryption).
853 static int test_ccs_change_cipher(void)
855 SSL_CTX *cctx = NULL, *sctx = NULL;
856 SSL *clientssl = NULL, *serverssl = NULL;
857 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
864 * Create a connection so we can resume and potentially (but not) use
865 * a different cipher in the second connection.
867 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
869 TLS1_VERSION, TLS1_2_VERSION,
870 &sctx, &cctx, cert, privkey))
871 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
872 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
874 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
875 || !TEST_true(create_ssl_connection(serverssl, clientssl,
877 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
878 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
881 shutdown_ssl_connection(serverssl, clientssl);
882 serverssl = clientssl = NULL;
884 /* Resume, preferring a different cipher. Our server will force the
885 * same cipher to be used as the initial handshake. */
886 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
888 || !TEST_true(SSL_set_session(clientssl, sess))
889 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
890 || !TEST_true(create_ssl_connection(serverssl, clientssl,
892 || !TEST_true(SSL_session_reused(clientssl))
893 || !TEST_true(SSL_session_reused(serverssl))
894 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
895 || !TEST_ptr_eq(sesspre, sesspost)
896 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
897 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
899 shutdown_ssl_connection(serverssl, clientssl);
900 serverssl = clientssl = NULL;
903 * Now create a fresh connection and try to renegotiate a different
906 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
908 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
909 || !TEST_true(create_ssl_connection(serverssl, clientssl,
911 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
912 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
913 || !TEST_true(SSL_renegotiate(clientssl))
914 || !TEST_true(SSL_renegotiate_pending(clientssl)))
916 /* Actually drive the renegotiation. */
917 for (i = 0; i < 3; i++) {
918 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
919 if (!TEST_ulong_eq(readbytes, 0))
921 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
922 SSL_ERROR_WANT_READ)) {
925 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
926 if (!TEST_ulong_eq(readbytes, 0))
928 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
929 SSL_ERROR_WANT_READ)) {
933 /* sesspre and sesspost should be different since the cipher changed. */
934 if (!TEST_false(SSL_renegotiate_pending(clientssl))
935 || !TEST_false(SSL_session_reused(clientssl))
936 || !TEST_false(SSL_session_reused(serverssl))
937 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
938 || !TEST_ptr_ne(sesspre, sesspost)
939 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
940 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
943 shutdown_ssl_connection(serverssl, clientssl);
944 serverssl = clientssl = NULL;
953 SSL_SESSION_free(sess);
959 static int execute_test_large_message(const SSL_METHOD *smeth,
960 const SSL_METHOD *cmeth,
961 int min_version, int max_version,
964 SSL_CTX *cctx = NULL, *sctx = NULL;
965 SSL *clientssl = NULL, *serverssl = NULL;
969 X509 *chaincert = NULL;
972 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
975 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
978 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
983 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
984 max_version, &sctx, &cctx, cert,
988 #ifdef OPENSSL_NO_DTLS1_2
989 if (smeth == DTLS_server_method()) {
991 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
994 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
995 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
996 "DEFAULT:@SECLEVEL=0")))
1003 * Test that read_ahead works correctly when dealing with large
1006 SSL_CTX_set_read_ahead(cctx, 1);
1010 * We assume the supplied certificate is big enough so that if we add
1011 * NUM_EXTRA_CERTS it will make the overall message large enough. The
1012 * default buffer size is requested to be 16k, but due to the way BUF_MEM
1013 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
1014 * test we need to have a message larger than that.
1016 certlen = i2d_X509(chaincert, NULL);
1017 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
1018 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
1019 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
1020 if (!X509_up_ref(chaincert))
1022 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
1023 X509_free(chaincert);
1028 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1030 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1035 * Calling SSL_clear() first is not required but this tests that SSL_clear()
1038 if (!TEST_true(SSL_clear(serverssl)))
1044 X509_free(chaincert);
1045 SSL_free(serverssl);
1046 SSL_free(clientssl);
1053 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
1054 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
1055 /* sock must be connected */
1056 static int ktls_chk_platform(int sock)
1058 if (!ktls_enable(sock))
1063 static int ping_pong_query(SSL *clientssl, SSL *serverssl)
1065 static char count = 1;
1066 unsigned char cbuf[16000] = {0};
1067 unsigned char sbuf[16000];
1069 char crec_wseq_before[SEQ_NUM_SIZE];
1070 char crec_wseq_after[SEQ_NUM_SIZE];
1071 char crec_rseq_before[SEQ_NUM_SIZE];
1072 char crec_rseq_after[SEQ_NUM_SIZE];
1073 char srec_wseq_before[SEQ_NUM_SIZE];
1074 char srec_wseq_after[SEQ_NUM_SIZE];
1075 char srec_rseq_before[SEQ_NUM_SIZE];
1076 char srec_rseq_after[SEQ_NUM_SIZE];
1077 SSL_CONNECTION *clientsc, *serversc;
1079 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1080 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1084 memcpy(crec_wseq_before, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1085 memcpy(srec_wseq_before, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1086 memcpy(crec_rseq_before, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1087 memcpy(srec_rseq_before, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1089 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1092 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1093 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1098 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1101 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1102 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1107 memcpy(crec_wseq_after, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1108 memcpy(srec_wseq_after, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1109 memcpy(crec_rseq_after, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1110 memcpy(srec_rseq_after, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1112 /* verify the payload */
1113 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1117 * If ktls is used then kernel sequences are used instead of
1120 if (!BIO_get_ktls_send(clientsc->wbio)) {
1121 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1122 crec_wseq_after, SEQ_NUM_SIZE))
1125 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1126 crec_wseq_after, SEQ_NUM_SIZE))
1130 if (!BIO_get_ktls_send(serversc->wbio)) {
1131 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1132 srec_wseq_after, SEQ_NUM_SIZE))
1135 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1136 srec_wseq_after, SEQ_NUM_SIZE))
1140 if (!BIO_get_ktls_recv(clientsc->wbio)) {
1141 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1142 crec_rseq_after, SEQ_NUM_SIZE))
1145 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1146 crec_rseq_after, SEQ_NUM_SIZE))
1150 if (!BIO_get_ktls_recv(serversc->wbio)) {
1151 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1152 srec_rseq_after, SEQ_NUM_SIZE))
1155 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1156 srec_rseq_after, SEQ_NUM_SIZE))
1165 static int execute_test_ktls(int cis_ktls, int sis_ktls,
1166 int tls_version, const char *cipher)
1168 SSL_CTX *cctx = NULL, *sctx = NULL;
1169 SSL *clientssl = NULL, *serverssl = NULL;
1170 int ktls_used = 0, testresult = 0;
1171 int cfd = -1, sfd = -1;
1173 SSL_CONNECTION *clientsc, *serversc;
1175 if (!TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
1178 /* Skip this test if the platform does not support ktls */
1179 if (!ktls_chk_platform(cfd)) {
1180 testresult = TEST_skip("Kernel does not support KTLS");
1184 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1185 testresult = TEST_skip("CHACHA is not supported in FIPS");
1189 /* Create a session based on SHA-256 */
1190 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1191 TLS_client_method(),
1192 tls_version, tls_version,
1193 &sctx, &cctx, cert, privkey)))
1196 if (tls_version == TLS1_3_VERSION) {
1197 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1198 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1201 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1202 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1206 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1207 &clientssl, sfd, cfd)))
1210 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1211 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1215 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
1220 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1224 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1228 * The running kernel may not support a given cipher suite
1229 * or direction, so just check that KTLS isn't used when it
1233 if (!TEST_false(BIO_get_ktls_send(clientsc->wbio)))
1236 if (BIO_get_ktls_send(clientsc->wbio))
1241 if (!TEST_false(BIO_get_ktls_send(serversc->wbio)))
1244 if (BIO_get_ktls_send(serversc->wbio))
1248 #if defined(OPENSSL_NO_KTLS_RX)
1253 if (!cis_ktls || !rx_supported) {
1254 if (!TEST_false(BIO_get_ktls_recv(clientsc->rbio)))
1257 if (BIO_get_ktls_send(clientsc->rbio))
1261 if (!sis_ktls || !rx_supported) {
1262 if (!TEST_false(BIO_get_ktls_recv(serversc->rbio)))
1265 if (BIO_get_ktls_send(serversc->rbio))
1269 if ((cis_ktls || sis_ktls) && !ktls_used) {
1270 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1271 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1276 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
1282 SSL_shutdown(clientssl);
1283 SSL_free(clientssl);
1286 SSL_shutdown(serverssl);
1287 SSL_free(serverssl);
1291 serverssl = clientssl = NULL;
1299 #define SENDFILE_SZ (16 * 4096)
1300 #define SENDFILE_CHUNK (4 * 4096)
1301 #define min(a,b) ((a) > (b) ? (b) : (a))
1303 static int execute_test_ktls_sendfile(int tls_version, const char *cipher,
1306 SSL_CTX *cctx = NULL, *sctx = NULL;
1307 SSL *clientssl = NULL, *serverssl = NULL;
1308 unsigned char *buf, *buf_dst;
1309 BIO *out = NULL, *in = NULL;
1310 int cfd = -1, sfd = -1, ffd, err;
1311 ssize_t chunk_size = 0;
1312 off_t chunk_off = 0;
1315 SSL_CONNECTION *serversc;
1317 buf = OPENSSL_zalloc(SENDFILE_SZ);
1318 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1319 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1320 || !TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
1323 /* Skip this test if the platform does not support ktls */
1324 if (!ktls_chk_platform(sfd)) {
1325 testresult = TEST_skip("Kernel does not support KTLS");
1329 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1330 testresult = TEST_skip("CHACHA is not supported in FIPS");
1334 /* Create a session based on SHA-256 */
1335 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1336 TLS_client_method(),
1337 tls_version, tls_version,
1338 &sctx, &cctx, cert, privkey)))
1341 if (tls_version == TLS1_3_VERSION) {
1342 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1343 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1346 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1347 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1351 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1352 &clientssl, sfd, cfd)))
1355 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1358 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1362 if (!TEST_true(SSL_set_options(serverssl,
1363 SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE)))
1367 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1371 if (!BIO_get_ktls_send(serversc->wbio)) {
1372 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1373 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1378 if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
1381 out = BIO_new_file(tmpfilename, "wb");
1385 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1390 in = BIO_new_file(tmpfilename, "rb");
1391 BIO_get_fp(in, &ffdp);
1394 while (chunk_off < SENDFILE_SZ) {
1395 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1396 while ((err = SSL_sendfile(serverssl,
1400 0)) != chunk_size) {
1401 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1404 while ((err = SSL_read(clientssl,
1405 buf_dst + chunk_off,
1406 chunk_size)) != chunk_size) {
1407 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1411 /* verify the payload */
1412 if (!TEST_mem_eq(buf_dst + chunk_off,
1418 chunk_off += chunk_size;
1424 SSL_shutdown(clientssl);
1425 SSL_free(clientssl);
1428 SSL_shutdown(serverssl);
1429 SSL_free(serverssl);
1433 serverssl = clientssl = NULL;
1441 OPENSSL_free(buf_dst);
1445 static struct ktls_test_cipher {
1448 } ktls_test_ciphers[] = {
1449 # if !defined(OPENSSL_NO_TLS1_2)
1450 # ifdef OPENSSL_KTLS_AES_GCM_128
1451 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1453 # ifdef OPENSSL_KTLS_AES_CCM_128
1454 { TLS1_2_VERSION, "AES128-CCM"},
1456 # ifdef OPENSSL_KTLS_AES_GCM_256
1457 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1459 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1460 # ifndef OPENSSL_NO_EC
1461 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
1465 # if !defined(OSSL_NO_USABLE_TLS1_3)
1466 # ifdef OPENSSL_KTLS_AES_GCM_128
1467 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1469 # ifdef OPENSSL_KTLS_AES_CCM_128
1470 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1472 # ifdef OPENSSL_KTLS_AES_GCM_256
1473 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1475 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1476 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1481 #define NUM_KTLS_TEST_CIPHERS \
1482 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1484 static int test_ktls(int test)
1486 struct ktls_test_cipher *cipher;
1487 int cis_ktls, sis_ktls;
1489 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
1490 cipher = &ktls_test_ciphers[test / 4];
1492 cis_ktls = (test & 1) != 0;
1493 sis_ktls = (test & 2) != 0;
1495 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1499 static int test_ktls_sendfile(int test)
1501 struct ktls_test_cipher *cipher;
1502 int tst = test >> 1;
1504 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
1505 cipher = &ktls_test_ciphers[tst];
1507 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher,
1512 static int test_large_message_tls(void)
1514 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1515 TLS1_VERSION, 0, 0);
1518 static int test_large_message_tls_read_ahead(void)
1520 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1521 TLS1_VERSION, 0, 1);
1524 #ifndef OPENSSL_NO_DTLS
1525 static int test_large_message_dtls(void)
1527 # ifdef OPENSSL_NO_DTLS1_2
1528 /* Not supported in the FIPS provider */
1533 * read_ahead is not relevant to DTLS because DTLS always acts as if
1534 * read_ahead is set.
1536 return execute_test_large_message(DTLS_server_method(),
1537 DTLS_client_method(),
1538 DTLS1_VERSION, 0, 0);
1543 * Test we can successfully send the maximum amount of application data. We
1544 * test each protocol version individually, each with and without EtM enabled.
1545 * TLSv1.3 doesn't use EtM so technically it is redundant to test both but it is
1546 * simpler this way. We also test all combinations with and without the
1547 * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option which affects the size of the
1548 * underlying buffer.
1550 static int test_large_app_data(int tst)
1552 SSL_CTX *cctx = NULL, *sctx = NULL;
1553 SSL *clientssl = NULL, *serverssl = NULL;
1554 int testresult = 0, prot;
1555 unsigned char *msg, *buf = NULL;
1556 size_t written, readbytes;
1557 const SSL_METHOD *smeth = TLS_server_method();
1558 const SSL_METHOD *cmeth = TLS_client_method();
1562 #ifndef OSSL_NO_USABLE_TLS1_3
1563 prot = TLS1_3_VERSION;
1570 #ifndef OPENSSL_NO_TLS1_2
1571 prot = TLS1_2_VERSION;
1578 #ifndef OPENSSL_NO_TLS1_1
1579 prot = TLS1_1_VERSION;
1586 #ifndef OPENSSL_NO_TLS1
1587 prot = TLS1_VERSION;
1594 #ifndef OPENSSL_NO_SSL3
1595 prot = SSL3_VERSION;
1602 #ifndef OPENSSL_NO_DTLS1_2
1603 prot = DTLS1_2_VERSION;
1604 smeth = DTLS_server_method();
1605 cmeth = DTLS_client_method();
1612 #ifndef OPENSSL_NO_DTLS1
1613 prot = DTLS1_VERSION;
1614 smeth = DTLS_server_method();
1615 cmeth = DTLS_client_method();
1622 /* Shouldn't happen */
1626 if ((prot < TLS1_2_VERSION || prot == DTLS1_VERSION) && is_fips)
1629 /* Maximal sized message of zeros */
1630 msg = OPENSSL_zalloc(SSL3_RT_MAX_PLAIN_LENGTH);
1634 buf = OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH + 1);
1637 /* Set whole buffer to all bits set */
1638 memset(buf, 0xff, SSL3_RT_MAX_PLAIN_LENGTH + 1);
1640 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, prot, prot,
1641 &sctx, &cctx, cert, privkey)))
1644 if (prot < TLS1_2_VERSION || prot == DTLS1_VERSION) {
1645 /* Older protocol versions need SECLEVEL=0 due to SHA1 usage */
1646 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0"))
1647 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
1648 "DEFAULT:@SECLEVEL=0")))
1652 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1653 &clientssl, NULL, NULL)))
1656 if ((tst & 1) != 0) {
1657 /* Setting this option gives us a minimally sized underlying buffer */
1658 if (!TEST_true(SSL_set_options(serverssl,
1659 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
1660 || !TEST_true(SSL_set_options(clientssl,
1661 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)))
1665 if ((tst & 2) != 0) {
1667 * Setting this option means the MAC is added before encryption
1668 * giving us a larger record for the encryption process
1670 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC))
1671 || !TEST_true(SSL_set_options(clientssl,
1672 SSL_OP_NO_ENCRYPT_THEN_MAC)))
1676 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1679 if (!TEST_true(SSL_write_ex(clientssl, msg, SSL3_RT_MAX_PLAIN_LENGTH,
1681 || !TEST_size_t_eq(written, SSL3_RT_MAX_PLAIN_LENGTH))
1684 /* We provide a buffer slightly larger than what we are actually expecting */
1685 if (!TEST_true(SSL_read_ex(serverssl, buf, SSL3_RT_MAX_PLAIN_LENGTH + 1,
1689 if (!TEST_mem_eq(msg, written, buf, readbytes))
1696 SSL_free(serverssl);
1697 SSL_free(clientssl);
1703 static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1704 const SSL_METHOD *cmeth,
1705 int min_version, int max_version)
1708 SSL_CTX *cctx = NULL, *sctx = NULL;
1709 SSL *clientssl = NULL, *serverssl = NULL;
1711 const unsigned char *zbuf;
1712 SSL_CONNECTION *serversc;
1715 static unsigned char cbuf[16000];
1716 static unsigned char sbuf[16000];
1718 if (!TEST_true(create_ssl_ctx_pair(libctx,
1720 min_version, max_version,
1725 #ifdef OPENSSL_NO_DTLS1_2
1726 if (smeth == DTLS_server_method()) {
1727 # ifdef OPENSSL_NO_DTLS1_2
1728 /* Not supported in the FIPS provider */
1735 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1738 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1739 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1740 "DEFAULT:@SECLEVEL=0")))
1745 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1749 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1752 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1756 for (i = 0; i < sizeof(cbuf); i++) {
1760 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1763 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1766 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1770 * Since we called SSL_peek(), we know the data in the record
1771 * layer is a plaintext record. We can gather the pointer to check
1772 * for zeroization after SSL_read().
1774 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1776 rr = serversc->rlayer.tlsrecs;
1778 zbuf = &rr->data[rr->off];
1779 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1783 * After SSL_peek() the plaintext must still be stored in the
1786 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1789 memset(sbuf, 0, sizeof(sbuf));
1790 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1793 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1796 /* Check if rbuf is cleansed */
1797 memset(cbuf, 0, sizeof(cbuf));
1798 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1803 SSL_free(serverssl);
1804 SSL_free(clientssl);
1811 static int test_cleanse_plaintext(void)
1813 #if !defined(OPENSSL_NO_TLS1_2)
1814 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1815 TLS_client_method(),
1822 #if !defined(OSSL_NO_USABLE_TLS1_3)
1823 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1824 TLS_client_method(),
1830 #if !defined(OPENSSL_NO_DTLS)
1832 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1833 DTLS_client_method(),
1841 #ifndef OPENSSL_NO_OCSP
1842 static int ocsp_server_cb(SSL *s, void *arg)
1844 int *argi = (int *)arg;
1845 unsigned char *copy = NULL;
1846 STACK_OF(OCSP_RESPID) *ids = NULL;
1847 OCSP_RESPID *id = NULL;
1850 /* In this test we are expecting exactly 1 OCSP_RESPID */
1851 SSL_get_tlsext_status_ids(s, &ids);
1852 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1853 return SSL_TLSEXT_ERR_ALERT_FATAL;
1855 id = sk_OCSP_RESPID_value(ids, 0);
1856 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1857 return SSL_TLSEXT_ERR_ALERT_FATAL;
1858 } else if (*argi != 1) {
1859 return SSL_TLSEXT_ERR_ALERT_FATAL;
1862 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1863 return SSL_TLSEXT_ERR_ALERT_FATAL;
1865 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1866 sizeof(orespder)))) {
1868 return SSL_TLSEXT_ERR_ALERT_FATAL;
1870 ocsp_server_called = 1;
1871 return SSL_TLSEXT_ERR_OK;
1874 static int ocsp_client_cb(SSL *s, void *arg)
1876 int *argi = (int *)arg;
1877 const unsigned char *respderin;
1880 if (*argi != 1 && *argi != 2)
1883 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1884 if (!TEST_mem_eq(orespder, len, respderin, len))
1887 ocsp_client_called = 1;
1891 static int test_tlsext_status_type(void)
1893 SSL_CTX *cctx = NULL, *sctx = NULL;
1894 SSL *clientssl = NULL, *serverssl = NULL;
1896 STACK_OF(OCSP_RESPID) *ids = NULL;
1897 OCSP_RESPID *id = NULL;
1898 BIO *certbio = NULL;
1900 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1902 &sctx, &cctx, cert, privkey))
1905 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1908 /* First just do various checks getting and setting tlsext_status_type */
1910 clientssl = SSL_new(cctx);
1911 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1912 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1913 TLSEXT_STATUSTYPE_ocsp))
1914 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1915 TLSEXT_STATUSTYPE_ocsp))
1918 SSL_free(clientssl);
1921 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1922 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1925 clientssl = SSL_new(cctx);
1926 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1928 SSL_free(clientssl);
1932 * Now actually do a handshake and check OCSP information is exchanged and
1933 * the callbacks get called
1935 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1936 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1937 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1938 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1939 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1940 &clientssl, NULL, NULL))
1941 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1943 || !TEST_true(ocsp_client_called)
1944 || !TEST_true(ocsp_server_called))
1946 SSL_free(serverssl);
1947 SSL_free(clientssl);
1951 /* Try again but this time force the server side callback to fail */
1952 ocsp_client_called = 0;
1953 ocsp_server_called = 0;
1955 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1956 &clientssl, NULL, NULL))
1957 /* This should fail because the callback will fail */
1958 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1960 || !TEST_false(ocsp_client_called)
1961 || !TEST_false(ocsp_server_called))
1963 SSL_free(serverssl);
1964 SSL_free(clientssl);
1969 * This time we'll get the client to send an OCSP_RESPID that it will
1972 ocsp_client_called = 0;
1973 ocsp_server_called = 0;
1975 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1976 &clientssl, NULL, NULL)))
1980 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1981 * specific one. We'll use the server cert.
1983 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1984 || !TEST_ptr(id = OCSP_RESPID_new())
1985 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1986 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
1987 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
1988 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1989 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1992 SSL_set_tlsext_status_ids(clientssl, ids);
1993 /* Control has been transferred */
1999 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2001 || !TEST_true(ocsp_client_called)
2002 || !TEST_true(ocsp_server_called))
2008 SSL_free(serverssl);
2009 SSL_free(clientssl);
2012 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
2013 OCSP_RESPID_free(id);
2015 X509_free(ocspcert);
2022 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
2023 static int new_called, remove_called, get_called;
2025 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
2029 * sess has been up-refed for us, but we don't actually need it so free it
2032 SSL_SESSION_free(sess);
2036 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
2041 static SSL_SESSION *get_sess_val = NULL;
2043 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
2048 return get_sess_val;
2051 static int execute_test_session(int maxprot, int use_int_cache,
2052 int use_ext_cache, long s_options)
2054 SSL_CTX *sctx = NULL, *cctx = NULL;
2055 SSL *serverssl1 = NULL, *clientssl1 = NULL;
2056 SSL *serverssl2 = NULL, *clientssl2 = NULL;
2057 # ifndef OPENSSL_NO_TLS1_1
2058 SSL *serverssl3 = NULL, *clientssl3 = NULL;
2060 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
2061 int testresult = 0, numnewsesstick = 1;
2063 new_called = remove_called = 0;
2065 /* TLSv1.3 sends 2 NewSessionTickets */
2066 if (maxprot == TLS1_3_VERSION)
2069 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2070 TLS_client_method(), TLS1_VERSION, 0,
2071 &sctx, &cctx, cert, privkey)))
2075 * Only allow the max protocol version so we can force a connection failure
2078 SSL_CTX_set_min_proto_version(cctx, maxprot);
2079 SSL_CTX_set_max_proto_version(cctx, maxprot);
2081 /* Set up session cache */
2082 if (use_ext_cache) {
2083 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2084 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
2086 if (use_int_cache) {
2087 /* Also covers instance where both are set */
2088 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
2090 SSL_CTX_set_session_cache_mode(cctx,
2091 SSL_SESS_CACHE_CLIENT
2092 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2096 SSL_CTX_set_options(sctx, s_options);
2099 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2101 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2103 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2106 /* Should fail because it should already be in the cache */
2107 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
2110 && (!TEST_int_eq(new_called, numnewsesstick)
2112 || !TEST_int_eq(remove_called, 0)))
2115 new_called = remove_called = 0;
2116 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2117 &clientssl2, NULL, NULL))
2118 || !TEST_true(SSL_set_session(clientssl2, sess1))
2119 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2121 || !TEST_true(SSL_session_reused(clientssl2)))
2124 if (maxprot == TLS1_3_VERSION) {
2126 * In TLSv1.3 we should have created a new session even though we have
2127 * resumed. Since we attempted a resume we should also have removed the
2128 * old ticket from the cache so that we try to only use tickets once.
2131 && (!TEST_int_eq(new_called, 1)
2132 || !TEST_int_eq(remove_called, 1)))
2136 * In TLSv1.2 we expect to have resumed so no sessions added or
2140 && (!TEST_int_eq(new_called, 0)
2141 || !TEST_int_eq(remove_called, 0)))
2145 SSL_SESSION_free(sess1);
2146 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
2148 shutdown_ssl_connection(serverssl2, clientssl2);
2149 serverssl2 = clientssl2 = NULL;
2151 new_called = remove_called = 0;
2152 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2153 &clientssl2, NULL, NULL))
2154 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2158 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2162 && (!TEST_int_eq(new_called, numnewsesstick)
2163 || !TEST_int_eq(remove_called, 0)))
2166 new_called = remove_called = 0;
2168 * This should clear sess2 from the cache because it is a "bad" session.
2169 * See SSL_set_session() documentation.
2171 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2174 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2176 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2179 if (use_int_cache) {
2180 /* Should succeeded because it should not already be in the cache */
2181 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
2182 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
2186 new_called = remove_called = 0;
2187 /* This shouldn't be in the cache so should fail */
2188 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2192 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2195 # if !defined(OPENSSL_NO_TLS1_1)
2196 new_called = remove_called = 0;
2197 /* Force a connection failure */
2198 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
2199 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
2200 &clientssl3, NULL, NULL))
2201 || !TEST_true(SSL_set_session(clientssl3, sess1))
2202 /* This should fail because of the mismatched protocol versions */
2203 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
2207 /* We should have automatically removed the session from the cache */
2209 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2212 /* Should succeed because it should not already be in the cache */
2213 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
2217 /* Now do some tests for server side caching */
2218 if (use_ext_cache) {
2219 SSL_CTX_sess_set_new_cb(cctx, NULL);
2220 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2221 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2222 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2223 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2224 get_sess_val = NULL;
2227 SSL_CTX_set_session_cache_mode(cctx, 0);
2228 /* Internal caching is the default on the server side */
2230 SSL_CTX_set_session_cache_mode(sctx,
2231 SSL_SESS_CACHE_SERVER
2232 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2234 SSL_free(serverssl1);
2235 SSL_free(clientssl1);
2236 serverssl1 = clientssl1 = NULL;
2237 SSL_free(serverssl2);
2238 SSL_free(clientssl2);
2239 serverssl2 = clientssl2 = NULL;
2240 SSL_SESSION_free(sess1);
2242 SSL_SESSION_free(sess2);
2245 SSL_CTX_set_max_proto_version(sctx, maxprot);
2246 if (maxprot == TLS1_2_VERSION)
2247 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
2248 new_called = remove_called = get_called = 0;
2249 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2251 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2253 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2254 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2257 if (use_int_cache) {
2258 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2260 * In TLSv1.3 it should not have been added to the internal cache,
2261 * except in the case where we also have an external cache (in that
2262 * case it gets added to the cache in order to generate remove
2263 * events after timeout).
2265 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2268 /* Should fail because it should already be in the cache */
2269 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2274 if (use_ext_cache) {
2275 SSL_SESSION *tmp = sess2;
2277 if (!TEST_int_eq(new_called, numnewsesstick)
2278 || !TEST_int_eq(remove_called, 0)
2279 || !TEST_int_eq(get_called, 0))
2282 * Delete the session from the internal cache to force a lookup from
2283 * the external cache. We take a copy first because
2284 * SSL_CTX_remove_session() also marks the session as non-resumable.
2286 if (use_int_cache && maxprot != TLS1_3_VERSION) {
2287 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2288 || !TEST_true(sess2->owner != NULL)
2289 || !TEST_true(tmp->owner == NULL)
2290 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2292 SSL_SESSION_free(sess2);
2297 new_called = remove_called = get_called = 0;
2298 get_sess_val = sess2;
2299 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2300 &clientssl2, NULL, NULL))
2301 || !TEST_true(SSL_set_session(clientssl2, sess1))
2302 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2304 || !TEST_true(SSL_session_reused(clientssl2)))
2307 if (use_ext_cache) {
2308 if (!TEST_int_eq(remove_called, 0))
2311 if (maxprot == TLS1_3_VERSION) {
2312 if (!TEST_int_eq(new_called, 1)
2313 || !TEST_int_eq(get_called, 0))
2316 if (!TEST_int_eq(new_called, 0)
2317 || !TEST_int_eq(get_called, 1))
2322 * Make a small cache, force out all other sessions but
2323 * sess2, try to add sess1, which should succeed. Then
2324 * make sure it's there by checking the owners. Despite
2325 * the timeouts, sess1 should have kicked out sess2
2328 /* Make sess1 expire before sess2 */
2329 if (!TEST_long_gt(SSL_SESSION_set_time(sess1, 1000), 0)
2330 || !TEST_long_gt(SSL_SESSION_set_timeout(sess1, 1000), 0)
2331 || !TEST_long_gt(SSL_SESSION_set_time(sess2, 2000), 0)
2332 || !TEST_long_gt(SSL_SESSION_set_timeout(sess2, 2000), 0))
2335 if (!TEST_long_ne(SSL_CTX_sess_set_cache_size(sctx, 1), 0))
2338 /* Don't care about results - cache should only be sess2 at end */
2339 SSL_CTX_add_session(sctx, sess1);
2340 SSL_CTX_add_session(sctx, sess2);
2342 /* Now add sess1, and make sure it remains, despite timeout */
2343 if (!TEST_true(SSL_CTX_add_session(sctx, sess1))
2344 || !TEST_ptr(sess1->owner)
2345 || !TEST_ptr_null(sess2->owner))
2351 SSL_free(serverssl1);
2352 SSL_free(clientssl1);
2353 SSL_free(serverssl2);
2354 SSL_free(clientssl2);
2355 # ifndef OPENSSL_NO_TLS1_1
2356 SSL_free(serverssl3);
2357 SSL_free(clientssl3);
2359 SSL_SESSION_free(sess1);
2360 SSL_SESSION_free(sess2);
2366 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2368 static int test_session_with_only_int_cache(void)
2370 #ifndef OSSL_NO_USABLE_TLS1_3
2371 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
2375 #ifndef OPENSSL_NO_TLS1_2
2376 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
2382 static int test_session_with_only_ext_cache(void)
2384 #ifndef OSSL_NO_USABLE_TLS1_3
2385 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
2389 #ifndef OPENSSL_NO_TLS1_2
2390 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
2396 static int test_session_with_both_cache(void)
2398 #ifndef OSSL_NO_USABLE_TLS1_3
2399 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2403 #ifndef OPENSSL_NO_TLS1_2
2404 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2410 static int test_session_wo_ca_names(void)
2412 #ifndef OSSL_NO_USABLE_TLS1_3
2413 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
2417 #ifndef OPENSSL_NO_TLS1_2
2418 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
2425 #ifndef OSSL_NO_USABLE_TLS1_3
2426 static SSL_SESSION *sesscache[6];
2427 static int do_cache;
2429 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2432 sesscache[new_called] = sess;
2434 /* We don't need the reference to the session, so free it */
2435 SSL_SESSION_free(sess);
2442 static int post_handshake_verify(SSL *sssl, SSL *cssl)
2444 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2445 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2448 /* Start handshake on the server and client */
2449 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2450 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2451 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2452 || !TEST_true(create_ssl_connection(sssl, cssl,
2459 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
2462 int sess_id_ctx = 1;
2464 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2465 TLS_client_method(), TLS1_VERSION, 0,
2466 sctx, cctx, cert, privkey))
2467 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2468 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2469 (void *)&sess_id_ctx,
2470 sizeof(sess_id_ctx))))
2474 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2476 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2477 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2478 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2483 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2485 SSL *serverssl = NULL, *clientssl = NULL;
2488 /* Test that we can resume with all the tickets we got given */
2489 for (i = 0; i < idx * 2; i++) {
2491 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2492 &clientssl, NULL, NULL))
2493 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2496 SSL_set_post_handshake_auth(clientssl, 1);
2498 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2503 * Following a successful resumption we only get 1 ticket. After a
2504 * failed one we should get idx tickets.
2507 if (!TEST_true(SSL_session_reused(clientssl))
2508 || !TEST_int_eq(new_called, 1))
2511 if (!TEST_false(SSL_session_reused(clientssl))
2512 || !TEST_int_eq(new_called, idx))
2517 /* After a post-handshake authentication we should get 1 new ticket */
2519 && (!post_handshake_verify(serverssl, clientssl)
2520 || !TEST_int_eq(new_called, 1)))
2523 SSL_shutdown(clientssl);
2524 SSL_shutdown(serverssl);
2525 SSL_free(serverssl);
2526 SSL_free(clientssl);
2527 serverssl = clientssl = NULL;
2528 SSL_SESSION_free(sesscache[i]);
2529 sesscache[i] = NULL;
2535 SSL_free(clientssl);
2536 SSL_free(serverssl);
2540 static int test_tickets(int stateful, int idx)
2542 SSL_CTX *sctx = NULL, *cctx = NULL;
2543 SSL *serverssl = NULL, *clientssl = NULL;
2547 /* idx is the test number, but also the number of tickets we want */
2552 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2555 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2556 &clientssl, NULL, NULL)))
2559 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2561 /* Check we got the number of tickets we were expecting */
2562 || !TEST_int_eq(idx, new_called))
2565 SSL_shutdown(clientssl);
2566 SSL_shutdown(serverssl);
2567 SSL_free(serverssl);
2568 SSL_free(clientssl);
2571 clientssl = serverssl = NULL;
2575 * Now we try to resume with the tickets we previously created. The
2576 * resumption attempt is expected to fail (because we're now using a new
2577 * SSL_CTX). We should see idx number of tickets issued again.
2580 /* Stop caching sessions - just count them */
2583 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2586 if (!check_resumption(idx, sctx, cctx, 0))
2589 /* Start again with caching sessions */
2596 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2599 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2600 &clientssl, NULL, NULL)))
2603 SSL_set_post_handshake_auth(clientssl, 1);
2605 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2607 /* Check we got the number of tickets we were expecting */
2608 || !TEST_int_eq(idx, new_called))
2611 /* After a post-handshake authentication we should get new tickets issued */
2612 if (!post_handshake_verify(serverssl, clientssl)
2613 || !TEST_int_eq(idx * 2, new_called))
2616 SSL_shutdown(clientssl);
2617 SSL_shutdown(serverssl);
2618 SSL_free(serverssl);
2619 SSL_free(clientssl);
2620 serverssl = clientssl = NULL;
2622 /* Stop caching sessions - just count them */
2626 * Check we can resume with all the tickets we created. This time around the
2627 * resumptions should all be successful.
2629 if (!check_resumption(idx, sctx, cctx, 1))
2635 SSL_free(serverssl);
2636 SSL_free(clientssl);
2637 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2638 SSL_SESSION_free(sesscache[j]);
2639 sesscache[j] = NULL;
2647 static int test_stateless_tickets(int idx)
2649 return test_tickets(0, idx);
2652 static int test_stateful_tickets(int idx)
2654 return test_tickets(1, idx);
2657 static int test_psk_tickets(void)
2659 SSL_CTX *sctx = NULL, *cctx = NULL;
2660 SSL *serverssl = NULL, *clientssl = NULL;
2662 int sess_id_ctx = 1;
2664 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2665 TLS_client_method(), TLS1_VERSION, 0,
2666 &sctx, &cctx, NULL, NULL))
2667 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2668 (void *)&sess_id_ctx,
2669 sizeof(sess_id_ctx))))
2672 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2673 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2674 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2675 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2676 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2677 use_session_cb_cnt = 0;
2678 find_session_cb_cnt = 0;
2682 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2685 clientpsk = serverpsk = create_a_psk(clientssl, SHA384_DIGEST_LENGTH);
2686 if (!TEST_ptr(clientpsk))
2688 SSL_SESSION_up_ref(clientpsk);
2690 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2692 || !TEST_int_eq(1, find_session_cb_cnt)
2693 || !TEST_int_eq(1, use_session_cb_cnt)
2694 /* We should always get 1 ticket when using external PSK */
2695 || !TEST_int_eq(1, new_called))
2701 SSL_free(serverssl);
2702 SSL_free(clientssl);
2705 SSL_SESSION_free(clientpsk);
2706 SSL_SESSION_free(serverpsk);
2707 clientpsk = serverpsk = NULL;
2712 static int test_extra_tickets(int idx)
2714 SSL_CTX *sctx = NULL, *cctx = NULL;
2715 SSL *serverssl = NULL, *clientssl = NULL;
2716 BIO *bretry = BIO_new(bio_s_always_retry());
2721 unsigned char c, buf[1];
2731 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2733 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2734 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2735 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2737 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2738 &clientssl, NULL, NULL)))
2742 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2743 * incremented by both client and server.
2745 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2747 /* Check we got the number of tickets we were expecting */
2748 || !TEST_int_eq(idx * 2, new_called)
2749 || !TEST_true(SSL_new_session_ticket(serverssl))
2750 || !TEST_true(SSL_new_session_ticket(serverssl))
2751 || !TEST_int_eq(idx * 2, new_called))
2754 /* Now try a (real) write to actually send the tickets */
2756 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2757 || !TEST_size_t_eq(1, nbytes)
2758 || !TEST_int_eq(idx * 2 + 2, new_called)
2759 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2760 || !TEST_int_eq(idx * 2 + 4, new_called)
2761 || !TEST_int_eq(sizeof(buf), nbytes)
2762 || !TEST_int_eq(c, buf[0])
2763 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2766 /* Try with only requesting one new ticket, too */
2769 if (!TEST_true(SSL_new_session_ticket(serverssl))
2770 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2771 || !TEST_size_t_eq(sizeof(c), nbytes)
2772 || !TEST_int_eq(1, new_called)
2773 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2774 || !TEST_int_eq(2, new_called)
2775 || !TEST_size_t_eq(sizeof(buf), nbytes)
2776 || !TEST_int_eq(c, buf[0]))
2779 /* Do it again but use dummy writes to drive the ticket generation */
2782 if (!TEST_true(SSL_new_session_ticket(serverssl))
2783 || !TEST_true(SSL_new_session_ticket(serverssl))
2784 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2785 || !TEST_size_t_eq(0, nbytes)
2786 || !TEST_int_eq(2, new_called)
2787 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2788 || !TEST_int_eq(4, new_called))
2791 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2794 if (!TEST_true(SSL_new_session_ticket(serverssl))
2795 || !TEST_true(SSL_new_session_ticket(serverssl))
2796 || !TEST_true(SSL_do_handshake(serverssl))
2797 || !TEST_int_eq(2, new_called)
2798 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2799 || !TEST_int_eq(4, new_called))
2803 * Use the always-retry BIO to exercise the logic that forces ticket
2804 * generation to wait until a record boundary.
2808 tmp = SSL_get_wbio(serverssl);
2809 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2813 SSL_set0_wbio(serverssl, bretry);
2815 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2816 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2817 || !TEST_size_t_eq(nbytes, 0))
2819 /* Restore a BIO that will let the write succeed */
2820 SSL_set0_wbio(serverssl, tmp);
2823 * These calls should just queue the request and not send anything
2824 * even if we explicitly try to hit the state machine.
2826 if (!TEST_true(SSL_new_session_ticket(serverssl))
2827 || !TEST_true(SSL_new_session_ticket(serverssl))
2828 || !TEST_int_eq(0, new_called)
2829 || !TEST_true(SSL_do_handshake(serverssl))
2830 || !TEST_int_eq(0, new_called))
2832 /* Re-do the write; still no tickets sent */
2833 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2834 || !TEST_size_t_eq(1, nbytes)
2835 || !TEST_int_eq(0, new_called)
2836 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2837 || !TEST_int_eq(0, new_called)
2838 || !TEST_int_eq(sizeof(buf), nbytes)
2839 || !TEST_int_eq(c, buf[0])
2840 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2842 /* Even trying to hit the state machine now will still not send tickets */
2843 if (!TEST_true(SSL_do_handshake(serverssl))
2844 || !TEST_int_eq(0, new_called))
2846 /* Now the *next* write should send the tickets */
2848 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2849 || !TEST_size_t_eq(1, nbytes)
2850 || !TEST_int_eq(2, new_called)
2851 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2852 || !TEST_int_eq(4, new_called)
2853 || !TEST_int_eq(sizeof(buf), nbytes)
2854 || !TEST_int_eq(c, buf[0])
2855 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2858 SSL_shutdown(clientssl);
2859 SSL_shutdown(serverssl);
2865 SSL_free(serverssl);
2866 SSL_free(clientssl);
2869 clientssl = serverssl = NULL;
2878 #define USE_DEFAULT 3
2880 #define CONNTYPE_CONNECTION_SUCCESS 0
2881 #define CONNTYPE_CONNECTION_FAIL 1
2882 #define CONNTYPE_NO_CONNECTION 2
2884 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2885 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2886 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2887 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2889 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2892 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2893 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2894 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2896 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2913 * Tests calls to SSL_set_bio() under various conditions.
2915 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2916 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2917 * then do more tests where we create a successful connection first using our
2918 * standard connection setup functions, and then call SSL_set_bio() with
2919 * various combinations of valid BIOs or NULL. We then repeat these tests
2920 * following a failed connection. In this last case we are looking to check that
2921 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2923 static int test_ssl_set_bio(int idx)
2925 SSL_CTX *sctx = NULL, *cctx = NULL;
2928 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2929 SSL *serverssl = NULL, *clientssl = NULL;
2930 int initrbio, initwbio, newrbio, newwbio, conntype;
2933 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2941 conntype = CONNTYPE_NO_CONNECTION;
2943 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2944 initrbio = initwbio = USE_DEFAULT;
2952 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2953 TLS_client_method(), TLS1_VERSION, 0,
2954 &sctx, &cctx, cert, privkey)))
2957 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2959 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2960 * because we reduced the number of tests in the definition of
2961 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2962 * mismatched protocol versions we will force a connection failure.
2964 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2965 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2968 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2972 if (initrbio == USE_BIO_1
2973 || initwbio == USE_BIO_1
2974 || newrbio == USE_BIO_1
2975 || newwbio == USE_BIO_1) {
2976 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2980 if (initrbio == USE_BIO_2
2981 || initwbio == USE_BIO_2
2982 || newrbio == USE_BIO_2
2983 || newwbio == USE_BIO_2) {
2984 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2988 if (initrbio != USE_DEFAULT) {
2989 setupbio(&irbio, bio1, bio2, initrbio);
2990 setupbio(&iwbio, bio1, bio2, initwbio);
2991 SSL_set_bio(clientssl, irbio, iwbio);
2994 * We want to maintain our own refs to these BIO, so do an up ref for
2995 * each BIO that will have ownership transferred in the SSL_set_bio()
3000 if (iwbio != NULL && iwbio != irbio)
3004 if (conntype != CONNTYPE_NO_CONNECTION
3005 && !TEST_true(create_ssl_connection(serverssl, clientssl,
3007 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
3010 setupbio(&nrbio, bio1, bio2, newrbio);
3011 setupbio(&nwbio, bio1, bio2, newwbio);
3014 * We will (maybe) transfer ownership again so do more up refs.
3015 * SSL_set_bio() has some really complicated ownership rules where BIOs have
3020 && (nwbio != iwbio || nrbio != nwbio))
3024 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
3027 SSL_set_bio(clientssl, nrbio, nwbio);
3036 * This test is checking that the ref counting for SSL_set_bio is correct.
3037 * If we get here and we did too many frees then we will fail in the above
3040 SSL_free(serverssl);
3041 SSL_free(clientssl);
3047 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
3049 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
3051 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
3056 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
3057 || !TEST_ptr(ssl = SSL_new(ctx))
3058 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
3059 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
3062 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
3065 * If anything goes wrong here then we could leak memory.
3067 BIO_push(sslbio, membio1);
3069 /* Verify changing the rbio/wbio directly does not cause leaks */
3070 if (change_bio != NO_BIO_CHANGE) {
3071 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
3075 if (change_bio == CHANGE_RBIO)
3076 SSL_set0_rbio(ssl, membio2);
3078 SSL_set0_wbio(ssl, membio2);
3097 static int test_ssl_bio_pop_next_bio(void)
3099 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
3102 static int test_ssl_bio_pop_ssl_bio(void)
3104 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
3107 static int test_ssl_bio_change_rbio(void)
3109 return execute_test_ssl_bio(0, CHANGE_RBIO);
3112 static int test_ssl_bio_change_wbio(void)
3114 return execute_test_ssl_bio(0, CHANGE_WBIO);
3117 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
3119 /* The list of sig algs */
3121 /* The length of the list */
3123 /* A sigalgs list in string format */
3124 const char *liststr;
3125 /* Whether setting the list should succeed */
3127 /* Whether creating a connection with the list should succeed */
3131 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
3132 # ifndef OPENSSL_NO_EC
3133 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
3134 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
3136 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
3137 static const int invalidlist2[] = {NID_sha256, NID_undef};
3138 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
3139 static const int invalidlist4[] = {NID_sha256};
3140 static const sigalgs_list testsigalgs[] = {
3141 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
3142 # ifndef OPENSSL_NO_EC
3143 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
3144 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
3146 {NULL, 0, "RSA+SHA256", 1, 1},
3147 # ifndef OPENSSL_NO_EC
3148 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
3149 {NULL, 0, "ECDSA+SHA512", 1, 0},
3151 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
3152 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
3153 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
3154 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
3155 {NULL, 0, "RSA", 0, 0},
3156 {NULL, 0, "SHA256", 0, 0},
3157 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
3158 {NULL, 0, "Invalid", 0, 0}
3161 static int test_set_sigalgs(int idx)
3163 SSL_CTX *cctx = NULL, *sctx = NULL;
3164 SSL *clientssl = NULL, *serverssl = NULL;
3166 const sigalgs_list *curr;
3169 /* Should never happen */
3170 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
3173 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
3174 curr = testctx ? &testsigalgs[idx]
3175 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
3177 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3178 TLS_client_method(), TLS1_VERSION, 0,
3179 &sctx, &cctx, cert, privkey)))
3182 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
3187 if (curr->list != NULL)
3188 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
3190 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
3194 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
3200 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
3205 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3206 &clientssl, NULL, NULL)))
3212 if (curr->list != NULL)
3213 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
3215 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
3218 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
3227 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
3235 SSL_free(serverssl);
3236 SSL_free(clientssl);
3244 #ifndef OSSL_NO_USABLE_TLS1_3
3245 static int psk_client_cb_cnt = 0;
3246 static int psk_server_cb_cnt = 0;
3248 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3249 size_t *idlen, SSL_SESSION **sess)
3251 switch (++use_session_cb_cnt) {
3253 /* The first call should always have a NULL md */
3259 /* The second call should always have an md */
3265 /* We should only be called a maximum of twice */
3269 if (clientpsk != NULL)
3270 SSL_SESSION_up_ref(clientpsk);
3273 *id = (const unsigned char *)pskid;
3274 *idlen = strlen(pskid);
3279 #ifndef OPENSSL_NO_PSK
3280 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3281 unsigned int max_id_len,
3283 unsigned int max_psk_len)
3285 unsigned int psklen = 0;
3287 psk_client_cb_cnt++;
3289 if (strlen(pskid) + 1 > max_id_len)
3292 /* We should only ever be called a maximum of twice per connection */
3293 if (psk_client_cb_cnt > 2)
3296 if (clientpsk == NULL)
3299 /* We'll reuse the PSK we set up for TLSv1.3 */
3300 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3302 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3303 strncpy(id, pskid, max_id_len);
3307 #endif /* OPENSSL_NO_PSK */
3309 static int find_session_cb(SSL *ssl, const unsigned char *identity,
3310 size_t identity_len, SSL_SESSION **sess)
3312 find_session_cb_cnt++;
3314 /* We should only ever be called a maximum of twice per connection */
3315 if (find_session_cb_cnt > 2)
3318 if (serverpsk == NULL)
3321 /* Identity should match that set by the client */
3322 if (strlen(srvid) != identity_len
3323 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3324 /* No PSK found, continue but without a PSK */
3329 SSL_SESSION_up_ref(serverpsk);
3335 #ifndef OPENSSL_NO_PSK
3336 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3337 unsigned char *psk, unsigned int max_psk_len)
3339 unsigned int psklen = 0;
3341 psk_server_cb_cnt++;
3343 /* We should only ever be called a maximum of twice per connection */
3344 if (find_session_cb_cnt > 2)
3347 if (serverpsk == NULL)
3350 /* Identity should match that set by the client */
3351 if (strcmp(srvid, identity) != 0) {
3355 /* We'll reuse the PSK we set up for TLSv1.3 */
3356 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3358 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3362 #endif /* OPENSSL_NO_PSK */
3364 #define MSG1 "Hello"
3365 #define MSG2 "World."
3370 #define MSG7 "message."
3372 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
3373 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3374 #define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3375 #define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3376 #define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
3379 static SSL_SESSION *create_a_psk(SSL *ssl, size_t mdsize)
3381 const SSL_CIPHER *cipher = NULL;
3382 const unsigned char key[] = {
3383 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3384 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3385 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3386 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3387 0x2c, 0x2d, 0x2e, 0x2f /* SHA384_DIGEST_LENGTH bytes */
3389 SSL_SESSION *sess = NULL;
3391 if (mdsize == SHA384_DIGEST_LENGTH) {
3392 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3393 } else if (mdsize == SHA256_DIGEST_LENGTH) {
3395 * Any ciphersuite using SHA256 will do - it will be compatible with
3396 * the actual ciphersuite selected as long as it too is based on SHA256
3398 cipher = SSL_CIPHER_find(ssl, TLS13_AES_128_GCM_SHA256_BYTES);
3400 /* Should not happen */
3403 sess = SSL_SESSION_new();
3405 || !TEST_ptr(cipher)
3406 || !TEST_true(SSL_SESSION_set1_master_key(sess, key, mdsize))
3407 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3409 SSL_SESSION_set_protocol_version(sess,
3411 SSL_SESSION_free(sess);
3417 static int artificial_ticket_time = 0;
3419 static int ed_gen_cb(SSL *s, void *arg)
3421 SSL_SESSION *sess = SSL_get0_session(s);
3427 * Artificially give the ticket some age. Just do it for the number of
3428 * tickets we've been told to do.
3430 if (artificial_ticket_time == 0)
3432 artificial_ticket_time--;
3434 if (SSL_SESSION_set_time(sess, SSL_SESSION_get_time(sess) - 10) == 0)
3441 * Helper method to setup objects for early data test. Caller frees objects on
3444 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3445 SSL **serverssl, SSL_SESSION **sess, int idx,
3448 int artificial = (artificial_ticket_time > 0);
3451 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3452 TLS_client_method(),
3454 sctx, cctx, cert, privkey)))
3458 SSL_CTX_set_session_ticket_cb(*sctx, ed_gen_cb, NULL, NULL);
3460 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
3464 /* When idx == 1 we repeat the tests with read_ahead set */
3465 SSL_CTX_set_read_ahead(*cctx, 1);
3466 SSL_CTX_set_read_ahead(*sctx, 1);
3467 } else if (idx == 2) {
3468 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3469 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3470 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3471 use_session_cb_cnt = 0;
3472 find_session_cb_cnt = 0;
3476 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
3481 * For one of the run throughs (doesn't matter which one), we'll try sending
3482 * some SNI data in the initial ClientHello. This will be ignored (because
3483 * there is no SNI cb set up by the server), so it should not impact
3487 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3491 clientpsk = create_a_psk(*clientssl, mdsize);
3492 if (!TEST_ptr(clientpsk)
3494 * We just choose an arbitrary value for max_early_data which
3495 * should be big enough for testing purposes.
3497 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3499 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3500 SSL_SESSION_free(clientpsk);
3504 serverpsk = clientpsk;
3507 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3508 SSL_SESSION_free(clientpsk);
3509 SSL_SESSION_free(serverpsk);
3510 clientpsk = serverpsk = NULL;
3521 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3525 *sess = SSL_get1_session(*clientssl);
3526 SSL_shutdown(*clientssl);
3527 SSL_shutdown(*serverssl);
3528 SSL_free(*serverssl);
3529 SSL_free(*clientssl);
3530 *serverssl = *clientssl = NULL;
3533 * Artificially give the ticket some age to match the artificial age we
3534 * gave it on the server side
3537 && !TEST_long_gt(SSL_SESSION_set_time(*sess,
3538 SSL_SESSION_get_time(*sess) - 10), 0))
3541 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3542 clientssl, NULL, NULL))
3543 || !TEST_true(SSL_set_session(*clientssl, *sess)))
3549 static int test_early_data_read_write(int idx)
3551 SSL_CTX *cctx = NULL, *sctx = NULL;
3552 SSL *clientssl = NULL, *serverssl = NULL;
3554 SSL_SESSION *sess = NULL;
3555 unsigned char buf[20], data[1024];
3556 size_t readbytes, written, eoedlen, rawread, rawwritten;
3559 /* Artificially give the next 2 tickets some age for non PSK sessions */
3561 artificial_ticket_time = 2;
3562 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3563 &serverssl, &sess, idx,
3564 SHA384_DIGEST_LENGTH))) {
3565 artificial_ticket_time = 0;
3568 artificial_ticket_time = 0;
3570 /* Write and read some early data */
3571 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3573 || !TEST_size_t_eq(written, strlen(MSG1))
3574 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3575 sizeof(buf), &readbytes),
3576 SSL_READ_EARLY_DATA_SUCCESS)
3577 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3578 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3579 SSL_EARLY_DATA_ACCEPTED))
3583 * Server should be able to write data, and client should be able to
3586 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3588 || !TEST_size_t_eq(written, strlen(MSG2))
3589 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3590 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3593 /* Even after reading normal data, client should be able write early data */
3594 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3596 || !TEST_size_t_eq(written, strlen(MSG3)))
3599 /* Server should still be able read early data after writing data */
3600 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3602 SSL_READ_EARLY_DATA_SUCCESS)
3603 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3606 /* Write more data from server and read it from client */
3607 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3609 || !TEST_size_t_eq(written, strlen(MSG4))
3610 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3611 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3615 * If client writes normal data it should mean writing early data is no
3618 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3619 || !TEST_size_t_eq(written, strlen(MSG5))
3620 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3621 SSL_EARLY_DATA_ACCEPTED))
3625 * At this point the client has written EndOfEarlyData, ClientFinished and
3626 * normal (fully protected) data. We are going to cause a delay between the
3627 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3628 * in the read BIO, and then just put back the EndOfEarlyData message.
3630 rbio = SSL_get_rbio(serverssl);
3631 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3632 || !TEST_size_t_lt(rawread, sizeof(data))
3633 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3636 /* Record length is in the 4th and 5th bytes of the record header */
3637 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3638 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3639 || !TEST_size_t_eq(rawwritten, eoedlen))
3642 /* Server should be told that there is no more early data */
3643 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3645 SSL_READ_EARLY_DATA_FINISH)
3646 || !TEST_size_t_eq(readbytes, 0))
3650 * Server has not finished init yet, so should still be able to write early
3653 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3655 || !TEST_size_t_eq(written, strlen(MSG6)))
3658 /* Push the ClientFinished and the normal data back into the server rbio */
3659 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3661 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3664 /* Server should be able to read normal data */
3665 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3666 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3669 /* Client and server should not be able to write/read early data now */
3670 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3674 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3676 SSL_READ_EARLY_DATA_ERROR))
3680 /* Client should be able to read the data sent by the server */
3681 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3682 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3686 * Make sure we process the two NewSessionTickets. These arrive
3687 * post-handshake. We attempt reads which we do not expect to return any
3690 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3691 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3695 /* Server should be able to write normal data */
3696 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3697 || !TEST_size_t_eq(written, strlen(MSG7))
3698 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3699 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3702 SSL_SESSION_free(sess);
3703 sess = SSL_get1_session(clientssl);
3704 use_session_cb_cnt = 0;
3705 find_session_cb_cnt = 0;
3707 SSL_shutdown(clientssl);
3708 SSL_shutdown(serverssl);
3709 SSL_free(serverssl);
3710 SSL_free(clientssl);
3711 serverssl = clientssl = NULL;
3712 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3713 &clientssl, NULL, NULL))
3714 || !TEST_true(SSL_set_session(clientssl, sess)))
3717 /* Write and read some early data */
3718 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3720 || !TEST_size_t_eq(written, strlen(MSG1))
3721 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3723 SSL_READ_EARLY_DATA_SUCCESS)
3724 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3727 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3728 || !TEST_int_gt(SSL_accept(serverssl), 0))
3731 /* Client and server should not be able to write/read early data now */
3732 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3736 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3738 SSL_READ_EARLY_DATA_ERROR))
3742 /* Client and server should be able to write/read normal data */
3743 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3744 || !TEST_size_t_eq(written, strlen(MSG5))
3745 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3746 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3752 SSL_SESSION_free(sess);
3753 SSL_SESSION_free(clientpsk);
3754 SSL_SESSION_free(serverpsk);
3755 clientpsk = serverpsk = NULL;
3756 SSL_free(serverssl);
3757 SSL_free(clientssl);
3763 static int allow_ed_cb_called = 0;
3765 static int allow_early_data_cb(SSL *s, void *arg)
3767 int *usecb = (int *)arg;
3769 allow_ed_cb_called++;
3778 * idx == 0: Standard early_data setup
3779 * idx == 1: early_data setup using read_ahead
3780 * usecb == 0: Don't use a custom early data callback
3781 * usecb == 1: Use a custom early data callback and reject the early data
3782 * usecb == 2: Use a custom early data callback and accept the early data
3783 * confopt == 0: Configure anti-replay directly
3784 * confopt == 1: Configure anti-replay using SSL_CONF
3786 static int test_early_data_replay_int(int idx, int usecb, int confopt)
3788 SSL_CTX *cctx = NULL, *sctx = NULL;
3789 SSL *clientssl = NULL, *serverssl = NULL;
3791 SSL_SESSION *sess = NULL;
3792 size_t readbytes, written;
3793 unsigned char buf[20];
3795 allow_ed_cb_called = 0;
3797 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3798 TLS_client_method(), TLS1_VERSION, 0,
3799 &sctx, &cctx, cert, privkey)))
3804 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3806 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3808 if (!TEST_ptr(confctx))
3810 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3811 | SSL_CONF_FLAG_SERVER);
3812 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3813 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3815 SSL_CONF_CTX_free(confctx);
3818 SSL_CONF_CTX_free(confctx);
3820 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3823 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3824 &serverssl, &sess, idx,
3825 SHA384_DIGEST_LENGTH)))
3829 * The server is configured to accept early data. Create a connection to
3830 * "use up" the ticket
3832 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3833 || !TEST_true(SSL_session_reused(clientssl)))
3836 SSL_shutdown(clientssl);
3837 SSL_shutdown(serverssl);
3838 SSL_free(serverssl);
3839 SSL_free(clientssl);
3840 serverssl = clientssl = NULL;
3842 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3843 &clientssl, NULL, NULL))
3844 || !TEST_true(SSL_set_session(clientssl, sess)))
3847 /* Write and read some early data */
3848 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3850 || !TEST_size_t_eq(written, strlen(MSG1)))
3854 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3856 SSL_READ_EARLY_DATA_FINISH)
3858 * The ticket was reused, so the we should have rejected the
3861 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3862 SSL_EARLY_DATA_REJECTED))
3865 /* In this case the callback decides to accept the early data */
3866 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3868 SSL_READ_EARLY_DATA_SUCCESS)
3869 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3871 * Server will have sent its flight so client can now send
3872 * end of early data and complete its half of the handshake
3874 || !TEST_int_gt(SSL_connect(clientssl), 0)
3875 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3877 SSL_READ_EARLY_DATA_FINISH)
3878 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3879 SSL_EARLY_DATA_ACCEPTED))
3883 /* Complete the connection */
3884 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3885 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3886 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3892 SSL_SESSION_free(sess);
3893 SSL_SESSION_free(clientpsk);
3894 SSL_SESSION_free(serverpsk);
3895 clientpsk = serverpsk = NULL;
3896 SSL_free(serverssl);
3897 SSL_free(clientssl);
3903 static int test_early_data_replay(int idx)
3905 int ret = 1, usecb, confopt;
3907 for (usecb = 0; usecb < 3; usecb++) {
3908 for (confopt = 0; confopt < 2; confopt++)
3909 ret &= test_early_data_replay_int(idx, usecb, confopt);
3915 static const char *ciphersuites[] = {
3916 "TLS_AES_128_CCM_8_SHA256",
3917 "TLS_AES_128_GCM_SHA256",
3918 "TLS_AES_256_GCM_SHA384",
3919 "TLS_AES_128_CCM_SHA256",
3920 #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3921 "TLS_CHACHA20_POLY1305_SHA256"
3926 * Helper function to test that a server attempting to read early data can
3927 * handle a connection from a client where the early data should be skipped.
3928 * testtype: 0 == No HRR
3929 * testtype: 1 == HRR
3930 * testtype: 2 == HRR, invalid early_data sent after HRR
3931 * testtype: 3 == recv_max_early_data set to 0
3933 static int early_data_skip_helper(int testtype, int cipher, int idx)
3935 SSL_CTX *cctx = NULL, *sctx = NULL;
3936 SSL *clientssl = NULL, *serverssl = NULL;
3938 SSL_SESSION *sess = NULL;
3939 unsigned char buf[20];
3940 size_t readbytes, written;
3942 if (is_fips && cipher == 4)
3945 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3946 TLS_client_method(),
3948 &sctx, &cctx, cert, privkey)))
3952 SSL_CTX_set_security_level(sctx, 0);
3953 SSL_CTX_set_security_level(cctx, 0);
3956 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, ciphersuites[cipher]))
3957 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, ciphersuites[cipher])))
3960 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3961 &serverssl, &sess, idx,
3962 cipher == 2 ? SHA384_DIGEST_LENGTH
3963 : SHA256_DIGEST_LENGTH)))
3966 if (testtype == 1 || testtype == 2) {
3967 /* Force an HRR to occur */
3968 #if defined(OPENSSL_NO_EC)
3969 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3972 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
3975 } else if (idx == 2) {
3977 * We force early_data rejection by ensuring the PSK identity is
3980 srvid = "Dummy Identity";
3983 * Deliberately corrupt the creation time. We take 20 seconds off the
3984 * time. It could be any value as long as it is not within tolerance.
3985 * This should mean the ticket is rejected.
3987 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3992 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3995 /* Write some early data */
3996 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3998 || !TEST_size_t_eq(written, strlen(MSG1)))
4001 /* Server should reject the early data */
4002 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4004 SSL_READ_EARLY_DATA_FINISH)
4005 || !TEST_size_t_eq(readbytes, 0)
4006 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4007 SSL_EARLY_DATA_REJECTED))
4017 * Finish off the handshake. We perform the same writes and reads as
4018 * further down but we expect them to fail due to the incomplete
4021 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4022 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
4029 BIO *wbio = SSL_get_wbio(clientssl);
4030 /* A record that will appear as bad early_data */
4031 const unsigned char bad_early_data[] = {
4032 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
4036 * We force the client to attempt a write. This will fail because
4037 * we're still in the handshake. It will cause the second
4038 * ClientHello to be sent.
4040 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
4045 * Inject some early_data after the second ClientHello. This should
4046 * cause the server to fail
4048 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
4049 sizeof(bad_early_data), &written)))
4056 * This client has sent more early_data than we are willing to skip
4057 * (case 3) or sent invalid early_data (case 2) so the connection should
4060 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4061 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
4064 /* Connection has failed - nothing more to do */
4069 TEST_error("Invalid test type");
4075 * Should be able to send normal data despite rejection of early data. The
4076 * early_data should be skipped.
4078 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4079 || !TEST_size_t_eq(written, strlen(MSG2))
4080 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4081 SSL_EARLY_DATA_REJECTED)
4082 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4083 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4087 * Failure to decrypt early data records should not leave spurious errors
4088 * on the error stack
4090 if (!TEST_long_eq(ERR_peek_error(), 0))
4096 SSL_SESSION_free(clientpsk);
4097 SSL_SESSION_free(serverpsk);
4098 clientpsk = serverpsk = NULL;
4099 SSL_SESSION_free(sess);
4100 SSL_free(serverssl);
4101 SSL_free(clientssl);
4108 * Test that a server attempting to read early data can handle a connection
4109 * from a client where the early data is not acceptable.
4111 static int test_early_data_skip(int idx)
4113 return early_data_skip_helper(0,
4114 idx % OSSL_NELEM(ciphersuites),
4115 idx / OSSL_NELEM(ciphersuites));
4119 * Test that a server attempting to read early data can handle a connection
4120 * from a client where an HRR occurs.
4122 static int test_early_data_skip_hrr(int idx)
4124 return early_data_skip_helper(1,
4125 idx % OSSL_NELEM(ciphersuites),
4126 idx / OSSL_NELEM(ciphersuites));
4130 * Test that a server attempting to read early data can handle a connection
4131 * from a client where an HRR occurs and correctly fails if early_data is sent
4134 static int test_early_data_skip_hrr_fail(int idx)
4136 return early_data_skip_helper(2,
4137 idx % OSSL_NELEM(ciphersuites),
4138 idx / OSSL_NELEM(ciphersuites));
4142 * Test that a server attempting to read early data will abort if it tries to
4143 * skip over too much.
4145 static int test_early_data_skip_abort(int idx)
4147 return early_data_skip_helper(3,
4148 idx % OSSL_NELEM(ciphersuites),
4149 idx / OSSL_NELEM(ciphersuites));
4153 * Test that a server attempting to read early data can handle a connection
4154 * from a client that doesn't send any.
4156 static int test_early_data_not_sent(int idx)
4158 SSL_CTX *cctx = NULL, *sctx = NULL;
4159 SSL *clientssl = NULL, *serverssl = NULL;
4161 SSL_SESSION *sess = NULL;
4162 unsigned char buf[20];
4163 size_t readbytes, written;
4165 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4166 &serverssl, &sess, idx,
4167 SHA384_DIGEST_LENGTH)))
4170 /* Write some data - should block due to handshake with server */
4171 SSL_set_connect_state(clientssl);
4172 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4175 /* Server should detect that early data has not been sent */
4176 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4178 SSL_READ_EARLY_DATA_FINISH)
4179 || !TEST_size_t_eq(readbytes, 0)
4180 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4181 SSL_EARLY_DATA_NOT_SENT)
4182 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4183 SSL_EARLY_DATA_NOT_SENT))
4186 /* Continue writing the message we started earlier */
4187 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4188 || !TEST_size_t_eq(written, strlen(MSG1))
4189 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4190 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4191 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
4192 || !TEST_size_t_eq(written, strlen(MSG2)))
4195 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4196 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4202 SSL_SESSION_free(sess);
4203 SSL_SESSION_free(clientpsk);
4204 SSL_SESSION_free(serverpsk);
4205 clientpsk = serverpsk = NULL;
4206 SSL_free(serverssl);
4207 SSL_free(clientssl);
4213 static const char *servalpn;
4215 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
4216 unsigned char *outlen, const unsigned char *in,
4217 unsigned int inlen, void *arg)
4219 unsigned int protlen = 0;
4220 const unsigned char *prot;
4222 for (prot = in; prot < in + inlen; prot += protlen) {
4224 if (in + inlen < prot + protlen)
4225 return SSL_TLSEXT_ERR_NOACK;
4227 if (protlen == strlen(servalpn)
4228 && memcmp(prot, servalpn, protlen) == 0) {
4231 return SSL_TLSEXT_ERR_OK;
4235 return SSL_TLSEXT_ERR_NOACK;
4238 /* Test that a PSK can be used to send early_data */
4239 static int test_early_data_psk(int idx)
4241 SSL_CTX *cctx = NULL, *sctx = NULL;
4242 SSL *clientssl = NULL, *serverssl = NULL;
4244 SSL_SESSION *sess = NULL;
4245 unsigned char alpnlist[] = {
4246 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
4249 #define GOODALPNLEN 9
4250 #define BADALPNLEN 8
4251 #define GOODALPN (alpnlist)
4252 #define BADALPN (alpnlist + GOODALPNLEN)
4254 unsigned char buf[20];
4255 size_t readbytes, written;
4256 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
4257 int edstatus = SSL_EARLY_DATA_ACCEPTED;
4259 /* We always set this up with a final parameter of "2" for PSK */
4260 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4261 &serverssl, &sess, 2,
4262 SHA384_DIGEST_LENGTH)))
4265 servalpn = "goodalpn";
4268 * Note: There is no test for inconsistent SNI with late client detection.
4269 * This is because servers do not acknowledge SNI even if they are using
4270 * it in a resumption handshake - so it is not actually possible for a
4271 * client to detect a problem.
4275 /* Set inconsistent SNI (early client detection) */
4276 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
4277 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4278 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
4283 /* Set inconsistent ALPN (early client detection) */
4284 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
4285 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
4286 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
4288 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
4295 * Set invalid protocol version. Technically this affects PSKs without
4296 * early_data too, but we test it here because it is similar to the
4297 * SNI/ALPN consistency tests.
4299 err = SSL_R_BAD_PSK;
4300 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
4306 * Set inconsistent SNI (server side). In this case the connection
4307 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
4308 * is associated with each handshake - not the session. Therefore it
4309 * should not matter that we used a different server name last time.
4311 SSL_SESSION_free(serverpsk);
4312 serverpsk = SSL_SESSION_dup(clientpsk);
4313 if (!TEST_ptr(serverpsk)
4314 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
4318 /* Set consistent SNI */
4319 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4320 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
4321 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
4328 * Set inconsistent ALPN (server detected). In this case the connection
4329 * will succeed but reject early_data.
4331 servalpn = "badalpn";
4332 edstatus = SSL_EARLY_DATA_REJECTED;
4333 readearlyres = SSL_READ_EARLY_DATA_FINISH;
4337 * Set consistent ALPN.
4338 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4339 * accepts a list of protos (each one length prefixed).
4340 * SSL_set1_alpn_selected accepts a single protocol (not length
4343 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4345 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4349 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4353 /* Set inconsistent ALPN (late client detection) */
4354 SSL_SESSION_free(serverpsk);
4355 serverpsk = SSL_SESSION_dup(clientpsk);
4356 if (!TEST_ptr(serverpsk)
4357 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4360 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4363 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4366 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4367 edstatus = SSL_EARLY_DATA_ACCEPTED;
4368 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4369 /* SSL_connect() call should fail */
4374 TEST_error("Bad test index");
4378 SSL_set_connect_state(clientssl);
4380 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4382 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4383 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4386 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4390 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4391 &readbytes), readearlyres)
4392 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4393 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
4394 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4395 || !TEST_int_eq(SSL_connect(clientssl), connectres))
4402 SSL_SESSION_free(sess);
4403 SSL_SESSION_free(clientpsk);
4404 SSL_SESSION_free(serverpsk);
4405 clientpsk = serverpsk = NULL;
4406 SSL_free(serverssl);
4407 SSL_free(clientssl);
4414 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4415 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4416 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4417 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4418 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4419 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4421 static int test_early_data_psk_with_all_ciphers(int idx)
4423 SSL_CTX *cctx = NULL, *sctx = NULL;
4424 SSL *clientssl = NULL, *serverssl = NULL;
4426 SSL_SESSION *sess = NULL;
4427 unsigned char buf[20];
4428 size_t readbytes, written;
4429 const SSL_CIPHER *cipher;
4430 const char *cipher_str[] = {
4431 TLS1_3_RFC_AES_128_GCM_SHA256,
4432 TLS1_3_RFC_AES_256_GCM_SHA384,
4433 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4434 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4438 TLS1_3_RFC_AES_128_CCM_SHA256,
4439 TLS1_3_RFC_AES_128_CCM_8_SHA256
4441 const unsigned char *cipher_bytes[] = {
4442 TLS13_AES_128_GCM_SHA256_BYTES,
4443 TLS13_AES_256_GCM_SHA384_BYTES,
4444 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4445 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4449 TLS13_AES_128_CCM_SHA256_BYTES,
4450 TLS13_AES_128_CCM_8_SHA256_BYTES
4453 if (cipher_str[idx] == NULL)
4455 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4456 if (idx == 2 && is_fips == 1)
4459 /* We always set this up with a final parameter of "2" for PSK */
4460 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4461 &serverssl, &sess, 2,
4462 SHA384_DIGEST_LENGTH)))
4466 /* CCM8 ciphers are considered low security due to their short tag */
4467 SSL_set_security_level(clientssl, 0);
4468 SSL_set_security_level(serverssl, 0);
4471 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4472 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4476 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4477 * and assigns to both client and server with incremented reference
4478 * and the same instance is updated in 'sess'.
4479 * So updating ciphersuite in 'sess' which will get reflected in
4480 * PSK handshake using psk use sess and find sess cb.
4482 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4483 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4486 SSL_set_connect_state(clientssl);
4487 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4491 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4493 SSL_READ_EARLY_DATA_SUCCESS)
4494 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4495 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4496 SSL_EARLY_DATA_ACCEPTED)
4497 || !TEST_int_eq(SSL_connect(clientssl), 1)
4498 || !TEST_int_eq(SSL_accept(serverssl), 1))
4501 /* Send some normal data from client to server */
4502 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4503 || !TEST_size_t_eq(written, strlen(MSG2)))
4506 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4507 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4512 SSL_SESSION_free(sess);
4513 SSL_SESSION_free(clientpsk);
4514 SSL_SESSION_free(serverpsk);
4515 clientpsk = serverpsk = NULL;
4516 if (clientssl != NULL)
4517 SSL_shutdown(clientssl);
4518 if (serverssl != NULL)
4519 SSL_shutdown(serverssl);
4520 SSL_free(serverssl);
4521 SSL_free(clientssl);
4528 * Test that a server that doesn't try to read early data can handle a
4529 * client sending some.
4531 static int test_early_data_not_expected(int idx)
4533 SSL_CTX *cctx = NULL, *sctx = NULL;
4534 SSL *clientssl = NULL, *serverssl = NULL;
4536 SSL_SESSION *sess = NULL;
4537 unsigned char buf[20];
4538 size_t readbytes, written;
4540 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4541 &serverssl, &sess, idx,
4542 SHA384_DIGEST_LENGTH)))
4545 /* Write some early data */
4546 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4551 * Server should skip over early data and then block waiting for client to
4552 * continue handshake
4554 if (!TEST_int_le(SSL_accept(serverssl), 0)
4555 || !TEST_int_gt(SSL_connect(clientssl), 0)
4556 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4557 SSL_EARLY_DATA_REJECTED)
4558 || !TEST_int_gt(SSL_accept(serverssl), 0)
4559 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4560 SSL_EARLY_DATA_REJECTED))
4563 /* Send some normal data from client to server */
4564 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4565 || !TEST_size_t_eq(written, strlen(MSG2)))
4568 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4569 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4575 SSL_SESSION_free(sess);
4576 SSL_SESSION_free(clientpsk);
4577 SSL_SESSION_free(serverpsk);
4578 clientpsk = serverpsk = NULL;
4579 SSL_free(serverssl);
4580 SSL_free(clientssl);
4587 # ifndef OPENSSL_NO_TLS1_2
4589 * Test that a server attempting to read early data can handle a connection
4590 * from a TLSv1.2 client.
4592 static int test_early_data_tls1_2(int idx)
4594 SSL_CTX *cctx = NULL, *sctx = NULL;
4595 SSL *clientssl = NULL, *serverssl = NULL;
4597 unsigned char buf[20];
4598 size_t readbytes, written;
4600 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4601 &serverssl, NULL, idx,
4602 SHA384_DIGEST_LENGTH)))
4605 /* Write some data - should block due to handshake with server */
4606 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4607 SSL_set_connect_state(clientssl);
4608 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4612 * Server should do TLSv1.2 handshake. First it will block waiting for more
4613 * messages from client after ServerDone. Then SSL_read_early_data should
4614 * finish and detect that early data has not been sent
4616 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4618 SSL_READ_EARLY_DATA_ERROR))
4622 * Continue writing the message we started earlier. Will still block waiting
4623 * for the CCS/Finished from server
4625 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4626 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4628 SSL_READ_EARLY_DATA_FINISH)
4629 || !TEST_size_t_eq(readbytes, 0)
4630 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4631 SSL_EARLY_DATA_NOT_SENT))
4634 /* Continue writing the message we started earlier */
4635 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4636 || !TEST_size_t_eq(written, strlen(MSG1))
4637 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4638 SSL_EARLY_DATA_NOT_SENT)
4639 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4640 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4641 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4642 || !TEST_size_t_eq(written, strlen(MSG2))
4643 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4644 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4650 SSL_SESSION_free(clientpsk);
4651 SSL_SESSION_free(serverpsk);
4652 clientpsk = serverpsk = NULL;
4653 SSL_free(serverssl);
4654 SSL_free(clientssl);
4660 # endif /* OPENSSL_NO_TLS1_2 */
4663 * Test configuring the TLSv1.3 ciphersuites
4665 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4666 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4667 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4668 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4669 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4670 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4671 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4672 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4673 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4674 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4676 static int test_set_ciphersuite(int idx)
4678 SSL_CTX *cctx = NULL, *sctx = NULL;
4679 SSL *clientssl = NULL, *serverssl = NULL;
4682 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4683 TLS_client_method(), TLS1_VERSION, 0,
4684 &sctx, &cctx, cert, privkey))
4685 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4686 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4689 if (idx >=4 && idx <= 7) {
4690 /* SSL_CTX explicit cipher list */
4691 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4695 if (idx == 0 || idx == 4) {
4696 /* Default ciphersuite */
4697 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4698 "TLS_AES_128_GCM_SHA256")))
4700 } else if (idx == 1 || idx == 5) {
4701 /* Non default ciphersuite */
4702 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4703 "TLS_AES_128_CCM_SHA256")))
4707 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4708 &clientssl, NULL, NULL)))
4711 if (idx == 8 || idx == 9) {
4712 /* SSL explicit cipher list */
4713 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4717 if (idx == 2 || idx == 6 || idx == 8) {
4718 /* Default ciphersuite */
4719 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4720 "TLS_AES_128_GCM_SHA256")))
4722 } else if (idx == 3 || idx == 7 || idx == 9) {
4723 /* Non default ciphersuite */
4724 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4725 "TLS_AES_128_CCM_SHA256")))
4729 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4735 SSL_free(serverssl);
4736 SSL_free(clientssl);
4743 static int test_ciphersuite_change(void)
4745 SSL_CTX *cctx = NULL, *sctx = NULL;
4746 SSL *clientssl = NULL, *serverssl = NULL;
4747 SSL_SESSION *clntsess = NULL;
4749 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4751 /* Create a session based on SHA-256 */
4752 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4753 TLS_client_method(), TLS1_VERSION, 0,
4754 &sctx, &cctx, cert, privkey))
4755 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4756 "TLS_AES_128_GCM_SHA256:"
4757 "TLS_AES_256_GCM_SHA384:"
4758 "TLS_AES_128_CCM_SHA256"))
4759 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4760 "TLS_AES_128_GCM_SHA256")))
4763 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4765 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4769 clntsess = SSL_get1_session(clientssl);
4770 /* Save for later */
4771 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4772 SSL_shutdown(clientssl);
4773 SSL_shutdown(serverssl);
4774 SSL_free(serverssl);
4775 SSL_free(clientssl);
4776 serverssl = clientssl = NULL;
4778 /* Check we can resume a session with a different SHA-256 ciphersuite */
4779 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4780 "TLS_AES_128_CCM_SHA256"))
4781 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4782 &clientssl, NULL, NULL))
4783 || !TEST_true(SSL_set_session(clientssl, clntsess))
4784 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4786 || !TEST_true(SSL_session_reused(clientssl)))
4789 SSL_SESSION_free(clntsess);
4790 clntsess = SSL_get1_session(clientssl);
4791 SSL_shutdown(clientssl);
4792 SSL_shutdown(serverssl);
4793 SSL_free(serverssl);
4794 SSL_free(clientssl);
4795 serverssl = clientssl = NULL;
4798 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4799 * succeeds but does not resume.
4801 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4802 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4804 || !TEST_true(SSL_set_session(clientssl, clntsess))
4805 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4807 || !TEST_false(SSL_session_reused(clientssl)))
4810 SSL_SESSION_free(clntsess);
4812 SSL_shutdown(clientssl);
4813 SSL_shutdown(serverssl);
4814 SSL_free(serverssl);
4815 SSL_free(clientssl);
4816 serverssl = clientssl = NULL;
4818 /* Create a session based on SHA384 */
4819 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4820 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4821 &clientssl, NULL, NULL))
4822 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4826 clntsess = SSL_get1_session(clientssl);
4827 SSL_shutdown(clientssl);
4828 SSL_shutdown(serverssl);
4829 SSL_free(serverssl);
4830 SSL_free(clientssl);
4831 serverssl = clientssl = NULL;
4833 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4834 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4835 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4836 "TLS_AES_256_GCM_SHA384"))
4837 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4839 || !TEST_true(SSL_set_session(clientssl, clntsess))
4841 * We use SSL_ERROR_WANT_READ below so that we can pause the
4842 * connection after the initial ClientHello has been sent to
4843 * enable us to make some session changes.
4845 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4846 SSL_ERROR_WANT_READ)))
4849 /* Trick the client into thinking this session is for a different digest */
4850 clntsess->cipher = aes_128_gcm_sha256;
4851 clntsess->cipher_id = clntsess->cipher->id;
4854 * Continue the previously started connection. Server has selected a SHA-384
4855 * ciphersuite, but client thinks the session is for SHA-256, so it should
4858 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4860 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4861 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4867 SSL_SESSION_free(clntsess);
4868 SSL_free(serverssl);
4869 SSL_free(clientssl);
4877 * Test TLSv1.3 Key exchange
4878 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4879 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4880 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4881 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4882 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4883 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4884 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4885 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4886 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4887 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4888 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4889 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4890 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4891 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4893 # ifndef OPENSSL_NO_EC
4894 static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4896 # ifndef OPENSSL_NO_ECX
4897 NID_X25519, NID_X448
4901 # ifndef OPENSSL_NO_DH
4902 static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4903 NID_ffdhe6144, NID_ffdhe8192};
4905 static int test_key_exchange(int idx)
4907 SSL_CTX *sctx = NULL, *cctx = NULL;
4908 SSL *serverssl = NULL, *clientssl = NULL;
4911 int *kexch_groups = &kexch_alg;
4912 int kexch_groups_size = 1;
4913 int max_version = TLS1_3_VERSION;
4914 char *kexch_name0 = NULL;
4917 # ifndef OPENSSL_NO_EC
4918 # ifndef OPENSSL_NO_TLS1_2
4920 max_version = TLS1_2_VERSION;
4924 kexch_groups = ecdhe_kexch_groups;
4925 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4926 kexch_name0 = "secp256r1";
4929 kexch_alg = NID_X9_62_prime256v1;
4930 kexch_name0 = "secp256r1";
4933 kexch_alg = NID_secp384r1;
4934 kexch_name0 = "secp384r1";
4937 kexch_alg = NID_secp521r1;
4938 kexch_name0 = "secp521r1";
4940 # ifndef OPENSSL_NO_ECX
4942 kexch_alg = NID_X25519;
4943 kexch_name0 = "x25519";
4946 kexch_alg = NID_X448;
4947 kexch_name0 = "x448";
4951 # ifndef OPENSSL_NO_DH
4952 # ifndef OPENSSL_NO_TLS1_2
4954 max_version = TLS1_2_VERSION;
4955 kexch_name0 = "ffdhe2048";
4959 kexch_groups = ffdhe_kexch_groups;
4960 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4961 kexch_name0 = "ffdhe2048";
4964 kexch_alg = NID_ffdhe2048;
4965 kexch_name0 = "ffdhe2048";
4968 kexch_alg = NID_ffdhe3072;
4969 kexch_name0 = "ffdhe3072";
4972 kexch_alg = NID_ffdhe4096;
4973 kexch_name0 = "ffdhe4096";
4976 kexch_alg = NID_ffdhe6144;
4977 kexch_name0 = "ffdhe6144";
4980 kexch_alg = NID_ffdhe8192;
4981 kexch_name0 = "ffdhe8192";
4985 /* We're skipping this test */
4989 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4990 TLS_client_method(), TLS1_VERSION,
4991 max_version, &sctx, &cctx, cert,
4995 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4996 TLS1_3_RFC_AES_128_GCM_SHA256)))
4999 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5000 TLS1_3_RFC_AES_128_GCM_SHA256)))
5003 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
5004 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5005 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
5006 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
5010 * Must include an EC ciphersuite so that we send supported groups in
5013 # ifndef OPENSSL_NO_TLS1_2
5014 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5015 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5016 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
5020 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5024 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
5025 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
5028 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5032 * If Handshake succeeds the negotiated kexch alg should be the first one in
5033 * configured, except in the case of FFDHE groups (idx 13), which are
5034 * TLSv1.3 only so we expect no shared group to exist.
5036 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
5037 idx == 13 ? 0 : kexch_groups[0]))
5040 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
5044 /* We don't implement RFC 7919 named groups for TLS 1.2. */
5046 if (!TEST_str_eq(SSL_get0_group_name(serverssl), kexch_name0)
5047 || !TEST_str_eq(SSL_get0_group_name(clientssl), kexch_name0))
5049 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
5051 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
5057 SSL_free(serverssl);
5058 SSL_free(clientssl);
5064 # if !defined(OPENSSL_NO_TLS1_2) \
5065 && !defined(OPENSSL_NO_EC) \
5066 && !defined(OPENSSL_NO_DH)
5067 static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
5068 int isecdhe, int idx)
5071 int *kexch_groups = &kexch_alg;
5074 numec = OSSL_NELEM(ecdhe_kexch_groups);
5075 numff = OSSL_NELEM(ffdhe_kexch_groups);
5077 kexch_alg = ecdhe_kexch_groups[idx];
5079 kexch_alg = ffdhe_kexch_groups[idx];
5082 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
5085 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
5089 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
5094 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
5097 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
5101 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
5110 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
5111 * Run through both the ECDHE and FFDHE group lists used in the previous
5112 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
5113 * confirming the expected result; then perform a resumption handshake
5114 * while offering the same group list, and another resumption handshake
5115 * offering a different group list. The returned value should be the
5116 * negotiated group for the initial handshake; for TLS 1.3 resumption
5117 * handshakes the returned value will be negotiated on the resumption
5118 * handshake itself, but for TLS 1.2 resumption handshakes the value will
5119 * be cached in the session from the original handshake, regardless of what
5120 * was offered in the resumption ClientHello.
5122 * Using E for the number of EC groups and F for the number of FF groups:
5123 * E tests of ECDHE with TLS 1.3, server only has one group
5124 * F tests of FFDHE with TLS 1.3, server only has one group
5125 * E tests of ECDHE with TLS 1.2, server only has one group
5126 * F tests of FFDHE with TLS 1.2, server only has one group
5127 * E tests of ECDHE with TLS 1.3, client sends only one group
5128 * F tests of FFDHE with TLS 1.3, client sends only one group
5129 * E tests of ECDHE with TLS 1.2, client sends only one group
5130 * F tests of FFDHE with TLS 1.2, client sends only one group
5132 static int test_negotiated_group(int idx)
5134 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
5136 SSL_CTX *sctx = NULL, *cctx = NULL;
5137 SSL *serverssl = NULL, *clientssl = NULL;
5138 SSL_SESSION *origsess = NULL;
5141 int max_version = TLS1_3_VERSION;
5143 numec = OSSL_NELEM(ecdhe_kexch_groups);
5144 numff = OSSL_NELEM(ffdhe_kexch_groups);
5145 numgroups = numec + numff;
5146 clientmulti = (idx < 2 * numgroups);
5147 idx = idx % (2 * numgroups);
5148 istls13 = (idx < numgroups);
5149 idx = idx % numgroups;
5150 isecdhe = (idx < numec);
5153 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
5155 kexch_alg = ecdhe_kexch_groups[idx];
5157 kexch_alg = ffdhe_kexch_groups[idx];
5158 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
5159 if (!istls13 && !isecdhe)
5160 expectednid = NID_undef;
5162 expectednid = kexch_alg;
5165 max_version = TLS1_2_VERSION;
5167 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5168 TLS_client_method(), TLS1_VERSION,
5169 max_version, &sctx, &cctx, cert,
5174 * Force (EC)DHE ciphers for TLS 1.2.
5175 * Be sure to enable auto tmp DH so that FFDHE can succeed.
5177 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
5178 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5179 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
5180 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
5182 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5183 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5184 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
5187 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5191 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
5195 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5198 /* Initial handshake; always the configured one */
5199 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5200 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5203 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
5206 SSL_shutdown(clientssl);
5207 SSL_shutdown(serverssl);
5208 SSL_free(serverssl);
5209 SSL_free(clientssl);
5210 serverssl = clientssl = NULL;
5212 /* First resumption attempt; use the same config as initial handshake */
5213 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5215 || !TEST_true(SSL_set_session(clientssl, origsess))
5216 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5220 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5221 || !TEST_true(SSL_session_reused(clientssl)))
5224 /* Still had better agree, since nothing changed... */
5225 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5226 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5229 SSL_shutdown(clientssl);
5230 SSL_shutdown(serverssl);
5231 SSL_free(serverssl);
5232 SSL_free(clientssl);
5233 serverssl = clientssl = NULL;
5236 * Second resumption attempt
5237 * The party that picks one group changes it, which we effectuate by
5238 * changing 'idx' and updating what we expect.
5246 expectednid = ecdhe_kexch_groups[idx];
5248 expectednid = ffdhe_kexch_groups[idx];
5249 /* Verify that we are changing what we expect. */
5250 if (!TEST_int_ne(expectednid, kexch_alg))
5253 /* TLS 1.2 only supports named groups for ECDHE. */
5255 expectednid = kexch_alg;
5259 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5261 || !TEST_true(SSL_set_session(clientssl, origsess))
5262 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5266 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5267 || !TEST_true(SSL_session_reused(clientssl)))
5270 /* Check that we get what we expected */
5271 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5272 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5277 SSL_free(serverssl);
5278 SSL_free(clientssl);
5281 SSL_SESSION_free(origsess);
5284 # endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
5287 * Test TLSv1.3 Cipher Suite
5288 * Test 0 = Set TLS1.3 cipher on context
5289 * Test 1 = Set TLS1.3 cipher on SSL
5290 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
5291 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
5293 static int test_tls13_ciphersuite(int idx)
5295 SSL_CTX *sctx = NULL, *cctx = NULL;
5296 SSL *serverssl = NULL, *clientssl = NULL;
5297 static const struct {
5298 const char *ciphername;
5302 { TLS1_3_RFC_AES_128_GCM_SHA256, 1, 0 },
5303 { TLS1_3_RFC_AES_256_GCM_SHA384, 1, 0 },
5304 { TLS1_3_RFC_AES_128_CCM_SHA256, 1, 0 },
5305 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5306 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5307 { TLS1_3_RFC_AES_256_GCM_SHA384
5308 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5310 /* CCM8 ciphers are considered low security due to their short tag */
5311 { TLS1_3_RFC_AES_128_CCM_8_SHA256
5312 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1, 1 }
5314 const char *t13_cipher = NULL;
5315 const char *t12_cipher = NULL;
5316 const char *negotiated_scipher;
5317 const char *negotiated_ccipher;
5333 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5337 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5341 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
5342 # ifdef OPENSSL_NO_TLS1_2
5343 if (max_ver == TLS1_2_VERSION)
5346 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
5347 if (is_fips && !t13_ciphers[i].fipscapable)
5349 t13_cipher = t13_ciphers[i].ciphername;
5350 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5351 TLS_client_method(),
5352 TLS1_VERSION, max_ver,
5353 &sctx, &cctx, cert, privkey)))
5356 if (t13_ciphers[i].low_security) {
5357 SSL_CTX_set_security_level(sctx, 0);
5358 SSL_CTX_set_security_level(cctx, 0);
5362 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
5363 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
5365 if (t12_cipher != NULL) {
5366 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
5367 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
5373 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5374 &clientssl, NULL, NULL)))
5378 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5379 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5381 if (t12_cipher != NULL) {
5382 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5383 || !TEST_true(SSL_set_cipher_list(clientssl,
5389 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5393 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5395 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5397 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5401 * TEST_strn_eq is used below because t13_cipher can contain
5402 * multiple ciphersuites
5404 if (max_ver == TLS1_3_VERSION
5405 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5406 strlen(negotiated_scipher)))
5409 # ifndef OPENSSL_NO_TLS1_2
5410 /* Below validation is not done when t12_cipher is NULL */
5411 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5412 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5416 SSL_free(serverssl);
5418 SSL_free(clientssl);
5429 SSL_free(serverssl);
5430 SSL_free(clientssl);
5438 * Test 0 = Test new style callbacks
5439 * Test 1 = Test both new and old style callbacks
5440 * Test 2 = Test old style callbacks
5441 * Test 3 = Test old style callbacks with no certificate
5443 static int test_tls13_psk(int idx)
5445 SSL_CTX *sctx = NULL, *cctx = NULL;
5446 SSL *serverssl = NULL, *clientssl = NULL;
5447 const SSL_CIPHER *cipher = NULL;
5448 const unsigned char key[] = {
5449 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5450 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
5451 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5452 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
5456 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5457 TLS_client_method(), TLS1_VERSION, 0,
5458 &sctx, &cctx, idx == 3 ? NULL : cert,
5459 idx == 3 ? NULL : privkey)))
5464 * We use a ciphersuite with SHA256 to ease testing old style PSK
5465 * callbacks which will always default to SHA256. This should not be
5466 * necessary if we have no cert/priv key. In that case the server should
5467 * prefer SHA256 automatically.
5469 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5470 "TLS_AES_128_GCM_SHA256")))
5474 * As noted above the server should prefer SHA256 automatically. However
5475 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5476 * code works even if we are testing with only the FIPS provider loaded.
5478 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5479 "TLS_AES_256_GCM_SHA384:"
5480 "TLS_AES_128_GCM_SHA256")))
5485 * Test 0: New style callbacks only
5486 * Test 1: New and old style callbacks (only the new ones should be used)
5487 * Test 2: Old style callbacks only
5489 if (idx == 0 || idx == 1) {
5490 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5491 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5493 #ifndef OPENSSL_NO_PSK
5495 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5496 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5500 use_session_cb_cnt = 0;
5501 find_session_cb_cnt = 0;
5502 psk_client_cb_cnt = 0;
5503 psk_server_cb_cnt = 0;
5507 * Check we can create a connection if callback decides not to send a
5510 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5512 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5514 || !TEST_false(SSL_session_reused(clientssl))
5515 || !TEST_false(SSL_session_reused(serverssl)))
5518 if (idx == 0 || idx == 1) {
5519 if (!TEST_true(use_session_cb_cnt == 1)
5520 || !TEST_true(find_session_cb_cnt == 0)
5522 * If no old style callback then below should be 0
5525 || !TEST_true(psk_client_cb_cnt == idx)
5526 || !TEST_true(psk_server_cb_cnt == 0))
5529 if (!TEST_true(use_session_cb_cnt == 0)
5530 || !TEST_true(find_session_cb_cnt == 0)
5531 || !TEST_true(psk_client_cb_cnt == 1)
5532 || !TEST_true(psk_server_cb_cnt == 0))
5536 shutdown_ssl_connection(serverssl, clientssl);
5537 serverssl = clientssl = NULL;
5538 use_session_cb_cnt = psk_client_cb_cnt = 0;
5541 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5545 /* Create the PSK */
5546 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
5547 clientpsk = SSL_SESSION_new();
5548 if (!TEST_ptr(clientpsk)
5549 || !TEST_ptr(cipher)
5550 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5552 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5553 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5555 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
5557 serverpsk = clientpsk;
5559 /* Check we can create a connection and the PSK is used */
5560 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5561 || !TEST_true(SSL_session_reused(clientssl))
5562 || !TEST_true(SSL_session_reused(serverssl)))
5565 if (idx == 0 || idx == 1) {
5566 if (!TEST_true(use_session_cb_cnt == 1)
5567 || !TEST_true(find_session_cb_cnt == 1)
5568 || !TEST_true(psk_client_cb_cnt == 0)
5569 || !TEST_true(psk_server_cb_cnt == 0))
5572 if (!TEST_true(use_session_cb_cnt == 0)
5573 || !TEST_true(find_session_cb_cnt == 0)
5574 || !TEST_true(psk_client_cb_cnt == 1)
5575 || !TEST_true(psk_server_cb_cnt == 1))
5579 shutdown_ssl_connection(serverssl, clientssl);
5580 serverssl = clientssl = NULL;
5581 use_session_cb_cnt = find_session_cb_cnt = 0;
5582 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5584 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5589 #if defined(OPENSSL_NO_EC)
5590 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5593 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
5598 * Check we can create a connection, the PSK is used and the callbacks are
5601 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5602 || !TEST_true(SSL_session_reused(clientssl))
5603 || !TEST_true(SSL_session_reused(serverssl)))
5606 if (idx == 0 || idx == 1) {
5607 if (!TEST_true(use_session_cb_cnt == 2)
5608 || !TEST_true(find_session_cb_cnt == 2)
5609 || !TEST_true(psk_client_cb_cnt == 0)
5610 || !TEST_true(psk_server_cb_cnt == 0))
5613 if (!TEST_true(use_session_cb_cnt == 0)
5614 || !TEST_true(find_session_cb_cnt == 0)
5615 || !TEST_true(psk_client_cb_cnt == 2)
5616 || !TEST_true(psk_server_cb_cnt == 2))
5620 shutdown_ssl_connection(serverssl, clientssl);
5621 serverssl = clientssl = NULL;
5622 use_session_cb_cnt = find_session_cb_cnt = 0;
5623 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5627 * Check that if the server rejects the PSK we can still connect, but with
5630 srvid = "Dummy Identity";
5631 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5633 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5635 || !TEST_false(SSL_session_reused(clientssl))
5636 || !TEST_false(SSL_session_reused(serverssl)))
5639 if (idx == 0 || idx == 1) {
5640 if (!TEST_true(use_session_cb_cnt == 1)
5641 || !TEST_true(find_session_cb_cnt == 1)
5642 || !TEST_true(psk_client_cb_cnt == 0)
5644 * If no old style callback then below should be 0
5647 || !TEST_true(psk_server_cb_cnt == idx))
5650 if (!TEST_true(use_session_cb_cnt == 0)
5651 || !TEST_true(find_session_cb_cnt == 0)
5652 || !TEST_true(psk_client_cb_cnt == 1)
5653 || !TEST_true(psk_server_cb_cnt == 1))
5657 shutdown_ssl_connection(serverssl, clientssl);
5658 serverssl = clientssl = NULL;
5663 SSL_SESSION_free(clientpsk);
5664 SSL_SESSION_free(serverpsk);
5665 clientpsk = serverpsk = NULL;
5666 SSL_free(serverssl);
5667 SSL_free(clientssl);
5673 static unsigned char cookie_magic_value[] = "cookie magic";
5675 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5676 unsigned int *cookie_len)
5679 * Not suitable as a real cookie generation function but good enough for
5682 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5683 *cookie_len = sizeof(cookie_magic_value) - 1;
5688 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5689 unsigned int cookie_len)
5691 if (cookie_len == sizeof(cookie_magic_value) - 1
5692 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5698 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5702 int res = generate_cookie_callback(ssl, cookie, &temp);
5707 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5710 return verify_cookie_callback(ssl, cookie, cookie_len);
5713 static int test_stateless(void)
5715 SSL_CTX *sctx = NULL, *cctx = NULL;
5716 SSL *serverssl = NULL, *clientssl = NULL;
5719 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5720 TLS_client_method(), TLS1_VERSION, 0,
5721 &sctx, &cctx, cert, privkey)))
5724 /* The arrival of CCS messages can confuse the test */
5725 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5727 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5729 /* Send the first ClientHello */
5730 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5731 SSL_ERROR_WANT_READ))
5733 * This should fail with a -1 return because we have no callbacks
5736 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5739 /* Fatal error so abandon the connection from this client */
5740 SSL_free(clientssl);
5743 /* Set up the cookie generation and verification callbacks */
5744 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5745 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
5748 * Create a new connection from the client (we can reuse the server SSL
5751 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5753 /* Send the first ClientHello */
5754 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5755 SSL_ERROR_WANT_READ))
5756 /* This should fail because there is no cookie */
5757 || !TEST_int_eq(SSL_stateless(serverssl), 0))
5760 /* Abandon the connection from this client */
5761 SSL_free(clientssl);
5765 * Now create a connection from a new client but with the same server SSL
5768 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5770 /* Send the first ClientHello */
5771 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5772 SSL_ERROR_WANT_READ))
5773 /* This should fail because there is no cookie */
5774 || !TEST_int_eq(SSL_stateless(serverssl), 0)
5775 /* Send the second ClientHello */
5776 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5777 SSL_ERROR_WANT_READ))
5778 /* This should succeed because a cookie is now present */
5779 || !TEST_int_eq(SSL_stateless(serverssl), 1)
5780 /* Complete the connection */
5781 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5785 shutdown_ssl_connection(serverssl, clientssl);
5786 serverssl = clientssl = NULL;
5790 SSL_free(serverssl);
5791 SSL_free(clientssl);
5797 #endif /* OSSL_NO_USABLE_TLS1_3 */
5799 static int clntaddoldcb = 0;
5800 static int clntparseoldcb = 0;
5801 static int srvaddoldcb = 0;
5802 static int srvparseoldcb = 0;
5803 static int clntaddnewcb = 0;
5804 static int clntparsenewcb = 0;
5805 static int srvaddnewcb = 0;
5806 static int srvparsenewcb = 0;
5807 static int snicb = 0;
5809 #define TEST_EXT_TYPE1 0xff00
5811 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5812 size_t *outlen, int *al, void *add_arg)
5814 int *server = (int *)add_arg;
5815 unsigned char *data;
5817 if (SSL_is_server(s))
5822 if (*server != SSL_is_server(s)
5823 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5828 *outlen = sizeof(char);
5832 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5835 OPENSSL_free((unsigned char *)out);
5838 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5839 size_t inlen, int *al, void *parse_arg)
5841 int *server = (int *)parse_arg;
5843 if (SSL_is_server(s))
5848 if (*server != SSL_is_server(s)
5849 || inlen != sizeof(char)
5856 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5857 const unsigned char **out, size_t *outlen, X509 *x,
5858 size_t chainidx, int *al, void *add_arg)
5860 int *server = (int *)add_arg;
5861 unsigned char *data;
5863 if (SSL_is_server(s))
5868 if (*server != SSL_is_server(s)
5869 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5874 *outlen = sizeof(*data);
5878 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5879 const unsigned char *out, void *add_arg)
5881 OPENSSL_free((unsigned char *)out);
5884 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5885 const unsigned char *in, size_t inlen, X509 *x,
5886 size_t chainidx, int *al, void *parse_arg)
5888 int *server = (int *)parse_arg;
5890 if (SSL_is_server(s))
5895 if (*server != SSL_is_server(s)
5896 || inlen != sizeof(char) || *in != 1)
5902 static int sni_cb(SSL *s, int *al, void *arg)
5904 SSL_CTX *ctx = (SSL_CTX *)arg;
5906 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5907 *al = SSL_AD_INTERNAL_ERROR;
5908 return SSL_TLSEXT_ERR_ALERT_FATAL;
5911 return SSL_TLSEXT_ERR_OK;
5914 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
5920 * Custom call back tests.
5921 * Test 0: Old style callbacks in TLSv1.2
5922 * Test 1: New style callbacks in TLSv1.2
5923 * Test 2: New style callbacks in TLSv1.2 with SNI
5924 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5925 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
5926 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
5928 static int test_custom_exts(int tst)
5930 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5931 SSL *clientssl = NULL, *serverssl = NULL;
5933 static int server = 1;
5934 static int client = 0;
5935 SSL_SESSION *sess = NULL;
5936 unsigned int context;
5938 #if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
5939 /* Skip tests for TLSv1.2 and below in this case */
5944 /* Reset callback counters */
5945 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5946 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
5949 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5950 TLS_client_method(), TLS1_VERSION, 0,
5951 &sctx, &cctx, cert, privkey)))
5955 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5957 &sctx2, NULL, cert, privkey)))
5962 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5963 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
5965 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
5969 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
5970 | SSL_EXT_TLS1_3_CERTIFICATE;
5971 SSL_CTX_set_verify(sctx,
5972 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
5974 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
5975 SSL_FILETYPE_PEM), 1)
5976 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
5977 SSL_FILETYPE_PEM), 1)
5978 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
5980 } else if (tst == 4) {
5981 context = SSL_EXT_CLIENT_HELLO
5982 | SSL_EXT_TLS1_2_SERVER_HELLO
5983 | SSL_EXT_TLS1_3_SERVER_HELLO
5984 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5985 | SSL_EXT_TLS1_3_CERTIFICATE
5986 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5988 context = SSL_EXT_CLIENT_HELLO
5989 | SSL_EXT_TLS1_2_SERVER_HELLO
5990 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5993 /* Create a client side custom extension */
5995 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5996 old_add_cb, old_free_cb,
5997 &client, old_parse_cb,
6001 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
6002 new_add_cb, new_free_cb,
6003 &client, new_parse_cb, &client)))
6007 /* Should not be able to add duplicates */
6008 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
6009 old_add_cb, old_free_cb,
6010 &client, old_parse_cb,
6012 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
6013 context, new_add_cb,
6014 new_free_cb, &client,
6015 new_parse_cb, &client)))
6018 /* Create a server side custom extension */
6020 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
6021 old_add_cb, old_free_cb,
6022 &server, old_parse_cb,
6026 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
6027 new_add_cb, new_free_cb,
6028 &server, new_parse_cb, &server)))
6031 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
6032 context, new_add_cb,
6033 new_free_cb, &server,
6034 new_parse_cb, &server)))
6038 /* Should not be able to add duplicates */
6039 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
6040 old_add_cb, old_free_cb,
6041 &server, old_parse_cb,
6043 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
6044 context, new_add_cb,
6045 new_free_cb, &server,
6046 new_parse_cb, &server)))
6051 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
6052 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
6056 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6057 &clientssl, NULL, NULL))
6058 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6063 if (clntaddoldcb != 1
6064 || clntparseoldcb != 1
6066 || srvparseoldcb != 1)
6068 } else if (tst == 1 || tst == 2 || tst == 3) {
6069 if (clntaddnewcb != 1
6070 || clntparsenewcb != 1
6072 || srvparsenewcb != 1
6073 || (tst != 2 && snicb != 0)
6074 || (tst == 2 && snicb != 1))
6076 } else if (tst == 5) {
6077 if (clntaddnewcb != 1
6078 || clntparsenewcb != 1
6080 || srvparsenewcb != 1)
6083 /* In this case there 2 NewSessionTicket messages created */
6084 if (clntaddnewcb != 1
6085 || clntparsenewcb != 5
6087 || srvparsenewcb != 1)
6091 sess = SSL_get1_session(clientssl);
6092 SSL_shutdown(clientssl);
6093 SSL_shutdown(serverssl);
6094 SSL_free(serverssl);
6095 SSL_free(clientssl);
6096 serverssl = clientssl = NULL;
6098 if (tst == 3 || tst == 5) {
6099 /* We don't bother with the resumption aspects for these tests */
6104 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6106 || !TEST_true(SSL_set_session(clientssl, sess))
6107 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6112 * For a resumed session we expect to add the ClientHello extension. For the
6113 * old style callbacks we ignore it on the server side because they set
6114 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
6118 if (clntaddoldcb != 2
6119 || clntparseoldcb != 1
6121 || srvparseoldcb != 1)
6123 } else if (tst == 1 || tst == 2 || tst == 3) {
6124 if (clntaddnewcb != 2
6125 || clntparsenewcb != 2
6127 || srvparsenewcb != 2)
6131 * No Certificate message extensions in the resumption handshake,
6132 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
6134 if (clntaddnewcb != 2
6135 || clntparsenewcb != 8
6137 || srvparsenewcb != 2)
6144 SSL_SESSION_free(sess);
6145 SSL_free(serverssl);
6146 SSL_free(clientssl);
6147 SSL_CTX_free(sctx2);
6153 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
6155 #define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \
6156 | SSL_EXT_CLIENT_HELLO \
6157 | SSL_EXT_TLS1_2_SERVER_HELLO \
6158 | SSL_EXT_IGNORE_ON_RESUMPTION)
6160 #define TLS13CONTEXT (SSL_EXT_TLS1_3_CERTIFICATE \
6161 | SSL_EXT_TLS1_2_SERVER_HELLO \
6162 | SSL_EXT_CLIENT_HELLO)
6164 #define SERVERINFO_CUSTOM \
6165 0x00, (char)TLSEXT_TYPE_signed_certificate_timestamp, \
6169 static const unsigned char serverinfo_custom_tls13[] = {
6170 0x00, 0x00, (TLS13CONTEXT >> 8) & 0xff, TLS13CONTEXT & 0xff,
6173 static const unsigned char serverinfo_custom_v2[] = {
6174 0x00, 0x00, (SYNTHV1CONTEXT >> 8) & 0xff, SYNTHV1CONTEXT & 0xff,
6177 static const unsigned char serverinfo_custom_v1[] = {
6180 static const size_t serverinfo_custom_tls13_len = sizeof(serverinfo_custom_tls13);
6181 static const size_t serverinfo_custom_v2_len = sizeof(serverinfo_custom_v2);
6182 static const size_t serverinfo_custom_v1_len = sizeof(serverinfo_custom_v1);
6184 static int serverinfo_custom_parse_cb(SSL *s, unsigned int ext_type,
6185 unsigned int context,
6186 const unsigned char *in,
6187 size_t inlen, X509 *x,
6188 size_t chainidx, int *al,
6191 const size_t len = serverinfo_custom_v1_len;
6192 const unsigned char *si = &serverinfo_custom_v1[len - 3];
6193 int *p_cb_result = (int*)parse_arg;
6194 *p_cb_result = TEST_mem_eq(in, inlen, si, 3);
6198 static int test_serverinfo_custom(const int idx)
6200 SSL_CTX *sctx = NULL, *cctx = NULL;
6201 SSL *clientssl = NULL, *serverssl = NULL;
6206 * Following variables are set in the switch statement
6207 * according to the test iteration.
6208 * Default values do not make much sense: test would fail with them.
6210 int serverinfo_version = 0;
6211 int protocol_version = 0;
6212 unsigned int extension_context = 0;
6213 const unsigned char *si = NULL;
6216 const int call_use_serverinfo_ex = idx > 0;
6218 case 0: /* FALLTHROUGH */
6220 serverinfo_version = SSL_SERVERINFOV1;
6221 protocol_version = TLS1_2_VERSION;
6222 extension_context = SYNTHV1CONTEXT;
6223 si = serverinfo_custom_v1;
6224 si_len = serverinfo_custom_v1_len;
6227 serverinfo_version = SSL_SERVERINFOV2;
6228 protocol_version = TLS1_2_VERSION;
6229 extension_context = SYNTHV1CONTEXT;
6230 si = serverinfo_custom_v2;
6231 si_len = serverinfo_custom_v2_len;
6234 serverinfo_version = SSL_SERVERINFOV2;
6235 protocol_version = TLS1_3_VERSION;
6236 extension_context = TLS13CONTEXT;
6237 si = serverinfo_custom_tls13;
6238 si_len = serverinfo_custom_tls13_len;
6242 if (!TEST_true(create_ssl_ctx_pair(libctx,
6247 &sctx, &cctx, cert, privkey)))
6250 if (call_use_serverinfo_ex) {
6251 if (!TEST_true(SSL_CTX_use_serverinfo_ex(sctx, serverinfo_version,
6255 if (!TEST_true(SSL_CTX_use_serverinfo(sctx, si, si_len)))
6259 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TLSEXT_TYPE_signed_certificate_timestamp,
6262 serverinfo_custom_parse_cb,
6264 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6266 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6268 || !TEST_int_eq(SSL_do_handshake(clientssl), 1))
6271 if (!TEST_true(cb_result))
6277 SSL_free(serverssl);
6278 SSL_free(clientssl);
6287 * Test that SSL_export_keying_material() produces expected results. There are
6288 * no test vectors so all we do is test that both sides of the communication
6289 * produce the same results for different protocol versions.
6291 #define SMALL_LABEL_LEN 10
6292 #define LONG_LABEL_LEN 249
6293 static int test_export_key_mat(int tst)
6296 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
6297 SSL *clientssl = NULL, *serverssl = NULL;
6298 const char label[LONG_LABEL_LEN + 1] = "test label";
6299 const unsigned char context[] = "context";
6300 const unsigned char *emptycontext = NULL;
6301 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
6302 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
6304 const int protocols[] = {
6313 #ifdef OPENSSL_NO_TLS1
6317 #ifdef OPENSSL_NO_TLS1_1
6321 if (is_fips && (tst == 0 || tst == 1))
6323 #ifdef OPENSSL_NO_TLS1_2
6327 #ifdef OSSL_NO_USABLE_TLS1_3
6331 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6332 TLS_client_method(), TLS1_VERSION, 0,
6333 &sctx, &cctx, cert, privkey)))
6336 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
6337 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
6338 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
6339 if ((protocols[tst] < TLS1_2_VERSION) &&
6340 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
6341 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
6344 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6349 * Premature call of SSL_export_keying_material should just fail.
6351 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6352 sizeof(ckeymat1), label,
6353 SMALL_LABEL_LEN + 1, context,
6354 sizeof(context) - 1, 1), 0))
6357 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6363 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
6366 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6367 sizeof(ckeymat1), label,
6368 LONG_LABEL_LEN + 1, context,
6369 sizeof(context) - 1, 1), 0))
6374 } else if (tst == 4) {
6375 labellen = LONG_LABEL_LEN;
6377 labellen = SMALL_LABEL_LEN;
6380 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
6381 sizeof(ckeymat1), label,
6383 sizeof(context) - 1, 1), 1)
6384 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
6385 sizeof(ckeymat2), label,
6389 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
6390 sizeof(ckeymat3), label,
6393 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
6394 sizeof(skeymat1), label,
6397 sizeof(context) -1, 1),
6399 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
6400 sizeof(skeymat2), label,
6404 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
6405 sizeof(skeymat3), label,
6409 * Check that both sides created the same key material with the
6412 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6415 * Check that both sides created the same key material with an
6418 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6421 * Check that both sides created the same key material without a
6424 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
6426 /* Different contexts should produce different results */
6427 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6432 * Check that an empty context and no context produce different results in
6433 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6435 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
6437 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
6444 SSL_free(serverssl);
6445 SSL_free(clientssl);
6446 SSL_CTX_free(sctx2);
6453 #ifndef OSSL_NO_USABLE_TLS1_3
6455 * Test that SSL_export_keying_material_early() produces expected
6456 * results. There are no test vectors so all we do is test that both
6457 * sides of the communication produce the same results for different
6458 * protocol versions.
6460 static int test_export_key_mat_early(int idx)
6462 static const char label[] = "test label";
6463 static const unsigned char context[] = "context";
6465 SSL_CTX *cctx = NULL, *sctx = NULL;
6466 SSL *clientssl = NULL, *serverssl = NULL;
6467 SSL_SESSION *sess = NULL;
6468 const unsigned char *emptycontext = NULL;
6469 unsigned char ckeymat1[80], ckeymat2[80];
6470 unsigned char skeymat1[80], skeymat2[80];
6471 unsigned char buf[1];
6472 size_t readbytes, written;
6474 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
6475 &sess, idx, SHA384_DIGEST_LENGTH)))
6478 /* Here writing 0 length early data is enough. */
6479 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6480 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6482 SSL_READ_EARLY_DATA_ERROR)
6483 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6484 SSL_EARLY_DATA_ACCEPTED))
6487 if (!TEST_int_eq(SSL_export_keying_material_early(
6488 clientssl, ckeymat1, sizeof(ckeymat1), label,
6489 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6490 || !TEST_int_eq(SSL_export_keying_material_early(
6491 clientssl, ckeymat2, sizeof(ckeymat2), label,
6492 sizeof(label) - 1, emptycontext, 0), 1)
6493 || !TEST_int_eq(SSL_export_keying_material_early(
6494 serverssl, skeymat1, sizeof(skeymat1), label,
6495 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6496 || !TEST_int_eq(SSL_export_keying_material_early(
6497 serverssl, skeymat2, sizeof(skeymat2), label,
6498 sizeof(label) - 1, emptycontext, 0), 1)
6500 * Check that both sides created the same key material with the
6503 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6506 * Check that both sides created the same key material with an
6509 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6511 /* Different contexts should produce different results */
6512 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6519 SSL_SESSION_free(sess);
6520 SSL_SESSION_free(clientpsk);
6521 SSL_SESSION_free(serverpsk);
6522 clientpsk = serverpsk = NULL;
6523 SSL_free(serverssl);
6524 SSL_free(clientssl);
6531 #define NUM_KEY_UPDATE_MESSAGES 40
6535 static int test_key_update(void)
6537 SSL_CTX *cctx = NULL, *sctx = NULL;
6538 SSL *clientssl = NULL, *serverssl = NULL;
6539 int testresult = 0, i, j;
6541 static char *mess = "A test message";
6543 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6544 TLS_client_method(),
6547 &sctx, &cctx, cert, privkey))
6548 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6550 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6554 for (j = 0; j < 2; j++) {
6555 /* Send lots of KeyUpdate messages */
6556 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6557 if (!TEST_true(SSL_key_update(clientssl,
6559 ? SSL_KEY_UPDATE_NOT_REQUESTED
6560 : SSL_KEY_UPDATE_REQUESTED))
6561 || !TEST_true(SSL_do_handshake(clientssl)))
6565 /* Check that sending and receiving app data is ok */
6566 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6567 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6571 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6572 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6580 SSL_free(serverssl);
6581 SSL_free(clientssl);
6589 * Test we can handle a KeyUpdate (update requested) message while
6590 * write data is pending in peer.
6591 * Test 0: Client sends KeyUpdate while Server is writing
6592 * Test 1: Server sends KeyUpdate while Client is writing
6594 static int test_key_update_peer_in_write(int tst)
6596 SSL_CTX *cctx = NULL, *sctx = NULL;
6597 SSL *clientssl = NULL, *serverssl = NULL;
6600 static char *mess = "A test message";
6601 BIO *bretry = BIO_new(bio_s_always_retry());
6603 SSL *peerupdate = NULL, *peerwrite = NULL;
6605 if (!TEST_ptr(bretry)
6606 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6607 TLS_client_method(),
6610 &sctx, &cctx, cert, privkey))
6611 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6613 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6617 peerupdate = tst == 0 ? clientssl : serverssl;
6618 peerwrite = tst == 0 ? serverssl : clientssl;
6620 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
6621 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
6624 /* Swap the writing endpoint's write BIO to force a retry */
6625 tmp = SSL_get_wbio(peerwrite);
6626 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6630 SSL_set0_wbio(peerwrite, bretry);
6633 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6634 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6635 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
6638 /* Reinstate the original writing endpoint's write BIO */
6639 SSL_set0_wbio(peerwrite, tmp);
6642 /* Now read some data - we will read the key update */
6643 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6644 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
6648 * Complete the write we started previously and read it from the other
6651 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6652 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6655 /* Write more data to ensure we send the KeyUpdate message back */
6656 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6657 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6663 SSL_free(serverssl);
6664 SSL_free(clientssl);
6674 * Test we can handle a KeyUpdate (update requested) message while
6675 * peer read data is pending after peer accepted keyupdate(the msg header
6676 * had been read 5 bytes).
6677 * Test 0: Client sends KeyUpdate while Server is reading
6678 * Test 1: Server sends KeyUpdate while Client is reading
6680 static int test_key_update_peer_in_read(int tst)
6682 SSL_CTX *cctx = NULL, *sctx = NULL;
6683 SSL *clientssl = NULL, *serverssl = NULL;
6685 char prbuf[515], lwbuf[515] = {0};
6686 static char *mess = "A test message";
6687 BIO *lbio = NULL, *pbio = NULL;
6688 SSL *local = NULL, *peer = NULL;
6690 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6691 TLS_client_method(),
6694 &sctx, &cctx, cert, privkey))
6695 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6697 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6701 local = tst == 0 ? clientssl : serverssl;
6702 peer = tst == 0 ? serverssl : clientssl;
6704 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6707 SSL_set_bio(local, lbio, lbio);
6708 SSL_set_bio(peer, pbio, pbio);
6711 * we first write keyupdate msg then appdata in local
6712 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6713 * lwbuf app data msg size + key updata msg size > 512(the size of
6714 * the bio pair buffer)
6716 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6717 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
6718 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6722 * first read keyupdate msg in peer in peer
6723 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6725 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
6726 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
6729 /* Now write some data in peer - we will write the key update */
6730 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
6734 * write data in local previously that we will complete
6735 * read data in peer previously that we will complete
6737 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
6738 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
6741 /* check that sending and receiving appdata ok */
6742 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6743 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6749 SSL_free(serverssl);
6750 SSL_free(clientssl);
6758 * Test we can't send a KeyUpdate (update requested) message while
6759 * local write data is pending.
6760 * Test 0: Client sends KeyUpdate while Client is writing
6761 * Test 1: Server sends KeyUpdate while Server is writing
6763 static int test_key_update_local_in_write(int tst)
6765 SSL_CTX *cctx = NULL, *sctx = NULL;
6766 SSL *clientssl = NULL, *serverssl = NULL;
6769 static char *mess = "A test message";
6770 BIO *bretry = BIO_new(bio_s_always_retry());
6772 SSL *local = NULL, *peer = NULL;
6774 if (!TEST_ptr(bretry)
6775 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6776 TLS_client_method(),
6779 &sctx, &cctx, cert, privkey))
6780 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6782 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6786 local = tst == 0 ? clientssl : serverssl;
6787 peer = tst == 0 ? serverssl : clientssl;
6789 /* Swap the writing endpoint's write BIO to force a retry */
6790 tmp = SSL_get_wbio(local);
6791 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6795 SSL_set0_wbio(local, bretry);
6798 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
6799 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
6800 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6803 /* Reinstate the original writing endpoint's write BIO */
6804 SSL_set0_wbio(local, tmp);
6807 /* SSL_key_update will fail, because writing in local*/
6808 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6809 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
6813 /* write data in local previously that we will complete */
6814 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
6817 /* SSL_key_update will succeed because there is no pending write data */
6818 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6819 || !TEST_int_eq(SSL_do_handshake(local), 1))
6823 * we write some appdata in local
6824 * read data in peer - we will read the keyupdate msg
6826 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6827 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
6830 /* Write more peer more data to ensure we send the keyupdate message back */
6831 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6832 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
6838 SSL_free(serverssl);
6839 SSL_free(clientssl);
6849 * Test we can handle a KeyUpdate (update requested) message while
6850 * local read data is pending(the msg header had been read 5 bytes).
6851 * Test 0: Client sends KeyUpdate while Client is reading
6852 * Test 1: Server sends KeyUpdate while Server is reading
6854 static int test_key_update_local_in_read(int tst)
6856 SSL_CTX *cctx = NULL, *sctx = NULL;
6857 SSL *clientssl = NULL, *serverssl = NULL;
6859 char lrbuf[515], pwbuf[515] = {0}, prbuf[20];
6860 static char *mess = "A test message";
6861 BIO *lbio = NULL, *pbio = NULL;
6862 SSL *local = NULL, *peer = NULL;
6864 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6865 TLS_client_method(),
6868 &sctx, &cctx, cert, privkey))
6869 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6871 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6875 local = tst == 0 ? clientssl : serverssl;
6876 peer = tst == 0 ? serverssl : clientssl;
6878 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6881 SSL_set_bio(local, lbio, lbio);
6882 SSL_set_bio(peer, pbio, pbio);
6884 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
6885 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
6886 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
6889 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
6890 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
6891 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
6894 /* SSL_do_handshake will send keyupdate msg */
6895 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6896 || !TEST_int_eq(SSL_do_handshake(local), 1))
6900 * write data in peer previously that we will complete
6901 * read data in local previously that we will complete
6903 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
6904 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
6908 * write data in local
6909 * read data in peer - we will read the key update
6911 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6912 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6915 /* Write more peer data to ensure we send the keyupdate message back */
6916 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6917 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
6923 SSL_free(serverssl);
6924 SSL_free(clientssl);
6930 #endif /* OSSL_NO_USABLE_TLS1_3 */
6932 static int test_ssl_clear(int idx)
6934 SSL_CTX *cctx = NULL, *sctx = NULL;
6935 SSL *clientssl = NULL, *serverssl = NULL;
6938 #ifdef OPENSSL_NO_TLS1_2
6943 /* Create an initial connection */
6944 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6945 TLS_client_method(), TLS1_VERSION, 0,
6946 &sctx, &cctx, cert, privkey))
6948 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
6950 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6951 &clientssl, NULL, NULL))
6952 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6956 SSL_shutdown(clientssl);
6957 SSL_shutdown(serverssl);
6958 SSL_free(serverssl);
6961 /* Clear clientssl - we're going to reuse the object */
6962 if (!TEST_true(SSL_clear(clientssl)))
6965 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6967 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6969 || !TEST_true(SSL_session_reused(clientssl)))
6972 SSL_shutdown(clientssl);
6973 SSL_shutdown(serverssl);
6978 SSL_free(serverssl);
6979 SSL_free(clientssl);
6986 /* Parse CH and retrieve any MFL extension value if present */
6987 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
6990 unsigned char *data;
6991 PACKET pkt, pkt2, pkt3;
6992 unsigned int MFL_code = 0, type = 0;
6994 if (!TEST_uint_gt(len = BIO_get_mem_data(bio, (char **) &data), 0))
6997 memset(&pkt, 0, sizeof(pkt));
6998 memset(&pkt2, 0, sizeof(pkt2));
6999 memset(&pkt3, 0, sizeof(pkt3));
7001 if (!TEST_long_gt(len, 0)
7002 || !TEST_true(PACKET_buf_init(&pkt, data, len))
7003 /* Skip the record header */
7004 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
7005 /* Skip the handshake message header */
7006 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
7007 /* Skip client version and random */
7008 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
7009 + SSL3_RANDOM_SIZE))
7010 /* Skip session id */
7011 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
7013 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
7014 /* Skip compression */
7015 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
7016 /* Extensions len */
7017 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
7020 /* Loop through all extensions */
7021 while (PACKET_remaining(&pkt2)) {
7022 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
7023 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
7026 if (type == TLSEXT_TYPE_max_fragment_length) {
7027 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
7028 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
7031 *mfl_codemfl_code = MFL_code;
7040 /* Maximum-Fragment-Length TLS extension mode to test */
7041 static const unsigned char max_fragment_len_test[] = {
7042 TLSEXT_max_fragment_length_512,
7043 TLSEXT_max_fragment_length_1024,
7044 TLSEXT_max_fragment_length_2048,
7045 TLSEXT_max_fragment_length_4096
7048 static int test_max_fragment_len_ext(int idx_tst)
7050 SSL_CTX *ctx = NULL;
7052 int testresult = 0, MFL_mode = 0;
7055 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
7056 TLS1_VERSION, 0, NULL, &ctx, NULL,
7060 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
7061 ctx, max_fragment_len_test[idx_tst])))
7068 rbio = BIO_new(BIO_s_mem());
7069 wbio = BIO_new(BIO_s_mem());
7070 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
7076 SSL_set_bio(con, rbio, wbio);
7078 if (!TEST_int_le(SSL_connect(con), 0)) {
7079 /* This shouldn't succeed because we don't have a server! */
7083 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
7084 /* no MFL in client hello */
7086 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
7098 #ifndef OSSL_NO_USABLE_TLS1_3
7099 static int test_pha_key_update(void)
7101 SSL_CTX *cctx = NULL, *sctx = NULL;
7102 SSL *clientssl = NULL, *serverssl = NULL;
7105 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7106 TLS_client_method(), TLS1_VERSION, 0,
7107 &sctx, &cctx, cert, privkey)))
7110 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
7111 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
7112 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
7113 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
7116 SSL_CTX_set_post_handshake_auth(cctx, 1);
7118 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7122 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7126 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7127 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7130 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
7133 /* Start handshake on the server */
7134 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
7137 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
7138 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7142 SSL_shutdown(clientssl);
7143 SSL_shutdown(serverssl);
7148 SSL_free(serverssl);
7149 SSL_free(clientssl);
7156 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7158 static SRP_VBASE *vbase = NULL;
7160 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
7162 int ret = SSL3_AL_FATAL;
7164 SRP_user_pwd *user = NULL;
7166 username = SSL_get_srp_username(s);
7167 if (username == NULL) {
7168 *ad = SSL_AD_INTERNAL_ERROR;
7172 user = SRP_VBASE_get1_by_user(vbase, username);
7174 *ad = SSL_AD_INTERNAL_ERROR;
7178 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
7180 *ad = SSL_AD_INTERNAL_ERROR;
7187 SRP_user_pwd_free(user);
7191 static int create_new_vfile(char *userid, char *password, const char *filename)
7194 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
7197 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
7200 if (!TEST_ptr(dummy) || !TEST_ptr(row))
7203 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
7204 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
7205 if (!TEST_ptr(gNid))
7209 * The only way to create an empty TXT_DB is to provide a BIO with no data
7212 db = TXT_DB_read(dummy, DB_NUMBER);
7216 out = BIO_new_file(filename, "w");
7220 row[DB_srpid] = OPENSSL_strdup(userid);
7221 row[DB_srptype] = OPENSSL_strdup("V");
7222 row[DB_srpgN] = OPENSSL_strdup(gNid);
7224 if (!TEST_ptr(row[DB_srpid])
7225 || !TEST_ptr(row[DB_srptype])
7226 || !TEST_ptr(row[DB_srpgN])
7227 || !TEST_true(TXT_DB_insert(db, row)))
7232 if (TXT_DB_write(out, db) <= 0)
7238 for (i = 0; i < DB_NUMBER; i++)
7239 OPENSSL_free(row[i]);
7249 static int create_new_vbase(char *userid, char *password)
7251 BIGNUM *verifier = NULL, *salt = NULL;
7252 const SRP_gN *lgN = NULL;
7253 SRP_user_pwd *user_pwd = NULL;
7256 lgN = SRP_get_default_gN(NULL);
7260 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
7261 lgN->N, lgN->g, libctx, NULL)))
7264 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
7265 if (!TEST_ptr(user_pwd))
7268 user_pwd->N = lgN->N;
7269 user_pwd->g = lgN->g;
7270 user_pwd->id = OPENSSL_strdup(userid);
7271 if (!TEST_ptr(user_pwd->id))
7274 user_pwd->v = verifier;
7276 verifier = salt = NULL;
7278 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
7284 SRP_user_pwd_free(user_pwd);
7294 * Test 0: Simple successful SRP connection, new vbase
7295 * Test 1: Connection failure due to bad password, new vbase
7296 * Test 2: Simple successful SRP connection, vbase loaded from existing file
7297 * Test 3: Connection failure due to bad password, vbase loaded from existing
7299 * Test 4: Simple successful SRP connection, vbase loaded from new file
7300 * Test 5: Connection failure due to bad password, vbase loaded from new file
7302 static int test_srp(int tst)
7304 char *userid = "test", *password = "password", *tstsrpfile;
7305 SSL_CTX *cctx = NULL, *sctx = NULL;
7306 SSL *clientssl = NULL, *serverssl = NULL;
7307 int ret, testresult = 0;
7309 vbase = SRP_VBASE_new(NULL);
7310 if (!TEST_ptr(vbase))
7313 if (tst == 0 || tst == 1) {
7314 if (!TEST_true(create_new_vbase(userid, password)))
7317 if (tst == 4 || tst == 5) {
7318 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
7320 tstsrpfile = tmpfilename;
7322 tstsrpfile = srpvfile;
7324 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
7328 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7329 TLS_client_method(), TLS1_VERSION, 0,
7330 &sctx, &cctx, cert, privkey)))
7333 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
7334 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
7335 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
7336 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
7337 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
7341 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
7344 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
7348 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7352 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7354 if (!TEST_true(tst % 2 == 0))
7357 if (!TEST_true(tst % 2 == 1))
7364 SRP_VBASE_free(vbase);
7366 SSL_free(serverssl);
7367 SSL_free(clientssl);
7375 static int info_cb_failed = 0;
7376 static int info_cb_offset = 0;
7377 static int info_cb_this_state = -1;
7379 static struct info_cb_states_st {
7381 const char *statestr;
7382 } info_cb_states[][60] = {
7384 /* TLSv1.2 server followed by resumption */
7385 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7386 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7387 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
7388 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
7389 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
7390 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7391 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7392 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7393 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"},
7394 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7395 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
7396 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7397 {SSL_CB_EXIT, NULL}, {0, NULL},
7399 /* TLSv1.2 client followed by resumption */
7400 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7401 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7402 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
7403 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
7404 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
7405 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7406 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7407 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7408 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7409 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7410 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7411 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
7413 /* TLSv1.3 server followed by resumption */
7414 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7415 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7416 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
7417 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7418 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7419 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7420 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7421 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7422 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7423 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7424 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7425 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7426 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7428 /* TLSv1.3 client followed by resumption */
7429 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7430 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7431 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
7432 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7433 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7434 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7435 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7436 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7437 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7438 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7439 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7440 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7441 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7442 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7443 {SSL_CB_EXIT, NULL}, {0, NULL},
7445 /* TLSv1.3 server, early_data */
7446 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7447 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7448 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7449 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7450 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7451 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
7452 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7453 {SSL_CB_EXIT, NULL}, {0, NULL},
7455 /* TLSv1.3 client, early_data */
7456 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7457 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
7458 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7459 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7460 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7461 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
7462 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7463 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7464 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7466 /* TLSv1.3 server, certificate compression, followed by resumption */
7467 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7468 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7469 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSCC"},
7470 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7471 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7472 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7473 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7474 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7475 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7476 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7477 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7478 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7479 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7481 /* TLSv1.3 client, certificate compression, followed by resumption */
7482 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7483 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7484 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSCC"},
7485 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7486 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7487 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7488 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7489 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7490 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7491 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7492 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7493 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7494 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7495 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7496 {SSL_CB_EXIT, NULL}, {0, NULL},
7502 static void sslapi_info_callback(const SSL *s, int where, int ret)
7504 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
7506 /* We do not ever expect a connection to fail in this test */
7507 if (!TEST_false(ret == 0)) {
7513 * Do some sanity checks. We never expect these things to happen in this
7516 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
7517 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
7518 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
7523 /* Now check we're in the right state */
7524 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
7528 if ((where & SSL_CB_LOOP) != 0
7529 && !TEST_int_eq(strcmp(SSL_state_string(s),
7530 state[info_cb_this_state].statestr), 0)) {
7536 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7538 if ((where & SSL_CB_HANDSHAKE_DONE)
7539 && SSL_in_init((SSL *)s) != 0) {
7546 * Test the info callback gets called when we expect it to.
7548 * Test 0: TLSv1.2, server
7549 * Test 1: TLSv1.2, client
7550 * Test 2: TLSv1.3, server
7551 * Test 3: TLSv1.3, client
7552 * Test 4: TLSv1.3, server, early_data
7553 * Test 5: TLSv1.3, client, early_data
7554 * Test 6: TLSv1.3, server, compressed certificate
7555 * Test 7: TLSv1.3, client, compressed certificate
7557 static int test_info_callback(int tst)
7559 SSL_CTX *cctx = NULL, *sctx = NULL;
7560 SSL *clientssl = NULL, *serverssl = NULL;
7561 SSL_SESSION *clntsess = NULL;
7566 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
7567 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7568 || !defined(OPENSSL_NO_DH))
7569 tlsvers = TLS1_2_VERSION;
7574 #ifndef OSSL_NO_USABLE_TLS1_3
7575 tlsvers = TLS1_3_VERSION;
7583 info_cb_this_state = -1;
7584 info_cb_offset = tst;
7586 #ifndef OSSL_NO_USABLE_TLS1_3
7587 if (tst >= 4 && tst < 6) {
7588 SSL_SESSION *sess = NULL;
7589 size_t written, readbytes;
7590 unsigned char buf[80];
7592 /* early_data tests */
7593 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
7594 &serverssl, &sess, 0,
7595 SHA384_DIGEST_LENGTH)))
7598 /* We don't actually need this reference */
7599 SSL_SESSION_free(sess);
7601 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
7602 sslapi_info_callback);
7604 /* Write and read some early data and then complete the connection */
7605 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
7607 || !TEST_size_t_eq(written, strlen(MSG1))
7608 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
7609 sizeof(buf), &readbytes),
7610 SSL_READ_EARLY_DATA_SUCCESS)
7611 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
7612 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
7613 SSL_EARLY_DATA_ACCEPTED)
7614 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7616 || !TEST_false(info_cb_failed))
7624 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7625 TLS_client_method(),
7626 tlsvers, tlsvers, &sctx, &cctx, cert,
7630 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
7634 * For even numbered tests we check the server callbacks. For odd numbers we
7637 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
7638 sslapi_info_callback);
7640 if (!SSL_CTX_compress_certs(sctx, 0))
7644 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7645 &clientssl, NULL, NULL))
7646 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7648 || !TEST_false(info_cb_failed))
7653 clntsess = SSL_get1_session(clientssl);
7654 SSL_shutdown(clientssl);
7655 SSL_shutdown(serverssl);
7656 SSL_free(serverssl);
7657 SSL_free(clientssl);
7658 serverssl = clientssl = NULL;
7660 /* Now do a resumption */
7661 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7663 || !TEST_true(SSL_set_session(clientssl, clntsess))
7664 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7666 || !TEST_true(SSL_session_reused(clientssl))
7667 || !TEST_false(info_cb_failed))
7673 SSL_free(serverssl);
7674 SSL_free(clientssl);
7675 SSL_SESSION_free(clntsess);
7681 static int test_ssl_pending(int tst)
7683 SSL_CTX *cctx = NULL, *sctx = NULL;
7684 SSL *clientssl = NULL, *serverssl = NULL;
7686 char msg[] = "A test message";
7688 size_t written, readbytes;
7691 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7692 TLS_client_method(),
7694 &sctx, &cctx, cert, privkey)))
7697 #ifndef OPENSSL_NO_DTLS
7698 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
7699 DTLS_client_method(),
7701 &sctx, &cctx, cert, privkey)))
7704 # ifdef OPENSSL_NO_DTLS1_2
7705 /* Not supported in the FIPS provider */
7711 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7714 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
7715 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
7716 "DEFAULT:@SECLEVEL=0")))
7724 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7726 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7730 if (!TEST_int_eq(SSL_pending(clientssl), 0)
7731 || !TEST_false(SSL_has_pending(clientssl))
7732 || !TEST_int_eq(SSL_pending(serverssl), 0)
7733 || !TEST_false(SSL_has_pending(serverssl))
7734 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7735 || !TEST_size_t_eq(written, sizeof(msg))
7736 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
7737 || !TEST_size_t_eq(readbytes, sizeof(buf))
7738 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
7739 || !TEST_true(SSL_has_pending(clientssl)))
7745 SSL_free(serverssl);
7746 SSL_free(clientssl);
7754 unsigned int maxprot;
7755 const char *clntciphers;
7756 const char *clnttls13ciphers;
7757 const char *srvrciphers;
7758 const char *srvrtls13ciphers;
7760 const char *fipsshared;
7761 } shared_ciphers_data[] = {
7763 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
7764 * TLSv1.3 is enabled but TLSv1.2 is disabled.
7766 #if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
7769 "AES128-SHA:AES256-SHA",
7771 "AES256-SHA:DHE-RSA-AES128-SHA",
7776 # if !defined(OPENSSL_NO_CHACHA) \
7777 && !defined(OPENSSL_NO_POLY1305) \
7778 && !defined(OPENSSL_NO_EC)
7781 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7783 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7785 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7791 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
7793 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
7795 "AES128-SHA:AES256-SHA",
7796 "AES128-SHA:AES256-SHA"
7800 "AES128-SHA:AES256-SHA",
7802 "AES128-SHA:DHE-RSA-AES128-SHA",
7809 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7812 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
7813 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
7816 "AES128-SHA:AES256-SHA",
7818 "AES256-SHA:AES128-SHA256",
7820 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
7821 "TLS_AES_128_GCM_SHA256:AES256-SHA",
7822 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
7825 #ifndef OSSL_NO_USABLE_TLS1_3
7829 "TLS_AES_256_GCM_SHA384",
7831 "TLS_AES_256_GCM_SHA384",
7832 "TLS_AES_256_GCM_SHA384",
7833 "TLS_AES_256_GCM_SHA384"
7838 static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
7840 SSL_CTX *cctx = NULL, *sctx = NULL;
7841 SSL *clientssl = NULL, *serverssl = NULL;
7844 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
7846 if (!TEST_ptr(tmplibctx))
7850 * Regardless of whether we're testing with the FIPS provider loaded into
7851 * libctx, we want one peer to always use the full set of ciphersuites
7852 * available. Therefore we use a separate libctx with the default provider
7853 * loaded into it. We run the same tests twice - once with the client side
7854 * having the full set of ciphersuites and once with the server side.
7857 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
7858 if (!TEST_ptr(cctx))
7861 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
7862 if (!TEST_ptr(sctx))
7866 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7867 TLS_client_method(),
7869 shared_ciphers_data[tst].maxprot,
7870 &sctx, &cctx, cert, privkey)))
7873 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
7874 shared_ciphers_data[tst].clntciphers))
7875 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
7876 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
7877 shared_ciphers_data[tst].clnttls13ciphers)))
7878 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
7879 shared_ciphers_data[tst].srvrciphers))
7880 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
7881 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
7882 shared_ciphers_data[tst].srvrtls13ciphers))))
7886 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7888 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7892 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
7893 || !TEST_int_eq(strcmp(buf,
7895 ? shared_ciphers_data[tst].fipsshared
7896 : shared_ciphers_data[tst].shared),
7898 TEST_info("Shared ciphers are: %s\n", buf);
7905 SSL_free(serverssl);
7906 SSL_free(clientssl);
7909 OSSL_LIB_CTX_free(tmplibctx);
7914 static int test_ssl_get_shared_ciphers(int tst)
7916 return int_test_ssl_get_shared_ciphers(tst, 0)
7917 && int_test_ssl_get_shared_ciphers(tst, 1);
7921 static const char *appdata = "Hello World";
7922 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
7923 static int tick_key_renew = 0;
7924 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7926 static int gen_tick_cb(SSL *s, void *arg)
7928 gen_tick_called = 1;
7930 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
7934 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
7935 const unsigned char *keyname,
7936 size_t keyname_length,
7937 SSL_TICKET_STATUS status,
7943 dec_tick_called = 1;
7945 if (status == SSL_TICKET_EMPTY)
7946 return SSL_TICKET_RETURN_IGNORE_RENEW;
7948 if (!TEST_true(status == SSL_TICKET_SUCCESS
7949 || status == SSL_TICKET_SUCCESS_RENEW))
7950 return SSL_TICKET_RETURN_ABORT;
7952 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
7954 || !TEST_size_t_eq(tickdlen, strlen(appdata))
7955 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
7956 return SSL_TICKET_RETURN_ABORT;
7958 if (tick_key_cb_called) {
7959 /* Don't change what the ticket key callback wanted to do */
7961 case SSL_TICKET_NO_DECRYPT:
7962 return SSL_TICKET_RETURN_IGNORE_RENEW;
7964 case SSL_TICKET_SUCCESS:
7965 return SSL_TICKET_RETURN_USE;
7967 case SSL_TICKET_SUCCESS_RENEW:
7968 return SSL_TICKET_RETURN_USE_RENEW;
7971 return SSL_TICKET_RETURN_ABORT;
7974 return tick_dec_ret;
7978 #ifndef OPENSSL_NO_DEPRECATED_3_0
7979 static int tick_key_cb(SSL *s, unsigned char key_name[16],
7980 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
7981 HMAC_CTX *hctx, int enc)
7983 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7984 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
7985 EVP_CIPHER *aes128cbc;
7989 tick_key_cb_called = 1;
7991 if (tick_key_renew == -1)
7994 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7995 if (!TEST_ptr(aes128cbc))
7997 sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
7998 if (!TEST_ptr(sha256)) {
7999 EVP_CIPHER_free(aes128cbc);
8003 memset(iv, 0, AES_BLOCK_SIZE);
8004 memset(key_name, 0, 16);
8005 if (aes128cbc == NULL
8007 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
8008 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
8012 ret = tick_key_renew ? 2 : 1;
8014 EVP_CIPHER_free(aes128cbc);
8015 EVP_MD_free(sha256);
8021 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
8022 unsigned char iv[EVP_MAX_IV_LENGTH],
8023 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
8025 const unsigned char tick_aes_key[16] = "0123456789abcdef";
8026 unsigned char tick_hmac_key[16] = "0123456789abcdef";
8027 OSSL_PARAM params[2];
8028 EVP_CIPHER *aes128cbc;
8031 tick_key_cb_called = 1;
8033 if (tick_key_renew == -1)
8036 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
8037 if (!TEST_ptr(aes128cbc))
8040 memset(iv, 0, AES_BLOCK_SIZE);
8041 memset(key_name, 0, 16);
8042 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
8044 params[1] = OSSL_PARAM_construct_end();
8045 if (aes128cbc == NULL
8046 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
8047 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
8051 ret = tick_key_renew ? 2 : 1;
8053 EVP_CIPHER_free(aes128cbc);
8059 * Test the various ticket callbacks
8060 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
8061 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
8062 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
8063 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
8064 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
8065 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
8066 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
8067 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
8068 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
8069 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
8070 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
8071 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
8072 * Test 12: TLSv1.2, old ticket key callback, no ticket
8073 * Test 13: TLSv1.3, old ticket key callback, no ticket
8074 * Test 14: TLSv1.2, ticket key callback, ticket, no renewal
8075 * Test 15: TLSv1.3, ticket key callback, ticket, no renewal
8076 * Test 16: TLSv1.2, ticket key callback, ticket, renewal
8077 * Test 17: TLSv1.3, ticket key callback, ticket, renewal
8078 * Test 18: TLSv1.2, ticket key callback, no ticket
8079 * Test 19: TLSv1.3, ticket key callback, no ticket
8081 static int test_ticket_callbacks(int tst)
8083 SSL_CTX *cctx = NULL, *sctx = NULL;
8084 SSL *clientssl = NULL, *serverssl = NULL;
8085 SSL_SESSION *clntsess = NULL;
8088 #ifdef OPENSSL_NO_TLS1_2
8092 #ifdef OSSL_NO_USABLE_TLS1_3
8096 #ifdef OPENSSL_NO_DEPRECATED_3_0
8097 if (tst >= 8 && tst <= 13)
8101 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
8103 /* Which tests the ticket key callback should request renewal for */
8105 if (tst == 10 || tst == 11 || tst == 16 || tst == 17)
8107 else if (tst == 12 || tst == 13 || tst == 18 || tst == 19)
8108 tick_key_renew = -1; /* abort sending the ticket/0-length ticket */
8112 /* Which tests the decrypt ticket callback should request renewal for */
8116 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
8121 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
8126 tick_dec_ret = SSL_TICKET_RETURN_USE;
8131 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
8135 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
8138 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8139 TLS_client_method(),
8141 ((tst % 2) == 0) ? TLS1_2_VERSION
8143 &sctx, &cctx, cert, privkey)))
8147 * We only want sessions to resume from tickets - not the session cache. So
8148 * switch the cache off.
8150 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
8153 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
8158 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
8160 #ifndef OPENSSL_NO_DEPRECATED_3_0
8161 } else if (tst >= 8) {
8162 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
8167 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8169 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8174 * The decrypt ticket key callback in TLSv1.2 should be called even though
8175 * we have no ticket yet, because it gets called with a status of
8176 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
8177 * actually send any ticket data). This does not happen in TLSv1.3 because
8178 * it is not valid to send empty ticket data in TLSv1.3.
8180 if (!TEST_int_eq(gen_tick_called, 1)
8181 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
8184 gen_tick_called = dec_tick_called = 0;
8186 clntsess = SSL_get1_session(clientssl);
8187 SSL_shutdown(clientssl);
8188 SSL_shutdown(serverssl);
8189 SSL_free(serverssl);
8190 SSL_free(clientssl);
8191 serverssl = clientssl = NULL;
8193 /* Now do a resumption */
8194 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8196 || !TEST_true(SSL_set_session(clientssl, clntsess))
8197 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8201 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
8202 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8203 || tick_key_renew == -1) {
8204 if (!TEST_false(SSL_session_reused(clientssl)))
8207 if (!TEST_true(SSL_session_reused(clientssl)))
8211 if (!TEST_int_eq(gen_tick_called,
8213 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8214 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
8216 /* There is no ticket to decrypt in tests 13 and 19 */
8217 || !TEST_int_eq(dec_tick_called, (tst == 13 || tst == 19) ? 0 : 1))
8223 SSL_SESSION_free(clntsess);
8224 SSL_free(serverssl);
8225 SSL_free(clientssl);
8233 * Test incorrect shutdown.
8234 * Test 0: client does not shutdown properly,
8235 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
8236 * server should get SSL_ERROR_SSL
8237 * Test 1: client does not shutdown properly,
8238 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
8239 * server should get SSL_ERROR_ZERO_RETURN
8241 static int test_incorrect_shutdown(int tst)
8243 SSL_CTX *cctx = NULL, *sctx = NULL;
8244 SSL *clientssl = NULL, *serverssl = NULL;
8249 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8250 TLS_client_method(), 0, 0,
8251 &sctx, &cctx, cert, privkey)))
8255 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
8257 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8261 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8265 c2s = SSL_get_rbio(serverssl);
8266 BIO_set_mem_eof_return(c2s, 0);
8268 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
8271 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
8273 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
8279 SSL_free(serverssl);
8280 SSL_free(clientssl);
8288 * Test bi-directional shutdown.
8290 * Test 1: TLSv1.2, server continues to read/write after client shutdown
8291 * Test 2: TLSv1.3, no pending NewSessionTicket messages
8292 * Test 3: TLSv1.3, pending NewSessionTicket messages
8293 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
8294 * sends key update, client reads it
8295 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
8296 * sends CertificateRequest, client reads and ignores it
8297 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
8300 static int test_shutdown(int tst)
8302 SSL_CTX *cctx = NULL, *sctx = NULL;
8303 SSL *clientssl = NULL, *serverssl = NULL;
8305 char msg[] = "A test message";
8307 size_t written, readbytes;
8310 #ifdef OPENSSL_NO_TLS1_2
8314 #ifdef OSSL_NO_USABLE_TLS1_3
8319 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8320 TLS_client_method(),
8322 (tst <= 1) ? TLS1_2_VERSION
8324 &sctx, &cctx, cert, privkey)))
8328 SSL_CTX_set_post_handshake_auth(cctx, 1);
8330 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8335 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
8336 SSL_ERROR_NONE, 1, 0))
8337 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8338 || !TEST_false(SSL_SESSION_is_resumable(sess)))
8340 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8342 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8343 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
8347 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8352 * Reading on the server after the client has sent close_notify should
8353 * fail and provide SSL_ERROR_ZERO_RETURN
8355 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
8356 || !TEST_int_eq(SSL_get_error(serverssl, 0),
8357 SSL_ERROR_ZERO_RETURN)
8358 || !TEST_int_eq(SSL_get_shutdown(serverssl),
8359 SSL_RECEIVED_SHUTDOWN)
8361 * Even though we're shutdown on receive we should still be
8364 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8367 && !TEST_true(SSL_key_update(serverssl,
8368 SSL_KEY_UPDATE_REQUESTED)))
8371 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
8372 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
8375 if ((tst == 4 || tst == 5)
8376 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8378 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8380 if (tst == 4 || tst == 5) {
8381 /* Should still be able to read data from server */
8382 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8384 || !TEST_size_t_eq(readbytes, sizeof(msg))
8385 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
8386 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8388 || !TEST_size_t_eq(readbytes, sizeof(msg))
8389 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
8394 /* Writing on the client after sending close_notify shouldn't be possible */
8395 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
8400 * For these tests the client has sent close_notify but it has not yet
8401 * been received by the server. The server has not sent close_notify
8404 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
8406 * Writing on the server after sending close_notify shouldn't
8409 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8410 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
8411 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8412 || !TEST_true(SSL_SESSION_is_resumable(sess))
8413 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
8415 } else if (tst == 4 || tst == 5) {
8417 * In this test the client has sent close_notify and it has been
8418 * received by the server which has responded with a close_notify. The
8419 * client needs to read the close_notify sent by the server.
8421 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
8422 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8423 || !TEST_true(SSL_SESSION_is_resumable(sess)))
8429 * The client has sent close_notify and is expecting a close_notify
8430 * back, but instead there is application data first. The shutdown
8431 * should fail with a fatal error.
8433 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
8434 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
8441 SSL_free(serverssl);
8442 SSL_free(clientssl);
8450 * Test that sending close_notify alerts works correctly in the case of a
8451 * retryable write failure.
8453 static int test_async_shutdown(void)
8455 SSL_CTX *cctx = NULL, *sctx = NULL;
8456 SSL *clientssl = NULL, *serverssl = NULL;
8458 BIO *bretry = BIO_new(bio_s_always_retry()), *tmp = NULL;
8460 if (!TEST_ptr(bretry))
8463 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8464 TLS_client_method(),
8466 &sctx, &cctx, cert, privkey)))
8469 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8473 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8476 /* Close write side of clientssl */
8477 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8480 tmp = SSL_get_wbio(serverssl);
8481 if (!TEST_true(BIO_up_ref(tmp))) {
8485 SSL_set0_wbio(serverssl, bretry);
8488 /* First server shutdown should fail because of a retrable write failure */
8489 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8490 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8493 /* Second server shutdown should fail for the same reason */
8494 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8495 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8498 SSL_set0_wbio(serverssl, tmp);
8501 /* Third server shutdown should send close_notify */
8502 if (!TEST_int_eq(SSL_shutdown(serverssl), 0))
8505 /* Fourth server shutdown should read close_notify from client and finish */
8506 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8509 /* Client should also successfully fully shutdown */
8510 if (!TEST_int_eq(SSL_shutdown(clientssl), 1))
8515 SSL_free(serverssl);
8516 SSL_free(clientssl);
8525 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8526 static int cert_cb_cnt;
8528 static int cert_cb(SSL *s, void *arg)
8530 SSL_CTX *ctx = (SSL_CTX *)arg;
8532 EVP_PKEY *pkey = NULL;
8533 X509 *x509 = NULL, *rootx = NULL;
8534 STACK_OF(X509) *chain = NULL;
8535 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
8538 if (cert_cb_cnt == 0) {
8539 /* Suspend the handshake */
8542 } else if (cert_cb_cnt == 1) {
8544 * Update the SSL_CTX, set the certificate and private key and then
8545 * continue the handshake normally.
8547 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
8550 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
8551 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
8553 || !TEST_true(SSL_check_private_key(s)))
8557 } else if (cert_cb_cnt == 3) {
8560 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
8561 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8562 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8563 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
8565 chain = sk_X509_new_null();
8566 if (!TEST_ptr(chain))
8568 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8569 || !TEST_int_gt(BIO_read_filename(in, rootfile), 0)
8570 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
8571 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
8572 || !TEST_true(sk_X509_push(chain, rootx)))
8576 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8577 || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0)
8578 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
8579 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
8582 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8583 || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0)
8584 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
8588 rv = SSL_check_chain(s, x509, pkey, chain);
8590 * If the cert doesn't show as valid here (e.g., because we don't
8591 * have any shared sigalgs), then we will not set it, and there will
8592 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8593 * will cause tls_choose_sigalgs() to fail the connection.
8595 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
8596 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
8597 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
8604 /* Abort the handshake */
8606 OPENSSL_free(ecdsacert);
8607 OPENSSL_free(ecdsakey);
8608 OPENSSL_free(rootfile);
8610 EVP_PKEY_free(pkey);
8613 OSSL_STACK_OF_X509_free(chain);
8618 * Test the certificate callback.
8619 * Test 0: Callback fails
8620 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8621 * Test 2: Success - SSL_set_SSL_CTX() in the callback
8622 * Test 3: Success - Call SSL_check_chain from the callback
8623 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8625 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
8627 static int test_cert_cb_int(int prot, int tst)
8629 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
8630 SSL *clientssl = NULL, *serverssl = NULL;
8631 int testresult = 0, ret;
8633 #ifdef OPENSSL_NO_EC
8634 /* We use an EC cert in these tests, so we skip in a no-ec build */
8639 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8640 TLS_client_method(),
8643 &sctx, &cctx, NULL, NULL)))
8654 snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
8655 if (!TEST_ptr(snictx))
8659 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
8661 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8667 * We cause SSL_check_chain() to fail by specifying sig_algs that
8668 * the chain doesn't meet (the root uses an RSA cert)
8670 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8671 "ecdsa_secp256r1_sha256")))
8673 } else if (tst == 5) {
8675 * We cause SSL_check_chain() to fail by specifying sig_algs that
8676 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8678 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8679 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8683 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
8684 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
8686 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
8693 SSL_free(serverssl);
8694 SSL_free(clientssl);
8697 SSL_CTX_free(snictx);
8703 static int test_cert_cb(int tst)
8707 #ifndef OPENSSL_NO_TLS1_2
8708 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
8710 #ifndef OSSL_NO_USABLE_TLS1_3
8711 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
8717 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
8722 BIO *priv_in = NULL;
8724 /* Check that SSL_get0_peer_certificate() returns something sensible */
8725 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
8728 in = BIO_new_file(cert, "r");
8732 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
8733 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
8734 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
8735 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
8753 static int test_client_cert_cb(int tst)
8755 SSL_CTX *cctx = NULL, *sctx = NULL;
8756 SSL *clientssl = NULL, *serverssl = NULL;
8759 #ifdef OPENSSL_NO_TLS1_2
8763 #ifdef OSSL_NO_USABLE_TLS1_3
8768 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8769 TLS_client_method(),
8771 tst == 0 ? TLS1_2_VERSION
8773 &sctx, &cctx, cert, privkey)))
8777 * Test that setting a client_cert_cb results in a client certificate being
8780 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
8781 SSL_CTX_set_verify(sctx,
8782 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
8785 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8787 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8794 SSL_free(serverssl);
8795 SSL_free(clientssl);
8802 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8804 * Test setting certificate authorities on both client and server.
8806 * Test 0: SSL_CTX_set0_CA_list() only
8807 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
8808 * Test 2: Only SSL_CTX_set_client_CA_list()
8810 static int test_ca_names_int(int prot, int tst)
8812 SSL_CTX *cctx = NULL, *sctx = NULL;
8813 SSL *clientssl = NULL, *serverssl = NULL;
8816 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
8817 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
8818 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
8819 const STACK_OF(X509_NAME) *sktmp = NULL;
8821 for (i = 0; i < OSSL_NELEM(name); i++) {
8822 name[i] = X509_NAME_new();
8823 if (!TEST_ptr(name[i])
8824 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
8832 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8833 TLS_client_method(),
8836 &sctx, &cctx, cert, privkey)))
8839 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
8841 if (tst == 0 || tst == 1) {
8842 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8843 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
8844 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
8845 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8846 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
8847 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
8850 SSL_CTX_set0_CA_list(sctx, sk1);
8851 SSL_CTX_set0_CA_list(cctx, sk2);
8854 if (tst == 1 || tst == 2) {
8855 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8856 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
8857 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
8858 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8859 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
8860 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
8863 SSL_CTX_set_client_CA_list(sctx, sk1);
8864 SSL_CTX_set_client_CA_list(cctx, sk2);
8868 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8870 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8875 * We only expect certificate authorities to have been sent to the server
8876 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
8878 sktmp = SSL_get0_peer_CA_list(serverssl);
8879 if (prot == TLS1_3_VERSION
8880 && (tst == 0 || tst == 1)) {
8881 if (!TEST_ptr(sktmp)
8882 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8883 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8885 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8888 } else if (!TEST_ptr_null(sktmp)) {
8893 * In all tests we expect certificate authorities to have been sent to the
8894 * client. However, SSL_set_client_CA_list() should override
8895 * SSL_set0_CA_list()
8897 sktmp = SSL_get0_peer_CA_list(clientssl);
8898 if (!TEST_ptr(sktmp)
8899 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8900 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8901 name[tst == 0 ? 0 : 2]), 0)
8902 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8903 name[tst == 0 ? 1 : 3]), 0))
8909 SSL_free(serverssl);
8910 SSL_free(clientssl);
8913 for (i = 0; i < OSSL_NELEM(name); i++)
8914 X509_NAME_free(name[i]);
8915 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
8916 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
8922 static int test_ca_names(int tst)
8926 #ifndef OPENSSL_NO_TLS1_2
8927 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
8929 #ifndef OSSL_NO_USABLE_TLS1_3
8930 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
8936 #ifndef OPENSSL_NO_TLS1_2
8937 static const char *multiblock_cipherlist_data[]=
8945 /* Reduce the fragment size - so the multiblock test buffer can be small */
8946 # define MULTIBLOCK_FRAGSIZE 512
8948 static int test_multiblock_write(int test_index)
8950 static const char *fetchable_ciphers[]=
8952 "AES-128-CBC-HMAC-SHA1",
8953 "AES-128-CBC-HMAC-SHA256",
8954 "AES-256-CBC-HMAC-SHA1",
8955 "AES-256-CBC-HMAC-SHA256"
8957 const char *cipherlist = multiblock_cipherlist_data[test_index];
8958 const SSL_METHOD *smeth = TLS_server_method();
8959 const SSL_METHOD *cmeth = TLS_client_method();
8960 int min_version = TLS1_VERSION;
8961 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
8962 SSL_CTX *cctx = NULL, *sctx = NULL;
8963 SSL *clientssl = NULL, *serverssl = NULL;
8967 * Choose a buffer large enough to perform a multi-block operation
8968 * i.e: write_len >= 4 * frag_size
8969 * 9 * is chosen so that multiple multiblocks are used + some leftover.
8971 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
8972 unsigned char buf[sizeof(msg)], *p = buf;
8973 size_t readbytes, written, len;
8974 EVP_CIPHER *ciph = NULL;
8977 * Check if the cipher exists before attempting to use it since it only has
8978 * a hardware specific implementation.
8980 ciph = EVP_CIPHER_fetch(libctx, fetchable_ciphers[test_index], "");
8982 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
8985 EVP_CIPHER_free(ciph);
8987 /* Set up a buffer with some data that will be sent to the client */
8988 RAND_bytes(msg, sizeof(msg));
8990 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
8991 max_version, &sctx, &cctx, cert,
8995 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
8998 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9002 /* settings to force it to use AES-CBC-HMAC_SHA */
9003 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
9004 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
9007 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9010 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
9011 || !TEST_size_t_eq(written, sizeof(msg)))
9016 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
9021 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
9026 SSL_free(serverssl);
9027 SSL_free(clientssl);
9033 #endif /* OPENSSL_NO_TLS1_2 */
9035 static int test_session_timeout(int test)
9038 * Test session ordering and timeout
9039 * Can't explicitly test performance of the new code,
9040 * but can test to see if the ordering of the sessions
9041 * are correct, and they they are removed as expected
9043 SSL_SESSION *early = NULL;
9044 SSL_SESSION *middle = NULL;
9045 SSL_SESSION *late = NULL;
9048 long now = (long)time(NULL);
9051 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
9052 || !TEST_ptr(early = SSL_SESSION_new())
9053 || !TEST_ptr(middle = SSL_SESSION_new())
9054 || !TEST_ptr(late = SSL_SESSION_new()))
9057 /* assign unique session ids */
9058 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9059 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
9060 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9061 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
9062 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9063 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
9065 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9066 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
9067 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
9070 /* Make sure they are all added */
9071 if (!TEST_ptr(early->prev)
9072 || !TEST_ptr(middle->prev)
9073 || !TEST_ptr(late->prev))
9076 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
9077 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
9078 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
9081 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
9082 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
9083 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
9086 /* Make sure they are all still there */
9087 if (!TEST_ptr(early->prev)
9088 || !TEST_ptr(middle->prev)
9089 || !TEST_ptr(late->prev))
9092 /* Make sure they are in the expected order */
9093 if (!TEST_ptr_eq(late->next, middle)
9094 || !TEST_ptr_eq(middle->next, early)
9095 || !TEST_ptr_eq(early->prev, middle)
9096 || !TEST_ptr_eq(middle->prev, late))
9099 /* This should remove "early" */
9100 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1);
9101 if (!TEST_ptr_null(early->prev)
9102 || !TEST_ptr(middle->prev)
9103 || !TEST_ptr(late->prev))
9106 /* This should remove "middle" */
9107 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1);
9108 if (!TEST_ptr_null(early->prev)
9109 || !TEST_ptr_null(middle->prev)
9110 || !TEST_ptr(late->prev))
9113 /* This should remove "late" */
9114 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11);
9115 if (!TEST_ptr_null(early->prev)
9116 || !TEST_ptr_null(middle->prev)
9117 || !TEST_ptr_null(late->prev))
9120 /* Add them back in again */
9121 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9122 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
9123 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
9126 /* Make sure they are all added */
9127 if (!TEST_ptr(early->prev)
9128 || !TEST_ptr(middle->prev)
9129 || !TEST_ptr(late->prev))
9132 /* This should remove all of them */
9133 SSL_CTX_flush_sessions(ctx, 0);
9134 if (!TEST_ptr_null(early->prev)
9135 || !TEST_ptr_null(middle->prev)
9136 || !TEST_ptr_null(late->prev))
9139 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
9140 | SSL_CTX_get_session_cache_mode(ctx));
9142 /* make sure |now| is NOT equal to the current time */
9144 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
9145 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9146 || !TEST_long_ne(SSL_SESSION_get_time(early), now))
9152 SSL_SESSION_free(early);
9153 SSL_SESSION_free(middle);
9154 SSL_SESSION_free(late);
9159 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
9160 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
9161 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
9162 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
9163 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
9164 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
9165 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
9166 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
9167 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
9168 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
9170 static int test_servername(int tst)
9172 SSL_CTX *cctx = NULL, *sctx = NULL;
9173 SSL *clientssl = NULL, *serverssl = NULL;
9175 SSL_SESSION *sess = NULL;
9176 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
9178 #ifdef OPENSSL_NO_TLS1_2
9182 #ifdef OSSL_NO_USABLE_TLS1_3
9187 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9188 TLS_client_method(),
9190 (tst <= 4) ? TLS1_2_VERSION
9192 &sctx, &cctx, cert, privkey))
9193 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9197 if (tst != 1 && tst != 6) {
9198 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
9203 if (tst != 3 && tst != 8) {
9204 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9206 sexpectedhost = cexpectedhost = "goodhost";
9209 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9212 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
9214 || !TEST_str_eq(SSL_get_servername(serverssl,
9215 TLSEXT_NAMETYPE_host_name),
9219 /* Now repeat with a resumption handshake */
9221 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
9222 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
9223 || !TEST_true(SSL_SESSION_is_resumable(sess))
9224 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
9227 SSL_free(clientssl);
9228 SSL_free(serverssl);
9229 clientssl = serverssl = NULL;
9231 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
9235 if (!TEST_true(SSL_set_session(clientssl, sess)))
9238 sexpectedhost = cexpectedhost = "goodhost";
9239 if (tst == 2 || tst == 7) {
9240 /* Set an inconsistent hostname */
9241 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
9244 * In TLSv1.2 we expect the hostname from the original handshake, in
9245 * TLSv1.3 we expect the hostname from this handshake
9248 sexpectedhost = cexpectedhost = "altgoodhost";
9250 if (!TEST_str_eq(SSL_get_servername(clientssl,
9251 TLSEXT_NAMETYPE_host_name),
9254 } else if (tst == 4 || tst == 9) {
9256 * A TLSv1.3 session does not associate a session with a servername,
9257 * but a TLSv1.2 session does.
9260 sexpectedhost = cexpectedhost = NULL;
9262 if (!TEST_str_eq(SSL_get_servername(clientssl,
9263 TLSEXT_NAMETYPE_host_name),
9267 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9270 * In a TLSv1.2 resumption where the hostname was not acknowledged
9271 * we expect the hostname on the server to be empty. On the client we
9272 * return what was requested in this case.
9274 * Similarly if the client didn't set a hostname on an original TLSv1.2
9275 * session but is now, the server hostname will be empty, but the client
9278 if (tst == 1 || tst == 3)
9279 sexpectedhost = NULL;
9281 if (!TEST_str_eq(SSL_get_servername(clientssl,
9282 TLSEXT_NAMETYPE_host_name),
9287 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9290 if (!TEST_true(SSL_session_reused(clientssl))
9291 || !TEST_true(SSL_session_reused(serverssl))
9292 || !TEST_str_eq(SSL_get_servername(clientssl,
9293 TLSEXT_NAMETYPE_host_name),
9295 || !TEST_str_eq(SSL_get_servername(serverssl,
9296 TLSEXT_NAMETYPE_host_name),
9303 SSL_SESSION_free(sess);
9304 SSL_free(serverssl);
9305 SSL_free(clientssl);
9312 #if !defined(OPENSSL_NO_EC) \
9313 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9315 * Test that if signature algorithms are not available, then we do not offer or
9317 * Test 0: Two RSA sig algs available: both RSA sig algs shared
9318 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
9319 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
9320 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
9321 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
9322 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
9324 static int test_sigalgs_available(int idx)
9326 SSL_CTX *cctx = NULL, *sctx = NULL;
9327 SSL *clientssl = NULL, *serverssl = NULL;
9329 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
9330 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
9331 OSSL_PROVIDER *filterprov = NULL;
9334 if (!TEST_ptr(tmpctx))
9337 if (idx != 0 && idx != 3) {
9338 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
9339 filter_provider_init)))
9342 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
9343 if (!TEST_ptr(filterprov))
9348 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
9349 * or accepted for the peer that uses this libctx. Note that libssl
9350 * *requires* SHA2-256 to be available so we cannot disable that. We
9351 * also need SHA1 for our certificate.
9353 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
9357 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
9359 # ifdef OPENSSL_NO_ECX
9360 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT, "EC"))
9362 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
9369 if (idx == 1 || idx == 4)
9375 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
9376 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
9377 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
9381 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9382 TLS_client_method(),
9385 &sctx, &cctx, cert, privkey)))
9388 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9389 TLS_client_method(),
9392 &sctx, &cctx, cert2, privkey2)))
9396 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
9398 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9399 "ECDHE-RSA-AES128-GCM-SHA256")))
9402 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9403 "ECDHE-ECDSA-AES128-GCM-SHA256")))
9408 if (!SSL_CTX_set1_sigalgs_list(cctx,
9409 "rsa_pss_rsae_sha384"
9410 ":rsa_pss_rsae_sha256")
9411 || !SSL_CTX_set1_sigalgs_list(sctx,
9412 "rsa_pss_rsae_sha384"
9413 ":rsa_pss_rsae_sha256"))
9416 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
9417 || !SSL_CTX_set1_sigalgs_list(sctx,
9418 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
9423 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
9424 SSL_FILETYPE_PEM), 1)
9425 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
9427 SSL_FILETYPE_PEM), 1)
9428 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
9431 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9435 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9438 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
9439 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
9441 (idx == 0 || idx == 3) ? 2 : 1))
9444 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
9447 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
9451 testresult = filter_provider_check_clean_finish();
9454 SSL_free(serverssl);
9455 SSL_free(clientssl);
9458 OSSL_PROVIDER_unload(filterprov);
9459 OSSL_LIB_CTX_free(tmpctx);
9464 * !defined(OPENSSL_NO_EC) \
9465 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9468 #ifndef OPENSSL_NO_TLS1_3
9469 /* This test can run in TLSv1.3 even if ec and dh are disabled */
9470 static int test_pluggable_group(int idx)
9472 SSL_CTX *cctx = NULL, *sctx = NULL;
9473 SSL *clientssl = NULL, *serverssl = NULL;
9475 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
9476 /* Check that we are not impacted by a provider without any groups */
9477 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
9478 const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
9480 if (!TEST_ptr(tlsprov))
9483 if (legacyprov == NULL) {
9485 * In this case we assume we've been built with "no-legacy" and skip
9486 * this test (there is no OPENSSL_NO_LEGACY)
9492 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9493 TLS_client_method(),
9496 &sctx, &cctx, cert, privkey))
9497 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9501 if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
9502 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
9505 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9508 if (!TEST_str_eq(group_name,
9509 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
9512 if (!TEST_str_eq(group_name, SSL_get0_group_name(serverssl))
9513 || !TEST_str_eq(group_name, SSL_get0_group_name(clientssl)))
9519 SSL_free(serverssl);
9520 SSL_free(clientssl);
9523 OSSL_PROVIDER_unload(tlsprov);
9524 OSSL_PROVIDER_unload(legacyprov);
9530 * This function triggers encode, decode and sign functions
9531 * of the artificial "xorhmacsig" algorithm implemented in tls-provider
9532 * creating private key and certificate files for use in TLS testing.
9534 static int create_cert_key(int idx, char *certfilename, char *privkeyfilename)
9536 EVP_PKEY_CTX * evpctx = EVP_PKEY_CTX_new_from_name(libctx,
9537 (idx == 0) ? "xorhmacsig" : "xorhmacsha2sig", NULL);
9538 EVP_PKEY *pkey = NULL;
9539 X509 *x509 = X509_new();
9540 X509_NAME *name = NULL;
9541 BIO *keybio = NULL, *certbio = NULL;
9544 if (!TEST_ptr(evpctx)
9545 || !TEST_true(EVP_PKEY_keygen_init(evpctx))
9546 || !TEST_true(EVP_PKEY_generate(evpctx, &pkey))
9549 || !TEST_true(ASN1_INTEGER_set(X509_get_serialNumber(x509), 1))
9550 || !TEST_true(X509_gmtime_adj(X509_getm_notBefore(x509), 0))
9551 || !TEST_true(X509_gmtime_adj(X509_getm_notAfter(x509), 31536000L))
9552 || !TEST_true(X509_set_pubkey(x509, pkey))
9553 || !TEST_ptr(name = X509_get_subject_name(x509))
9554 || !TEST_true(X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC,
9555 (unsigned char *)"CH", -1, -1, 0))
9556 || !TEST_true(X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC,
9557 (unsigned char *)"test.org", -1, -1, 0))
9558 || !TEST_true(X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
9559 (unsigned char *)"localhost", -1, -1, 0))
9560 || !TEST_true(X509_set_issuer_name(x509, name))
9561 || !TEST_true(X509_sign(x509, pkey, EVP_sha1()))
9562 || !TEST_ptr(keybio = BIO_new_file(privkeyfilename, "wb"))
9563 || !TEST_true(PEM_write_bio_PrivateKey(keybio, pkey, NULL, NULL, 0, NULL, NULL))
9564 || !TEST_ptr(certbio = BIO_new_file(certfilename, "wb"))
9565 || !TEST_true(PEM_write_bio_X509(certbio, x509)))
9568 EVP_PKEY_free(pkey);
9570 EVP_PKEY_CTX_free(evpctx);
9577 * Test that signature algorithms loaded via the provider interface can
9578 * correctly establish a TLS (1.3) connection.
9579 * Test 0: Signature algorithm with built-in hashing functionality: "xorhmacsig"
9580 * Test 1: Signature algorithm using external SHA2 hashing: "xorhmacsha2sig"
9581 * Test 2: Test 0 using RPK
9582 * Test 3: Test 1 using RPK
9584 static int test_pluggable_signature(int idx)
9586 static const unsigned char cert_type_rpk[] = { TLSEXT_cert_type_rpk, TLSEXT_cert_type_x509 };
9587 SSL_CTX *cctx = NULL, *sctx = NULL;
9588 SSL *clientssl = NULL, *serverssl = NULL;
9590 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
9591 OSSL_PROVIDER *defaultprov = OSSL_PROVIDER_load(libctx, "default");
9592 char *certfilename = "tls-prov-cert.pem";
9593 char *privkeyfilename = "tls-prov-key.pem";
9594 int sigidx = idx % 2;
9595 int rpkidx = idx / 2;
9597 /* create key and certificate for the different algorithm types */
9598 if (!TEST_ptr(tlsprov)
9599 || !TEST_true(create_cert_key(sigidx, certfilename, privkeyfilename)))
9602 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9603 TLS_client_method(),
9606 &sctx, &cctx, certfilename, privkeyfilename))
9607 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9611 /* Enable RPK for server cert */
9613 if (!TEST_true(SSL_set1_server_cert_type(serverssl, cert_type_rpk, sizeof(cert_type_rpk)))
9614 || !TEST_true(SSL_set1_server_cert_type(clientssl, cert_type_rpk, sizeof(cert_type_rpk))))
9618 /* This is necessary to pass minimal setup w/o other groups configured */
9619 if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup"))
9620 || !TEST_true(SSL_set1_groups_list(clientssl, "xorgroup")))
9624 * If this connection gets established, it must have been completed
9625 * via the tls-provider-implemented "hmacsig" algorithm, testing
9626 * both sign and verify functions during handshake.
9628 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9631 /* If using RPK, make sure we got one */
9632 if (rpkidx && !TEST_long_eq(SSL_get_verify_result(clientssl), X509_V_ERR_RPK_UNTRUSTED))
9638 SSL_free(serverssl);
9639 SSL_free(clientssl);
9642 OSSL_PROVIDER_unload(tlsprov);
9643 OSSL_PROVIDER_unload(defaultprov);
9649 #ifndef OPENSSL_NO_TLS1_2
9650 static int test_ssl_dup(void)
9652 SSL_CTX *cctx = NULL, *sctx = NULL;
9653 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
9655 BIO *rbio = NULL, *wbio = NULL;
9657 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9658 TLS_client_method(),
9661 &sctx, &cctx, cert, privkey)))
9664 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9668 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
9669 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
9672 client2ssl = SSL_dup(clientssl);
9673 rbio = SSL_get_rbio(clientssl);
9675 || !TEST_true(BIO_up_ref(rbio)))
9677 SSL_set0_rbio(client2ssl, rbio);
9680 wbio = SSL_get_wbio(clientssl);
9681 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
9683 SSL_set0_wbio(client2ssl, wbio);
9686 if (!TEST_ptr(client2ssl)
9687 /* Handshake not started so pointers should be different */
9688 || !TEST_ptr_ne(clientssl, client2ssl))
9691 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
9692 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
9695 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
9698 SSL_free(clientssl);
9699 clientssl = SSL_dup(client2ssl);
9700 if (!TEST_ptr(clientssl)
9701 /* Handshake has finished so pointers should be the same */
9702 || !TEST_ptr_eq(clientssl, client2ssl))
9708 SSL_free(serverssl);
9709 SSL_free(clientssl);
9710 SSL_free(client2ssl);
9717 # ifndef OPENSSL_NO_DH
9719 static EVP_PKEY *tmp_dh_params = NULL;
9721 /* Helper function for the test_set_tmp_dh() tests */
9722 static EVP_PKEY *get_tmp_dh_params(void)
9724 if (tmp_dh_params == NULL) {
9726 OSSL_PARAM_BLD *tmpl = NULL;
9727 EVP_PKEY_CTX *pctx = NULL;
9728 OSSL_PARAM *params = NULL;
9729 EVP_PKEY *dhpkey = NULL;
9731 p = BN_get_rfc3526_prime_2048(NULL);
9735 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
9737 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
9740 tmpl = OSSL_PARAM_BLD_new();
9742 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
9743 OSSL_PKEY_PARAM_FFC_P,
9745 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
9746 OSSL_PKEY_PARAM_FFC_G,
9750 params = OSSL_PARAM_BLD_to_param(tmpl);
9751 if (!TEST_ptr(params)
9752 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
9753 EVP_PKEY_KEY_PARAMETERS,
9757 tmp_dh_params = dhpkey;
9760 EVP_PKEY_CTX_free(pctx);
9761 OSSL_PARAM_BLD_free(tmpl);
9762 OSSL_PARAM_free(params);
9765 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
9768 return tmp_dh_params;
9771 # ifndef OPENSSL_NO_DEPRECATED_3_0
9772 /* Callback used by test_set_tmp_dh() */
9773 static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
9775 EVP_PKEY *dhpkey = get_tmp_dh_params();
9778 if (!TEST_ptr(dhpkey))
9782 * libssl does not free the returned DH, so we free it now knowing that even
9783 * after we free dhpkey, there will still be a reference to the owning
9784 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
9785 * of time we need it for.
9787 ret = EVP_PKEY_get1_DH(dhpkey);
9790 EVP_PKEY_free(dhpkey);
9797 * Test the various methods for setting temporary DH parameters
9799 * Test 0: Default (no auto) setting
9800 * Test 1: Explicit SSL_CTX auto off
9801 * Test 2: Explicit SSL auto off
9802 * Test 3: Explicit SSL_CTX auto on
9803 * Test 4: Explicit SSL auto on
9804 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
9805 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
9807 * The following are testing deprecated APIs, so we only run them if available
9808 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
9809 * Test 8: Explicit SSL auto off, custom DH params via DH
9810 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
9811 * Test 10: Explicit SSL auto off, custom DH params via callback
9813 static int test_set_tmp_dh(int idx)
9815 SSL_CTX *cctx = NULL, *sctx = NULL;
9816 SSL *clientssl = NULL, *serverssl = NULL;
9818 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
9819 int expected = (idx <= 2) ? 0 : 1;
9820 EVP_PKEY *dhpkey = NULL;
9821 # ifndef OPENSSL_NO_DEPRECATED_3_0
9829 if (idx >= 5 && idx <= 8) {
9830 dhpkey = get_tmp_dh_params();
9831 if (!TEST_ptr(dhpkey))
9834 # ifndef OPENSSL_NO_DEPRECATED_3_0
9835 if (idx == 7 || idx == 8) {
9836 dh = EVP_PKEY_get1_DH(dhpkey);
9842 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9843 TLS_client_method(),
9846 &sctx, &cctx, cert, privkey)))
9849 if ((idx & 1) == 1) {
9850 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
9855 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
9859 # ifndef OPENSSL_NO_DEPRECATED_3_0
9860 else if (idx == 7) {
9861 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
9863 } else if (idx == 9) {
9864 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
9868 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9872 if ((idx & 1) == 0 && idx != 0) {
9873 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
9877 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
9881 # ifndef OPENSSL_NO_DEPRECATED_3_0
9882 else if (idx == 8) {
9883 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
9885 } else if (idx == 10) {
9886 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
9890 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9891 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9892 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
9896 * If autoon then we should succeed. Otherwise we expect failure because
9897 * there are no parameters
9899 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
9900 SSL_ERROR_NONE), expected))
9906 # ifndef OPENSSL_NO_DEPRECATED_3_0
9909 SSL_free(serverssl);
9910 SSL_free(clientssl);
9913 EVP_PKEY_free(dhpkey);
9919 * Test the auto DH keys are appropriately sized
9921 static int test_dh_auto(int idx)
9923 SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
9924 SSL_CTX *sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9925 SSL *clientssl = NULL, *serverssl = NULL;
9927 EVP_PKEY *tmpkey = NULL;
9928 char *thiscert = NULL, *thiskey = NULL;
9929 size_t expdhsize = 0;
9930 const char *ciphersuite = "DHE-RSA-AES128-SHA";
9932 if (!TEST_ptr(sctx) || !TEST_ptr(cctx))
9937 /* The FIPS provider doesn't support this DH size - so we ignore it */
9942 thiscert = cert1024;
9943 thiskey = privkey1024;
9945 SSL_CTX_set_security_level(sctx, 1);
9946 SSL_CTX_set_security_level(cctx, 1);
9949 /* 2048 bit prime */
9955 thiscert = cert3072;
9956 thiskey = privkey3072;
9960 thiscert = cert4096;
9961 thiskey = privkey4096;
9965 thiscert = cert8192;
9966 thiskey = privkey8192;
9969 /* No certificate cases */
9971 /* The FIPS provider doesn't support this DH size - so we ignore it */
9976 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
9980 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
9984 TEST_error("Invalid text index");
9988 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL,
9992 &sctx, &cctx, thiscert, thiskey)))
9995 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9999 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
10000 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
10001 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
10002 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
10003 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
10007 * Send the server's first flight. At this point the server has created the
10008 * temporary DH key but hasn't finished using it yet. Once used it is
10009 * removed, so we cannot test it.
10011 if (!TEST_int_le(SSL_connect(clientssl), 0)
10012 || !TEST_int_le(SSL_accept(serverssl), 0))
10015 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
10017 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
10020 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10026 SSL_free(serverssl);
10027 SSL_free(clientssl);
10028 SSL_CTX_free(sctx);
10029 SSL_CTX_free(cctx);
10030 EVP_PKEY_free(tmpkey);
10035 # endif /* OPENSSL_NO_DH */
10036 #endif /* OPENSSL_NO_TLS1_2 */
10038 #ifndef OSSL_NO_USABLE_TLS1_3
10040 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
10041 * that it works even without a certificate configured for the original
10044 static int test_sni_tls13(void)
10046 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
10047 SSL *clientssl = NULL, *serverssl = NULL;
10048 int testresult = 0;
10050 /* Reset callback counter */
10053 /* Create an initial SSL_CTX with no certificate configured */
10054 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10055 if (!TEST_ptr(sctx))
10057 /* Require TLSv1.3 as a minimum */
10058 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10059 TLS_client_method(), TLS1_3_VERSION, 0,
10060 &sctx2, &cctx, cert, privkey)))
10064 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
10065 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
10069 * Connection should still succeed because the final SSL_CTX has the right
10070 * certificates configured.
10072 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10073 &clientssl, NULL, NULL))
10074 || !TEST_true(create_ssl_connection(serverssl, clientssl,
10078 /* We should have had the SNI callback called exactly once */
10079 if (!TEST_int_eq(snicb, 1))
10085 SSL_free(serverssl);
10086 SSL_free(clientssl);
10087 SSL_CTX_free(sctx2);
10088 SSL_CTX_free(sctx);
10089 SSL_CTX_free(cctx);
10094 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
10098 static int test_ticket_lifetime(int idx)
10100 SSL_CTX *cctx = NULL, *sctx = NULL;
10101 SSL *clientssl = NULL, *serverssl = NULL;
10102 int testresult = 0;
10103 int version = TLS1_3_VERSION;
10105 #define ONE_WEEK_SEC (7 * 24 * 60 * 60)
10106 #define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
10109 #ifdef OPENSSL_NO_TLS1_2
10110 return TEST_skip("TLS 1.2 is disabled.");
10112 version = TLS1_2_VERSION;
10116 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10117 TLS_client_method(), version, version,
10118 &sctx, &cctx, cert, privkey)))
10121 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10122 &clientssl, NULL, NULL)))
10126 * Set the timeout to be more than 1 week
10127 * make sure the returned value is the default
10129 if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
10130 SSL_get_default_timeout(serverssl)))
10133 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10137 /* TLSv1.2 uses the set value */
10138 if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC))
10141 /* TLSv1.3 uses the limited value */
10142 if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC))
10148 SSL_free(serverssl);
10149 SSL_free(clientssl);
10150 SSL_CTX_free(sctx);
10151 SSL_CTX_free(cctx);
10156 * Test that setting an ALPN does not violate RFC
10158 static int test_set_alpn(void)
10160 SSL_CTX *ctx = NULL;
10162 int testresult = 0;
10164 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
10165 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
10166 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
10167 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
10168 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
10169 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
10171 /* Create an initial SSL_CTX with no certificate configured */
10172 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10173 if (!TEST_ptr(ctx))
10176 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
10177 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
10179 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
10181 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
10183 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
10185 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
10187 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
10189 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
10191 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
10193 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
10196 ssl = SSL_new(ctx);
10197 if (!TEST_ptr(ssl))
10200 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
10202 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
10204 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
10206 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
10208 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
10210 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
10212 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
10214 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
10216 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
10228 * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
10230 static int test_set_verify_cert_store_ssl_ctx(void)
10232 SSL_CTX *ctx = NULL;
10233 int testresult = 0;
10234 X509_STORE *store = NULL, *new_store = NULL,
10235 *cstore = NULL, *new_cstore = NULL;
10237 /* Create an initial SSL_CTX. */
10238 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10239 if (!TEST_ptr(ctx))
10242 /* Retrieve verify store pointer. */
10243 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10246 /* Retrieve chain store pointer. */
10247 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10250 /* We haven't set any yet, so this should be NULL. */
10251 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10254 /* Create stores. We use separate stores so pointers are different. */
10255 new_store = X509_STORE_new();
10256 if (!TEST_ptr(new_store))
10259 new_cstore = X509_STORE_new();
10260 if (!TEST_ptr(new_cstore))
10264 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store)))
10267 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore)))
10270 /* Should be able to retrieve the same pointer. */
10271 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10274 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10277 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10280 /* Should be able to unset again. */
10281 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL)))
10284 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL)))
10287 /* Should now be NULL. */
10288 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10291 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10294 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10300 X509_STORE_free(new_store);
10301 X509_STORE_free(new_cstore);
10307 * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store.
10309 static int test_set_verify_cert_store_ssl(void)
10311 SSL_CTX *ctx = NULL;
10313 int testresult = 0;
10314 X509_STORE *store = NULL, *new_store = NULL,
10315 *cstore = NULL, *new_cstore = NULL;
10317 /* Create an initial SSL_CTX. */
10318 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10319 if (!TEST_ptr(ctx))
10322 /* Create an SSL object. */
10323 ssl = SSL_new(ctx);
10324 if (!TEST_ptr(ssl))
10327 /* Retrieve verify store pointer. */
10328 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10331 /* Retrieve chain store pointer. */
10332 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10335 /* We haven't set any yet, so this should be NULL. */
10336 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10339 /* Create stores. We use separate stores so pointers are different. */
10340 new_store = X509_STORE_new();
10341 if (!TEST_ptr(new_store))
10344 new_cstore = X509_STORE_new();
10345 if (!TEST_ptr(new_cstore))
10349 if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store)))
10352 if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore)))
10355 /* Should be able to retrieve the same pointer. */
10356 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10359 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10362 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10365 /* Should be able to unset again. */
10366 if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL)))
10369 if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL)))
10372 /* Should now be NULL. */
10373 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10376 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10379 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10385 X509_STORE_free(new_store);
10386 X509_STORE_free(new_cstore);
10393 static int test_inherit_verify_param(void)
10395 int testresult = 0;
10397 SSL_CTX *ctx = NULL;
10398 X509_VERIFY_PARAM *cp = NULL;
10400 X509_VERIFY_PARAM *sp = NULL;
10401 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
10403 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10404 if (!TEST_ptr(ctx))
10407 cp = SSL_CTX_get0_param(ctx);
10410 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
10413 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
10415 ssl = SSL_new(ctx);
10416 if (!TEST_ptr(ssl))
10419 sp = SSL_get0_param(ssl);
10422 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
10434 static int test_load_dhfile(void)
10436 #ifndef OPENSSL_NO_DH
10437 int testresult = 0;
10439 SSL_CTX *ctx = NULL;
10440 SSL_CONF_CTX *cctx = NULL;
10442 if (dhfile == NULL)
10445 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()))
10446 || !TEST_ptr(cctx = SSL_CONF_CTX_new()))
10449 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
10450 SSL_CONF_CTX_set_flags(cctx,
10451 SSL_CONF_FLAG_CERTIFICATE
10452 | SSL_CONF_FLAG_SERVER
10453 | SSL_CONF_FLAG_FILE);
10455 if (!TEST_int_eq(SSL_CONF_cmd(cctx, "DHParameters", dhfile), 2))
10460 SSL_CONF_CTX_free(cctx);
10465 return TEST_skip("DH not supported by this build");
10469 #ifndef OSSL_NO_USABLE_TLS1_3
10470 /* Test that read_ahead works across a key change */
10471 static int test_read_ahead_key_change(void)
10473 SSL_CTX *cctx = NULL, *sctx = NULL;
10474 SSL *clientssl = NULL, *serverssl = NULL;
10475 int testresult = 0;
10476 char *msg = "Hello World";
10477 size_t written, readbytes;
10481 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10482 TLS_client_method(), TLS1_3_VERSION, 0,
10483 &sctx, &cctx, cert, privkey)))
10486 SSL_CTX_set_read_ahead(sctx, 1);
10488 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10489 &clientssl, NULL, NULL)))
10492 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10495 /* Write some data, send a key update, write more data */
10496 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10497 || !TEST_size_t_eq(written, strlen(msg)))
10500 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
10503 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10504 || !TEST_size_t_eq(written, strlen(msg)))
10508 * Since read_ahead is on the first read below should read the record with
10509 * the first app data, the second record with the key update message, and
10510 * the third record with the app data all in one go. We should be able to
10511 * still process the read_ahead data correctly even though it crosses
10514 for (i = 0; i < 2; i++) {
10515 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
10519 buf[readbytes] = '\0';
10520 if (!TEST_str_eq(buf, msg))
10527 SSL_free(serverssl);
10528 SSL_free(clientssl);
10529 SSL_CTX_free(sctx);
10530 SSL_CTX_free(cctx);
10534 static size_t record_pad_cb(SSL *s, int type, size_t len, void *arg)
10538 switch ((*called)++) {
10540 /* Add some padding to first record */
10543 /* Maximally pad the second record */
10544 return SSL3_RT_MAX_PLAIN_LENGTH - len;
10547 * Exceeding the maximum padding should be fine. It should just pad to
10548 * the maximum anyway
10550 return SSL3_RT_MAX_PLAIN_LENGTH + 1 - len;
10553 * Very large padding should also be ok. Should just pad to the maximum
10563 * Test that setting record padding in TLSv1.3 works as expected
10564 * Test 0: Record padding callback on the SSL_CTX
10565 * Test 1: Record padding callback on the SSL
10566 * Test 2: Record block padding on the SSL_CTX
10567 * Test 3: Record block padding on the SSL
10569 static int test_tls13_record_padding(int idx)
10571 SSL_CTX *cctx = NULL, *sctx = NULL;
10572 SSL *clientssl = NULL, *serverssl = NULL;
10573 int testresult = 0;
10574 char *msg = "Hello World";
10575 size_t written, readbytes;
10580 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10581 TLS_client_method(), TLS1_3_VERSION, 0,
10582 &sctx, &cctx, cert, privkey)))
10586 SSL_CTX_set_record_padding_callback(cctx, record_pad_cb);
10587 SSL_CTX_set_record_padding_callback_arg(cctx, &called);
10588 if (!TEST_ptr_eq(SSL_CTX_get_record_padding_callback_arg(cctx), &called))
10590 } else if (idx == 2) {
10591 /* Exceeding the max plain length should fail */
10592 if (!TEST_false(SSL_CTX_set_block_padding(cctx,
10593 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
10595 if (!TEST_true(SSL_CTX_set_block_padding(cctx, 512)))
10599 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10600 &clientssl, NULL, NULL)))
10604 SSL_set_record_padding_callback(clientssl, record_pad_cb);
10605 SSL_set_record_padding_callback_arg(clientssl, &called);
10606 if (!TEST_ptr_eq(SSL_get_record_padding_callback_arg(clientssl), &called))
10608 } else if (idx == 3) {
10609 /* Exceeding the max plain length should fail */
10610 if (!TEST_false(SSL_set_block_padding(clientssl,
10611 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
10613 if (!TEST_true(SSL_set_block_padding(clientssl, 512)))
10617 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10622 * Write some data, then check we can read it. Do this four times to check
10623 * we can continue to write and read padded data after the initial record
10624 * padding has been added. We don't actually check that the padding has
10625 * been applied to the record - just that we can continue to communicate
10626 * normally and that the callback has been called (if appropriate).
10628 for (i = 0; i < 4; i++) {
10629 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10630 || !TEST_size_t_eq(written, strlen(msg)))
10633 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
10635 || !TEST_size_t_eq(written, readbytes))
10638 buf[readbytes] = '\0';
10639 if (!TEST_str_eq(buf, msg))
10643 if ((idx == 0 || idx == 1) && !TEST_int_eq(called, 4))
10648 SSL_free(serverssl);
10649 SSL_free(clientssl);
10650 SSL_CTX_free(sctx);
10651 SSL_CTX_free(cctx);
10654 #endif /* OSSL_NO_USABLE_TLS1_3 */
10656 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
10658 * Test TLSv1.2 with a pipeline capable cipher. TLSv1.3 and DTLS do not
10659 * support this yet. The only pipeline capable cipher that we have is in the
10660 * dasync engine (providers don't support this yet), so we have to use
10661 * deprecated APIs for this test.
10663 * Test 0: Client has pipelining enabled, server does not
10664 * Test 1: Server has pipelining enabled, client does not
10665 * Test 2: Client has pipelining enabled, server does not: not enough data to
10666 * fill all the pipelines
10667 * Test 3: Client has pipelining enabled, server does not: not enough data to
10668 * fill all the pipelines by more than a full pipeline's worth
10669 * Test 4: Client has pipelining enabled, server does not: more data than all
10670 * the available pipelines can take
10671 * Test 5: Client has pipelining enabled, server does not: Maximum size pipeline
10673 static int test_pipelining(int idx)
10675 SSL_CTX *cctx = NULL, *sctx = NULL;
10676 SSL *clientssl = NULL, *serverssl = NULL, *peera, *peerb;
10677 int testresult = 0, numreads;
10678 /* A 55 byte message */
10679 unsigned char *msg = (unsigned char *)
10680 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123";
10681 size_t written, readbytes, offset, msglen, fragsize = 10, numpipes = 5;
10682 size_t expectedreads;
10683 unsigned char *buf = NULL;
10686 if (!TEST_ptr(e = ENGINE_by_id("dasync")))
10689 if (!TEST_true(ENGINE_init(e))) {
10694 if (!TEST_true(ENGINE_register_ciphers(e)))
10697 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10698 TLS_client_method(), 0,
10699 TLS1_2_VERSION, &sctx, &cctx, cert,
10703 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10704 &clientssl, NULL, NULL)))
10707 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES128-SHA")))
10710 /* peera is always configured for pipelining, while peerb is not. */
10722 /* Maximum allowed fragment size */
10723 fragsize = SSL3_RT_MAX_PLAIN_LENGTH;
10724 msglen = fragsize * numpipes;
10725 msg = OPENSSL_malloc(msglen);
10726 if (!TEST_ptr(msg))
10728 if (!TEST_int_gt(RAND_bytes_ex(libctx, msg, msglen, 0), 0))
10730 } else if (idx == 4) {
10736 msglen -= 2; /* Send 2 less bytes */
10738 msglen -= 12; /* Send 12 less bytes */
10740 buf = OPENSSL_malloc(msglen);
10741 if (!TEST_ptr(buf))
10746 * Test that setting a split send fragment longer than the maximum
10749 if (!TEST_false(SSL_set_split_send_fragment(peera, fragsize + 1)))
10754 * In the normal case. We have 5 pipelines with 10 bytes per pipeline
10755 * (50 bytes in total). This is a ridiculously small number of bytes -
10756 * but sufficient for our purposes
10758 if (!TEST_true(SSL_set_max_pipelines(peera, numpipes))
10759 || !TEST_true(SSL_set_split_send_fragment(peera, fragsize)))
10762 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10765 /* Write some data from peera to peerb */
10766 if (!TEST_true(SSL_write_ex(peera, msg, msglen, &written))
10767 || !TEST_size_t_eq(written, msglen))
10771 * If the pipelining code worked, then we expect all |numpipes| pipelines to
10772 * have been used - except in test 3 where only |numpipes - 1| pipelines
10773 * will be used. This will result in |numpipes| records (|numpipes - 1| for
10774 * test 3) having been sent to peerb. Since peerb is not using read_ahead we
10775 * expect this to be read in |numpipes| or |numpipes - 1| separate
10776 * SSL_read_ex calls. In the case of test 4, there is then one additional
10777 * read for left over data that couldn't fit in the previous pipelines
10779 for (offset = 0, numreads = 0;
10781 offset += readbytes, numreads++) {
10782 if (!TEST_true(SSL_read_ex(peerb, buf + offset,
10783 msglen - offset, &readbytes)))
10787 expectedreads = idx == 4 ? numpipes + 1
10788 : (idx == 3 ? numpipes - 1 : numpipes);
10789 if (!TEST_mem_eq(msg, msglen, buf, offset)
10790 || !TEST_int_eq(numreads, expectedreads))
10794 * Write some data from peerb to peera. We do this in up to |numpipes + 1|
10795 * chunks to exercise the read pipelining code on peera.
10797 for (offset = 0; offset < msglen; offset += fragsize) {
10798 size_t sendlen = msglen - offset;
10800 if (sendlen > fragsize)
10801 sendlen = fragsize;
10802 if (!TEST_true(SSL_write_ex(peerb, msg + offset, sendlen, &written))
10803 || !TEST_size_t_eq(written, sendlen))
10808 * The data was written in |numpipes|, |numpipes - 1| or |numpipes + 1|
10809 * separate chunks (depending on which test we are running). If the
10810 * pipelining is working then we expect peera to read up to numpipes chunks
10811 * and process them in parallel, giving back the complete result in a single
10812 * call to SSL_read_ex
10814 if (!TEST_true(SSL_read_ex(peera, buf, msglen, &readbytes))
10815 || !TEST_size_t_le(readbytes, msglen))
10821 if (!TEST_true(SSL_read_ex(peera, buf + readbytes,
10822 msglen - readbytes, &readbytes2)))
10824 readbytes += readbytes2;
10825 if (!TEST_size_t_le(readbytes, msglen))
10829 if (!TEST_mem_eq(msg, msglen, buf, readbytes))
10834 SSL_free(serverssl);
10835 SSL_free(clientssl);
10836 SSL_CTX_free(sctx);
10837 SSL_CTX_free(cctx);
10838 ENGINE_unregister_ciphers(e);
10846 #endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) */
10848 static int check_version_string(SSL *s, int version)
10850 const char *verstr = NULL;
10859 case TLS1_1_VERSION:
10860 verstr = "TLSv1.1";
10862 case TLS1_2_VERSION:
10863 verstr = "TLSv1.2";
10865 case TLS1_3_VERSION:
10866 verstr = "TLSv1.3";
10868 case DTLS1_VERSION:
10871 case DTLS1_2_VERSION:
10872 verstr = "DTLSv1.2";
10875 return TEST_str_eq(verstr, SSL_get_version(s));
10879 * Test that SSL_version, SSL_get_version, SSL_is_quic, SSL_is_tls and
10880 * SSL_is_dtls return the expected results for a (D)TLS connection. Compare with
10881 * test_version() in quicapitest.c which does the same thing for QUIC
10884 static int test_version(int idx)
10886 SSL_CTX *cctx = NULL, *sctx = NULL;
10887 SSL *clientssl = NULL, *serverssl = NULL;
10888 int testresult = 0, version;
10889 const SSL_METHOD *servmeth = TLS_server_method();
10890 const SSL_METHOD *clientmeth = TLS_client_method();
10893 #if !defined(OPENSSL_NO_SSL3)
10895 version = SSL3_VERSION;
10898 #if !defined(OPENSSL_NO_TLS1)
10900 version = TLS1_VERSION;
10903 #if !defined(OPENSSL_NO_TLS1_2)
10905 version = TLS1_2_VERSION;
10908 #if !defined(OSSL_NO_USABLE_TLS1_3)
10910 version = TLS1_3_VERSION;
10913 #if !defined(OPENSSL_NO_DTLS1)
10915 version = DTLS1_VERSION;
10918 #if !defined(OPENSSL_NO_DTLS1_2)
10920 version = DTLS1_2_VERSION;
10924 * NB we do not support QUIC in this test. That is covered by quicapitest.c
10925 * We also don't support DTLS1_BAD_VER since we have no server support for
10929 TEST_skip("Unsupported protocol version");
10934 && (version == SSL3_VERSION
10935 || version == TLS1_VERSION
10936 || version == DTLS1_VERSION)) {
10937 TEST_skip("Protocol version not supported with FIPS");
10941 #if !defined(OPENSSL_NO_DTLS)
10942 if (version == DTLS1_VERSION || version == DTLS1_2_VERSION) {
10943 servmeth = DTLS_server_method();
10944 clientmeth = DTLS_client_method();
10948 if (!TEST_true(create_ssl_ctx_pair(libctx, servmeth, clientmeth, version,
10949 version, &sctx, &cctx, cert, privkey)))
10952 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
10953 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
10954 "DEFAULT:@SECLEVEL=0")))
10957 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10958 &clientssl, NULL, NULL)))
10961 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10964 if (!TEST_int_eq(SSL_version(serverssl), version)
10965 || !TEST_int_eq(SSL_version(clientssl), version)
10966 || !TEST_true(check_version_string(serverssl, version))
10967 || !TEST_true(check_version_string(clientssl, version)))
10970 if (version == DTLS1_VERSION || version == DTLS1_2_VERSION) {
10971 if (!TEST_true(SSL_is_dtls(serverssl))
10972 || !TEST_true(SSL_is_dtls(clientssl))
10973 || !TEST_false(SSL_is_tls(serverssl))
10974 || !TEST_false(SSL_is_tls(clientssl))
10975 || !TEST_false(SSL_is_quic(serverssl))
10976 || !TEST_false(SSL_is_quic(clientssl)))
10979 if (!TEST_true(SSL_is_tls(serverssl))
10980 || !TEST_true(SSL_is_tls(clientssl))
10981 || !TEST_false(SSL_is_dtls(serverssl))
10982 || !TEST_false(SSL_is_dtls(clientssl))
10983 || !TEST_false(SSL_is_quic(serverssl))
10984 || !TEST_false(SSL_is_quic(clientssl)))
10990 SSL_free(serverssl);
10991 SSL_free(clientssl);
10992 SSL_CTX_free(sctx);
10993 SSL_CTX_free(cctx);
10998 * Test that the SSL_rstate_string*() APIs return sane results
11000 static int test_rstate_string(void)
11002 SSL_CTX *cctx = NULL, *sctx = NULL;
11003 SSL *clientssl = NULL, *serverssl = NULL;
11004 int testresult = 0, version;
11005 const SSL_METHOD *servmeth = TLS_server_method();
11006 const SSL_METHOD *clientmeth = TLS_client_method();
11007 size_t written, readbytes;
11008 unsigned char buf[2];
11009 unsigned char dummyheader[SSL3_RT_HEADER_LENGTH] = {
11010 SSL3_RT_APPLICATION_DATA,
11011 TLS1_2_VERSION_MAJOR,
11012 0, /* To be filled in later */
11017 if (!TEST_true(create_ssl_ctx_pair(libctx, servmeth, clientmeth, 0,
11018 0, &sctx, &cctx, cert, privkey)))
11021 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11022 &clientssl, NULL, NULL)))
11025 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RH")
11026 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read header"))
11029 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11032 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RH")
11033 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read header"))
11036 /* Fill in the correct version for the record header */
11037 version = SSL_version(serverssl);
11038 if (version == TLS1_3_VERSION)
11039 version = TLS1_2_VERSION;
11040 dummyheader[2] = version & 0xff;
11043 * Send a dummy header. If we continued to read the body as well this
11044 * would fail with a bad record mac, but we're not going to go that far.
11046 if (!TEST_true(BIO_write_ex(SSL_get_rbio(serverssl), dummyheader,
11047 sizeof(dummyheader), &written))
11048 || !TEST_size_t_eq(written, SSL3_RT_HEADER_LENGTH))
11051 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)))
11054 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RB")
11055 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read body"))
11060 SSL_free(serverssl);
11061 SSL_free(clientssl);
11062 SSL_CTX_free(sctx);
11063 SSL_CTX_free(cctx);
11067 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
11069 int setup_tests(void)
11074 libctx = OSSL_LIB_CTX_new();
11075 if (!TEST_ptr(libctx))
11078 defctxnull = OSSL_PROVIDER_load(NULL, "null");
11081 * Verify that the default and fips providers in the default libctx are not
11084 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
11085 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
11088 if (!test_skip_common_options()) {
11089 TEST_error("Error parsing test options\n");
11093 if (!TEST_ptr(certsdir = test_get_argument(0))
11094 || !TEST_ptr(srpvfile = test_get_argument(1))
11095 || !TEST_ptr(tmpfilename = test_get_argument(2))
11096 || !TEST_ptr(modulename = test_get_argument(3))
11097 || !TEST_ptr(configfile = test_get_argument(4))
11098 || !TEST_ptr(dhfile = test_get_argument(5)))
11101 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
11104 /* Check we have the expected provider available */
11105 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
11108 /* Check the default provider is not available */
11109 if (strcmp(modulename, "default") != 0
11110 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
11113 if (strcmp(modulename, "fips") == 0) {
11114 OSSL_PROVIDER *prov = NULL;
11115 OSSL_PARAM params[2];
11119 prov = OSSL_PROVIDER_load(libctx, "fips");
11120 if (prov != NULL) {
11121 /* Query the fips provider to check if the check ems option is enabled */
11123 OSSL_PARAM_construct_int(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK,
11125 params[1] = OSSL_PARAM_construct_end();
11126 OSSL_PROVIDER_get_params(prov, params);
11127 OSSL_PROVIDER_unload(prov);
11132 * We add, but don't load the test "tls-provider". We'll load it when we
11135 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
11136 tls_provider_init)))
11140 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
11141 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
11142 TEST_error("not supported in this build");
11145 int i, mcount, rcount, fcount;
11147 for (i = 0; i < 4; i++)
11148 test_export_key_mat(i);
11149 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
11150 test_printf_stdout("malloc %d realloc %d free %d\n",
11151 mcount, rcount, fcount);
11156 cert = test_mk_file_path(certsdir, "servercert.pem");
11160 privkey = test_mk_file_path(certsdir, "serverkey.pem");
11161 if (privkey == NULL)
11164 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
11168 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
11169 if (privkey2 == NULL)
11172 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
11173 if (cert1024 == NULL)
11176 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
11177 if (privkey1024 == NULL)
11180 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
11181 if (cert3072 == NULL)
11184 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
11185 if (privkey3072 == NULL)
11188 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
11189 if (cert4096 == NULL)
11192 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
11193 if (privkey4096 == NULL)
11196 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
11197 if (cert8192 == NULL)
11200 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
11201 if (privkey8192 == NULL)
11204 if (fips_ems_check) {
11205 #ifndef OPENSSL_NO_TLS1_2
11206 ADD_TEST(test_no_ems);
11210 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
11211 # if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
11212 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
11213 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS * 2);
11216 ADD_TEST(test_large_message_tls);
11217 ADD_TEST(test_large_message_tls_read_ahead);
11218 #ifndef OPENSSL_NO_DTLS
11219 ADD_TEST(test_large_message_dtls);
11221 ADD_ALL_TESTS(test_large_app_data, 28);
11222 ADD_TEST(test_cleanse_plaintext);
11223 #ifndef OPENSSL_NO_OCSP
11224 ADD_TEST(test_tlsext_status_type);
11226 ADD_TEST(test_session_with_only_int_cache);
11227 ADD_TEST(test_session_with_only_ext_cache);
11228 ADD_TEST(test_session_with_both_cache);
11229 ADD_TEST(test_session_wo_ca_names);
11230 #ifndef OSSL_NO_USABLE_TLS1_3
11231 ADD_ALL_TESTS(test_stateful_tickets, 3);
11232 ADD_ALL_TESTS(test_stateless_tickets, 3);
11233 ADD_TEST(test_psk_tickets);
11234 ADD_ALL_TESTS(test_extra_tickets, 6);
11236 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
11237 ADD_TEST(test_ssl_bio_pop_next_bio);
11238 ADD_TEST(test_ssl_bio_pop_ssl_bio);
11239 ADD_TEST(test_ssl_bio_change_rbio);
11240 ADD_TEST(test_ssl_bio_change_wbio);
11241 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
11242 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
11243 ADD_TEST(test_keylog);
11245 #ifndef OSSL_NO_USABLE_TLS1_3
11246 ADD_TEST(test_keylog_no_master_key);
11248 ADD_TEST(test_client_cert_verify_cb);
11249 ADD_TEST(test_ssl_build_cert_chain);
11250 ADD_TEST(test_ssl_ctx_build_cert_chain);
11251 #ifndef OPENSSL_NO_TLS1_2
11252 ADD_TEST(test_client_hello_cb);
11253 ADD_TEST(test_no_ems);
11254 ADD_TEST(test_ccs_change_cipher);
11256 #ifndef OSSL_NO_USABLE_TLS1_3
11257 ADD_ALL_TESTS(test_early_data_read_write, 6);
11259 * We don't do replay tests for external PSK. Replay protection isn't used
11260 * in that scenario.
11262 ADD_ALL_TESTS(test_early_data_replay, 2);
11263 ADD_ALL_TESTS(test_early_data_skip, OSSL_NELEM(ciphersuites) * 3);
11264 ADD_ALL_TESTS(test_early_data_skip_hrr, OSSL_NELEM(ciphersuites) * 3);
11265 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, OSSL_NELEM(ciphersuites) * 3);
11266 ADD_ALL_TESTS(test_early_data_skip_abort, OSSL_NELEM(ciphersuites) * 3);
11267 ADD_ALL_TESTS(test_early_data_not_sent, 3);
11268 ADD_ALL_TESTS(test_early_data_psk, 8);
11269 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
11270 ADD_ALL_TESTS(test_early_data_not_expected, 3);
11271 # ifndef OPENSSL_NO_TLS1_2
11272 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
11275 #ifndef OSSL_NO_USABLE_TLS1_3
11276 ADD_ALL_TESTS(test_set_ciphersuite, 10);
11277 ADD_TEST(test_ciphersuite_change);
11278 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
11279 # ifdef OPENSSL_NO_PSK
11280 ADD_ALL_TESTS(test_tls13_psk, 1);
11282 ADD_ALL_TESTS(test_tls13_psk, 4);
11283 # endif /* OPENSSL_NO_PSK */
11284 # ifndef OPENSSL_NO_TLS1_2
11285 /* Test with both TLSv1.3 and 1.2 versions */
11286 ADD_ALL_TESTS(test_key_exchange, 14);
11287 # if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
11288 ADD_ALL_TESTS(test_negotiated_group,
11289 4 * (OSSL_NELEM(ecdhe_kexch_groups)
11290 + OSSL_NELEM(ffdhe_kexch_groups)));
11293 /* Test with only TLSv1.3 versions */
11294 ADD_ALL_TESTS(test_key_exchange, 12);
11296 ADD_ALL_TESTS(test_custom_exts, 6);
11297 ADD_TEST(test_stateless);
11298 ADD_TEST(test_pha_key_update);
11300 ADD_ALL_TESTS(test_custom_exts, 3);
11302 ADD_ALL_TESTS(test_export_key_mat, 6);
11303 #ifndef OSSL_NO_USABLE_TLS1_3
11304 ADD_ALL_TESTS(test_export_key_mat_early, 3);
11305 ADD_TEST(test_key_update);
11306 ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
11307 ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
11308 ADD_ALL_TESTS(test_key_update_local_in_write, 2);
11309 ADD_ALL_TESTS(test_key_update_local_in_read, 2);
11311 ADD_ALL_TESTS(test_ssl_clear, 2);
11312 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
11313 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
11314 ADD_ALL_TESTS(test_srp, 6);
11316 #if !defined(OPENSSL_NO_COMP_ALG)
11317 /* Add compression case */
11318 ADD_ALL_TESTS(test_info_callback, 8);
11320 ADD_ALL_TESTS(test_info_callback, 6);
11322 ADD_ALL_TESTS(test_ssl_pending, 2);
11323 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
11324 ADD_ALL_TESTS(test_ticket_callbacks, 20);
11325 ADD_ALL_TESTS(test_shutdown, 7);
11326 ADD_TEST(test_async_shutdown);
11327 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
11328 ADD_ALL_TESTS(test_cert_cb, 6);
11329 ADD_ALL_TESTS(test_client_cert_cb, 2);
11330 ADD_ALL_TESTS(test_ca_names, 3);
11331 #ifndef OPENSSL_NO_TLS1_2
11332 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
11334 ADD_ALL_TESTS(test_servername, 10);
11335 #if !defined(OPENSSL_NO_EC) \
11336 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
11337 ADD_ALL_TESTS(test_sigalgs_available, 6);
11339 #ifndef OPENSSL_NO_TLS1_3
11340 ADD_ALL_TESTS(test_pluggable_group, 2);
11341 ADD_ALL_TESTS(test_pluggable_signature, 4);
11343 #ifndef OPENSSL_NO_TLS1_2
11344 ADD_TEST(test_ssl_dup);
11345 # ifndef OPENSSL_NO_DH
11346 ADD_ALL_TESTS(test_set_tmp_dh, 11);
11347 ADD_ALL_TESTS(test_dh_auto, 7);
11350 #ifndef OSSL_NO_USABLE_TLS1_3
11351 ADD_TEST(test_sni_tls13);
11352 ADD_ALL_TESTS(test_ticket_lifetime, 2);
11354 ADD_TEST(test_inherit_verify_param);
11355 ADD_TEST(test_set_alpn);
11356 ADD_TEST(test_set_verify_cert_store_ssl_ctx);
11357 ADD_TEST(test_set_verify_cert_store_ssl);
11358 ADD_ALL_TESTS(test_session_timeout, 1);
11359 ADD_TEST(test_load_dhfile);
11360 #ifndef OSSL_NO_USABLE_TLS1_3
11361 ADD_TEST(test_read_ahead_key_change);
11362 ADD_ALL_TESTS(test_tls13_record_padding, 4);
11364 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
11365 ADD_ALL_TESTS(test_serverinfo_custom, 4);
11367 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
11368 ADD_ALL_TESTS(test_pipelining, 6);
11370 ADD_ALL_TESTS(test_version, 6);
11371 ADD_TEST(test_rstate_string);
11375 OPENSSL_free(cert);
11376 OPENSSL_free(privkey);
11377 OPENSSL_free(cert2);
11378 OPENSSL_free(privkey2);
11382 void cleanup_tests(void)
11384 # if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
11385 EVP_PKEY_free(tmp_dh_params);
11387 OPENSSL_free(cert);
11388 OPENSSL_free(privkey);
11389 OPENSSL_free(cert2);
11390 OPENSSL_free(privkey2);
11391 OPENSSL_free(cert1024);
11392 OPENSSL_free(privkey1024);
11393 OPENSSL_free(cert3072);
11394 OPENSSL_free(privkey3072);
11395 OPENSSL_free(cert4096);
11396 OPENSSL_free(privkey4096);
11397 OPENSSL_free(cert8192);
11398 OPENSSL_free(privkey8192);
11399 bio_s_mempacket_test_free();
11400 bio_s_always_retry_free();
11401 OSSL_PROVIDER_unload(defctxnull);
11402 OSSL_LIB_CTX_free(libctx);