2 * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/core_dispatch.h>
32 #include <openssl/provider.h>
33 #include <openssl/param_build.h>
34 #include <openssl/x509v3.h>
35 #include <openssl/dh.h>
36 #include <openssl/engine.h>
38 #include "helpers/ssltestlib.h"
40 #include "testutil/output.h"
41 #include "internal/nelem.h"
42 #include "internal/ktls.h"
43 #include "../ssl/ssl_local.h"
44 #include "../ssl/record/methods/recmethod_local.h"
45 #include "filterprov.h"
47 #undef OSSL_NO_USABLE_TLS1_3
48 #if defined(OPENSSL_NO_TLS1_3) \
49 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
51 * If we don't have ec or dh then there are no built-in groups that are usable
54 # define OSSL_NO_USABLE_TLS1_3
57 /* Defined in tls-provider.c */
58 int tls_provider_init(const OSSL_CORE_HANDLE *handle,
59 const OSSL_DISPATCH *in,
60 const OSSL_DISPATCH **out,
63 static OSSL_LIB_CTX *libctx = NULL;
64 static OSSL_PROVIDER *defctxnull = NULL;
66 #ifndef OSSL_NO_USABLE_TLS1_3
68 static SSL_SESSION *clientpsk = NULL;
69 static SSL_SESSION *serverpsk = NULL;
70 static const char *pskid = "Identity";
71 static const char *srvid;
73 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
74 size_t *idlen, SSL_SESSION **sess);
75 static int find_session_cb(SSL *ssl, const unsigned char *identity,
76 size_t identity_len, SSL_SESSION **sess);
78 static int use_session_cb_cnt = 0;
79 static int find_session_cb_cnt = 0;
82 static char *certsdir = NULL;
83 static char *cert = NULL;
84 static char *privkey = NULL;
85 static char *cert2 = NULL;
86 static char *privkey2 = NULL;
87 static char *cert1024 = NULL;
88 static char *privkey1024 = NULL;
89 static char *cert3072 = NULL;
90 static char *privkey3072 = NULL;
91 static char *cert4096 = NULL;
92 static char *privkey4096 = NULL;
93 static char *cert8192 = NULL;
94 static char *privkey8192 = NULL;
95 static char *srpvfile = NULL;
96 static char *tmpfilename = NULL;
97 static char *dhfile = NULL;
99 static int is_fips = 0;
100 static int fips_ems_check = 0;
102 #define LOG_BUFFER_SIZE 2048
103 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
104 static size_t server_log_buffer_index = 0;
105 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
106 static size_t client_log_buffer_index = 0;
107 static int error_writing_log = 0;
109 #ifndef OPENSSL_NO_OCSP
110 static const unsigned char orespder[] = "Dummy OCSP Response";
111 static int ocsp_server_called = 0;
112 static int ocsp_client_called = 0;
114 static int cdummyarg = 1;
115 static X509 *ocspcert = NULL;
118 #define CLIENT_VERSION_LEN 2
121 * This structure is used to validate that the correct number of log messages
122 * of various types are emitted when emitting secret logs.
124 struct sslapitest_log_counts {
125 unsigned int rsa_key_exchange_count;
126 unsigned int master_secret_count;
127 unsigned int client_early_secret_count;
128 unsigned int client_handshake_secret_count;
129 unsigned int server_handshake_secret_count;
130 unsigned int client_application_secret_count;
131 unsigned int server_application_secret_count;
132 unsigned int early_exporter_secret_count;
133 unsigned int exporter_secret_count;
137 static int hostname_cb(SSL *s, int *al, void *arg)
139 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
141 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
142 || strcmp(hostname, "altgoodhost") == 0))
143 return SSL_TLSEXT_ERR_OK;
145 return SSL_TLSEXT_ERR_NOACK;
148 static void client_keylog_callback(const SSL *ssl, const char *line)
150 int line_length = strlen(line);
152 /* If the log doesn't fit, error out. */
153 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
154 TEST_info("Client log too full");
155 error_writing_log = 1;
159 strcat(client_log_buffer, line);
160 client_log_buffer_index += line_length;
161 client_log_buffer[client_log_buffer_index++] = '\n';
164 static void server_keylog_callback(const SSL *ssl, const char *line)
166 int line_length = strlen(line);
168 /* If the log doesn't fit, error out. */
169 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
170 TEST_info("Server log too full");
171 error_writing_log = 1;
175 strcat(server_log_buffer, line);
176 server_log_buffer_index += line_length;
177 server_log_buffer[server_log_buffer_index++] = '\n';
180 static int compare_hex_encoded_buffer(const char *hex_encoded,
188 if (!TEST_size_t_eq(raw_length * 2, hex_length))
191 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
192 sprintf(hexed, "%02x", raw[i]);
193 if (!TEST_int_eq(hexed[0], hex_encoded[j])
194 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
201 static int test_keylog_output(char *buffer, const SSL *ssl,
202 const SSL_SESSION *session,
203 struct sslapitest_log_counts *expected)
206 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
207 size_t client_random_size = SSL3_RANDOM_SIZE;
208 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
209 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
210 unsigned int rsa_key_exchange_count = 0;
211 unsigned int master_secret_count = 0;
212 unsigned int client_early_secret_count = 0;
213 unsigned int client_handshake_secret_count = 0;
214 unsigned int server_handshake_secret_count = 0;
215 unsigned int client_application_secret_count = 0;
216 unsigned int server_application_secret_count = 0;
217 unsigned int early_exporter_secret_count = 0;
218 unsigned int exporter_secret_count = 0;
220 for (token = strtok(buffer, " \n"); token != NULL;
221 token = strtok(NULL, " \n")) {
222 if (strcmp(token, "RSA") == 0) {
224 * Premaster secret. Tokens should be: 16 ASCII bytes of
225 * hex-encoded encrypted secret, then the hex-encoded pre-master
228 if (!TEST_ptr(token = strtok(NULL, " \n")))
230 if (!TEST_size_t_eq(strlen(token), 16))
232 if (!TEST_ptr(token = strtok(NULL, " \n")))
235 * We can't sensibly check the log because the premaster secret is
236 * transient, and OpenSSL doesn't keep hold of it once the master
237 * secret is generated.
239 rsa_key_exchange_count++;
240 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
242 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
243 * client random, then the hex-encoded master secret.
245 client_random_size = SSL_get_client_random(ssl,
246 actual_client_random,
248 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
251 if (!TEST_ptr(token = strtok(NULL, " \n")))
253 if (!TEST_size_t_eq(strlen(token), 64))
255 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
256 actual_client_random,
257 client_random_size)))
260 if (!TEST_ptr(token = strtok(NULL, " \n")))
262 master_key_size = SSL_SESSION_get_master_key(session,
265 if (!TEST_size_t_ne(master_key_size, 0))
267 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
271 master_secret_count++;
272 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
273 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
274 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
275 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
276 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
277 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
278 || strcmp(token, "EXPORTER_SECRET") == 0) {
280 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
281 * client random, and then the hex-encoded secret. In this case,
282 * we treat all of these secrets identically and then just
283 * distinguish between them when counting what we saw.
285 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
286 client_early_secret_count++;
287 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
288 client_handshake_secret_count++;
289 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
290 server_handshake_secret_count++;
291 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
292 client_application_secret_count++;
293 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
294 server_application_secret_count++;
295 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
296 early_exporter_secret_count++;
297 else if (strcmp(token, "EXPORTER_SECRET") == 0)
298 exporter_secret_count++;
300 client_random_size = SSL_get_client_random(ssl,
301 actual_client_random,
303 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
306 if (!TEST_ptr(token = strtok(NULL, " \n")))
308 if (!TEST_size_t_eq(strlen(token), 64))
310 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
311 actual_client_random,
312 client_random_size)))
315 if (!TEST_ptr(token = strtok(NULL, " \n")))
318 TEST_info("Unexpected token %s\n", token);
323 /* Got what we expected? */
324 if (!TEST_size_t_eq(rsa_key_exchange_count,
325 expected->rsa_key_exchange_count)
326 || !TEST_size_t_eq(master_secret_count,
327 expected->master_secret_count)
328 || !TEST_size_t_eq(client_early_secret_count,
329 expected->client_early_secret_count)
330 || !TEST_size_t_eq(client_handshake_secret_count,
331 expected->client_handshake_secret_count)
332 || !TEST_size_t_eq(server_handshake_secret_count,
333 expected->server_handshake_secret_count)
334 || !TEST_size_t_eq(client_application_secret_count,
335 expected->client_application_secret_count)
336 || !TEST_size_t_eq(server_application_secret_count,
337 expected->server_application_secret_count)
338 || !TEST_size_t_eq(early_exporter_secret_count,
339 expected->early_exporter_secret_count)
340 || !TEST_size_t_eq(exporter_secret_count,
341 expected->exporter_secret_count))
346 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
347 static int test_keylog(void)
349 SSL_CTX *cctx = NULL, *sctx = NULL;
350 SSL *clientssl = NULL, *serverssl = NULL;
352 struct sslapitest_log_counts expected;
354 /* Clean up logging space */
355 memset(&expected, 0, sizeof(expected));
356 memset(client_log_buffer, 0, sizeof(client_log_buffer));
357 memset(server_log_buffer, 0, sizeof(server_log_buffer));
358 client_log_buffer_index = 0;
359 server_log_buffer_index = 0;
360 error_writing_log = 0;
362 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
365 &sctx, &cctx, cert, privkey)))
368 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
369 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
370 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
372 /* We also want to ensure that we use RSA-based key exchange. */
373 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
376 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
377 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
379 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
380 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
381 == client_keylog_callback))
383 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
384 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
385 == server_keylog_callback))
388 /* Now do a handshake and check that the logs have been written to. */
389 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
390 &clientssl, NULL, NULL))
391 || !TEST_true(create_ssl_connection(serverssl, clientssl,
393 || !TEST_false(error_writing_log)
394 || !TEST_int_gt(client_log_buffer_index, 0)
395 || !TEST_int_gt(server_log_buffer_index, 0))
399 * Now we want to test that our output data was vaguely sensible. We
400 * do that by using strtok and confirming that we have more or less the
401 * data we expect. For both client and server, we expect to see one master
402 * secret. The client should also see an RSA key exchange.
404 expected.rsa_key_exchange_count = 1;
405 expected.master_secret_count = 1;
406 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
407 SSL_get_session(clientssl), &expected)))
410 expected.rsa_key_exchange_count = 0;
411 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
412 SSL_get_session(serverssl), &expected)))
427 #ifndef OSSL_NO_USABLE_TLS1_3
428 static int test_keylog_no_master_key(void)
430 SSL_CTX *cctx = NULL, *sctx = NULL;
431 SSL *clientssl = NULL, *serverssl = NULL;
432 SSL_SESSION *sess = NULL;
434 struct sslapitest_log_counts expected;
435 unsigned char buf[1];
436 size_t readbytes, written;
438 /* Clean up logging space */
439 memset(&expected, 0, sizeof(expected));
440 memset(client_log_buffer, 0, sizeof(client_log_buffer));
441 memset(server_log_buffer, 0, sizeof(server_log_buffer));
442 client_log_buffer_index = 0;
443 server_log_buffer_index = 0;
444 error_writing_log = 0;
446 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
447 TLS_client_method(), TLS1_VERSION, 0,
448 &sctx, &cctx, cert, privkey))
449 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
450 SSL3_RT_MAX_PLAIN_LENGTH)))
453 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
454 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
457 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
458 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
459 == client_keylog_callback))
462 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
463 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
464 == server_keylog_callback))
467 /* Now do a handshake and check that the logs have been written to. */
468 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
469 &clientssl, NULL, NULL))
470 || !TEST_true(create_ssl_connection(serverssl, clientssl,
472 || !TEST_false(error_writing_log))
476 * Now we want to test that our output data was vaguely sensible. For this
477 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
478 * TLSv1.3, but we do expect both client and server to emit keys.
480 expected.client_handshake_secret_count = 1;
481 expected.server_handshake_secret_count = 1;
482 expected.client_application_secret_count = 1;
483 expected.server_application_secret_count = 1;
484 expected.exporter_secret_count = 1;
485 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
486 SSL_get_session(clientssl), &expected))
487 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
488 SSL_get_session(serverssl),
492 /* Terminate old session and resume with early data. */
493 sess = SSL_get1_session(clientssl);
494 SSL_shutdown(clientssl);
495 SSL_shutdown(serverssl);
498 serverssl = clientssl = NULL;
501 memset(client_log_buffer, 0, sizeof(client_log_buffer));
502 memset(server_log_buffer, 0, sizeof(server_log_buffer));
503 client_log_buffer_index = 0;
504 server_log_buffer_index = 0;
506 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
507 &clientssl, NULL, NULL))
508 || !TEST_true(SSL_set_session(clientssl, sess))
509 /* Here writing 0 length early data is enough. */
510 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
511 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
513 SSL_READ_EARLY_DATA_ERROR)
514 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
515 SSL_EARLY_DATA_ACCEPTED)
516 || !TEST_true(create_ssl_connection(serverssl, clientssl,
518 || !TEST_true(SSL_session_reused(clientssl)))
521 /* In addition to the previous entries, expect early secrets. */
522 expected.client_early_secret_count = 1;
523 expected.early_exporter_secret_count = 1;
524 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
525 SSL_get_session(clientssl), &expected))
526 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
527 SSL_get_session(serverssl),
534 SSL_SESSION_free(sess);
544 static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
546 int res = X509_verify_cert(ctx);
547 int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
550 /* this should not happen but check anyway */
552 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL)
555 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
556 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
557 /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
558 return SSL_set_retry_verify(ssl);
563 static int test_client_cert_verify_cb(void)
565 /* server key, cert, chain, and root */
566 char *skey = test_mk_file_path(certsdir, "leaf.key");
567 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
568 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
569 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
570 char *root = test_mk_file_path(certsdir, "rootCA.pem");
571 X509 *crt1 = NULL, *crt2 = NULL;
572 STACK_OF(X509) *server_chain;
573 SSL_CTX *cctx = NULL, *sctx = NULL;
574 SSL *clientssl = NULL, *serverssl = NULL;
577 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
578 TLS_client_method(), TLS1_VERSION, 0,
579 &sctx, &cctx, NULL, NULL)))
581 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
582 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
583 SSL_FILETYPE_PEM), 1)
584 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
586 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
588 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
589 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
590 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
591 &clientssl, NULL, NULL)))
594 /* attempt SSL_connect() with incomplete server chain */
595 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
596 SSL_ERROR_WANT_RETRY_VERIFY)))
599 /* application provides intermediate certs needed to verify server cert */
600 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
601 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
602 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
604 /* add certs in reverse order to demonstrate real chain building */
605 if (!TEST_true(sk_X509_push(server_chain, crt1)))
608 if (!TEST_true(sk_X509_push(server_chain, crt2)))
612 /* continue SSL_connect(), must now succeed with completed server chain */
613 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
622 if (clientssl != NULL) {
623 SSL_shutdown(clientssl);
626 if (serverssl != NULL) {
627 SSL_shutdown(serverssl);
642 static int test_ssl_build_cert_chain(void)
645 SSL_CTX *ssl_ctx = NULL;
647 char *skey = test_mk_file_path(certsdir, "leaf.key");
648 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
650 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
652 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
654 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
655 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
656 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
657 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
659 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
660 | SSL_BUILD_CHAIN_FLAG_CHECK)))
665 SSL_CTX_free(ssl_ctx);
666 OPENSSL_free(leaf_chain);
671 static int get_password_cb(char *buf, int size, int rw_flag, void *userdata)
673 static const char pass[] = "testpass";
675 if (!TEST_int_eq(size, PEM_BUFSIZE))
678 memcpy(buf, pass, sizeof(pass) - 1);
679 return sizeof(pass) - 1;
682 static int test_ssl_ctx_build_cert_chain(void)
686 char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key");
687 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
689 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
691 SSL_CTX_set_default_passwd_cb(ctx, get_password_cb);
692 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
693 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
694 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
695 SSL_FILETYPE_PEM), 1)
696 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
698 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
699 | SSL_BUILD_CHAIN_FLAG_CHECK)))
704 OPENSSL_free(leaf_chain);
709 #ifndef OPENSSL_NO_TLS1_2
710 static int full_client_hello_callback(SSL *s, int *al, void *arg)
713 const unsigned char *p;
715 /* We only configure two ciphers, but the SCSV is added automatically. */
717 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
719 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
722 const int expected_extensions[] = {
723 #ifndef OPENSSL_NO_EC
729 /* Make sure we can defer processing and get called back. */
731 return SSL_CLIENT_HELLO_RETRY;
733 len = SSL_client_hello_get0_ciphers(s, &p);
734 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
736 SSL_client_hello_get0_compression_methods(s, &p), 1)
737 || !TEST_int_eq(*p, 0))
738 return SSL_CLIENT_HELLO_ERROR;
739 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
740 return SSL_CLIENT_HELLO_ERROR;
741 if (len != OSSL_NELEM(expected_extensions) ||
742 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
743 printf("ClientHello callback expected extensions mismatch\n");
745 return SSL_CLIENT_HELLO_ERROR;
748 return SSL_CLIENT_HELLO_SUCCESS;
751 static int test_client_hello_cb(void)
753 SSL_CTX *cctx = NULL, *sctx = NULL;
754 SSL *clientssl = NULL, *serverssl = NULL;
755 int testctr = 0, testresult = 0;
757 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
758 TLS_client_method(), TLS1_VERSION, 0,
759 &sctx, &cctx, cert, privkey)))
761 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
763 /* The gimpy cipher list we configure can't do TLS 1.3. */
764 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
766 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
767 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
768 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
769 &clientssl, NULL, NULL))
770 || !TEST_false(create_ssl_connection(serverssl, clientssl,
771 SSL_ERROR_WANT_CLIENT_HELLO_CB))
773 * Passing a -1 literal is a hack since
774 * the real value was lost.
776 || !TEST_int_eq(SSL_get_error(serverssl, -1),
777 SSL_ERROR_WANT_CLIENT_HELLO_CB)
778 || !TEST_true(create_ssl_connection(serverssl, clientssl,
793 static int test_no_ems(void)
795 SSL_CTX *cctx = NULL, *sctx = NULL;
796 SSL *clientssl = NULL, *serverssl = NULL;
797 int testresult = 0, status;
799 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
800 TLS1_VERSION, TLS1_2_VERSION,
801 &sctx, &cctx, cert, privkey)) {
802 printf("Unable to create SSL_CTX pair\n");
806 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
808 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
809 printf("Unable to create SSL objects\n");
813 status = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
814 if (fips_ems_check) {
816 printf("When FIPS uses the EMS check a connection that doesn't use EMS should fail\n");
821 printf("Creating SSL connection failed\n");
824 if (SSL_get_extms_support(serverssl)) {
825 printf("Server reports Extended Master Secret support\n");
828 if (SSL_get_extms_support(clientssl)) {
829 printf("Client reports Extended Master Secret support\n");
845 * Very focused test to exercise a single case in the server-side state
846 * machine, when the ChangeCipherState message needs to actually change
847 * from one cipher to a different cipher (i.e., not changing from null
848 * encryption to real encryption).
850 static int test_ccs_change_cipher(void)
852 SSL_CTX *cctx = NULL, *sctx = NULL;
853 SSL *clientssl = NULL, *serverssl = NULL;
854 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
861 * Create a connection so we can resume and potentially (but not) use
862 * a different cipher in the second connection.
864 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
866 TLS1_VERSION, TLS1_2_VERSION,
867 &sctx, &cctx, cert, privkey))
868 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
869 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
871 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
872 || !TEST_true(create_ssl_connection(serverssl, clientssl,
874 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
875 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
878 shutdown_ssl_connection(serverssl, clientssl);
879 serverssl = clientssl = NULL;
881 /* Resume, preferring a different cipher. Our server will force the
882 * same cipher to be used as the initial handshake. */
883 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
885 || !TEST_true(SSL_set_session(clientssl, sess))
886 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
887 || !TEST_true(create_ssl_connection(serverssl, clientssl,
889 || !TEST_true(SSL_session_reused(clientssl))
890 || !TEST_true(SSL_session_reused(serverssl))
891 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
892 || !TEST_ptr_eq(sesspre, sesspost)
893 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
894 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
896 shutdown_ssl_connection(serverssl, clientssl);
897 serverssl = clientssl = NULL;
900 * Now create a fresh connection and try to renegotiate a different
903 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
905 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
906 || !TEST_true(create_ssl_connection(serverssl, clientssl,
908 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
909 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
910 || !TEST_true(SSL_renegotiate(clientssl))
911 || !TEST_true(SSL_renegotiate_pending(clientssl)))
913 /* Actually drive the renegotiation. */
914 for (i = 0; i < 3; i++) {
915 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
916 if (!TEST_ulong_eq(readbytes, 0))
918 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
919 SSL_ERROR_WANT_READ)) {
922 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
923 if (!TEST_ulong_eq(readbytes, 0))
925 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
926 SSL_ERROR_WANT_READ)) {
930 /* sesspre and sesspost should be different since the cipher changed. */
931 if (!TEST_false(SSL_renegotiate_pending(clientssl))
932 || !TEST_false(SSL_session_reused(clientssl))
933 || !TEST_false(SSL_session_reused(serverssl))
934 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
935 || !TEST_ptr_ne(sesspre, sesspost)
936 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
937 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
940 shutdown_ssl_connection(serverssl, clientssl);
941 serverssl = clientssl = NULL;
950 SSL_SESSION_free(sess);
956 static int execute_test_large_message(const SSL_METHOD *smeth,
957 const SSL_METHOD *cmeth,
958 int min_version, int max_version,
961 SSL_CTX *cctx = NULL, *sctx = NULL;
962 SSL *clientssl = NULL, *serverssl = NULL;
965 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
966 max_version, &sctx, &cctx, cert,
970 #ifdef OPENSSL_NO_DTLS1_2
971 if (smeth == DTLS_server_method()) {
973 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
976 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
977 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
978 "DEFAULT:@SECLEVEL=0")))
985 * Test that read_ahead works correctly when dealing with large
988 SSL_CTX_set_read_ahead(cctx, 1);
991 if (!ssl_ctx_add_large_cert_chain(libctx, sctx, cert))
994 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
996 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1001 * Calling SSL_clear() first is not required but this tests that SSL_clear()
1004 if (!TEST_true(SSL_clear(serverssl)))
1009 SSL_free(serverssl);
1010 SSL_free(clientssl);
1017 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
1018 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
1019 /* sock must be connected */
1020 static int ktls_chk_platform(int sock)
1022 if (!ktls_enable(sock))
1027 static int ping_pong_query(SSL *clientssl, SSL *serverssl)
1029 static char count = 1;
1030 unsigned char cbuf[16000] = {0};
1031 unsigned char sbuf[16000];
1033 char crec_wseq_before[SEQ_NUM_SIZE];
1034 char crec_wseq_after[SEQ_NUM_SIZE];
1035 char crec_rseq_before[SEQ_NUM_SIZE];
1036 char crec_rseq_after[SEQ_NUM_SIZE];
1037 char srec_wseq_before[SEQ_NUM_SIZE];
1038 char srec_wseq_after[SEQ_NUM_SIZE];
1039 char srec_rseq_before[SEQ_NUM_SIZE];
1040 char srec_rseq_after[SEQ_NUM_SIZE];
1041 SSL_CONNECTION *clientsc, *serversc;
1043 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1044 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1048 memcpy(crec_wseq_before, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1049 memcpy(srec_wseq_before, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1050 memcpy(crec_rseq_before, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1051 memcpy(srec_rseq_before, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1053 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1056 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1057 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1062 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1065 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1066 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1071 memcpy(crec_wseq_after, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1072 memcpy(srec_wseq_after, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1073 memcpy(crec_rseq_after, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1074 memcpy(srec_rseq_after, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1076 /* verify the payload */
1077 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1081 * If ktls is used then kernel sequences are used instead of
1084 if (!BIO_get_ktls_send(clientsc->wbio)) {
1085 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1086 crec_wseq_after, SEQ_NUM_SIZE))
1089 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1090 crec_wseq_after, SEQ_NUM_SIZE))
1094 if (!BIO_get_ktls_send(serversc->wbio)) {
1095 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1096 srec_wseq_after, SEQ_NUM_SIZE))
1099 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1100 srec_wseq_after, SEQ_NUM_SIZE))
1104 if (!BIO_get_ktls_recv(clientsc->wbio)) {
1105 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1106 crec_rseq_after, SEQ_NUM_SIZE))
1109 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1110 crec_rseq_after, SEQ_NUM_SIZE))
1114 if (!BIO_get_ktls_recv(serversc->wbio)) {
1115 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1116 srec_rseq_after, SEQ_NUM_SIZE))
1119 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1120 srec_rseq_after, SEQ_NUM_SIZE))
1129 static int execute_test_ktls(int cis_ktls, int sis_ktls,
1130 int tls_version, const char *cipher)
1132 SSL_CTX *cctx = NULL, *sctx = NULL;
1133 SSL *clientssl = NULL, *serverssl = NULL;
1134 int ktls_used = 0, testresult = 0;
1135 int cfd = -1, sfd = -1;
1137 SSL_CONNECTION *clientsc, *serversc;
1139 if (!TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
1142 /* Skip this test if the platform does not support ktls */
1143 if (!ktls_chk_platform(cfd)) {
1144 testresult = TEST_skip("Kernel does not support KTLS");
1148 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1149 testresult = TEST_skip("CHACHA is not supported in FIPS");
1153 /* Create a session based on SHA-256 */
1154 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1155 TLS_client_method(),
1156 tls_version, tls_version,
1157 &sctx, &cctx, cert, privkey)))
1160 if (tls_version == TLS1_3_VERSION) {
1161 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1162 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1165 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1166 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1170 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1171 &clientssl, sfd, cfd)))
1174 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1175 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1179 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
1184 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1188 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1192 * The running kernel may not support a given cipher suite
1193 * or direction, so just check that KTLS isn't used when it
1197 if (!TEST_false(BIO_get_ktls_send(clientsc->wbio)))
1200 if (BIO_get_ktls_send(clientsc->wbio))
1205 if (!TEST_false(BIO_get_ktls_send(serversc->wbio)))
1208 if (BIO_get_ktls_send(serversc->wbio))
1212 #if defined(OPENSSL_NO_KTLS_RX)
1217 if (!cis_ktls || !rx_supported) {
1218 if (!TEST_false(BIO_get_ktls_recv(clientsc->rbio)))
1221 if (BIO_get_ktls_send(clientsc->rbio))
1225 if (!sis_ktls || !rx_supported) {
1226 if (!TEST_false(BIO_get_ktls_recv(serversc->rbio)))
1229 if (BIO_get_ktls_send(serversc->rbio))
1233 if ((cis_ktls || sis_ktls) && !ktls_used) {
1234 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1235 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1240 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
1246 SSL_shutdown(clientssl);
1247 SSL_free(clientssl);
1250 SSL_shutdown(serverssl);
1251 SSL_free(serverssl);
1255 serverssl = clientssl = NULL;
1263 #define SENDFILE_SZ (16 * 4096)
1264 #define SENDFILE_CHUNK (4 * 4096)
1265 #define min(a,b) ((a) > (b) ? (b) : (a))
1267 static int execute_test_ktls_sendfile(int tls_version, const char *cipher,
1270 SSL_CTX *cctx = NULL, *sctx = NULL;
1271 SSL *clientssl = NULL, *serverssl = NULL;
1272 unsigned char *buf, *buf_dst;
1273 BIO *out = NULL, *in = NULL;
1274 int cfd = -1, sfd = -1, ffd, err;
1275 ssize_t chunk_size = 0;
1276 off_t chunk_off = 0;
1279 SSL_CONNECTION *serversc;
1281 buf = OPENSSL_zalloc(SENDFILE_SZ);
1282 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1283 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1284 || !TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
1287 /* Skip this test if the platform does not support ktls */
1288 if (!ktls_chk_platform(sfd)) {
1289 testresult = TEST_skip("Kernel does not support KTLS");
1293 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1294 testresult = TEST_skip("CHACHA is not supported in FIPS");
1298 /* Create a session based on SHA-256 */
1299 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1300 TLS_client_method(),
1301 tls_version, tls_version,
1302 &sctx, &cctx, cert, privkey)))
1305 if (tls_version == TLS1_3_VERSION) {
1306 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1307 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1310 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1311 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1315 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1316 &clientssl, sfd, cfd)))
1319 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1322 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1326 if (!TEST_true(SSL_set_options(serverssl,
1327 SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE)))
1331 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1335 if (!BIO_get_ktls_send(serversc->wbio)) {
1336 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1337 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1342 if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
1345 out = BIO_new_file(tmpfilename, "wb");
1349 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1354 in = BIO_new_file(tmpfilename, "rb");
1355 BIO_get_fp(in, &ffdp);
1358 while (chunk_off < SENDFILE_SZ) {
1359 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1360 while ((err = SSL_sendfile(serverssl,
1364 0)) != chunk_size) {
1365 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1368 while ((err = SSL_read(clientssl,
1369 buf_dst + chunk_off,
1370 chunk_size)) != chunk_size) {
1371 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1375 /* verify the payload */
1376 if (!TEST_mem_eq(buf_dst + chunk_off,
1382 chunk_off += chunk_size;
1388 SSL_shutdown(clientssl);
1389 SSL_free(clientssl);
1392 SSL_shutdown(serverssl);
1393 SSL_free(serverssl);
1397 serverssl = clientssl = NULL;
1405 OPENSSL_free(buf_dst);
1409 static struct ktls_test_cipher {
1412 } ktls_test_ciphers[] = {
1413 # if !defined(OPENSSL_NO_TLS1_2)
1414 # ifdef OPENSSL_KTLS_AES_GCM_128
1415 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1417 # ifdef OPENSSL_KTLS_AES_CCM_128
1418 { TLS1_2_VERSION, "AES128-CCM"},
1420 # ifdef OPENSSL_KTLS_AES_GCM_256
1421 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1423 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1424 # ifndef OPENSSL_NO_EC
1425 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
1429 # if !defined(OSSL_NO_USABLE_TLS1_3)
1430 # ifdef OPENSSL_KTLS_AES_GCM_128
1431 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1433 # ifdef OPENSSL_KTLS_AES_CCM_128
1434 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1436 # ifdef OPENSSL_KTLS_AES_GCM_256
1437 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1439 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1440 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1445 #define NUM_KTLS_TEST_CIPHERS \
1446 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1448 static int test_ktls(int test)
1450 struct ktls_test_cipher *cipher;
1451 int cis_ktls, sis_ktls;
1453 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
1454 cipher = &ktls_test_ciphers[test / 4];
1456 cis_ktls = (test & 1) != 0;
1457 sis_ktls = (test & 2) != 0;
1459 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1463 static int test_ktls_sendfile(int test)
1465 struct ktls_test_cipher *cipher;
1466 int tst = test >> 1;
1468 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
1469 cipher = &ktls_test_ciphers[tst];
1471 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher,
1476 static int test_large_message_tls(void)
1478 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1479 TLS1_VERSION, 0, 0);
1482 static int test_large_message_tls_read_ahead(void)
1484 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1485 TLS1_VERSION, 0, 1);
1488 #ifndef OPENSSL_NO_DTLS
1489 static int test_large_message_dtls(void)
1491 # ifdef OPENSSL_NO_DTLS1_2
1492 /* Not supported in the FIPS provider */
1497 * read_ahead is not relevant to DTLS because DTLS always acts as if
1498 * read_ahead is set.
1500 return execute_test_large_message(DTLS_server_method(),
1501 DTLS_client_method(),
1502 DTLS1_VERSION, 0, 0);
1507 * Test we can successfully send the maximum amount of application data. We
1508 * test each protocol version individually, each with and without EtM enabled.
1509 * TLSv1.3 doesn't use EtM so technically it is redundant to test both but it is
1510 * simpler this way. We also test all combinations with and without the
1511 * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option which affects the size of the
1512 * underlying buffer.
1514 static int test_large_app_data(int tst)
1516 SSL_CTX *cctx = NULL, *sctx = NULL;
1517 SSL *clientssl = NULL, *serverssl = NULL;
1518 int testresult = 0, prot;
1519 unsigned char *msg, *buf = NULL;
1520 size_t written, readbytes;
1521 const SSL_METHOD *smeth = TLS_server_method();
1522 const SSL_METHOD *cmeth = TLS_client_method();
1526 #ifndef OSSL_NO_USABLE_TLS1_3
1527 prot = TLS1_3_VERSION;
1534 #ifndef OPENSSL_NO_TLS1_2
1535 prot = TLS1_2_VERSION;
1542 #ifndef OPENSSL_NO_TLS1_1
1543 prot = TLS1_1_VERSION;
1550 #ifndef OPENSSL_NO_TLS1
1551 prot = TLS1_VERSION;
1558 #ifndef OPENSSL_NO_SSL3
1559 prot = SSL3_VERSION;
1566 #ifndef OPENSSL_NO_DTLS1_2
1567 prot = DTLS1_2_VERSION;
1568 smeth = DTLS_server_method();
1569 cmeth = DTLS_client_method();
1576 #ifndef OPENSSL_NO_DTLS1
1577 prot = DTLS1_VERSION;
1578 smeth = DTLS_server_method();
1579 cmeth = DTLS_client_method();
1586 /* Shouldn't happen */
1590 if ((prot < TLS1_2_VERSION || prot == DTLS1_VERSION) && is_fips)
1593 /* Maximal sized message of zeros */
1594 msg = OPENSSL_zalloc(SSL3_RT_MAX_PLAIN_LENGTH);
1598 buf = OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH + 1);
1601 /* Set whole buffer to all bits set */
1602 memset(buf, 0xff, SSL3_RT_MAX_PLAIN_LENGTH + 1);
1604 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, prot, prot,
1605 &sctx, &cctx, cert, privkey)))
1608 if (prot < TLS1_2_VERSION || prot == DTLS1_VERSION) {
1609 /* Older protocol versions need SECLEVEL=0 due to SHA1 usage */
1610 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0"))
1611 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
1612 "DEFAULT:@SECLEVEL=0")))
1616 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1617 &clientssl, NULL, NULL)))
1620 if ((tst & 1) != 0) {
1621 /* Setting this option gives us a minimally sized underlying buffer */
1622 if (!TEST_true(SSL_set_options(serverssl,
1623 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
1624 || !TEST_true(SSL_set_options(clientssl,
1625 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)))
1629 if ((tst & 2) != 0) {
1631 * Setting this option means the MAC is added before encryption
1632 * giving us a larger record for the encryption process
1634 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC))
1635 || !TEST_true(SSL_set_options(clientssl,
1636 SSL_OP_NO_ENCRYPT_THEN_MAC)))
1640 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1643 if (!TEST_true(SSL_write_ex(clientssl, msg, SSL3_RT_MAX_PLAIN_LENGTH,
1645 || !TEST_size_t_eq(written, SSL3_RT_MAX_PLAIN_LENGTH))
1648 /* We provide a buffer slightly larger than what we are actually expecting */
1649 if (!TEST_true(SSL_read_ex(serverssl, buf, SSL3_RT_MAX_PLAIN_LENGTH + 1,
1653 if (!TEST_mem_eq(msg, written, buf, readbytes))
1660 SSL_free(serverssl);
1661 SSL_free(clientssl);
1667 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) \
1668 || !defined(OPENSSL_NO_DTLS)
1669 static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1670 const SSL_METHOD *cmeth,
1671 int min_version, int max_version)
1674 SSL_CTX *cctx = NULL, *sctx = NULL;
1675 SSL *clientssl = NULL, *serverssl = NULL;
1677 const unsigned char *zbuf;
1678 SSL_CONNECTION *serversc;
1681 static unsigned char cbuf[16000];
1682 static unsigned char sbuf[16000];
1684 if (!TEST_true(create_ssl_ctx_pair(libctx,
1686 min_version, max_version,
1691 # ifdef OPENSSL_NO_DTLS1_2
1692 if (smeth == DTLS_server_method()) {
1693 /* Not supported in the FIPS provider */
1699 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1702 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1703 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1704 "DEFAULT:@SECLEVEL=0")))
1709 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1713 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1716 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1720 for (i = 0; i < sizeof(cbuf); i++) {
1724 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1727 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1730 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1734 * Since we called SSL_peek(), we know the data in the record
1735 * layer is a plaintext record. We can gather the pointer to check
1736 * for zeroization after SSL_read().
1738 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1740 rr = serversc->rlayer.tlsrecs;
1742 zbuf = &rr->data[rr->off];
1743 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1747 * After SSL_peek() the plaintext must still be stored in the
1750 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1753 memset(sbuf, 0, sizeof(sbuf));
1754 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1757 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1760 /* Check if rbuf is cleansed */
1761 memset(cbuf, 0, sizeof(cbuf));
1762 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1767 SSL_free(serverssl);
1768 SSL_free(clientssl);
1775 * !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
1776 * || !defined(OPENSSL_NO_DTLS)
1779 static int test_cleanse_plaintext(void)
1781 #if !defined(OPENSSL_NO_TLS1_2)
1782 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1783 TLS_client_method(),
1790 #if !defined(OSSL_NO_USABLE_TLS1_3)
1791 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1792 TLS_client_method(),
1798 #if !defined(OPENSSL_NO_DTLS)
1800 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1801 DTLS_client_method(),
1809 #ifndef OPENSSL_NO_OCSP
1810 static int ocsp_server_cb(SSL *s, void *arg)
1812 int *argi = (int *)arg;
1813 unsigned char *copy = NULL;
1814 STACK_OF(OCSP_RESPID) *ids = NULL;
1815 OCSP_RESPID *id = NULL;
1818 /* In this test we are expecting exactly 1 OCSP_RESPID */
1819 SSL_get_tlsext_status_ids(s, &ids);
1820 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1821 return SSL_TLSEXT_ERR_ALERT_FATAL;
1823 id = sk_OCSP_RESPID_value(ids, 0);
1824 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1825 return SSL_TLSEXT_ERR_ALERT_FATAL;
1826 } else if (*argi != 1) {
1827 return SSL_TLSEXT_ERR_ALERT_FATAL;
1830 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1831 return SSL_TLSEXT_ERR_ALERT_FATAL;
1833 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1834 sizeof(orespder)))) {
1836 return SSL_TLSEXT_ERR_ALERT_FATAL;
1838 ocsp_server_called = 1;
1839 return SSL_TLSEXT_ERR_OK;
1842 static int ocsp_client_cb(SSL *s, void *arg)
1844 int *argi = (int *)arg;
1845 const unsigned char *respderin;
1848 if (*argi != 1 && *argi != 2)
1851 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1852 if (!TEST_mem_eq(orespder, len, respderin, len))
1855 ocsp_client_called = 1;
1859 static int test_tlsext_status_type(void)
1861 SSL_CTX *cctx = NULL, *sctx = NULL;
1862 SSL *clientssl = NULL, *serverssl = NULL;
1864 STACK_OF(OCSP_RESPID) *ids = NULL;
1865 OCSP_RESPID *id = NULL;
1866 BIO *certbio = NULL;
1868 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1870 &sctx, &cctx, cert, privkey))
1873 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1876 /* First just do various checks getting and setting tlsext_status_type */
1878 clientssl = SSL_new(cctx);
1879 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1880 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1881 TLSEXT_STATUSTYPE_ocsp))
1882 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1883 TLSEXT_STATUSTYPE_ocsp))
1886 SSL_free(clientssl);
1889 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1890 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1893 clientssl = SSL_new(cctx);
1894 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1896 SSL_free(clientssl);
1900 * Now actually do a handshake and check OCSP information is exchanged and
1901 * the callbacks get called
1903 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1904 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1905 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1906 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1907 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1908 &clientssl, NULL, NULL))
1909 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1911 || !TEST_true(ocsp_client_called)
1912 || !TEST_true(ocsp_server_called))
1914 SSL_free(serverssl);
1915 SSL_free(clientssl);
1919 /* Try again but this time force the server side callback to fail */
1920 ocsp_client_called = 0;
1921 ocsp_server_called = 0;
1923 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1924 &clientssl, NULL, NULL))
1925 /* This should fail because the callback will fail */
1926 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1928 || !TEST_false(ocsp_client_called)
1929 || !TEST_false(ocsp_server_called))
1931 SSL_free(serverssl);
1932 SSL_free(clientssl);
1937 * This time we'll get the client to send an OCSP_RESPID that it will
1940 ocsp_client_called = 0;
1941 ocsp_server_called = 0;
1943 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1944 &clientssl, NULL, NULL)))
1948 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1949 * specific one. We'll use the server cert.
1951 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1952 || !TEST_ptr(id = OCSP_RESPID_new())
1953 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1954 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
1955 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
1956 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1957 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1960 SSL_set_tlsext_status_ids(clientssl, ids);
1961 /* Control has been transferred */
1967 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1969 || !TEST_true(ocsp_client_called)
1970 || !TEST_true(ocsp_server_called))
1976 SSL_free(serverssl);
1977 SSL_free(clientssl);
1980 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1981 OCSP_RESPID_free(id);
1983 X509_free(ocspcert);
1990 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1991 static int new_called, remove_called, get_called;
1993 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1997 * sess has been up-refed for us, but we don't actually need it so free it
2000 SSL_SESSION_free(sess);
2004 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
2009 static SSL_SESSION *get_sess_val = NULL;
2011 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
2016 return get_sess_val;
2019 static int execute_test_session(int maxprot, int use_int_cache,
2020 int use_ext_cache, long s_options)
2022 SSL_CTX *sctx = NULL, *cctx = NULL;
2023 SSL *serverssl1 = NULL, *clientssl1 = NULL;
2024 SSL *serverssl2 = NULL, *clientssl2 = NULL;
2025 # ifndef OPENSSL_NO_TLS1_1
2026 SSL *serverssl3 = NULL, *clientssl3 = NULL;
2028 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
2029 int testresult = 0, numnewsesstick = 1;
2031 new_called = remove_called = 0;
2033 /* TLSv1.3 sends 2 NewSessionTickets */
2034 if (maxprot == TLS1_3_VERSION)
2037 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2038 TLS_client_method(), TLS1_VERSION, 0,
2039 &sctx, &cctx, cert, privkey)))
2043 * Only allow the max protocol version so we can force a connection failure
2046 SSL_CTX_set_min_proto_version(cctx, maxprot);
2047 SSL_CTX_set_max_proto_version(cctx, maxprot);
2049 /* Set up session cache */
2050 if (use_ext_cache) {
2051 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2052 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
2054 if (use_int_cache) {
2055 /* Also covers instance where both are set */
2056 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
2058 SSL_CTX_set_session_cache_mode(cctx,
2059 SSL_SESS_CACHE_CLIENT
2060 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2064 SSL_CTX_set_options(sctx, s_options);
2067 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2069 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2071 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2074 /* Should fail because it should already be in the cache */
2075 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
2078 && (!TEST_int_eq(new_called, numnewsesstick)
2080 || !TEST_int_eq(remove_called, 0)))
2083 new_called = remove_called = 0;
2084 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2085 &clientssl2, NULL, NULL))
2086 || !TEST_true(SSL_set_session(clientssl2, sess1))
2087 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2089 || !TEST_true(SSL_session_reused(clientssl2)))
2092 if (maxprot == TLS1_3_VERSION) {
2094 * In TLSv1.3 we should have created a new session even though we have
2095 * resumed. Since we attempted a resume we should also have removed the
2096 * old ticket from the cache so that we try to only use tickets once.
2099 && (!TEST_int_eq(new_called, 1)
2100 || !TEST_int_eq(remove_called, 1)))
2104 * In TLSv1.2 we expect to have resumed so no sessions added or
2108 && (!TEST_int_eq(new_called, 0)
2109 || !TEST_int_eq(remove_called, 0)))
2113 SSL_SESSION_free(sess1);
2114 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
2116 shutdown_ssl_connection(serverssl2, clientssl2);
2117 serverssl2 = clientssl2 = NULL;
2119 new_called = remove_called = 0;
2120 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2121 &clientssl2, NULL, NULL))
2122 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2126 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2130 && (!TEST_int_eq(new_called, numnewsesstick)
2131 || !TEST_int_eq(remove_called, 0)))
2134 new_called = remove_called = 0;
2136 * This should clear sess2 from the cache because it is a "bad" session.
2137 * See SSL_set_session() documentation.
2139 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2142 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2144 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2147 if (use_int_cache) {
2148 /* Should succeeded because it should not already be in the cache */
2149 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
2150 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
2154 new_called = remove_called = 0;
2155 /* This shouldn't be in the cache so should fail */
2156 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2160 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2163 # if !defined(OPENSSL_NO_TLS1_1)
2164 new_called = remove_called = 0;
2165 /* Force a connection failure */
2166 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
2167 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
2168 &clientssl3, NULL, NULL))
2169 || !TEST_true(SSL_set_session(clientssl3, sess1))
2170 /* This should fail because of the mismatched protocol versions */
2171 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
2175 /* We should have automatically removed the session from the cache */
2177 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2180 /* Should succeed because it should not already be in the cache */
2181 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
2185 /* Now do some tests for server side caching */
2186 if (use_ext_cache) {
2187 SSL_CTX_sess_set_new_cb(cctx, NULL);
2188 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2189 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2190 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2191 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2192 get_sess_val = NULL;
2195 SSL_CTX_set_session_cache_mode(cctx, 0);
2196 /* Internal caching is the default on the server side */
2198 SSL_CTX_set_session_cache_mode(sctx,
2199 SSL_SESS_CACHE_SERVER
2200 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2202 SSL_free(serverssl1);
2203 SSL_free(clientssl1);
2204 serverssl1 = clientssl1 = NULL;
2205 SSL_free(serverssl2);
2206 SSL_free(clientssl2);
2207 serverssl2 = clientssl2 = NULL;
2208 SSL_SESSION_free(sess1);
2210 SSL_SESSION_free(sess2);
2213 SSL_CTX_set_max_proto_version(sctx, maxprot);
2214 if (maxprot == TLS1_2_VERSION)
2215 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
2216 new_called = remove_called = get_called = 0;
2217 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2219 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2221 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2222 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2225 if (use_int_cache) {
2226 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2228 * In TLSv1.3 it should not have been added to the internal cache,
2229 * except in the case where we also have an external cache (in that
2230 * case it gets added to the cache in order to generate remove
2231 * events after timeout).
2233 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2236 /* Should fail because it should already be in the cache */
2237 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2242 if (use_ext_cache) {
2243 SSL_SESSION *tmp = sess2;
2245 if (!TEST_int_eq(new_called, numnewsesstick)
2246 || !TEST_int_eq(remove_called, 0)
2247 || !TEST_int_eq(get_called, 0))
2250 * Delete the session from the internal cache to force a lookup from
2251 * the external cache. We take a copy first because
2252 * SSL_CTX_remove_session() also marks the session as non-resumable.
2254 if (use_int_cache && maxprot != TLS1_3_VERSION) {
2255 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2256 || !TEST_true(sess2->owner != NULL)
2257 || !TEST_true(tmp->owner == NULL)
2258 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2260 SSL_SESSION_free(sess2);
2265 new_called = remove_called = get_called = 0;
2266 get_sess_val = sess2;
2267 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2268 &clientssl2, NULL, NULL))
2269 || !TEST_true(SSL_set_session(clientssl2, sess1))
2270 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2272 || !TEST_true(SSL_session_reused(clientssl2)))
2275 if (use_ext_cache) {
2276 if (!TEST_int_eq(remove_called, 0))
2279 if (maxprot == TLS1_3_VERSION) {
2280 if (!TEST_int_eq(new_called, 1)
2281 || !TEST_int_eq(get_called, 0))
2284 if (!TEST_int_eq(new_called, 0)
2285 || !TEST_int_eq(get_called, 1))
2290 * Make a small cache, force out all other sessions but
2291 * sess2, try to add sess1, which should succeed. Then
2292 * make sure it's there by checking the owners. Despite
2293 * the timeouts, sess1 should have kicked out sess2
2296 /* Make sess1 expire before sess2 */
2297 if (!TEST_long_gt(SSL_SESSION_set_time(sess1, 1000), 0)
2298 || !TEST_long_gt(SSL_SESSION_set_timeout(sess1, 1000), 0)
2299 || !TEST_long_gt(SSL_SESSION_set_time(sess2, 2000), 0)
2300 || !TEST_long_gt(SSL_SESSION_set_timeout(sess2, 2000), 0))
2303 if (!TEST_long_ne(SSL_CTX_sess_set_cache_size(sctx, 1), 0))
2306 /* Don't care about results - cache should only be sess2 at end */
2307 SSL_CTX_add_session(sctx, sess1);
2308 SSL_CTX_add_session(sctx, sess2);
2310 /* Now add sess1, and make sure it remains, despite timeout */
2311 if (!TEST_true(SSL_CTX_add_session(sctx, sess1))
2312 || !TEST_ptr(sess1->owner)
2313 || !TEST_ptr_null(sess2->owner))
2319 SSL_free(serverssl1);
2320 SSL_free(clientssl1);
2321 SSL_free(serverssl2);
2322 SSL_free(clientssl2);
2323 # ifndef OPENSSL_NO_TLS1_1
2324 SSL_free(serverssl3);
2325 SSL_free(clientssl3);
2327 SSL_SESSION_free(sess1);
2328 SSL_SESSION_free(sess2);
2334 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2336 static int test_session_with_only_int_cache(void)
2338 #ifndef OSSL_NO_USABLE_TLS1_3
2339 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
2343 #ifndef OPENSSL_NO_TLS1_2
2344 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
2350 static int test_session_with_only_ext_cache(void)
2352 #ifndef OSSL_NO_USABLE_TLS1_3
2353 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
2357 #ifndef OPENSSL_NO_TLS1_2
2358 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
2364 static int test_session_with_both_cache(void)
2366 #ifndef OSSL_NO_USABLE_TLS1_3
2367 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2371 #ifndef OPENSSL_NO_TLS1_2
2372 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2378 static int test_session_wo_ca_names(void)
2380 #ifndef OSSL_NO_USABLE_TLS1_3
2381 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
2385 #ifndef OPENSSL_NO_TLS1_2
2386 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
2393 #ifndef OSSL_NO_USABLE_TLS1_3
2394 static SSL_SESSION *sesscache[6];
2395 static int do_cache;
2397 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2400 sesscache[new_called] = sess;
2402 /* We don't need the reference to the session, so free it */
2403 SSL_SESSION_free(sess);
2410 static int post_handshake_verify(SSL *sssl, SSL *cssl)
2412 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2413 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2416 /* Start handshake on the server and client */
2417 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2418 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2419 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2420 || !TEST_true(create_ssl_connection(sssl, cssl,
2427 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
2430 int sess_id_ctx = 1;
2432 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2433 TLS_client_method(), TLS1_VERSION, 0,
2434 sctx, cctx, cert, privkey))
2435 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2436 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2437 (void *)&sess_id_ctx,
2438 sizeof(sess_id_ctx))))
2442 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2444 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2445 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2446 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2451 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2453 SSL *serverssl = NULL, *clientssl = NULL;
2456 /* Test that we can resume with all the tickets we got given */
2457 for (i = 0; i < idx * 2; i++) {
2459 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2460 &clientssl, NULL, NULL))
2461 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2464 SSL_set_post_handshake_auth(clientssl, 1);
2466 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2471 * Following a successful resumption we only get 1 ticket. After a
2472 * failed one we should get idx tickets.
2475 if (!TEST_true(SSL_session_reused(clientssl))
2476 || !TEST_int_eq(new_called, 1))
2479 if (!TEST_false(SSL_session_reused(clientssl))
2480 || !TEST_int_eq(new_called, idx))
2485 /* After a post-handshake authentication we should get 1 new ticket */
2487 && (!post_handshake_verify(serverssl, clientssl)
2488 || !TEST_int_eq(new_called, 1)))
2491 SSL_shutdown(clientssl);
2492 SSL_shutdown(serverssl);
2493 SSL_free(serverssl);
2494 SSL_free(clientssl);
2495 serverssl = clientssl = NULL;
2496 SSL_SESSION_free(sesscache[i]);
2497 sesscache[i] = NULL;
2503 SSL_free(clientssl);
2504 SSL_free(serverssl);
2508 static int test_tickets(int stateful, int idx)
2510 SSL_CTX *sctx = NULL, *cctx = NULL;
2511 SSL *serverssl = NULL, *clientssl = NULL;
2515 /* idx is the test number, but also the number of tickets we want */
2520 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2523 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2524 &clientssl, NULL, NULL)))
2527 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2529 /* Check we got the number of tickets we were expecting */
2530 || !TEST_int_eq(idx, new_called))
2533 SSL_shutdown(clientssl);
2534 SSL_shutdown(serverssl);
2535 SSL_free(serverssl);
2536 SSL_free(clientssl);
2539 clientssl = serverssl = NULL;
2543 * Now we try to resume with the tickets we previously created. The
2544 * resumption attempt is expected to fail (because we're now using a new
2545 * SSL_CTX). We should see idx number of tickets issued again.
2548 /* Stop caching sessions - just count them */
2551 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2554 if (!check_resumption(idx, sctx, cctx, 0))
2557 /* Start again with caching sessions */
2564 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2567 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2568 &clientssl, NULL, NULL)))
2571 SSL_set_post_handshake_auth(clientssl, 1);
2573 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2575 /* Check we got the number of tickets we were expecting */
2576 || !TEST_int_eq(idx, new_called))
2579 /* After a post-handshake authentication we should get new tickets issued */
2580 if (!post_handshake_verify(serverssl, clientssl)
2581 || !TEST_int_eq(idx * 2, new_called))
2584 SSL_shutdown(clientssl);
2585 SSL_shutdown(serverssl);
2586 SSL_free(serverssl);
2587 SSL_free(clientssl);
2588 serverssl = clientssl = NULL;
2590 /* Stop caching sessions - just count them */
2594 * Check we can resume with all the tickets we created. This time around the
2595 * resumptions should all be successful.
2597 if (!check_resumption(idx, sctx, cctx, 1))
2603 SSL_free(serverssl);
2604 SSL_free(clientssl);
2605 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2606 SSL_SESSION_free(sesscache[j]);
2607 sesscache[j] = NULL;
2615 static int test_stateless_tickets(int idx)
2617 return test_tickets(0, idx);
2620 static int test_stateful_tickets(int idx)
2622 return test_tickets(1, idx);
2625 static int test_psk_tickets(void)
2627 SSL_CTX *sctx = NULL, *cctx = NULL;
2628 SSL *serverssl = NULL, *clientssl = NULL;
2630 int sess_id_ctx = 1;
2632 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2633 TLS_client_method(), TLS1_VERSION, 0,
2634 &sctx, &cctx, NULL, NULL))
2635 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2636 (void *)&sess_id_ctx,
2637 sizeof(sess_id_ctx))))
2640 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2641 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2642 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2643 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2644 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2645 use_session_cb_cnt = 0;
2646 find_session_cb_cnt = 0;
2650 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2653 clientpsk = serverpsk = create_a_psk(clientssl, SHA384_DIGEST_LENGTH);
2654 if (!TEST_ptr(clientpsk))
2656 SSL_SESSION_up_ref(clientpsk);
2658 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2660 || !TEST_int_eq(1, find_session_cb_cnt)
2661 || !TEST_int_eq(1, use_session_cb_cnt)
2662 /* We should always get 1 ticket when using external PSK */
2663 || !TEST_int_eq(1, new_called))
2669 SSL_free(serverssl);
2670 SSL_free(clientssl);
2673 SSL_SESSION_free(clientpsk);
2674 SSL_SESSION_free(serverpsk);
2675 clientpsk = serverpsk = NULL;
2680 static int test_extra_tickets(int idx)
2682 SSL_CTX *sctx = NULL, *cctx = NULL;
2683 SSL *serverssl = NULL, *clientssl = NULL;
2684 BIO *bretry = BIO_new(bio_s_always_retry());
2689 unsigned char c, buf[1];
2699 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2701 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2702 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2703 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2705 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2706 &clientssl, NULL, NULL)))
2710 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2711 * incremented by both client and server.
2713 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2715 /* Check we got the number of tickets we were expecting */
2716 || !TEST_int_eq(idx * 2, new_called)
2717 || !TEST_true(SSL_new_session_ticket(serverssl))
2718 || !TEST_true(SSL_new_session_ticket(serverssl))
2719 || !TEST_int_eq(idx * 2, new_called))
2722 /* Now try a (real) write to actually send the tickets */
2724 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2725 || !TEST_size_t_eq(1, nbytes)
2726 || !TEST_int_eq(idx * 2 + 2, new_called)
2727 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2728 || !TEST_int_eq(idx * 2 + 4, new_called)
2729 || !TEST_int_eq(sizeof(buf), nbytes)
2730 || !TEST_int_eq(c, buf[0])
2731 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2734 /* Try with only requesting one new ticket, too */
2737 if (!TEST_true(SSL_new_session_ticket(serverssl))
2738 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2739 || !TEST_size_t_eq(sizeof(c), nbytes)
2740 || !TEST_int_eq(1, new_called)
2741 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2742 || !TEST_int_eq(2, new_called)
2743 || !TEST_size_t_eq(sizeof(buf), nbytes)
2744 || !TEST_int_eq(c, buf[0]))
2747 /* Do it again but use dummy writes to drive the ticket generation */
2750 if (!TEST_true(SSL_new_session_ticket(serverssl))
2751 || !TEST_true(SSL_new_session_ticket(serverssl))
2752 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2753 || !TEST_size_t_eq(0, nbytes)
2754 || !TEST_int_eq(2, new_called)
2755 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2756 || !TEST_int_eq(4, new_called))
2759 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2762 if (!TEST_true(SSL_new_session_ticket(serverssl))
2763 || !TEST_true(SSL_new_session_ticket(serverssl))
2764 || !TEST_true(SSL_do_handshake(serverssl))
2765 || !TEST_int_eq(2, new_called)
2766 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2767 || !TEST_int_eq(4, new_called))
2771 * Use the always-retry BIO to exercise the logic that forces ticket
2772 * generation to wait until a record boundary.
2776 tmp = SSL_get_wbio(serverssl);
2777 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2781 SSL_set0_wbio(serverssl, bretry);
2783 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2784 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2785 || !TEST_size_t_eq(nbytes, 0))
2787 /* Restore a BIO that will let the write succeed */
2788 SSL_set0_wbio(serverssl, tmp);
2791 * These calls should just queue the request and not send anything
2792 * even if we explicitly try to hit the state machine.
2794 if (!TEST_true(SSL_new_session_ticket(serverssl))
2795 || !TEST_true(SSL_new_session_ticket(serverssl))
2796 || !TEST_int_eq(0, new_called)
2797 || !TEST_true(SSL_do_handshake(serverssl))
2798 || !TEST_int_eq(0, new_called))
2800 /* Re-do the write; still no tickets sent */
2801 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2802 || !TEST_size_t_eq(1, nbytes)
2803 || !TEST_int_eq(0, new_called)
2804 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2805 || !TEST_int_eq(0, new_called)
2806 || !TEST_int_eq(sizeof(buf), nbytes)
2807 || !TEST_int_eq(c, buf[0])
2808 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2810 /* Even trying to hit the state machine now will still not send tickets */
2811 if (!TEST_true(SSL_do_handshake(serverssl))
2812 || !TEST_int_eq(0, new_called))
2814 /* Now the *next* write should send the tickets */
2816 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2817 || !TEST_size_t_eq(1, nbytes)
2818 || !TEST_int_eq(2, new_called)
2819 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2820 || !TEST_int_eq(4, new_called)
2821 || !TEST_int_eq(sizeof(buf), nbytes)
2822 || !TEST_int_eq(c, buf[0])
2823 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2826 SSL_shutdown(clientssl);
2827 SSL_shutdown(serverssl);
2833 SSL_free(serverssl);
2834 SSL_free(clientssl);
2837 clientssl = serverssl = NULL;
2846 #define USE_DEFAULT 3
2848 #define CONNTYPE_CONNECTION_SUCCESS 0
2849 #define CONNTYPE_CONNECTION_FAIL 1
2850 #define CONNTYPE_NO_CONNECTION 2
2852 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2853 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2854 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2855 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2857 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2860 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2861 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2862 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2864 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2881 * Tests calls to SSL_set_bio() under various conditions.
2883 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2884 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2885 * then do more tests where we create a successful connection first using our
2886 * standard connection setup functions, and then call SSL_set_bio() with
2887 * various combinations of valid BIOs or NULL. We then repeat these tests
2888 * following a failed connection. In this last case we are looking to check that
2889 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2891 static int test_ssl_set_bio(int idx)
2893 SSL_CTX *sctx = NULL, *cctx = NULL;
2896 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2897 SSL *serverssl = NULL, *clientssl = NULL;
2898 int initrbio, initwbio, newrbio, newwbio, conntype;
2901 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2909 conntype = CONNTYPE_NO_CONNECTION;
2911 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2912 initrbio = initwbio = USE_DEFAULT;
2920 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2921 TLS_client_method(), TLS1_VERSION, 0,
2922 &sctx, &cctx, cert, privkey)))
2925 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2927 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2928 * because we reduced the number of tests in the definition of
2929 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2930 * mismatched protocol versions we will force a connection failure.
2932 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2933 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2936 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2940 if (initrbio == USE_BIO_1
2941 || initwbio == USE_BIO_1
2942 || newrbio == USE_BIO_1
2943 || newwbio == USE_BIO_1) {
2944 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2948 if (initrbio == USE_BIO_2
2949 || initwbio == USE_BIO_2
2950 || newrbio == USE_BIO_2
2951 || newwbio == USE_BIO_2) {
2952 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2956 if (initrbio != USE_DEFAULT) {
2957 setupbio(&irbio, bio1, bio2, initrbio);
2958 setupbio(&iwbio, bio1, bio2, initwbio);
2959 SSL_set_bio(clientssl, irbio, iwbio);
2962 * We want to maintain our own refs to these BIO, so do an up ref for
2963 * each BIO that will have ownership transferred in the SSL_set_bio()
2968 if (iwbio != NULL && iwbio != irbio)
2972 if (conntype != CONNTYPE_NO_CONNECTION
2973 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2975 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2978 setupbio(&nrbio, bio1, bio2, newrbio);
2979 setupbio(&nwbio, bio1, bio2, newwbio);
2982 * We will (maybe) transfer ownership again so do more up refs.
2983 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2988 && (nwbio != iwbio || nrbio != nwbio))
2992 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2995 SSL_set_bio(clientssl, nrbio, nwbio);
3004 * This test is checking that the ref counting for SSL_set_bio is correct.
3005 * If we get here and we did too many frees then we will fail in the above
3008 SSL_free(serverssl);
3009 SSL_free(clientssl);
3015 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
3017 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
3019 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
3024 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
3025 || !TEST_ptr(ssl = SSL_new(ctx))
3026 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
3027 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
3030 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
3033 * If anything goes wrong here then we could leak memory.
3035 BIO_push(sslbio, membio1);
3037 /* Verify changing the rbio/wbio directly does not cause leaks */
3038 if (change_bio != NO_BIO_CHANGE) {
3039 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
3043 if (change_bio == CHANGE_RBIO)
3044 SSL_set0_rbio(ssl, membio2);
3046 SSL_set0_wbio(ssl, membio2);
3065 static int test_ssl_bio_pop_next_bio(void)
3067 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
3070 static int test_ssl_bio_pop_ssl_bio(void)
3072 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
3075 static int test_ssl_bio_change_rbio(void)
3077 return execute_test_ssl_bio(0, CHANGE_RBIO);
3080 static int test_ssl_bio_change_wbio(void)
3082 return execute_test_ssl_bio(0, CHANGE_WBIO);
3085 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
3087 /* The list of sig algs */
3089 /* The length of the list */
3091 /* A sigalgs list in string format */
3092 const char *liststr;
3093 /* Whether setting the list should succeed */
3095 /* Whether creating a connection with the list should succeed */
3099 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
3100 # ifndef OPENSSL_NO_EC
3101 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
3102 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
3104 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
3105 static const int invalidlist2[] = {NID_sha256, NID_undef};
3106 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
3107 static const int invalidlist4[] = {NID_sha256};
3108 static const sigalgs_list testsigalgs[] = {
3109 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
3110 # ifndef OPENSSL_NO_EC
3111 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
3112 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
3114 {NULL, 0, "RSA+SHA256", 1, 1},
3115 # ifndef OPENSSL_NO_EC
3116 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
3117 {NULL, 0, "ECDSA+SHA512", 1, 0},
3119 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
3120 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
3121 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
3122 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
3123 {NULL, 0, "RSA", 0, 0},
3124 {NULL, 0, "SHA256", 0, 0},
3125 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
3126 {NULL, 0, "Invalid", 0, 0}
3129 static int test_set_sigalgs(int idx)
3131 SSL_CTX *cctx = NULL, *sctx = NULL;
3132 SSL *clientssl = NULL, *serverssl = NULL;
3134 const sigalgs_list *curr;
3137 /* Should never happen */
3138 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
3141 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
3142 curr = testctx ? &testsigalgs[idx]
3143 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
3145 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3146 TLS_client_method(), TLS1_VERSION, 0,
3147 &sctx, &cctx, cert, privkey)))
3150 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
3155 if (curr->list != NULL)
3156 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
3158 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
3162 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
3168 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
3173 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3174 &clientssl, NULL, NULL)))
3180 if (curr->list != NULL)
3181 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
3183 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
3186 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
3195 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
3203 SSL_free(serverssl);
3204 SSL_free(clientssl);
3212 #ifndef OSSL_NO_USABLE_TLS1_3
3213 static int psk_client_cb_cnt = 0;
3214 static int psk_server_cb_cnt = 0;
3216 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3217 size_t *idlen, SSL_SESSION **sess)
3219 switch (++use_session_cb_cnt) {
3221 /* The first call should always have a NULL md */
3227 /* The second call should always have an md */
3233 /* We should only be called a maximum of twice */
3237 if (clientpsk != NULL)
3238 SSL_SESSION_up_ref(clientpsk);
3241 *id = (const unsigned char *)pskid;
3242 *idlen = strlen(pskid);
3247 #ifndef OPENSSL_NO_PSK
3248 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3249 unsigned int max_id_len,
3251 unsigned int max_psk_len)
3253 unsigned int psklen = 0;
3255 psk_client_cb_cnt++;
3257 if (strlen(pskid) + 1 > max_id_len)
3260 /* We should only ever be called a maximum of twice per connection */
3261 if (psk_client_cb_cnt > 2)
3264 if (clientpsk == NULL)
3267 /* We'll reuse the PSK we set up for TLSv1.3 */
3268 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3270 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3271 strncpy(id, pskid, max_id_len);
3275 #endif /* OPENSSL_NO_PSK */
3277 static int find_session_cb(SSL *ssl, const unsigned char *identity,
3278 size_t identity_len, SSL_SESSION **sess)
3280 find_session_cb_cnt++;
3282 /* We should only ever be called a maximum of twice per connection */
3283 if (find_session_cb_cnt > 2)
3286 if (serverpsk == NULL)
3289 /* Identity should match that set by the client */
3290 if (strlen(srvid) != identity_len
3291 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3292 /* No PSK found, continue but without a PSK */
3297 SSL_SESSION_up_ref(serverpsk);
3303 #ifndef OPENSSL_NO_PSK
3304 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3305 unsigned char *psk, unsigned int max_psk_len)
3307 unsigned int psklen = 0;
3309 psk_server_cb_cnt++;
3311 /* We should only ever be called a maximum of twice per connection */
3312 if (find_session_cb_cnt > 2)
3315 if (serverpsk == NULL)
3318 /* Identity should match that set by the client */
3319 if (strcmp(srvid, identity) != 0) {
3323 /* We'll reuse the PSK we set up for TLSv1.3 */
3324 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3326 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3330 #endif /* OPENSSL_NO_PSK */
3332 #define MSG1 "Hello"
3333 #define MSG2 "World."
3338 #define MSG7 "message."
3340 static int artificial_ticket_time = 0;
3342 static int ed_gen_cb(SSL *s, void *arg)
3344 SSL_SESSION *sess = SSL_get0_session(s);
3350 * Artificially give the ticket some age. Just do it for the number of
3351 * tickets we've been told to do.
3353 if (artificial_ticket_time == 0)
3355 artificial_ticket_time--;
3357 if (SSL_SESSION_set_time(sess, SSL_SESSION_get_time(sess) - 10) == 0)
3364 * Helper method to setup objects for early data test. Caller frees objects on
3367 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3368 SSL **serverssl, SSL_SESSION **sess, int idx,
3371 int artificial = (artificial_ticket_time > 0);
3374 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3375 TLS_client_method(),
3377 sctx, cctx, cert, privkey)))
3381 SSL_CTX_set_session_ticket_cb(*sctx, ed_gen_cb, NULL, NULL);
3383 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
3387 /* When idx == 1 we repeat the tests with read_ahead set */
3388 SSL_CTX_set_read_ahead(*cctx, 1);
3389 SSL_CTX_set_read_ahead(*sctx, 1);
3390 } else if (idx == 2) {
3391 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3392 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3393 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3394 use_session_cb_cnt = 0;
3395 find_session_cb_cnt = 0;
3399 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
3404 * For one of the run throughs (doesn't matter which one), we'll try sending
3405 * some SNI data in the initial ClientHello. This will be ignored (because
3406 * there is no SNI cb set up by the server), so it should not impact
3410 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3414 clientpsk = create_a_psk(*clientssl, mdsize);
3415 if (!TEST_ptr(clientpsk)
3417 * We just choose an arbitrary value for max_early_data which
3418 * should be big enough for testing purposes.
3420 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3422 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3423 SSL_SESSION_free(clientpsk);
3427 serverpsk = clientpsk;
3430 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3431 SSL_SESSION_free(clientpsk);
3432 SSL_SESSION_free(serverpsk);
3433 clientpsk = serverpsk = NULL;
3444 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3448 *sess = SSL_get1_session(*clientssl);
3449 SSL_shutdown(*clientssl);
3450 SSL_shutdown(*serverssl);
3451 SSL_free(*serverssl);
3452 SSL_free(*clientssl);
3453 *serverssl = *clientssl = NULL;
3456 * Artificially give the ticket some age to match the artificial age we
3457 * gave it on the server side
3460 && !TEST_long_gt(SSL_SESSION_set_time(*sess,
3461 SSL_SESSION_get_time(*sess) - 10), 0))
3464 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3465 clientssl, NULL, NULL))
3466 || !TEST_true(SSL_set_session(*clientssl, *sess)))
3472 static int test_early_data_read_write(int idx)
3474 SSL_CTX *cctx = NULL, *sctx = NULL;
3475 SSL *clientssl = NULL, *serverssl = NULL;
3477 SSL_SESSION *sess = NULL;
3478 unsigned char buf[20], data[1024];
3479 size_t readbytes, written, eoedlen, rawread, rawwritten;
3482 /* Artificially give the next 2 tickets some age for non PSK sessions */
3484 artificial_ticket_time = 2;
3485 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3486 &serverssl, &sess, idx,
3487 SHA384_DIGEST_LENGTH))) {
3488 artificial_ticket_time = 0;
3491 artificial_ticket_time = 0;
3493 /* Write and read some early data */
3494 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3496 || !TEST_size_t_eq(written, strlen(MSG1))
3497 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3498 sizeof(buf), &readbytes),
3499 SSL_READ_EARLY_DATA_SUCCESS)
3500 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3501 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3502 SSL_EARLY_DATA_ACCEPTED))
3506 * Server should be able to write data, and client should be able to
3509 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3511 || !TEST_size_t_eq(written, strlen(MSG2))
3512 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3513 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3516 /* Even after reading normal data, client should be able write early data */
3517 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3519 || !TEST_size_t_eq(written, strlen(MSG3)))
3522 /* Server should still be able read early data after writing data */
3523 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3525 SSL_READ_EARLY_DATA_SUCCESS)
3526 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3529 /* Write more data from server and read it from client */
3530 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3532 || !TEST_size_t_eq(written, strlen(MSG4))
3533 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3534 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3538 * If client writes normal data it should mean writing early data is no
3541 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3542 || !TEST_size_t_eq(written, strlen(MSG5))
3543 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3544 SSL_EARLY_DATA_ACCEPTED))
3548 * At this point the client has written EndOfEarlyData, ClientFinished and
3549 * normal (fully protected) data. We are going to cause a delay between the
3550 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3551 * in the read BIO, and then just put back the EndOfEarlyData message.
3553 rbio = SSL_get_rbio(serverssl);
3554 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3555 || !TEST_size_t_lt(rawread, sizeof(data))
3556 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3559 /* Record length is in the 4th and 5th bytes of the record header */
3560 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3561 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3562 || !TEST_size_t_eq(rawwritten, eoedlen))
3565 /* Server should be told that there is no more early data */
3566 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3568 SSL_READ_EARLY_DATA_FINISH)
3569 || !TEST_size_t_eq(readbytes, 0))
3573 * Server has not finished init yet, so should still be able to write early
3576 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3578 || !TEST_size_t_eq(written, strlen(MSG6)))
3581 /* Push the ClientFinished and the normal data back into the server rbio */
3582 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3584 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3587 /* Server should be able to read normal data */
3588 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3589 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3592 /* Client and server should not be able to write/read early data now */
3593 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3597 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3599 SSL_READ_EARLY_DATA_ERROR))
3603 /* Client should be able to read the data sent by the server */
3604 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3605 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3609 * Make sure we process the two NewSessionTickets. These arrive
3610 * post-handshake. We attempt reads which we do not expect to return any
3613 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3614 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3618 /* Server should be able to write normal data */
3619 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3620 || !TEST_size_t_eq(written, strlen(MSG7))
3621 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3622 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3625 SSL_SESSION_free(sess);
3626 sess = SSL_get1_session(clientssl);
3627 use_session_cb_cnt = 0;
3628 find_session_cb_cnt = 0;
3630 SSL_shutdown(clientssl);
3631 SSL_shutdown(serverssl);
3632 SSL_free(serverssl);
3633 SSL_free(clientssl);
3634 serverssl = clientssl = NULL;
3635 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3636 &clientssl, NULL, NULL))
3637 || !TEST_true(SSL_set_session(clientssl, sess)))
3640 /* Write and read some early data */
3641 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3643 || !TEST_size_t_eq(written, strlen(MSG1))
3644 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3646 SSL_READ_EARLY_DATA_SUCCESS)
3647 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3650 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3651 || !TEST_int_gt(SSL_accept(serverssl), 0))
3654 /* Client and server should not be able to write/read early data now */
3655 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3659 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3661 SSL_READ_EARLY_DATA_ERROR))
3665 /* Client and server should be able to write/read normal data */
3666 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3667 || !TEST_size_t_eq(written, strlen(MSG5))
3668 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3669 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3675 SSL_SESSION_free(sess);
3676 SSL_SESSION_free(clientpsk);
3677 SSL_SESSION_free(serverpsk);
3678 clientpsk = serverpsk = NULL;
3679 SSL_free(serverssl);
3680 SSL_free(clientssl);
3686 static int allow_ed_cb_called = 0;
3688 static int allow_early_data_cb(SSL *s, void *arg)
3690 int *usecb = (int *)arg;
3692 allow_ed_cb_called++;
3701 * idx == 0: Standard early_data setup
3702 * idx == 1: early_data setup using read_ahead
3703 * usecb == 0: Don't use a custom early data callback
3704 * usecb == 1: Use a custom early data callback and reject the early data
3705 * usecb == 2: Use a custom early data callback and accept the early data
3706 * confopt == 0: Configure anti-replay directly
3707 * confopt == 1: Configure anti-replay using SSL_CONF
3709 static int test_early_data_replay_int(int idx, int usecb, int confopt)
3711 SSL_CTX *cctx = NULL, *sctx = NULL;
3712 SSL *clientssl = NULL, *serverssl = NULL;
3714 SSL_SESSION *sess = NULL;
3715 size_t readbytes, written;
3716 unsigned char buf[20];
3718 allow_ed_cb_called = 0;
3720 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3721 TLS_client_method(), TLS1_VERSION, 0,
3722 &sctx, &cctx, cert, privkey)))
3727 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3729 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3731 if (!TEST_ptr(confctx))
3733 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3734 | SSL_CONF_FLAG_SERVER);
3735 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3736 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3738 SSL_CONF_CTX_free(confctx);
3741 SSL_CONF_CTX_free(confctx);
3743 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3746 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3747 &serverssl, &sess, idx,
3748 SHA384_DIGEST_LENGTH)))
3752 * The server is configured to accept early data. Create a connection to
3753 * "use up" the ticket
3755 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3756 || !TEST_true(SSL_session_reused(clientssl)))
3759 SSL_shutdown(clientssl);
3760 SSL_shutdown(serverssl);
3761 SSL_free(serverssl);
3762 SSL_free(clientssl);
3763 serverssl = clientssl = NULL;
3765 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3766 &clientssl, NULL, NULL))
3767 || !TEST_true(SSL_set_session(clientssl, sess)))
3770 /* Write and read some early data */
3771 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3773 || !TEST_size_t_eq(written, strlen(MSG1)))
3777 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3779 SSL_READ_EARLY_DATA_FINISH)
3781 * The ticket was reused, so the we should have rejected the
3784 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3785 SSL_EARLY_DATA_REJECTED))
3788 /* In this case the callback decides to accept the early data */
3789 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3791 SSL_READ_EARLY_DATA_SUCCESS)
3792 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3794 * Server will have sent its flight so client can now send
3795 * end of early data and complete its half of the handshake
3797 || !TEST_int_gt(SSL_connect(clientssl), 0)
3798 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3800 SSL_READ_EARLY_DATA_FINISH)
3801 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3802 SSL_EARLY_DATA_ACCEPTED))
3806 /* Complete the connection */
3807 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3808 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3809 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3815 SSL_SESSION_free(sess);
3816 SSL_SESSION_free(clientpsk);
3817 SSL_SESSION_free(serverpsk);
3818 clientpsk = serverpsk = NULL;
3819 SSL_free(serverssl);
3820 SSL_free(clientssl);
3826 static int test_early_data_replay(int idx)
3828 int ret = 1, usecb, confopt;
3830 for (usecb = 0; usecb < 3; usecb++) {
3831 for (confopt = 0; confopt < 2; confopt++)
3832 ret &= test_early_data_replay_int(idx, usecb, confopt);
3838 static const char *ciphersuites[] = {
3839 "TLS_AES_128_CCM_8_SHA256",
3840 "TLS_AES_128_GCM_SHA256",
3841 "TLS_AES_256_GCM_SHA384",
3842 "TLS_AES_128_CCM_SHA256",
3843 #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3844 "TLS_CHACHA20_POLY1305_SHA256"
3849 * Helper function to test that a server attempting to read early data can
3850 * handle a connection from a client where the early data should be skipped.
3851 * testtype: 0 == No HRR
3852 * testtype: 1 == HRR
3853 * testtype: 2 == HRR, invalid early_data sent after HRR
3854 * testtype: 3 == recv_max_early_data set to 0
3856 static int early_data_skip_helper(int testtype, int cipher, int idx)
3858 SSL_CTX *cctx = NULL, *sctx = NULL;
3859 SSL *clientssl = NULL, *serverssl = NULL;
3861 SSL_SESSION *sess = NULL;
3862 unsigned char buf[20];
3863 size_t readbytes, written;
3865 if (is_fips && cipher == 4)
3868 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3869 TLS_client_method(),
3871 &sctx, &cctx, cert, privkey)))
3875 SSL_CTX_set_security_level(sctx, 0);
3876 SSL_CTX_set_security_level(cctx, 0);
3879 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, ciphersuites[cipher]))
3880 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, ciphersuites[cipher])))
3883 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3884 &serverssl, &sess, idx,
3885 cipher == 2 ? SHA384_DIGEST_LENGTH
3886 : SHA256_DIGEST_LENGTH)))
3889 if (testtype == 1 || testtype == 2) {
3890 /* Force an HRR to occur */
3891 #if defined(OPENSSL_NO_EC)
3892 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3895 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
3898 } else if (idx == 2) {
3900 * We force early_data rejection by ensuring the PSK identity is
3903 srvid = "Dummy Identity";
3906 * Deliberately corrupt the creation time. We take 20 seconds off the
3907 * time. It could be any value as long as it is not within tolerance.
3908 * This should mean the ticket is rejected.
3910 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3915 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3918 /* Write some early data */
3919 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3921 || !TEST_size_t_eq(written, strlen(MSG1)))
3924 /* Server should reject the early data */
3925 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3927 SSL_READ_EARLY_DATA_FINISH)
3928 || !TEST_size_t_eq(readbytes, 0)
3929 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3930 SSL_EARLY_DATA_REJECTED))
3940 * Finish off the handshake. We perform the same writes and reads as
3941 * further down but we expect them to fail due to the incomplete
3944 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3945 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3952 BIO *wbio = SSL_get_wbio(clientssl);
3953 /* A record that will appear as bad early_data */
3954 const unsigned char bad_early_data[] = {
3955 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3959 * We force the client to attempt a write. This will fail because
3960 * we're still in the handshake. It will cause the second
3961 * ClientHello to be sent.
3963 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3968 * Inject some early_data after the second ClientHello. This should
3969 * cause the server to fail
3971 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3972 sizeof(bad_early_data), &written)))
3979 * This client has sent more early_data than we are willing to skip
3980 * (case 3) or sent invalid early_data (case 2) so the connection should
3983 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3984 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3987 /* Connection has failed - nothing more to do */
3992 TEST_error("Invalid test type");
3998 * Should be able to send normal data despite rejection of early data. The
3999 * early_data should be skipped.
4001 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4002 || !TEST_size_t_eq(written, strlen(MSG2))
4003 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4004 SSL_EARLY_DATA_REJECTED)
4005 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4006 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4010 * Failure to decrypt early data records should not leave spurious errors
4011 * on the error stack
4013 if (!TEST_long_eq(ERR_peek_error(), 0))
4019 SSL_SESSION_free(clientpsk);
4020 SSL_SESSION_free(serverpsk);
4021 clientpsk = serverpsk = NULL;
4022 SSL_SESSION_free(sess);
4023 SSL_free(serverssl);
4024 SSL_free(clientssl);
4031 * Test that a server attempting to read early data can handle a connection
4032 * from a client where the early data is not acceptable.
4034 static int test_early_data_skip(int idx)
4036 return early_data_skip_helper(0,
4037 idx % OSSL_NELEM(ciphersuites),
4038 idx / OSSL_NELEM(ciphersuites));
4042 * Test that a server attempting to read early data can handle a connection
4043 * from a client where an HRR occurs.
4045 static int test_early_data_skip_hrr(int idx)
4047 return early_data_skip_helper(1,
4048 idx % OSSL_NELEM(ciphersuites),
4049 idx / OSSL_NELEM(ciphersuites));
4053 * Test that a server attempting to read early data can handle a connection
4054 * from a client where an HRR occurs and correctly fails if early_data is sent
4057 static int test_early_data_skip_hrr_fail(int idx)
4059 return early_data_skip_helper(2,
4060 idx % OSSL_NELEM(ciphersuites),
4061 idx / OSSL_NELEM(ciphersuites));
4065 * Test that a server attempting to read early data will abort if it tries to
4066 * skip over too much.
4068 static int test_early_data_skip_abort(int idx)
4070 return early_data_skip_helper(3,
4071 idx % OSSL_NELEM(ciphersuites),
4072 idx / OSSL_NELEM(ciphersuites));
4076 * Test that a server attempting to read early data can handle a connection
4077 * from a client that doesn't send any.
4079 static int test_early_data_not_sent(int idx)
4081 SSL_CTX *cctx = NULL, *sctx = NULL;
4082 SSL *clientssl = NULL, *serverssl = NULL;
4084 SSL_SESSION *sess = NULL;
4085 unsigned char buf[20];
4086 size_t readbytes, written;
4088 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4089 &serverssl, &sess, idx,
4090 SHA384_DIGEST_LENGTH)))
4093 /* Write some data - should block due to handshake with server */
4094 SSL_set_connect_state(clientssl);
4095 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4098 /* Server should detect that early data has not been sent */
4099 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4101 SSL_READ_EARLY_DATA_FINISH)
4102 || !TEST_size_t_eq(readbytes, 0)
4103 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4104 SSL_EARLY_DATA_NOT_SENT)
4105 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4106 SSL_EARLY_DATA_NOT_SENT))
4109 /* Continue writing the message we started earlier */
4110 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4111 || !TEST_size_t_eq(written, strlen(MSG1))
4112 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4113 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4114 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
4115 || !TEST_size_t_eq(written, strlen(MSG2)))
4118 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4119 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4125 SSL_SESSION_free(sess);
4126 SSL_SESSION_free(clientpsk);
4127 SSL_SESSION_free(serverpsk);
4128 clientpsk = serverpsk = NULL;
4129 SSL_free(serverssl);
4130 SSL_free(clientssl);
4136 static const char *servalpn;
4138 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
4139 unsigned char *outlen, const unsigned char *in,
4140 unsigned int inlen, void *arg)
4142 unsigned int protlen = 0;
4143 const unsigned char *prot;
4145 for (prot = in; prot < in + inlen; prot += protlen) {
4147 if (in + inlen < prot + protlen)
4148 return SSL_TLSEXT_ERR_NOACK;
4150 if (protlen == strlen(servalpn)
4151 && memcmp(prot, servalpn, protlen) == 0) {
4154 return SSL_TLSEXT_ERR_OK;
4158 return SSL_TLSEXT_ERR_NOACK;
4161 /* Test that a PSK can be used to send early_data */
4162 static int test_early_data_psk(int idx)
4164 SSL_CTX *cctx = NULL, *sctx = NULL;
4165 SSL *clientssl = NULL, *serverssl = NULL;
4167 SSL_SESSION *sess = NULL;
4168 unsigned char alpnlist[] = {
4169 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
4172 #define GOODALPNLEN 9
4173 #define BADALPNLEN 8
4174 #define GOODALPN (alpnlist)
4175 #define BADALPN (alpnlist + GOODALPNLEN)
4177 unsigned char buf[20];
4178 size_t readbytes, written;
4179 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
4180 int edstatus = SSL_EARLY_DATA_ACCEPTED;
4182 /* We always set this up with a final parameter of "2" for PSK */
4183 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4184 &serverssl, &sess, 2,
4185 SHA384_DIGEST_LENGTH)))
4188 servalpn = "goodalpn";
4191 * Note: There is no test for inconsistent SNI with late client detection.
4192 * This is because servers do not acknowledge SNI even if they are using
4193 * it in a resumption handshake - so it is not actually possible for a
4194 * client to detect a problem.
4198 /* Set inconsistent SNI (early client detection) */
4199 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
4200 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4201 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
4206 /* Set inconsistent ALPN (early client detection) */
4207 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
4208 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
4209 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
4211 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
4218 * Set invalid protocol version. Technically this affects PSKs without
4219 * early_data too, but we test it here because it is similar to the
4220 * SNI/ALPN consistency tests.
4222 err = SSL_R_BAD_PSK;
4223 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
4229 * Set inconsistent SNI (server side). In this case the connection
4230 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
4231 * is associated with each handshake - not the session. Therefore it
4232 * should not matter that we used a different server name last time.
4234 SSL_SESSION_free(serverpsk);
4235 serverpsk = SSL_SESSION_dup(clientpsk);
4236 if (!TEST_ptr(serverpsk)
4237 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
4241 /* Set consistent SNI */
4242 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4243 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
4244 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
4251 * Set inconsistent ALPN (server detected). In this case the connection
4252 * will succeed but reject early_data.
4254 servalpn = "badalpn";
4255 edstatus = SSL_EARLY_DATA_REJECTED;
4256 readearlyres = SSL_READ_EARLY_DATA_FINISH;
4260 * Set consistent ALPN.
4261 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4262 * accepts a list of protos (each one length prefixed).
4263 * SSL_set1_alpn_selected accepts a single protocol (not length
4266 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4268 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4272 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4276 /* Set inconsistent ALPN (late client detection) */
4277 SSL_SESSION_free(serverpsk);
4278 serverpsk = SSL_SESSION_dup(clientpsk);
4279 if (!TEST_ptr(serverpsk)
4280 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4283 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4286 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4289 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4290 edstatus = SSL_EARLY_DATA_ACCEPTED;
4291 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4292 /* SSL_connect() call should fail */
4297 TEST_error("Bad test index");
4301 SSL_set_connect_state(clientssl);
4303 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4305 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4306 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4309 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4313 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4314 &readbytes), readearlyres)
4315 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4316 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
4317 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4318 || !TEST_int_eq(SSL_connect(clientssl), connectres))
4325 SSL_SESSION_free(sess);
4326 SSL_SESSION_free(clientpsk);
4327 SSL_SESSION_free(serverpsk);
4328 clientpsk = serverpsk = NULL;
4329 SSL_free(serverssl);
4330 SSL_free(clientssl);
4337 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4338 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4339 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4340 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4341 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4342 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4344 static int test_early_data_psk_with_all_ciphers(int idx)
4346 SSL_CTX *cctx = NULL, *sctx = NULL;
4347 SSL *clientssl = NULL, *serverssl = NULL;
4349 SSL_SESSION *sess = NULL;
4350 unsigned char buf[20];
4351 size_t readbytes, written;
4352 const SSL_CIPHER *cipher;
4353 const char *cipher_str[] = {
4354 TLS1_3_RFC_AES_128_GCM_SHA256,
4355 TLS1_3_RFC_AES_256_GCM_SHA384,
4356 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4357 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4361 TLS1_3_RFC_AES_128_CCM_SHA256,
4362 TLS1_3_RFC_AES_128_CCM_8_SHA256
4364 const unsigned char *cipher_bytes[] = {
4365 TLS13_AES_128_GCM_SHA256_BYTES,
4366 TLS13_AES_256_GCM_SHA384_BYTES,
4367 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4368 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4372 TLS13_AES_128_CCM_SHA256_BYTES,
4373 TLS13_AES_128_CCM_8_SHA256_BYTES
4376 if (cipher_str[idx] == NULL)
4378 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4379 if (idx == 2 && is_fips == 1)
4382 /* We always set this up with a final parameter of "2" for PSK */
4383 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4384 &serverssl, &sess, 2,
4385 SHA384_DIGEST_LENGTH)))
4389 /* CCM8 ciphers are considered low security due to their short tag */
4390 SSL_set_security_level(clientssl, 0);
4391 SSL_set_security_level(serverssl, 0);
4394 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4395 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4399 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4400 * and assigns to both client and server with incremented reference
4401 * and the same instance is updated in 'sess'.
4402 * So updating ciphersuite in 'sess' which will get reflected in
4403 * PSK handshake using psk use sess and find sess cb.
4405 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4406 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4409 SSL_set_connect_state(clientssl);
4410 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4414 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4416 SSL_READ_EARLY_DATA_SUCCESS)
4417 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4418 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4419 SSL_EARLY_DATA_ACCEPTED)
4420 || !TEST_int_eq(SSL_connect(clientssl), 1)
4421 || !TEST_int_eq(SSL_accept(serverssl), 1))
4424 /* Send some normal data from client to server */
4425 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4426 || !TEST_size_t_eq(written, strlen(MSG2)))
4429 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4430 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4435 SSL_SESSION_free(sess);
4436 SSL_SESSION_free(clientpsk);
4437 SSL_SESSION_free(serverpsk);
4438 clientpsk = serverpsk = NULL;
4439 if (clientssl != NULL)
4440 SSL_shutdown(clientssl);
4441 if (serverssl != NULL)
4442 SSL_shutdown(serverssl);
4443 SSL_free(serverssl);
4444 SSL_free(clientssl);
4451 * Test that a server that doesn't try to read early data can handle a
4452 * client sending some.
4454 static int test_early_data_not_expected(int idx)
4456 SSL_CTX *cctx = NULL, *sctx = NULL;
4457 SSL *clientssl = NULL, *serverssl = NULL;
4459 SSL_SESSION *sess = NULL;
4460 unsigned char buf[20];
4461 size_t readbytes, written;
4463 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4464 &serverssl, &sess, idx,
4465 SHA384_DIGEST_LENGTH)))
4468 /* Write some early data */
4469 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4474 * Server should skip over early data and then block waiting for client to
4475 * continue handshake
4477 if (!TEST_int_le(SSL_accept(serverssl), 0)
4478 || !TEST_int_gt(SSL_connect(clientssl), 0)
4479 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4480 SSL_EARLY_DATA_REJECTED)
4481 || !TEST_int_gt(SSL_accept(serverssl), 0)
4482 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4483 SSL_EARLY_DATA_REJECTED))
4486 /* Send some normal data from client to server */
4487 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4488 || !TEST_size_t_eq(written, strlen(MSG2)))
4491 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4492 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4498 SSL_SESSION_free(sess);
4499 SSL_SESSION_free(clientpsk);
4500 SSL_SESSION_free(serverpsk);
4501 clientpsk = serverpsk = NULL;
4502 SSL_free(serverssl);
4503 SSL_free(clientssl);
4510 # ifndef OPENSSL_NO_TLS1_2
4512 * Test that a server attempting to read early data can handle a connection
4513 * from a TLSv1.2 client.
4515 static int test_early_data_tls1_2(int idx)
4517 SSL_CTX *cctx = NULL, *sctx = NULL;
4518 SSL *clientssl = NULL, *serverssl = NULL;
4520 unsigned char buf[20];
4521 size_t readbytes, written;
4523 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4524 &serverssl, NULL, idx,
4525 SHA384_DIGEST_LENGTH)))
4528 /* Write some data - should block due to handshake with server */
4529 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4530 SSL_set_connect_state(clientssl);
4531 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4535 * Server should do TLSv1.2 handshake. First it will block waiting for more
4536 * messages from client after ServerDone. Then SSL_read_early_data should
4537 * finish and detect that early data has not been sent
4539 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4541 SSL_READ_EARLY_DATA_ERROR))
4545 * Continue writing the message we started earlier. Will still block waiting
4546 * for the CCS/Finished from server
4548 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4549 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4551 SSL_READ_EARLY_DATA_FINISH)
4552 || !TEST_size_t_eq(readbytes, 0)
4553 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4554 SSL_EARLY_DATA_NOT_SENT))
4557 /* Continue writing the message we started earlier */
4558 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4559 || !TEST_size_t_eq(written, strlen(MSG1))
4560 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4561 SSL_EARLY_DATA_NOT_SENT)
4562 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4563 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4564 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4565 || !TEST_size_t_eq(written, strlen(MSG2))
4566 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4567 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4573 SSL_SESSION_free(clientpsk);
4574 SSL_SESSION_free(serverpsk);
4575 clientpsk = serverpsk = NULL;
4576 SSL_free(serverssl);
4577 SSL_free(clientssl);
4583 # endif /* OPENSSL_NO_TLS1_2 */
4586 * Test configuring the TLSv1.3 ciphersuites
4588 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4589 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4590 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4591 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4592 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4593 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4594 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4595 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4596 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4597 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4599 static int test_set_ciphersuite(int idx)
4601 SSL_CTX *cctx = NULL, *sctx = NULL;
4602 SSL *clientssl = NULL, *serverssl = NULL;
4605 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4606 TLS_client_method(), TLS1_VERSION, 0,
4607 &sctx, &cctx, cert, privkey))
4608 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4609 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4612 if (idx >=4 && idx <= 7) {
4613 /* SSL_CTX explicit cipher list */
4614 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4618 if (idx == 0 || idx == 4) {
4619 /* Default ciphersuite */
4620 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4621 "TLS_AES_128_GCM_SHA256")))
4623 } else if (idx == 1 || idx == 5) {
4624 /* Non default ciphersuite */
4625 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4626 "TLS_AES_128_CCM_SHA256")))
4630 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4631 &clientssl, NULL, NULL)))
4634 if (idx == 8 || idx == 9) {
4635 /* SSL explicit cipher list */
4636 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4640 if (idx == 2 || idx == 6 || idx == 8) {
4641 /* Default ciphersuite */
4642 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4643 "TLS_AES_128_GCM_SHA256")))
4645 } else if (idx == 3 || idx == 7 || idx == 9) {
4646 /* Non default ciphersuite */
4647 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4648 "TLS_AES_128_CCM_SHA256")))
4652 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4658 SSL_free(serverssl);
4659 SSL_free(clientssl);
4666 static int test_ciphersuite_change(void)
4668 SSL_CTX *cctx = NULL, *sctx = NULL;
4669 SSL *clientssl = NULL, *serverssl = NULL;
4670 SSL_SESSION *clntsess = NULL;
4672 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4674 /* Create a session based on SHA-256 */
4675 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4676 TLS_client_method(), TLS1_VERSION, 0,
4677 &sctx, &cctx, cert, privkey))
4678 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4679 "TLS_AES_128_GCM_SHA256:"
4680 "TLS_AES_256_GCM_SHA384:"
4681 "TLS_AES_128_CCM_SHA256"))
4682 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4683 "TLS_AES_128_GCM_SHA256")))
4686 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4688 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4692 clntsess = SSL_get1_session(clientssl);
4693 /* Save for later */
4694 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4695 SSL_shutdown(clientssl);
4696 SSL_shutdown(serverssl);
4697 SSL_free(serverssl);
4698 SSL_free(clientssl);
4699 serverssl = clientssl = NULL;
4701 /* Check we can resume a session with a different SHA-256 ciphersuite */
4702 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4703 "TLS_AES_128_CCM_SHA256"))
4704 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4705 &clientssl, NULL, NULL))
4706 || !TEST_true(SSL_set_session(clientssl, clntsess))
4707 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4709 || !TEST_true(SSL_session_reused(clientssl)))
4712 SSL_SESSION_free(clntsess);
4713 clntsess = SSL_get1_session(clientssl);
4714 SSL_shutdown(clientssl);
4715 SSL_shutdown(serverssl);
4716 SSL_free(serverssl);
4717 SSL_free(clientssl);
4718 serverssl = clientssl = NULL;
4721 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4722 * succeeds but does not resume.
4724 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4725 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4727 || !TEST_true(SSL_set_session(clientssl, clntsess))
4728 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4730 || !TEST_false(SSL_session_reused(clientssl)))
4733 SSL_SESSION_free(clntsess);
4735 SSL_shutdown(clientssl);
4736 SSL_shutdown(serverssl);
4737 SSL_free(serverssl);
4738 SSL_free(clientssl);
4739 serverssl = clientssl = NULL;
4741 /* Create a session based on SHA384 */
4742 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4743 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4744 &clientssl, NULL, NULL))
4745 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4749 clntsess = SSL_get1_session(clientssl);
4750 SSL_shutdown(clientssl);
4751 SSL_shutdown(serverssl);
4752 SSL_free(serverssl);
4753 SSL_free(clientssl);
4754 serverssl = clientssl = NULL;
4756 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4757 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4758 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4759 "TLS_AES_256_GCM_SHA384"))
4760 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4762 || !TEST_true(SSL_set_session(clientssl, clntsess))
4764 * We use SSL_ERROR_WANT_READ below so that we can pause the
4765 * connection after the initial ClientHello has been sent to
4766 * enable us to make some session changes.
4768 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4769 SSL_ERROR_WANT_READ)))
4772 /* Trick the client into thinking this session is for a different digest */
4773 clntsess->cipher = aes_128_gcm_sha256;
4774 clntsess->cipher_id = clntsess->cipher->id;
4777 * Continue the previously started connection. Server has selected a SHA-384
4778 * ciphersuite, but client thinks the session is for SHA-256, so it should
4781 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4783 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4784 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4790 SSL_SESSION_free(clntsess);
4791 SSL_free(serverssl);
4792 SSL_free(clientssl);
4800 * Test TLSv1.3 Key exchange
4801 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4802 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4803 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4804 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4805 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4806 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4807 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4808 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4809 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4810 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4811 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4812 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4813 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4814 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4816 # ifndef OPENSSL_NO_EC
4817 static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4819 # ifndef OPENSSL_NO_ECX
4820 NID_X25519, NID_X448
4824 # ifndef OPENSSL_NO_DH
4825 static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4826 NID_ffdhe6144, NID_ffdhe8192};
4828 static int test_key_exchange(int idx)
4830 SSL_CTX *sctx = NULL, *cctx = NULL;
4831 SSL *serverssl = NULL, *clientssl = NULL;
4834 int *kexch_groups = &kexch_alg;
4835 int kexch_groups_size = 1;
4836 int max_version = TLS1_3_VERSION;
4837 char *kexch_name0 = NULL;
4840 # ifndef OPENSSL_NO_EC
4841 # ifndef OPENSSL_NO_TLS1_2
4843 max_version = TLS1_2_VERSION;
4847 kexch_groups = ecdhe_kexch_groups;
4848 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4849 kexch_name0 = "secp256r1";
4852 kexch_alg = NID_X9_62_prime256v1;
4853 kexch_name0 = "secp256r1";
4856 kexch_alg = NID_secp384r1;
4857 kexch_name0 = "secp384r1";
4860 kexch_alg = NID_secp521r1;
4861 kexch_name0 = "secp521r1";
4863 # ifndef OPENSSL_NO_ECX
4865 kexch_alg = NID_X25519;
4866 kexch_name0 = "x25519";
4869 kexch_alg = NID_X448;
4870 kexch_name0 = "x448";
4874 # ifndef OPENSSL_NO_DH
4875 # ifndef OPENSSL_NO_TLS1_2
4877 max_version = TLS1_2_VERSION;
4878 kexch_name0 = "ffdhe2048";
4882 kexch_groups = ffdhe_kexch_groups;
4883 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4884 kexch_name0 = "ffdhe2048";
4887 kexch_alg = NID_ffdhe2048;
4888 kexch_name0 = "ffdhe2048";
4891 kexch_alg = NID_ffdhe3072;
4892 kexch_name0 = "ffdhe3072";
4895 kexch_alg = NID_ffdhe4096;
4896 kexch_name0 = "ffdhe4096";
4899 kexch_alg = NID_ffdhe6144;
4900 kexch_name0 = "ffdhe6144";
4903 kexch_alg = NID_ffdhe8192;
4904 kexch_name0 = "ffdhe8192";
4908 /* We're skipping this test */
4912 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4913 TLS_client_method(), TLS1_VERSION,
4914 max_version, &sctx, &cctx, cert,
4918 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4919 TLS1_3_RFC_AES_128_GCM_SHA256)))
4922 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4923 TLS1_3_RFC_AES_128_GCM_SHA256)))
4926 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4927 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4928 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4929 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4933 * Must include an EC ciphersuite so that we send supported groups in
4936 # ifndef OPENSSL_NO_TLS1_2
4937 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4938 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4939 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4943 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4947 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4948 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4951 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4955 * If Handshake succeeds the negotiated kexch alg should be the first one in
4956 * configured, except in the case of FFDHE groups (idx 13), which are
4957 * TLSv1.3 only so we expect no shared group to exist.
4959 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
4960 idx == 13 ? 0 : kexch_groups[0]))
4963 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
4967 /* We don't implement RFC 7919 named groups for TLS 1.2. */
4969 if (!TEST_str_eq(SSL_get0_group_name(serverssl), kexch_name0)
4970 || !TEST_str_eq(SSL_get0_group_name(clientssl), kexch_name0))
4972 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4974 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4980 SSL_free(serverssl);
4981 SSL_free(clientssl);
4987 # if !defined(OPENSSL_NO_TLS1_2) \
4988 && !defined(OPENSSL_NO_EC) \
4989 && !defined(OPENSSL_NO_DH)
4990 static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
4991 int isecdhe, int idx)
4994 int *kexch_groups = &kexch_alg;
4997 numec = OSSL_NELEM(ecdhe_kexch_groups);
4998 numff = OSSL_NELEM(ffdhe_kexch_groups);
5000 kexch_alg = ecdhe_kexch_groups[idx];
5002 kexch_alg = ffdhe_kexch_groups[idx];
5005 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
5008 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
5012 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
5017 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
5020 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
5024 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
5033 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
5034 * Run through both the ECDHE and FFDHE group lists used in the previous
5035 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
5036 * confirming the expected result; then perform a resumption handshake
5037 * while offering the same group list, and another resumption handshake
5038 * offering a different group list. The returned value should be the
5039 * negotiated group for the initial handshake; for TLS 1.3 resumption
5040 * handshakes the returned value will be negotiated on the resumption
5041 * handshake itself, but for TLS 1.2 resumption handshakes the value will
5042 * be cached in the session from the original handshake, regardless of what
5043 * was offered in the resumption ClientHello.
5045 * Using E for the number of EC groups and F for the number of FF groups:
5046 * E tests of ECDHE with TLS 1.3, server only has one group
5047 * F tests of FFDHE with TLS 1.3, server only has one group
5048 * E tests of ECDHE with TLS 1.2, server only has one group
5049 * F tests of FFDHE with TLS 1.2, server only has one group
5050 * E tests of ECDHE with TLS 1.3, client sends only one group
5051 * F tests of FFDHE with TLS 1.3, client sends only one group
5052 * E tests of ECDHE with TLS 1.2, client sends only one group
5053 * F tests of FFDHE with TLS 1.2, client sends only one group
5055 static int test_negotiated_group(int idx)
5057 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
5059 SSL_CTX *sctx = NULL, *cctx = NULL;
5060 SSL *serverssl = NULL, *clientssl = NULL;
5061 SSL_SESSION *origsess = NULL;
5064 int max_version = TLS1_3_VERSION;
5066 numec = OSSL_NELEM(ecdhe_kexch_groups);
5067 numff = OSSL_NELEM(ffdhe_kexch_groups);
5068 numgroups = numec + numff;
5069 clientmulti = (idx < 2 * numgroups);
5070 idx = idx % (2 * numgroups);
5071 istls13 = (idx < numgroups);
5072 idx = idx % numgroups;
5073 isecdhe = (idx < numec);
5076 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
5078 kexch_alg = ecdhe_kexch_groups[idx];
5080 kexch_alg = ffdhe_kexch_groups[idx];
5081 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
5082 if (!istls13 && !isecdhe)
5083 expectednid = NID_undef;
5085 expectednid = kexch_alg;
5088 max_version = TLS1_2_VERSION;
5090 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5091 TLS_client_method(), TLS1_VERSION,
5092 max_version, &sctx, &cctx, cert,
5097 * Force (EC)DHE ciphers for TLS 1.2.
5098 * Be sure to enable auto tmp DH so that FFDHE can succeed.
5100 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
5101 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5102 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
5103 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
5105 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5106 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5107 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
5110 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5114 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
5118 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5121 /* Initial handshake; always the configured one */
5122 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5123 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5126 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
5129 SSL_shutdown(clientssl);
5130 SSL_shutdown(serverssl);
5131 SSL_free(serverssl);
5132 SSL_free(clientssl);
5133 serverssl = clientssl = NULL;
5135 /* First resumption attempt; use the same config as initial handshake */
5136 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5138 || !TEST_true(SSL_set_session(clientssl, origsess))
5139 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5143 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5144 || !TEST_true(SSL_session_reused(clientssl)))
5147 /* Still had better agree, since nothing changed... */
5148 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5149 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5152 SSL_shutdown(clientssl);
5153 SSL_shutdown(serverssl);
5154 SSL_free(serverssl);
5155 SSL_free(clientssl);
5156 serverssl = clientssl = NULL;
5159 * Second resumption attempt
5160 * The party that picks one group changes it, which we effectuate by
5161 * changing 'idx' and updating what we expect.
5169 expectednid = ecdhe_kexch_groups[idx];
5171 expectednid = ffdhe_kexch_groups[idx];
5172 /* Verify that we are changing what we expect. */
5173 if (!TEST_int_ne(expectednid, kexch_alg))
5176 /* TLS 1.2 only supports named groups for ECDHE. */
5178 expectednid = kexch_alg;
5182 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5184 || !TEST_true(SSL_set_session(clientssl, origsess))
5185 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5189 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5190 || !TEST_true(SSL_session_reused(clientssl)))
5193 /* Check that we get what we expected */
5194 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5195 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5200 SSL_free(serverssl);
5201 SSL_free(clientssl);
5204 SSL_SESSION_free(origsess);
5207 # endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
5210 * Test TLSv1.3 Cipher Suite
5211 * Test 0 = Set TLS1.3 cipher on context
5212 * Test 1 = Set TLS1.3 cipher on SSL
5213 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
5214 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
5216 static int test_tls13_ciphersuite(int idx)
5218 SSL_CTX *sctx = NULL, *cctx = NULL;
5219 SSL *serverssl = NULL, *clientssl = NULL;
5220 static const struct {
5221 const char *ciphername;
5225 { TLS1_3_RFC_AES_128_GCM_SHA256, 1, 0 },
5226 { TLS1_3_RFC_AES_256_GCM_SHA384, 1, 0 },
5227 { TLS1_3_RFC_AES_128_CCM_SHA256, 1, 0 },
5228 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5229 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5230 { TLS1_3_RFC_AES_256_GCM_SHA384
5231 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5233 /* CCM8 ciphers are considered low security due to their short tag */
5234 { TLS1_3_RFC_AES_128_CCM_8_SHA256
5235 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1, 1 }
5237 const char *t13_cipher = NULL;
5238 const char *t12_cipher = NULL;
5239 const char *negotiated_scipher;
5240 const char *negotiated_ccipher;
5256 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5260 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5264 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
5265 # ifdef OPENSSL_NO_TLS1_2
5266 if (max_ver == TLS1_2_VERSION)
5269 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
5270 if (is_fips && !t13_ciphers[i].fipscapable)
5272 t13_cipher = t13_ciphers[i].ciphername;
5273 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5274 TLS_client_method(),
5275 TLS1_VERSION, max_ver,
5276 &sctx, &cctx, cert, privkey)))
5279 if (t13_ciphers[i].low_security) {
5280 SSL_CTX_set_security_level(sctx, 0);
5281 SSL_CTX_set_security_level(cctx, 0);
5285 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
5286 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
5288 if (t12_cipher != NULL) {
5289 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
5290 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
5296 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5297 &clientssl, NULL, NULL)))
5301 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5302 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5304 if (t12_cipher != NULL) {
5305 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5306 || !TEST_true(SSL_set_cipher_list(clientssl,
5312 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5316 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5318 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5320 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5324 * TEST_strn_eq is used below because t13_cipher can contain
5325 * multiple ciphersuites
5327 if (max_ver == TLS1_3_VERSION
5328 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5329 strlen(negotiated_scipher)))
5332 # ifndef OPENSSL_NO_TLS1_2
5333 /* Below validation is not done when t12_cipher is NULL */
5334 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5335 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5339 SSL_free(serverssl);
5341 SSL_free(clientssl);
5352 SSL_free(serverssl);
5353 SSL_free(clientssl);
5361 * Test 0 = Test new style callbacks
5362 * Test 1 = Test both new and old style callbacks
5363 * Test 2 = Test old style callbacks
5364 * Test 3 = Test old style callbacks with no certificate
5366 static int test_tls13_psk(int idx)
5368 SSL_CTX *sctx = NULL, *cctx = NULL;
5369 SSL *serverssl = NULL, *clientssl = NULL;
5370 const SSL_CIPHER *cipher = NULL;
5371 const unsigned char key[] = {
5372 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5373 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
5374 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5375 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
5379 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5380 TLS_client_method(), TLS1_VERSION, 0,
5381 &sctx, &cctx, idx == 3 ? NULL : cert,
5382 idx == 3 ? NULL : privkey)))
5387 * We use a ciphersuite with SHA256 to ease testing old style PSK
5388 * callbacks which will always default to SHA256. This should not be
5389 * necessary if we have no cert/priv key. In that case the server should
5390 * prefer SHA256 automatically.
5392 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5393 "TLS_AES_128_GCM_SHA256")))
5397 * As noted above the server should prefer SHA256 automatically. However
5398 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5399 * code works even if we are testing with only the FIPS provider loaded.
5401 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5402 "TLS_AES_256_GCM_SHA384:"
5403 "TLS_AES_128_GCM_SHA256")))
5408 * Test 0: New style callbacks only
5409 * Test 1: New and old style callbacks (only the new ones should be used)
5410 * Test 2: Old style callbacks only
5412 if (idx == 0 || idx == 1) {
5413 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5414 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5416 #ifndef OPENSSL_NO_PSK
5418 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5419 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5423 use_session_cb_cnt = 0;
5424 find_session_cb_cnt = 0;
5425 psk_client_cb_cnt = 0;
5426 psk_server_cb_cnt = 0;
5430 * Check we can create a connection if callback decides not to send a
5433 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5435 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5437 || !TEST_false(SSL_session_reused(clientssl))
5438 || !TEST_false(SSL_session_reused(serverssl)))
5441 if (idx == 0 || idx == 1) {
5442 if (!TEST_true(use_session_cb_cnt == 1)
5443 || !TEST_true(find_session_cb_cnt == 0)
5445 * If no old style callback then below should be 0
5448 || !TEST_true(psk_client_cb_cnt == idx)
5449 || !TEST_true(psk_server_cb_cnt == 0))
5452 if (!TEST_true(use_session_cb_cnt == 0)
5453 || !TEST_true(find_session_cb_cnt == 0)
5454 || !TEST_true(psk_client_cb_cnt == 1)
5455 || !TEST_true(psk_server_cb_cnt == 0))
5459 shutdown_ssl_connection(serverssl, clientssl);
5460 serverssl = clientssl = NULL;
5461 use_session_cb_cnt = psk_client_cb_cnt = 0;
5464 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5468 /* Create the PSK */
5469 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
5470 clientpsk = SSL_SESSION_new();
5471 if (!TEST_ptr(clientpsk)
5472 || !TEST_ptr(cipher)
5473 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5475 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5476 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5478 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
5480 serverpsk = clientpsk;
5482 /* Check we can create a connection and the PSK is used */
5483 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5484 || !TEST_true(SSL_session_reused(clientssl))
5485 || !TEST_true(SSL_session_reused(serverssl)))
5488 if (idx == 0 || idx == 1) {
5489 if (!TEST_true(use_session_cb_cnt == 1)
5490 || !TEST_true(find_session_cb_cnt == 1)
5491 || !TEST_true(psk_client_cb_cnt == 0)
5492 || !TEST_true(psk_server_cb_cnt == 0))
5495 if (!TEST_true(use_session_cb_cnt == 0)
5496 || !TEST_true(find_session_cb_cnt == 0)
5497 || !TEST_true(psk_client_cb_cnt == 1)
5498 || !TEST_true(psk_server_cb_cnt == 1))
5502 shutdown_ssl_connection(serverssl, clientssl);
5503 serverssl = clientssl = NULL;
5504 use_session_cb_cnt = find_session_cb_cnt = 0;
5505 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5507 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5512 #if defined(OPENSSL_NO_EC)
5513 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5516 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
5521 * Check we can create a connection, the PSK is used and the callbacks are
5524 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5525 || !TEST_true(SSL_session_reused(clientssl))
5526 || !TEST_true(SSL_session_reused(serverssl)))
5529 if (idx == 0 || idx == 1) {
5530 if (!TEST_true(use_session_cb_cnt == 2)
5531 || !TEST_true(find_session_cb_cnt == 2)
5532 || !TEST_true(psk_client_cb_cnt == 0)
5533 || !TEST_true(psk_server_cb_cnt == 0))
5536 if (!TEST_true(use_session_cb_cnt == 0)
5537 || !TEST_true(find_session_cb_cnt == 0)
5538 || !TEST_true(psk_client_cb_cnt == 2)
5539 || !TEST_true(psk_server_cb_cnt == 2))
5543 shutdown_ssl_connection(serverssl, clientssl);
5544 serverssl = clientssl = NULL;
5545 use_session_cb_cnt = find_session_cb_cnt = 0;
5546 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5550 * Check that if the server rejects the PSK we can still connect, but with
5553 srvid = "Dummy Identity";
5554 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5556 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5558 || !TEST_false(SSL_session_reused(clientssl))
5559 || !TEST_false(SSL_session_reused(serverssl)))
5562 if (idx == 0 || idx == 1) {
5563 if (!TEST_true(use_session_cb_cnt == 1)
5564 || !TEST_true(find_session_cb_cnt == 1)
5565 || !TEST_true(psk_client_cb_cnt == 0)
5567 * If no old style callback then below should be 0
5570 || !TEST_true(psk_server_cb_cnt == idx))
5573 if (!TEST_true(use_session_cb_cnt == 0)
5574 || !TEST_true(find_session_cb_cnt == 0)
5575 || !TEST_true(psk_client_cb_cnt == 1)
5576 || !TEST_true(psk_server_cb_cnt == 1))
5580 shutdown_ssl_connection(serverssl, clientssl);
5581 serverssl = clientssl = NULL;
5586 SSL_SESSION_free(clientpsk);
5587 SSL_SESSION_free(serverpsk);
5588 clientpsk = serverpsk = NULL;
5589 SSL_free(serverssl);
5590 SSL_free(clientssl);
5596 static unsigned char cookie_magic_value[] = "cookie magic";
5598 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5599 unsigned int *cookie_len)
5602 * Not suitable as a real cookie generation function but good enough for
5605 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5606 *cookie_len = sizeof(cookie_magic_value) - 1;
5611 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5612 unsigned int cookie_len)
5614 if (cookie_len == sizeof(cookie_magic_value) - 1
5615 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5621 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5625 int res = generate_cookie_callback(ssl, cookie, &temp);
5630 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5633 return verify_cookie_callback(ssl, cookie, cookie_len);
5636 static int test_stateless(void)
5638 SSL_CTX *sctx = NULL, *cctx = NULL;
5639 SSL *serverssl = NULL, *clientssl = NULL;
5642 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5643 TLS_client_method(), TLS1_VERSION, 0,
5644 &sctx, &cctx, cert, privkey)))
5647 /* The arrival of CCS messages can confuse the test */
5648 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5650 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5652 /* Send the first ClientHello */
5653 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5654 SSL_ERROR_WANT_READ))
5656 * This should fail with a -1 return because we have no callbacks
5659 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5662 /* Fatal error so abandon the connection from this client */
5663 SSL_free(clientssl);
5666 /* Set up the cookie generation and verification callbacks */
5667 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5668 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
5671 * Create a new connection from the client (we can reuse the server SSL
5674 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5676 /* Send the first ClientHello */
5677 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5678 SSL_ERROR_WANT_READ))
5679 /* This should fail because there is no cookie */
5680 || !TEST_int_eq(SSL_stateless(serverssl), 0))
5683 /* Abandon the connection from this client */
5684 SSL_free(clientssl);
5688 * Now create a connection from a new client but with the same server SSL
5691 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5693 /* Send the first ClientHello */
5694 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5695 SSL_ERROR_WANT_READ))
5696 /* This should fail because there is no cookie */
5697 || !TEST_int_eq(SSL_stateless(serverssl), 0)
5698 /* Send the second ClientHello */
5699 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5700 SSL_ERROR_WANT_READ))
5701 /* This should succeed because a cookie is now present */
5702 || !TEST_int_eq(SSL_stateless(serverssl), 1)
5703 /* Complete the connection */
5704 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5708 shutdown_ssl_connection(serverssl, clientssl);
5709 serverssl = clientssl = NULL;
5713 SSL_free(serverssl);
5714 SSL_free(clientssl);
5720 #endif /* OSSL_NO_USABLE_TLS1_3 */
5722 static int clntaddoldcb = 0;
5723 static int clntparseoldcb = 0;
5724 static int srvaddoldcb = 0;
5725 static int srvparseoldcb = 0;
5726 static int clntaddnewcb = 0;
5727 static int clntparsenewcb = 0;
5728 static int srvaddnewcb = 0;
5729 static int srvparsenewcb = 0;
5730 static int snicb = 0;
5732 #define TEST_EXT_TYPE1 0xff00
5734 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5735 size_t *outlen, int *al, void *add_arg)
5737 int *server = (int *)add_arg;
5738 unsigned char *data;
5740 if (SSL_is_server(s))
5745 if (*server != SSL_is_server(s)
5746 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5751 *outlen = sizeof(char);
5755 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5758 OPENSSL_free((unsigned char *)out);
5761 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5762 size_t inlen, int *al, void *parse_arg)
5764 int *server = (int *)parse_arg;
5766 if (SSL_is_server(s))
5771 if (*server != SSL_is_server(s)
5772 || inlen != sizeof(char)
5779 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5780 const unsigned char **out, size_t *outlen, X509 *x,
5781 size_t chainidx, int *al, void *add_arg)
5783 int *server = (int *)add_arg;
5784 unsigned char *data;
5786 if (SSL_is_server(s))
5791 if (*server != SSL_is_server(s)
5792 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5797 *outlen = sizeof(*data);
5801 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5802 const unsigned char *out, void *add_arg)
5804 OPENSSL_free((unsigned char *)out);
5807 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5808 const unsigned char *in, size_t inlen, X509 *x,
5809 size_t chainidx, int *al, void *parse_arg)
5811 int *server = (int *)parse_arg;
5813 if (SSL_is_server(s))
5818 if (*server != SSL_is_server(s)
5819 || inlen != sizeof(char) || *in != 1)
5825 static int sni_cb(SSL *s, int *al, void *arg)
5827 SSL_CTX *ctx = (SSL_CTX *)arg;
5829 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5830 *al = SSL_AD_INTERNAL_ERROR;
5831 return SSL_TLSEXT_ERR_ALERT_FATAL;
5834 return SSL_TLSEXT_ERR_OK;
5837 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
5843 * Custom call back tests.
5844 * Test 0: Old style callbacks in TLSv1.2
5845 * Test 1: New style callbacks in TLSv1.2
5846 * Test 2: New style callbacks in TLSv1.2 with SNI
5847 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5848 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
5849 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
5851 static int test_custom_exts(int tst)
5853 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5854 SSL *clientssl = NULL, *serverssl = NULL;
5856 static int server = 1;
5857 static int client = 0;
5858 SSL_SESSION *sess = NULL;
5859 unsigned int context;
5861 #if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
5862 /* Skip tests for TLSv1.2 and below in this case */
5867 /* Reset callback counters */
5868 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5869 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
5872 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5873 TLS_client_method(), TLS1_VERSION, 0,
5874 &sctx, &cctx, cert, privkey)))
5878 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5880 &sctx2, NULL, cert, privkey)))
5885 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5886 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
5888 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
5892 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
5893 | SSL_EXT_TLS1_3_CERTIFICATE;
5894 SSL_CTX_set_verify(sctx,
5895 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
5897 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
5898 SSL_FILETYPE_PEM), 1)
5899 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
5900 SSL_FILETYPE_PEM), 1)
5901 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
5903 } else if (tst == 4) {
5904 context = SSL_EXT_CLIENT_HELLO
5905 | SSL_EXT_TLS1_2_SERVER_HELLO
5906 | SSL_EXT_TLS1_3_SERVER_HELLO
5907 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5908 | SSL_EXT_TLS1_3_CERTIFICATE
5909 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5911 context = SSL_EXT_CLIENT_HELLO
5912 | SSL_EXT_TLS1_2_SERVER_HELLO
5913 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5916 /* Create a client side custom extension */
5918 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5919 old_add_cb, old_free_cb,
5920 &client, old_parse_cb,
5924 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5925 new_add_cb, new_free_cb,
5926 &client, new_parse_cb, &client)))
5930 /* Should not be able to add duplicates */
5931 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5932 old_add_cb, old_free_cb,
5933 &client, old_parse_cb,
5935 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5936 context, new_add_cb,
5937 new_free_cb, &client,
5938 new_parse_cb, &client)))
5941 /* Create a server side custom extension */
5943 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5944 old_add_cb, old_free_cb,
5945 &server, old_parse_cb,
5949 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5950 new_add_cb, new_free_cb,
5951 &server, new_parse_cb, &server)))
5954 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5955 context, new_add_cb,
5956 new_free_cb, &server,
5957 new_parse_cb, &server)))
5961 /* Should not be able to add duplicates */
5962 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5963 old_add_cb, old_free_cb,
5964 &server, old_parse_cb,
5966 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5967 context, new_add_cb,
5968 new_free_cb, &server,
5969 new_parse_cb, &server)))
5974 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5975 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5979 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5980 &clientssl, NULL, NULL))
5981 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5986 if (clntaddoldcb != 1
5987 || clntparseoldcb != 1
5989 || srvparseoldcb != 1)
5991 } else if (tst == 1 || tst == 2 || tst == 3) {
5992 if (clntaddnewcb != 1
5993 || clntparsenewcb != 1
5995 || srvparsenewcb != 1
5996 || (tst != 2 && snicb != 0)
5997 || (tst == 2 && snicb != 1))
5999 } else if (tst == 5) {
6000 if (clntaddnewcb != 1
6001 || clntparsenewcb != 1
6003 || srvparsenewcb != 1)
6006 /* In this case there 2 NewSessionTicket messages created */
6007 if (clntaddnewcb != 1
6008 || clntparsenewcb != 5
6010 || srvparsenewcb != 1)
6014 sess = SSL_get1_session(clientssl);
6015 SSL_shutdown(clientssl);
6016 SSL_shutdown(serverssl);
6017 SSL_free(serverssl);
6018 SSL_free(clientssl);
6019 serverssl = clientssl = NULL;
6021 if (tst == 3 || tst == 5) {
6022 /* We don't bother with the resumption aspects for these tests */
6027 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6029 || !TEST_true(SSL_set_session(clientssl, sess))
6030 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6035 * For a resumed session we expect to add the ClientHello extension. For the
6036 * old style callbacks we ignore it on the server side because they set
6037 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
6041 if (clntaddoldcb != 2
6042 || clntparseoldcb != 1
6044 || srvparseoldcb != 1)
6046 } else if (tst == 1 || tst == 2 || tst == 3) {
6047 if (clntaddnewcb != 2
6048 || clntparsenewcb != 2
6050 || srvparsenewcb != 2)
6054 * No Certificate message extensions in the resumption handshake,
6055 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
6057 if (clntaddnewcb != 2
6058 || clntparsenewcb != 8
6060 || srvparsenewcb != 2)
6067 SSL_SESSION_free(sess);
6068 SSL_free(serverssl);
6069 SSL_free(clientssl);
6070 SSL_CTX_free(sctx2);
6076 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
6078 #define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \
6079 | SSL_EXT_CLIENT_HELLO \
6080 | SSL_EXT_TLS1_2_SERVER_HELLO \
6081 | SSL_EXT_IGNORE_ON_RESUMPTION)
6083 #define TLS13CONTEXT (SSL_EXT_TLS1_3_CERTIFICATE \
6084 | SSL_EXT_TLS1_2_SERVER_HELLO \
6085 | SSL_EXT_CLIENT_HELLO)
6087 #define SERVERINFO_CUSTOM \
6088 0x00, (char)TLSEXT_TYPE_signed_certificate_timestamp, \
6092 static const unsigned char serverinfo_custom_tls13[] = {
6093 0x00, 0x00, (TLS13CONTEXT >> 8) & 0xff, TLS13CONTEXT & 0xff,
6096 static const unsigned char serverinfo_custom_v2[] = {
6097 0x00, 0x00, (SYNTHV1CONTEXT >> 8) & 0xff, SYNTHV1CONTEXT & 0xff,
6100 static const unsigned char serverinfo_custom_v1[] = {
6103 static const size_t serverinfo_custom_tls13_len = sizeof(serverinfo_custom_tls13);
6104 static const size_t serverinfo_custom_v2_len = sizeof(serverinfo_custom_v2);
6105 static const size_t serverinfo_custom_v1_len = sizeof(serverinfo_custom_v1);
6107 static int serverinfo_custom_parse_cb(SSL *s, unsigned int ext_type,
6108 unsigned int context,
6109 const unsigned char *in,
6110 size_t inlen, X509 *x,
6111 size_t chainidx, int *al,
6114 const size_t len = serverinfo_custom_v1_len;
6115 const unsigned char *si = &serverinfo_custom_v1[len - 3];
6116 int *p_cb_result = (int*)parse_arg;
6117 *p_cb_result = TEST_mem_eq(in, inlen, si, 3);
6121 static int test_serverinfo_custom(const int idx)
6123 SSL_CTX *sctx = NULL, *cctx = NULL;
6124 SSL *clientssl = NULL, *serverssl = NULL;
6129 * Following variables are set in the switch statement
6130 * according to the test iteration.
6131 * Default values do not make much sense: test would fail with them.
6133 int serverinfo_version = 0;
6134 int protocol_version = 0;
6135 unsigned int extension_context = 0;
6136 const unsigned char *si = NULL;
6139 const int call_use_serverinfo_ex = idx > 0;
6141 case 0: /* FALLTHROUGH */
6143 serverinfo_version = SSL_SERVERINFOV1;
6144 protocol_version = TLS1_2_VERSION;
6145 extension_context = SYNTHV1CONTEXT;
6146 si = serverinfo_custom_v1;
6147 si_len = serverinfo_custom_v1_len;
6150 serverinfo_version = SSL_SERVERINFOV2;
6151 protocol_version = TLS1_2_VERSION;
6152 extension_context = SYNTHV1CONTEXT;
6153 si = serverinfo_custom_v2;
6154 si_len = serverinfo_custom_v2_len;
6157 serverinfo_version = SSL_SERVERINFOV2;
6158 protocol_version = TLS1_3_VERSION;
6159 extension_context = TLS13CONTEXT;
6160 si = serverinfo_custom_tls13;
6161 si_len = serverinfo_custom_tls13_len;
6165 if (!TEST_true(create_ssl_ctx_pair(libctx,
6170 &sctx, &cctx, cert, privkey)))
6173 if (call_use_serverinfo_ex) {
6174 if (!TEST_true(SSL_CTX_use_serverinfo_ex(sctx, serverinfo_version,
6178 if (!TEST_true(SSL_CTX_use_serverinfo(sctx, si, si_len)))
6182 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TLSEXT_TYPE_signed_certificate_timestamp,
6185 serverinfo_custom_parse_cb,
6187 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6189 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6191 || !TEST_int_eq(SSL_do_handshake(clientssl), 1))
6194 if (!TEST_true(cb_result))
6200 SSL_free(serverssl);
6201 SSL_free(clientssl);
6210 * Test that SSL_export_keying_material() produces expected results. There are
6211 * no test vectors so all we do is test that both sides of the communication
6212 * produce the same results for different protocol versions.
6214 #define SMALL_LABEL_LEN 10
6215 #define LONG_LABEL_LEN 249
6216 static int test_export_key_mat(int tst)
6219 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
6220 SSL *clientssl = NULL, *serverssl = NULL;
6221 const char label[LONG_LABEL_LEN + 1] = "test label";
6222 const unsigned char context[] = "context";
6223 const unsigned char *emptycontext = NULL;
6224 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
6225 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
6227 const int protocols[] = {
6236 #ifdef OPENSSL_NO_TLS1
6240 #ifdef OPENSSL_NO_TLS1_1
6244 if (is_fips && (tst == 0 || tst == 1))
6246 #ifdef OPENSSL_NO_TLS1_2
6250 #ifdef OSSL_NO_USABLE_TLS1_3
6254 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6255 TLS_client_method(), TLS1_VERSION, 0,
6256 &sctx, &cctx, cert, privkey)))
6259 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
6260 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
6261 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
6262 if ((protocols[tst] < TLS1_2_VERSION) &&
6263 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
6264 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
6267 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6272 * Premature call of SSL_export_keying_material should just fail.
6274 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6275 sizeof(ckeymat1), label,
6276 SMALL_LABEL_LEN + 1, context,
6277 sizeof(context) - 1, 1), 0))
6280 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6286 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
6289 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6290 sizeof(ckeymat1), label,
6291 LONG_LABEL_LEN + 1, context,
6292 sizeof(context) - 1, 1), 0))
6297 } else if (tst == 4) {
6298 labellen = LONG_LABEL_LEN;
6300 labellen = SMALL_LABEL_LEN;
6303 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
6304 sizeof(ckeymat1), label,
6306 sizeof(context) - 1, 1), 1)
6307 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
6308 sizeof(ckeymat2), label,
6312 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
6313 sizeof(ckeymat3), label,
6316 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
6317 sizeof(skeymat1), label,
6320 sizeof(context) -1, 1),
6322 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
6323 sizeof(skeymat2), label,
6327 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
6328 sizeof(skeymat3), label,
6332 * Check that both sides created the same key material with the
6335 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6338 * Check that both sides created the same key material with an
6341 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6344 * Check that both sides created the same key material without a
6347 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
6349 /* Different contexts should produce different results */
6350 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6355 * Check that an empty context and no context produce different results in
6356 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6358 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
6360 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
6367 SSL_free(serverssl);
6368 SSL_free(clientssl);
6369 SSL_CTX_free(sctx2);
6376 #ifndef OSSL_NO_USABLE_TLS1_3
6378 * Test that SSL_export_keying_material_early() produces expected
6379 * results. There are no test vectors so all we do is test that both
6380 * sides of the communication produce the same results for different
6381 * protocol versions.
6383 static int test_export_key_mat_early(int idx)
6385 static const char label[] = "test label";
6386 static const unsigned char context[] = "context";
6388 SSL_CTX *cctx = NULL, *sctx = NULL;
6389 SSL *clientssl = NULL, *serverssl = NULL;
6390 SSL_SESSION *sess = NULL;
6391 const unsigned char *emptycontext = NULL;
6392 unsigned char ckeymat1[80], ckeymat2[80];
6393 unsigned char skeymat1[80], skeymat2[80];
6394 unsigned char buf[1];
6395 size_t readbytes, written;
6397 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
6398 &sess, idx, SHA384_DIGEST_LENGTH)))
6401 /* Here writing 0 length early data is enough. */
6402 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6403 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6405 SSL_READ_EARLY_DATA_ERROR)
6406 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6407 SSL_EARLY_DATA_ACCEPTED))
6410 if (!TEST_int_eq(SSL_export_keying_material_early(
6411 clientssl, ckeymat1, sizeof(ckeymat1), label,
6412 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6413 || !TEST_int_eq(SSL_export_keying_material_early(
6414 clientssl, ckeymat2, sizeof(ckeymat2), label,
6415 sizeof(label) - 1, emptycontext, 0), 1)
6416 || !TEST_int_eq(SSL_export_keying_material_early(
6417 serverssl, skeymat1, sizeof(skeymat1), label,
6418 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6419 || !TEST_int_eq(SSL_export_keying_material_early(
6420 serverssl, skeymat2, sizeof(skeymat2), label,
6421 sizeof(label) - 1, emptycontext, 0), 1)
6423 * Check that both sides created the same key material with the
6426 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6429 * Check that both sides created the same key material with an
6432 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6434 /* Different contexts should produce different results */
6435 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6442 SSL_SESSION_free(sess);
6443 SSL_SESSION_free(clientpsk);
6444 SSL_SESSION_free(serverpsk);
6445 clientpsk = serverpsk = NULL;
6446 SSL_free(serverssl);
6447 SSL_free(clientssl);
6454 #define NUM_KEY_UPDATE_MESSAGES 40
6458 static int test_key_update(void)
6460 SSL_CTX *cctx = NULL, *sctx = NULL;
6461 SSL *clientssl = NULL, *serverssl = NULL;
6462 int testresult = 0, i, j;
6464 static char *mess = "A test message";
6466 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6467 TLS_client_method(),
6470 &sctx, &cctx, cert, privkey))
6471 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6473 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6477 for (j = 0; j < 2; j++) {
6478 /* Send lots of KeyUpdate messages */
6479 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6480 if (!TEST_true(SSL_key_update(clientssl,
6482 ? SSL_KEY_UPDATE_NOT_REQUESTED
6483 : SSL_KEY_UPDATE_REQUESTED))
6484 || !TEST_true(SSL_do_handshake(clientssl)))
6488 /* Check that sending and receiving app data is ok */
6489 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6490 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6494 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6495 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6503 SSL_free(serverssl);
6504 SSL_free(clientssl);
6512 * Test we can handle a KeyUpdate (update requested) message while
6513 * write data is pending in peer.
6514 * Test 0: Client sends KeyUpdate while Server is writing
6515 * Test 1: Server sends KeyUpdate while Client is writing
6517 static int test_key_update_peer_in_write(int tst)
6519 SSL_CTX *cctx = NULL, *sctx = NULL;
6520 SSL *clientssl = NULL, *serverssl = NULL;
6523 static char *mess = "A test message";
6524 BIO *bretry = BIO_new(bio_s_always_retry());
6526 SSL *peerupdate = NULL, *peerwrite = NULL;
6528 if (!TEST_ptr(bretry)
6529 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6530 TLS_client_method(),
6533 &sctx, &cctx, cert, privkey))
6534 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6536 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6540 peerupdate = tst == 0 ? clientssl : serverssl;
6541 peerwrite = tst == 0 ? serverssl : clientssl;
6543 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
6544 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
6547 /* Swap the writing endpoint's write BIO to force a retry */
6548 tmp = SSL_get_wbio(peerwrite);
6549 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6553 SSL_set0_wbio(peerwrite, bretry);
6556 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6557 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6558 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE)
6559 || !TEST_true(SSL_want_write(peerwrite))
6560 || !TEST_true(SSL_net_write_desired(peerwrite)))
6563 /* Reinstate the original writing endpoint's write BIO */
6564 SSL_set0_wbio(peerwrite, tmp);
6567 /* Now read some data - we will read the key update */
6568 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6569 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ)
6570 || !TEST_true(SSL_want_read(peerwrite))
6571 || !TEST_true(SSL_net_read_desired(peerwrite)))
6575 * Complete the write we started previously and read it from the other
6578 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6579 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6582 /* Write more data to ensure we send the KeyUpdate message back */
6583 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6584 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6587 if (!TEST_false(SSL_net_read_desired(peerwrite))
6588 || !TEST_false(SSL_net_write_desired(peerwrite))
6589 || !TEST_int_eq(SSL_want(peerwrite), SSL_NOTHING))
6595 SSL_free(serverssl);
6596 SSL_free(clientssl);
6606 * Test we can handle a KeyUpdate (update requested) message while
6607 * peer read data is pending after peer accepted keyupdate(the msg header
6608 * had been read 5 bytes).
6609 * Test 0: Client sends KeyUpdate while Server is reading
6610 * Test 1: Server sends KeyUpdate while Client is reading
6612 static int test_key_update_peer_in_read(int tst)
6614 SSL_CTX *cctx = NULL, *sctx = NULL;
6615 SSL *clientssl = NULL, *serverssl = NULL;
6617 char prbuf[515], lwbuf[515] = {0};
6618 static char *mess = "A test message";
6619 BIO *lbio = NULL, *pbio = NULL;
6620 SSL *local = NULL, *peer = NULL;
6622 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6623 TLS_client_method(),
6626 &sctx, &cctx, cert, privkey))
6627 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6629 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6633 local = tst == 0 ? clientssl : serverssl;
6634 peer = tst == 0 ? serverssl : clientssl;
6636 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6639 SSL_set_bio(local, lbio, lbio);
6640 SSL_set_bio(peer, pbio, pbio);
6643 * we first write keyupdate msg then appdata in local
6644 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6645 * lwbuf app data msg size + key updata msg size > 512(the size of
6646 * the bio pair buffer)
6648 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6649 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
6650 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6654 * first read keyupdate msg in peer in peer
6655 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6657 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
6658 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
6661 /* Now write some data in peer - we will write the key update */
6662 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
6666 * write data in local previously that we will complete
6667 * read data in peer previously that we will complete
6669 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
6670 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
6673 /* check that sending and receiving appdata ok */
6674 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6675 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6681 SSL_free(serverssl);
6682 SSL_free(clientssl);
6690 * Test we can't send a KeyUpdate (update requested) message while
6691 * local write data is pending.
6692 * Test 0: Client sends KeyUpdate while Client is writing
6693 * Test 1: Server sends KeyUpdate while Server is writing
6695 static int test_key_update_local_in_write(int tst)
6697 SSL_CTX *cctx = NULL, *sctx = NULL;
6698 SSL *clientssl = NULL, *serverssl = NULL;
6701 static char *mess = "A test message";
6702 BIO *bretry = BIO_new(bio_s_always_retry());
6704 SSL *local = NULL, *peer = NULL;
6706 if (!TEST_ptr(bretry)
6707 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6708 TLS_client_method(),
6711 &sctx, &cctx, cert, privkey))
6712 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6714 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6718 local = tst == 0 ? clientssl : serverssl;
6719 peer = tst == 0 ? serverssl : clientssl;
6721 /* Swap the writing endpoint's write BIO to force a retry */
6722 tmp = SSL_get_wbio(local);
6723 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6727 SSL_set0_wbio(local, bretry);
6730 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
6731 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
6732 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6735 /* Reinstate the original writing endpoint's write BIO */
6736 SSL_set0_wbio(local, tmp);
6739 /* SSL_key_update will fail, because writing in local*/
6740 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6741 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
6745 /* write data in local previously that we will complete */
6746 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
6749 /* SSL_key_update will succeed because there is no pending write data */
6750 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6751 || !TEST_int_eq(SSL_do_handshake(local), 1))
6755 * we write some appdata in local
6756 * read data in peer - we will read the keyupdate msg
6758 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6759 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
6762 /* Write more peer more data to ensure we send the keyupdate message back */
6763 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6764 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
6770 SSL_free(serverssl);
6771 SSL_free(clientssl);
6781 * Test we can handle a KeyUpdate (update requested) message while
6782 * local read data is pending(the msg header had been read 5 bytes).
6783 * Test 0: Client sends KeyUpdate while Client is reading
6784 * Test 1: Server sends KeyUpdate while Server is reading
6786 static int test_key_update_local_in_read(int tst)
6788 SSL_CTX *cctx = NULL, *sctx = NULL;
6789 SSL *clientssl = NULL, *serverssl = NULL;
6791 char lrbuf[515], pwbuf[515] = {0}, prbuf[20];
6792 static char *mess = "A test message";
6793 BIO *lbio = NULL, *pbio = NULL;
6794 SSL *local = NULL, *peer = NULL;
6796 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6797 TLS_client_method(),
6800 &sctx, &cctx, cert, privkey))
6801 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6803 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6807 local = tst == 0 ? clientssl : serverssl;
6808 peer = tst == 0 ? serverssl : clientssl;
6810 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6813 SSL_set_bio(local, lbio, lbio);
6814 SSL_set_bio(peer, pbio, pbio);
6816 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
6817 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
6818 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
6821 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
6822 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
6823 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
6826 /* SSL_do_handshake will send keyupdate msg */
6827 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6828 || !TEST_int_eq(SSL_do_handshake(local), 1))
6832 * write data in peer previously that we will complete
6833 * read data in local previously that we will complete
6835 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
6836 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
6840 * write data in local
6841 * read data in peer - we will read the key update
6843 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6844 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6847 /* Write more peer data to ensure we send the keyupdate message back */
6848 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6849 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
6855 SSL_free(serverssl);
6856 SSL_free(clientssl);
6862 #endif /* OSSL_NO_USABLE_TLS1_3 */
6864 static int test_ssl_clear(int idx)
6866 SSL_CTX *cctx = NULL, *sctx = NULL;
6867 SSL *clientssl = NULL, *serverssl = NULL;
6870 #ifdef OPENSSL_NO_TLS1_2
6875 /* Create an initial connection */
6876 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6877 TLS_client_method(), TLS1_VERSION, 0,
6878 &sctx, &cctx, cert, privkey))
6880 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
6882 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6883 &clientssl, NULL, NULL))
6884 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6888 SSL_shutdown(clientssl);
6889 SSL_shutdown(serverssl);
6890 SSL_free(serverssl);
6893 /* Clear clientssl - we're going to reuse the object */
6894 if (!TEST_true(SSL_clear(clientssl)))
6897 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6899 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6901 || !TEST_true(SSL_session_reused(clientssl)))
6904 SSL_shutdown(clientssl);
6905 SSL_shutdown(serverssl);
6910 SSL_free(serverssl);
6911 SSL_free(clientssl);
6918 /* Parse CH and retrieve any MFL extension value if present */
6919 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
6922 unsigned char *data;
6923 PACKET pkt, pkt2, pkt3;
6924 unsigned int MFL_code = 0, type = 0;
6926 if (!TEST_uint_gt(len = BIO_get_mem_data(bio, (char **) &data), 0))
6929 memset(&pkt, 0, sizeof(pkt));
6930 memset(&pkt2, 0, sizeof(pkt2));
6931 memset(&pkt3, 0, sizeof(pkt3));
6933 if (!TEST_long_gt(len, 0)
6934 || !TEST_true(PACKET_buf_init(&pkt, data, len))
6935 /* Skip the record header */
6936 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
6937 /* Skip the handshake message header */
6938 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
6939 /* Skip client version and random */
6940 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
6941 + SSL3_RANDOM_SIZE))
6942 /* Skip session id */
6943 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6945 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
6946 /* Skip compression */
6947 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6948 /* Extensions len */
6949 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
6952 /* Loop through all extensions */
6953 while (PACKET_remaining(&pkt2)) {
6954 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
6955 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
6958 if (type == TLSEXT_TYPE_max_fragment_length) {
6959 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
6960 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
6963 *mfl_codemfl_code = MFL_code;
6972 /* Maximum-Fragment-Length TLS extension mode to test */
6973 static const unsigned char max_fragment_len_test[] = {
6974 TLSEXT_max_fragment_length_512,
6975 TLSEXT_max_fragment_length_1024,
6976 TLSEXT_max_fragment_length_2048,
6977 TLSEXT_max_fragment_length_4096
6980 static int test_max_fragment_len_ext(int idx_tst)
6982 SSL_CTX *ctx = NULL;
6984 int testresult = 0, MFL_mode = 0;
6987 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
6988 TLS1_VERSION, 0, NULL, &ctx, NULL,
6992 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
6993 ctx, max_fragment_len_test[idx_tst])))
7000 rbio = BIO_new(BIO_s_mem());
7001 wbio = BIO_new(BIO_s_mem());
7002 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
7008 SSL_set_bio(con, rbio, wbio);
7010 if (!TEST_int_le(SSL_connect(con), 0)) {
7011 /* This shouldn't succeed because we don't have a server! */
7015 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
7016 /* no MFL in client hello */
7018 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
7030 #ifndef OSSL_NO_USABLE_TLS1_3
7031 static int test_pha_key_update(void)
7033 SSL_CTX *cctx = NULL, *sctx = NULL;
7034 SSL *clientssl = NULL, *serverssl = NULL;
7037 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7038 TLS_client_method(), TLS1_VERSION, 0,
7039 &sctx, &cctx, cert, privkey)))
7042 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
7043 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
7044 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
7045 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
7048 SSL_CTX_set_post_handshake_auth(cctx, 1);
7050 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7054 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7058 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7059 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7062 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
7065 /* Start handshake on the server */
7066 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
7069 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
7070 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7074 SSL_shutdown(clientssl);
7075 SSL_shutdown(serverssl);
7080 SSL_free(serverssl);
7081 SSL_free(clientssl);
7088 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7090 static SRP_VBASE *vbase = NULL;
7092 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
7094 int ret = SSL3_AL_FATAL;
7096 SRP_user_pwd *user = NULL;
7098 username = SSL_get_srp_username(s);
7099 if (username == NULL) {
7100 *ad = SSL_AD_INTERNAL_ERROR;
7104 user = SRP_VBASE_get1_by_user(vbase, username);
7106 *ad = SSL_AD_INTERNAL_ERROR;
7110 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
7112 *ad = SSL_AD_INTERNAL_ERROR;
7119 SRP_user_pwd_free(user);
7123 static int create_new_vfile(char *userid, char *password, const char *filename)
7126 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
7129 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
7132 if (!TEST_ptr(dummy) || !TEST_ptr(row))
7135 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
7136 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
7137 if (!TEST_ptr(gNid))
7141 * The only way to create an empty TXT_DB is to provide a BIO with no data
7144 db = TXT_DB_read(dummy, DB_NUMBER);
7148 out = BIO_new_file(filename, "w");
7152 row[DB_srpid] = OPENSSL_strdup(userid);
7153 row[DB_srptype] = OPENSSL_strdup("V");
7154 row[DB_srpgN] = OPENSSL_strdup(gNid);
7156 if (!TEST_ptr(row[DB_srpid])
7157 || !TEST_ptr(row[DB_srptype])
7158 || !TEST_ptr(row[DB_srpgN])
7159 || !TEST_true(TXT_DB_insert(db, row)))
7164 if (TXT_DB_write(out, db) <= 0)
7170 for (i = 0; i < DB_NUMBER; i++)
7171 OPENSSL_free(row[i]);
7181 static int create_new_vbase(char *userid, char *password)
7183 BIGNUM *verifier = NULL, *salt = NULL;
7184 const SRP_gN *lgN = NULL;
7185 SRP_user_pwd *user_pwd = NULL;
7188 lgN = SRP_get_default_gN(NULL);
7192 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
7193 lgN->N, lgN->g, libctx, NULL)))
7196 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
7197 if (!TEST_ptr(user_pwd))
7200 user_pwd->N = lgN->N;
7201 user_pwd->g = lgN->g;
7202 user_pwd->id = OPENSSL_strdup(userid);
7203 if (!TEST_ptr(user_pwd->id))
7206 user_pwd->v = verifier;
7208 verifier = salt = NULL;
7210 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
7216 SRP_user_pwd_free(user_pwd);
7226 * Test 0: Simple successful SRP connection, new vbase
7227 * Test 1: Connection failure due to bad password, new vbase
7228 * Test 2: Simple successful SRP connection, vbase loaded from existing file
7229 * Test 3: Connection failure due to bad password, vbase loaded from existing
7231 * Test 4: Simple successful SRP connection, vbase loaded from new file
7232 * Test 5: Connection failure due to bad password, vbase loaded from new file
7234 static int test_srp(int tst)
7236 char *userid = "test", *password = "password", *tstsrpfile;
7237 SSL_CTX *cctx = NULL, *sctx = NULL;
7238 SSL *clientssl = NULL, *serverssl = NULL;
7239 int ret, testresult = 0;
7241 vbase = SRP_VBASE_new(NULL);
7242 if (!TEST_ptr(vbase))
7245 if (tst == 0 || tst == 1) {
7246 if (!TEST_true(create_new_vbase(userid, password)))
7249 if (tst == 4 || tst == 5) {
7250 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
7252 tstsrpfile = tmpfilename;
7254 tstsrpfile = srpvfile;
7256 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
7260 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7261 TLS_client_method(), TLS1_VERSION, 0,
7262 &sctx, &cctx, cert, privkey)))
7265 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
7266 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
7267 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
7268 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
7269 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
7273 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
7276 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
7280 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7284 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7286 if (!TEST_true(tst % 2 == 0))
7289 if (!TEST_true(tst % 2 == 1))
7296 SRP_VBASE_free(vbase);
7298 SSL_free(serverssl);
7299 SSL_free(clientssl);
7307 static int info_cb_failed = 0;
7308 static int info_cb_offset = 0;
7309 static int info_cb_this_state = -1;
7311 static struct info_cb_states_st {
7313 const char *statestr;
7314 } info_cb_states[][60] = {
7316 /* TLSv1.2 server followed by resumption */
7317 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7318 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7319 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
7320 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
7321 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
7322 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7323 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7324 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7325 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"},
7326 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7327 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
7328 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7329 {SSL_CB_EXIT, NULL}, {0, NULL},
7331 /* TLSv1.2 client followed by resumption */
7332 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7333 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7334 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
7335 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
7336 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
7337 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7338 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7339 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7340 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7341 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7342 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7343 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
7345 /* TLSv1.3 server followed by resumption */
7346 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7347 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7348 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
7349 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7350 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7351 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7352 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7353 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7354 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7355 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7356 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7357 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7358 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7360 /* TLSv1.3 client followed by resumption */
7361 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7362 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7363 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
7364 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7365 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7366 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7367 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7368 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7369 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7370 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7371 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7372 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7373 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7374 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7375 {SSL_CB_EXIT, NULL}, {0, NULL},
7377 /* TLSv1.3 server, early_data */
7378 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7379 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7380 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7381 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7382 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7383 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
7384 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7385 {SSL_CB_EXIT, NULL}, {0, NULL},
7387 /* TLSv1.3 client, early_data */
7388 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7389 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
7390 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7391 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7392 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7393 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
7394 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7395 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7396 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7398 /* TLSv1.3 server, certificate compression, followed by resumption */
7399 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7400 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7401 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSCC"},
7402 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7403 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7404 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7405 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7406 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7407 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7408 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7409 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7410 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7411 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7413 /* TLSv1.3 client, certificate compression, followed by resumption */
7414 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7415 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7416 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSCC"},
7417 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7418 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7419 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7420 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7421 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7422 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7423 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7424 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7425 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7426 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7427 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7428 {SSL_CB_EXIT, NULL}, {0, NULL},
7434 static void sslapi_info_callback(const SSL *s, int where, int ret)
7436 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
7438 /* We do not ever expect a connection to fail in this test */
7439 if (!TEST_false(ret == 0)) {
7445 * Do some sanity checks. We never expect these things to happen in this
7448 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
7449 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
7450 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
7455 /* Now check we're in the right state */
7456 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
7460 if ((where & SSL_CB_LOOP) != 0
7461 && !TEST_int_eq(strcmp(SSL_state_string(s),
7462 state[info_cb_this_state].statestr), 0)) {
7468 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7470 if ((where & SSL_CB_HANDSHAKE_DONE)
7471 && SSL_in_init((SSL *)s) != 0) {
7478 * Test the info callback gets called when we expect it to.
7480 * Test 0: TLSv1.2, server
7481 * Test 1: TLSv1.2, client
7482 * Test 2: TLSv1.3, server
7483 * Test 3: TLSv1.3, client
7484 * Test 4: TLSv1.3, server, early_data
7485 * Test 5: TLSv1.3, client, early_data
7486 * Test 6: TLSv1.3, server, compressed certificate
7487 * Test 7: TLSv1.3, client, compressed certificate
7489 static int test_info_callback(int tst)
7491 SSL_CTX *cctx = NULL, *sctx = NULL;
7492 SSL *clientssl = NULL, *serverssl = NULL;
7493 SSL_SESSION *clntsess = NULL;
7498 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
7499 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7500 || !defined(OPENSSL_NO_DH))
7501 tlsvers = TLS1_2_VERSION;
7506 #ifndef OSSL_NO_USABLE_TLS1_3
7507 tlsvers = TLS1_3_VERSION;
7515 info_cb_this_state = -1;
7516 info_cb_offset = tst;
7518 #ifndef OSSL_NO_USABLE_TLS1_3
7519 if (tst >= 4 && tst < 6) {
7520 SSL_SESSION *sess = NULL;
7521 size_t written, readbytes;
7522 unsigned char buf[80];
7524 /* early_data tests */
7525 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
7526 &serverssl, &sess, 0,
7527 SHA384_DIGEST_LENGTH)))
7530 /* We don't actually need this reference */
7531 SSL_SESSION_free(sess);
7533 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
7534 sslapi_info_callback);
7536 /* Write and read some early data and then complete the connection */
7537 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
7539 || !TEST_size_t_eq(written, strlen(MSG1))
7540 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
7541 sizeof(buf), &readbytes),
7542 SSL_READ_EARLY_DATA_SUCCESS)
7543 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
7544 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
7545 SSL_EARLY_DATA_ACCEPTED)
7546 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7548 || !TEST_false(info_cb_failed))
7556 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7557 TLS_client_method(),
7558 tlsvers, tlsvers, &sctx, &cctx, cert,
7562 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
7566 * For even numbered tests we check the server callbacks. For odd numbers we
7569 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
7570 sslapi_info_callback);
7572 if (!SSL_CTX_compress_certs(sctx, 0))
7576 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7577 &clientssl, NULL, NULL))
7578 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7580 || !TEST_false(info_cb_failed))
7585 clntsess = SSL_get1_session(clientssl);
7586 SSL_shutdown(clientssl);
7587 SSL_shutdown(serverssl);
7588 SSL_free(serverssl);
7589 SSL_free(clientssl);
7590 serverssl = clientssl = NULL;
7592 /* Now do a resumption */
7593 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7595 || !TEST_true(SSL_set_session(clientssl, clntsess))
7596 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7598 || !TEST_true(SSL_session_reused(clientssl))
7599 || !TEST_false(info_cb_failed))
7605 SSL_free(serverssl);
7606 SSL_free(clientssl);
7607 SSL_SESSION_free(clntsess);
7613 static int test_ssl_pending(int tst)
7615 SSL_CTX *cctx = NULL, *sctx = NULL;
7616 SSL *clientssl = NULL, *serverssl = NULL;
7618 char msg[] = "A test message";
7620 size_t written, readbytes;
7623 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7624 TLS_client_method(),
7626 &sctx, &cctx, cert, privkey)))
7629 #ifndef OPENSSL_NO_DTLS
7630 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
7631 DTLS_client_method(),
7633 &sctx, &cctx, cert, privkey)))
7636 # ifdef OPENSSL_NO_DTLS1_2
7637 /* Not supported in the FIPS provider */
7643 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7646 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
7647 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
7648 "DEFAULT:@SECLEVEL=0")))
7656 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7658 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7662 if (!TEST_int_eq(SSL_pending(clientssl), 0)
7663 || !TEST_false(SSL_has_pending(clientssl))
7664 || !TEST_int_eq(SSL_pending(serverssl), 0)
7665 || !TEST_false(SSL_has_pending(serverssl))
7666 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7667 || !TEST_size_t_eq(written, sizeof(msg))
7668 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
7669 || !TEST_size_t_eq(readbytes, sizeof(buf))
7670 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
7671 || !TEST_true(SSL_has_pending(clientssl)))
7677 SSL_free(serverssl);
7678 SSL_free(clientssl);
7686 unsigned int maxprot;
7687 const char *clntciphers;
7688 const char *clnttls13ciphers;
7689 const char *srvrciphers;
7690 const char *srvrtls13ciphers;
7692 const char *fipsshared;
7693 } shared_ciphers_data[] = {
7695 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
7696 * TLSv1.3 is enabled but TLSv1.2 is disabled.
7698 #if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
7701 "AES128-SHA:AES256-SHA",
7703 "AES256-SHA:DHE-RSA-AES128-SHA",
7708 # if !defined(OPENSSL_NO_CHACHA) \
7709 && !defined(OPENSSL_NO_POLY1305) \
7710 && !defined(OPENSSL_NO_EC)
7713 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7715 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7717 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7723 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
7725 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
7727 "AES128-SHA:AES256-SHA",
7728 "AES128-SHA:AES256-SHA"
7732 "AES128-SHA:AES256-SHA",
7734 "AES128-SHA:DHE-RSA-AES128-SHA",
7741 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7744 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
7745 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
7748 "AES128-SHA:AES256-SHA",
7750 "AES256-SHA:AES128-SHA256",
7752 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
7753 "TLS_AES_128_GCM_SHA256:AES256-SHA",
7754 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
7757 #ifndef OSSL_NO_USABLE_TLS1_3
7761 "TLS_AES_256_GCM_SHA384",
7763 "TLS_AES_256_GCM_SHA384",
7764 "TLS_AES_256_GCM_SHA384",
7765 "TLS_AES_256_GCM_SHA384"
7770 static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
7772 SSL_CTX *cctx = NULL, *sctx = NULL;
7773 SSL *clientssl = NULL, *serverssl = NULL;
7776 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
7778 if (!TEST_ptr(tmplibctx))
7782 * Regardless of whether we're testing with the FIPS provider loaded into
7783 * libctx, we want one peer to always use the full set of ciphersuites
7784 * available. Therefore we use a separate libctx with the default provider
7785 * loaded into it. We run the same tests twice - once with the client side
7786 * having the full set of ciphersuites and once with the server side.
7789 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
7790 if (!TEST_ptr(cctx))
7793 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
7794 if (!TEST_ptr(sctx))
7798 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7799 TLS_client_method(),
7801 shared_ciphers_data[tst].maxprot,
7802 &sctx, &cctx, cert, privkey)))
7805 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
7806 shared_ciphers_data[tst].clntciphers))
7807 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
7808 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
7809 shared_ciphers_data[tst].clnttls13ciphers)))
7810 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
7811 shared_ciphers_data[tst].srvrciphers))
7812 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
7813 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
7814 shared_ciphers_data[tst].srvrtls13ciphers))))
7818 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7820 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7824 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
7825 || !TEST_int_eq(strcmp(buf,
7827 ? shared_ciphers_data[tst].fipsshared
7828 : shared_ciphers_data[tst].shared),
7830 TEST_info("Shared ciphers are: %s\n", buf);
7837 SSL_free(serverssl);
7838 SSL_free(clientssl);
7841 OSSL_LIB_CTX_free(tmplibctx);
7846 static int test_ssl_get_shared_ciphers(int tst)
7848 return int_test_ssl_get_shared_ciphers(tst, 0)
7849 && int_test_ssl_get_shared_ciphers(tst, 1);
7853 static const char *appdata = "Hello World";
7854 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
7855 static int tick_key_renew = 0;
7856 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7858 static int gen_tick_cb(SSL *s, void *arg)
7860 gen_tick_called = 1;
7862 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
7866 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
7867 const unsigned char *keyname,
7868 size_t keyname_length,
7869 SSL_TICKET_STATUS status,
7875 dec_tick_called = 1;
7877 if (status == SSL_TICKET_EMPTY)
7878 return SSL_TICKET_RETURN_IGNORE_RENEW;
7880 if (!TEST_true(status == SSL_TICKET_SUCCESS
7881 || status == SSL_TICKET_SUCCESS_RENEW))
7882 return SSL_TICKET_RETURN_ABORT;
7884 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
7886 || !TEST_size_t_eq(tickdlen, strlen(appdata))
7887 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
7888 return SSL_TICKET_RETURN_ABORT;
7890 if (tick_key_cb_called) {
7891 /* Don't change what the ticket key callback wanted to do */
7893 case SSL_TICKET_NO_DECRYPT:
7894 return SSL_TICKET_RETURN_IGNORE_RENEW;
7896 case SSL_TICKET_SUCCESS:
7897 return SSL_TICKET_RETURN_USE;
7899 case SSL_TICKET_SUCCESS_RENEW:
7900 return SSL_TICKET_RETURN_USE_RENEW;
7903 return SSL_TICKET_RETURN_ABORT;
7906 return tick_dec_ret;
7910 #ifndef OPENSSL_NO_DEPRECATED_3_0
7911 static int tick_key_cb(SSL *s, unsigned char key_name[16],
7912 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
7913 HMAC_CTX *hctx, int enc)
7915 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7916 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
7917 EVP_CIPHER *aes128cbc;
7921 tick_key_cb_called = 1;
7923 if (tick_key_renew == -1)
7926 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7927 if (!TEST_ptr(aes128cbc))
7929 sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
7930 if (!TEST_ptr(sha256)) {
7931 EVP_CIPHER_free(aes128cbc);
7935 memset(iv, 0, AES_BLOCK_SIZE);
7936 memset(key_name, 0, 16);
7937 if (aes128cbc == NULL
7939 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7940 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
7944 ret = tick_key_renew ? 2 : 1;
7946 EVP_CIPHER_free(aes128cbc);
7947 EVP_MD_free(sha256);
7953 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
7954 unsigned char iv[EVP_MAX_IV_LENGTH],
7955 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
7957 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7958 unsigned char tick_hmac_key[16] = "0123456789abcdef";
7959 OSSL_PARAM params[2];
7960 EVP_CIPHER *aes128cbc;
7963 tick_key_cb_called = 1;
7965 if (tick_key_renew == -1)
7968 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7969 if (!TEST_ptr(aes128cbc))
7972 memset(iv, 0, AES_BLOCK_SIZE);
7973 memset(key_name, 0, 16);
7974 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
7976 params[1] = OSSL_PARAM_construct_end();
7977 if (aes128cbc == NULL
7978 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7979 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
7983 ret = tick_key_renew ? 2 : 1;
7985 EVP_CIPHER_free(aes128cbc);
7991 * Test the various ticket callbacks
7992 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
7993 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
7994 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
7995 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
7996 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
7997 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
7998 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
7999 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
8000 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
8001 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
8002 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
8003 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
8004 * Test 12: TLSv1.2, old ticket key callback, no ticket
8005 * Test 13: TLSv1.3, old ticket key callback, no ticket
8006 * Test 14: TLSv1.2, ticket key callback, ticket, no renewal
8007 * Test 15: TLSv1.3, ticket key callback, ticket, no renewal
8008 * Test 16: TLSv1.2, ticket key callback, ticket, renewal
8009 * Test 17: TLSv1.3, ticket key callback, ticket, renewal
8010 * Test 18: TLSv1.2, ticket key callback, no ticket
8011 * Test 19: TLSv1.3, ticket key callback, no ticket
8013 static int test_ticket_callbacks(int tst)
8015 SSL_CTX *cctx = NULL, *sctx = NULL;
8016 SSL *clientssl = NULL, *serverssl = NULL;
8017 SSL_SESSION *clntsess = NULL;
8020 #ifdef OPENSSL_NO_TLS1_2
8024 #ifdef OSSL_NO_USABLE_TLS1_3
8028 #ifdef OPENSSL_NO_DEPRECATED_3_0
8029 if (tst >= 8 && tst <= 13)
8033 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
8035 /* Which tests the ticket key callback should request renewal for */
8037 if (tst == 10 || tst == 11 || tst == 16 || tst == 17)
8039 else if (tst == 12 || tst == 13 || tst == 18 || tst == 19)
8040 tick_key_renew = -1; /* abort sending the ticket/0-length ticket */
8044 /* Which tests the decrypt ticket callback should request renewal for */
8048 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
8053 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
8058 tick_dec_ret = SSL_TICKET_RETURN_USE;
8063 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
8067 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
8070 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8071 TLS_client_method(),
8073 ((tst % 2) == 0) ? TLS1_2_VERSION
8075 &sctx, &cctx, cert, privkey)))
8079 * We only want sessions to resume from tickets - not the session cache. So
8080 * switch the cache off.
8082 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
8085 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
8090 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
8092 #ifndef OPENSSL_NO_DEPRECATED_3_0
8093 } else if (tst >= 8) {
8094 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
8099 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8101 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8106 * The decrypt ticket key callback in TLSv1.2 should be called even though
8107 * we have no ticket yet, because it gets called with a status of
8108 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
8109 * actually send any ticket data). This does not happen in TLSv1.3 because
8110 * it is not valid to send empty ticket data in TLSv1.3.
8112 if (!TEST_int_eq(gen_tick_called, 1)
8113 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
8116 gen_tick_called = dec_tick_called = 0;
8118 clntsess = SSL_get1_session(clientssl);
8119 SSL_shutdown(clientssl);
8120 SSL_shutdown(serverssl);
8121 SSL_free(serverssl);
8122 SSL_free(clientssl);
8123 serverssl = clientssl = NULL;
8125 /* Now do a resumption */
8126 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8128 || !TEST_true(SSL_set_session(clientssl, clntsess))
8129 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8133 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
8134 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8135 || tick_key_renew == -1) {
8136 if (!TEST_false(SSL_session_reused(clientssl)))
8139 if (!TEST_true(SSL_session_reused(clientssl)))
8143 if (!TEST_int_eq(gen_tick_called,
8145 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8146 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
8148 /* There is no ticket to decrypt in tests 13 and 19 */
8149 || !TEST_int_eq(dec_tick_called, (tst == 13 || tst == 19) ? 0 : 1))
8155 SSL_SESSION_free(clntsess);
8156 SSL_free(serverssl);
8157 SSL_free(clientssl);
8165 * Test incorrect shutdown.
8166 * Test 0: client does not shutdown properly,
8167 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
8168 * server should get SSL_ERROR_SSL
8169 * Test 1: client does not shutdown properly,
8170 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
8171 * server should get SSL_ERROR_ZERO_RETURN
8173 static int test_incorrect_shutdown(int tst)
8175 SSL_CTX *cctx = NULL, *sctx = NULL;
8176 SSL *clientssl = NULL, *serverssl = NULL;
8181 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8182 TLS_client_method(), 0, 0,
8183 &sctx, &cctx, cert, privkey)))
8187 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
8189 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8193 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8197 c2s = SSL_get_rbio(serverssl);
8198 BIO_set_mem_eof_return(c2s, 0);
8200 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
8203 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
8205 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
8211 SSL_free(serverssl);
8212 SSL_free(clientssl);
8220 * Test bi-directional shutdown.
8222 * Test 1: TLSv1.2, server continues to read/write after client shutdown
8223 * Test 2: TLSv1.3, no pending NewSessionTicket messages
8224 * Test 3: TLSv1.3, pending NewSessionTicket messages
8225 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
8226 * sends key update, client reads it
8227 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
8228 * sends CertificateRequest, client reads and ignores it
8229 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
8232 static int test_shutdown(int tst)
8234 SSL_CTX *cctx = NULL, *sctx = NULL;
8235 SSL *clientssl = NULL, *serverssl = NULL;
8237 char msg[] = "A test message";
8239 size_t written, readbytes;
8242 #ifdef OPENSSL_NO_TLS1_2
8246 #ifdef OSSL_NO_USABLE_TLS1_3
8251 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8252 TLS_client_method(),
8254 (tst <= 1) ? TLS1_2_VERSION
8256 &sctx, &cctx, cert, privkey)))
8260 SSL_CTX_set_post_handshake_auth(cctx, 1);
8262 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8267 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
8268 SSL_ERROR_NONE, 1, 0))
8269 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8270 || !TEST_false(SSL_SESSION_is_resumable(sess)))
8272 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8274 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8275 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
8279 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8284 * Reading on the server after the client has sent close_notify should
8285 * fail and provide SSL_ERROR_ZERO_RETURN
8287 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
8288 || !TEST_int_eq(SSL_get_error(serverssl, 0),
8289 SSL_ERROR_ZERO_RETURN)
8290 || !TEST_int_eq(SSL_get_shutdown(serverssl),
8291 SSL_RECEIVED_SHUTDOWN)
8293 * Even though we're shutdown on receive we should still be
8296 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8299 && !TEST_true(SSL_key_update(serverssl,
8300 SSL_KEY_UPDATE_REQUESTED)))
8303 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
8304 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
8307 if ((tst == 4 || tst == 5)
8308 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8310 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8312 if (tst == 4 || tst == 5) {
8313 /* Should still be able to read data from server */
8314 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8316 || !TEST_size_t_eq(readbytes, sizeof(msg))
8317 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
8318 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8320 || !TEST_size_t_eq(readbytes, sizeof(msg))
8321 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
8326 /* Writing on the client after sending close_notify shouldn't be possible */
8327 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
8332 * For these tests the client has sent close_notify but it has not yet
8333 * been received by the server. The server has not sent close_notify
8336 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
8338 * Writing on the server after sending close_notify shouldn't
8341 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8342 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
8343 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8344 || !TEST_true(SSL_SESSION_is_resumable(sess))
8345 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
8347 } else if (tst == 4 || tst == 5) {
8349 * In this test the client has sent close_notify and it has been
8350 * received by the server which has responded with a close_notify. The
8351 * client needs to read the close_notify sent by the server.
8353 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
8354 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8355 || !TEST_true(SSL_SESSION_is_resumable(sess)))
8361 * The client has sent close_notify and is expecting a close_notify
8362 * back, but instead there is application data first. The shutdown
8363 * should fail with a fatal error.
8365 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
8366 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
8373 SSL_free(serverssl);
8374 SSL_free(clientssl);
8382 * Test that sending close_notify alerts works correctly in the case of a
8383 * retryable write failure.
8385 static int test_async_shutdown(void)
8387 SSL_CTX *cctx = NULL, *sctx = NULL;
8388 SSL *clientssl = NULL, *serverssl = NULL;
8390 BIO *bretry = BIO_new(bio_s_always_retry()), *tmp = NULL;
8392 if (!TEST_ptr(bretry))
8395 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8396 TLS_client_method(),
8398 &sctx, &cctx, cert, privkey)))
8401 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8405 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8408 /* Close write side of clientssl */
8409 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8412 tmp = SSL_get_wbio(serverssl);
8413 if (!TEST_true(BIO_up_ref(tmp))) {
8417 SSL_set0_wbio(serverssl, bretry);
8420 /* First server shutdown should fail because of a retrable write failure */
8421 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8422 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8425 /* Second server shutdown should fail for the same reason */
8426 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8427 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8430 SSL_set0_wbio(serverssl, tmp);
8433 /* Third server shutdown should send close_notify */
8434 if (!TEST_int_eq(SSL_shutdown(serverssl), 0))
8437 /* Fourth server shutdown should read close_notify from client and finish */
8438 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8441 /* Client should also successfully fully shutdown */
8442 if (!TEST_int_eq(SSL_shutdown(clientssl), 1))
8447 SSL_free(serverssl);
8448 SSL_free(clientssl);
8457 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8458 static int cert_cb_cnt;
8460 static int cert_cb(SSL *s, void *arg)
8462 SSL_CTX *ctx = (SSL_CTX *)arg;
8464 EVP_PKEY *pkey = NULL;
8465 X509 *x509 = NULL, *rootx = NULL;
8466 STACK_OF(X509) *chain = NULL;
8467 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
8470 if (cert_cb_cnt == 0) {
8471 /* Suspend the handshake */
8474 } else if (cert_cb_cnt == 1) {
8476 * Update the SSL_CTX, set the certificate and private key and then
8477 * continue the handshake normally.
8479 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
8482 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
8483 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
8485 || !TEST_true(SSL_check_private_key(s)))
8489 } else if (cert_cb_cnt == 3) {
8492 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
8493 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8494 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8495 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
8497 chain = sk_X509_new_null();
8498 if (!TEST_ptr(chain))
8500 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8501 || !TEST_int_gt(BIO_read_filename(in, rootfile), 0)
8502 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
8503 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
8504 || !TEST_true(sk_X509_push(chain, rootx)))
8508 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8509 || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0)
8510 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
8511 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
8514 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8515 || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0)
8516 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
8520 rv = SSL_check_chain(s, x509, pkey, chain);
8522 * If the cert doesn't show as valid here (e.g., because we don't
8523 * have any shared sigalgs), then we will not set it, and there will
8524 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8525 * will cause tls_choose_sigalgs() to fail the connection.
8527 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
8528 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
8529 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
8536 /* Abort the handshake */
8538 OPENSSL_free(ecdsacert);
8539 OPENSSL_free(ecdsakey);
8540 OPENSSL_free(rootfile);
8542 EVP_PKEY_free(pkey);
8545 OSSL_STACK_OF_X509_free(chain);
8550 * Test the certificate callback.
8551 * Test 0: Callback fails
8552 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8553 * Test 2: Success - SSL_set_SSL_CTX() in the callback
8554 * Test 3: Success - Call SSL_check_chain from the callback
8555 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8557 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
8559 static int test_cert_cb_int(int prot, int tst)
8561 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
8562 SSL *clientssl = NULL, *serverssl = NULL;
8563 int testresult = 0, ret;
8565 #ifdef OPENSSL_NO_EC
8566 /* We use an EC cert in these tests, so we skip in a no-ec build */
8571 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8572 TLS_client_method(),
8575 &sctx, &cctx, NULL, NULL)))
8586 snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
8587 if (!TEST_ptr(snictx))
8591 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
8593 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8599 * We cause SSL_check_chain() to fail by specifying sig_algs that
8600 * the chain doesn't meet (the root uses an RSA cert)
8602 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8603 "ecdsa_secp256r1_sha256")))
8605 } else if (tst == 5) {
8607 * We cause SSL_check_chain() to fail by specifying sig_algs that
8608 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8610 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8611 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8615 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
8616 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
8618 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
8625 SSL_free(serverssl);
8626 SSL_free(clientssl);
8629 SSL_CTX_free(snictx);
8635 static int test_cert_cb(int tst)
8639 #ifndef OPENSSL_NO_TLS1_2
8640 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
8642 #ifndef OSSL_NO_USABLE_TLS1_3
8643 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
8649 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
8654 BIO *priv_in = NULL;
8656 /* Check that SSL_get0_peer_certificate() returns something sensible */
8657 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
8660 in = BIO_new_file(cert, "r");
8664 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
8665 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
8666 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
8667 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
8685 static int test_client_cert_cb(int tst)
8687 SSL_CTX *cctx = NULL, *sctx = NULL;
8688 SSL *clientssl = NULL, *serverssl = NULL;
8691 #ifdef OPENSSL_NO_TLS1_2
8695 #ifdef OSSL_NO_USABLE_TLS1_3
8700 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8701 TLS_client_method(),
8703 tst == 0 ? TLS1_2_VERSION
8705 &sctx, &cctx, cert, privkey)))
8709 * Test that setting a client_cert_cb results in a client certificate being
8712 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
8713 SSL_CTX_set_verify(sctx,
8714 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
8717 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8719 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8726 SSL_free(serverssl);
8727 SSL_free(clientssl);
8734 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8736 * Test setting certificate authorities on both client and server.
8738 * Test 0: SSL_CTX_set0_CA_list() only
8739 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
8740 * Test 2: Only SSL_CTX_set_client_CA_list()
8742 static int test_ca_names_int(int prot, int tst)
8744 SSL_CTX *cctx = NULL, *sctx = NULL;
8745 SSL *clientssl = NULL, *serverssl = NULL;
8748 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
8749 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
8750 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
8751 const STACK_OF(X509_NAME) *sktmp = NULL;
8753 for (i = 0; i < OSSL_NELEM(name); i++) {
8754 name[i] = X509_NAME_new();
8755 if (!TEST_ptr(name[i])
8756 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
8764 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8765 TLS_client_method(),
8768 &sctx, &cctx, cert, privkey)))
8771 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
8773 if (tst == 0 || tst == 1) {
8774 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8775 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
8776 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
8777 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8778 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
8779 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
8782 SSL_CTX_set0_CA_list(sctx, sk1);
8783 SSL_CTX_set0_CA_list(cctx, sk2);
8786 if (tst == 1 || tst == 2) {
8787 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8788 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
8789 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
8790 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8791 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
8792 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
8795 SSL_CTX_set_client_CA_list(sctx, sk1);
8796 SSL_CTX_set_client_CA_list(cctx, sk2);
8800 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8802 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8807 * We only expect certificate authorities to have been sent to the server
8808 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
8810 sktmp = SSL_get0_peer_CA_list(serverssl);
8811 if (prot == TLS1_3_VERSION
8812 && (tst == 0 || tst == 1)) {
8813 if (!TEST_ptr(sktmp)
8814 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8815 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8817 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8820 } else if (!TEST_ptr_null(sktmp)) {
8825 * In all tests we expect certificate authorities to have been sent to the
8826 * client. However, SSL_set_client_CA_list() should override
8827 * SSL_set0_CA_list()
8829 sktmp = SSL_get0_peer_CA_list(clientssl);
8830 if (!TEST_ptr(sktmp)
8831 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8832 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8833 name[tst == 0 ? 0 : 2]), 0)
8834 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8835 name[tst == 0 ? 1 : 3]), 0))
8841 SSL_free(serverssl);
8842 SSL_free(clientssl);
8845 for (i = 0; i < OSSL_NELEM(name); i++)
8846 X509_NAME_free(name[i]);
8847 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
8848 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
8854 static int test_ca_names(int tst)
8858 #ifndef OPENSSL_NO_TLS1_2
8859 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
8861 #ifndef OSSL_NO_USABLE_TLS1_3
8862 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
8868 #ifndef OPENSSL_NO_TLS1_2
8869 static const char *multiblock_cipherlist_data[]=
8877 /* Reduce the fragment size - so the multiblock test buffer can be small */
8878 # define MULTIBLOCK_FRAGSIZE 512
8880 static int test_multiblock_write(int test_index)
8882 static const char *fetchable_ciphers[]=
8884 "AES-128-CBC-HMAC-SHA1",
8885 "AES-128-CBC-HMAC-SHA256",
8886 "AES-256-CBC-HMAC-SHA1",
8887 "AES-256-CBC-HMAC-SHA256"
8889 const char *cipherlist = multiblock_cipherlist_data[test_index];
8890 const SSL_METHOD *smeth = TLS_server_method();
8891 const SSL_METHOD *cmeth = TLS_client_method();
8892 int min_version = TLS1_VERSION;
8893 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
8894 SSL_CTX *cctx = NULL, *sctx = NULL;
8895 SSL *clientssl = NULL, *serverssl = NULL;
8899 * Choose a buffer large enough to perform a multi-block operation
8900 * i.e: write_len >= 4 * frag_size
8901 * 9 * is chosen so that multiple multiblocks are used + some leftover.
8903 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
8904 unsigned char buf[sizeof(msg)], *p = buf;
8905 size_t readbytes, written, len;
8906 EVP_CIPHER *ciph = NULL;
8909 * Check if the cipher exists before attempting to use it since it only has
8910 * a hardware specific implementation.
8912 ciph = EVP_CIPHER_fetch(libctx, fetchable_ciphers[test_index], "");
8914 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
8917 EVP_CIPHER_free(ciph);
8919 /* Set up a buffer with some data that will be sent to the client */
8920 RAND_bytes(msg, sizeof(msg));
8922 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
8923 max_version, &sctx, &cctx, cert,
8927 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
8930 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8934 /* settings to force it to use AES-CBC-HMAC_SHA */
8935 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
8936 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
8939 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8942 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8943 || !TEST_size_t_eq(written, sizeof(msg)))
8948 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
8953 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
8958 SSL_free(serverssl);
8959 SSL_free(clientssl);
8965 #endif /* OPENSSL_NO_TLS1_2 */
8967 static int test_session_timeout(int test)
8970 * Test session ordering and timeout
8971 * Can't explicitly test performance of the new code,
8972 * but can test to see if the ordering of the sessions
8973 * are correct, and they are removed as expected
8975 SSL_SESSION *early = NULL;
8976 SSL_SESSION *middle = NULL;
8977 SSL_SESSION *late = NULL;
8980 long now = (long)time(NULL);
8983 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
8984 || !TEST_ptr(early = SSL_SESSION_new())
8985 || !TEST_ptr(middle = SSL_SESSION_new())
8986 || !TEST_ptr(late = SSL_SESSION_new()))
8989 /* assign unique session ids */
8990 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8991 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
8992 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8993 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
8994 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8995 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
8997 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8998 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8999 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
9002 /* Make sure they are all added */
9003 if (!TEST_ptr(early->prev)
9004 || !TEST_ptr(middle->prev)
9005 || !TEST_ptr(late->prev))
9008 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
9009 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
9010 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
9013 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
9014 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
9015 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
9018 /* Make sure they are all still there */
9019 if (!TEST_ptr(early->prev)
9020 || !TEST_ptr(middle->prev)
9021 || !TEST_ptr(late->prev))
9024 /* Make sure they are in the expected order */
9025 if (!TEST_ptr_eq(late->next, middle)
9026 || !TEST_ptr_eq(middle->next, early)
9027 || !TEST_ptr_eq(early->prev, middle)
9028 || !TEST_ptr_eq(middle->prev, late))
9031 /* This should remove "early" */
9032 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1);
9033 if (!TEST_ptr_null(early->prev)
9034 || !TEST_ptr(middle->prev)
9035 || !TEST_ptr(late->prev))
9038 /* This should remove "middle" */
9039 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1);
9040 if (!TEST_ptr_null(early->prev)
9041 || !TEST_ptr_null(middle->prev)
9042 || !TEST_ptr(late->prev))
9045 /* This should remove "late" */
9046 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11);
9047 if (!TEST_ptr_null(early->prev)
9048 || !TEST_ptr_null(middle->prev)
9049 || !TEST_ptr_null(late->prev))
9052 /* Add them back in again */
9053 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9054 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
9055 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
9058 /* Make sure they are all added */
9059 if (!TEST_ptr(early->prev)
9060 || !TEST_ptr(middle->prev)
9061 || !TEST_ptr(late->prev))
9064 /* This should remove all of them */
9065 SSL_CTX_flush_sessions(ctx, 0);
9066 if (!TEST_ptr_null(early->prev)
9067 || !TEST_ptr_null(middle->prev)
9068 || !TEST_ptr_null(late->prev))
9071 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
9072 | SSL_CTX_get_session_cache_mode(ctx));
9074 /* make sure |now| is NOT equal to the current time */
9076 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
9077 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9078 || !TEST_long_ne(SSL_SESSION_get_time(early), now))
9084 SSL_SESSION_free(early);
9085 SSL_SESSION_free(middle);
9086 SSL_SESSION_free(late);
9091 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
9092 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
9093 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
9094 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
9095 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
9096 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
9097 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
9098 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
9099 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
9100 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
9102 static int test_servername(int tst)
9104 SSL_CTX *cctx = NULL, *sctx = NULL;
9105 SSL *clientssl = NULL, *serverssl = NULL;
9107 SSL_SESSION *sess = NULL;
9108 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
9110 #ifdef OPENSSL_NO_TLS1_2
9114 #ifdef OSSL_NO_USABLE_TLS1_3
9119 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9120 TLS_client_method(),
9122 (tst <= 4) ? TLS1_2_VERSION
9124 &sctx, &cctx, cert, privkey))
9125 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9129 if (tst != 1 && tst != 6) {
9130 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
9135 if (tst != 3 && tst != 8) {
9136 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9138 sexpectedhost = cexpectedhost = "goodhost";
9141 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9144 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
9146 || !TEST_str_eq(SSL_get_servername(serverssl,
9147 TLSEXT_NAMETYPE_host_name),
9151 /* Now repeat with a resumption handshake */
9153 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
9154 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
9155 || !TEST_true(SSL_SESSION_is_resumable(sess))
9156 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
9159 SSL_free(clientssl);
9160 SSL_free(serverssl);
9161 clientssl = serverssl = NULL;
9163 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
9167 if (!TEST_true(SSL_set_session(clientssl, sess)))
9170 sexpectedhost = cexpectedhost = "goodhost";
9171 if (tst == 2 || tst == 7) {
9172 /* Set an inconsistent hostname */
9173 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
9176 * In TLSv1.2 we expect the hostname from the original handshake, in
9177 * TLSv1.3 we expect the hostname from this handshake
9180 sexpectedhost = cexpectedhost = "altgoodhost";
9182 if (!TEST_str_eq(SSL_get_servername(clientssl,
9183 TLSEXT_NAMETYPE_host_name),
9186 } else if (tst == 4 || tst == 9) {
9188 * A TLSv1.3 session does not associate a session with a servername,
9189 * but a TLSv1.2 session does.
9192 sexpectedhost = cexpectedhost = NULL;
9194 if (!TEST_str_eq(SSL_get_servername(clientssl,
9195 TLSEXT_NAMETYPE_host_name),
9199 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9202 * In a TLSv1.2 resumption where the hostname was not acknowledged
9203 * we expect the hostname on the server to be empty. On the client we
9204 * return what was requested in this case.
9206 * Similarly if the client didn't set a hostname on an original TLSv1.2
9207 * session but is now, the server hostname will be empty, but the client
9210 if (tst == 1 || tst == 3)
9211 sexpectedhost = NULL;
9213 if (!TEST_str_eq(SSL_get_servername(clientssl,
9214 TLSEXT_NAMETYPE_host_name),
9219 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9222 if (!TEST_true(SSL_session_reused(clientssl))
9223 || !TEST_true(SSL_session_reused(serverssl))
9224 || !TEST_str_eq(SSL_get_servername(clientssl,
9225 TLSEXT_NAMETYPE_host_name),
9227 || !TEST_str_eq(SSL_get_servername(serverssl,
9228 TLSEXT_NAMETYPE_host_name),
9235 SSL_SESSION_free(sess);
9236 SSL_free(serverssl);
9237 SSL_free(clientssl);
9244 #if !defined(OPENSSL_NO_EC) \
9245 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9247 * Test that if signature algorithms are not available, then we do not offer or
9249 * Test 0: Two RSA sig algs available: both RSA sig algs shared
9250 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
9251 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
9252 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
9253 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
9254 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
9256 static int test_sigalgs_available(int idx)
9258 SSL_CTX *cctx = NULL, *sctx = NULL;
9259 SSL *clientssl = NULL, *serverssl = NULL;
9261 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
9262 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
9263 OSSL_PROVIDER *filterprov = NULL;
9266 if (!TEST_ptr(tmpctx))
9269 if (idx != 0 && idx != 3) {
9270 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
9271 filter_provider_init)))
9274 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
9275 if (!TEST_ptr(filterprov))
9280 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
9281 * or accepted for the peer that uses this libctx. Note that libssl
9282 * *requires* SHA2-256 to be available so we cannot disable that. We
9283 * also need SHA1 for our certificate.
9285 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
9289 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
9291 # ifdef OPENSSL_NO_ECX
9292 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT, "EC"))
9294 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
9301 if (idx == 1 || idx == 4)
9307 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
9308 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
9309 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
9313 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9314 TLS_client_method(),
9317 &sctx, &cctx, cert, privkey)))
9320 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9321 TLS_client_method(),
9324 &sctx, &cctx, cert2, privkey2)))
9328 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
9330 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9331 "ECDHE-RSA-AES128-GCM-SHA256")))
9334 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9335 "ECDHE-ECDSA-AES128-GCM-SHA256")))
9340 if (!SSL_CTX_set1_sigalgs_list(cctx,
9341 "rsa_pss_rsae_sha384"
9342 ":rsa_pss_rsae_sha256")
9343 || !SSL_CTX_set1_sigalgs_list(sctx,
9344 "rsa_pss_rsae_sha384"
9345 ":rsa_pss_rsae_sha256"))
9348 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
9349 || !SSL_CTX_set1_sigalgs_list(sctx,
9350 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
9355 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
9356 SSL_FILETYPE_PEM), 1)
9357 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
9359 SSL_FILETYPE_PEM), 1)
9360 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
9363 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9367 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9370 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
9371 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
9373 (idx == 0 || idx == 3) ? 2 : 1))
9376 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
9379 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
9383 testresult = filter_provider_check_clean_finish();
9386 SSL_free(serverssl);
9387 SSL_free(clientssl);
9390 OSSL_PROVIDER_unload(filterprov);
9391 OSSL_LIB_CTX_free(tmpctx);
9396 * !defined(OPENSSL_NO_EC) \
9397 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9400 #ifndef OPENSSL_NO_TLS1_3
9401 /* This test can run in TLSv1.3 even if ec and dh are disabled */
9402 static int test_pluggable_group(int idx)
9404 SSL_CTX *cctx = NULL, *sctx = NULL;
9405 SSL *clientssl = NULL, *serverssl = NULL;
9407 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
9408 /* Check that we are not impacted by a provider without any groups */
9409 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
9410 const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
9412 if (!TEST_ptr(tlsprov))
9415 if (legacyprov == NULL) {
9417 * In this case we assume we've been built with "no-legacy" and skip
9418 * this test (there is no OPENSSL_NO_LEGACY)
9424 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9425 TLS_client_method(),
9428 &sctx, &cctx, cert, privkey))
9429 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9433 if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
9434 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
9437 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9440 if (!TEST_str_eq(group_name,
9441 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
9444 if (!TEST_str_eq(group_name, SSL_get0_group_name(serverssl))
9445 || !TEST_str_eq(group_name, SSL_get0_group_name(clientssl)))
9451 SSL_free(serverssl);
9452 SSL_free(clientssl);
9455 OSSL_PROVIDER_unload(tlsprov);
9456 OSSL_PROVIDER_unload(legacyprov);
9462 * This function triggers encode, decode and sign functions
9463 * of the artificial "xorhmacsig" algorithm implemented in tls-provider
9464 * creating private key and certificate files for use in TLS testing.
9466 static int create_cert_key(int idx, char *certfilename, char *privkeyfilename)
9468 EVP_PKEY_CTX *evpctx = EVP_PKEY_CTX_new_from_name(libctx,
9469 (idx == 0) ? "xorhmacsig" : "xorhmacsha2sig", NULL);
9470 EVP_PKEY *pkey = NULL;
9471 X509 *x509 = X509_new();
9472 X509_NAME *name = NULL;
9473 BIO *keybio = NULL, *certbio = NULL;
9476 if (!TEST_ptr(evpctx)
9477 || !TEST_true(EVP_PKEY_keygen_init(evpctx))
9478 || !TEST_true(EVP_PKEY_generate(evpctx, &pkey))
9481 || !TEST_true(ASN1_INTEGER_set(X509_get_serialNumber(x509), 1))
9482 || !TEST_true(X509_gmtime_adj(X509_getm_notBefore(x509), 0))
9483 || !TEST_true(X509_gmtime_adj(X509_getm_notAfter(x509), 31536000L))
9484 || !TEST_true(X509_set_pubkey(x509, pkey))
9485 || !TEST_ptr(name = X509_get_subject_name(x509))
9486 || !TEST_true(X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC,
9487 (unsigned char *)"CH", -1, -1, 0))
9488 || !TEST_true(X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC,
9489 (unsigned char *)"test.org", -1, -1, 0))
9490 || !TEST_true(X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
9491 (unsigned char *)"localhost", -1, -1, 0))
9492 || !TEST_true(X509_set_issuer_name(x509, name))
9493 || !TEST_true(X509_sign(x509, pkey, EVP_sha1()))
9494 || !TEST_ptr(keybio = BIO_new_file(privkeyfilename, "wb"))
9495 || !TEST_true(PEM_write_bio_PrivateKey(keybio, pkey, NULL, NULL, 0, NULL, NULL))
9496 || !TEST_ptr(certbio = BIO_new_file(certfilename, "wb"))
9497 || !TEST_true(PEM_write_bio_X509(certbio, x509)))
9500 EVP_PKEY_free(pkey);
9502 EVP_PKEY_CTX_free(evpctx);
9509 * Test that signature algorithms loaded via the provider interface can
9510 * correctly establish a TLS (1.3) connection.
9511 * Test 0: Signature algorithm with built-in hashing functionality: "xorhmacsig"
9512 * Test 1: Signature algorithm using external SHA2 hashing: "xorhmacsha2sig"
9513 * Test 2: Test 0 using RPK
9514 * Test 3: Test 1 using RPK
9516 static int test_pluggable_signature(int idx)
9518 static const unsigned char cert_type_rpk[] = { TLSEXT_cert_type_rpk, TLSEXT_cert_type_x509 };
9519 SSL_CTX *cctx = NULL, *sctx = NULL;
9520 SSL *clientssl = NULL, *serverssl = NULL;
9522 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
9523 OSSL_PROVIDER *defaultprov = OSSL_PROVIDER_load(libctx, "default");
9524 char *certfilename = "tls-prov-cert.pem";
9525 char *privkeyfilename = "tls-prov-key.pem";
9526 int sigidx = idx % 2;
9527 int rpkidx = idx / 2;
9529 /* create key and certificate for the different algorithm types */
9530 if (!TEST_ptr(tlsprov)
9531 || !TEST_true(create_cert_key(sigidx, certfilename, privkeyfilename)))
9534 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9535 TLS_client_method(),
9538 &sctx, &cctx, certfilename, privkeyfilename))
9539 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9543 /* Enable RPK for server cert */
9545 if (!TEST_true(SSL_set1_server_cert_type(serverssl, cert_type_rpk, sizeof(cert_type_rpk)))
9546 || !TEST_true(SSL_set1_server_cert_type(clientssl, cert_type_rpk, sizeof(cert_type_rpk))))
9550 /* This is necessary to pass minimal setup w/o other groups configured */
9551 if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup"))
9552 || !TEST_true(SSL_set1_groups_list(clientssl, "xorgroup")))
9556 * If this connection gets established, it must have been completed
9557 * via the tls-provider-implemented "hmacsig" algorithm, testing
9558 * both sign and verify functions during handshake.
9560 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9563 /* If using RPK, make sure we got one */
9564 if (rpkidx && !TEST_long_eq(SSL_get_verify_result(clientssl), X509_V_ERR_RPK_UNTRUSTED))
9570 SSL_free(serverssl);
9571 SSL_free(clientssl);
9574 OSSL_PROVIDER_unload(tlsprov);
9575 OSSL_PROVIDER_unload(defaultprov);
9581 #ifndef OPENSSL_NO_TLS1_2
9582 static int test_ssl_dup(void)
9584 SSL_CTX *cctx = NULL, *sctx = NULL;
9585 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
9587 BIO *rbio = NULL, *wbio = NULL;
9589 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9590 TLS_client_method(),
9593 &sctx, &cctx, cert, privkey)))
9596 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9600 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
9601 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
9604 client2ssl = SSL_dup(clientssl);
9605 rbio = SSL_get_rbio(clientssl);
9607 || !TEST_true(BIO_up_ref(rbio)))
9609 SSL_set0_rbio(client2ssl, rbio);
9612 wbio = SSL_get_wbio(clientssl);
9613 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
9615 SSL_set0_wbio(client2ssl, wbio);
9618 if (!TEST_ptr(client2ssl)
9619 /* Handshake not started so pointers should be different */
9620 || !TEST_ptr_ne(clientssl, client2ssl))
9623 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
9624 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
9627 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
9630 SSL_free(clientssl);
9631 clientssl = SSL_dup(client2ssl);
9632 if (!TEST_ptr(clientssl)
9633 /* Handshake has finished so pointers should be the same */
9634 || !TEST_ptr_eq(clientssl, client2ssl))
9640 SSL_free(serverssl);
9641 SSL_free(clientssl);
9642 SSL_free(client2ssl);
9649 # ifndef OPENSSL_NO_DH
9651 static EVP_PKEY *tmp_dh_params = NULL;
9653 /* Helper function for the test_set_tmp_dh() tests */
9654 static EVP_PKEY *get_tmp_dh_params(void)
9656 if (tmp_dh_params == NULL) {
9658 OSSL_PARAM_BLD *tmpl = NULL;
9659 EVP_PKEY_CTX *pctx = NULL;
9660 OSSL_PARAM *params = NULL;
9661 EVP_PKEY *dhpkey = NULL;
9663 p = BN_get_rfc3526_prime_2048(NULL);
9667 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
9669 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
9672 tmpl = OSSL_PARAM_BLD_new();
9674 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
9675 OSSL_PKEY_PARAM_FFC_P,
9677 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
9678 OSSL_PKEY_PARAM_FFC_G,
9682 params = OSSL_PARAM_BLD_to_param(tmpl);
9683 if (!TEST_ptr(params)
9684 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
9685 EVP_PKEY_KEY_PARAMETERS,
9689 tmp_dh_params = dhpkey;
9692 EVP_PKEY_CTX_free(pctx);
9693 OSSL_PARAM_BLD_free(tmpl);
9694 OSSL_PARAM_free(params);
9697 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
9700 return tmp_dh_params;
9703 # ifndef OPENSSL_NO_DEPRECATED_3_0
9704 /* Callback used by test_set_tmp_dh() */
9705 static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
9707 EVP_PKEY *dhpkey = get_tmp_dh_params();
9710 if (!TEST_ptr(dhpkey))
9714 * libssl does not free the returned DH, so we free it now knowing that even
9715 * after we free dhpkey, there will still be a reference to the owning
9716 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
9717 * of time we need it for.
9719 ret = EVP_PKEY_get1_DH(dhpkey);
9722 EVP_PKEY_free(dhpkey);
9729 * Test the various methods for setting temporary DH parameters
9731 * Test 0: Default (no auto) setting
9732 * Test 1: Explicit SSL_CTX auto off
9733 * Test 2: Explicit SSL auto off
9734 * Test 3: Explicit SSL_CTX auto on
9735 * Test 4: Explicit SSL auto on
9736 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
9737 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
9739 * The following are testing deprecated APIs, so we only run them if available
9740 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
9741 * Test 8: Explicit SSL auto off, custom DH params via DH
9742 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
9743 * Test 10: Explicit SSL auto off, custom DH params via callback
9745 static int test_set_tmp_dh(int idx)
9747 SSL_CTX *cctx = NULL, *sctx = NULL;
9748 SSL *clientssl = NULL, *serverssl = NULL;
9750 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
9751 int expected = (idx <= 2) ? 0 : 1;
9752 EVP_PKEY *dhpkey = NULL;
9753 # ifndef OPENSSL_NO_DEPRECATED_3_0
9761 if (idx >= 5 && idx <= 8) {
9762 dhpkey = get_tmp_dh_params();
9763 if (!TEST_ptr(dhpkey))
9766 # ifndef OPENSSL_NO_DEPRECATED_3_0
9767 if (idx == 7 || idx == 8) {
9768 dh = EVP_PKEY_get1_DH(dhpkey);
9774 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9775 TLS_client_method(),
9778 &sctx, &cctx, cert, privkey)))
9781 if ((idx & 1) == 1) {
9782 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
9787 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
9791 # ifndef OPENSSL_NO_DEPRECATED_3_0
9792 else if (idx == 7) {
9793 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
9795 } else if (idx == 9) {
9796 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
9800 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9804 if ((idx & 1) == 0 && idx != 0) {
9805 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
9809 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
9813 # ifndef OPENSSL_NO_DEPRECATED_3_0
9814 else if (idx == 8) {
9815 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
9817 } else if (idx == 10) {
9818 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
9822 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9823 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9824 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
9828 * If autoon then we should succeed. Otherwise we expect failure because
9829 * there are no parameters
9831 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
9832 SSL_ERROR_NONE), expected))
9838 # ifndef OPENSSL_NO_DEPRECATED_3_0
9841 SSL_free(serverssl);
9842 SSL_free(clientssl);
9845 EVP_PKEY_free(dhpkey);
9851 * Test the auto DH keys are appropriately sized
9853 static int test_dh_auto(int idx)
9855 SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
9856 SSL_CTX *sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9857 SSL *clientssl = NULL, *serverssl = NULL;
9859 EVP_PKEY *tmpkey = NULL;
9860 char *thiscert = NULL, *thiskey = NULL;
9861 size_t expdhsize = 0;
9862 const char *ciphersuite = "DHE-RSA-AES128-SHA";
9864 if (!TEST_ptr(sctx) || !TEST_ptr(cctx))
9869 /* The FIPS provider doesn't support this DH size - so we ignore it */
9874 thiscert = cert1024;
9875 thiskey = privkey1024;
9877 SSL_CTX_set_security_level(sctx, 1);
9878 SSL_CTX_set_security_level(cctx, 1);
9881 /* 2048 bit prime */
9887 thiscert = cert3072;
9888 thiskey = privkey3072;
9892 thiscert = cert4096;
9893 thiskey = privkey4096;
9897 thiscert = cert8192;
9898 thiskey = privkey8192;
9901 /* No certificate cases */
9903 /* The FIPS provider doesn't support this DH size - so we ignore it */
9908 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
9912 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
9916 TEST_error("Invalid text index");
9920 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL,
9924 &sctx, &cctx, thiscert, thiskey)))
9927 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9931 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
9932 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9933 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9934 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
9935 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
9939 * Send the server's first flight. At this point the server has created the
9940 * temporary DH key but hasn't finished using it yet. Once used it is
9941 * removed, so we cannot test it.
9943 if (!TEST_int_le(SSL_connect(clientssl), 0)
9944 || !TEST_int_le(SSL_accept(serverssl), 0))
9947 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
9949 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
9952 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9958 SSL_free(serverssl);
9959 SSL_free(clientssl);
9962 EVP_PKEY_free(tmpkey);
9967 # endif /* OPENSSL_NO_DH */
9968 #endif /* OPENSSL_NO_TLS1_2 */
9970 #ifndef OSSL_NO_USABLE_TLS1_3
9972 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
9973 * that it works even without a certificate configured for the original
9976 static int test_sni_tls13(void)
9978 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
9979 SSL *clientssl = NULL, *serverssl = NULL;
9982 /* Reset callback counter */
9985 /* Create an initial SSL_CTX with no certificate configured */
9986 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9987 if (!TEST_ptr(sctx))
9989 /* Require TLSv1.3 as a minimum */
9990 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9991 TLS_client_method(), TLS1_3_VERSION, 0,
9992 &sctx2, &cctx, cert, privkey)))
9996 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
9997 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
10001 * Connection should still succeed because the final SSL_CTX has the right
10002 * certificates configured.
10004 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10005 &clientssl, NULL, NULL))
10006 || !TEST_true(create_ssl_connection(serverssl, clientssl,
10010 /* We should have had the SNI callback called exactly once */
10011 if (!TEST_int_eq(snicb, 1))
10017 SSL_free(serverssl);
10018 SSL_free(clientssl);
10019 SSL_CTX_free(sctx2);
10020 SSL_CTX_free(sctx);
10021 SSL_CTX_free(cctx);
10026 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
10030 static int test_ticket_lifetime(int idx)
10032 SSL_CTX *cctx = NULL, *sctx = NULL;
10033 SSL *clientssl = NULL, *serverssl = NULL;
10034 int testresult = 0;
10035 int version = TLS1_3_VERSION;
10037 #define ONE_WEEK_SEC (7 * 24 * 60 * 60)
10038 #define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
10041 #ifdef OPENSSL_NO_TLS1_2
10042 return TEST_skip("TLS 1.2 is disabled.");
10044 version = TLS1_2_VERSION;
10048 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10049 TLS_client_method(), version, version,
10050 &sctx, &cctx, cert, privkey)))
10053 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10054 &clientssl, NULL, NULL)))
10058 * Set the timeout to be more than 1 week
10059 * make sure the returned value is the default
10061 if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
10062 SSL_get_default_timeout(serverssl)))
10065 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10069 /* TLSv1.2 uses the set value */
10070 if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC))
10073 /* TLSv1.3 uses the limited value */
10074 if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC))
10080 SSL_free(serverssl);
10081 SSL_free(clientssl);
10082 SSL_CTX_free(sctx);
10083 SSL_CTX_free(cctx);
10088 * Test that setting an ALPN does not violate RFC
10090 static int test_set_alpn(void)
10092 SSL_CTX *ctx = NULL;
10094 int testresult = 0;
10096 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
10097 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
10098 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
10099 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
10100 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
10101 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
10103 /* Create an initial SSL_CTX with no certificate configured */
10104 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10105 if (!TEST_ptr(ctx))
10108 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
10109 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
10111 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
10113 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
10115 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
10117 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
10119 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
10121 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
10123 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
10125 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
10128 ssl = SSL_new(ctx);
10129 if (!TEST_ptr(ssl))
10132 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
10134 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
10136 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
10138 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
10140 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
10142 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
10144 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
10146 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
10148 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
10160 * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
10162 static int test_set_verify_cert_store_ssl_ctx(void)
10164 SSL_CTX *ctx = NULL;
10165 int testresult = 0;
10166 X509_STORE *store = NULL, *new_store = NULL,
10167 *cstore = NULL, *new_cstore = NULL;
10169 /* Create an initial SSL_CTX. */
10170 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10171 if (!TEST_ptr(ctx))
10174 /* Retrieve verify store pointer. */
10175 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10178 /* Retrieve chain store pointer. */
10179 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10182 /* We haven't set any yet, so this should be NULL. */
10183 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10186 /* Create stores. We use separate stores so pointers are different. */
10187 new_store = X509_STORE_new();
10188 if (!TEST_ptr(new_store))
10191 new_cstore = X509_STORE_new();
10192 if (!TEST_ptr(new_cstore))
10196 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store)))
10199 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore)))
10202 /* Should be able to retrieve the same pointer. */
10203 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10206 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10209 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10212 /* Should be able to unset again. */
10213 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL)))
10216 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL)))
10219 /* Should now be NULL. */
10220 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10223 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10226 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10232 X509_STORE_free(new_store);
10233 X509_STORE_free(new_cstore);
10239 * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store.
10241 static int test_set_verify_cert_store_ssl(void)
10243 SSL_CTX *ctx = NULL;
10245 int testresult = 0;
10246 X509_STORE *store = NULL, *new_store = NULL,
10247 *cstore = NULL, *new_cstore = NULL;
10249 /* Create an initial SSL_CTX. */
10250 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10251 if (!TEST_ptr(ctx))
10254 /* Create an SSL object. */
10255 ssl = SSL_new(ctx);
10256 if (!TEST_ptr(ssl))
10259 /* Retrieve verify store pointer. */
10260 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10263 /* Retrieve chain store pointer. */
10264 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10267 /* We haven't set any yet, so this should be NULL. */
10268 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10271 /* Create stores. We use separate stores so pointers are different. */
10272 new_store = X509_STORE_new();
10273 if (!TEST_ptr(new_store))
10276 new_cstore = X509_STORE_new();
10277 if (!TEST_ptr(new_cstore))
10281 if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store)))
10284 if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore)))
10287 /* Should be able to retrieve the same pointer. */
10288 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10291 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10294 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10297 /* Should be able to unset again. */
10298 if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL)))
10301 if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL)))
10304 /* Should now be NULL. */
10305 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10308 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10311 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10317 X509_STORE_free(new_store);
10318 X509_STORE_free(new_cstore);
10325 static int test_inherit_verify_param(void)
10327 int testresult = 0;
10329 SSL_CTX *ctx = NULL;
10330 X509_VERIFY_PARAM *cp = NULL;
10332 X509_VERIFY_PARAM *sp = NULL;
10333 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
10335 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10336 if (!TEST_ptr(ctx))
10339 cp = SSL_CTX_get0_param(ctx);
10342 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
10345 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
10347 ssl = SSL_new(ctx);
10348 if (!TEST_ptr(ssl))
10351 sp = SSL_get0_param(ssl);
10354 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
10366 static int test_load_dhfile(void)
10368 #ifndef OPENSSL_NO_DH
10369 int testresult = 0;
10371 SSL_CTX *ctx = NULL;
10372 SSL_CONF_CTX *cctx = NULL;
10374 if (dhfile == NULL)
10377 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()))
10378 || !TEST_ptr(cctx = SSL_CONF_CTX_new()))
10381 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
10382 SSL_CONF_CTX_set_flags(cctx,
10383 SSL_CONF_FLAG_CERTIFICATE
10384 | SSL_CONF_FLAG_SERVER
10385 | SSL_CONF_FLAG_FILE);
10387 if (!TEST_int_eq(SSL_CONF_cmd(cctx, "DHParameters", dhfile), 2))
10392 SSL_CONF_CTX_free(cctx);
10397 return TEST_skip("DH not supported by this build");
10401 #ifndef OSSL_NO_USABLE_TLS1_3
10402 /* Test that read_ahead works across a key change */
10403 static int test_read_ahead_key_change(void)
10405 SSL_CTX *cctx = NULL, *sctx = NULL;
10406 SSL *clientssl = NULL, *serverssl = NULL;
10407 int testresult = 0;
10408 char *msg = "Hello World";
10409 size_t written, readbytes;
10413 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10414 TLS_client_method(), TLS1_3_VERSION, 0,
10415 &sctx, &cctx, cert, privkey)))
10418 SSL_CTX_set_read_ahead(sctx, 1);
10420 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10421 &clientssl, NULL, NULL)))
10424 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10427 /* Write some data, send a key update, write more data */
10428 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10429 || !TEST_size_t_eq(written, strlen(msg)))
10432 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
10435 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10436 || !TEST_size_t_eq(written, strlen(msg)))
10440 * Since read_ahead is on the first read below should read the record with
10441 * the first app data, the second record with the key update message, and
10442 * the third record with the app data all in one go. We should be able to
10443 * still process the read_ahead data correctly even though it crosses
10446 for (i = 0; i < 2; i++) {
10447 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
10451 buf[readbytes] = '\0';
10452 if (!TEST_str_eq(buf, msg))
10459 SSL_free(serverssl);
10460 SSL_free(clientssl);
10461 SSL_CTX_free(sctx);
10462 SSL_CTX_free(cctx);
10466 static size_t record_pad_cb(SSL *s, int type, size_t len, void *arg)
10470 switch ((*called)++) {
10472 /* Add some padding to first record */
10475 /* Maximally pad the second record */
10476 return SSL3_RT_MAX_PLAIN_LENGTH - len;
10479 * Exceeding the maximum padding should be fine. It should just pad to
10480 * the maximum anyway
10482 return SSL3_RT_MAX_PLAIN_LENGTH + 1 - len;
10485 * Very large padding should also be ok. Should just pad to the maximum
10495 * Test that setting record padding in TLSv1.3 works as expected
10496 * Test 0: Record padding callback on the SSL_CTX
10497 * Test 1: Record padding callback on the SSL
10498 * Test 2: Record block padding on the SSL_CTX
10499 * Test 3: Record block padding on the SSL
10501 static int test_tls13_record_padding(int idx)
10503 SSL_CTX *cctx = NULL, *sctx = NULL;
10504 SSL *clientssl = NULL, *serverssl = NULL;
10505 int testresult = 0;
10506 char *msg = "Hello World";
10507 size_t written, readbytes;
10512 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10513 TLS_client_method(), TLS1_3_VERSION, 0,
10514 &sctx, &cctx, cert, privkey)))
10518 SSL_CTX_set_record_padding_callback(cctx, record_pad_cb);
10519 SSL_CTX_set_record_padding_callback_arg(cctx, &called);
10520 if (!TEST_ptr_eq(SSL_CTX_get_record_padding_callback_arg(cctx), &called))
10522 } else if (idx == 2) {
10523 /* Exceeding the max plain length should fail */
10524 if (!TEST_false(SSL_CTX_set_block_padding(cctx,
10525 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
10527 if (!TEST_true(SSL_CTX_set_block_padding(cctx, 512)))
10531 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10532 &clientssl, NULL, NULL)))
10536 SSL_set_record_padding_callback(clientssl, record_pad_cb);
10537 SSL_set_record_padding_callback_arg(clientssl, &called);
10538 if (!TEST_ptr_eq(SSL_get_record_padding_callback_arg(clientssl), &called))
10540 } else if (idx == 3) {
10541 /* Exceeding the max plain length should fail */
10542 if (!TEST_false(SSL_set_block_padding(clientssl,
10543 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
10545 if (!TEST_true(SSL_set_block_padding(clientssl, 512)))
10549 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10554 * Write some data, then check we can read it. Do this four times to check
10555 * we can continue to write and read padded data after the initial record
10556 * padding has been added. We don't actually check that the padding has
10557 * been applied to the record - just that we can continue to communicate
10558 * normally and that the callback has been called (if appropriate).
10560 for (i = 0; i < 4; i++) {
10561 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10562 || !TEST_size_t_eq(written, strlen(msg)))
10565 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
10567 || !TEST_size_t_eq(written, readbytes))
10570 buf[readbytes] = '\0';
10571 if (!TEST_str_eq(buf, msg))
10575 if ((idx == 0 || idx == 1) && !TEST_int_eq(called, 4))
10580 SSL_free(serverssl);
10581 SSL_free(clientssl);
10582 SSL_CTX_free(sctx);
10583 SSL_CTX_free(cctx);
10586 #endif /* OSSL_NO_USABLE_TLS1_3 */
10588 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
10590 * Test TLSv1.2 with a pipeline capable cipher. TLSv1.3 and DTLS do not
10591 * support this yet. The only pipeline capable cipher that we have is in the
10592 * dasync engine (providers don't support this yet), so we have to use
10593 * deprecated APIs for this test.
10595 * Test 0: Client has pipelining enabled, server does not
10596 * Test 1: Server has pipelining enabled, client does not
10597 * Test 2: Client has pipelining enabled, server does not: not enough data to
10598 * fill all the pipelines
10599 * Test 3: Client has pipelining enabled, server does not: not enough data to
10600 * fill all the pipelines by more than a full pipeline's worth
10601 * Test 4: Client has pipelining enabled, server does not: more data than all
10602 * the available pipelines can take
10603 * Test 5: Client has pipelining enabled, server does not: Maximum size pipeline
10605 static int test_pipelining(int idx)
10607 SSL_CTX *cctx = NULL, *sctx = NULL;
10608 SSL *clientssl = NULL, *serverssl = NULL, *peera, *peerb;
10609 int testresult = 0, numreads;
10610 /* A 55 byte message */
10611 unsigned char *msg = (unsigned char *)
10612 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123";
10613 size_t written, readbytes, offset, msglen, fragsize = 10, numpipes = 5;
10614 size_t expectedreads;
10615 unsigned char *buf = NULL;
10618 if (!TEST_ptr(e = ENGINE_by_id("dasync")))
10621 if (!TEST_true(ENGINE_init(e))) {
10626 if (!TEST_true(ENGINE_register_ciphers(e)))
10629 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10630 TLS_client_method(), 0,
10631 TLS1_2_VERSION, &sctx, &cctx, cert,
10635 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10636 &clientssl, NULL, NULL)))
10639 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES128-SHA")))
10642 /* peera is always configured for pipelining, while peerb is not. */
10654 /* Maximum allowed fragment size */
10655 fragsize = SSL3_RT_MAX_PLAIN_LENGTH;
10656 msglen = fragsize * numpipes;
10657 msg = OPENSSL_malloc(msglen);
10658 if (!TEST_ptr(msg))
10660 if (!TEST_int_gt(RAND_bytes_ex(libctx, msg, msglen, 0), 0))
10662 } else if (idx == 4) {
10668 msglen -= 2; /* Send 2 less bytes */
10670 msglen -= 12; /* Send 12 less bytes */
10672 buf = OPENSSL_malloc(msglen);
10673 if (!TEST_ptr(buf))
10678 * Test that setting a split send fragment longer than the maximum
10681 if (!TEST_false(SSL_set_split_send_fragment(peera, fragsize + 1)))
10686 * In the normal case. We have 5 pipelines with 10 bytes per pipeline
10687 * (50 bytes in total). This is a ridiculously small number of bytes -
10688 * but sufficient for our purposes
10690 if (!TEST_true(SSL_set_max_pipelines(peera, numpipes))
10691 || !TEST_true(SSL_set_split_send_fragment(peera, fragsize)))
10694 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10697 /* Write some data from peera to peerb */
10698 if (!TEST_true(SSL_write_ex(peera, msg, msglen, &written))
10699 || !TEST_size_t_eq(written, msglen))
10703 * If the pipelining code worked, then we expect all |numpipes| pipelines to
10704 * have been used - except in test 3 where only |numpipes - 1| pipelines
10705 * will be used. This will result in |numpipes| records (|numpipes - 1| for
10706 * test 3) having been sent to peerb. Since peerb is not using read_ahead we
10707 * expect this to be read in |numpipes| or |numpipes - 1| separate
10708 * SSL_read_ex calls. In the case of test 4, there is then one additional
10709 * read for left over data that couldn't fit in the previous pipelines
10711 for (offset = 0, numreads = 0;
10713 offset += readbytes, numreads++) {
10714 if (!TEST_true(SSL_read_ex(peerb, buf + offset,
10715 msglen - offset, &readbytes)))
10719 expectedreads = idx == 4 ? numpipes + 1
10720 : (idx == 3 ? numpipes - 1 : numpipes);
10721 if (!TEST_mem_eq(msg, msglen, buf, offset)
10722 || !TEST_int_eq(numreads, expectedreads))
10726 * Write some data from peerb to peera. We do this in up to |numpipes + 1|
10727 * chunks to exercise the read pipelining code on peera.
10729 for (offset = 0; offset < msglen; offset += fragsize) {
10730 size_t sendlen = msglen - offset;
10732 if (sendlen > fragsize)
10733 sendlen = fragsize;
10734 if (!TEST_true(SSL_write_ex(peerb, msg + offset, sendlen, &written))
10735 || !TEST_size_t_eq(written, sendlen))
10740 * The data was written in |numpipes|, |numpipes - 1| or |numpipes + 1|
10741 * separate chunks (depending on which test we are running). If the
10742 * pipelining is working then we expect peera to read up to numpipes chunks
10743 * and process them in parallel, giving back the complete result in a single
10744 * call to SSL_read_ex
10746 if (!TEST_true(SSL_read_ex(peera, buf, msglen, &readbytes))
10747 || !TEST_size_t_le(readbytes, msglen))
10753 if (!TEST_true(SSL_read_ex(peera, buf + readbytes,
10754 msglen - readbytes, &readbytes2)))
10756 readbytes += readbytes2;
10757 if (!TEST_size_t_le(readbytes, msglen))
10761 if (!TEST_mem_eq(msg, msglen, buf, readbytes))
10766 SSL_free(serverssl);
10767 SSL_free(clientssl);
10768 SSL_CTX_free(sctx);
10769 SSL_CTX_free(cctx);
10770 ENGINE_unregister_ciphers(e);
10774 if (fragsize == SSL3_RT_MAX_PLAIN_LENGTH)
10778 #endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) */
10780 static int check_version_string(SSL *s, int version)
10782 const char *verstr = NULL;
10791 case TLS1_1_VERSION:
10792 verstr = "TLSv1.1";
10794 case TLS1_2_VERSION:
10795 verstr = "TLSv1.2";
10797 case TLS1_3_VERSION:
10798 verstr = "TLSv1.3";
10800 case DTLS1_VERSION:
10803 case DTLS1_2_VERSION:
10804 verstr = "DTLSv1.2";
10807 return TEST_str_eq(verstr, SSL_get_version(s));
10811 * Test that SSL_version, SSL_get_version, SSL_is_quic, SSL_is_tls and
10812 * SSL_is_dtls return the expected results for a (D)TLS connection. Compare with
10813 * test_version() in quicapitest.c which does the same thing for QUIC
10816 static int test_version(int idx)
10818 SSL_CTX *cctx = NULL, *sctx = NULL;
10819 SSL *clientssl = NULL, *serverssl = NULL;
10820 int testresult = 0, version;
10821 const SSL_METHOD *servmeth = TLS_server_method();
10822 const SSL_METHOD *clientmeth = TLS_client_method();
10825 #if !defined(OPENSSL_NO_SSL3)
10827 version = SSL3_VERSION;
10830 #if !defined(OPENSSL_NO_TLS1)
10832 version = TLS1_VERSION;
10835 #if !defined(OPENSSL_NO_TLS1_2)
10837 version = TLS1_2_VERSION;
10840 #if !defined(OSSL_NO_USABLE_TLS1_3)
10842 version = TLS1_3_VERSION;
10845 #if !defined(OPENSSL_NO_DTLS1)
10847 version = DTLS1_VERSION;
10850 #if !defined(OPENSSL_NO_DTLS1_2)
10852 version = DTLS1_2_VERSION;
10856 * NB we do not support QUIC in this test. That is covered by quicapitest.c
10857 * We also don't support DTLS1_BAD_VER since we have no server support for
10861 TEST_skip("Unsupported protocol version");
10866 && (version == SSL3_VERSION
10867 || version == TLS1_VERSION
10868 || version == DTLS1_VERSION)) {
10869 TEST_skip("Protocol version not supported with FIPS");
10873 #if !defined(OPENSSL_NO_DTLS)
10874 if (version == DTLS1_VERSION || version == DTLS1_2_VERSION) {
10875 servmeth = DTLS_server_method();
10876 clientmeth = DTLS_client_method();
10880 if (!TEST_true(create_ssl_ctx_pair(libctx, servmeth, clientmeth, version,
10881 version, &sctx, &cctx, cert, privkey)))
10884 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
10885 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
10886 "DEFAULT:@SECLEVEL=0")))
10889 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10890 &clientssl, NULL, NULL)))
10893 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10896 if (!TEST_int_eq(SSL_version(serverssl), version)
10897 || !TEST_int_eq(SSL_version(clientssl), version)
10898 || !TEST_true(check_version_string(serverssl, version))
10899 || !TEST_true(check_version_string(clientssl, version)))
10902 if (version == DTLS1_VERSION || version == DTLS1_2_VERSION) {
10903 if (!TEST_true(SSL_is_dtls(serverssl))
10904 || !TEST_true(SSL_is_dtls(clientssl))
10905 || !TEST_false(SSL_is_tls(serverssl))
10906 || !TEST_false(SSL_is_tls(clientssl))
10907 || !TEST_false(SSL_is_quic(serverssl))
10908 || !TEST_false(SSL_is_quic(clientssl)))
10911 if (!TEST_true(SSL_is_tls(serverssl))
10912 || !TEST_true(SSL_is_tls(clientssl))
10913 || !TEST_false(SSL_is_dtls(serverssl))
10914 || !TEST_false(SSL_is_dtls(clientssl))
10915 || !TEST_false(SSL_is_quic(serverssl))
10916 || !TEST_false(SSL_is_quic(clientssl)))
10922 SSL_free(serverssl);
10923 SSL_free(clientssl);
10924 SSL_CTX_free(sctx);
10925 SSL_CTX_free(cctx);
10930 * Test that the SSL_rstate_string*() APIs return sane results
10932 static int test_rstate_string(void)
10934 SSL_CTX *cctx = NULL, *sctx = NULL;
10935 SSL *clientssl = NULL, *serverssl = NULL;
10936 int testresult = 0, version;
10937 const SSL_METHOD *servmeth = TLS_server_method();
10938 const SSL_METHOD *clientmeth = TLS_client_method();
10939 size_t written, readbytes;
10940 unsigned char buf[2];
10941 unsigned char dummyheader[SSL3_RT_HEADER_LENGTH] = {
10942 SSL3_RT_APPLICATION_DATA,
10943 TLS1_2_VERSION_MAJOR,
10944 0, /* To be filled in later */
10949 if (!TEST_true(create_ssl_ctx_pair(libctx, servmeth, clientmeth, 0,
10950 0, &sctx, &cctx, cert, privkey)))
10953 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10954 &clientssl, NULL, NULL)))
10957 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RH")
10958 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read header"))
10961 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10964 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RH")
10965 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read header"))
10968 /* Fill in the correct version for the record header */
10969 version = SSL_version(serverssl);
10970 if (version == TLS1_3_VERSION)
10971 version = TLS1_2_VERSION;
10972 dummyheader[2] = version & 0xff;
10975 * Send a dummy header. If we continued to read the body as well this
10976 * would fail with a bad record mac, but we're not going to go that far.
10978 if (!TEST_true(BIO_write_ex(SSL_get_rbio(serverssl), dummyheader,
10979 sizeof(dummyheader), &written))
10980 || !TEST_size_t_eq(written, SSL3_RT_HEADER_LENGTH))
10983 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)))
10986 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RB")
10987 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read body"))
10992 SSL_free(serverssl);
10993 SSL_free(clientssl);
10994 SSL_CTX_free(sctx);
10995 SSL_CTX_free(cctx);
11000 * Force a write retry during handshaking. We test various combinations of
11001 * scenarios. We test a large certificate message which will fill the buffering
11002 * BIO used in the handshake. We try with client auth on and off. Finally we
11003 * also try a BIO that indicates retry via a 0 return. BIO_write() is documented
11004 * to indicate retry via -1 - but sometimes BIOs don't do that.
11006 * Test 0: Standard certificate message
11007 * Test 1: Large certificate message
11008 * Test 2: Standard cert, verify peer
11009 * Test 3: Large cert, verify peer
11010 * Test 4: Standard cert, BIO returns 0 on retry
11011 * Test 5: Large cert, BIO returns 0 on retry
11012 * Test 6: Standard cert, verify peer, BIO returns 0 on retry
11013 * Test 7: Large cert, verify peer, BIO returns 0 on retry
11014 * Test 8-15: Repeat of above with TLSv1.2
11016 static int test_handshake_retry(int idx)
11018 SSL_CTX *cctx = NULL, *sctx = NULL;
11019 SSL *clientssl = NULL, *serverssl = NULL;
11020 int testresult = 0;
11021 BIO *tmp = NULL, *bretry = BIO_new(bio_s_always_retry());
11022 int maxversion = 0;
11024 if (!TEST_ptr(bretry))
11027 #ifndef OPENSSL_NO_TLS1_2
11028 if ((idx & 8) == 8)
11029 maxversion = TLS1_2_VERSION;
11031 if ((idx & 8) == 8)
11032 return TEST_skip("No TLSv1.2");
11035 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11036 TLS_client_method(), 0, maxversion,
11037 &sctx, &cctx, cert, privkey)))
11041 * Add a large amount of data to fill the buffering BIO used by the SSL
11044 if ((idx & 1) == 1 && !ssl_ctx_add_large_cert_chain(libctx, sctx, cert))
11048 * We don't actually configure a client cert, but neither do we fail if one
11051 if ((idx & 2) == 2)
11052 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
11054 if ((idx & 4) == 4)
11055 set_always_retry_err_val(0);
11057 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11058 &clientssl, NULL, NULL)))
11061 tmp = SSL_get_wbio(serverssl);
11062 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
11066 SSL_set0_wbio(serverssl, bretry);
11069 if (!TEST_int_eq(SSL_connect(clientssl), -1))
11072 if (!TEST_int_eq(SSL_accept(serverssl), -1)
11073 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
11076 /* Restore a BIO that will let the write succeed */
11077 SSL_set0_wbio(serverssl, tmp);
11080 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11085 SSL_free(serverssl);
11086 SSL_free(clientssl);
11087 SSL_CTX_free(sctx);
11088 SSL_CTX_free(cctx);
11091 set_always_retry_err_val(-1);
11096 * Test that receiving retries when writing application data works as expected
11098 static int test_data_retry(void)
11100 SSL_CTX *cctx = NULL, *sctx = NULL;
11101 SSL *clientssl = NULL, *serverssl = NULL;
11102 int testresult = 0;
11103 unsigned char inbuf[1200], outbuf[1200];
11106 BIO *bretry = BIO_new(bio_s_maybe_retry());
11107 size_t written, readbytes, totread = 0;
11109 if (!TEST_ptr(bretry))
11112 for (i = 0; i < sizeof(inbuf); i++)
11113 inbuf[i] = (unsigned char)(0xff & i);
11114 memset(outbuf, 0, sizeof(outbuf));
11116 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11117 TLS_client_method(), 0, 0, &sctx, &cctx,
11121 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
11125 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11128 /* Smallest possible max send fragment is 512 */
11129 if (!TEST_true(SSL_set_max_send_fragment(clientssl, 512)))
11132 tmp = SSL_get_wbio(clientssl);
11133 if (!TEST_ptr(tmp))
11135 if (!TEST_true(BIO_up_ref(tmp)))
11137 BIO_push(bretry, tmp);
11139 SSL_set0_wbio(clientssl, bretry);
11140 if (!BIO_up_ref(bretry)) {
11145 for (i = 0; i < 3; i++) {
11146 /* We expect this call to make no progress and indicate retry */
11147 if (!TEST_false(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
11149 if (!TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_WRITE))
11152 /* Allow one write to progess, but the next one to signal retry */
11153 if (!TEST_true(BIO_ctrl(bretry, MAYBE_RETRY_CTRL_SET_RETRY_AFTER_CNT, 1,
11161 * This call will hopefully make progress but will still indicate retry
11162 * because there is more data than will fit into a single record.
11164 if (!TEST_false(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
11166 if (!TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_WRITE))
11170 /* The final call should write the last chunk of data and succeed */
11171 if (!TEST_true(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
11173 /* Read all the data available */
11174 while (SSL_read_ex(serverssl, outbuf + totread, sizeof(outbuf) - totread,
11176 totread += readbytes;
11177 if (!TEST_mem_eq(inbuf, sizeof(inbuf), outbuf, totread))
11182 SSL_free(serverssl);
11183 SSL_free(clientssl);
11184 SSL_CTX_free(sctx);
11185 SSL_CTX_free(cctx);
11186 BIO_free_all(bretry);
11191 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
11193 int setup_tests(void)
11198 libctx = OSSL_LIB_CTX_new();
11199 if (!TEST_ptr(libctx))
11202 defctxnull = OSSL_PROVIDER_load(NULL, "null");
11205 * Verify that the default and fips providers in the default libctx are not
11208 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
11209 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
11212 if (!test_skip_common_options()) {
11213 TEST_error("Error parsing test options\n");
11217 if (!TEST_ptr(certsdir = test_get_argument(0))
11218 || !TEST_ptr(srpvfile = test_get_argument(1))
11219 || !TEST_ptr(tmpfilename = test_get_argument(2))
11220 || !TEST_ptr(modulename = test_get_argument(3))
11221 || !TEST_ptr(configfile = test_get_argument(4))
11222 || !TEST_ptr(dhfile = test_get_argument(5)))
11225 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
11228 /* Check we have the expected provider available */
11229 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
11232 /* Check the default provider is not available */
11233 if (strcmp(modulename, "default") != 0
11234 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
11237 if (strcmp(modulename, "fips") == 0) {
11238 OSSL_PROVIDER *prov = NULL;
11239 OSSL_PARAM params[2];
11243 prov = OSSL_PROVIDER_load(libctx, "fips");
11244 if (prov != NULL) {
11245 /* Query the fips provider to check if the check ems option is enabled */
11247 OSSL_PARAM_construct_int(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK,
11249 params[1] = OSSL_PARAM_construct_end();
11250 OSSL_PROVIDER_get_params(prov, params);
11251 OSSL_PROVIDER_unload(prov);
11256 * We add, but don't load the test "tls-provider". We'll load it when we
11259 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
11260 tls_provider_init)))
11264 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
11265 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
11266 TEST_error("not supported in this build");
11269 int i, mcount, rcount, fcount;
11271 for (i = 0; i < 4; i++)
11272 test_export_key_mat(i);
11273 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
11274 test_printf_stdout("malloc %d realloc %d free %d\n",
11275 mcount, rcount, fcount);
11280 cert = test_mk_file_path(certsdir, "servercert.pem");
11284 privkey = test_mk_file_path(certsdir, "serverkey.pem");
11285 if (privkey == NULL)
11288 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
11292 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
11293 if (privkey2 == NULL)
11296 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
11297 if (cert1024 == NULL)
11300 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
11301 if (privkey1024 == NULL)
11304 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
11305 if (cert3072 == NULL)
11308 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
11309 if (privkey3072 == NULL)
11312 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
11313 if (cert4096 == NULL)
11316 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
11317 if (privkey4096 == NULL)
11320 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
11321 if (cert8192 == NULL)
11324 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
11325 if (privkey8192 == NULL)
11328 if (fips_ems_check) {
11329 #ifndef OPENSSL_NO_TLS1_2
11330 ADD_TEST(test_no_ems);
11334 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
11335 # if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
11336 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
11337 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS * 2);
11340 ADD_TEST(test_large_message_tls);
11341 ADD_TEST(test_large_message_tls_read_ahead);
11342 #ifndef OPENSSL_NO_DTLS
11343 ADD_TEST(test_large_message_dtls);
11345 ADD_ALL_TESTS(test_large_app_data, 28);
11346 ADD_TEST(test_cleanse_plaintext);
11347 #ifndef OPENSSL_NO_OCSP
11348 ADD_TEST(test_tlsext_status_type);
11350 ADD_TEST(test_session_with_only_int_cache);
11351 ADD_TEST(test_session_with_only_ext_cache);
11352 ADD_TEST(test_session_with_both_cache);
11353 ADD_TEST(test_session_wo_ca_names);
11354 #ifndef OSSL_NO_USABLE_TLS1_3
11355 ADD_ALL_TESTS(test_stateful_tickets, 3);
11356 ADD_ALL_TESTS(test_stateless_tickets, 3);
11357 ADD_TEST(test_psk_tickets);
11358 ADD_ALL_TESTS(test_extra_tickets, 6);
11360 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
11361 ADD_TEST(test_ssl_bio_pop_next_bio);
11362 ADD_TEST(test_ssl_bio_pop_ssl_bio);
11363 ADD_TEST(test_ssl_bio_change_rbio);
11364 ADD_TEST(test_ssl_bio_change_wbio);
11365 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
11366 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
11367 ADD_TEST(test_keylog);
11369 #ifndef OSSL_NO_USABLE_TLS1_3
11370 ADD_TEST(test_keylog_no_master_key);
11372 ADD_TEST(test_client_cert_verify_cb);
11373 ADD_TEST(test_ssl_build_cert_chain);
11374 ADD_TEST(test_ssl_ctx_build_cert_chain);
11375 #ifndef OPENSSL_NO_TLS1_2
11376 ADD_TEST(test_client_hello_cb);
11377 ADD_TEST(test_no_ems);
11378 ADD_TEST(test_ccs_change_cipher);
11380 #ifndef OSSL_NO_USABLE_TLS1_3
11381 ADD_ALL_TESTS(test_early_data_read_write, 6);
11383 * We don't do replay tests for external PSK. Replay protection isn't used
11384 * in that scenario.
11386 ADD_ALL_TESTS(test_early_data_replay, 2);
11387 ADD_ALL_TESTS(test_early_data_skip, OSSL_NELEM(ciphersuites) * 3);
11388 ADD_ALL_TESTS(test_early_data_skip_hrr, OSSL_NELEM(ciphersuites) * 3);
11389 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, OSSL_NELEM(ciphersuites) * 3);
11390 ADD_ALL_TESTS(test_early_data_skip_abort, OSSL_NELEM(ciphersuites) * 3);
11391 ADD_ALL_TESTS(test_early_data_not_sent, 3);
11392 ADD_ALL_TESTS(test_early_data_psk, 8);
11393 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
11394 ADD_ALL_TESTS(test_early_data_not_expected, 3);
11395 # ifndef OPENSSL_NO_TLS1_2
11396 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
11399 #ifndef OSSL_NO_USABLE_TLS1_3
11400 ADD_ALL_TESTS(test_set_ciphersuite, 10);
11401 ADD_TEST(test_ciphersuite_change);
11402 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
11403 # ifdef OPENSSL_NO_PSK
11404 ADD_ALL_TESTS(test_tls13_psk, 1);
11406 ADD_ALL_TESTS(test_tls13_psk, 4);
11407 # endif /* OPENSSL_NO_PSK */
11408 # ifndef OPENSSL_NO_TLS1_2
11409 /* Test with both TLSv1.3 and 1.2 versions */
11410 ADD_ALL_TESTS(test_key_exchange, 14);
11411 # if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
11412 ADD_ALL_TESTS(test_negotiated_group,
11413 4 * (OSSL_NELEM(ecdhe_kexch_groups)
11414 + OSSL_NELEM(ffdhe_kexch_groups)));
11417 /* Test with only TLSv1.3 versions */
11418 ADD_ALL_TESTS(test_key_exchange, 12);
11420 ADD_ALL_TESTS(test_custom_exts, 6);
11421 ADD_TEST(test_stateless);
11422 ADD_TEST(test_pha_key_update);
11424 ADD_ALL_TESTS(test_custom_exts, 3);
11426 ADD_ALL_TESTS(test_export_key_mat, 6);
11427 #ifndef OSSL_NO_USABLE_TLS1_3
11428 ADD_ALL_TESTS(test_export_key_mat_early, 3);
11429 ADD_TEST(test_key_update);
11430 ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
11431 ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
11432 ADD_ALL_TESTS(test_key_update_local_in_write, 2);
11433 ADD_ALL_TESTS(test_key_update_local_in_read, 2);
11435 ADD_ALL_TESTS(test_ssl_clear, 2);
11436 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
11437 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
11438 ADD_ALL_TESTS(test_srp, 6);
11440 #if !defined(OPENSSL_NO_COMP_ALG)
11441 /* Add compression case */
11442 ADD_ALL_TESTS(test_info_callback, 8);
11444 ADD_ALL_TESTS(test_info_callback, 6);
11446 ADD_ALL_TESTS(test_ssl_pending, 2);
11447 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
11448 ADD_ALL_TESTS(test_ticket_callbacks, 20);
11449 ADD_ALL_TESTS(test_shutdown, 7);
11450 ADD_TEST(test_async_shutdown);
11451 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
11452 ADD_ALL_TESTS(test_cert_cb, 6);
11453 ADD_ALL_TESTS(test_client_cert_cb, 2);
11454 ADD_ALL_TESTS(test_ca_names, 3);
11455 #ifndef OPENSSL_NO_TLS1_2
11456 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
11458 ADD_ALL_TESTS(test_servername, 10);
11459 #if !defined(OPENSSL_NO_EC) \
11460 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
11461 ADD_ALL_TESTS(test_sigalgs_available, 6);
11463 #ifndef OPENSSL_NO_TLS1_3
11464 ADD_ALL_TESTS(test_pluggable_group, 2);
11465 ADD_ALL_TESTS(test_pluggable_signature, 4);
11467 #ifndef OPENSSL_NO_TLS1_2
11468 ADD_TEST(test_ssl_dup);
11469 # ifndef OPENSSL_NO_DH
11470 ADD_ALL_TESTS(test_set_tmp_dh, 11);
11471 ADD_ALL_TESTS(test_dh_auto, 7);
11474 #ifndef OSSL_NO_USABLE_TLS1_3
11475 ADD_TEST(test_sni_tls13);
11476 ADD_ALL_TESTS(test_ticket_lifetime, 2);
11478 ADD_TEST(test_inherit_verify_param);
11479 ADD_TEST(test_set_alpn);
11480 ADD_TEST(test_set_verify_cert_store_ssl_ctx);
11481 ADD_TEST(test_set_verify_cert_store_ssl);
11482 ADD_ALL_TESTS(test_session_timeout, 1);
11483 ADD_TEST(test_load_dhfile);
11484 #ifndef OSSL_NO_USABLE_TLS1_3
11485 ADD_TEST(test_read_ahead_key_change);
11486 ADD_ALL_TESTS(test_tls13_record_padding, 4);
11488 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
11489 ADD_ALL_TESTS(test_serverinfo_custom, 4);
11491 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
11492 ADD_ALL_TESTS(test_pipelining, 6);
11494 ADD_ALL_TESTS(test_version, 6);
11495 ADD_TEST(test_rstate_string);
11496 ADD_ALL_TESTS(test_handshake_retry, 16);
11497 ADD_TEST(test_data_retry);
11501 OPENSSL_free(cert);
11502 OPENSSL_free(privkey);
11503 OPENSSL_free(cert2);
11504 OPENSSL_free(privkey2);
11508 void cleanup_tests(void)
11510 # if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
11511 EVP_PKEY_free(tmp_dh_params);
11513 OPENSSL_free(cert);
11514 OPENSSL_free(privkey);
11515 OPENSSL_free(cert2);
11516 OPENSSL_free(privkey2);
11517 OPENSSL_free(cert1024);
11518 OPENSSL_free(privkey1024);
11519 OPENSSL_free(cert3072);
11520 OPENSSL_free(privkey3072);
11521 OPENSSL_free(cert4096);
11522 OPENSSL_free(privkey4096);
11523 OPENSSL_free(cert8192);
11524 OPENSSL_free(privkey8192);
11525 bio_s_mempacket_test_free();
11526 bio_s_always_retry_free();
11527 bio_s_maybe_retry_free();
11528 OSSL_PROVIDER_unload(defctxnull);
11529 OSSL_LIB_CTX_free(libctx);