2 * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/core_dispatch.h>
32 #include <openssl/provider.h>
33 #include <openssl/param_build.h>
34 #include <openssl/x509v3.h>
35 #include <openssl/dh.h>
36 #include <openssl/engine.h>
38 #include "helpers/ssltestlib.h"
40 #include "testutil/output.h"
41 #include "internal/nelem.h"
42 #include "internal/ktls.h"
43 #include "../ssl/ssl_local.h"
44 #include "../ssl/record/methods/recmethod_local.h"
45 #include "filterprov.h"
47 #undef OSSL_NO_USABLE_TLS1_3
48 #if defined(OPENSSL_NO_TLS1_3) \
49 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
51 * If we don't have ec or dh then there are no built-in groups that are usable
54 # define OSSL_NO_USABLE_TLS1_3
57 /* Defined in tls-provider.c */
58 int tls_provider_init(const OSSL_CORE_HANDLE *handle,
59 const OSSL_DISPATCH *in,
60 const OSSL_DISPATCH **out,
63 static OSSL_LIB_CTX *libctx = NULL;
64 static OSSL_PROVIDER *defctxnull = NULL;
66 #ifndef OSSL_NO_USABLE_TLS1_3
68 static SSL_SESSION *clientpsk = NULL;
69 static SSL_SESSION *serverpsk = NULL;
70 static const char *pskid = "Identity";
71 static const char *srvid;
73 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
74 size_t *idlen, SSL_SESSION **sess);
75 static int find_session_cb(SSL *ssl, const unsigned char *identity,
76 size_t identity_len, SSL_SESSION **sess);
78 static int use_session_cb_cnt = 0;
79 static int find_session_cb_cnt = 0;
81 static SSL_SESSION *create_a_psk(SSL *ssl, size_t mdsize);
84 static char *certsdir = NULL;
85 static char *cert = NULL;
86 static char *privkey = NULL;
87 static char *cert2 = NULL;
88 static char *privkey2 = NULL;
89 static char *cert1024 = NULL;
90 static char *privkey1024 = NULL;
91 static char *cert3072 = NULL;
92 static char *privkey3072 = NULL;
93 static char *cert4096 = NULL;
94 static char *privkey4096 = NULL;
95 static char *cert8192 = NULL;
96 static char *privkey8192 = NULL;
97 static char *srpvfile = NULL;
98 static char *tmpfilename = NULL;
99 static char *dhfile = NULL;
101 static int is_fips = 0;
102 static int fips_ems_check = 0;
104 #define LOG_BUFFER_SIZE 2048
105 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
106 static size_t server_log_buffer_index = 0;
107 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
108 static size_t client_log_buffer_index = 0;
109 static int error_writing_log = 0;
111 #ifndef OPENSSL_NO_OCSP
112 static const unsigned char orespder[] = "Dummy OCSP Response";
113 static int ocsp_server_called = 0;
114 static int ocsp_client_called = 0;
116 static int cdummyarg = 1;
117 static X509 *ocspcert = NULL;
120 #define NUM_EXTRA_CERTS 40
121 #define CLIENT_VERSION_LEN 2
124 * This structure is used to validate that the correct number of log messages
125 * of various types are emitted when emitting secret logs.
127 struct sslapitest_log_counts {
128 unsigned int rsa_key_exchange_count;
129 unsigned int master_secret_count;
130 unsigned int client_early_secret_count;
131 unsigned int client_handshake_secret_count;
132 unsigned int server_handshake_secret_count;
133 unsigned int client_application_secret_count;
134 unsigned int server_application_secret_count;
135 unsigned int early_exporter_secret_count;
136 unsigned int exporter_secret_count;
140 static int hostname_cb(SSL *s, int *al, void *arg)
142 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
144 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
145 || strcmp(hostname, "altgoodhost") == 0))
146 return SSL_TLSEXT_ERR_OK;
148 return SSL_TLSEXT_ERR_NOACK;
151 static void client_keylog_callback(const SSL *ssl, const char *line)
153 int line_length = strlen(line);
155 /* If the log doesn't fit, error out. */
156 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
157 TEST_info("Client log too full");
158 error_writing_log = 1;
162 strcat(client_log_buffer, line);
163 client_log_buffer_index += line_length;
164 client_log_buffer[client_log_buffer_index++] = '\n';
167 static void server_keylog_callback(const SSL *ssl, const char *line)
169 int line_length = strlen(line);
171 /* If the log doesn't fit, error out. */
172 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
173 TEST_info("Server log too full");
174 error_writing_log = 1;
178 strcat(server_log_buffer, line);
179 server_log_buffer_index += line_length;
180 server_log_buffer[server_log_buffer_index++] = '\n';
183 static int compare_hex_encoded_buffer(const char *hex_encoded,
191 if (!TEST_size_t_eq(raw_length * 2, hex_length))
194 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
195 sprintf(hexed, "%02x", raw[i]);
196 if (!TEST_int_eq(hexed[0], hex_encoded[j])
197 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
204 static int test_keylog_output(char *buffer, const SSL *ssl,
205 const SSL_SESSION *session,
206 struct sslapitest_log_counts *expected)
209 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
210 size_t client_random_size = SSL3_RANDOM_SIZE;
211 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
212 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
213 unsigned int rsa_key_exchange_count = 0;
214 unsigned int master_secret_count = 0;
215 unsigned int client_early_secret_count = 0;
216 unsigned int client_handshake_secret_count = 0;
217 unsigned int server_handshake_secret_count = 0;
218 unsigned int client_application_secret_count = 0;
219 unsigned int server_application_secret_count = 0;
220 unsigned int early_exporter_secret_count = 0;
221 unsigned int exporter_secret_count = 0;
223 for (token = strtok(buffer, " \n"); token != NULL;
224 token = strtok(NULL, " \n")) {
225 if (strcmp(token, "RSA") == 0) {
227 * Premaster secret. Tokens should be: 16 ASCII bytes of
228 * hex-encoded encrypted secret, then the hex-encoded pre-master
231 if (!TEST_ptr(token = strtok(NULL, " \n")))
233 if (!TEST_size_t_eq(strlen(token), 16))
235 if (!TEST_ptr(token = strtok(NULL, " \n")))
238 * We can't sensibly check the log because the premaster secret is
239 * transient, and OpenSSL doesn't keep hold of it once the master
240 * secret is generated.
242 rsa_key_exchange_count++;
243 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
245 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
246 * client random, then the hex-encoded master secret.
248 client_random_size = SSL_get_client_random(ssl,
249 actual_client_random,
251 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
254 if (!TEST_ptr(token = strtok(NULL, " \n")))
256 if (!TEST_size_t_eq(strlen(token), 64))
258 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
259 actual_client_random,
260 client_random_size)))
263 if (!TEST_ptr(token = strtok(NULL, " \n")))
265 master_key_size = SSL_SESSION_get_master_key(session,
268 if (!TEST_size_t_ne(master_key_size, 0))
270 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
274 master_secret_count++;
275 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
276 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
277 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
278 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
279 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
280 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
281 || strcmp(token, "EXPORTER_SECRET") == 0) {
283 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
284 * client random, and then the hex-encoded secret. In this case,
285 * we treat all of these secrets identically and then just
286 * distinguish between them when counting what we saw.
288 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
289 client_early_secret_count++;
290 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
291 client_handshake_secret_count++;
292 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
293 server_handshake_secret_count++;
294 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
295 client_application_secret_count++;
296 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
297 server_application_secret_count++;
298 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
299 early_exporter_secret_count++;
300 else if (strcmp(token, "EXPORTER_SECRET") == 0)
301 exporter_secret_count++;
303 client_random_size = SSL_get_client_random(ssl,
304 actual_client_random,
306 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
309 if (!TEST_ptr(token = strtok(NULL, " \n")))
311 if (!TEST_size_t_eq(strlen(token), 64))
313 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
314 actual_client_random,
315 client_random_size)))
318 if (!TEST_ptr(token = strtok(NULL, " \n")))
321 TEST_info("Unexpected token %s\n", token);
326 /* Got what we expected? */
327 if (!TEST_size_t_eq(rsa_key_exchange_count,
328 expected->rsa_key_exchange_count)
329 || !TEST_size_t_eq(master_secret_count,
330 expected->master_secret_count)
331 || !TEST_size_t_eq(client_early_secret_count,
332 expected->client_early_secret_count)
333 || !TEST_size_t_eq(client_handshake_secret_count,
334 expected->client_handshake_secret_count)
335 || !TEST_size_t_eq(server_handshake_secret_count,
336 expected->server_handshake_secret_count)
337 || !TEST_size_t_eq(client_application_secret_count,
338 expected->client_application_secret_count)
339 || !TEST_size_t_eq(server_application_secret_count,
340 expected->server_application_secret_count)
341 || !TEST_size_t_eq(early_exporter_secret_count,
342 expected->early_exporter_secret_count)
343 || !TEST_size_t_eq(exporter_secret_count,
344 expected->exporter_secret_count))
349 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
350 static int test_keylog(void)
352 SSL_CTX *cctx = NULL, *sctx = NULL;
353 SSL *clientssl = NULL, *serverssl = NULL;
355 struct sslapitest_log_counts expected;
357 /* Clean up logging space */
358 memset(&expected, 0, sizeof(expected));
359 memset(client_log_buffer, 0, sizeof(client_log_buffer));
360 memset(server_log_buffer, 0, sizeof(server_log_buffer));
361 client_log_buffer_index = 0;
362 server_log_buffer_index = 0;
363 error_writing_log = 0;
365 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
368 &sctx, &cctx, cert, privkey)))
371 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
372 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
373 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
375 /* We also want to ensure that we use RSA-based key exchange. */
376 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
379 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
380 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
382 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
383 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
384 == client_keylog_callback))
386 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
387 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
388 == server_keylog_callback))
391 /* Now do a handshake and check that the logs have been written to. */
392 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
393 &clientssl, NULL, NULL))
394 || !TEST_true(create_ssl_connection(serverssl, clientssl,
396 || !TEST_false(error_writing_log)
397 || !TEST_int_gt(client_log_buffer_index, 0)
398 || !TEST_int_gt(server_log_buffer_index, 0))
402 * Now we want to test that our output data was vaguely sensible. We
403 * do that by using strtok and confirming that we have more or less the
404 * data we expect. For both client and server, we expect to see one master
405 * secret. The client should also see an RSA key exchange.
407 expected.rsa_key_exchange_count = 1;
408 expected.master_secret_count = 1;
409 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
410 SSL_get_session(clientssl), &expected)))
413 expected.rsa_key_exchange_count = 0;
414 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
415 SSL_get_session(serverssl), &expected)))
430 #ifndef OSSL_NO_USABLE_TLS1_3
431 static int test_keylog_no_master_key(void)
433 SSL_CTX *cctx = NULL, *sctx = NULL;
434 SSL *clientssl = NULL, *serverssl = NULL;
435 SSL_SESSION *sess = NULL;
437 struct sslapitest_log_counts expected;
438 unsigned char buf[1];
439 size_t readbytes, written;
441 /* Clean up logging space */
442 memset(&expected, 0, sizeof(expected));
443 memset(client_log_buffer, 0, sizeof(client_log_buffer));
444 memset(server_log_buffer, 0, sizeof(server_log_buffer));
445 client_log_buffer_index = 0;
446 server_log_buffer_index = 0;
447 error_writing_log = 0;
449 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
450 TLS_client_method(), TLS1_VERSION, 0,
451 &sctx, &cctx, cert, privkey))
452 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
453 SSL3_RT_MAX_PLAIN_LENGTH)))
456 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
457 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
460 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
461 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
462 == client_keylog_callback))
465 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
466 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
467 == server_keylog_callback))
470 /* Now do a handshake and check that the logs have been written to. */
471 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
472 &clientssl, NULL, NULL))
473 || !TEST_true(create_ssl_connection(serverssl, clientssl,
475 || !TEST_false(error_writing_log))
479 * Now we want to test that our output data was vaguely sensible. For this
480 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
481 * TLSv1.3, but we do expect both client and server to emit keys.
483 expected.client_handshake_secret_count = 1;
484 expected.server_handshake_secret_count = 1;
485 expected.client_application_secret_count = 1;
486 expected.server_application_secret_count = 1;
487 expected.exporter_secret_count = 1;
488 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
489 SSL_get_session(clientssl), &expected))
490 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
491 SSL_get_session(serverssl),
495 /* Terminate old session and resume with early data. */
496 sess = SSL_get1_session(clientssl);
497 SSL_shutdown(clientssl);
498 SSL_shutdown(serverssl);
501 serverssl = clientssl = NULL;
504 memset(client_log_buffer, 0, sizeof(client_log_buffer));
505 memset(server_log_buffer, 0, sizeof(server_log_buffer));
506 client_log_buffer_index = 0;
507 server_log_buffer_index = 0;
509 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
510 &clientssl, NULL, NULL))
511 || !TEST_true(SSL_set_session(clientssl, sess))
512 /* Here writing 0 length early data is enough. */
513 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
514 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
516 SSL_READ_EARLY_DATA_ERROR)
517 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
518 SSL_EARLY_DATA_ACCEPTED)
519 || !TEST_true(create_ssl_connection(serverssl, clientssl,
521 || !TEST_true(SSL_session_reused(clientssl)))
524 /* In addition to the previous entries, expect early secrets. */
525 expected.client_early_secret_count = 1;
526 expected.early_exporter_secret_count = 1;
527 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
528 SSL_get_session(clientssl), &expected))
529 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
530 SSL_get_session(serverssl),
537 SSL_SESSION_free(sess);
547 static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
549 int res = X509_verify_cert(ctx);
550 int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
553 /* this should not happen but check anyway */
555 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL)
558 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
559 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
560 /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
561 return SSL_set_retry_verify(ssl);
566 static int test_client_cert_verify_cb(void)
568 /* server key, cert, chain, and root */
569 char *skey = test_mk_file_path(certsdir, "leaf.key");
570 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
571 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
572 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
573 char *root = test_mk_file_path(certsdir, "rootCA.pem");
574 X509 *crt1 = NULL, *crt2 = NULL;
575 STACK_OF(X509) *server_chain;
576 SSL_CTX *cctx = NULL, *sctx = NULL;
577 SSL *clientssl = NULL, *serverssl = NULL;
580 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
581 TLS_client_method(), TLS1_VERSION, 0,
582 &sctx, &cctx, NULL, NULL)))
584 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
585 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
586 SSL_FILETYPE_PEM), 1)
587 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
589 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
591 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
592 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
593 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
594 &clientssl, NULL, NULL)))
597 /* attempt SSL_connect() with incomplete server chain */
598 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
599 SSL_ERROR_WANT_RETRY_VERIFY)))
602 /* application provides intermediate certs needed to verify server cert */
603 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
604 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
605 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
607 /* add certs in reverse order to demonstrate real chain building */
608 if (!TEST_true(sk_X509_push(server_chain, crt1)))
611 if (!TEST_true(sk_X509_push(server_chain, crt2)))
615 /* continue SSL_connect(), must now succeed with completed server chain */
616 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
625 if (clientssl != NULL) {
626 SSL_shutdown(clientssl);
629 if (serverssl != NULL) {
630 SSL_shutdown(serverssl);
645 static int test_ssl_build_cert_chain(void)
648 SSL_CTX *ssl_ctx = NULL;
650 char *skey = test_mk_file_path(certsdir, "leaf.key");
651 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
653 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
655 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
657 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
658 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
659 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
660 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
662 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
663 | SSL_BUILD_CHAIN_FLAG_CHECK)))
668 SSL_CTX_free(ssl_ctx);
669 OPENSSL_free(leaf_chain);
674 static int get_password_cb(char *buf, int size, int rw_flag, void *userdata)
676 static const char pass[] = "testpass";
678 if (!TEST_int_eq(size, PEM_BUFSIZE))
681 memcpy(buf, pass, sizeof(pass) - 1);
682 return sizeof(pass) - 1;
685 static int test_ssl_ctx_build_cert_chain(void)
689 char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key");
690 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
692 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
694 SSL_CTX_set_default_passwd_cb(ctx, get_password_cb);
695 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
696 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
697 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
698 SSL_FILETYPE_PEM), 1)
699 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
701 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
702 | SSL_BUILD_CHAIN_FLAG_CHECK)))
707 OPENSSL_free(leaf_chain);
712 #ifndef OPENSSL_NO_TLS1_2
713 static int full_client_hello_callback(SSL *s, int *al, void *arg)
716 const unsigned char *p;
718 /* We only configure two ciphers, but the SCSV is added automatically. */
720 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
722 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
725 const int expected_extensions[] = {
726 #ifndef OPENSSL_NO_EC
732 /* Make sure we can defer processing and get called back. */
734 return SSL_CLIENT_HELLO_RETRY;
736 len = SSL_client_hello_get0_ciphers(s, &p);
737 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
739 SSL_client_hello_get0_compression_methods(s, &p), 1)
740 || !TEST_int_eq(*p, 0))
741 return SSL_CLIENT_HELLO_ERROR;
742 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
743 return SSL_CLIENT_HELLO_ERROR;
744 if (len != OSSL_NELEM(expected_extensions) ||
745 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
746 printf("ClientHello callback expected extensions mismatch\n");
748 return SSL_CLIENT_HELLO_ERROR;
751 return SSL_CLIENT_HELLO_SUCCESS;
754 static int test_client_hello_cb(void)
756 SSL_CTX *cctx = NULL, *sctx = NULL;
757 SSL *clientssl = NULL, *serverssl = NULL;
758 int testctr = 0, testresult = 0;
760 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
761 TLS_client_method(), TLS1_VERSION, 0,
762 &sctx, &cctx, cert, privkey)))
764 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
766 /* The gimpy cipher list we configure can't do TLS 1.3. */
767 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
769 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
770 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
771 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
772 &clientssl, NULL, NULL))
773 || !TEST_false(create_ssl_connection(serverssl, clientssl,
774 SSL_ERROR_WANT_CLIENT_HELLO_CB))
776 * Passing a -1 literal is a hack since
777 * the real value was lost.
779 || !TEST_int_eq(SSL_get_error(serverssl, -1),
780 SSL_ERROR_WANT_CLIENT_HELLO_CB)
781 || !TEST_true(create_ssl_connection(serverssl, clientssl,
796 static int test_no_ems(void)
798 SSL_CTX *cctx = NULL, *sctx = NULL;
799 SSL *clientssl = NULL, *serverssl = NULL;
800 int testresult = 0, status;
802 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
803 TLS1_VERSION, TLS1_2_VERSION,
804 &sctx, &cctx, cert, privkey)) {
805 printf("Unable to create SSL_CTX pair\n");
809 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
811 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
812 printf("Unable to create SSL objects\n");
816 status = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
817 if (fips_ems_check) {
819 printf("When FIPS uses the EMS check a connection that doesnt use EMS should fail\n");
824 printf("Creating SSL connection failed\n");
827 if (SSL_get_extms_support(serverssl)) {
828 printf("Server reports Extended Master Secret support\n");
831 if (SSL_get_extms_support(clientssl)) {
832 printf("Client reports Extended Master Secret support\n");
848 * Very focused test to exercise a single case in the server-side state
849 * machine, when the ChangeCipherState message needs to actually change
850 * from one cipher to a different cipher (i.e., not changing from null
851 * encryption to real encryption).
853 static int test_ccs_change_cipher(void)
855 SSL_CTX *cctx = NULL, *sctx = NULL;
856 SSL *clientssl = NULL, *serverssl = NULL;
857 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
864 * Create a connection so we can resume and potentially (but not) use
865 * a different cipher in the second connection.
867 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
869 TLS1_VERSION, TLS1_2_VERSION,
870 &sctx, &cctx, cert, privkey))
871 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
872 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
874 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
875 || !TEST_true(create_ssl_connection(serverssl, clientssl,
877 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
878 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
881 shutdown_ssl_connection(serverssl, clientssl);
882 serverssl = clientssl = NULL;
884 /* Resume, preferring a different cipher. Our server will force the
885 * same cipher to be used as the initial handshake. */
886 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
888 || !TEST_true(SSL_set_session(clientssl, sess))
889 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
890 || !TEST_true(create_ssl_connection(serverssl, clientssl,
892 || !TEST_true(SSL_session_reused(clientssl))
893 || !TEST_true(SSL_session_reused(serverssl))
894 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
895 || !TEST_ptr_eq(sesspre, sesspost)
896 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
897 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
899 shutdown_ssl_connection(serverssl, clientssl);
900 serverssl = clientssl = NULL;
903 * Now create a fresh connection and try to renegotiate a different
906 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
908 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
909 || !TEST_true(create_ssl_connection(serverssl, clientssl,
911 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
912 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
913 || !TEST_true(SSL_renegotiate(clientssl))
914 || !TEST_true(SSL_renegotiate_pending(clientssl)))
916 /* Actually drive the renegotiation. */
917 for (i = 0; i < 3; i++) {
918 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
919 if (!TEST_ulong_eq(readbytes, 0))
921 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
922 SSL_ERROR_WANT_READ)) {
925 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
926 if (!TEST_ulong_eq(readbytes, 0))
928 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
929 SSL_ERROR_WANT_READ)) {
933 /* sesspre and sesspost should be different since the cipher changed. */
934 if (!TEST_false(SSL_renegotiate_pending(clientssl))
935 || !TEST_false(SSL_session_reused(clientssl))
936 || !TEST_false(SSL_session_reused(serverssl))
937 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
938 || !TEST_ptr_ne(sesspre, sesspost)
939 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
940 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
943 shutdown_ssl_connection(serverssl, clientssl);
944 serverssl = clientssl = NULL;
953 SSL_SESSION_free(sess);
959 static int execute_test_large_message(const SSL_METHOD *smeth,
960 const SSL_METHOD *cmeth,
961 int min_version, int max_version,
964 SSL_CTX *cctx = NULL, *sctx = NULL;
965 SSL *clientssl = NULL, *serverssl = NULL;
969 X509 *chaincert = NULL;
972 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
975 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
978 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
983 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
984 max_version, &sctx, &cctx, cert,
988 #ifdef OPENSSL_NO_DTLS1_2
989 if (smeth == DTLS_server_method()) {
991 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
994 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
995 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
996 "DEFAULT:@SECLEVEL=0")))
1003 * Test that read_ahead works correctly when dealing with large
1006 SSL_CTX_set_read_ahead(cctx, 1);
1010 * We assume the supplied certificate is big enough so that if we add
1011 * NUM_EXTRA_CERTS it will make the overall message large enough. The
1012 * default buffer size is requested to be 16k, but due to the way BUF_MEM
1013 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
1014 * test we need to have a message larger than that.
1016 certlen = i2d_X509(chaincert, NULL);
1017 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
1018 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
1019 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
1020 if (!X509_up_ref(chaincert))
1022 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
1023 X509_free(chaincert);
1028 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1030 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1035 * Calling SSL_clear() first is not required but this tests that SSL_clear()
1038 if (!TEST_true(SSL_clear(serverssl)))
1044 X509_free(chaincert);
1045 SSL_free(serverssl);
1046 SSL_free(clientssl);
1053 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
1054 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
1055 /* sock must be connected */
1056 static int ktls_chk_platform(int sock)
1058 if (!ktls_enable(sock))
1063 static int ping_pong_query(SSL *clientssl, SSL *serverssl)
1065 static char count = 1;
1066 unsigned char cbuf[16000] = {0};
1067 unsigned char sbuf[16000];
1069 char crec_wseq_before[SEQ_NUM_SIZE];
1070 char crec_wseq_after[SEQ_NUM_SIZE];
1071 char crec_rseq_before[SEQ_NUM_SIZE];
1072 char crec_rseq_after[SEQ_NUM_SIZE];
1073 char srec_wseq_before[SEQ_NUM_SIZE];
1074 char srec_wseq_after[SEQ_NUM_SIZE];
1075 char srec_rseq_before[SEQ_NUM_SIZE];
1076 char srec_rseq_after[SEQ_NUM_SIZE];
1077 SSL_CONNECTION *clientsc, *serversc;
1079 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1080 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1084 memcpy(crec_wseq_before, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1085 memcpy(srec_wseq_before, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1086 memcpy(crec_rseq_before, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1087 memcpy(srec_rseq_before, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1089 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1092 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1093 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1098 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1101 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1102 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1107 memcpy(crec_wseq_after, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1108 memcpy(srec_wseq_after, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1109 memcpy(crec_rseq_after, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1110 memcpy(srec_rseq_after, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1112 /* verify the payload */
1113 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1117 * If ktls is used then kernel sequences are used instead of
1120 if (!BIO_get_ktls_send(clientsc->wbio)) {
1121 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1122 crec_wseq_after, SEQ_NUM_SIZE))
1125 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1126 crec_wseq_after, SEQ_NUM_SIZE))
1130 if (!BIO_get_ktls_send(serversc->wbio)) {
1131 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1132 srec_wseq_after, SEQ_NUM_SIZE))
1135 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1136 srec_wseq_after, SEQ_NUM_SIZE))
1140 if (!BIO_get_ktls_recv(clientsc->wbio)) {
1141 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1142 crec_rseq_after, SEQ_NUM_SIZE))
1145 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1146 crec_rseq_after, SEQ_NUM_SIZE))
1150 if (!BIO_get_ktls_recv(serversc->wbio)) {
1151 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1152 srec_rseq_after, SEQ_NUM_SIZE))
1155 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1156 srec_rseq_after, SEQ_NUM_SIZE))
1165 static int execute_test_ktls(int cis_ktls, int sis_ktls,
1166 int tls_version, const char *cipher)
1168 SSL_CTX *cctx = NULL, *sctx = NULL;
1169 SSL *clientssl = NULL, *serverssl = NULL;
1170 int ktls_used = 0, testresult = 0;
1171 int cfd = -1, sfd = -1;
1173 SSL_CONNECTION *clientsc, *serversc;
1175 if (!TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
1178 /* Skip this test if the platform does not support ktls */
1179 if (!ktls_chk_platform(cfd)) {
1180 testresult = TEST_skip("Kernel does not support KTLS");
1184 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1185 testresult = TEST_skip("CHACHA is not supported in FIPS");
1189 /* Create a session based on SHA-256 */
1190 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1191 TLS_client_method(),
1192 tls_version, tls_version,
1193 &sctx, &cctx, cert, privkey)))
1196 if (tls_version == TLS1_3_VERSION) {
1197 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1198 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1201 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1202 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1206 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1207 &clientssl, sfd, cfd)))
1210 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1211 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1215 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
1220 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1224 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1228 * The running kernel may not support a given cipher suite
1229 * or direction, so just check that KTLS isn't used when it
1233 if (!TEST_false(BIO_get_ktls_send(clientsc->wbio)))
1236 if (BIO_get_ktls_send(clientsc->wbio))
1241 if (!TEST_false(BIO_get_ktls_send(serversc->wbio)))
1244 if (BIO_get_ktls_send(serversc->wbio))
1248 #if defined(OPENSSL_NO_KTLS_RX)
1253 if (!cis_ktls || !rx_supported) {
1254 if (!TEST_false(BIO_get_ktls_recv(clientsc->rbio)))
1257 if (BIO_get_ktls_send(clientsc->rbio))
1261 if (!sis_ktls || !rx_supported) {
1262 if (!TEST_false(BIO_get_ktls_recv(serversc->rbio)))
1265 if (BIO_get_ktls_send(serversc->rbio))
1269 if ((cis_ktls || sis_ktls) && !ktls_used) {
1270 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1271 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1276 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
1282 SSL_shutdown(clientssl);
1283 SSL_free(clientssl);
1286 SSL_shutdown(serverssl);
1287 SSL_free(serverssl);
1291 serverssl = clientssl = NULL;
1299 #define SENDFILE_SZ (16 * 4096)
1300 #define SENDFILE_CHUNK (4 * 4096)
1301 #define min(a,b) ((a) > (b) ? (b) : (a))
1303 static int execute_test_ktls_sendfile(int tls_version, const char *cipher,
1306 SSL_CTX *cctx = NULL, *sctx = NULL;
1307 SSL *clientssl = NULL, *serverssl = NULL;
1308 unsigned char *buf, *buf_dst;
1309 BIO *out = NULL, *in = NULL;
1310 int cfd = -1, sfd = -1, ffd, err;
1311 ssize_t chunk_size = 0;
1312 off_t chunk_off = 0;
1315 SSL_CONNECTION *serversc;
1317 buf = OPENSSL_zalloc(SENDFILE_SZ);
1318 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1319 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1320 || !TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
1323 /* Skip this test if the platform does not support ktls */
1324 if (!ktls_chk_platform(sfd)) {
1325 testresult = TEST_skip("Kernel does not support KTLS");
1329 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1330 testresult = TEST_skip("CHACHA is not supported in FIPS");
1334 /* Create a session based on SHA-256 */
1335 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1336 TLS_client_method(),
1337 tls_version, tls_version,
1338 &sctx, &cctx, cert, privkey)))
1341 if (tls_version == TLS1_3_VERSION) {
1342 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1343 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1346 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1347 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1351 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1352 &clientssl, sfd, cfd)))
1355 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1358 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1362 if (!TEST_true(SSL_set_options(serverssl,
1363 SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE)))
1367 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1371 if (!BIO_get_ktls_send(serversc->wbio)) {
1372 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1373 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1378 if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
1381 out = BIO_new_file(tmpfilename, "wb");
1385 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1390 in = BIO_new_file(tmpfilename, "rb");
1391 BIO_get_fp(in, &ffdp);
1394 while (chunk_off < SENDFILE_SZ) {
1395 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1396 while ((err = SSL_sendfile(serverssl,
1400 0)) != chunk_size) {
1401 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1404 while ((err = SSL_read(clientssl,
1405 buf_dst + chunk_off,
1406 chunk_size)) != chunk_size) {
1407 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1411 /* verify the payload */
1412 if (!TEST_mem_eq(buf_dst + chunk_off,
1418 chunk_off += chunk_size;
1424 SSL_shutdown(clientssl);
1425 SSL_free(clientssl);
1428 SSL_shutdown(serverssl);
1429 SSL_free(serverssl);
1433 serverssl = clientssl = NULL;
1441 OPENSSL_free(buf_dst);
1445 static struct ktls_test_cipher {
1448 } ktls_test_ciphers[] = {
1449 # if !defined(OPENSSL_NO_TLS1_2)
1450 # ifdef OPENSSL_KTLS_AES_GCM_128
1451 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1453 # ifdef OPENSSL_KTLS_AES_CCM_128
1454 { TLS1_2_VERSION, "AES128-CCM"},
1456 # ifdef OPENSSL_KTLS_AES_GCM_256
1457 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1459 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1460 # ifndef OPENSSL_NO_EC
1461 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
1465 # if !defined(OSSL_NO_USABLE_TLS1_3)
1466 # ifdef OPENSSL_KTLS_AES_GCM_128
1467 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1469 # ifdef OPENSSL_KTLS_AES_CCM_128
1470 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1472 # ifdef OPENSSL_KTLS_AES_GCM_256
1473 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1475 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1476 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1481 #define NUM_KTLS_TEST_CIPHERS \
1482 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1484 static int test_ktls(int test)
1486 struct ktls_test_cipher *cipher;
1487 int cis_ktls, sis_ktls;
1489 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
1490 cipher = &ktls_test_ciphers[test / 4];
1492 cis_ktls = (test & 1) != 0;
1493 sis_ktls = (test & 2) != 0;
1495 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1499 static int test_ktls_sendfile(int test)
1501 struct ktls_test_cipher *cipher;
1502 int tst = test >> 1;
1504 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
1505 cipher = &ktls_test_ciphers[tst];
1507 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher,
1512 static int test_large_message_tls(void)
1514 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1515 TLS1_VERSION, 0, 0);
1518 static int test_large_message_tls_read_ahead(void)
1520 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1521 TLS1_VERSION, 0, 1);
1524 #ifndef OPENSSL_NO_DTLS
1525 static int test_large_message_dtls(void)
1527 # ifdef OPENSSL_NO_DTLS1_2
1528 /* Not supported in the FIPS provider */
1533 * read_ahead is not relevant to DTLS because DTLS always acts as if
1534 * read_ahead is set.
1536 return execute_test_large_message(DTLS_server_method(),
1537 DTLS_client_method(),
1538 DTLS1_VERSION, 0, 0);
1543 * Test we can successfully send the maximum amount of application data. We
1544 * test each protocol version individually, each with and without EtM enabled.
1545 * TLSv1.3 doesn't use EtM so technically it is redundant to test both but it is
1546 * simpler this way. We also test all combinations with and without the
1547 * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option which affects the size of the
1548 * underlying buffer.
1550 static int test_large_app_data(int tst)
1552 SSL_CTX *cctx = NULL, *sctx = NULL;
1553 SSL *clientssl = NULL, *serverssl = NULL;
1554 int testresult = 0, prot;
1555 unsigned char *msg, *buf = NULL;
1556 size_t written, readbytes;
1557 const SSL_METHOD *smeth = TLS_server_method();
1558 const SSL_METHOD *cmeth = TLS_client_method();
1562 #ifndef OSSL_NO_USABLE_TLS1_3
1563 prot = TLS1_3_VERSION;
1570 #ifndef OPENSSL_NO_TLS1_2
1571 prot = TLS1_2_VERSION;
1578 #ifndef OPENSSL_NO_TLS1_1
1579 prot = TLS1_1_VERSION;
1586 #ifndef OPENSSL_NO_TLS1
1587 prot = TLS1_VERSION;
1594 #ifndef OPENSSL_NO_SSL3
1595 prot = SSL3_VERSION;
1602 #ifndef OPENSSL_NO_DTLS1_2
1603 prot = DTLS1_2_VERSION;
1604 smeth = DTLS_server_method();
1605 cmeth = DTLS_client_method();
1612 #ifndef OPENSSL_NO_DTLS1
1613 prot = DTLS1_VERSION;
1614 smeth = DTLS_server_method();
1615 cmeth = DTLS_client_method();
1622 /* Shouldn't happen */
1626 if ((prot < TLS1_2_VERSION || prot == DTLS1_VERSION) && is_fips)
1629 /* Maximal sized message of zeros */
1630 msg = OPENSSL_zalloc(SSL3_RT_MAX_PLAIN_LENGTH);
1634 buf = OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH + 1);
1637 /* Set whole buffer to all bits set */
1638 memset(buf, 0xff, SSL3_RT_MAX_PLAIN_LENGTH + 1);
1640 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, prot, prot,
1641 &sctx, &cctx, cert, privkey)))
1644 if (prot < TLS1_2_VERSION || prot == DTLS1_VERSION) {
1645 /* Older protocol versions need SECLEVEL=0 due to SHA1 usage */
1646 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0"))
1647 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
1648 "DEFAULT:@SECLEVEL=0")))
1652 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1653 &clientssl, NULL, NULL)))
1656 if ((tst & 1) != 0) {
1657 /* Setting this option gives us a minimally sized underlying buffer */
1658 if (!TEST_true(SSL_set_options(serverssl,
1659 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
1660 || !TEST_true(SSL_set_options(clientssl,
1661 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)))
1665 if ((tst & 2) != 0) {
1667 * Setting this option means the MAC is added before encryption
1668 * giving us a larger record for the encryption process
1670 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC))
1671 || !TEST_true(SSL_set_options(clientssl,
1672 SSL_OP_NO_ENCRYPT_THEN_MAC)))
1676 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1679 if (!TEST_true(SSL_write_ex(clientssl, msg, SSL3_RT_MAX_PLAIN_LENGTH,
1681 || !TEST_size_t_eq(written, SSL3_RT_MAX_PLAIN_LENGTH))
1684 /* We provide a buffer slightly larger than what we are actually expecting */
1685 if (!TEST_true(SSL_read_ex(serverssl, buf, SSL3_RT_MAX_PLAIN_LENGTH + 1,
1689 if (!TEST_mem_eq(msg, written, buf, readbytes))
1696 SSL_free(serverssl);
1697 SSL_free(clientssl);
1703 static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1704 const SSL_METHOD *cmeth,
1705 int min_version, int max_version)
1708 SSL_CTX *cctx = NULL, *sctx = NULL;
1709 SSL *clientssl = NULL, *serverssl = NULL;
1712 SSL_CONNECTION *serversc;
1715 static unsigned char cbuf[16000];
1716 static unsigned char sbuf[16000];
1718 if (!TEST_true(create_ssl_ctx_pair(libctx,
1720 min_version, max_version,
1725 #ifdef OPENSSL_NO_DTLS1_2
1726 if (smeth == DTLS_server_method()) {
1727 # ifdef OPENSSL_NO_DTLS1_2
1728 /* Not supported in the FIPS provider */
1735 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1738 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1739 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1740 "DEFAULT:@SECLEVEL=0")))
1745 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1749 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1752 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1756 for (i = 0; i < sizeof(cbuf); i++) {
1760 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1763 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1766 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1770 * Since we called SSL_peek(), we know the data in the record
1771 * layer is a plaintext record. We can gather the pointer to check
1772 * for zeroization after SSL_read().
1774 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1776 rr = serversc->rlayer.tlsrecs;
1778 zbuf = &rr->data[rr->off];
1779 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1783 * After SSL_peek() the plaintext must still be stored in the
1786 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1789 memset(sbuf, 0, sizeof(sbuf));
1790 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1793 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1796 /* Check if rbuf is cleansed */
1797 memset(cbuf, 0, sizeof(cbuf));
1798 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1803 SSL_free(serverssl);
1804 SSL_free(clientssl);
1811 static int test_cleanse_plaintext(void)
1813 #if !defined(OPENSSL_NO_TLS1_2)
1814 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1815 TLS_client_method(),
1822 #if !defined(OSSL_NO_USABLE_TLS1_3)
1823 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1824 TLS_client_method(),
1830 #if !defined(OPENSSL_NO_DTLS)
1832 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1833 DTLS_client_method(),
1841 #ifndef OPENSSL_NO_OCSP
1842 static int ocsp_server_cb(SSL *s, void *arg)
1844 int *argi = (int *)arg;
1845 unsigned char *copy = NULL;
1846 STACK_OF(OCSP_RESPID) *ids = NULL;
1847 OCSP_RESPID *id = NULL;
1850 /* In this test we are expecting exactly 1 OCSP_RESPID */
1851 SSL_get_tlsext_status_ids(s, &ids);
1852 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1853 return SSL_TLSEXT_ERR_ALERT_FATAL;
1855 id = sk_OCSP_RESPID_value(ids, 0);
1856 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1857 return SSL_TLSEXT_ERR_ALERT_FATAL;
1858 } else if (*argi != 1) {
1859 return SSL_TLSEXT_ERR_ALERT_FATAL;
1862 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1863 return SSL_TLSEXT_ERR_ALERT_FATAL;
1865 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1866 sizeof(orespder)))) {
1868 return SSL_TLSEXT_ERR_ALERT_FATAL;
1870 ocsp_server_called = 1;
1871 return SSL_TLSEXT_ERR_OK;
1874 static int ocsp_client_cb(SSL *s, void *arg)
1876 int *argi = (int *)arg;
1877 const unsigned char *respderin;
1880 if (*argi != 1 && *argi != 2)
1883 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1884 if (!TEST_mem_eq(orespder, len, respderin, len))
1887 ocsp_client_called = 1;
1891 static int test_tlsext_status_type(void)
1893 SSL_CTX *cctx = NULL, *sctx = NULL;
1894 SSL *clientssl = NULL, *serverssl = NULL;
1896 STACK_OF(OCSP_RESPID) *ids = NULL;
1897 OCSP_RESPID *id = NULL;
1898 BIO *certbio = NULL;
1900 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1902 &sctx, &cctx, cert, privkey))
1905 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1908 /* First just do various checks getting and setting tlsext_status_type */
1910 clientssl = SSL_new(cctx);
1911 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1912 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1913 TLSEXT_STATUSTYPE_ocsp))
1914 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1915 TLSEXT_STATUSTYPE_ocsp))
1918 SSL_free(clientssl);
1921 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1922 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1925 clientssl = SSL_new(cctx);
1926 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1928 SSL_free(clientssl);
1932 * Now actually do a handshake and check OCSP information is exchanged and
1933 * the callbacks get called
1935 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1936 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1937 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1938 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1939 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1940 &clientssl, NULL, NULL))
1941 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1943 || !TEST_true(ocsp_client_called)
1944 || !TEST_true(ocsp_server_called))
1946 SSL_free(serverssl);
1947 SSL_free(clientssl);
1951 /* Try again but this time force the server side callback to fail */
1952 ocsp_client_called = 0;
1953 ocsp_server_called = 0;
1955 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1956 &clientssl, NULL, NULL))
1957 /* This should fail because the callback will fail */
1958 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1960 || !TEST_false(ocsp_client_called)
1961 || !TEST_false(ocsp_server_called))
1963 SSL_free(serverssl);
1964 SSL_free(clientssl);
1969 * This time we'll get the client to send an OCSP_RESPID that it will
1972 ocsp_client_called = 0;
1973 ocsp_server_called = 0;
1975 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1976 &clientssl, NULL, NULL)))
1980 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1981 * specific one. We'll use the server cert.
1983 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1984 || !TEST_ptr(id = OCSP_RESPID_new())
1985 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1986 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
1987 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
1988 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1989 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1992 SSL_set_tlsext_status_ids(clientssl, ids);
1993 /* Control has been transferred */
1999 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2001 || !TEST_true(ocsp_client_called)
2002 || !TEST_true(ocsp_server_called))
2008 SSL_free(serverssl);
2009 SSL_free(clientssl);
2012 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
2013 OCSP_RESPID_free(id);
2015 X509_free(ocspcert);
2022 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
2023 static int new_called, remove_called, get_called;
2025 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
2029 * sess has been up-refed for us, but we don't actually need it so free it
2032 SSL_SESSION_free(sess);
2036 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
2041 static SSL_SESSION *get_sess_val = NULL;
2043 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
2048 return get_sess_val;
2051 static int execute_test_session(int maxprot, int use_int_cache,
2052 int use_ext_cache, long s_options)
2054 SSL_CTX *sctx = NULL, *cctx = NULL;
2055 SSL *serverssl1 = NULL, *clientssl1 = NULL;
2056 SSL *serverssl2 = NULL, *clientssl2 = NULL;
2057 # ifndef OPENSSL_NO_TLS1_1
2058 SSL *serverssl3 = NULL, *clientssl3 = NULL;
2060 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
2061 int testresult = 0, numnewsesstick = 1;
2063 new_called = remove_called = 0;
2065 /* TLSv1.3 sends 2 NewSessionTickets */
2066 if (maxprot == TLS1_3_VERSION)
2069 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2070 TLS_client_method(), TLS1_VERSION, 0,
2071 &sctx, &cctx, cert, privkey)))
2075 * Only allow the max protocol version so we can force a connection failure
2078 SSL_CTX_set_min_proto_version(cctx, maxprot);
2079 SSL_CTX_set_max_proto_version(cctx, maxprot);
2081 /* Set up session cache */
2082 if (use_ext_cache) {
2083 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2084 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
2086 if (use_int_cache) {
2087 /* Also covers instance where both are set */
2088 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
2090 SSL_CTX_set_session_cache_mode(cctx,
2091 SSL_SESS_CACHE_CLIENT
2092 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2096 SSL_CTX_set_options(sctx, s_options);
2099 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2101 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2103 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2106 /* Should fail because it should already be in the cache */
2107 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
2110 && (!TEST_int_eq(new_called, numnewsesstick)
2112 || !TEST_int_eq(remove_called, 0)))
2115 new_called = remove_called = 0;
2116 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2117 &clientssl2, NULL, NULL))
2118 || !TEST_true(SSL_set_session(clientssl2, sess1))
2119 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2121 || !TEST_true(SSL_session_reused(clientssl2)))
2124 if (maxprot == TLS1_3_VERSION) {
2126 * In TLSv1.3 we should have created a new session even though we have
2127 * resumed. Since we attempted a resume we should also have removed the
2128 * old ticket from the cache so that we try to only use tickets once.
2131 && (!TEST_int_eq(new_called, 1)
2132 || !TEST_int_eq(remove_called, 1)))
2136 * In TLSv1.2 we expect to have resumed so no sessions added or
2140 && (!TEST_int_eq(new_called, 0)
2141 || !TEST_int_eq(remove_called, 0)))
2145 SSL_SESSION_free(sess1);
2146 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
2148 shutdown_ssl_connection(serverssl2, clientssl2);
2149 serverssl2 = clientssl2 = NULL;
2151 new_called = remove_called = 0;
2152 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2153 &clientssl2, NULL, NULL))
2154 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2158 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2162 && (!TEST_int_eq(new_called, numnewsesstick)
2163 || !TEST_int_eq(remove_called, 0)))
2166 new_called = remove_called = 0;
2168 * This should clear sess2 from the cache because it is a "bad" session.
2169 * See SSL_set_session() documentation.
2171 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2174 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2176 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2179 if (use_int_cache) {
2180 /* Should succeeded because it should not already be in the cache */
2181 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
2182 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
2186 new_called = remove_called = 0;
2187 /* This shouldn't be in the cache so should fail */
2188 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2192 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2195 # if !defined(OPENSSL_NO_TLS1_1)
2196 new_called = remove_called = 0;
2197 /* Force a connection failure */
2198 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
2199 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
2200 &clientssl3, NULL, NULL))
2201 || !TEST_true(SSL_set_session(clientssl3, sess1))
2202 /* This should fail because of the mismatched protocol versions */
2203 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
2207 /* We should have automatically removed the session from the cache */
2209 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2212 /* Should succeed because it should not already be in the cache */
2213 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
2217 /* Now do some tests for server side caching */
2218 if (use_ext_cache) {
2219 SSL_CTX_sess_set_new_cb(cctx, NULL);
2220 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2221 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2222 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2223 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2224 get_sess_val = NULL;
2227 SSL_CTX_set_session_cache_mode(cctx, 0);
2228 /* Internal caching is the default on the server side */
2230 SSL_CTX_set_session_cache_mode(sctx,
2231 SSL_SESS_CACHE_SERVER
2232 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2234 SSL_free(serverssl1);
2235 SSL_free(clientssl1);
2236 serverssl1 = clientssl1 = NULL;
2237 SSL_free(serverssl2);
2238 SSL_free(clientssl2);
2239 serverssl2 = clientssl2 = NULL;
2240 SSL_SESSION_free(sess1);
2242 SSL_SESSION_free(sess2);
2245 SSL_CTX_set_max_proto_version(sctx, maxprot);
2246 if (maxprot == TLS1_2_VERSION)
2247 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
2248 new_called = remove_called = get_called = 0;
2249 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2251 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2253 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2254 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2257 if (use_int_cache) {
2258 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2260 * In TLSv1.3 it should not have been added to the internal cache,
2261 * except in the case where we also have an external cache (in that
2262 * case it gets added to the cache in order to generate remove
2263 * events after timeout).
2265 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2268 /* Should fail because it should already be in the cache */
2269 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2274 if (use_ext_cache) {
2275 SSL_SESSION *tmp = sess2;
2277 if (!TEST_int_eq(new_called, numnewsesstick)
2278 || !TEST_int_eq(remove_called, 0)
2279 || !TEST_int_eq(get_called, 0))
2282 * Delete the session from the internal cache to force a lookup from
2283 * the external cache. We take a copy first because
2284 * SSL_CTX_remove_session() also marks the session as non-resumable.
2286 if (use_int_cache && maxprot != TLS1_3_VERSION) {
2287 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2288 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2290 SSL_SESSION_free(sess2);
2295 new_called = remove_called = get_called = 0;
2296 get_sess_val = sess2;
2297 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2298 &clientssl2, NULL, NULL))
2299 || !TEST_true(SSL_set_session(clientssl2, sess1))
2300 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2302 || !TEST_true(SSL_session_reused(clientssl2)))
2305 if (use_ext_cache) {
2306 if (!TEST_int_eq(remove_called, 0))
2309 if (maxprot == TLS1_3_VERSION) {
2310 if (!TEST_int_eq(new_called, 1)
2311 || !TEST_int_eq(get_called, 0))
2314 if (!TEST_int_eq(new_called, 0)
2315 || !TEST_int_eq(get_called, 1))
2320 * Make a small cache, force out all other sessions but
2321 * sess2, try to add sess1, which should succeed. Then
2322 * make sure it's there by checking the owners. Despite
2323 * the timeouts, sess1 should have kicked out sess2
2326 /* Make sess1 expire before sess2 */
2327 if (!TEST_long_gt(SSL_SESSION_set_time(sess1, 1000), 0)
2328 || !TEST_long_gt(SSL_SESSION_set_timeout(sess1, 1000), 0)
2329 || !TEST_long_gt(SSL_SESSION_set_time(sess2, 2000), 0)
2330 || !TEST_long_gt(SSL_SESSION_set_timeout(sess2, 2000), 0))
2333 if (!TEST_long_ne(SSL_CTX_sess_set_cache_size(sctx, 1), 0))
2336 /* Don't care about results - cache should only be sess2 at end */
2337 SSL_CTX_add_session(sctx, sess1);
2338 SSL_CTX_add_session(sctx, sess2);
2340 /* Now add sess1, and make sure it remains, despite timeout */
2341 if (!TEST_true(SSL_CTX_add_session(sctx, sess1))
2342 || !TEST_ptr(sess1->owner)
2343 || !TEST_ptr_null(sess2->owner))
2349 SSL_free(serverssl1);
2350 SSL_free(clientssl1);
2351 SSL_free(serverssl2);
2352 SSL_free(clientssl2);
2353 # ifndef OPENSSL_NO_TLS1_1
2354 SSL_free(serverssl3);
2355 SSL_free(clientssl3);
2357 SSL_SESSION_free(sess1);
2358 SSL_SESSION_free(sess2);
2364 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2366 static int test_session_with_only_int_cache(void)
2368 #ifndef OSSL_NO_USABLE_TLS1_3
2369 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
2373 #ifndef OPENSSL_NO_TLS1_2
2374 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
2380 static int test_session_with_only_ext_cache(void)
2382 #ifndef OSSL_NO_USABLE_TLS1_3
2383 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
2387 #ifndef OPENSSL_NO_TLS1_2
2388 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
2394 static int test_session_with_both_cache(void)
2396 #ifndef OSSL_NO_USABLE_TLS1_3
2397 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2401 #ifndef OPENSSL_NO_TLS1_2
2402 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2408 static int test_session_wo_ca_names(void)
2410 #ifndef OSSL_NO_USABLE_TLS1_3
2411 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
2415 #ifndef OPENSSL_NO_TLS1_2
2416 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
2423 #ifndef OSSL_NO_USABLE_TLS1_3
2424 static SSL_SESSION *sesscache[6];
2425 static int do_cache;
2427 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2430 sesscache[new_called] = sess;
2432 /* We don't need the reference to the session, so free it */
2433 SSL_SESSION_free(sess);
2440 static int post_handshake_verify(SSL *sssl, SSL *cssl)
2442 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2443 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2446 /* Start handshake on the server and client */
2447 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2448 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2449 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2450 || !TEST_true(create_ssl_connection(sssl, cssl,
2457 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
2460 int sess_id_ctx = 1;
2462 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2463 TLS_client_method(), TLS1_VERSION, 0,
2464 sctx, cctx, cert, privkey))
2465 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2466 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2467 (void *)&sess_id_ctx,
2468 sizeof(sess_id_ctx))))
2472 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2474 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2475 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2476 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2481 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2483 SSL *serverssl = NULL, *clientssl = NULL;
2486 /* Test that we can resume with all the tickets we got given */
2487 for (i = 0; i < idx * 2; i++) {
2489 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2490 &clientssl, NULL, NULL))
2491 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2494 SSL_set_post_handshake_auth(clientssl, 1);
2496 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2501 * Following a successful resumption we only get 1 ticket. After a
2502 * failed one we should get idx tickets.
2505 if (!TEST_true(SSL_session_reused(clientssl))
2506 || !TEST_int_eq(new_called, 1))
2509 if (!TEST_false(SSL_session_reused(clientssl))
2510 || !TEST_int_eq(new_called, idx))
2515 /* After a post-handshake authentication we should get 1 new ticket */
2517 && (!post_handshake_verify(serverssl, clientssl)
2518 || !TEST_int_eq(new_called, 1)))
2521 SSL_shutdown(clientssl);
2522 SSL_shutdown(serverssl);
2523 SSL_free(serverssl);
2524 SSL_free(clientssl);
2525 serverssl = clientssl = NULL;
2526 SSL_SESSION_free(sesscache[i]);
2527 sesscache[i] = NULL;
2533 SSL_free(clientssl);
2534 SSL_free(serverssl);
2538 static int test_tickets(int stateful, int idx)
2540 SSL_CTX *sctx = NULL, *cctx = NULL;
2541 SSL *serverssl = NULL, *clientssl = NULL;
2545 /* idx is the test number, but also the number of tickets we want */
2550 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2553 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2554 &clientssl, NULL, NULL)))
2557 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2559 /* Check we got the number of tickets we were expecting */
2560 || !TEST_int_eq(idx, new_called))
2563 SSL_shutdown(clientssl);
2564 SSL_shutdown(serverssl);
2565 SSL_free(serverssl);
2566 SSL_free(clientssl);
2569 clientssl = serverssl = NULL;
2573 * Now we try to resume with the tickets we previously created. The
2574 * resumption attempt is expected to fail (because we're now using a new
2575 * SSL_CTX). We should see idx number of tickets issued again.
2578 /* Stop caching sessions - just count them */
2581 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2584 if (!check_resumption(idx, sctx, cctx, 0))
2587 /* Start again with caching sessions */
2594 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2597 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2598 &clientssl, NULL, NULL)))
2601 SSL_set_post_handshake_auth(clientssl, 1);
2603 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2605 /* Check we got the number of tickets we were expecting */
2606 || !TEST_int_eq(idx, new_called))
2609 /* After a post-handshake authentication we should get new tickets issued */
2610 if (!post_handshake_verify(serverssl, clientssl)
2611 || !TEST_int_eq(idx * 2, new_called))
2614 SSL_shutdown(clientssl);
2615 SSL_shutdown(serverssl);
2616 SSL_free(serverssl);
2617 SSL_free(clientssl);
2618 serverssl = clientssl = NULL;
2620 /* Stop caching sessions - just count them */
2624 * Check we can resume with all the tickets we created. This time around the
2625 * resumptions should all be successful.
2627 if (!check_resumption(idx, sctx, cctx, 1))
2633 SSL_free(serverssl);
2634 SSL_free(clientssl);
2635 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2636 SSL_SESSION_free(sesscache[j]);
2637 sesscache[j] = NULL;
2645 static int test_stateless_tickets(int idx)
2647 return test_tickets(0, idx);
2650 static int test_stateful_tickets(int idx)
2652 return test_tickets(1, idx);
2655 static int test_psk_tickets(void)
2657 SSL_CTX *sctx = NULL, *cctx = NULL;
2658 SSL *serverssl = NULL, *clientssl = NULL;
2660 int sess_id_ctx = 1;
2662 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2663 TLS_client_method(), TLS1_VERSION, 0,
2664 &sctx, &cctx, NULL, NULL))
2665 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2666 (void *)&sess_id_ctx,
2667 sizeof(sess_id_ctx))))
2670 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2671 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2672 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2673 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2674 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2675 use_session_cb_cnt = 0;
2676 find_session_cb_cnt = 0;
2680 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2683 clientpsk = serverpsk = create_a_psk(clientssl, SHA384_DIGEST_LENGTH);
2684 if (!TEST_ptr(clientpsk))
2686 SSL_SESSION_up_ref(clientpsk);
2688 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2690 || !TEST_int_eq(1, find_session_cb_cnt)
2691 || !TEST_int_eq(1, use_session_cb_cnt)
2692 /* We should always get 1 ticket when using external PSK */
2693 || !TEST_int_eq(1, new_called))
2699 SSL_free(serverssl);
2700 SSL_free(clientssl);
2703 SSL_SESSION_free(clientpsk);
2704 SSL_SESSION_free(serverpsk);
2705 clientpsk = serverpsk = NULL;
2710 static int test_extra_tickets(int idx)
2712 SSL_CTX *sctx = NULL, *cctx = NULL;
2713 SSL *serverssl = NULL, *clientssl = NULL;
2714 BIO *bretry = BIO_new(bio_s_always_retry());
2719 unsigned char c, buf[1];
2729 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2731 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2732 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2733 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2735 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2736 &clientssl, NULL, NULL)))
2740 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2741 * incremented by both client and server.
2743 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2745 /* Check we got the number of tickets we were expecting */
2746 || !TEST_int_eq(idx * 2, new_called)
2747 || !TEST_true(SSL_new_session_ticket(serverssl))
2748 || !TEST_true(SSL_new_session_ticket(serverssl))
2749 || !TEST_int_eq(idx * 2, new_called))
2752 /* Now try a (real) write to actually send the tickets */
2754 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2755 || !TEST_size_t_eq(1, nbytes)
2756 || !TEST_int_eq(idx * 2 + 2, new_called)
2757 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2758 || !TEST_int_eq(idx * 2 + 4, new_called)
2759 || !TEST_int_eq(sizeof(buf), nbytes)
2760 || !TEST_int_eq(c, buf[0])
2761 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2764 /* Try with only requesting one new ticket, too */
2767 if (!TEST_true(SSL_new_session_ticket(serverssl))
2768 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2769 || !TEST_size_t_eq(sizeof(c), nbytes)
2770 || !TEST_int_eq(1, new_called)
2771 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2772 || !TEST_int_eq(2, new_called)
2773 || !TEST_size_t_eq(sizeof(buf), nbytes)
2774 || !TEST_int_eq(c, buf[0]))
2777 /* Do it again but use dummy writes to drive the ticket generation */
2780 if (!TEST_true(SSL_new_session_ticket(serverssl))
2781 || !TEST_true(SSL_new_session_ticket(serverssl))
2782 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2783 || !TEST_size_t_eq(0, nbytes)
2784 || !TEST_int_eq(2, new_called)
2785 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2786 || !TEST_int_eq(4, new_called))
2789 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2792 if (!TEST_true(SSL_new_session_ticket(serverssl))
2793 || !TEST_true(SSL_new_session_ticket(serverssl))
2794 || !TEST_true(SSL_do_handshake(serverssl))
2795 || !TEST_int_eq(2, new_called)
2796 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2797 || !TEST_int_eq(4, new_called))
2801 * Use the always-retry BIO to exercise the logic that forces ticket
2802 * generation to wait until a record boundary.
2806 tmp = SSL_get_wbio(serverssl);
2807 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2811 SSL_set0_wbio(serverssl, bretry);
2813 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2814 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2815 || !TEST_size_t_eq(nbytes, 0))
2817 /* Restore a BIO that will let the write succeed */
2818 SSL_set0_wbio(serverssl, tmp);
2821 * These calls should just queue the request and not send anything
2822 * even if we explicitly try to hit the state machine.
2824 if (!TEST_true(SSL_new_session_ticket(serverssl))
2825 || !TEST_true(SSL_new_session_ticket(serverssl))
2826 || !TEST_int_eq(0, new_called)
2827 || !TEST_true(SSL_do_handshake(serverssl))
2828 || !TEST_int_eq(0, new_called))
2830 /* Re-do the write; still no tickets sent */
2831 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2832 || !TEST_size_t_eq(1, nbytes)
2833 || !TEST_int_eq(0, new_called)
2834 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2835 || !TEST_int_eq(0, new_called)
2836 || !TEST_int_eq(sizeof(buf), nbytes)
2837 || !TEST_int_eq(c, buf[0])
2838 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2840 /* Even trying to hit the state machine now will still not send tickets */
2841 if (!TEST_true(SSL_do_handshake(serverssl))
2842 || !TEST_int_eq(0, new_called))
2844 /* Now the *next* write should send the tickets */
2846 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2847 || !TEST_size_t_eq(1, nbytes)
2848 || !TEST_int_eq(2, new_called)
2849 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2850 || !TEST_int_eq(4, new_called)
2851 || !TEST_int_eq(sizeof(buf), nbytes)
2852 || !TEST_int_eq(c, buf[0])
2853 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2856 SSL_shutdown(clientssl);
2857 SSL_shutdown(serverssl);
2863 SSL_free(serverssl);
2864 SSL_free(clientssl);
2867 clientssl = serverssl = NULL;
2876 #define USE_DEFAULT 3
2878 #define CONNTYPE_CONNECTION_SUCCESS 0
2879 #define CONNTYPE_CONNECTION_FAIL 1
2880 #define CONNTYPE_NO_CONNECTION 2
2882 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2883 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2884 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2885 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2887 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2890 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2891 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2892 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2894 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2911 * Tests calls to SSL_set_bio() under various conditions.
2913 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2914 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2915 * then do more tests where we create a successful connection first using our
2916 * standard connection setup functions, and then call SSL_set_bio() with
2917 * various combinations of valid BIOs or NULL. We then repeat these tests
2918 * following a failed connection. In this last case we are looking to check that
2919 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2921 static int test_ssl_set_bio(int idx)
2923 SSL_CTX *sctx = NULL, *cctx = NULL;
2926 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2927 SSL *serverssl = NULL, *clientssl = NULL;
2928 int initrbio, initwbio, newrbio, newwbio, conntype;
2931 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2939 conntype = CONNTYPE_NO_CONNECTION;
2941 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2942 initrbio = initwbio = USE_DEFAULT;
2950 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2951 TLS_client_method(), TLS1_VERSION, 0,
2952 &sctx, &cctx, cert, privkey)))
2955 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2957 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2958 * because we reduced the number of tests in the definition of
2959 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2960 * mismatched protocol versions we will force a connection failure.
2962 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2963 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2966 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2970 if (initrbio == USE_BIO_1
2971 || initwbio == USE_BIO_1
2972 || newrbio == USE_BIO_1
2973 || newwbio == USE_BIO_1) {
2974 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2978 if (initrbio == USE_BIO_2
2979 || initwbio == USE_BIO_2
2980 || newrbio == USE_BIO_2
2981 || newwbio == USE_BIO_2) {
2982 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2986 if (initrbio != USE_DEFAULT) {
2987 setupbio(&irbio, bio1, bio2, initrbio);
2988 setupbio(&iwbio, bio1, bio2, initwbio);
2989 SSL_set_bio(clientssl, irbio, iwbio);
2992 * We want to maintain our own refs to these BIO, so do an up ref for
2993 * each BIO that will have ownership transferred in the SSL_set_bio()
2998 if (iwbio != NULL && iwbio != irbio)
3002 if (conntype != CONNTYPE_NO_CONNECTION
3003 && !TEST_true(create_ssl_connection(serverssl, clientssl,
3005 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
3008 setupbio(&nrbio, bio1, bio2, newrbio);
3009 setupbio(&nwbio, bio1, bio2, newwbio);
3012 * We will (maybe) transfer ownership again so do more up refs.
3013 * SSL_set_bio() has some really complicated ownership rules where BIOs have
3018 && (nwbio != iwbio || nrbio != nwbio))
3022 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
3025 SSL_set_bio(clientssl, nrbio, nwbio);
3034 * This test is checking that the ref counting for SSL_set_bio is correct.
3035 * If we get here and we did too many frees then we will fail in the above
3038 SSL_free(serverssl);
3039 SSL_free(clientssl);
3045 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
3047 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
3049 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
3054 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
3055 || !TEST_ptr(ssl = SSL_new(ctx))
3056 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
3057 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
3060 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
3063 * If anything goes wrong here then we could leak memory.
3065 BIO_push(sslbio, membio1);
3067 /* Verify changing the rbio/wbio directly does not cause leaks */
3068 if (change_bio != NO_BIO_CHANGE) {
3069 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
3073 if (change_bio == CHANGE_RBIO)
3074 SSL_set0_rbio(ssl, membio2);
3076 SSL_set0_wbio(ssl, membio2);
3095 static int test_ssl_bio_pop_next_bio(void)
3097 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
3100 static int test_ssl_bio_pop_ssl_bio(void)
3102 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
3105 static int test_ssl_bio_change_rbio(void)
3107 return execute_test_ssl_bio(0, CHANGE_RBIO);
3110 static int test_ssl_bio_change_wbio(void)
3112 return execute_test_ssl_bio(0, CHANGE_WBIO);
3115 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
3117 /* The list of sig algs */
3119 /* The length of the list */
3121 /* A sigalgs list in string format */
3122 const char *liststr;
3123 /* Whether setting the list should succeed */
3125 /* Whether creating a connection with the list should succeed */
3129 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
3130 # ifndef OPENSSL_NO_EC
3131 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
3132 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
3134 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
3135 static const int invalidlist2[] = {NID_sha256, NID_undef};
3136 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
3137 static const int invalidlist4[] = {NID_sha256};
3138 static const sigalgs_list testsigalgs[] = {
3139 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
3140 # ifndef OPENSSL_NO_EC
3141 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
3142 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
3144 {NULL, 0, "RSA+SHA256", 1, 1},
3145 # ifndef OPENSSL_NO_EC
3146 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
3147 {NULL, 0, "ECDSA+SHA512", 1, 0},
3149 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
3150 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
3151 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
3152 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
3153 {NULL, 0, "RSA", 0, 0},
3154 {NULL, 0, "SHA256", 0, 0},
3155 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
3156 {NULL, 0, "Invalid", 0, 0}
3159 static int test_set_sigalgs(int idx)
3161 SSL_CTX *cctx = NULL, *sctx = NULL;
3162 SSL *clientssl = NULL, *serverssl = NULL;
3164 const sigalgs_list *curr;
3167 /* Should never happen */
3168 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
3171 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
3172 curr = testctx ? &testsigalgs[idx]
3173 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
3175 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3176 TLS_client_method(), TLS1_VERSION, 0,
3177 &sctx, &cctx, cert, privkey)))
3180 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
3185 if (curr->list != NULL)
3186 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
3188 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
3192 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
3198 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
3203 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3204 &clientssl, NULL, NULL)))
3210 if (curr->list != NULL)
3211 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
3213 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
3216 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
3225 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
3233 SSL_free(serverssl);
3234 SSL_free(clientssl);
3242 #ifndef OSSL_NO_USABLE_TLS1_3
3243 static int psk_client_cb_cnt = 0;
3244 static int psk_server_cb_cnt = 0;
3246 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3247 size_t *idlen, SSL_SESSION **sess)
3249 switch (++use_session_cb_cnt) {
3251 /* The first call should always have a NULL md */
3257 /* The second call should always have an md */
3263 /* We should only be called a maximum of twice */
3267 if (clientpsk != NULL)
3268 SSL_SESSION_up_ref(clientpsk);
3271 *id = (const unsigned char *)pskid;
3272 *idlen = strlen(pskid);
3277 #ifndef OPENSSL_NO_PSK
3278 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3279 unsigned int max_id_len,
3281 unsigned int max_psk_len)
3283 unsigned int psklen = 0;
3285 psk_client_cb_cnt++;
3287 if (strlen(pskid) + 1 > max_id_len)
3290 /* We should only ever be called a maximum of twice per connection */
3291 if (psk_client_cb_cnt > 2)
3294 if (clientpsk == NULL)
3297 /* We'll reuse the PSK we set up for TLSv1.3 */
3298 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3300 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3301 strncpy(id, pskid, max_id_len);
3305 #endif /* OPENSSL_NO_PSK */
3307 static int find_session_cb(SSL *ssl, const unsigned char *identity,
3308 size_t identity_len, SSL_SESSION **sess)
3310 find_session_cb_cnt++;
3312 /* We should only ever be called a maximum of twice per connection */
3313 if (find_session_cb_cnt > 2)
3316 if (serverpsk == NULL)
3319 /* Identity should match that set by the client */
3320 if (strlen(srvid) != identity_len
3321 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3322 /* No PSK found, continue but without a PSK */
3327 SSL_SESSION_up_ref(serverpsk);
3333 #ifndef OPENSSL_NO_PSK
3334 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3335 unsigned char *psk, unsigned int max_psk_len)
3337 unsigned int psklen = 0;
3339 psk_server_cb_cnt++;
3341 /* We should only ever be called a maximum of twice per connection */
3342 if (find_session_cb_cnt > 2)
3345 if (serverpsk == NULL)
3348 /* Identity should match that set by the client */
3349 if (strcmp(srvid, identity) != 0) {
3353 /* We'll reuse the PSK we set up for TLSv1.3 */
3354 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3356 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3360 #endif /* OPENSSL_NO_PSK */
3362 #define MSG1 "Hello"
3363 #define MSG2 "World."
3368 #define MSG7 "message."
3370 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
3371 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3372 #define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3373 #define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3374 #define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
3377 static SSL_SESSION *create_a_psk(SSL *ssl, size_t mdsize)
3379 const SSL_CIPHER *cipher = NULL;
3380 const unsigned char key[] = {
3381 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3382 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3383 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3384 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3385 0x2c, 0x2d, 0x2e, 0x2f /* SHA384_DIGEST_LENGTH bytes */
3387 SSL_SESSION *sess = NULL;
3389 if (mdsize == SHA384_DIGEST_LENGTH) {
3390 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3391 } else if (mdsize == SHA256_DIGEST_LENGTH) {
3393 * Any ciphersuite using SHA256 will do - it will be compatible with
3394 * the actual ciphersuite selected as long as it too is based on SHA256
3396 cipher = SSL_CIPHER_find(ssl, TLS13_AES_128_GCM_SHA256_BYTES);
3398 /* Should not happen */
3401 sess = SSL_SESSION_new();
3403 || !TEST_ptr(cipher)
3404 || !TEST_true(SSL_SESSION_set1_master_key(sess, key, mdsize))
3405 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3407 SSL_SESSION_set_protocol_version(sess,
3409 SSL_SESSION_free(sess);
3415 static int artificial_ticket_time = 0;
3417 static int ed_gen_cb(SSL *s, void *arg)
3419 SSL_SESSION *sess = SSL_get0_session(s);
3425 * Artificially give the ticket some age. Just do it for the number of
3426 * tickets we've been told to do.
3428 if (artificial_ticket_time == 0)
3430 artificial_ticket_time--;
3432 if (SSL_SESSION_set_time(sess, SSL_SESSION_get_time(sess) - 10) == 0)
3439 * Helper method to setup objects for early data test. Caller frees objects on
3442 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3443 SSL **serverssl, SSL_SESSION **sess, int idx,
3446 int artificial = (artificial_ticket_time > 0);
3449 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3450 TLS_client_method(),
3452 sctx, cctx, cert, privkey)))
3456 SSL_CTX_set_session_ticket_cb(*sctx, ed_gen_cb, NULL, NULL);
3458 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
3462 /* When idx == 1 we repeat the tests with read_ahead set */
3463 SSL_CTX_set_read_ahead(*cctx, 1);
3464 SSL_CTX_set_read_ahead(*sctx, 1);
3465 } else if (idx == 2) {
3466 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3467 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3468 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3469 use_session_cb_cnt = 0;
3470 find_session_cb_cnt = 0;
3474 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
3479 * For one of the run throughs (doesn't matter which one), we'll try sending
3480 * some SNI data in the initial ClientHello. This will be ignored (because
3481 * there is no SNI cb set up by the server), so it should not impact
3485 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3489 clientpsk = create_a_psk(*clientssl, mdsize);
3490 if (!TEST_ptr(clientpsk)
3492 * We just choose an arbitrary value for max_early_data which
3493 * should be big enough for testing purposes.
3495 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3497 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3498 SSL_SESSION_free(clientpsk);
3502 serverpsk = clientpsk;
3505 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3506 SSL_SESSION_free(clientpsk);
3507 SSL_SESSION_free(serverpsk);
3508 clientpsk = serverpsk = NULL;
3519 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3523 *sess = SSL_get1_session(*clientssl);
3524 SSL_shutdown(*clientssl);
3525 SSL_shutdown(*serverssl);
3526 SSL_free(*serverssl);
3527 SSL_free(*clientssl);
3528 *serverssl = *clientssl = NULL;
3531 * Artificially give the ticket some age to match the artificial age we
3532 * gave it on the server side
3535 && !TEST_long_gt(SSL_SESSION_set_time(*sess,
3536 SSL_SESSION_get_time(*sess) - 10), 0))
3539 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3540 clientssl, NULL, NULL))
3541 || !TEST_true(SSL_set_session(*clientssl, *sess)))
3547 static int test_early_data_read_write(int idx)
3549 SSL_CTX *cctx = NULL, *sctx = NULL;
3550 SSL *clientssl = NULL, *serverssl = NULL;
3552 SSL_SESSION *sess = NULL;
3553 unsigned char buf[20], data[1024];
3554 size_t readbytes, written, eoedlen, rawread, rawwritten;
3557 /* Artificially give the next 2 tickets some age for non PSK sessions */
3559 artificial_ticket_time = 2;
3560 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3561 &serverssl, &sess, idx,
3562 SHA384_DIGEST_LENGTH))) {
3563 artificial_ticket_time = 0;
3566 artificial_ticket_time = 0;
3568 /* Write and read some early data */
3569 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3571 || !TEST_size_t_eq(written, strlen(MSG1))
3572 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3573 sizeof(buf), &readbytes),
3574 SSL_READ_EARLY_DATA_SUCCESS)
3575 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3576 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3577 SSL_EARLY_DATA_ACCEPTED))
3581 * Server should be able to write data, and client should be able to
3584 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3586 || !TEST_size_t_eq(written, strlen(MSG2))
3587 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3588 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3591 /* Even after reading normal data, client should be able write early data */
3592 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3594 || !TEST_size_t_eq(written, strlen(MSG3)))
3597 /* Server should still be able read early data after writing data */
3598 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3600 SSL_READ_EARLY_DATA_SUCCESS)
3601 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3604 /* Write more data from server and read it from client */
3605 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3607 || !TEST_size_t_eq(written, strlen(MSG4))
3608 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3609 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3613 * If client writes normal data it should mean writing early data is no
3616 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3617 || !TEST_size_t_eq(written, strlen(MSG5))
3618 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3619 SSL_EARLY_DATA_ACCEPTED))
3623 * At this point the client has written EndOfEarlyData, ClientFinished and
3624 * normal (fully protected) data. We are going to cause a delay between the
3625 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3626 * in the read BIO, and then just put back the EndOfEarlyData message.
3628 rbio = SSL_get_rbio(serverssl);
3629 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3630 || !TEST_size_t_lt(rawread, sizeof(data))
3631 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3634 /* Record length is in the 4th and 5th bytes of the record header */
3635 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3636 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3637 || !TEST_size_t_eq(rawwritten, eoedlen))
3640 /* Server should be told that there is no more early data */
3641 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3643 SSL_READ_EARLY_DATA_FINISH)
3644 || !TEST_size_t_eq(readbytes, 0))
3648 * Server has not finished init yet, so should still be able to write early
3651 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3653 || !TEST_size_t_eq(written, strlen(MSG6)))
3656 /* Push the ClientFinished and the normal data back into the server rbio */
3657 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3659 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3662 /* Server should be able to read normal data */
3663 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3664 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3667 /* Client and server should not be able to write/read early data now */
3668 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3672 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3674 SSL_READ_EARLY_DATA_ERROR))
3678 /* Client should be able to read the data sent by the server */
3679 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3680 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3684 * Make sure we process the two NewSessionTickets. These arrive
3685 * post-handshake. We attempt reads which we do not expect to return any
3688 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3689 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3693 /* Server should be able to write normal data */
3694 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3695 || !TEST_size_t_eq(written, strlen(MSG7))
3696 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3697 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3700 SSL_SESSION_free(sess);
3701 sess = SSL_get1_session(clientssl);
3702 use_session_cb_cnt = 0;
3703 find_session_cb_cnt = 0;
3705 SSL_shutdown(clientssl);
3706 SSL_shutdown(serverssl);
3707 SSL_free(serverssl);
3708 SSL_free(clientssl);
3709 serverssl = clientssl = NULL;
3710 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3711 &clientssl, NULL, NULL))
3712 || !TEST_true(SSL_set_session(clientssl, sess)))
3715 /* Write and read some early data */
3716 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3718 || !TEST_size_t_eq(written, strlen(MSG1))
3719 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3721 SSL_READ_EARLY_DATA_SUCCESS)
3722 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3725 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3726 || !TEST_int_gt(SSL_accept(serverssl), 0))
3729 /* Client and server should not be able to write/read early data now */
3730 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3734 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3736 SSL_READ_EARLY_DATA_ERROR))
3740 /* Client and server should be able to write/read normal data */
3741 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3742 || !TEST_size_t_eq(written, strlen(MSG5))
3743 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3744 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3750 SSL_SESSION_free(sess);
3751 SSL_SESSION_free(clientpsk);
3752 SSL_SESSION_free(serverpsk);
3753 clientpsk = serverpsk = NULL;
3754 SSL_free(serverssl);
3755 SSL_free(clientssl);
3761 static int allow_ed_cb_called = 0;
3763 static int allow_early_data_cb(SSL *s, void *arg)
3765 int *usecb = (int *)arg;
3767 allow_ed_cb_called++;
3776 * idx == 0: Standard early_data setup
3777 * idx == 1: early_data setup using read_ahead
3778 * usecb == 0: Don't use a custom early data callback
3779 * usecb == 1: Use a custom early data callback and reject the early data
3780 * usecb == 2: Use a custom early data callback and accept the early data
3781 * confopt == 0: Configure anti-replay directly
3782 * confopt == 1: Configure anti-replay using SSL_CONF
3784 static int test_early_data_replay_int(int idx, int usecb, int confopt)
3786 SSL_CTX *cctx = NULL, *sctx = NULL;
3787 SSL *clientssl = NULL, *serverssl = NULL;
3789 SSL_SESSION *sess = NULL;
3790 size_t readbytes, written;
3791 unsigned char buf[20];
3793 allow_ed_cb_called = 0;
3795 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3796 TLS_client_method(), TLS1_VERSION, 0,
3797 &sctx, &cctx, cert, privkey)))
3802 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3804 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3806 if (!TEST_ptr(confctx))
3808 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3809 | SSL_CONF_FLAG_SERVER);
3810 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3811 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3813 SSL_CONF_CTX_free(confctx);
3816 SSL_CONF_CTX_free(confctx);
3818 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3821 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3822 &serverssl, &sess, idx,
3823 SHA384_DIGEST_LENGTH)))
3827 * The server is configured to accept early data. Create a connection to
3828 * "use up" the ticket
3830 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3831 || !TEST_true(SSL_session_reused(clientssl)))
3834 SSL_shutdown(clientssl);
3835 SSL_shutdown(serverssl);
3836 SSL_free(serverssl);
3837 SSL_free(clientssl);
3838 serverssl = clientssl = NULL;
3840 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3841 &clientssl, NULL, NULL))
3842 || !TEST_true(SSL_set_session(clientssl, sess)))
3845 /* Write and read some early data */
3846 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3848 || !TEST_size_t_eq(written, strlen(MSG1)))
3852 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3854 SSL_READ_EARLY_DATA_FINISH)
3856 * The ticket was reused, so the we should have rejected the
3859 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3860 SSL_EARLY_DATA_REJECTED))
3863 /* In this case the callback decides to accept the early data */
3864 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3866 SSL_READ_EARLY_DATA_SUCCESS)
3867 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3869 * Server will have sent its flight so client can now send
3870 * end of early data and complete its half of the handshake
3872 || !TEST_int_gt(SSL_connect(clientssl), 0)
3873 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3875 SSL_READ_EARLY_DATA_FINISH)
3876 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3877 SSL_EARLY_DATA_ACCEPTED))
3881 /* Complete the connection */
3882 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3883 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3884 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3890 SSL_SESSION_free(sess);
3891 SSL_SESSION_free(clientpsk);
3892 SSL_SESSION_free(serverpsk);
3893 clientpsk = serverpsk = NULL;
3894 SSL_free(serverssl);
3895 SSL_free(clientssl);
3901 static int test_early_data_replay(int idx)
3903 int ret = 1, usecb, confopt;
3905 for (usecb = 0; usecb < 3; usecb++) {
3906 for (confopt = 0; confopt < 2; confopt++)
3907 ret &= test_early_data_replay_int(idx, usecb, confopt);
3913 static const char *ciphersuites[] = {
3914 "TLS_AES_128_CCM_8_SHA256",
3915 "TLS_AES_128_GCM_SHA256",
3916 "TLS_AES_256_GCM_SHA384",
3917 "TLS_AES_128_CCM_SHA256",
3918 #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3919 "TLS_CHACHA20_POLY1305_SHA256"
3924 * Helper function to test that a server attempting to read early data can
3925 * handle a connection from a client where the early data should be skipped.
3926 * testtype: 0 == No HRR
3927 * testtype: 1 == HRR
3928 * testtype: 2 == HRR, invalid early_data sent after HRR
3929 * testtype: 3 == recv_max_early_data set to 0
3931 static int early_data_skip_helper(int testtype, int cipher, int idx)
3933 SSL_CTX *cctx = NULL, *sctx = NULL;
3934 SSL *clientssl = NULL, *serverssl = NULL;
3936 SSL_SESSION *sess = NULL;
3937 unsigned char buf[20];
3938 size_t readbytes, written;
3940 if (is_fips && cipher == 4)
3943 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3944 TLS_client_method(),
3946 &sctx, &cctx, cert, privkey)))
3950 SSL_CTX_set_security_level(sctx, 0);
3951 SSL_CTX_set_security_level(cctx, 0);
3954 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, ciphersuites[cipher]))
3955 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, ciphersuites[cipher])))
3958 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3959 &serverssl, &sess, idx,
3960 cipher == 2 ? SHA384_DIGEST_LENGTH
3961 : SHA256_DIGEST_LENGTH)))
3964 if (testtype == 1 || testtype == 2) {
3965 /* Force an HRR to occur */
3966 #if defined(OPENSSL_NO_EC)
3967 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3970 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3973 } else if (idx == 2) {
3975 * We force early_data rejection by ensuring the PSK identity is
3978 srvid = "Dummy Identity";
3981 * Deliberately corrupt the creation time. We take 20 seconds off the
3982 * time. It could be any value as long as it is not within tolerance.
3983 * This should mean the ticket is rejected.
3985 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3990 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3993 /* Write some early data */
3994 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3996 || !TEST_size_t_eq(written, strlen(MSG1)))
3999 /* Server should reject the early data */
4000 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4002 SSL_READ_EARLY_DATA_FINISH)
4003 || !TEST_size_t_eq(readbytes, 0)
4004 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4005 SSL_EARLY_DATA_REJECTED))
4015 * Finish off the handshake. We perform the same writes and reads as
4016 * further down but we expect them to fail due to the incomplete
4019 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4020 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
4027 BIO *wbio = SSL_get_wbio(clientssl);
4028 /* A record that will appear as bad early_data */
4029 const unsigned char bad_early_data[] = {
4030 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
4034 * We force the client to attempt a write. This will fail because
4035 * we're still in the handshake. It will cause the second
4036 * ClientHello to be sent.
4038 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
4043 * Inject some early_data after the second ClientHello. This should
4044 * cause the server to fail
4046 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
4047 sizeof(bad_early_data), &written)))
4054 * This client has sent more early_data than we are willing to skip
4055 * (case 3) or sent invalid early_data (case 2) so the connection should
4058 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4059 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
4062 /* Connection has failed - nothing more to do */
4067 TEST_error("Invalid test type");
4073 * Should be able to send normal data despite rejection of early data. The
4074 * early_data should be skipped.
4076 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4077 || !TEST_size_t_eq(written, strlen(MSG2))
4078 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4079 SSL_EARLY_DATA_REJECTED)
4080 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4081 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4085 * Failure to decrypt early data records should not leave spurious errors
4086 * on the error stack
4088 if (!TEST_long_eq(ERR_peek_error(), 0))
4094 SSL_SESSION_free(clientpsk);
4095 SSL_SESSION_free(serverpsk);
4096 clientpsk = serverpsk = NULL;
4097 SSL_SESSION_free(sess);
4098 SSL_free(serverssl);
4099 SSL_free(clientssl);
4106 * Test that a server attempting to read early data can handle a connection
4107 * from a client where the early data is not acceptable.
4109 static int test_early_data_skip(int idx)
4111 return early_data_skip_helper(0,
4112 idx % OSSL_NELEM(ciphersuites),
4113 idx / OSSL_NELEM(ciphersuites));
4117 * Test that a server attempting to read early data can handle a connection
4118 * from a client where an HRR occurs.
4120 static int test_early_data_skip_hrr(int idx)
4122 return early_data_skip_helper(1,
4123 idx % OSSL_NELEM(ciphersuites),
4124 idx / OSSL_NELEM(ciphersuites));
4128 * Test that a server attempting to read early data can handle a connection
4129 * from a client where an HRR occurs and correctly fails if early_data is sent
4132 static int test_early_data_skip_hrr_fail(int idx)
4134 return early_data_skip_helper(2,
4135 idx % OSSL_NELEM(ciphersuites),
4136 idx / OSSL_NELEM(ciphersuites));
4140 * Test that a server attempting to read early data will abort if it tries to
4141 * skip over too much.
4143 static int test_early_data_skip_abort(int idx)
4145 return early_data_skip_helper(3,
4146 idx % OSSL_NELEM(ciphersuites),
4147 idx / OSSL_NELEM(ciphersuites));
4151 * Test that a server attempting to read early data can handle a connection
4152 * from a client that doesn't send any.
4154 static int test_early_data_not_sent(int idx)
4156 SSL_CTX *cctx = NULL, *sctx = NULL;
4157 SSL *clientssl = NULL, *serverssl = NULL;
4159 SSL_SESSION *sess = NULL;
4160 unsigned char buf[20];
4161 size_t readbytes, written;
4163 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4164 &serverssl, &sess, idx,
4165 SHA384_DIGEST_LENGTH)))
4168 /* Write some data - should block due to handshake with server */
4169 SSL_set_connect_state(clientssl);
4170 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4173 /* Server should detect that early data has not been sent */
4174 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4176 SSL_READ_EARLY_DATA_FINISH)
4177 || !TEST_size_t_eq(readbytes, 0)
4178 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4179 SSL_EARLY_DATA_NOT_SENT)
4180 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4181 SSL_EARLY_DATA_NOT_SENT))
4184 /* Continue writing the message we started earlier */
4185 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4186 || !TEST_size_t_eq(written, strlen(MSG1))
4187 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4188 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4189 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
4190 || !TEST_size_t_eq(written, strlen(MSG2)))
4193 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4194 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4200 SSL_SESSION_free(sess);
4201 SSL_SESSION_free(clientpsk);
4202 SSL_SESSION_free(serverpsk);
4203 clientpsk = serverpsk = NULL;
4204 SSL_free(serverssl);
4205 SSL_free(clientssl);
4211 static const char *servalpn;
4213 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
4214 unsigned char *outlen, const unsigned char *in,
4215 unsigned int inlen, void *arg)
4217 unsigned int protlen = 0;
4218 const unsigned char *prot;
4220 for (prot = in; prot < in + inlen; prot += protlen) {
4222 if (in + inlen < prot + protlen)
4223 return SSL_TLSEXT_ERR_NOACK;
4225 if (protlen == strlen(servalpn)
4226 && memcmp(prot, servalpn, protlen) == 0) {
4229 return SSL_TLSEXT_ERR_OK;
4233 return SSL_TLSEXT_ERR_NOACK;
4236 /* Test that a PSK can be used to send early_data */
4237 static int test_early_data_psk(int idx)
4239 SSL_CTX *cctx = NULL, *sctx = NULL;
4240 SSL *clientssl = NULL, *serverssl = NULL;
4242 SSL_SESSION *sess = NULL;
4243 unsigned char alpnlist[] = {
4244 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
4247 #define GOODALPNLEN 9
4248 #define BADALPNLEN 8
4249 #define GOODALPN (alpnlist)
4250 #define BADALPN (alpnlist + GOODALPNLEN)
4252 unsigned char buf[20];
4253 size_t readbytes, written;
4254 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
4255 int edstatus = SSL_EARLY_DATA_ACCEPTED;
4257 /* We always set this up with a final parameter of "2" for PSK */
4258 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4259 &serverssl, &sess, 2,
4260 SHA384_DIGEST_LENGTH)))
4263 servalpn = "goodalpn";
4266 * Note: There is no test for inconsistent SNI with late client detection.
4267 * This is because servers do not acknowledge SNI even if they are using
4268 * it in a resumption handshake - so it is not actually possible for a
4269 * client to detect a problem.
4273 /* Set inconsistent SNI (early client detection) */
4274 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
4275 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4276 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
4281 /* Set inconsistent ALPN (early client detection) */
4282 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
4283 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
4284 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
4286 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
4293 * Set invalid protocol version. Technically this affects PSKs without
4294 * early_data too, but we test it here because it is similar to the
4295 * SNI/ALPN consistency tests.
4297 err = SSL_R_BAD_PSK;
4298 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
4304 * Set inconsistent SNI (server side). In this case the connection
4305 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
4306 * is associated with each handshake - not the session. Therefore it
4307 * should not matter that we used a different server name last time.
4309 SSL_SESSION_free(serverpsk);
4310 serverpsk = SSL_SESSION_dup(clientpsk);
4311 if (!TEST_ptr(serverpsk)
4312 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
4316 /* Set consistent SNI */
4317 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4318 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
4319 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
4326 * Set inconsistent ALPN (server detected). In this case the connection
4327 * will succeed but reject early_data.
4329 servalpn = "badalpn";
4330 edstatus = SSL_EARLY_DATA_REJECTED;
4331 readearlyres = SSL_READ_EARLY_DATA_FINISH;
4335 * Set consistent ALPN.
4336 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4337 * accepts a list of protos (each one length prefixed).
4338 * SSL_set1_alpn_selected accepts a single protocol (not length
4341 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4343 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4347 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4351 /* Set inconsistent ALPN (late client detection) */
4352 SSL_SESSION_free(serverpsk);
4353 serverpsk = SSL_SESSION_dup(clientpsk);
4354 if (!TEST_ptr(serverpsk)
4355 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4358 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4361 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4364 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4365 edstatus = SSL_EARLY_DATA_ACCEPTED;
4366 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4367 /* SSL_connect() call should fail */
4372 TEST_error("Bad test index");
4376 SSL_set_connect_state(clientssl);
4378 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4380 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4381 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4384 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4388 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4389 &readbytes), readearlyres)
4390 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4391 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
4392 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4393 || !TEST_int_eq(SSL_connect(clientssl), connectres))
4400 SSL_SESSION_free(sess);
4401 SSL_SESSION_free(clientpsk);
4402 SSL_SESSION_free(serverpsk);
4403 clientpsk = serverpsk = NULL;
4404 SSL_free(serverssl);
4405 SSL_free(clientssl);
4412 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4413 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4414 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4415 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4416 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4417 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4419 static int test_early_data_psk_with_all_ciphers(int idx)
4421 SSL_CTX *cctx = NULL, *sctx = NULL;
4422 SSL *clientssl = NULL, *serverssl = NULL;
4424 SSL_SESSION *sess = NULL;
4425 unsigned char buf[20];
4426 size_t readbytes, written;
4427 const SSL_CIPHER *cipher;
4428 const char *cipher_str[] = {
4429 TLS1_3_RFC_AES_128_GCM_SHA256,
4430 TLS1_3_RFC_AES_256_GCM_SHA384,
4431 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4432 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4436 TLS1_3_RFC_AES_128_CCM_SHA256,
4437 TLS1_3_RFC_AES_128_CCM_8_SHA256
4439 const unsigned char *cipher_bytes[] = {
4440 TLS13_AES_128_GCM_SHA256_BYTES,
4441 TLS13_AES_256_GCM_SHA384_BYTES,
4442 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4443 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4447 TLS13_AES_128_CCM_SHA256_BYTES,
4448 TLS13_AES_128_CCM_8_SHA256_BYTES
4451 if (cipher_str[idx] == NULL)
4453 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4454 if (idx == 2 && is_fips == 1)
4457 /* We always set this up with a final parameter of "2" for PSK */
4458 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4459 &serverssl, &sess, 2,
4460 SHA384_DIGEST_LENGTH)))
4464 /* CCM8 ciphers are considered low security due to their short tag */
4465 SSL_set_security_level(clientssl, 0);
4466 SSL_set_security_level(serverssl, 0);
4469 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4470 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4474 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4475 * and assigns to both client and server with incremented reference
4476 * and the same instance is updated in 'sess'.
4477 * So updating ciphersuite in 'sess' which will get reflected in
4478 * PSK handshake using psk use sess and find sess cb.
4480 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4481 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4484 SSL_set_connect_state(clientssl);
4485 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4489 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4491 SSL_READ_EARLY_DATA_SUCCESS)
4492 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4493 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4494 SSL_EARLY_DATA_ACCEPTED)
4495 || !TEST_int_eq(SSL_connect(clientssl), 1)
4496 || !TEST_int_eq(SSL_accept(serverssl), 1))
4499 /* Send some normal data from client to server */
4500 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4501 || !TEST_size_t_eq(written, strlen(MSG2)))
4504 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4505 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4510 SSL_SESSION_free(sess);
4511 SSL_SESSION_free(clientpsk);
4512 SSL_SESSION_free(serverpsk);
4513 clientpsk = serverpsk = NULL;
4514 if (clientssl != NULL)
4515 SSL_shutdown(clientssl);
4516 if (serverssl != NULL)
4517 SSL_shutdown(serverssl);
4518 SSL_free(serverssl);
4519 SSL_free(clientssl);
4526 * Test that a server that doesn't try to read early data can handle a
4527 * client sending some.
4529 static int test_early_data_not_expected(int idx)
4531 SSL_CTX *cctx = NULL, *sctx = NULL;
4532 SSL *clientssl = NULL, *serverssl = NULL;
4534 SSL_SESSION *sess = NULL;
4535 unsigned char buf[20];
4536 size_t readbytes, written;
4538 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4539 &serverssl, &sess, idx,
4540 SHA384_DIGEST_LENGTH)))
4543 /* Write some early data */
4544 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4549 * Server should skip over early data and then block waiting for client to
4550 * continue handshake
4552 if (!TEST_int_le(SSL_accept(serverssl), 0)
4553 || !TEST_int_gt(SSL_connect(clientssl), 0)
4554 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4555 SSL_EARLY_DATA_REJECTED)
4556 || !TEST_int_gt(SSL_accept(serverssl), 0)
4557 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4558 SSL_EARLY_DATA_REJECTED))
4561 /* Send some normal data from client to server */
4562 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4563 || !TEST_size_t_eq(written, strlen(MSG2)))
4566 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4567 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4573 SSL_SESSION_free(sess);
4574 SSL_SESSION_free(clientpsk);
4575 SSL_SESSION_free(serverpsk);
4576 clientpsk = serverpsk = NULL;
4577 SSL_free(serverssl);
4578 SSL_free(clientssl);
4585 # ifndef OPENSSL_NO_TLS1_2
4587 * Test that a server attempting to read early data can handle a connection
4588 * from a TLSv1.2 client.
4590 static int test_early_data_tls1_2(int idx)
4592 SSL_CTX *cctx = NULL, *sctx = NULL;
4593 SSL *clientssl = NULL, *serverssl = NULL;
4595 unsigned char buf[20];
4596 size_t readbytes, written;
4598 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4599 &serverssl, NULL, idx,
4600 SHA384_DIGEST_LENGTH)))
4603 /* Write some data - should block due to handshake with server */
4604 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4605 SSL_set_connect_state(clientssl);
4606 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4610 * Server should do TLSv1.2 handshake. First it will block waiting for more
4611 * messages from client after ServerDone. Then SSL_read_early_data should
4612 * finish and detect that early data has not been sent
4614 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4616 SSL_READ_EARLY_DATA_ERROR))
4620 * Continue writing the message we started earlier. Will still block waiting
4621 * for the CCS/Finished from server
4623 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4624 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4626 SSL_READ_EARLY_DATA_FINISH)
4627 || !TEST_size_t_eq(readbytes, 0)
4628 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4629 SSL_EARLY_DATA_NOT_SENT))
4632 /* Continue writing the message we started earlier */
4633 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4634 || !TEST_size_t_eq(written, strlen(MSG1))
4635 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4636 SSL_EARLY_DATA_NOT_SENT)
4637 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4638 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4639 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4640 || !TEST_size_t_eq(written, strlen(MSG2))
4641 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4642 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4648 SSL_SESSION_free(clientpsk);
4649 SSL_SESSION_free(serverpsk);
4650 clientpsk = serverpsk = NULL;
4651 SSL_free(serverssl);
4652 SSL_free(clientssl);
4658 # endif /* OPENSSL_NO_TLS1_2 */
4661 * Test configuring the TLSv1.3 ciphersuites
4663 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4664 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4665 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4666 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4667 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4668 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4669 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4670 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4671 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4672 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4674 static int test_set_ciphersuite(int idx)
4676 SSL_CTX *cctx = NULL, *sctx = NULL;
4677 SSL *clientssl = NULL, *serverssl = NULL;
4680 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4681 TLS_client_method(), TLS1_VERSION, 0,
4682 &sctx, &cctx, cert, privkey))
4683 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4684 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4687 if (idx >=4 && idx <= 7) {
4688 /* SSL_CTX explicit cipher list */
4689 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4693 if (idx == 0 || idx == 4) {
4694 /* Default ciphersuite */
4695 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4696 "TLS_AES_128_GCM_SHA256")))
4698 } else if (idx == 1 || idx == 5) {
4699 /* Non default ciphersuite */
4700 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4701 "TLS_AES_128_CCM_SHA256")))
4705 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4706 &clientssl, NULL, NULL)))
4709 if (idx == 8 || idx == 9) {
4710 /* SSL explicit cipher list */
4711 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4715 if (idx == 2 || idx == 6 || idx == 8) {
4716 /* Default ciphersuite */
4717 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4718 "TLS_AES_128_GCM_SHA256")))
4720 } else if (idx == 3 || idx == 7 || idx == 9) {
4721 /* Non default ciphersuite */
4722 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4723 "TLS_AES_128_CCM_SHA256")))
4727 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4733 SSL_free(serverssl);
4734 SSL_free(clientssl);
4741 static int test_ciphersuite_change(void)
4743 SSL_CTX *cctx = NULL, *sctx = NULL;
4744 SSL *clientssl = NULL, *serverssl = NULL;
4745 SSL_SESSION *clntsess = NULL;
4747 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4749 /* Create a session based on SHA-256 */
4750 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4751 TLS_client_method(), TLS1_VERSION, 0,
4752 &sctx, &cctx, cert, privkey))
4753 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4754 "TLS_AES_128_GCM_SHA256:"
4755 "TLS_AES_256_GCM_SHA384:"
4756 "TLS_AES_128_CCM_SHA256"))
4757 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4758 "TLS_AES_128_GCM_SHA256")))
4761 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4763 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4767 clntsess = SSL_get1_session(clientssl);
4768 /* Save for later */
4769 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4770 SSL_shutdown(clientssl);
4771 SSL_shutdown(serverssl);
4772 SSL_free(serverssl);
4773 SSL_free(clientssl);
4774 serverssl = clientssl = NULL;
4776 /* Check we can resume a session with a different SHA-256 ciphersuite */
4777 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4778 "TLS_AES_128_CCM_SHA256"))
4779 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4780 &clientssl, NULL, NULL))
4781 || !TEST_true(SSL_set_session(clientssl, clntsess))
4782 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4784 || !TEST_true(SSL_session_reused(clientssl)))
4787 SSL_SESSION_free(clntsess);
4788 clntsess = SSL_get1_session(clientssl);
4789 SSL_shutdown(clientssl);
4790 SSL_shutdown(serverssl);
4791 SSL_free(serverssl);
4792 SSL_free(clientssl);
4793 serverssl = clientssl = NULL;
4796 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4797 * succeeds but does not resume.
4799 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4800 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4802 || !TEST_true(SSL_set_session(clientssl, clntsess))
4803 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4805 || !TEST_false(SSL_session_reused(clientssl)))
4808 SSL_SESSION_free(clntsess);
4810 SSL_shutdown(clientssl);
4811 SSL_shutdown(serverssl);
4812 SSL_free(serverssl);
4813 SSL_free(clientssl);
4814 serverssl = clientssl = NULL;
4816 /* Create a session based on SHA384 */
4817 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4818 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4819 &clientssl, NULL, NULL))
4820 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4824 clntsess = SSL_get1_session(clientssl);
4825 SSL_shutdown(clientssl);
4826 SSL_shutdown(serverssl);
4827 SSL_free(serverssl);
4828 SSL_free(clientssl);
4829 serverssl = clientssl = NULL;
4831 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4832 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4833 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4834 "TLS_AES_256_GCM_SHA384"))
4835 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4837 || !TEST_true(SSL_set_session(clientssl, clntsess))
4839 * We use SSL_ERROR_WANT_READ below so that we can pause the
4840 * connection after the initial ClientHello has been sent to
4841 * enable us to make some session changes.
4843 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4844 SSL_ERROR_WANT_READ)))
4847 /* Trick the client into thinking this session is for a different digest */
4848 clntsess->cipher = aes_128_gcm_sha256;
4849 clntsess->cipher_id = clntsess->cipher->id;
4852 * Continue the previously started connection. Server has selected a SHA-384
4853 * ciphersuite, but client thinks the session is for SHA-256, so it should
4856 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4858 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4859 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4865 SSL_SESSION_free(clntsess);
4866 SSL_free(serverssl);
4867 SSL_free(clientssl);
4875 * Test TLSv1.3 Key exchange
4876 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4877 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4878 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4879 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4880 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4881 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4882 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4883 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4884 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4885 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4886 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4887 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4888 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4889 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4891 # ifndef OPENSSL_NO_EC
4892 static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4893 NID_secp521r1, NID_X25519, NID_X448};
4895 # ifndef OPENSSL_NO_DH
4896 static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4897 NID_ffdhe6144, NID_ffdhe8192};
4899 static int test_key_exchange(int idx)
4901 SSL_CTX *sctx = NULL, *cctx = NULL;
4902 SSL *serverssl = NULL, *clientssl = NULL;
4905 int *kexch_groups = &kexch_alg;
4906 int kexch_groups_size = 1;
4907 int max_version = TLS1_3_VERSION;
4908 char *kexch_name0 = NULL;
4911 # ifndef OPENSSL_NO_EC
4912 # ifndef OPENSSL_NO_TLS1_2
4914 max_version = TLS1_2_VERSION;
4918 kexch_groups = ecdhe_kexch_groups;
4919 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4920 kexch_name0 = "secp256r1";
4923 kexch_alg = NID_X9_62_prime256v1;
4924 kexch_name0 = "secp256r1";
4927 kexch_alg = NID_secp384r1;
4928 kexch_name0 = "secp384r1";
4931 kexch_alg = NID_secp521r1;
4932 kexch_name0 = "secp521r1";
4935 kexch_alg = NID_X25519;
4936 kexch_name0 = "x25519";
4939 kexch_alg = NID_X448;
4940 kexch_name0 = "x448";
4943 # ifndef OPENSSL_NO_DH
4944 # ifndef OPENSSL_NO_TLS1_2
4946 max_version = TLS1_2_VERSION;
4947 kexch_name0 = "ffdhe2048";
4951 kexch_groups = ffdhe_kexch_groups;
4952 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4953 kexch_name0 = "ffdhe2048";
4956 kexch_alg = NID_ffdhe2048;
4957 kexch_name0 = "ffdhe2048";
4960 kexch_alg = NID_ffdhe3072;
4961 kexch_name0 = "ffdhe3072";
4964 kexch_alg = NID_ffdhe4096;
4965 kexch_name0 = "ffdhe4096";
4968 kexch_alg = NID_ffdhe6144;
4969 kexch_name0 = "ffdhe6144";
4972 kexch_alg = NID_ffdhe8192;
4973 kexch_name0 = "ffdhe8192";
4977 /* We're skipping this test */
4981 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4982 TLS_client_method(), TLS1_VERSION,
4983 max_version, &sctx, &cctx, cert,
4987 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4988 TLS1_3_RFC_AES_128_GCM_SHA256)))
4991 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4992 TLS1_3_RFC_AES_128_GCM_SHA256)))
4995 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4996 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4997 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4998 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
5002 * Must include an EC ciphersuite so that we send supported groups in
5005 # ifndef OPENSSL_NO_TLS1_2
5006 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5007 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5008 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
5012 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5016 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
5017 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
5020 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5024 * If Handshake succeeds the negotiated kexch alg should be the first one in
5025 * configured, except in the case of FFDHE groups (idx 13), which are
5026 * TLSv1.3 only so we expect no shared group to exist.
5028 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
5029 idx == 13 ? 0 : kexch_groups[0]))
5032 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
5036 /* We don't implement RFC 7919 named groups for TLS 1.2. */
5038 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
5040 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
5046 SSL_free(serverssl);
5047 SSL_free(clientssl);
5053 # if !defined(OPENSSL_NO_TLS1_2) \
5054 && !defined(OPENSSL_NO_EC) \
5055 && !defined(OPENSSL_NO_DH)
5056 static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
5057 int isecdhe, int idx)
5060 int *kexch_groups = &kexch_alg;
5063 numec = OSSL_NELEM(ecdhe_kexch_groups);
5064 numff = OSSL_NELEM(ffdhe_kexch_groups);
5066 kexch_alg = ecdhe_kexch_groups[idx];
5068 kexch_alg = ffdhe_kexch_groups[idx];
5071 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
5074 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
5078 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
5083 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
5086 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
5090 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
5099 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
5100 * Run through both the ECDHE and FFDHE group lists used in the previous
5101 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
5102 * confirming the expected result; then perform a resumption handshake
5103 * while offering the same group list, and another resumption handshake
5104 * offering a different group list. The returned value should be the
5105 * negotiated group for the initial handshake; for TLS 1.3 resumption
5106 * handshakes the returned value will be negotiated on the resumption
5107 * handshake itself, but for TLS 1.2 resumption handshakes the value will
5108 * be cached in the session from the original handshake, regardless of what
5109 * was offered in the resumption ClientHello.
5111 * Using E for the number of EC groups and F for the number of FF groups:
5112 * E tests of ECDHE with TLS 1.3, server only has one group
5113 * F tests of FFDHE with TLS 1.3, server only has one group
5114 * E tests of ECDHE with TLS 1.2, server only has one group
5115 * F tests of FFDHE with TLS 1.2, server only has one group
5116 * E tests of ECDHE with TLS 1.3, client sends only one group
5117 * F tests of FFDHE with TLS 1.3, client sends only one group
5118 * E tests of ECDHE with TLS 1.2, client sends only one group
5119 * F tests of FFDHE with TLS 1.2, client sends only one group
5121 static int test_negotiated_group(int idx)
5123 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
5125 SSL_CTX *sctx = NULL, *cctx = NULL;
5126 SSL *serverssl = NULL, *clientssl = NULL;
5127 SSL_SESSION *origsess = NULL;
5130 int max_version = TLS1_3_VERSION;
5132 numec = OSSL_NELEM(ecdhe_kexch_groups);
5133 numff = OSSL_NELEM(ffdhe_kexch_groups);
5134 numgroups = numec + numff;
5135 clientmulti = (idx < 2 * numgroups);
5136 idx = idx % (2 * numgroups);
5137 istls13 = (idx < numgroups);
5138 idx = idx % numgroups;
5139 isecdhe = (idx < numec);
5142 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
5144 kexch_alg = ecdhe_kexch_groups[idx];
5146 kexch_alg = ffdhe_kexch_groups[idx];
5147 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
5148 if (!istls13 && !isecdhe)
5149 expectednid = NID_undef;
5151 expectednid = kexch_alg;
5154 max_version = TLS1_2_VERSION;
5156 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5157 TLS_client_method(), TLS1_VERSION,
5158 max_version, &sctx, &cctx, cert,
5163 * Force (EC)DHE ciphers for TLS 1.2.
5164 * Be sure to enable auto tmp DH so that FFDHE can succeed.
5166 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
5167 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5168 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
5169 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
5171 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5172 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5173 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
5176 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5180 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
5184 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5187 /* Initial handshake; always the configured one */
5188 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5189 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5192 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
5195 SSL_shutdown(clientssl);
5196 SSL_shutdown(serverssl);
5197 SSL_free(serverssl);
5198 SSL_free(clientssl);
5199 serverssl = clientssl = NULL;
5201 /* First resumption attempt; use the same config as initial handshake */
5202 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5204 || !TEST_true(SSL_set_session(clientssl, origsess))
5205 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5209 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5210 || !TEST_true(SSL_session_reused(clientssl)))
5213 /* Still had better agree, since nothing changed... */
5214 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5215 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5218 SSL_shutdown(clientssl);
5219 SSL_shutdown(serverssl);
5220 SSL_free(serverssl);
5221 SSL_free(clientssl);
5222 serverssl = clientssl = NULL;
5225 * Second resumption attempt
5226 * The party that picks one group changes it, which we effectuate by
5227 * changing 'idx' and updating what we expect.
5235 expectednid = ecdhe_kexch_groups[idx];
5237 expectednid = ffdhe_kexch_groups[idx];
5238 /* Verify that we are changing what we expect. */
5239 if (!TEST_int_ne(expectednid, kexch_alg))
5242 /* TLS 1.2 only supports named groups for ECDHE. */
5244 expectednid = kexch_alg;
5248 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5250 || !TEST_true(SSL_set_session(clientssl, origsess))
5251 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5255 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5256 || !TEST_true(SSL_session_reused(clientssl)))
5259 /* Check that we get what we expected */
5260 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5261 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5266 SSL_free(serverssl);
5267 SSL_free(clientssl);
5270 SSL_SESSION_free(origsess);
5273 # endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
5276 * Test TLSv1.3 Cipher Suite
5277 * Test 0 = Set TLS1.3 cipher on context
5278 * Test 1 = Set TLS1.3 cipher on SSL
5279 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
5280 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
5282 static int test_tls13_ciphersuite(int idx)
5284 SSL_CTX *sctx = NULL, *cctx = NULL;
5285 SSL *serverssl = NULL, *clientssl = NULL;
5286 static const struct {
5287 const char *ciphername;
5291 { TLS1_3_RFC_AES_128_GCM_SHA256, 1, 0 },
5292 { TLS1_3_RFC_AES_256_GCM_SHA384, 1, 0 },
5293 { TLS1_3_RFC_AES_128_CCM_SHA256, 1, 0 },
5294 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5295 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5296 { TLS1_3_RFC_AES_256_GCM_SHA384
5297 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5299 /* CCM8 ciphers are considered low security due to their short tag */
5300 { TLS1_3_RFC_AES_128_CCM_8_SHA256
5301 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1, 1 }
5303 const char *t13_cipher = NULL;
5304 const char *t12_cipher = NULL;
5305 const char *negotiated_scipher;
5306 const char *negotiated_ccipher;
5322 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5326 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5330 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
5331 # ifdef OPENSSL_NO_TLS1_2
5332 if (max_ver == TLS1_2_VERSION)
5335 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
5336 if (is_fips && !t13_ciphers[i].fipscapable)
5338 t13_cipher = t13_ciphers[i].ciphername;
5339 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5340 TLS_client_method(),
5341 TLS1_VERSION, max_ver,
5342 &sctx, &cctx, cert, privkey)))
5345 if (t13_ciphers[i].low_security) {
5346 SSL_CTX_set_security_level(sctx, 0);
5347 SSL_CTX_set_security_level(cctx, 0);
5351 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
5352 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
5354 if (t12_cipher != NULL) {
5355 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
5356 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
5362 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5363 &clientssl, NULL, NULL)))
5367 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5368 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5370 if (t12_cipher != NULL) {
5371 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5372 || !TEST_true(SSL_set_cipher_list(clientssl,
5378 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5382 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5384 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5386 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5390 * TEST_strn_eq is used below because t13_cipher can contain
5391 * multiple ciphersuites
5393 if (max_ver == TLS1_3_VERSION
5394 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5395 strlen(negotiated_scipher)))
5398 # ifndef OPENSSL_NO_TLS1_2
5399 /* Below validation is not done when t12_cipher is NULL */
5400 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5401 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5405 SSL_free(serverssl);
5407 SSL_free(clientssl);
5418 SSL_free(serverssl);
5419 SSL_free(clientssl);
5427 * Test 0 = Test new style callbacks
5428 * Test 1 = Test both new and old style callbacks
5429 * Test 2 = Test old style callbacks
5430 * Test 3 = Test old style callbacks with no certificate
5432 static int test_tls13_psk(int idx)
5434 SSL_CTX *sctx = NULL, *cctx = NULL;
5435 SSL *serverssl = NULL, *clientssl = NULL;
5436 const SSL_CIPHER *cipher = NULL;
5437 const unsigned char key[] = {
5438 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5439 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
5440 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5441 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
5445 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5446 TLS_client_method(), TLS1_VERSION, 0,
5447 &sctx, &cctx, idx == 3 ? NULL : cert,
5448 idx == 3 ? NULL : privkey)))
5453 * We use a ciphersuite with SHA256 to ease testing old style PSK
5454 * callbacks which will always default to SHA256. This should not be
5455 * necessary if we have no cert/priv key. In that case the server should
5456 * prefer SHA256 automatically.
5458 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5459 "TLS_AES_128_GCM_SHA256")))
5463 * As noted above the server should prefer SHA256 automatically. However
5464 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5465 * code works even if we are testing with only the FIPS provider loaded.
5467 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5468 "TLS_AES_256_GCM_SHA384:"
5469 "TLS_AES_128_GCM_SHA256")))
5474 * Test 0: New style callbacks only
5475 * Test 1: New and old style callbacks (only the new ones should be used)
5476 * Test 2: Old style callbacks only
5478 if (idx == 0 || idx == 1) {
5479 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5480 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5482 #ifndef OPENSSL_NO_PSK
5484 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5485 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5489 use_session_cb_cnt = 0;
5490 find_session_cb_cnt = 0;
5491 psk_client_cb_cnt = 0;
5492 psk_server_cb_cnt = 0;
5496 * Check we can create a connection if callback decides not to send a
5499 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5501 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5503 || !TEST_false(SSL_session_reused(clientssl))
5504 || !TEST_false(SSL_session_reused(serverssl)))
5507 if (idx == 0 || idx == 1) {
5508 if (!TEST_true(use_session_cb_cnt == 1)
5509 || !TEST_true(find_session_cb_cnt == 0)
5511 * If no old style callback then below should be 0
5514 || !TEST_true(psk_client_cb_cnt == idx)
5515 || !TEST_true(psk_server_cb_cnt == 0))
5518 if (!TEST_true(use_session_cb_cnt == 0)
5519 || !TEST_true(find_session_cb_cnt == 0)
5520 || !TEST_true(psk_client_cb_cnt == 1)
5521 || !TEST_true(psk_server_cb_cnt == 0))
5525 shutdown_ssl_connection(serverssl, clientssl);
5526 serverssl = clientssl = NULL;
5527 use_session_cb_cnt = psk_client_cb_cnt = 0;
5530 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5534 /* Create the PSK */
5535 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
5536 clientpsk = SSL_SESSION_new();
5537 if (!TEST_ptr(clientpsk)
5538 || !TEST_ptr(cipher)
5539 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5541 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5542 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5544 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
5546 serverpsk = clientpsk;
5548 /* Check we can create a connection and the PSK is used */
5549 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5550 || !TEST_true(SSL_session_reused(clientssl))
5551 || !TEST_true(SSL_session_reused(serverssl)))
5554 if (idx == 0 || idx == 1) {
5555 if (!TEST_true(use_session_cb_cnt == 1)
5556 || !TEST_true(find_session_cb_cnt == 1)
5557 || !TEST_true(psk_client_cb_cnt == 0)
5558 || !TEST_true(psk_server_cb_cnt == 0))
5561 if (!TEST_true(use_session_cb_cnt == 0)
5562 || !TEST_true(find_session_cb_cnt == 0)
5563 || !TEST_true(psk_client_cb_cnt == 1)
5564 || !TEST_true(psk_server_cb_cnt == 1))
5568 shutdown_ssl_connection(serverssl, clientssl);
5569 serverssl = clientssl = NULL;
5570 use_session_cb_cnt = find_session_cb_cnt = 0;
5571 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5573 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5578 #if defined(OPENSSL_NO_EC)
5579 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5582 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
5587 * Check we can create a connection, the PSK is used and the callbacks are
5590 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5591 || !TEST_true(SSL_session_reused(clientssl))
5592 || !TEST_true(SSL_session_reused(serverssl)))
5595 if (idx == 0 || idx == 1) {
5596 if (!TEST_true(use_session_cb_cnt == 2)
5597 || !TEST_true(find_session_cb_cnt == 2)
5598 || !TEST_true(psk_client_cb_cnt == 0)
5599 || !TEST_true(psk_server_cb_cnt == 0))
5602 if (!TEST_true(use_session_cb_cnt == 0)
5603 || !TEST_true(find_session_cb_cnt == 0)
5604 || !TEST_true(psk_client_cb_cnt == 2)
5605 || !TEST_true(psk_server_cb_cnt == 2))
5609 shutdown_ssl_connection(serverssl, clientssl);
5610 serverssl = clientssl = NULL;
5611 use_session_cb_cnt = find_session_cb_cnt = 0;
5612 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5616 * Check that if the server rejects the PSK we can still connect, but with
5619 srvid = "Dummy Identity";
5620 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5622 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5624 || !TEST_false(SSL_session_reused(clientssl))
5625 || !TEST_false(SSL_session_reused(serverssl)))
5628 if (idx == 0 || idx == 1) {
5629 if (!TEST_true(use_session_cb_cnt == 1)
5630 || !TEST_true(find_session_cb_cnt == 1)
5631 || !TEST_true(psk_client_cb_cnt == 0)
5633 * If no old style callback then below should be 0
5636 || !TEST_true(psk_server_cb_cnt == idx))
5639 if (!TEST_true(use_session_cb_cnt == 0)
5640 || !TEST_true(find_session_cb_cnt == 0)
5641 || !TEST_true(psk_client_cb_cnt == 1)
5642 || !TEST_true(psk_server_cb_cnt == 1))
5646 shutdown_ssl_connection(serverssl, clientssl);
5647 serverssl = clientssl = NULL;
5652 SSL_SESSION_free(clientpsk);
5653 SSL_SESSION_free(serverpsk);
5654 clientpsk = serverpsk = NULL;
5655 SSL_free(serverssl);
5656 SSL_free(clientssl);
5662 static unsigned char cookie_magic_value[] = "cookie magic";
5664 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5665 unsigned int *cookie_len)
5668 * Not suitable as a real cookie generation function but good enough for
5671 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5672 *cookie_len = sizeof(cookie_magic_value) - 1;
5677 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5678 unsigned int cookie_len)
5680 if (cookie_len == sizeof(cookie_magic_value) - 1
5681 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5687 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5691 int res = generate_cookie_callback(ssl, cookie, &temp);
5696 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5699 return verify_cookie_callback(ssl, cookie, cookie_len);
5702 static int test_stateless(void)
5704 SSL_CTX *sctx = NULL, *cctx = NULL;
5705 SSL *serverssl = NULL, *clientssl = NULL;
5708 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5709 TLS_client_method(), TLS1_VERSION, 0,
5710 &sctx, &cctx, cert, privkey)))
5713 /* The arrival of CCS messages can confuse the test */
5714 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5716 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5718 /* Send the first ClientHello */
5719 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5720 SSL_ERROR_WANT_READ))
5722 * This should fail with a -1 return because we have no callbacks
5725 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5728 /* Fatal error so abandon the connection from this client */
5729 SSL_free(clientssl);
5732 /* Set up the cookie generation and verification callbacks */
5733 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5734 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
5737 * Create a new connection from the client (we can reuse the server SSL
5740 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5742 /* Send the first ClientHello */
5743 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5744 SSL_ERROR_WANT_READ))
5745 /* This should fail because there is no cookie */
5746 || !TEST_int_eq(SSL_stateless(serverssl), 0))
5749 /* Abandon the connection from this client */
5750 SSL_free(clientssl);
5754 * Now create a connection from a new client but with the same server SSL
5757 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5759 /* Send the first ClientHello */
5760 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5761 SSL_ERROR_WANT_READ))
5762 /* This should fail because there is no cookie */
5763 || !TEST_int_eq(SSL_stateless(serverssl), 0)
5764 /* Send the second ClientHello */
5765 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5766 SSL_ERROR_WANT_READ))
5767 /* This should succeed because a cookie is now present */
5768 || !TEST_int_eq(SSL_stateless(serverssl), 1)
5769 /* Complete the connection */
5770 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5774 shutdown_ssl_connection(serverssl, clientssl);
5775 serverssl = clientssl = NULL;
5779 SSL_free(serverssl);
5780 SSL_free(clientssl);
5786 #endif /* OSSL_NO_USABLE_TLS1_3 */
5788 static int clntaddoldcb = 0;
5789 static int clntparseoldcb = 0;
5790 static int srvaddoldcb = 0;
5791 static int srvparseoldcb = 0;
5792 static int clntaddnewcb = 0;
5793 static int clntparsenewcb = 0;
5794 static int srvaddnewcb = 0;
5795 static int srvparsenewcb = 0;
5796 static int snicb = 0;
5798 #define TEST_EXT_TYPE1 0xff00
5800 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5801 size_t *outlen, int *al, void *add_arg)
5803 int *server = (int *)add_arg;
5804 unsigned char *data;
5806 if (SSL_is_server(s))
5811 if (*server != SSL_is_server(s)
5812 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5817 *outlen = sizeof(char);
5821 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5824 OPENSSL_free((unsigned char *)out);
5827 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5828 size_t inlen, int *al, void *parse_arg)
5830 int *server = (int *)parse_arg;
5832 if (SSL_is_server(s))
5837 if (*server != SSL_is_server(s)
5838 || inlen != sizeof(char)
5845 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5846 const unsigned char **out, size_t *outlen, X509 *x,
5847 size_t chainidx, int *al, void *add_arg)
5849 int *server = (int *)add_arg;
5850 unsigned char *data;
5852 if (SSL_is_server(s))
5857 if (*server != SSL_is_server(s)
5858 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5863 *outlen = sizeof(*data);
5867 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5868 const unsigned char *out, void *add_arg)
5870 OPENSSL_free((unsigned char *)out);
5873 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5874 const unsigned char *in, size_t inlen, X509 *x,
5875 size_t chainidx, int *al, void *parse_arg)
5877 int *server = (int *)parse_arg;
5879 if (SSL_is_server(s))
5884 if (*server != SSL_is_server(s)
5885 || inlen != sizeof(char) || *in != 1)
5891 static int sni_cb(SSL *s, int *al, void *arg)
5893 SSL_CTX *ctx = (SSL_CTX *)arg;
5895 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5896 *al = SSL_AD_INTERNAL_ERROR;
5897 return SSL_TLSEXT_ERR_ALERT_FATAL;
5900 return SSL_TLSEXT_ERR_OK;
5903 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
5909 * Custom call back tests.
5910 * Test 0: Old style callbacks in TLSv1.2
5911 * Test 1: New style callbacks in TLSv1.2
5912 * Test 2: New style callbacks in TLSv1.2 with SNI
5913 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5914 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
5915 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
5917 static int test_custom_exts(int tst)
5919 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5920 SSL *clientssl = NULL, *serverssl = NULL;
5922 static int server = 1;
5923 static int client = 0;
5924 SSL_SESSION *sess = NULL;
5925 unsigned int context;
5927 #if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
5928 /* Skip tests for TLSv1.2 and below in this case */
5933 /* Reset callback counters */
5934 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5935 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
5938 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5939 TLS_client_method(), TLS1_VERSION, 0,
5940 &sctx, &cctx, cert, privkey)))
5944 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5946 &sctx2, NULL, cert, privkey)))
5951 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5952 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
5954 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
5958 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
5959 | SSL_EXT_TLS1_3_CERTIFICATE;
5960 SSL_CTX_set_verify(sctx,
5961 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
5963 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
5964 SSL_FILETYPE_PEM), 1)
5965 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
5966 SSL_FILETYPE_PEM), 1)
5967 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
5969 } else if (tst == 4) {
5970 context = SSL_EXT_CLIENT_HELLO
5971 | SSL_EXT_TLS1_2_SERVER_HELLO
5972 | SSL_EXT_TLS1_3_SERVER_HELLO
5973 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5974 | SSL_EXT_TLS1_3_CERTIFICATE
5975 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5977 context = SSL_EXT_CLIENT_HELLO
5978 | SSL_EXT_TLS1_2_SERVER_HELLO
5979 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5982 /* Create a client side custom extension */
5984 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5985 old_add_cb, old_free_cb,
5986 &client, old_parse_cb,
5990 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5991 new_add_cb, new_free_cb,
5992 &client, new_parse_cb, &client)))
5996 /* Should not be able to add duplicates */
5997 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5998 old_add_cb, old_free_cb,
5999 &client, old_parse_cb,
6001 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
6002 context, new_add_cb,
6003 new_free_cb, &client,
6004 new_parse_cb, &client)))
6007 /* Create a server side custom extension */
6009 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
6010 old_add_cb, old_free_cb,
6011 &server, old_parse_cb,
6015 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
6016 new_add_cb, new_free_cb,
6017 &server, new_parse_cb, &server)))
6020 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
6021 context, new_add_cb,
6022 new_free_cb, &server,
6023 new_parse_cb, &server)))
6027 /* Should not be able to add duplicates */
6028 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
6029 old_add_cb, old_free_cb,
6030 &server, old_parse_cb,
6032 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
6033 context, new_add_cb,
6034 new_free_cb, &server,
6035 new_parse_cb, &server)))
6040 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
6041 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
6045 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6046 &clientssl, NULL, NULL))
6047 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6052 if (clntaddoldcb != 1
6053 || clntparseoldcb != 1
6055 || srvparseoldcb != 1)
6057 } else if (tst == 1 || tst == 2 || tst == 3) {
6058 if (clntaddnewcb != 1
6059 || clntparsenewcb != 1
6061 || srvparsenewcb != 1
6062 || (tst != 2 && snicb != 0)
6063 || (tst == 2 && snicb != 1))
6065 } else if (tst == 5) {
6066 if (clntaddnewcb != 1
6067 || clntparsenewcb != 1
6069 || srvparsenewcb != 1)
6072 /* In this case there 2 NewSessionTicket messages created */
6073 if (clntaddnewcb != 1
6074 || clntparsenewcb != 5
6076 || srvparsenewcb != 1)
6080 sess = SSL_get1_session(clientssl);
6081 SSL_shutdown(clientssl);
6082 SSL_shutdown(serverssl);
6083 SSL_free(serverssl);
6084 SSL_free(clientssl);
6085 serverssl = clientssl = NULL;
6087 if (tst == 3 || tst == 5) {
6088 /* We don't bother with the resumption aspects for these tests */
6093 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6095 || !TEST_true(SSL_set_session(clientssl, sess))
6096 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6101 * For a resumed session we expect to add the ClientHello extension. For the
6102 * old style callbacks we ignore it on the server side because they set
6103 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
6107 if (clntaddoldcb != 2
6108 || clntparseoldcb != 1
6110 || srvparseoldcb != 1)
6112 } else if (tst == 1 || tst == 2 || tst == 3) {
6113 if (clntaddnewcb != 2
6114 || clntparsenewcb != 2
6116 || srvparsenewcb != 2)
6120 * No Certificate message extensions in the resumption handshake,
6121 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
6123 if (clntaddnewcb != 2
6124 || clntparsenewcb != 8
6126 || srvparsenewcb != 2)
6133 SSL_SESSION_free(sess);
6134 SSL_free(serverssl);
6135 SSL_free(clientssl);
6136 SSL_CTX_free(sctx2);
6142 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
6144 #define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \
6145 | SSL_EXT_CLIENT_HELLO \
6146 | SSL_EXT_TLS1_2_SERVER_HELLO \
6147 | SSL_EXT_IGNORE_ON_RESUMPTION)
6149 #define TLS13CONTEXT (SSL_EXT_TLS1_3_CERTIFICATE \
6150 | SSL_EXT_TLS1_2_SERVER_HELLO \
6151 | SSL_EXT_CLIENT_HELLO)
6153 #define SERVERINFO_CUSTOM \
6154 0x00, (char)TLSEXT_TYPE_signed_certificate_timestamp, \
6158 static const unsigned char serverinfo_custom_tls13[] = {
6159 0x00, 0x00, (TLS13CONTEXT >> 8) & 0xff, TLS13CONTEXT & 0xff,
6162 static const unsigned char serverinfo_custom_v2[] = {
6163 0x00, 0x00, (SYNTHV1CONTEXT >> 8) & 0xff, SYNTHV1CONTEXT & 0xff,
6166 static const unsigned char serverinfo_custom_v1[] = {
6169 static const size_t serverinfo_custom_tls13_len = sizeof(serverinfo_custom_tls13);
6170 static const size_t serverinfo_custom_v2_len = sizeof(serverinfo_custom_v2);
6171 static const size_t serverinfo_custom_v1_len = sizeof(serverinfo_custom_v1);
6173 static int serverinfo_custom_parse_cb(SSL *s, unsigned int ext_type,
6174 unsigned int context,
6175 const unsigned char *in,
6176 size_t inlen, X509 *x,
6177 size_t chainidx, int *al,
6180 const size_t len = serverinfo_custom_v1_len;
6181 const unsigned char *si = &serverinfo_custom_v1[len - 3];
6182 int *p_cb_result = (int*)parse_arg;
6183 *p_cb_result = TEST_mem_eq(in, inlen, si, 3);
6187 static int test_serverinfo_custom(const int idx)
6189 SSL_CTX *sctx = NULL, *cctx = NULL;
6190 SSL *clientssl = NULL, *serverssl = NULL;
6195 * Following variables are set in the switch statement
6196 * according to the test iteration.
6197 * Default values do not make much sense: test would fail with them.
6199 int serverinfo_version = 0;
6200 int protocol_version = 0;
6201 unsigned int extension_context = 0;
6202 const unsigned char *si = NULL;
6205 const int call_use_serverinfo_ex = idx > 0;
6207 case 0: /* FALLTHROUGH */
6209 serverinfo_version = SSL_SERVERINFOV1;
6210 protocol_version = TLS1_2_VERSION;
6211 extension_context = SYNTHV1CONTEXT;
6212 si = serverinfo_custom_v1;
6213 si_len = serverinfo_custom_v1_len;
6216 serverinfo_version = SSL_SERVERINFOV2;
6217 protocol_version = TLS1_2_VERSION;
6218 extension_context = SYNTHV1CONTEXT;
6219 si = serverinfo_custom_v2;
6220 si_len = serverinfo_custom_v2_len;
6223 serverinfo_version = SSL_SERVERINFOV2;
6224 protocol_version = TLS1_3_VERSION;
6225 extension_context = TLS13CONTEXT;
6226 si = serverinfo_custom_tls13;
6227 si_len = serverinfo_custom_tls13_len;
6231 if (!TEST_true(create_ssl_ctx_pair(libctx,
6236 &sctx, &cctx, cert, privkey)))
6239 if (call_use_serverinfo_ex) {
6240 if (!TEST_true(SSL_CTX_use_serverinfo_ex(sctx, serverinfo_version,
6244 if (!TEST_true(SSL_CTX_use_serverinfo(sctx, si, si_len)))
6248 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TLSEXT_TYPE_signed_certificate_timestamp,
6251 serverinfo_custom_parse_cb,
6253 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6255 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6257 || !TEST_int_eq(SSL_do_handshake(clientssl), 1))
6260 if (!TEST_true(cb_result))
6266 SSL_free(serverssl);
6267 SSL_free(clientssl);
6276 * Test that SSL_export_keying_material() produces expected results. There are
6277 * no test vectors so all we do is test that both sides of the communication
6278 * produce the same results for different protocol versions.
6280 #define SMALL_LABEL_LEN 10
6281 #define LONG_LABEL_LEN 249
6282 static int test_export_key_mat(int tst)
6285 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
6286 SSL *clientssl = NULL, *serverssl = NULL;
6287 const char label[LONG_LABEL_LEN + 1] = "test label";
6288 const unsigned char context[] = "context";
6289 const unsigned char *emptycontext = NULL;
6290 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
6291 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
6293 const int protocols[] = {
6302 #ifdef OPENSSL_NO_TLS1
6306 #ifdef OPENSSL_NO_TLS1_1
6310 if (is_fips && (tst == 0 || tst == 1))
6312 #ifdef OPENSSL_NO_TLS1_2
6316 #ifdef OSSL_NO_USABLE_TLS1_3
6320 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6321 TLS_client_method(), TLS1_VERSION, 0,
6322 &sctx, &cctx, cert, privkey)))
6325 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
6326 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
6327 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
6328 if ((protocols[tst] < TLS1_2_VERSION) &&
6329 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
6330 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
6333 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6338 * Premature call of SSL_export_keying_material should just fail.
6340 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6341 sizeof(ckeymat1), label,
6342 SMALL_LABEL_LEN + 1, context,
6343 sizeof(context) - 1, 1), 0))
6346 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6352 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
6355 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6356 sizeof(ckeymat1), label,
6357 LONG_LABEL_LEN + 1, context,
6358 sizeof(context) - 1, 1), 0))
6363 } else if (tst == 4) {
6364 labellen = LONG_LABEL_LEN;
6366 labellen = SMALL_LABEL_LEN;
6369 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
6370 sizeof(ckeymat1), label,
6372 sizeof(context) - 1, 1), 1)
6373 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
6374 sizeof(ckeymat2), label,
6378 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
6379 sizeof(ckeymat3), label,
6382 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
6383 sizeof(skeymat1), label,
6386 sizeof(context) -1, 1),
6388 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
6389 sizeof(skeymat2), label,
6393 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
6394 sizeof(skeymat3), label,
6398 * Check that both sides created the same key material with the
6401 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6404 * Check that both sides created the same key material with an
6407 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6410 * Check that both sides created the same key material without a
6413 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
6415 /* Different contexts should produce different results */
6416 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6421 * Check that an empty context and no context produce different results in
6422 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6424 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
6426 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
6433 SSL_free(serverssl);
6434 SSL_free(clientssl);
6435 SSL_CTX_free(sctx2);
6442 #ifndef OSSL_NO_USABLE_TLS1_3
6444 * Test that SSL_export_keying_material_early() produces expected
6445 * results. There are no test vectors so all we do is test that both
6446 * sides of the communication produce the same results for different
6447 * protocol versions.
6449 static int test_export_key_mat_early(int idx)
6451 static const char label[] = "test label";
6452 static const unsigned char context[] = "context";
6454 SSL_CTX *cctx = NULL, *sctx = NULL;
6455 SSL *clientssl = NULL, *serverssl = NULL;
6456 SSL_SESSION *sess = NULL;
6457 const unsigned char *emptycontext = NULL;
6458 unsigned char ckeymat1[80], ckeymat2[80];
6459 unsigned char skeymat1[80], skeymat2[80];
6460 unsigned char buf[1];
6461 size_t readbytes, written;
6463 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
6464 &sess, idx, SHA384_DIGEST_LENGTH)))
6467 /* Here writing 0 length early data is enough. */
6468 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6469 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6471 SSL_READ_EARLY_DATA_ERROR)
6472 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6473 SSL_EARLY_DATA_ACCEPTED))
6476 if (!TEST_int_eq(SSL_export_keying_material_early(
6477 clientssl, ckeymat1, sizeof(ckeymat1), label,
6478 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6479 || !TEST_int_eq(SSL_export_keying_material_early(
6480 clientssl, ckeymat2, sizeof(ckeymat2), label,
6481 sizeof(label) - 1, emptycontext, 0), 1)
6482 || !TEST_int_eq(SSL_export_keying_material_early(
6483 serverssl, skeymat1, sizeof(skeymat1), label,
6484 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6485 || !TEST_int_eq(SSL_export_keying_material_early(
6486 serverssl, skeymat2, sizeof(skeymat2), label,
6487 sizeof(label) - 1, emptycontext, 0), 1)
6489 * Check that both sides created the same key material with the
6492 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6495 * Check that both sides created the same key material with an
6498 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6500 /* Different contexts should produce different results */
6501 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6508 SSL_SESSION_free(sess);
6509 SSL_SESSION_free(clientpsk);
6510 SSL_SESSION_free(serverpsk);
6511 clientpsk = serverpsk = NULL;
6512 SSL_free(serverssl);
6513 SSL_free(clientssl);
6520 #define NUM_KEY_UPDATE_MESSAGES 40
6524 static int test_key_update(void)
6526 SSL_CTX *cctx = NULL, *sctx = NULL;
6527 SSL *clientssl = NULL, *serverssl = NULL;
6528 int testresult = 0, i, j;
6530 static char *mess = "A test message";
6532 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6533 TLS_client_method(),
6536 &sctx, &cctx, cert, privkey))
6537 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6539 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6543 for (j = 0; j < 2; j++) {
6544 /* Send lots of KeyUpdate messages */
6545 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6546 if (!TEST_true(SSL_key_update(clientssl,
6548 ? SSL_KEY_UPDATE_NOT_REQUESTED
6549 : SSL_KEY_UPDATE_REQUESTED))
6550 || !TEST_true(SSL_do_handshake(clientssl)))
6554 /* Check that sending and receiving app data is ok */
6555 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6556 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6560 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6561 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6569 SSL_free(serverssl);
6570 SSL_free(clientssl);
6578 * Test we can handle a KeyUpdate (update requested) message while
6579 * write data is pending in peer.
6580 * Test 0: Client sends KeyUpdate while Server is writing
6581 * Test 1: Server sends KeyUpdate while Client is writing
6583 static int test_key_update_peer_in_write(int tst)
6585 SSL_CTX *cctx = NULL, *sctx = NULL;
6586 SSL *clientssl = NULL, *serverssl = NULL;
6589 static char *mess = "A test message";
6590 BIO *bretry = BIO_new(bio_s_always_retry());
6592 SSL *peerupdate = NULL, *peerwrite = NULL;
6594 if (!TEST_ptr(bretry)
6595 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6596 TLS_client_method(),
6599 &sctx, &cctx, cert, privkey))
6600 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6602 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6606 peerupdate = tst == 0 ? clientssl : serverssl;
6607 peerwrite = tst == 0 ? serverssl : clientssl;
6609 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
6610 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
6613 /* Swap the writing endpoint's write BIO to force a retry */
6614 tmp = SSL_get_wbio(peerwrite);
6615 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6619 SSL_set0_wbio(peerwrite, bretry);
6622 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6623 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6624 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
6627 /* Reinstate the original writing endpoint's write BIO */
6628 SSL_set0_wbio(peerwrite, tmp);
6631 /* Now read some data - we will read the key update */
6632 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6633 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
6637 * Complete the write we started previously and read it from the other
6640 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6641 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6644 /* Write more data to ensure we send the KeyUpdate message back */
6645 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6646 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6652 SSL_free(serverssl);
6653 SSL_free(clientssl);
6663 * Test we can handle a KeyUpdate (update requested) message while
6664 * peer read data is pending after peer accepted keyupdate(the msg header
6665 * had been read 5 bytes).
6666 * Test 0: Client sends KeyUpdate while Server is reading
6667 * Test 1: Server sends KeyUpdate while Client is reading
6669 static int test_key_update_peer_in_read(int tst)
6671 SSL_CTX *cctx = NULL, *sctx = NULL;
6672 SSL *clientssl = NULL, *serverssl = NULL;
6674 char prbuf[515], lwbuf[515] = {0};
6675 static char *mess = "A test message";
6676 BIO *lbio = NULL, *pbio = NULL;
6677 SSL *local = NULL, *peer = NULL;
6679 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6680 TLS_client_method(),
6683 &sctx, &cctx, cert, privkey))
6684 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6686 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6690 local = tst == 0 ? clientssl : serverssl;
6691 peer = tst == 0 ? serverssl : clientssl;
6693 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6696 SSL_set_bio(local, lbio, lbio);
6697 SSL_set_bio(peer, pbio, pbio);
6700 * we first write keyupdate msg then appdata in local
6701 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6702 * lwbuf app data msg size + key updata msg size > 512(the size of
6703 * the bio pair buffer)
6705 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6706 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
6707 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6711 * first read keyupdate msg in peer in peer
6712 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6714 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
6715 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
6718 /* Now write some data in peer - we will write the key update */
6719 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
6723 * write data in local previously that we will complete
6724 * read data in peer previously that we will complete
6726 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
6727 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
6730 /* check that sending and receiving appdata ok */
6731 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6732 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6738 SSL_free(serverssl);
6739 SSL_free(clientssl);
6747 * Test we can't send a KeyUpdate (update requested) message while
6748 * local write data is pending.
6749 * Test 0: Client sends KeyUpdate while Client is writing
6750 * Test 1: Server sends KeyUpdate while Server is writing
6752 static int test_key_update_local_in_write(int tst)
6754 SSL_CTX *cctx = NULL, *sctx = NULL;
6755 SSL *clientssl = NULL, *serverssl = NULL;
6758 static char *mess = "A test message";
6759 BIO *bretry = BIO_new(bio_s_always_retry());
6761 SSL *local = NULL, *peer = NULL;
6763 if (!TEST_ptr(bretry)
6764 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6765 TLS_client_method(),
6768 &sctx, &cctx, cert, privkey))
6769 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6771 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6775 local = tst == 0 ? clientssl : serverssl;
6776 peer = tst == 0 ? serverssl : clientssl;
6778 /* Swap the writing endpoint's write BIO to force a retry */
6779 tmp = SSL_get_wbio(local);
6780 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6784 SSL_set0_wbio(local, bretry);
6787 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
6788 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
6789 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6792 /* Reinstate the original writing endpoint's write BIO */
6793 SSL_set0_wbio(local, tmp);
6796 /* SSL_key_update will fail, because writing in local*/
6797 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6798 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
6802 /* write data in local previously that we will complete */
6803 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
6806 /* SSL_key_update will succeed because there is no pending write data */
6807 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6808 || !TEST_int_eq(SSL_do_handshake(local), 1))
6812 * we write some appdata in local
6813 * read data in peer - we will read the keyupdate msg
6815 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6816 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
6819 /* Write more peer more data to ensure we send the keyupdate message back */
6820 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6821 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
6827 SSL_free(serverssl);
6828 SSL_free(clientssl);
6838 * Test we can handle a KeyUpdate (update requested) message while
6839 * local read data is pending(the msg header had been read 5 bytes).
6840 * Test 0: Client sends KeyUpdate while Client is reading
6841 * Test 1: Server sends KeyUpdate while Server is reading
6843 static int test_key_update_local_in_read(int tst)
6845 SSL_CTX *cctx = NULL, *sctx = NULL;
6846 SSL *clientssl = NULL, *serverssl = NULL;
6848 char lrbuf[515], pwbuf[515] = {0}, prbuf[20];
6849 static char *mess = "A test message";
6850 BIO *lbio = NULL, *pbio = NULL;
6851 SSL *local = NULL, *peer = NULL;
6853 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6854 TLS_client_method(),
6857 &sctx, &cctx, cert, privkey))
6858 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6860 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6864 local = tst == 0 ? clientssl : serverssl;
6865 peer = tst == 0 ? serverssl : clientssl;
6867 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6870 SSL_set_bio(local, lbio, lbio);
6871 SSL_set_bio(peer, pbio, pbio);
6873 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
6874 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
6875 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
6878 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
6879 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
6880 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
6883 /* SSL_do_handshake will send keyupdate msg */
6884 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6885 || !TEST_int_eq(SSL_do_handshake(local), 1))
6889 * write data in peer previously that we will complete
6890 * read data in local previously that we will complete
6892 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
6893 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
6897 * write data in local
6898 * read data in peer - we will read the key update
6900 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6901 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6904 /* Write more peer data to ensure we send the keyupdate message back */
6905 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6906 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
6912 SSL_free(serverssl);
6913 SSL_free(clientssl);
6919 #endif /* OSSL_NO_USABLE_TLS1_3 */
6921 static int test_ssl_clear(int idx)
6923 SSL_CTX *cctx = NULL, *sctx = NULL;
6924 SSL *clientssl = NULL, *serverssl = NULL;
6927 #ifdef OPENSSL_NO_TLS1_2
6932 /* Create an initial connection */
6933 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6934 TLS_client_method(), TLS1_VERSION, 0,
6935 &sctx, &cctx, cert, privkey))
6937 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
6939 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6940 &clientssl, NULL, NULL))
6941 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6945 SSL_shutdown(clientssl);
6946 SSL_shutdown(serverssl);
6947 SSL_free(serverssl);
6950 /* Clear clientssl - we're going to reuse the object */
6951 if (!TEST_true(SSL_clear(clientssl)))
6954 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6956 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6958 || !TEST_true(SSL_session_reused(clientssl)))
6961 SSL_shutdown(clientssl);
6962 SSL_shutdown(serverssl);
6967 SSL_free(serverssl);
6968 SSL_free(clientssl);
6975 /* Parse CH and retrieve any MFL extension value if present */
6976 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
6979 unsigned char *data;
6980 PACKET pkt, pkt2, pkt3;
6981 unsigned int MFL_code = 0, type = 0;
6983 if (!TEST_uint_gt(len = BIO_get_mem_data(bio, (char **) &data), 0))
6986 memset(&pkt, 0, sizeof(pkt));
6987 memset(&pkt2, 0, sizeof(pkt2));
6988 memset(&pkt3, 0, sizeof(pkt3));
6990 if (!TEST_long_gt(len, 0)
6991 || !TEST_true(PACKET_buf_init(&pkt, data, len))
6992 /* Skip the record header */
6993 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
6994 /* Skip the handshake message header */
6995 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
6996 /* Skip client version and random */
6997 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
6998 + SSL3_RANDOM_SIZE))
6999 /* Skip session id */
7000 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
7002 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
7003 /* Skip compression */
7004 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
7005 /* Extensions len */
7006 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
7009 /* Loop through all extensions */
7010 while (PACKET_remaining(&pkt2)) {
7011 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
7012 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
7015 if (type == TLSEXT_TYPE_max_fragment_length) {
7016 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
7017 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
7020 *mfl_codemfl_code = MFL_code;
7029 /* Maximum-Fragment-Length TLS extension mode to test */
7030 static const unsigned char max_fragment_len_test[] = {
7031 TLSEXT_max_fragment_length_512,
7032 TLSEXT_max_fragment_length_1024,
7033 TLSEXT_max_fragment_length_2048,
7034 TLSEXT_max_fragment_length_4096
7037 static int test_max_fragment_len_ext(int idx_tst)
7039 SSL_CTX *ctx = NULL;
7041 int testresult = 0, MFL_mode = 0;
7044 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
7045 TLS1_VERSION, 0, NULL, &ctx, NULL,
7049 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
7050 ctx, max_fragment_len_test[idx_tst])))
7057 rbio = BIO_new(BIO_s_mem());
7058 wbio = BIO_new(BIO_s_mem());
7059 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
7065 SSL_set_bio(con, rbio, wbio);
7067 if (!TEST_int_le(SSL_connect(con), 0)) {
7068 /* This shouldn't succeed because we don't have a server! */
7072 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
7073 /* no MFL in client hello */
7075 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
7087 #ifndef OSSL_NO_USABLE_TLS1_3
7088 static int test_pha_key_update(void)
7090 SSL_CTX *cctx = NULL, *sctx = NULL;
7091 SSL *clientssl = NULL, *serverssl = NULL;
7094 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7095 TLS_client_method(), TLS1_VERSION, 0,
7096 &sctx, &cctx, cert, privkey)))
7099 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
7100 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
7101 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
7102 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
7105 SSL_CTX_set_post_handshake_auth(cctx, 1);
7107 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7111 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7115 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7116 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7119 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
7122 /* Start handshake on the server */
7123 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
7126 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
7127 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7131 SSL_shutdown(clientssl);
7132 SSL_shutdown(serverssl);
7137 SSL_free(serverssl);
7138 SSL_free(clientssl);
7145 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7147 static SRP_VBASE *vbase = NULL;
7149 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
7151 int ret = SSL3_AL_FATAL;
7153 SRP_user_pwd *user = NULL;
7155 username = SSL_get_srp_username(s);
7156 if (username == NULL) {
7157 *ad = SSL_AD_INTERNAL_ERROR;
7161 user = SRP_VBASE_get1_by_user(vbase, username);
7163 *ad = SSL_AD_INTERNAL_ERROR;
7167 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
7169 *ad = SSL_AD_INTERNAL_ERROR;
7176 SRP_user_pwd_free(user);
7180 static int create_new_vfile(char *userid, char *password, const char *filename)
7183 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
7186 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
7189 if (!TEST_ptr(dummy) || !TEST_ptr(row))
7192 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
7193 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
7194 if (!TEST_ptr(gNid))
7198 * The only way to create an empty TXT_DB is to provide a BIO with no data
7201 db = TXT_DB_read(dummy, DB_NUMBER);
7205 out = BIO_new_file(filename, "w");
7209 row[DB_srpid] = OPENSSL_strdup(userid);
7210 row[DB_srptype] = OPENSSL_strdup("V");
7211 row[DB_srpgN] = OPENSSL_strdup(gNid);
7213 if (!TEST_ptr(row[DB_srpid])
7214 || !TEST_ptr(row[DB_srptype])
7215 || !TEST_ptr(row[DB_srpgN])
7216 || !TEST_true(TXT_DB_insert(db, row)))
7221 if (TXT_DB_write(out, db) <= 0)
7227 for (i = 0; i < DB_NUMBER; i++)
7228 OPENSSL_free(row[i]);
7238 static int create_new_vbase(char *userid, char *password)
7240 BIGNUM *verifier = NULL, *salt = NULL;
7241 const SRP_gN *lgN = NULL;
7242 SRP_user_pwd *user_pwd = NULL;
7245 lgN = SRP_get_default_gN(NULL);
7249 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
7250 lgN->N, lgN->g, libctx, NULL)))
7253 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
7254 if (!TEST_ptr(user_pwd))
7257 user_pwd->N = lgN->N;
7258 user_pwd->g = lgN->g;
7259 user_pwd->id = OPENSSL_strdup(userid);
7260 if (!TEST_ptr(user_pwd->id))
7263 user_pwd->v = verifier;
7265 verifier = salt = NULL;
7267 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
7273 SRP_user_pwd_free(user_pwd);
7283 * Test 0: Simple successful SRP connection, new vbase
7284 * Test 1: Connection failure due to bad password, new vbase
7285 * Test 2: Simple successful SRP connection, vbase loaded from existing file
7286 * Test 3: Connection failure due to bad password, vbase loaded from existing
7288 * Test 4: Simple successful SRP connection, vbase loaded from new file
7289 * Test 5: Connection failure due to bad password, vbase loaded from new file
7291 static int test_srp(int tst)
7293 char *userid = "test", *password = "password", *tstsrpfile;
7294 SSL_CTX *cctx = NULL, *sctx = NULL;
7295 SSL *clientssl = NULL, *serverssl = NULL;
7296 int ret, testresult = 0;
7298 vbase = SRP_VBASE_new(NULL);
7299 if (!TEST_ptr(vbase))
7302 if (tst == 0 || tst == 1) {
7303 if (!TEST_true(create_new_vbase(userid, password)))
7306 if (tst == 4 || tst == 5) {
7307 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
7309 tstsrpfile = tmpfilename;
7311 tstsrpfile = srpvfile;
7313 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
7317 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7318 TLS_client_method(), TLS1_VERSION, 0,
7319 &sctx, &cctx, cert, privkey)))
7322 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
7323 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
7324 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
7325 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
7326 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
7330 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
7333 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
7337 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7341 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7343 if (!TEST_true(tst % 2 == 0))
7346 if (!TEST_true(tst % 2 == 1))
7353 SRP_VBASE_free(vbase);
7355 SSL_free(serverssl);
7356 SSL_free(clientssl);
7364 static int info_cb_failed = 0;
7365 static int info_cb_offset = 0;
7366 static int info_cb_this_state = -1;
7368 static struct info_cb_states_st {
7370 const char *statestr;
7371 } info_cb_states[][60] = {
7373 /* TLSv1.2 server followed by resumption */
7374 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7375 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7376 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
7377 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
7378 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
7379 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7380 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7381 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7382 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"},
7383 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7384 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
7385 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7386 {SSL_CB_EXIT, NULL}, {0, NULL},
7388 /* TLSv1.2 client followed by resumption */
7389 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7390 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7391 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
7392 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
7393 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
7394 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7395 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7396 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7397 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7398 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7399 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7400 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
7402 /* TLSv1.3 server followed by resumption */
7403 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7404 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7405 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
7406 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7407 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7408 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7409 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7410 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7411 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7412 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7413 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7414 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7415 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7417 /* TLSv1.3 client followed by resumption */
7418 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7419 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7420 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
7421 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7422 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7423 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7424 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7425 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7426 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7427 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7428 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7429 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7430 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7431 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7432 {SSL_CB_EXIT, NULL}, {0, NULL},
7434 /* TLSv1.3 server, early_data */
7435 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7436 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7437 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7438 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7439 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7440 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
7441 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7442 {SSL_CB_EXIT, NULL}, {0, NULL},
7444 /* TLSv1.3 client, early_data */
7445 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7446 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
7447 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7448 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7449 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7450 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
7451 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7452 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7453 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7455 /* TLSv1.3 server, certificate compression, followed by resumption */
7456 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7457 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7458 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSCC"},
7459 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7460 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7461 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7462 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7463 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7464 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7465 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7466 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7467 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7468 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7470 /* TLSv1.3 client, certificate compression, followed by resumption */
7471 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7472 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7473 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSCC"},
7474 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7475 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7476 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7477 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7478 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7479 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7480 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7481 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7482 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7483 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7484 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7485 {SSL_CB_EXIT, NULL}, {0, NULL},
7491 static void sslapi_info_callback(const SSL *s, int where, int ret)
7493 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
7495 /* We do not ever expect a connection to fail in this test */
7496 if (!TEST_false(ret == 0)) {
7502 * Do some sanity checks. We never expect these things to happen in this
7505 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
7506 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
7507 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
7512 /* Now check we're in the right state */
7513 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
7517 if ((where & SSL_CB_LOOP) != 0
7518 && !TEST_int_eq(strcmp(SSL_state_string(s),
7519 state[info_cb_this_state].statestr), 0)) {
7525 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7527 if ((where & SSL_CB_HANDSHAKE_DONE)
7528 && SSL_in_init((SSL *)s) != 0) {
7535 * Test the info callback gets called when we expect it to.
7537 * Test 0: TLSv1.2, server
7538 * Test 1: TLSv1.2, client
7539 * Test 2: TLSv1.3, server
7540 * Test 3: TLSv1.3, client
7541 * Test 4: TLSv1.3, server, early_data
7542 * Test 5: TLSv1.3, client, early_data
7543 * Test 6: TLSv1.3, server, compressed certificate
7544 * Test 7: TLSv1.3, client, compressed certificate
7546 static int test_info_callback(int tst)
7548 SSL_CTX *cctx = NULL, *sctx = NULL;
7549 SSL *clientssl = NULL, *serverssl = NULL;
7550 SSL_SESSION *clntsess = NULL;
7555 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
7556 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7557 || !defined(OPENSSL_NO_DH))
7558 tlsvers = TLS1_2_VERSION;
7563 #ifndef OSSL_NO_USABLE_TLS1_3
7564 tlsvers = TLS1_3_VERSION;
7572 info_cb_this_state = -1;
7573 info_cb_offset = tst;
7575 #ifndef OSSL_NO_USABLE_TLS1_3
7576 if (tst >= 4 && tst < 6) {
7577 SSL_SESSION *sess = NULL;
7578 size_t written, readbytes;
7579 unsigned char buf[80];
7581 /* early_data tests */
7582 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
7583 &serverssl, &sess, 0,
7584 SHA384_DIGEST_LENGTH)))
7587 /* We don't actually need this reference */
7588 SSL_SESSION_free(sess);
7590 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
7591 sslapi_info_callback);
7593 /* Write and read some early data and then complete the connection */
7594 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
7596 || !TEST_size_t_eq(written, strlen(MSG1))
7597 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
7598 sizeof(buf), &readbytes),
7599 SSL_READ_EARLY_DATA_SUCCESS)
7600 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
7601 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
7602 SSL_EARLY_DATA_ACCEPTED)
7603 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7605 || !TEST_false(info_cb_failed))
7613 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7614 TLS_client_method(),
7615 tlsvers, tlsvers, &sctx, &cctx, cert,
7619 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
7623 * For even numbered tests we check the server callbacks. For odd numbers we
7626 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
7627 sslapi_info_callback);
7629 if (!SSL_CTX_compress_certs(sctx, 0))
7633 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7634 &clientssl, NULL, NULL))
7635 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7637 || !TEST_false(info_cb_failed))
7642 clntsess = SSL_get1_session(clientssl);
7643 SSL_shutdown(clientssl);
7644 SSL_shutdown(serverssl);
7645 SSL_free(serverssl);
7646 SSL_free(clientssl);
7647 serverssl = clientssl = NULL;
7649 /* Now do a resumption */
7650 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7652 || !TEST_true(SSL_set_session(clientssl, clntsess))
7653 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7655 || !TEST_true(SSL_session_reused(clientssl))
7656 || !TEST_false(info_cb_failed))
7662 SSL_free(serverssl);
7663 SSL_free(clientssl);
7664 SSL_SESSION_free(clntsess);
7670 static int test_ssl_pending(int tst)
7672 SSL_CTX *cctx = NULL, *sctx = NULL;
7673 SSL *clientssl = NULL, *serverssl = NULL;
7675 char msg[] = "A test message";
7677 size_t written, readbytes;
7680 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7681 TLS_client_method(),
7683 &sctx, &cctx, cert, privkey)))
7686 #ifndef OPENSSL_NO_DTLS
7687 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
7688 DTLS_client_method(),
7690 &sctx, &cctx, cert, privkey)))
7693 # ifdef OPENSSL_NO_DTLS1_2
7694 /* Not supported in the FIPS provider */
7700 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7703 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
7704 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
7705 "DEFAULT:@SECLEVEL=0")))
7713 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7715 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7719 if (!TEST_int_eq(SSL_pending(clientssl), 0)
7720 || !TEST_false(SSL_has_pending(clientssl))
7721 || !TEST_int_eq(SSL_pending(serverssl), 0)
7722 || !TEST_false(SSL_has_pending(serverssl))
7723 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7724 || !TEST_size_t_eq(written, sizeof(msg))
7725 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
7726 || !TEST_size_t_eq(readbytes, sizeof(buf))
7727 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
7728 || !TEST_true(SSL_has_pending(clientssl)))
7734 SSL_free(serverssl);
7735 SSL_free(clientssl);
7743 unsigned int maxprot;
7744 const char *clntciphers;
7745 const char *clnttls13ciphers;
7746 const char *srvrciphers;
7747 const char *srvrtls13ciphers;
7749 const char *fipsshared;
7750 } shared_ciphers_data[] = {
7752 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
7753 * TLSv1.3 is enabled but TLSv1.2 is disabled.
7755 #if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
7758 "AES128-SHA:AES256-SHA",
7760 "AES256-SHA:DHE-RSA-AES128-SHA",
7765 # if !defined(OPENSSL_NO_CHACHA) \
7766 && !defined(OPENSSL_NO_POLY1305) \
7767 && !defined(OPENSSL_NO_EC)
7770 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7772 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7774 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7780 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
7782 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
7784 "AES128-SHA:AES256-SHA",
7785 "AES128-SHA:AES256-SHA"
7789 "AES128-SHA:AES256-SHA",
7791 "AES128-SHA:DHE-RSA-AES128-SHA",
7798 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7801 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
7802 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
7805 "AES128-SHA:AES256-SHA",
7807 "AES256-SHA:AES128-SHA256",
7809 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
7810 "TLS_AES_128_GCM_SHA256:AES256-SHA",
7811 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
7814 #ifndef OSSL_NO_USABLE_TLS1_3
7818 "TLS_AES_256_GCM_SHA384",
7820 "TLS_AES_256_GCM_SHA384",
7821 "TLS_AES_256_GCM_SHA384",
7822 "TLS_AES_256_GCM_SHA384"
7827 static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
7829 SSL_CTX *cctx = NULL, *sctx = NULL;
7830 SSL *clientssl = NULL, *serverssl = NULL;
7833 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
7835 if (!TEST_ptr(tmplibctx))
7839 * Regardless of whether we're testing with the FIPS provider loaded into
7840 * libctx, we want one peer to always use the full set of ciphersuites
7841 * available. Therefore we use a separate libctx with the default provider
7842 * loaded into it. We run the same tests twice - once with the client side
7843 * having the full set of ciphersuites and once with the server side.
7846 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
7847 if (!TEST_ptr(cctx))
7850 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
7851 if (!TEST_ptr(sctx))
7855 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7856 TLS_client_method(),
7858 shared_ciphers_data[tst].maxprot,
7859 &sctx, &cctx, cert, privkey)))
7862 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
7863 shared_ciphers_data[tst].clntciphers))
7864 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
7865 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
7866 shared_ciphers_data[tst].clnttls13ciphers)))
7867 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
7868 shared_ciphers_data[tst].srvrciphers))
7869 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
7870 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
7871 shared_ciphers_data[tst].srvrtls13ciphers))))
7875 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7877 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7881 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
7882 || !TEST_int_eq(strcmp(buf,
7884 ? shared_ciphers_data[tst].fipsshared
7885 : shared_ciphers_data[tst].shared),
7887 TEST_info("Shared ciphers are: %s\n", buf);
7894 SSL_free(serverssl);
7895 SSL_free(clientssl);
7898 OSSL_LIB_CTX_free(tmplibctx);
7903 static int test_ssl_get_shared_ciphers(int tst)
7905 return int_test_ssl_get_shared_ciphers(tst, 0)
7906 && int_test_ssl_get_shared_ciphers(tst, 1);
7910 static const char *appdata = "Hello World";
7911 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
7912 static int tick_key_renew = 0;
7913 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7915 static int gen_tick_cb(SSL *s, void *arg)
7917 gen_tick_called = 1;
7919 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
7923 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
7924 const unsigned char *keyname,
7925 size_t keyname_length,
7926 SSL_TICKET_STATUS status,
7932 dec_tick_called = 1;
7934 if (status == SSL_TICKET_EMPTY)
7935 return SSL_TICKET_RETURN_IGNORE_RENEW;
7937 if (!TEST_true(status == SSL_TICKET_SUCCESS
7938 || status == SSL_TICKET_SUCCESS_RENEW))
7939 return SSL_TICKET_RETURN_ABORT;
7941 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
7943 || !TEST_size_t_eq(tickdlen, strlen(appdata))
7944 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
7945 return SSL_TICKET_RETURN_ABORT;
7947 if (tick_key_cb_called) {
7948 /* Don't change what the ticket key callback wanted to do */
7950 case SSL_TICKET_NO_DECRYPT:
7951 return SSL_TICKET_RETURN_IGNORE_RENEW;
7953 case SSL_TICKET_SUCCESS:
7954 return SSL_TICKET_RETURN_USE;
7956 case SSL_TICKET_SUCCESS_RENEW:
7957 return SSL_TICKET_RETURN_USE_RENEW;
7960 return SSL_TICKET_RETURN_ABORT;
7963 return tick_dec_ret;
7967 #ifndef OPENSSL_NO_DEPRECATED_3_0
7968 static int tick_key_cb(SSL *s, unsigned char key_name[16],
7969 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
7970 HMAC_CTX *hctx, int enc)
7972 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7973 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
7974 EVP_CIPHER *aes128cbc;
7978 tick_key_cb_called = 1;
7980 if (tick_key_renew == -1)
7983 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7984 if (!TEST_ptr(aes128cbc))
7986 sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
7987 if (!TEST_ptr(sha256)) {
7988 EVP_CIPHER_free(aes128cbc);
7992 memset(iv, 0, AES_BLOCK_SIZE);
7993 memset(key_name, 0, 16);
7994 if (aes128cbc == NULL
7996 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7997 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
8001 ret = tick_key_renew ? 2 : 1;
8003 EVP_CIPHER_free(aes128cbc);
8004 EVP_MD_free(sha256);
8010 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
8011 unsigned char iv[EVP_MAX_IV_LENGTH],
8012 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
8014 const unsigned char tick_aes_key[16] = "0123456789abcdef";
8015 unsigned char tick_hmac_key[16] = "0123456789abcdef";
8016 OSSL_PARAM params[2];
8017 EVP_CIPHER *aes128cbc;
8020 tick_key_cb_called = 1;
8022 if (tick_key_renew == -1)
8025 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
8026 if (!TEST_ptr(aes128cbc))
8029 memset(iv, 0, AES_BLOCK_SIZE);
8030 memset(key_name, 0, 16);
8031 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
8033 params[1] = OSSL_PARAM_construct_end();
8034 if (aes128cbc == NULL
8035 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
8036 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
8040 ret = tick_key_renew ? 2 : 1;
8042 EVP_CIPHER_free(aes128cbc);
8048 * Test the various ticket callbacks
8049 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
8050 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
8051 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
8052 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
8053 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
8054 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
8055 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
8056 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
8057 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
8058 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
8059 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
8060 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
8061 * Test 12: TLSv1.2, old ticket key callback, no ticket
8062 * Test 13: TLSv1.3, old ticket key callback, no ticket
8063 * Test 14: TLSv1.2, ticket key callback, ticket, no renewal
8064 * Test 15: TLSv1.3, ticket key callback, ticket, no renewal
8065 * Test 16: TLSv1.2, ticket key callback, ticket, renewal
8066 * Test 17: TLSv1.3, ticket key callback, ticket, renewal
8067 * Test 18: TLSv1.2, ticket key callback, no ticket
8068 * Test 19: TLSv1.3, ticket key callback, no ticket
8070 static int test_ticket_callbacks(int tst)
8072 SSL_CTX *cctx = NULL, *sctx = NULL;
8073 SSL *clientssl = NULL, *serverssl = NULL;
8074 SSL_SESSION *clntsess = NULL;
8077 #ifdef OPENSSL_NO_TLS1_2
8081 #ifdef OSSL_NO_USABLE_TLS1_3
8085 #ifdef OPENSSL_NO_DEPRECATED_3_0
8086 if (tst >= 8 && tst <= 13)
8090 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
8092 /* Which tests the ticket key callback should request renewal for */
8094 if (tst == 10 || tst == 11 || tst == 16 || tst == 17)
8096 else if (tst == 12 || tst == 13 || tst == 18 || tst == 19)
8097 tick_key_renew = -1; /* abort sending the ticket/0-length ticket */
8101 /* Which tests the decrypt ticket callback should request renewal for */
8105 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
8110 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
8115 tick_dec_ret = SSL_TICKET_RETURN_USE;
8120 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
8124 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
8127 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8128 TLS_client_method(),
8130 ((tst % 2) == 0) ? TLS1_2_VERSION
8132 &sctx, &cctx, cert, privkey)))
8136 * We only want sessions to resume from tickets - not the session cache. So
8137 * switch the cache off.
8139 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
8142 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
8147 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
8149 #ifndef OPENSSL_NO_DEPRECATED_3_0
8150 } else if (tst >= 8) {
8151 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
8156 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8158 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8163 * The decrypt ticket key callback in TLSv1.2 should be called even though
8164 * we have no ticket yet, because it gets called with a status of
8165 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
8166 * actually send any ticket data). This does not happen in TLSv1.3 because
8167 * it is not valid to send empty ticket data in TLSv1.3.
8169 if (!TEST_int_eq(gen_tick_called, 1)
8170 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
8173 gen_tick_called = dec_tick_called = 0;
8175 clntsess = SSL_get1_session(clientssl);
8176 SSL_shutdown(clientssl);
8177 SSL_shutdown(serverssl);
8178 SSL_free(serverssl);
8179 SSL_free(clientssl);
8180 serverssl = clientssl = NULL;
8182 /* Now do a resumption */
8183 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8185 || !TEST_true(SSL_set_session(clientssl, clntsess))
8186 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8190 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
8191 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8192 || tick_key_renew == -1) {
8193 if (!TEST_false(SSL_session_reused(clientssl)))
8196 if (!TEST_true(SSL_session_reused(clientssl)))
8200 if (!TEST_int_eq(gen_tick_called,
8202 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8203 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
8205 /* There is no ticket to decrypt in tests 13 and 19 */
8206 || !TEST_int_eq(dec_tick_called, (tst == 13 || tst == 19) ? 0 : 1))
8212 SSL_SESSION_free(clntsess);
8213 SSL_free(serverssl);
8214 SSL_free(clientssl);
8222 * Test incorrect shutdown.
8223 * Test 0: client does not shutdown properly,
8224 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
8225 * server should get SSL_ERROR_SSL
8226 * Test 1: client does not shutdown properly,
8227 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
8228 * server should get SSL_ERROR_ZERO_RETURN
8230 static int test_incorrect_shutdown(int tst)
8232 SSL_CTX *cctx = NULL, *sctx = NULL;
8233 SSL *clientssl = NULL, *serverssl = NULL;
8238 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8239 TLS_client_method(), 0, 0,
8240 &sctx, &cctx, cert, privkey)))
8244 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
8246 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8250 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8254 c2s = SSL_get_rbio(serverssl);
8255 BIO_set_mem_eof_return(c2s, 0);
8257 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
8260 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
8262 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
8268 SSL_free(serverssl);
8269 SSL_free(clientssl);
8277 * Test bi-directional shutdown.
8279 * Test 1: TLSv1.2, server continues to read/write after client shutdown
8280 * Test 2: TLSv1.3, no pending NewSessionTicket messages
8281 * Test 3: TLSv1.3, pending NewSessionTicket messages
8282 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
8283 * sends key update, client reads it
8284 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
8285 * sends CertificateRequest, client reads and ignores it
8286 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
8289 static int test_shutdown(int tst)
8291 SSL_CTX *cctx = NULL, *sctx = NULL;
8292 SSL *clientssl = NULL, *serverssl = NULL;
8294 char msg[] = "A test message";
8296 size_t written, readbytes;
8299 #ifdef OPENSSL_NO_TLS1_2
8303 #ifdef OSSL_NO_USABLE_TLS1_3
8308 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8309 TLS_client_method(),
8311 (tst <= 1) ? TLS1_2_VERSION
8313 &sctx, &cctx, cert, privkey)))
8317 SSL_CTX_set_post_handshake_auth(cctx, 1);
8319 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8324 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
8325 SSL_ERROR_NONE, 1, 0))
8326 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8327 || !TEST_false(SSL_SESSION_is_resumable(sess)))
8329 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8331 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8332 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
8336 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8341 * Reading on the server after the client has sent close_notify should
8342 * fail and provide SSL_ERROR_ZERO_RETURN
8344 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
8345 || !TEST_int_eq(SSL_get_error(serverssl, 0),
8346 SSL_ERROR_ZERO_RETURN)
8347 || !TEST_int_eq(SSL_get_shutdown(serverssl),
8348 SSL_RECEIVED_SHUTDOWN)
8350 * Even though we're shutdown on receive we should still be
8353 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8356 && !TEST_true(SSL_key_update(serverssl,
8357 SSL_KEY_UPDATE_REQUESTED)))
8360 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
8361 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
8364 if ((tst == 4 || tst == 5)
8365 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8367 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8369 if (tst == 4 || tst == 5) {
8370 /* Should still be able to read data from server */
8371 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8373 || !TEST_size_t_eq(readbytes, sizeof(msg))
8374 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
8375 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8377 || !TEST_size_t_eq(readbytes, sizeof(msg))
8378 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
8383 /* Writing on the client after sending close_notify shouldn't be possible */
8384 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
8389 * For these tests the client has sent close_notify but it has not yet
8390 * been received by the server. The server has not sent close_notify
8393 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
8395 * Writing on the server after sending close_notify shouldn't
8398 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8399 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
8400 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8401 || !TEST_true(SSL_SESSION_is_resumable(sess))
8402 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
8404 } else if (tst == 4 || tst == 5) {
8406 * In this test the client has sent close_notify and it has been
8407 * received by the server which has responded with a close_notify. The
8408 * client needs to read the close_notify sent by the server.
8410 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
8411 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8412 || !TEST_true(SSL_SESSION_is_resumable(sess)))
8418 * The client has sent close_notify and is expecting a close_notify
8419 * back, but instead there is application data first. The shutdown
8420 * should fail with a fatal error.
8422 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
8423 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
8430 SSL_free(serverssl);
8431 SSL_free(clientssl);
8439 * Test that sending close_notify alerts works correctly in the case of a
8440 * retryable write failure.
8442 static int test_async_shutdown(void)
8444 SSL_CTX *cctx = NULL, *sctx = NULL;
8445 SSL *clientssl = NULL, *serverssl = NULL;
8447 BIO *bretry = BIO_new(bio_s_always_retry()), *tmp = NULL;
8449 if (!TEST_ptr(bretry))
8452 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8453 TLS_client_method(),
8455 &sctx, &cctx, cert, privkey)))
8458 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8462 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8465 /* Close write side of clientssl */
8466 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8469 tmp = SSL_get_wbio(serverssl);
8470 if (!TEST_true(BIO_up_ref(tmp))) {
8474 SSL_set0_wbio(serverssl, bretry);
8477 /* First server shutdown should fail because of a retrable write failure */
8478 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8479 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8482 /* Second server shutdown should fail for the same reason */
8483 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8484 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8487 SSL_set0_wbio(serverssl, tmp);
8490 /* Third server shutdown should send close_notify */
8491 if (!TEST_int_eq(SSL_shutdown(serverssl), 0))
8494 /* Fourth server shutdown should read close_notify from client and finish */
8495 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8498 /* Client should also successfully fully shutdown */
8499 if (!TEST_int_eq(SSL_shutdown(clientssl), 1))
8504 SSL_free(serverssl);
8505 SSL_free(clientssl);
8514 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8515 static int cert_cb_cnt;
8517 static int cert_cb(SSL *s, void *arg)
8519 SSL_CTX *ctx = (SSL_CTX *)arg;
8521 EVP_PKEY *pkey = NULL;
8522 X509 *x509 = NULL, *rootx = NULL;
8523 STACK_OF(X509) *chain = NULL;
8524 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
8527 if (cert_cb_cnt == 0) {
8528 /* Suspend the handshake */
8531 } else if (cert_cb_cnt == 1) {
8533 * Update the SSL_CTX, set the certificate and private key and then
8534 * continue the handshake normally.
8536 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
8539 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
8540 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
8542 || !TEST_true(SSL_check_private_key(s)))
8546 } else if (cert_cb_cnt == 3) {
8549 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
8550 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8551 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8552 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
8554 chain = sk_X509_new_null();
8555 if (!TEST_ptr(chain))
8557 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8558 || !TEST_int_gt(BIO_read_filename(in, rootfile), 0)
8559 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
8560 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
8561 || !TEST_true(sk_X509_push(chain, rootx)))
8565 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8566 || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0)
8567 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
8568 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
8571 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8572 || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0)
8573 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
8577 rv = SSL_check_chain(s, x509, pkey, chain);
8579 * If the cert doesn't show as valid here (e.g., because we don't
8580 * have any shared sigalgs), then we will not set it, and there will
8581 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8582 * will cause tls_choose_sigalgs() to fail the connection.
8584 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
8585 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
8586 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
8593 /* Abort the handshake */
8595 OPENSSL_free(ecdsacert);
8596 OPENSSL_free(ecdsakey);
8597 OPENSSL_free(rootfile);
8599 EVP_PKEY_free(pkey);
8602 OSSL_STACK_OF_X509_free(chain);
8607 * Test the certificate callback.
8608 * Test 0: Callback fails
8609 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8610 * Test 2: Success - SSL_set_SSL_CTX() in the callback
8611 * Test 3: Success - Call SSL_check_chain from the callback
8612 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8614 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
8616 static int test_cert_cb_int(int prot, int tst)
8618 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
8619 SSL *clientssl = NULL, *serverssl = NULL;
8620 int testresult = 0, ret;
8622 #ifdef OPENSSL_NO_EC
8623 /* We use an EC cert in these tests, so we skip in a no-ec build */
8628 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8629 TLS_client_method(),
8632 &sctx, &cctx, NULL, NULL)))
8643 snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
8644 if (!TEST_ptr(snictx))
8648 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
8650 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8656 * We cause SSL_check_chain() to fail by specifying sig_algs that
8657 * the chain doesn't meet (the root uses an RSA cert)
8659 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8660 "ecdsa_secp256r1_sha256")))
8662 } else if (tst == 5) {
8664 * We cause SSL_check_chain() to fail by specifying sig_algs that
8665 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8667 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8668 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8672 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
8673 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
8675 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
8682 SSL_free(serverssl);
8683 SSL_free(clientssl);
8686 SSL_CTX_free(snictx);
8692 static int test_cert_cb(int tst)
8696 #ifndef OPENSSL_NO_TLS1_2
8697 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
8699 #ifndef OSSL_NO_USABLE_TLS1_3
8700 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
8706 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
8711 BIO *priv_in = NULL;
8713 /* Check that SSL_get0_peer_certificate() returns something sensible */
8714 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
8717 in = BIO_new_file(cert, "r");
8721 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
8722 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
8723 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
8724 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
8742 static int test_client_cert_cb(int tst)
8744 SSL_CTX *cctx = NULL, *sctx = NULL;
8745 SSL *clientssl = NULL, *serverssl = NULL;
8748 #ifdef OPENSSL_NO_TLS1_2
8752 #ifdef OSSL_NO_USABLE_TLS1_3
8757 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8758 TLS_client_method(),
8760 tst == 0 ? TLS1_2_VERSION
8762 &sctx, &cctx, cert, privkey)))
8766 * Test that setting a client_cert_cb results in a client certificate being
8769 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
8770 SSL_CTX_set_verify(sctx,
8771 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
8774 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8776 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8783 SSL_free(serverssl);
8784 SSL_free(clientssl);
8791 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8793 * Test setting certificate authorities on both client and server.
8795 * Test 0: SSL_CTX_set0_CA_list() only
8796 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
8797 * Test 2: Only SSL_CTX_set_client_CA_list()
8799 static int test_ca_names_int(int prot, int tst)
8801 SSL_CTX *cctx = NULL, *sctx = NULL;
8802 SSL *clientssl = NULL, *serverssl = NULL;
8805 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
8806 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
8807 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
8808 const STACK_OF(X509_NAME) *sktmp = NULL;
8810 for (i = 0; i < OSSL_NELEM(name); i++) {
8811 name[i] = X509_NAME_new();
8812 if (!TEST_ptr(name[i])
8813 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
8821 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8822 TLS_client_method(),
8825 &sctx, &cctx, cert, privkey)))
8828 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
8830 if (tst == 0 || tst == 1) {
8831 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8832 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
8833 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
8834 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8835 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
8836 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
8839 SSL_CTX_set0_CA_list(sctx, sk1);
8840 SSL_CTX_set0_CA_list(cctx, sk2);
8843 if (tst == 1 || tst == 2) {
8844 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8845 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
8846 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
8847 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8848 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
8849 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
8852 SSL_CTX_set_client_CA_list(sctx, sk1);
8853 SSL_CTX_set_client_CA_list(cctx, sk2);
8857 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8859 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8864 * We only expect certificate authorities to have been sent to the server
8865 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
8867 sktmp = SSL_get0_peer_CA_list(serverssl);
8868 if (prot == TLS1_3_VERSION
8869 && (tst == 0 || tst == 1)) {
8870 if (!TEST_ptr(sktmp)
8871 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8872 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8874 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8877 } else if (!TEST_ptr_null(sktmp)) {
8882 * In all tests we expect certificate authorities to have been sent to the
8883 * client. However, SSL_set_client_CA_list() should override
8884 * SSL_set0_CA_list()
8886 sktmp = SSL_get0_peer_CA_list(clientssl);
8887 if (!TEST_ptr(sktmp)
8888 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8889 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8890 name[tst == 0 ? 0 : 2]), 0)
8891 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8892 name[tst == 0 ? 1 : 3]), 0))
8898 SSL_free(serverssl);
8899 SSL_free(clientssl);
8902 for (i = 0; i < OSSL_NELEM(name); i++)
8903 X509_NAME_free(name[i]);
8904 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
8905 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
8911 static int test_ca_names(int tst)
8915 #ifndef OPENSSL_NO_TLS1_2
8916 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
8918 #ifndef OSSL_NO_USABLE_TLS1_3
8919 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
8925 #ifndef OPENSSL_NO_TLS1_2
8926 static const char *multiblock_cipherlist_data[]=
8934 /* Reduce the fragment size - so the multiblock test buffer can be small */
8935 # define MULTIBLOCK_FRAGSIZE 512
8937 static int test_multiblock_write(int test_index)
8939 static const char *fetchable_ciphers[]=
8941 "AES-128-CBC-HMAC-SHA1",
8942 "AES-128-CBC-HMAC-SHA256",
8943 "AES-256-CBC-HMAC-SHA1",
8944 "AES-256-CBC-HMAC-SHA256"
8946 const char *cipherlist = multiblock_cipherlist_data[test_index];
8947 const SSL_METHOD *smeth = TLS_server_method();
8948 const SSL_METHOD *cmeth = TLS_client_method();
8949 int min_version = TLS1_VERSION;
8950 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
8951 SSL_CTX *cctx = NULL, *sctx = NULL;
8952 SSL *clientssl = NULL, *serverssl = NULL;
8956 * Choose a buffer large enough to perform a multi-block operation
8957 * i.e: write_len >= 4 * frag_size
8958 * 9 * is chosen so that multiple multiblocks are used + some leftover.
8960 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
8961 unsigned char buf[sizeof(msg)], *p = buf;
8962 size_t readbytes, written, len;
8963 EVP_CIPHER *ciph = NULL;
8966 * Check if the cipher exists before attempting to use it since it only has
8967 * a hardware specific implementation.
8969 ciph = EVP_CIPHER_fetch(libctx, fetchable_ciphers[test_index], "");
8971 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
8974 EVP_CIPHER_free(ciph);
8976 /* Set up a buffer with some data that will be sent to the client */
8977 RAND_bytes(msg, sizeof(msg));
8979 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
8980 max_version, &sctx, &cctx, cert,
8984 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
8987 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8991 /* settings to force it to use AES-CBC-HMAC_SHA */
8992 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
8993 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
8996 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8999 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
9000 || !TEST_size_t_eq(written, sizeof(msg)))
9005 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
9010 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
9015 SSL_free(serverssl);
9016 SSL_free(clientssl);
9022 #endif /* OPENSSL_NO_TLS1_2 */
9024 static int test_session_timeout(int test)
9027 * Test session ordering and timeout
9028 * Can't explicitly test performance of the new code,
9029 * but can test to see if the ordering of the sessions
9030 * are correct, and they they are removed as expected
9032 SSL_SESSION *early = NULL;
9033 SSL_SESSION *middle = NULL;
9034 SSL_SESSION *late = NULL;
9037 long now = (long)time(NULL);
9040 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
9041 || !TEST_ptr(early = SSL_SESSION_new())
9042 || !TEST_ptr(middle = SSL_SESSION_new())
9043 || !TEST_ptr(late = SSL_SESSION_new()))
9046 /* assign unique session ids */
9047 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9048 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
9049 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9050 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
9051 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9052 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
9054 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9055 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
9056 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
9059 /* Make sure they are all added */
9060 if (!TEST_ptr(early->prev)
9061 || !TEST_ptr(middle->prev)
9062 || !TEST_ptr(late->prev))
9065 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
9066 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
9067 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
9070 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
9071 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
9072 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
9075 /* Make sure they are all still there */
9076 if (!TEST_ptr(early->prev)
9077 || !TEST_ptr(middle->prev)
9078 || !TEST_ptr(late->prev))
9081 /* Make sure they are in the expected order */
9082 if (!TEST_ptr_eq(late->next, middle)
9083 || !TEST_ptr_eq(middle->next, early)
9084 || !TEST_ptr_eq(early->prev, middle)
9085 || !TEST_ptr_eq(middle->prev, late))
9088 /* This should remove "early" */
9089 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1);
9090 if (!TEST_ptr_null(early->prev)
9091 || !TEST_ptr(middle->prev)
9092 || !TEST_ptr(late->prev))
9095 /* This should remove "middle" */
9096 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1);
9097 if (!TEST_ptr_null(early->prev)
9098 || !TEST_ptr_null(middle->prev)
9099 || !TEST_ptr(late->prev))
9102 /* This should remove "late" */
9103 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11);
9104 if (!TEST_ptr_null(early->prev)
9105 || !TEST_ptr_null(middle->prev)
9106 || !TEST_ptr_null(late->prev))
9109 /* Add them back in again */
9110 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9111 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
9112 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
9115 /* Make sure they are all added */
9116 if (!TEST_ptr(early->prev)
9117 || !TEST_ptr(middle->prev)
9118 || !TEST_ptr(late->prev))
9121 /* This should remove all of them */
9122 SSL_CTX_flush_sessions(ctx, 0);
9123 if (!TEST_ptr_null(early->prev)
9124 || !TEST_ptr_null(middle->prev)
9125 || !TEST_ptr_null(late->prev))
9128 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
9129 | SSL_CTX_get_session_cache_mode(ctx));
9131 /* make sure |now| is NOT equal to the current time */
9133 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
9134 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9135 || !TEST_long_ne(SSL_SESSION_get_time(early), now))
9141 SSL_SESSION_free(early);
9142 SSL_SESSION_free(middle);
9143 SSL_SESSION_free(late);
9148 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
9149 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
9150 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
9151 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
9152 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
9153 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
9154 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
9155 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
9156 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
9157 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
9159 static int test_servername(int tst)
9161 SSL_CTX *cctx = NULL, *sctx = NULL;
9162 SSL *clientssl = NULL, *serverssl = NULL;
9164 SSL_SESSION *sess = NULL;
9165 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
9167 #ifdef OPENSSL_NO_TLS1_2
9171 #ifdef OSSL_NO_USABLE_TLS1_3
9176 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9177 TLS_client_method(),
9179 (tst <= 4) ? TLS1_2_VERSION
9181 &sctx, &cctx, cert, privkey))
9182 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9186 if (tst != 1 && tst != 6) {
9187 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
9192 if (tst != 3 && tst != 8) {
9193 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9195 sexpectedhost = cexpectedhost = "goodhost";
9198 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9201 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
9203 || !TEST_str_eq(SSL_get_servername(serverssl,
9204 TLSEXT_NAMETYPE_host_name),
9208 /* Now repeat with a resumption handshake */
9210 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
9211 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
9212 || !TEST_true(SSL_SESSION_is_resumable(sess))
9213 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
9216 SSL_free(clientssl);
9217 SSL_free(serverssl);
9218 clientssl = serverssl = NULL;
9220 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
9224 if (!TEST_true(SSL_set_session(clientssl, sess)))
9227 sexpectedhost = cexpectedhost = "goodhost";
9228 if (tst == 2 || tst == 7) {
9229 /* Set an inconsistent hostname */
9230 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
9233 * In TLSv1.2 we expect the hostname from the original handshake, in
9234 * TLSv1.3 we expect the hostname from this handshake
9237 sexpectedhost = cexpectedhost = "altgoodhost";
9239 if (!TEST_str_eq(SSL_get_servername(clientssl,
9240 TLSEXT_NAMETYPE_host_name),
9243 } else if (tst == 4 || tst == 9) {
9245 * A TLSv1.3 session does not associate a session with a servername,
9246 * but a TLSv1.2 session does.
9249 sexpectedhost = cexpectedhost = NULL;
9251 if (!TEST_str_eq(SSL_get_servername(clientssl,
9252 TLSEXT_NAMETYPE_host_name),
9256 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9259 * In a TLSv1.2 resumption where the hostname was not acknowledged
9260 * we expect the hostname on the server to be empty. On the client we
9261 * return what was requested in this case.
9263 * Similarly if the client didn't set a hostname on an original TLSv1.2
9264 * session but is now, the server hostname will be empty, but the client
9267 if (tst == 1 || tst == 3)
9268 sexpectedhost = NULL;
9270 if (!TEST_str_eq(SSL_get_servername(clientssl,
9271 TLSEXT_NAMETYPE_host_name),
9276 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9279 if (!TEST_true(SSL_session_reused(clientssl))
9280 || !TEST_true(SSL_session_reused(serverssl))
9281 || !TEST_str_eq(SSL_get_servername(clientssl,
9282 TLSEXT_NAMETYPE_host_name),
9284 || !TEST_str_eq(SSL_get_servername(serverssl,
9285 TLSEXT_NAMETYPE_host_name),
9292 SSL_SESSION_free(sess);
9293 SSL_free(serverssl);
9294 SSL_free(clientssl);
9301 #if !defined(OPENSSL_NO_EC) \
9302 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9304 * Test that if signature algorithms are not available, then we do not offer or
9306 * Test 0: Two RSA sig algs available: both RSA sig algs shared
9307 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
9308 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
9309 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
9310 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
9311 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
9313 static int test_sigalgs_available(int idx)
9315 SSL_CTX *cctx = NULL, *sctx = NULL;
9316 SSL *clientssl = NULL, *serverssl = NULL;
9318 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
9319 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
9320 OSSL_PROVIDER *filterprov = NULL;
9323 if (!TEST_ptr(tmpctx))
9326 if (idx != 0 && idx != 3) {
9327 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
9328 filter_provider_init)))
9331 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
9332 if (!TEST_ptr(filterprov))
9337 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
9338 * or accepted for the peer that uses this libctx. Note that libssl
9339 * *requires* SHA2-256 to be available so we cannot disable that. We
9340 * also need SHA1 for our certificate.
9342 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
9346 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
9348 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
9353 if (idx == 1 || idx == 4)
9359 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
9360 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
9361 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
9365 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9366 TLS_client_method(),
9369 &sctx, &cctx, cert, privkey)))
9372 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9373 TLS_client_method(),
9376 &sctx, &cctx, cert2, privkey2)))
9380 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
9382 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9383 "ECDHE-RSA-AES128-GCM-SHA256")))
9386 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9387 "ECDHE-ECDSA-AES128-GCM-SHA256")))
9392 if (!SSL_CTX_set1_sigalgs_list(cctx,
9393 "rsa_pss_rsae_sha384"
9394 ":rsa_pss_rsae_sha256")
9395 || !SSL_CTX_set1_sigalgs_list(sctx,
9396 "rsa_pss_rsae_sha384"
9397 ":rsa_pss_rsae_sha256"))
9400 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
9401 || !SSL_CTX_set1_sigalgs_list(sctx,
9402 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
9407 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
9408 SSL_FILETYPE_PEM), 1)
9409 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
9411 SSL_FILETYPE_PEM), 1)
9412 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
9415 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9419 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9422 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
9423 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
9425 (idx == 0 || idx == 3) ? 2 : 1))
9428 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
9431 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
9435 testresult = filter_provider_check_clean_finish();
9438 SSL_free(serverssl);
9439 SSL_free(clientssl);
9442 OSSL_PROVIDER_unload(filterprov);
9443 OSSL_LIB_CTX_free(tmpctx);
9448 * !defined(OPENSSL_NO_EC) \
9449 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9452 #ifndef OPENSSL_NO_TLS1_3
9453 /* This test can run in TLSv1.3 even if ec and dh are disabled */
9454 static int test_pluggable_group(int idx)
9456 SSL_CTX *cctx = NULL, *sctx = NULL;
9457 SSL *clientssl = NULL, *serverssl = NULL;
9459 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
9460 /* Check that we are not impacted by a provider without any groups */
9461 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
9462 const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
9464 if (!TEST_ptr(tlsprov))
9467 if (legacyprov == NULL) {
9469 * In this case we assume we've been built with "no-legacy" and skip
9470 * this test (there is no OPENSSL_NO_LEGACY)
9476 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9477 TLS_client_method(),
9480 &sctx, &cctx, cert, privkey))
9481 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9485 if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
9486 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
9489 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9492 if (!TEST_str_eq(group_name,
9493 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
9499 SSL_free(serverssl);
9500 SSL_free(clientssl);
9503 OSSL_PROVIDER_unload(tlsprov);
9504 OSSL_PROVIDER_unload(legacyprov);
9510 * This function triggers encode, decode and sign functions
9511 * of the artificial "xorhmacsig" algorithm implemented in tls-provider
9512 * creating private key and certificate files for use in TLS testing.
9514 static int create_cert_key(int idx, char *certfilename, char *privkeyfilename)
9516 EVP_PKEY_CTX * evpctx = EVP_PKEY_CTX_new_from_name(libctx,
9517 (idx == 0) ? "xorhmacsig" : "xorhmacsha2sig", NULL);
9518 EVP_PKEY *pkey = NULL;
9519 X509 *x509 = X509_new();
9520 X509_NAME *name = NULL;
9521 BIO *keybio = NULL, *certbio = NULL;
9524 if (!TEST_ptr(evpctx)
9525 || !TEST_true(EVP_PKEY_keygen_init(evpctx))
9526 || !TEST_true(EVP_PKEY_generate(evpctx, &pkey))
9529 || !TEST_true(ASN1_INTEGER_set(X509_get_serialNumber(x509), 1))
9530 || !TEST_true(X509_gmtime_adj(X509_getm_notBefore(x509), 0))
9531 || !TEST_true(X509_gmtime_adj(X509_getm_notAfter(x509), 31536000L))
9532 || !TEST_true(X509_set_pubkey(x509, pkey))
9533 || !TEST_ptr(name = X509_get_subject_name(x509))
9534 || !TEST_true(X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC,
9535 (unsigned char *)"CH", -1, -1, 0))
9536 || !TEST_true(X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC,
9537 (unsigned char *)"test.org", -1, -1, 0))
9538 || !TEST_true(X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
9539 (unsigned char *)"localhost", -1, -1, 0))
9540 || !TEST_true(X509_set_issuer_name(x509, name))
9541 || !TEST_true(X509_sign(x509, pkey, EVP_sha1()))
9542 || !TEST_ptr(keybio = BIO_new_file(privkeyfilename, "wb"))
9543 || !TEST_true(PEM_write_bio_PrivateKey(keybio, pkey, NULL, NULL, 0, NULL, NULL))
9544 || !TEST_ptr(certbio = BIO_new_file(certfilename, "wb"))
9545 || !TEST_true(PEM_write_bio_X509(certbio, x509)))
9548 EVP_PKEY_free(pkey);
9550 EVP_PKEY_CTX_free(evpctx);
9557 * Test that signature algorithms loaded via the provider interface can
9558 * correctly establish a TLS (1.3) connection.
9559 * Test 0: Signature algorithm with built-in hashing functionality: "xorhmacsig"
9560 * Test 1: Signature algorithm using external SHA2 hashing: "xorhmacsha2sig"
9561 * Test 2: Test 0 using RPK
9562 * Test 3: Test 1 using RPK
9564 static int test_pluggable_signature(int idx)
9566 static const unsigned char cert_type_rpk[] = { TLSEXT_cert_type_rpk, TLSEXT_cert_type_x509 };
9567 SSL_CTX *cctx = NULL, *sctx = NULL;
9568 SSL *clientssl = NULL, *serverssl = NULL;
9570 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
9571 OSSL_PROVIDER *defaultprov = OSSL_PROVIDER_load(libctx, "default");
9572 char *certfilename = "tls-prov-cert.pem";
9573 char *privkeyfilename = "tls-prov-key.pem";
9574 int sigidx = idx % 2;
9575 int rpkidx = idx / 2;
9577 /* create key and certificate for the different algorithm types */
9578 if (!TEST_ptr(tlsprov)
9579 || !TEST_true(create_cert_key(sigidx, certfilename, privkeyfilename)))
9582 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9583 TLS_client_method(),
9586 &sctx, &cctx, certfilename, privkeyfilename))
9587 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9591 /* Enable RPK for server cert */
9593 if (!TEST_true(SSL_set1_server_cert_type(serverssl, cert_type_rpk, sizeof(cert_type_rpk)))
9594 || !TEST_true(SSL_set1_server_cert_type(clientssl, cert_type_rpk, sizeof(cert_type_rpk))))
9598 /* This is necessary to pass minimal setup w/o other groups configured */
9599 if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup"))
9600 || !TEST_true(SSL_set1_groups_list(clientssl, "xorgroup")))
9604 * If this connection gets established, it must have been completed
9605 * via the tls-provider-implemented "hmacsig" algorithm, testing
9606 * both sign and verify functions during handshake.
9608 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9611 /* If using RPK, make sure we got one */
9612 if (rpkidx && !TEST_long_eq(SSL_get_verify_result(clientssl), X509_V_ERR_RPK_UNTRUSTED))
9618 SSL_free(serverssl);
9619 SSL_free(clientssl);
9622 OSSL_PROVIDER_unload(tlsprov);
9623 OSSL_PROVIDER_unload(defaultprov);
9629 #ifndef OPENSSL_NO_TLS1_2
9630 static int test_ssl_dup(void)
9632 SSL_CTX *cctx = NULL, *sctx = NULL;
9633 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
9635 BIO *rbio = NULL, *wbio = NULL;
9637 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9638 TLS_client_method(),
9641 &sctx, &cctx, cert, privkey)))
9644 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9648 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
9649 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
9652 client2ssl = SSL_dup(clientssl);
9653 rbio = SSL_get_rbio(clientssl);
9655 || !TEST_true(BIO_up_ref(rbio)))
9657 SSL_set0_rbio(client2ssl, rbio);
9660 wbio = SSL_get_wbio(clientssl);
9661 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
9663 SSL_set0_wbio(client2ssl, wbio);
9666 if (!TEST_ptr(client2ssl)
9667 /* Handshake not started so pointers should be different */
9668 || !TEST_ptr_ne(clientssl, client2ssl))
9671 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
9672 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
9675 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
9678 SSL_free(clientssl);
9679 clientssl = SSL_dup(client2ssl);
9680 if (!TEST_ptr(clientssl)
9681 /* Handshake has finished so pointers should be the same */
9682 || !TEST_ptr_eq(clientssl, client2ssl))
9688 SSL_free(serverssl);
9689 SSL_free(clientssl);
9690 SSL_free(client2ssl);
9697 # ifndef OPENSSL_NO_DH
9699 static EVP_PKEY *tmp_dh_params = NULL;
9701 /* Helper function for the test_set_tmp_dh() tests */
9702 static EVP_PKEY *get_tmp_dh_params(void)
9704 if (tmp_dh_params == NULL) {
9706 OSSL_PARAM_BLD *tmpl = NULL;
9707 EVP_PKEY_CTX *pctx = NULL;
9708 OSSL_PARAM *params = NULL;
9709 EVP_PKEY *dhpkey = NULL;
9711 p = BN_get_rfc3526_prime_2048(NULL);
9715 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
9717 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
9720 tmpl = OSSL_PARAM_BLD_new();
9722 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
9723 OSSL_PKEY_PARAM_FFC_P,
9725 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
9726 OSSL_PKEY_PARAM_FFC_G,
9730 params = OSSL_PARAM_BLD_to_param(tmpl);
9731 if (!TEST_ptr(params)
9732 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
9733 EVP_PKEY_KEY_PARAMETERS,
9737 tmp_dh_params = dhpkey;
9740 EVP_PKEY_CTX_free(pctx);
9741 OSSL_PARAM_BLD_free(tmpl);
9742 OSSL_PARAM_free(params);
9745 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
9748 return tmp_dh_params;
9751 # ifndef OPENSSL_NO_DEPRECATED_3_0
9752 /* Callback used by test_set_tmp_dh() */
9753 static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
9755 EVP_PKEY *dhpkey = get_tmp_dh_params();
9758 if (!TEST_ptr(dhpkey))
9762 * libssl does not free the returned DH, so we free it now knowing that even
9763 * after we free dhpkey, there will still be a reference to the owning
9764 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
9765 * of time we need it for.
9767 ret = EVP_PKEY_get1_DH(dhpkey);
9770 EVP_PKEY_free(dhpkey);
9777 * Test the various methods for setting temporary DH parameters
9779 * Test 0: Default (no auto) setting
9780 * Test 1: Explicit SSL_CTX auto off
9781 * Test 2: Explicit SSL auto off
9782 * Test 3: Explicit SSL_CTX auto on
9783 * Test 4: Explicit SSL auto on
9784 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
9785 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
9787 * The following are testing deprecated APIs, so we only run them if available
9788 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
9789 * Test 8: Explicit SSL auto off, custom DH params via DH
9790 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
9791 * Test 10: Explicit SSL auto off, custom DH params via callback
9793 static int test_set_tmp_dh(int idx)
9795 SSL_CTX *cctx = NULL, *sctx = NULL;
9796 SSL *clientssl = NULL, *serverssl = NULL;
9798 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
9799 int expected = (idx <= 2) ? 0 : 1;
9800 EVP_PKEY *dhpkey = NULL;
9801 # ifndef OPENSSL_NO_DEPRECATED_3_0
9809 if (idx >= 5 && idx <= 8) {
9810 dhpkey = get_tmp_dh_params();
9811 if (!TEST_ptr(dhpkey))
9814 # ifndef OPENSSL_NO_DEPRECATED_3_0
9815 if (idx == 7 || idx == 8) {
9816 dh = EVP_PKEY_get1_DH(dhpkey);
9822 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9823 TLS_client_method(),
9826 &sctx, &cctx, cert, privkey)))
9829 if ((idx & 1) == 1) {
9830 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
9835 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
9839 # ifndef OPENSSL_NO_DEPRECATED_3_0
9840 else if (idx == 7) {
9841 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
9843 } else if (idx == 9) {
9844 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
9848 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9852 if ((idx & 1) == 0 && idx != 0) {
9853 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
9857 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
9861 # ifndef OPENSSL_NO_DEPRECATED_3_0
9862 else if (idx == 8) {
9863 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
9865 } else if (idx == 10) {
9866 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
9870 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9871 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9872 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
9876 * If autoon then we should succeed. Otherwise we expect failure because
9877 * there are no parameters
9879 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
9880 SSL_ERROR_NONE), expected))
9886 # ifndef OPENSSL_NO_DEPRECATED_3_0
9889 SSL_free(serverssl);
9890 SSL_free(clientssl);
9893 EVP_PKEY_free(dhpkey);
9899 * Test the auto DH keys are appropriately sized
9901 static int test_dh_auto(int idx)
9903 SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
9904 SSL_CTX *sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9905 SSL *clientssl = NULL, *serverssl = NULL;
9907 EVP_PKEY *tmpkey = NULL;
9908 char *thiscert = NULL, *thiskey = NULL;
9909 size_t expdhsize = 0;
9910 const char *ciphersuite = "DHE-RSA-AES128-SHA";
9912 if (!TEST_ptr(sctx) || !TEST_ptr(cctx))
9917 /* The FIPS provider doesn't support this DH size - so we ignore it */
9922 thiscert = cert1024;
9923 thiskey = privkey1024;
9925 SSL_CTX_set_security_level(sctx, 1);
9926 SSL_CTX_set_security_level(cctx, 1);
9929 /* 2048 bit prime */
9935 thiscert = cert3072;
9936 thiskey = privkey3072;
9940 thiscert = cert4096;
9941 thiskey = privkey4096;
9945 thiscert = cert8192;
9946 thiskey = privkey8192;
9949 /* No certificate cases */
9951 /* The FIPS provider doesn't support this DH size - so we ignore it */
9956 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
9960 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
9964 TEST_error("Invalid text index");
9968 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL,
9972 &sctx, &cctx, thiscert, thiskey)))
9975 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9979 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
9980 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9981 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9982 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
9983 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
9987 * Send the server's first flight. At this point the server has created the
9988 * temporary DH key but hasn't finished using it yet. Once used it is
9989 * removed, so we cannot test it.
9991 if (!TEST_int_le(SSL_connect(clientssl), 0)
9992 || !TEST_int_le(SSL_accept(serverssl), 0))
9995 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
9997 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
10000 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10006 SSL_free(serverssl);
10007 SSL_free(clientssl);
10008 SSL_CTX_free(sctx);
10009 SSL_CTX_free(cctx);
10010 EVP_PKEY_free(tmpkey);
10015 # endif /* OPENSSL_NO_DH */
10016 #endif /* OPENSSL_NO_TLS1_2 */
10018 #ifndef OSSL_NO_USABLE_TLS1_3
10020 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
10021 * that it works even without a certificate configured for the original
10024 static int test_sni_tls13(void)
10026 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
10027 SSL *clientssl = NULL, *serverssl = NULL;
10028 int testresult = 0;
10030 /* Reset callback counter */
10033 /* Create an initial SSL_CTX with no certificate configured */
10034 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10035 if (!TEST_ptr(sctx))
10037 /* Require TLSv1.3 as a minimum */
10038 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10039 TLS_client_method(), TLS1_3_VERSION, 0,
10040 &sctx2, &cctx, cert, privkey)))
10044 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
10045 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
10049 * Connection should still succeed because the final SSL_CTX has the right
10050 * certificates configured.
10052 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10053 &clientssl, NULL, NULL))
10054 || !TEST_true(create_ssl_connection(serverssl, clientssl,
10058 /* We should have had the SNI callback called exactly once */
10059 if (!TEST_int_eq(snicb, 1))
10065 SSL_free(serverssl);
10066 SSL_free(clientssl);
10067 SSL_CTX_free(sctx2);
10068 SSL_CTX_free(sctx);
10069 SSL_CTX_free(cctx);
10074 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
10078 static int test_ticket_lifetime(int idx)
10080 SSL_CTX *cctx = NULL, *sctx = NULL;
10081 SSL *clientssl = NULL, *serverssl = NULL;
10082 int testresult = 0;
10083 int version = TLS1_3_VERSION;
10085 #define ONE_WEEK_SEC (7 * 24 * 60 * 60)
10086 #define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
10089 #ifdef OPENSSL_NO_TLS1_2
10090 return TEST_skip("TLS 1.2 is disabled.");
10092 version = TLS1_2_VERSION;
10096 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10097 TLS_client_method(), version, version,
10098 &sctx, &cctx, cert, privkey)))
10101 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10102 &clientssl, NULL, NULL)))
10106 * Set the timeout to be more than 1 week
10107 * make sure the returned value is the default
10109 if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
10110 SSL_get_default_timeout(serverssl)))
10113 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10117 /* TLSv1.2 uses the set value */
10118 if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC))
10121 /* TLSv1.3 uses the limited value */
10122 if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC))
10128 SSL_free(serverssl);
10129 SSL_free(clientssl);
10130 SSL_CTX_free(sctx);
10131 SSL_CTX_free(cctx);
10136 * Test that setting an ALPN does not violate RFC
10138 static int test_set_alpn(void)
10140 SSL_CTX *ctx = NULL;
10142 int testresult = 0;
10144 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
10145 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
10146 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
10147 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
10148 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
10149 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
10151 /* Create an initial SSL_CTX with no certificate configured */
10152 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10153 if (!TEST_ptr(ctx))
10156 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
10157 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
10159 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
10161 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
10163 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
10165 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
10167 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
10169 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
10171 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
10173 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
10176 ssl = SSL_new(ctx);
10177 if (!TEST_ptr(ssl))
10180 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
10182 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
10184 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
10186 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
10188 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
10190 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
10192 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
10194 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
10196 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
10208 * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
10210 static int test_set_verify_cert_store_ssl_ctx(void)
10212 SSL_CTX *ctx = NULL;
10213 int testresult = 0;
10214 X509_STORE *store = NULL, *new_store = NULL,
10215 *cstore = NULL, *new_cstore = NULL;
10217 /* Create an initial SSL_CTX. */
10218 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10219 if (!TEST_ptr(ctx))
10222 /* Retrieve verify store pointer. */
10223 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10226 /* Retrieve chain store pointer. */
10227 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10230 /* We haven't set any yet, so this should be NULL. */
10231 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10234 /* Create stores. We use separate stores so pointers are different. */
10235 new_store = X509_STORE_new();
10236 if (!TEST_ptr(new_store))
10239 new_cstore = X509_STORE_new();
10240 if (!TEST_ptr(new_cstore))
10244 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store)))
10247 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore)))
10250 /* Should be able to retrieve the same pointer. */
10251 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10254 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10257 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10260 /* Should be able to unset again. */
10261 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL)))
10264 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL)))
10267 /* Should now be NULL. */
10268 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10271 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10274 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10280 X509_STORE_free(new_store);
10281 X509_STORE_free(new_cstore);
10287 * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store.
10289 static int test_set_verify_cert_store_ssl(void)
10291 SSL_CTX *ctx = NULL;
10293 int testresult = 0;
10294 X509_STORE *store = NULL, *new_store = NULL,
10295 *cstore = NULL, *new_cstore = NULL;
10297 /* Create an initial SSL_CTX. */
10298 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10299 if (!TEST_ptr(ctx))
10302 /* Create an SSL object. */
10303 ssl = SSL_new(ctx);
10304 if (!TEST_ptr(ssl))
10307 /* Retrieve verify store pointer. */
10308 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10311 /* Retrieve chain store pointer. */
10312 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10315 /* We haven't set any yet, so this should be NULL. */
10316 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10319 /* Create stores. We use separate stores so pointers are different. */
10320 new_store = X509_STORE_new();
10321 if (!TEST_ptr(new_store))
10324 new_cstore = X509_STORE_new();
10325 if (!TEST_ptr(new_cstore))
10329 if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store)))
10332 if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore)))
10335 /* Should be able to retrieve the same pointer. */
10336 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10339 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10342 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10345 /* Should be able to unset again. */
10346 if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL)))
10349 if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL)))
10352 /* Should now be NULL. */
10353 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10356 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10359 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10365 X509_STORE_free(new_store);
10366 X509_STORE_free(new_cstore);
10373 static int test_inherit_verify_param(void)
10375 int testresult = 0;
10377 SSL_CTX *ctx = NULL;
10378 X509_VERIFY_PARAM *cp = NULL;
10380 X509_VERIFY_PARAM *sp = NULL;
10381 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
10383 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10384 if (!TEST_ptr(ctx))
10387 cp = SSL_CTX_get0_param(ctx);
10390 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
10393 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
10395 ssl = SSL_new(ctx);
10396 if (!TEST_ptr(ssl))
10399 sp = SSL_get0_param(ssl);
10402 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
10414 static int test_load_dhfile(void)
10416 #ifndef OPENSSL_NO_DH
10417 int testresult = 0;
10419 SSL_CTX *ctx = NULL;
10420 SSL_CONF_CTX *cctx = NULL;
10422 if (dhfile == NULL)
10425 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()))
10426 || !TEST_ptr(cctx = SSL_CONF_CTX_new()))
10429 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
10430 SSL_CONF_CTX_set_flags(cctx,
10431 SSL_CONF_FLAG_CERTIFICATE
10432 | SSL_CONF_FLAG_SERVER
10433 | SSL_CONF_FLAG_FILE);
10435 if (!TEST_int_eq(SSL_CONF_cmd(cctx, "DHParameters", dhfile), 2))
10440 SSL_CONF_CTX_free(cctx);
10445 return TEST_skip("DH not supported by this build");
10449 #ifndef OSSL_NO_USABLE_TLS1_3
10450 /* Test that read_ahead works across a key change */
10451 static int test_read_ahead_key_change(void)
10453 SSL_CTX *cctx = NULL, *sctx = NULL;
10454 SSL *clientssl = NULL, *serverssl = NULL;
10455 int testresult = 0;
10456 char *msg = "Hello World";
10457 size_t written, readbytes;
10461 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10462 TLS_client_method(), TLS1_3_VERSION, 0,
10463 &sctx, &cctx, cert, privkey)))
10466 SSL_CTX_set_read_ahead(sctx, 1);
10468 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10469 &clientssl, NULL, NULL)))
10472 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10475 /* Write some data, send a key update, write more data */
10476 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10477 || !TEST_size_t_eq(written, strlen(msg)))
10480 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
10483 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10484 || !TEST_size_t_eq(written, strlen(msg)))
10488 * Since read_ahead is on the first read below should read the record with
10489 * the first app data, the second record with the key update message, and
10490 * the third record with the app data all in one go. We should be able to
10491 * still process the read_ahead data correctly even though it crosses
10494 for (i = 0; i < 2; i++) {
10495 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
10499 buf[readbytes] = '\0';
10500 if (!TEST_str_eq(buf, msg))
10507 SSL_free(serverssl);
10508 SSL_free(clientssl);
10509 SSL_CTX_free(sctx);
10510 SSL_CTX_free(cctx);
10514 static size_t record_pad_cb(SSL *s, int type, size_t len, void *arg)
10518 switch ((*called)++) {
10520 /* Add some padding to first record */
10523 /* Maximally pad the second record */
10524 return SSL3_RT_MAX_PLAIN_LENGTH - len;
10527 * Exceeding the maximum padding should be fine. It should just pad to
10528 * the maximum anyway
10530 return SSL3_RT_MAX_PLAIN_LENGTH + 1 - len;
10533 * Very large padding should also be ok. Should just pad to the maximum
10543 * Test that setting record padding in TLSv1.3 works as expected
10544 * Test 0: Record padding callback on the SSL_CTX
10545 * Test 1: Record padding callback on the SSL
10546 * Test 2: Record block padding on the SSL_CTX
10547 * Test 3: Record block padding on the SSL
10549 static int test_tls13_record_padding(int idx)
10551 SSL_CTX *cctx = NULL, *sctx = NULL;
10552 SSL *clientssl = NULL, *serverssl = NULL;
10553 int testresult = 0;
10554 char *msg = "Hello World";
10555 size_t written, readbytes;
10560 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10561 TLS_client_method(), TLS1_3_VERSION, 0,
10562 &sctx, &cctx, cert, privkey)))
10566 SSL_CTX_set_record_padding_callback(cctx, record_pad_cb);
10567 SSL_CTX_set_record_padding_callback_arg(cctx, &called);
10568 if (!TEST_ptr_eq(SSL_CTX_get_record_padding_callback_arg(cctx), &called))
10570 } else if (idx == 2) {
10571 /* Exceeding the max plain length should fail */
10572 if (!TEST_false(SSL_CTX_set_block_padding(cctx,
10573 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
10575 if (!TEST_true(SSL_CTX_set_block_padding(cctx, 512)))
10579 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10580 &clientssl, NULL, NULL)))
10584 SSL_set_record_padding_callback(clientssl, record_pad_cb);
10585 SSL_set_record_padding_callback_arg(clientssl, &called);
10586 if (!TEST_ptr_eq(SSL_get_record_padding_callback_arg(clientssl), &called))
10588 } else if (idx == 3) {
10589 /* Exceeding the max plain length should fail */
10590 if (!TEST_false(SSL_set_block_padding(clientssl,
10591 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
10593 if (!TEST_true(SSL_set_block_padding(clientssl, 512)))
10597 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10602 * Write some data, then check we can read it. Do this four times to check
10603 * we can continue to write and read padded data after the initial record
10604 * padding has been added. We don't actually check that the padding has
10605 * been applied to the record - just that we can continue to communicate
10606 * normally and that the callback has been called (if appropriate).
10608 for (i = 0; i < 4; i++) {
10609 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10610 || !TEST_size_t_eq(written, strlen(msg)))
10613 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
10615 || !TEST_size_t_eq(written, readbytes))
10618 buf[readbytes] = '\0';
10619 if (!TEST_str_eq(buf, msg))
10623 if ((idx == 0 || idx == 1) && !TEST_int_eq(called, 4))
10628 SSL_free(serverssl);
10629 SSL_free(clientssl);
10630 SSL_CTX_free(sctx);
10631 SSL_CTX_free(cctx);
10634 #endif /* OSSL_NO_USABLE_TLS1_3 */
10636 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
10638 * Test TLSv1.2 with a pipeline capable cipher. TLSv1.3 and DTLS do not
10639 * support this yet. The only pipeline capable cipher that we have is in the
10640 * dasync engine (providers don't support this yet), so we have to use
10641 * deprecated APIs for this test.
10643 * Test 0: Client has pipelining enabled, server does not
10644 * Test 1: Server has pipelining enabled, client does not
10645 * Test 2: Client has pipelining enabled, server does not: not enough data to
10646 * fill all the pipelines
10647 * Test 3: Client has pipelining enabled, server does not: not enough data to
10648 * fill all the pipelines by more than a full pipeline's worth
10649 * Test 4: Client has pipelining enabled, server does not: more data than all
10650 * the available pipelines can take
10651 * Test 5: Client has pipelining enabled, server does not: Maximum size pipeline
10653 static int test_pipelining(int idx)
10655 SSL_CTX *cctx = NULL, *sctx = NULL;
10656 SSL *clientssl = NULL, *serverssl = NULL, *peera, *peerb;
10657 int testresult = 0, numreads;
10658 /* A 55 byte message */
10659 unsigned char *msg = (unsigned char *)
10660 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123";
10661 size_t written, readbytes, offset, msglen, fragsize = 10, numpipes = 5;
10662 size_t expectedreads;
10663 unsigned char *buf = NULL;
10666 if (!TEST_ptr(e = ENGINE_by_id("dasync")))
10669 if (!TEST_true(ENGINE_init(e))) {
10674 if (!TEST_true(ENGINE_register_ciphers(e)))
10677 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10678 TLS_client_method(), 0,
10679 TLS1_2_VERSION, &sctx, &cctx, cert,
10683 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10684 &clientssl, NULL, NULL)))
10687 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES128-SHA")))
10690 /* peera is always configured for pipelining, while peerb is not. */
10702 /* Maximum allowed fragment size */
10703 fragsize = SSL3_RT_MAX_PLAIN_LENGTH;
10704 msglen = fragsize * numpipes;
10705 msg = OPENSSL_malloc(msglen);
10706 if (!TEST_ptr(msg))
10708 if (!TEST_int_gt(RAND_bytes_ex(libctx, msg, msglen, 0), 0))
10710 } else if (idx == 4) {
10716 msglen -= 2; /* Send 2 less bytes */
10718 msglen -= 12; /* Send 12 less bytes */
10720 buf = OPENSSL_malloc(msglen);
10721 if (!TEST_ptr(buf))
10726 * Test that setting a split send fragment longer than the maximum
10729 if (!TEST_false(SSL_set_split_send_fragment(peera, fragsize + 1)))
10734 * In the normal case. We have 5 pipelines with 10 bytes per pipeline
10735 * (50 bytes in total). This is a ridiculously small number of bytes -
10736 * but sufficient for our purposes
10738 if (!TEST_true(SSL_set_max_pipelines(peera, numpipes))
10739 || !TEST_true(SSL_set_split_send_fragment(peera, fragsize)))
10742 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10745 /* Write some data from peera to peerb */
10746 if (!TEST_true(SSL_write_ex(peera, msg, msglen, &written))
10747 || !TEST_size_t_eq(written, msglen))
10751 * If the pipelining code worked, then we expect all |numpipes| pipelines to
10752 * have been used - except in test 3 where only |numpipes - 1| pipelines
10753 * will be used. This will result in |numpipes| records (|numpipes - 1| for
10754 * test 3) having been sent to peerb. Since peerb is not using read_ahead we
10755 * expect this to be read in |numpipes| or |numpipes - 1| separate
10756 * SSL_read_ex calls. In the case of test 4, there is then one additional
10757 * read for left over data that couldn't fit in the previous pipelines
10759 for (offset = 0, numreads = 0;
10761 offset += readbytes, numreads++) {
10762 if (!TEST_true(SSL_read_ex(peerb, buf + offset,
10763 msglen - offset, &readbytes)))
10767 expectedreads = idx == 4 ? numpipes + 1
10768 : (idx == 3 ? numpipes - 1 : numpipes);
10769 if (!TEST_mem_eq(msg, msglen, buf, offset)
10770 || !TEST_int_eq(numreads, expectedreads))
10774 * Write some data from peerb to peera. We do this in up to |numpipes + 1|
10775 * chunks to exercise the read pipelining code on peera.
10777 for (offset = 0; offset < msglen; offset += fragsize) {
10778 size_t sendlen = msglen - offset;
10780 if (sendlen > fragsize)
10781 sendlen = fragsize;
10782 if (!TEST_true(SSL_write_ex(peerb, msg + offset, sendlen, &written))
10783 || !TEST_size_t_eq(written, sendlen))
10788 * The data was written in |numpipes|, |numpipes - 1| or |numpipes + 1|
10789 * separate chunks (depending on which test we are running). If the
10790 * pipelining is working then we expect peera to read up to numpipes chunks
10791 * and process them in parallel, giving back the complete result in a single
10792 * call to SSL_read_ex
10794 if (!TEST_true(SSL_read_ex(peera, buf, msglen, &readbytes))
10795 || !TEST_size_t_le(readbytes, msglen))
10801 if (!TEST_true(SSL_read_ex(peera, buf + readbytes,
10802 msglen - readbytes, &readbytes2)))
10804 readbytes += readbytes2;
10805 if (!TEST_size_t_le(readbytes, msglen))
10809 if (!TEST_mem_eq(msg, msglen, buf, readbytes))
10814 SSL_free(serverssl);
10815 SSL_free(clientssl);
10816 SSL_CTX_free(sctx);
10817 SSL_CTX_free(cctx);
10818 ENGINE_unregister_ciphers(e);
10826 #endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) */
10828 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
10830 int setup_tests(void)
10835 libctx = OSSL_LIB_CTX_new();
10836 if (!TEST_ptr(libctx))
10839 defctxnull = OSSL_PROVIDER_load(NULL, "null");
10842 * Verify that the default and fips providers in the default libctx are not
10845 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
10846 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
10849 if (!test_skip_common_options()) {
10850 TEST_error("Error parsing test options\n");
10854 if (!TEST_ptr(certsdir = test_get_argument(0))
10855 || !TEST_ptr(srpvfile = test_get_argument(1))
10856 || !TEST_ptr(tmpfilename = test_get_argument(2))
10857 || !TEST_ptr(modulename = test_get_argument(3))
10858 || !TEST_ptr(configfile = test_get_argument(4))
10859 || !TEST_ptr(dhfile = test_get_argument(5)))
10862 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
10865 /* Check we have the expected provider available */
10866 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
10869 /* Check the default provider is not available */
10870 if (strcmp(modulename, "default") != 0
10871 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
10874 if (strcmp(modulename, "fips") == 0) {
10875 OSSL_PROVIDER *prov = NULL;
10876 OSSL_PARAM params[2];
10880 prov = OSSL_PROVIDER_load(libctx, "fips");
10881 if (prov != NULL) {
10882 /* Query the fips provider to check if the check ems option is enabled */
10884 OSSL_PARAM_construct_int(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK,
10886 params[1] = OSSL_PARAM_construct_end();
10887 OSSL_PROVIDER_get_params(prov, params);
10888 OSSL_PROVIDER_unload(prov);
10893 * We add, but don't load the test "tls-provider". We'll load it when we
10896 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
10897 tls_provider_init)))
10901 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
10902 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
10903 TEST_error("not supported in this build");
10906 int i, mcount, rcount, fcount;
10908 for (i = 0; i < 4; i++)
10909 test_export_key_mat(i);
10910 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
10911 test_printf_stdout("malloc %d realloc %d free %d\n",
10912 mcount, rcount, fcount);
10917 cert = test_mk_file_path(certsdir, "servercert.pem");
10921 privkey = test_mk_file_path(certsdir, "serverkey.pem");
10922 if (privkey == NULL)
10925 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
10929 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
10930 if (privkey2 == NULL)
10933 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
10934 if (cert1024 == NULL)
10937 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
10938 if (privkey1024 == NULL)
10941 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
10942 if (cert3072 == NULL)
10945 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
10946 if (privkey3072 == NULL)
10949 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
10950 if (cert4096 == NULL)
10953 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
10954 if (privkey4096 == NULL)
10957 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
10958 if (cert8192 == NULL)
10961 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
10962 if (privkey8192 == NULL)
10965 if (fips_ems_check) {
10966 #ifndef OPENSSL_NO_TLS1_2
10967 ADD_TEST(test_no_ems);
10971 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
10972 # if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
10973 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
10974 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS * 2);
10977 ADD_TEST(test_large_message_tls);
10978 ADD_TEST(test_large_message_tls_read_ahead);
10979 #ifndef OPENSSL_NO_DTLS
10980 ADD_TEST(test_large_message_dtls);
10982 ADD_ALL_TESTS(test_large_app_data, 28);
10983 ADD_TEST(test_cleanse_plaintext);
10984 #ifndef OPENSSL_NO_OCSP
10985 ADD_TEST(test_tlsext_status_type);
10987 ADD_TEST(test_session_with_only_int_cache);
10988 ADD_TEST(test_session_with_only_ext_cache);
10989 ADD_TEST(test_session_with_both_cache);
10990 ADD_TEST(test_session_wo_ca_names);
10991 #ifndef OSSL_NO_USABLE_TLS1_3
10992 ADD_ALL_TESTS(test_stateful_tickets, 3);
10993 ADD_ALL_TESTS(test_stateless_tickets, 3);
10994 ADD_TEST(test_psk_tickets);
10995 ADD_ALL_TESTS(test_extra_tickets, 6);
10997 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
10998 ADD_TEST(test_ssl_bio_pop_next_bio);
10999 ADD_TEST(test_ssl_bio_pop_ssl_bio);
11000 ADD_TEST(test_ssl_bio_change_rbio);
11001 ADD_TEST(test_ssl_bio_change_wbio);
11002 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
11003 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
11004 ADD_TEST(test_keylog);
11006 #ifndef OSSL_NO_USABLE_TLS1_3
11007 ADD_TEST(test_keylog_no_master_key);
11009 ADD_TEST(test_client_cert_verify_cb);
11010 ADD_TEST(test_ssl_build_cert_chain);
11011 ADD_TEST(test_ssl_ctx_build_cert_chain);
11012 #ifndef OPENSSL_NO_TLS1_2
11013 ADD_TEST(test_client_hello_cb);
11014 ADD_TEST(test_no_ems);
11015 ADD_TEST(test_ccs_change_cipher);
11017 #ifndef OSSL_NO_USABLE_TLS1_3
11018 ADD_ALL_TESTS(test_early_data_read_write, 6);
11020 * We don't do replay tests for external PSK. Replay protection isn't used
11021 * in that scenario.
11023 ADD_ALL_TESTS(test_early_data_replay, 2);
11024 ADD_ALL_TESTS(test_early_data_skip, OSSL_NELEM(ciphersuites) * 3);
11025 ADD_ALL_TESTS(test_early_data_skip_hrr, OSSL_NELEM(ciphersuites) * 3);
11026 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, OSSL_NELEM(ciphersuites) * 3);
11027 ADD_ALL_TESTS(test_early_data_skip_abort, OSSL_NELEM(ciphersuites) * 3);
11028 ADD_ALL_TESTS(test_early_data_not_sent, 3);
11029 ADD_ALL_TESTS(test_early_data_psk, 8);
11030 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
11031 ADD_ALL_TESTS(test_early_data_not_expected, 3);
11032 # ifndef OPENSSL_NO_TLS1_2
11033 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
11036 #ifndef OSSL_NO_USABLE_TLS1_3
11037 ADD_ALL_TESTS(test_set_ciphersuite, 10);
11038 ADD_TEST(test_ciphersuite_change);
11039 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
11040 # ifdef OPENSSL_NO_PSK
11041 ADD_ALL_TESTS(test_tls13_psk, 1);
11043 ADD_ALL_TESTS(test_tls13_psk, 4);
11044 # endif /* OPENSSL_NO_PSK */
11045 # ifndef OPENSSL_NO_TLS1_2
11046 /* Test with both TLSv1.3 and 1.2 versions */
11047 ADD_ALL_TESTS(test_key_exchange, 14);
11048 # if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
11049 ADD_ALL_TESTS(test_negotiated_group,
11050 4 * (OSSL_NELEM(ecdhe_kexch_groups)
11051 + OSSL_NELEM(ffdhe_kexch_groups)));
11054 /* Test with only TLSv1.3 versions */
11055 ADD_ALL_TESTS(test_key_exchange, 12);
11057 ADD_ALL_TESTS(test_custom_exts, 6);
11058 ADD_TEST(test_stateless);
11059 ADD_TEST(test_pha_key_update);
11061 ADD_ALL_TESTS(test_custom_exts, 3);
11063 ADD_ALL_TESTS(test_export_key_mat, 6);
11064 #ifndef OSSL_NO_USABLE_TLS1_3
11065 ADD_ALL_TESTS(test_export_key_mat_early, 3);
11066 ADD_TEST(test_key_update);
11067 ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
11068 ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
11069 ADD_ALL_TESTS(test_key_update_local_in_write, 2);
11070 ADD_ALL_TESTS(test_key_update_local_in_read, 2);
11072 ADD_ALL_TESTS(test_ssl_clear, 2);
11073 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
11074 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
11075 ADD_ALL_TESTS(test_srp, 6);
11077 #if !defined(OPENSSL_NO_COMP_ALG)
11078 /* Add compression case */
11079 ADD_ALL_TESTS(test_info_callback, 8);
11081 ADD_ALL_TESTS(test_info_callback, 6);
11083 ADD_ALL_TESTS(test_ssl_pending, 2);
11084 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
11085 ADD_ALL_TESTS(test_ticket_callbacks, 20);
11086 ADD_ALL_TESTS(test_shutdown, 7);
11087 ADD_TEST(test_async_shutdown);
11088 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
11089 ADD_ALL_TESTS(test_cert_cb, 6);
11090 ADD_ALL_TESTS(test_client_cert_cb, 2);
11091 ADD_ALL_TESTS(test_ca_names, 3);
11092 #ifndef OPENSSL_NO_TLS1_2
11093 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
11095 ADD_ALL_TESTS(test_servername, 10);
11096 #if !defined(OPENSSL_NO_EC) \
11097 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
11098 ADD_ALL_TESTS(test_sigalgs_available, 6);
11100 #ifndef OPENSSL_NO_TLS1_3
11101 ADD_ALL_TESTS(test_pluggable_group, 2);
11102 ADD_ALL_TESTS(test_pluggable_signature, 4);
11104 #ifndef OPENSSL_NO_TLS1_2
11105 ADD_TEST(test_ssl_dup);
11106 # ifndef OPENSSL_NO_DH
11107 ADD_ALL_TESTS(test_set_tmp_dh, 11);
11108 ADD_ALL_TESTS(test_dh_auto, 7);
11111 #ifndef OSSL_NO_USABLE_TLS1_3
11112 ADD_TEST(test_sni_tls13);
11113 ADD_ALL_TESTS(test_ticket_lifetime, 2);
11115 ADD_TEST(test_inherit_verify_param);
11116 ADD_TEST(test_set_alpn);
11117 ADD_TEST(test_set_verify_cert_store_ssl_ctx);
11118 ADD_TEST(test_set_verify_cert_store_ssl);
11119 ADD_ALL_TESTS(test_session_timeout, 1);
11120 ADD_TEST(test_load_dhfile);
11121 #ifndef OSSL_NO_USABLE_TLS1_3
11122 ADD_TEST(test_read_ahead_key_change);
11123 ADD_ALL_TESTS(test_tls13_record_padding, 4);
11125 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
11126 ADD_ALL_TESTS(test_serverinfo_custom, 4);
11128 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
11129 ADD_ALL_TESTS(test_pipelining, 6);
11134 OPENSSL_free(cert);
11135 OPENSSL_free(privkey);
11136 OPENSSL_free(cert2);
11137 OPENSSL_free(privkey2);
11141 void cleanup_tests(void)
11143 # if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
11144 EVP_PKEY_free(tmp_dh_params);
11146 OPENSSL_free(cert);
11147 OPENSSL_free(privkey);
11148 OPENSSL_free(cert2);
11149 OPENSSL_free(privkey2);
11150 OPENSSL_free(cert1024);
11151 OPENSSL_free(privkey1024);
11152 OPENSSL_free(cert3072);
11153 OPENSSL_free(privkey3072);
11154 OPENSSL_free(cert4096);
11155 OPENSSL_free(privkey4096);
11156 OPENSSL_free(cert8192);
11157 OPENSSL_free(privkey8192);
11158 bio_s_mempacket_test_free();
11159 bio_s_always_retry_free();
11160 OSSL_PROVIDER_unload(defctxnull);
11161 OSSL_LIB_CTX_free(libctx);
projects / openssl.git / blob