2 * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/core_dispatch.h>
32 #include <openssl/provider.h>
33 #include <openssl/param_build.h>
34 #include <openssl/x509v3.h>
35 #include <openssl/dh.h>
36 #include <openssl/engine.h>
38 #include "helpers/ssltestlib.h"
40 #include "testutil/output.h"
41 #include "internal/nelem.h"
42 #include "internal/tlsgroups.h"
43 #include "internal/ktls.h"
44 #include "../ssl/ssl_local.h"
45 #include "../ssl/record/methods/recmethod_local.h"
46 #include "filterprov.h"
48 #undef OSSL_NO_USABLE_TLS1_3
49 #if defined(OPENSSL_NO_TLS1_3) \
50 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
52 * If we don't have ec or dh then there are no built-in groups that are usable
55 # define OSSL_NO_USABLE_TLS1_3
58 /* Defined in tls-provider.c */
59 int tls_provider_init(const OSSL_CORE_HANDLE *handle,
60 const OSSL_DISPATCH *in,
61 const OSSL_DISPATCH **out,
64 static OSSL_LIB_CTX *libctx = NULL;
65 static OSSL_PROVIDER *defctxnull = NULL;
67 #ifndef OSSL_NO_USABLE_TLS1_3
69 static SSL_SESSION *clientpsk = NULL;
70 static SSL_SESSION *serverpsk = NULL;
71 static const char *pskid = "Identity";
72 static const char *srvid;
74 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
75 size_t *idlen, SSL_SESSION **sess);
76 static int find_session_cb(SSL *ssl, const unsigned char *identity,
77 size_t identity_len, SSL_SESSION **sess);
79 static int use_session_cb_cnt = 0;
80 static int find_session_cb_cnt = 0;
83 static char *certsdir = NULL;
84 static char *cert = NULL;
85 static char *privkey = NULL;
86 static char *cert2 = NULL;
87 static char *privkey2 = NULL;
88 static char *cert1024 = NULL;
89 static char *privkey1024 = NULL;
90 static char *cert3072 = NULL;
91 static char *privkey3072 = NULL;
92 static char *cert4096 = NULL;
93 static char *privkey4096 = NULL;
94 static char *cert8192 = NULL;
95 static char *privkey8192 = NULL;
96 static char *srpvfile = NULL;
97 static char *tmpfilename = NULL;
98 static char *dhfile = NULL;
100 static int is_fips = 0;
101 static int fips_ems_check = 0;
103 #define LOG_BUFFER_SIZE 2048
104 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
105 static size_t server_log_buffer_index = 0;
106 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
107 static size_t client_log_buffer_index = 0;
108 static int error_writing_log = 0;
110 #ifndef OPENSSL_NO_OCSP
111 static const unsigned char orespder[] = "Dummy OCSP Response";
112 static int ocsp_server_called = 0;
113 static int ocsp_client_called = 0;
115 static int cdummyarg = 1;
116 static X509 *ocspcert = NULL;
119 #define CLIENT_VERSION_LEN 2
122 * This structure is used to validate that the correct number of log messages
123 * of various types are emitted when emitting secret logs.
125 struct sslapitest_log_counts {
126 unsigned int rsa_key_exchange_count;
127 unsigned int master_secret_count;
128 unsigned int client_early_secret_count;
129 unsigned int client_handshake_secret_count;
130 unsigned int server_handshake_secret_count;
131 unsigned int client_application_secret_count;
132 unsigned int server_application_secret_count;
133 unsigned int early_exporter_secret_count;
134 unsigned int exporter_secret_count;
138 static int hostname_cb(SSL *s, int *al, void *arg)
140 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
142 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
143 || strcmp(hostname, "altgoodhost") == 0))
144 return SSL_TLSEXT_ERR_OK;
146 return SSL_TLSEXT_ERR_NOACK;
149 static void client_keylog_callback(const SSL *ssl, const char *line)
151 int line_length = strlen(line);
153 /* If the log doesn't fit, error out. */
154 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
155 TEST_info("Client log too full");
156 error_writing_log = 1;
160 strcat(client_log_buffer, line);
161 client_log_buffer_index += line_length;
162 client_log_buffer[client_log_buffer_index++] = '\n';
165 static void server_keylog_callback(const SSL *ssl, const char *line)
167 int line_length = strlen(line);
169 /* If the log doesn't fit, error out. */
170 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
171 TEST_info("Server log too full");
172 error_writing_log = 1;
176 strcat(server_log_buffer, line);
177 server_log_buffer_index += line_length;
178 server_log_buffer[server_log_buffer_index++] = '\n';
181 static int compare_hex_encoded_buffer(const char *hex_encoded,
189 if (!TEST_size_t_eq(raw_length * 2, hex_length))
192 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
193 sprintf(hexed, "%02x", raw[i]);
194 if (!TEST_int_eq(hexed[0], hex_encoded[j])
195 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
202 static int test_keylog_output(char *buffer, const SSL *ssl,
203 const SSL_SESSION *session,
204 struct sslapitest_log_counts *expected)
207 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
208 size_t client_random_size = SSL3_RANDOM_SIZE;
209 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
210 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
211 unsigned int rsa_key_exchange_count = 0;
212 unsigned int master_secret_count = 0;
213 unsigned int client_early_secret_count = 0;
214 unsigned int client_handshake_secret_count = 0;
215 unsigned int server_handshake_secret_count = 0;
216 unsigned int client_application_secret_count = 0;
217 unsigned int server_application_secret_count = 0;
218 unsigned int early_exporter_secret_count = 0;
219 unsigned int exporter_secret_count = 0;
221 for (token = strtok(buffer, " \n"); token != NULL;
222 token = strtok(NULL, " \n")) {
223 if (strcmp(token, "RSA") == 0) {
225 * Premaster secret. Tokens should be: 16 ASCII bytes of
226 * hex-encoded encrypted secret, then the hex-encoded pre-master
229 if (!TEST_ptr(token = strtok(NULL, " \n")))
231 if (!TEST_size_t_eq(strlen(token), 16))
233 if (!TEST_ptr(token = strtok(NULL, " \n")))
236 * We can't sensibly check the log because the premaster secret is
237 * transient, and OpenSSL doesn't keep hold of it once the master
238 * secret is generated.
240 rsa_key_exchange_count++;
241 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
243 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
244 * client random, then the hex-encoded master secret.
246 client_random_size = SSL_get_client_random(ssl,
247 actual_client_random,
249 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
252 if (!TEST_ptr(token = strtok(NULL, " \n")))
254 if (!TEST_size_t_eq(strlen(token), 64))
256 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
257 actual_client_random,
258 client_random_size)))
261 if (!TEST_ptr(token = strtok(NULL, " \n")))
263 master_key_size = SSL_SESSION_get_master_key(session,
266 if (!TEST_size_t_ne(master_key_size, 0))
268 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
272 master_secret_count++;
273 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
274 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
275 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
276 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
277 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
278 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
279 || strcmp(token, "EXPORTER_SECRET") == 0) {
281 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
282 * client random, and then the hex-encoded secret. In this case,
283 * we treat all of these secrets identically and then just
284 * distinguish between them when counting what we saw.
286 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
287 client_early_secret_count++;
288 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
289 client_handshake_secret_count++;
290 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
291 server_handshake_secret_count++;
292 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
293 client_application_secret_count++;
294 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
295 server_application_secret_count++;
296 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
297 early_exporter_secret_count++;
298 else if (strcmp(token, "EXPORTER_SECRET") == 0)
299 exporter_secret_count++;
301 client_random_size = SSL_get_client_random(ssl,
302 actual_client_random,
304 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
307 if (!TEST_ptr(token = strtok(NULL, " \n")))
309 if (!TEST_size_t_eq(strlen(token), 64))
311 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
312 actual_client_random,
313 client_random_size)))
316 if (!TEST_ptr(token = strtok(NULL, " \n")))
319 TEST_info("Unexpected token %s\n", token);
324 /* Got what we expected? */
325 if (!TEST_size_t_eq(rsa_key_exchange_count,
326 expected->rsa_key_exchange_count)
327 || !TEST_size_t_eq(master_secret_count,
328 expected->master_secret_count)
329 || !TEST_size_t_eq(client_early_secret_count,
330 expected->client_early_secret_count)
331 || !TEST_size_t_eq(client_handshake_secret_count,
332 expected->client_handshake_secret_count)
333 || !TEST_size_t_eq(server_handshake_secret_count,
334 expected->server_handshake_secret_count)
335 || !TEST_size_t_eq(client_application_secret_count,
336 expected->client_application_secret_count)
337 || !TEST_size_t_eq(server_application_secret_count,
338 expected->server_application_secret_count)
339 || !TEST_size_t_eq(early_exporter_secret_count,
340 expected->early_exporter_secret_count)
341 || !TEST_size_t_eq(exporter_secret_count,
342 expected->exporter_secret_count))
347 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
348 static int test_keylog(void)
350 SSL_CTX *cctx = NULL, *sctx = NULL;
351 SSL *clientssl = NULL, *serverssl = NULL;
353 struct sslapitest_log_counts expected;
355 /* Clean up logging space */
356 memset(&expected, 0, sizeof(expected));
357 memset(client_log_buffer, 0, sizeof(client_log_buffer));
358 memset(server_log_buffer, 0, sizeof(server_log_buffer));
359 client_log_buffer_index = 0;
360 server_log_buffer_index = 0;
361 error_writing_log = 0;
363 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
366 &sctx, &cctx, cert, privkey)))
369 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
370 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
371 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
373 /* We also want to ensure that we use RSA-based key exchange. */
374 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
377 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
378 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
380 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
381 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
382 == client_keylog_callback))
384 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
385 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
386 == server_keylog_callback))
389 /* Now do a handshake and check that the logs have been written to. */
390 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
391 &clientssl, NULL, NULL))
392 || !TEST_true(create_ssl_connection(serverssl, clientssl,
394 || !TEST_false(error_writing_log)
395 || !TEST_int_gt(client_log_buffer_index, 0)
396 || !TEST_int_gt(server_log_buffer_index, 0))
400 * Now we want to test that our output data was vaguely sensible. We
401 * do that by using strtok and confirming that we have more or less the
402 * data we expect. For both client and server, we expect to see one master
403 * secret. The client should also see an RSA key exchange.
405 expected.rsa_key_exchange_count = 1;
406 expected.master_secret_count = 1;
407 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
408 SSL_get_session(clientssl), &expected)))
411 expected.rsa_key_exchange_count = 0;
412 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
413 SSL_get_session(serverssl), &expected)))
428 #ifndef OSSL_NO_USABLE_TLS1_3
429 static int test_keylog_no_master_key(void)
431 SSL_CTX *cctx = NULL, *sctx = NULL;
432 SSL *clientssl = NULL, *serverssl = NULL;
433 SSL_SESSION *sess = NULL;
435 struct sslapitest_log_counts expected;
436 unsigned char buf[1];
437 size_t readbytes, written;
439 /* Clean up logging space */
440 memset(&expected, 0, sizeof(expected));
441 memset(client_log_buffer, 0, sizeof(client_log_buffer));
442 memset(server_log_buffer, 0, sizeof(server_log_buffer));
443 client_log_buffer_index = 0;
444 server_log_buffer_index = 0;
445 error_writing_log = 0;
447 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
448 TLS_client_method(), TLS1_VERSION, 0,
449 &sctx, &cctx, cert, privkey))
450 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
451 SSL3_RT_MAX_PLAIN_LENGTH)))
454 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
455 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
458 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
459 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
460 == client_keylog_callback))
463 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
464 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
465 == server_keylog_callback))
468 /* Now do a handshake and check that the logs have been written to. */
469 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
470 &clientssl, NULL, NULL))
471 || !TEST_true(create_ssl_connection(serverssl, clientssl,
473 || !TEST_false(error_writing_log))
477 * Now we want to test that our output data was vaguely sensible. For this
478 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
479 * TLSv1.3, but we do expect both client and server to emit keys.
481 expected.client_handshake_secret_count = 1;
482 expected.server_handshake_secret_count = 1;
483 expected.client_application_secret_count = 1;
484 expected.server_application_secret_count = 1;
485 expected.exporter_secret_count = 1;
486 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
487 SSL_get_session(clientssl), &expected))
488 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
489 SSL_get_session(serverssl),
493 /* Terminate old session and resume with early data. */
494 sess = SSL_get1_session(clientssl);
495 SSL_shutdown(clientssl);
496 SSL_shutdown(serverssl);
499 serverssl = clientssl = NULL;
502 memset(client_log_buffer, 0, sizeof(client_log_buffer));
503 memset(server_log_buffer, 0, sizeof(server_log_buffer));
504 client_log_buffer_index = 0;
505 server_log_buffer_index = 0;
507 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
508 &clientssl, NULL, NULL))
509 || !TEST_true(SSL_set_session(clientssl, sess))
510 /* Here writing 0 length early data is enough. */
511 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
512 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
514 SSL_READ_EARLY_DATA_ERROR)
515 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
516 SSL_EARLY_DATA_ACCEPTED)
517 || !TEST_true(create_ssl_connection(serverssl, clientssl,
519 || !TEST_true(SSL_session_reused(clientssl)))
522 /* In addition to the previous entries, expect early secrets. */
523 expected.client_early_secret_count = 1;
524 expected.early_exporter_secret_count = 1;
525 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
526 SSL_get_session(clientssl), &expected))
527 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
528 SSL_get_session(serverssl),
535 SSL_SESSION_free(sess);
545 static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
547 int res = X509_verify_cert(ctx);
548 int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
551 /* this should not happen but check anyway */
553 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL)
556 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
557 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
558 /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
559 return SSL_set_retry_verify(ssl);
564 static int test_client_cert_verify_cb(void)
566 /* server key, cert, chain, and root */
567 char *skey = test_mk_file_path(certsdir, "leaf.key");
568 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
569 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
570 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
571 char *root = test_mk_file_path(certsdir, "rootCA.pem");
572 X509 *crt1 = NULL, *crt2 = NULL;
573 STACK_OF(X509) *server_chain;
574 SSL_CTX *cctx = NULL, *sctx = NULL;
575 SSL *clientssl = NULL, *serverssl = NULL;
578 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
579 TLS_client_method(), TLS1_VERSION, 0,
580 &sctx, &cctx, NULL, NULL)))
582 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
583 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
584 SSL_FILETYPE_PEM), 1)
585 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
587 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
589 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
590 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
591 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
592 &clientssl, NULL, NULL)))
595 /* attempt SSL_connect() with incomplete server chain */
596 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
597 SSL_ERROR_WANT_RETRY_VERIFY)))
600 /* application provides intermediate certs needed to verify server cert */
601 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
602 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
603 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
605 /* add certs in reverse order to demonstrate real chain building */
606 if (!TEST_true(sk_X509_push(server_chain, crt1)))
609 if (!TEST_true(sk_X509_push(server_chain, crt2)))
613 /* continue SSL_connect(), must now succeed with completed server chain */
614 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
623 if (clientssl != NULL) {
624 SSL_shutdown(clientssl);
627 if (serverssl != NULL) {
628 SSL_shutdown(serverssl);
643 static int test_ssl_build_cert_chain(void)
646 SSL_CTX *ssl_ctx = NULL;
648 char *skey = test_mk_file_path(certsdir, "leaf.key");
649 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
651 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
653 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
655 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
656 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
657 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
658 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
660 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
661 | SSL_BUILD_CHAIN_FLAG_CHECK)))
666 SSL_CTX_free(ssl_ctx);
667 OPENSSL_free(leaf_chain);
672 static int get_password_cb(char *buf, int size, int rw_flag, void *userdata)
674 static const char pass[] = "testpass";
676 if (!TEST_int_eq(size, PEM_BUFSIZE))
679 memcpy(buf, pass, sizeof(pass) - 1);
680 return sizeof(pass) - 1;
683 static int test_ssl_ctx_build_cert_chain(void)
687 char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key");
688 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
690 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
692 SSL_CTX_set_default_passwd_cb(ctx, get_password_cb);
693 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
694 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
695 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
696 SSL_FILETYPE_PEM), 1)
697 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
699 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
700 | SSL_BUILD_CHAIN_FLAG_CHECK)))
705 OPENSSL_free(leaf_chain);
710 #ifndef OPENSSL_NO_TLS1_2
711 static int full_client_hello_callback(SSL *s, int *al, void *arg)
714 const unsigned char *p;
717 const unsigned char expected_ciphers[] = {0x00, 0x9d};
719 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
722 const int expected_extensions[] = {
724 #ifndef OPENSSL_NO_EC
730 /* Make sure we can defer processing and get called back. */
732 return SSL_CLIENT_HELLO_RETRY;
734 len = SSL_client_hello_get0_ciphers(s, &p);
735 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
737 SSL_client_hello_get0_compression_methods(s, &p), 1)
738 || !TEST_int_eq(*p, 0))
739 return SSL_CLIENT_HELLO_ERROR;
740 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
741 return SSL_CLIENT_HELLO_ERROR;
742 if (len != OSSL_NELEM(expected_extensions) ||
743 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
744 printf("ClientHello callback expected extensions mismatch\n");
746 return SSL_CLIENT_HELLO_ERROR;
749 return SSL_CLIENT_HELLO_SUCCESS;
752 static int test_client_hello_cb(void)
754 SSL_CTX *cctx = NULL, *sctx = NULL;
755 SSL *clientssl = NULL, *serverssl = NULL;
756 int testctr = 0, testresult = 0;
758 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
759 TLS_client_method(), TLS1_VERSION, 0,
760 &sctx, &cctx, cert, privkey)))
762 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
764 /* The gimpy cipher list we configure can't do TLS 1.3. */
765 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
767 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
768 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
769 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
770 &clientssl, NULL, NULL))
771 || !TEST_false(create_ssl_connection(serverssl, clientssl,
772 SSL_ERROR_WANT_CLIENT_HELLO_CB))
774 * Passing a -1 literal is a hack since
775 * the real value was lost.
777 || !TEST_int_eq(SSL_get_error(serverssl, -1),
778 SSL_ERROR_WANT_CLIENT_HELLO_CB)
779 || !TEST_true(create_ssl_connection(serverssl, clientssl,
794 static int test_no_ems(void)
796 SSL_CTX *cctx = NULL, *sctx = NULL;
797 SSL *clientssl = NULL, *serverssl = NULL;
798 int testresult = 0, status;
800 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
801 TLS1_VERSION, TLS1_2_VERSION,
802 &sctx, &cctx, cert, privkey)) {
803 printf("Unable to create SSL_CTX pair\n");
807 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
809 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
810 printf("Unable to create SSL objects\n");
814 status = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
815 if (fips_ems_check) {
817 printf("When FIPS uses the EMS check a connection that doesn't use EMS should fail\n");
822 printf("Creating SSL connection failed\n");
825 if (SSL_get_extms_support(serverssl)) {
826 printf("Server reports Extended Master Secret support\n");
829 if (SSL_get_extms_support(clientssl)) {
830 printf("Client reports Extended Master Secret support\n");
846 * Very focused test to exercise a single case in the server-side state
847 * machine, when the ChangeCipherState message needs to actually change
848 * from one cipher to a different cipher (i.e., not changing from null
849 * encryption to real encryption).
851 static int test_ccs_change_cipher(void)
853 SSL_CTX *cctx = NULL, *sctx = NULL;
854 SSL *clientssl = NULL, *serverssl = NULL;
855 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
862 * Create a connection so we can resume and potentially (but not) use
863 * a different cipher in the second connection.
865 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
867 TLS1_VERSION, TLS1_2_VERSION,
868 &sctx, &cctx, cert, privkey))
869 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
870 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
872 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
873 || !TEST_true(create_ssl_connection(serverssl, clientssl,
875 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
876 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
879 shutdown_ssl_connection(serverssl, clientssl);
880 serverssl = clientssl = NULL;
882 /* Resume, preferring a different cipher. Our server will force the
883 * same cipher to be used as the initial handshake. */
884 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
886 || !TEST_true(SSL_set_session(clientssl, sess))
887 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
888 || !TEST_true(create_ssl_connection(serverssl, clientssl,
890 || !TEST_true(SSL_session_reused(clientssl))
891 || !TEST_true(SSL_session_reused(serverssl))
892 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
893 || !TEST_ptr_eq(sesspre, sesspost)
894 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
895 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
897 shutdown_ssl_connection(serverssl, clientssl);
898 serverssl = clientssl = NULL;
901 * Now create a fresh connection and try to renegotiate a different
904 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
906 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
907 || !TEST_true(create_ssl_connection(serverssl, clientssl,
909 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
910 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
911 || !TEST_true(SSL_renegotiate(clientssl))
912 || !TEST_true(SSL_renegotiate_pending(clientssl)))
914 /* Actually drive the renegotiation. */
915 for (i = 0; i < 3; i++) {
916 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
917 if (!TEST_ulong_eq(readbytes, 0))
919 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
920 SSL_ERROR_WANT_READ)) {
923 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
924 if (!TEST_ulong_eq(readbytes, 0))
926 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
927 SSL_ERROR_WANT_READ)) {
931 /* sesspre and sesspost should be different since the cipher changed. */
932 if (!TEST_false(SSL_renegotiate_pending(clientssl))
933 || !TEST_false(SSL_session_reused(clientssl))
934 || !TEST_false(SSL_session_reused(serverssl))
935 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
936 || !TEST_ptr_ne(sesspre, sesspost)
937 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
938 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
941 shutdown_ssl_connection(serverssl, clientssl);
942 serverssl = clientssl = NULL;
951 SSL_SESSION_free(sess);
957 static int execute_test_large_message(const SSL_METHOD *smeth,
958 const SSL_METHOD *cmeth,
959 int min_version, int max_version,
962 SSL_CTX *cctx = NULL, *sctx = NULL;
963 SSL *clientssl = NULL, *serverssl = NULL;
966 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
967 max_version, &sctx, &cctx, cert,
971 #ifdef OPENSSL_NO_DTLS1_2
972 if (smeth == DTLS_server_method()) {
974 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
977 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
978 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
979 "DEFAULT:@SECLEVEL=0")))
986 * Test that read_ahead works correctly when dealing with large
989 SSL_CTX_set_read_ahead(cctx, 1);
992 if (!ssl_ctx_add_large_cert_chain(libctx, sctx, cert))
995 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
997 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1002 * Calling SSL_clear() first is not required but this tests that SSL_clear()
1005 if (!TEST_true(SSL_clear(serverssl)))
1010 SSL_free(serverssl);
1011 SSL_free(clientssl);
1018 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
1019 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
1020 /* sock must be connected */
1021 static int ktls_chk_platform(int sock)
1023 if (!ktls_enable(sock))
1028 static int ping_pong_query(SSL *clientssl, SSL *serverssl)
1030 static char count = 1;
1031 unsigned char cbuf[16000] = {0};
1032 unsigned char sbuf[16000];
1034 char crec_wseq_before[SEQ_NUM_SIZE];
1035 char crec_wseq_after[SEQ_NUM_SIZE];
1036 char crec_rseq_before[SEQ_NUM_SIZE];
1037 char crec_rseq_after[SEQ_NUM_SIZE];
1038 char srec_wseq_before[SEQ_NUM_SIZE];
1039 char srec_wseq_after[SEQ_NUM_SIZE];
1040 char srec_rseq_before[SEQ_NUM_SIZE];
1041 char srec_rseq_after[SEQ_NUM_SIZE];
1042 SSL_CONNECTION *clientsc, *serversc;
1044 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1045 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1049 memcpy(crec_wseq_before, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1050 memcpy(srec_wseq_before, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1051 memcpy(crec_rseq_before, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1052 memcpy(srec_rseq_before, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1054 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1057 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1058 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1063 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1066 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1067 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1072 memcpy(crec_wseq_after, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1073 memcpy(srec_wseq_after, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1074 memcpy(crec_rseq_after, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1075 memcpy(srec_rseq_after, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1077 /* verify the payload */
1078 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1082 * If ktls is used then kernel sequences are used instead of
1085 if (!BIO_get_ktls_send(clientsc->wbio)) {
1086 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1087 crec_wseq_after, SEQ_NUM_SIZE))
1090 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1091 crec_wseq_after, SEQ_NUM_SIZE))
1095 if (!BIO_get_ktls_send(serversc->wbio)) {
1096 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1097 srec_wseq_after, SEQ_NUM_SIZE))
1100 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1101 srec_wseq_after, SEQ_NUM_SIZE))
1105 if (!BIO_get_ktls_recv(clientsc->wbio)) {
1106 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1107 crec_rseq_after, SEQ_NUM_SIZE))
1110 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1111 crec_rseq_after, SEQ_NUM_SIZE))
1115 if (!BIO_get_ktls_recv(serversc->wbio)) {
1116 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1117 srec_rseq_after, SEQ_NUM_SIZE))
1120 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1121 srec_rseq_after, SEQ_NUM_SIZE))
1130 static int execute_test_ktls(int cis_ktls, int sis_ktls,
1131 int tls_version, const char *cipher)
1133 SSL_CTX *cctx = NULL, *sctx = NULL;
1134 SSL *clientssl = NULL, *serverssl = NULL;
1135 int ktls_used = 0, testresult = 0;
1136 int cfd = -1, sfd = -1;
1138 SSL_CONNECTION *clientsc, *serversc;
1139 unsigned char *buf = NULL;
1140 const size_t bufsz = SSL3_RT_MAX_PLAIN_LENGTH + 16;
1142 size_t offset = 0, i;
1144 if (!TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
1147 /* Skip this test if the platform does not support ktls */
1148 if (!ktls_chk_platform(cfd)) {
1149 testresult = TEST_skip("Kernel does not support KTLS");
1153 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1154 testresult = TEST_skip("CHACHA is not supported in FIPS");
1158 /* Create a session based on SHA-256 */
1159 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1160 TLS_client_method(),
1161 tls_version, tls_version,
1162 &sctx, &cctx, cert, privkey)))
1165 if (tls_version == TLS1_3_VERSION) {
1166 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1167 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1170 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1171 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1175 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1176 &clientssl, sfd, cfd)))
1179 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1180 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1184 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
1189 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1193 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1197 * The running kernel may not support a given cipher suite
1198 * or direction, so just check that KTLS isn't used when it
1202 if (!TEST_false(BIO_get_ktls_send(clientsc->wbio)))
1205 if (BIO_get_ktls_send(clientsc->wbio))
1210 if (!TEST_false(BIO_get_ktls_send(serversc->wbio)))
1213 if (BIO_get_ktls_send(serversc->wbio))
1217 #if defined(OPENSSL_NO_KTLS_RX)
1222 if (!cis_ktls || !rx_supported) {
1223 if (!TEST_false(BIO_get_ktls_recv(clientsc->rbio)))
1226 if (BIO_get_ktls_send(clientsc->rbio))
1230 if (!sis_ktls || !rx_supported) {
1231 if (!TEST_false(BIO_get_ktls_recv(serversc->rbio)))
1234 if (BIO_get_ktls_send(serversc->rbio))
1238 if ((cis_ktls || sis_ktls) && !ktls_used) {
1239 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1240 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1245 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
1248 buf = OPENSSL_zalloc(bufsz);
1253 * Write some data that exceeds the maximum record length. KTLS may choose
1254 * to coalesce this data into a single buffer when we read it again.
1256 while ((ret = SSL_write(clientssl, buf, bufsz)) != (int)bufsz) {
1257 if (!TEST_true(SSL_get_error(clientssl, ret) == SSL_ERROR_WANT_WRITE))
1261 /* Now check that we can read all the data we wrote */
1263 ret = SSL_read(serverssl, buf + offset, bufsz - offset);
1265 if (!TEST_true(SSL_get_error(serverssl, ret) == SSL_ERROR_WANT_READ))
1270 } while (offset < bufsz);
1272 if (!TEST_true(offset == bufsz))
1274 for (i = 0; i < bufsz; i++)
1275 if (!TEST_true(buf[i] == 0))
1282 SSL_shutdown(clientssl);
1283 SSL_free(clientssl);
1286 SSL_shutdown(serverssl);
1287 SSL_free(serverssl);
1291 serverssl = clientssl = NULL;
1299 #define SENDFILE_SZ (16 * 4096)
1300 #define SENDFILE_CHUNK (4 * 4096)
1301 #define min(a,b) ((a) > (b) ? (b) : (a))
1303 static int execute_test_ktls_sendfile(int tls_version, const char *cipher,
1306 SSL_CTX *cctx = NULL, *sctx = NULL;
1307 SSL *clientssl = NULL, *serverssl = NULL;
1308 unsigned char *buf, *buf_dst;
1309 BIO *out = NULL, *in = NULL;
1310 int cfd = -1, sfd = -1, ffd, err;
1311 ssize_t chunk_size = 0;
1312 off_t chunk_off = 0;
1315 SSL_CONNECTION *serversc;
1317 buf = OPENSSL_zalloc(SENDFILE_SZ);
1318 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1319 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1320 || !TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
1323 /* Skip this test if the platform does not support ktls */
1324 if (!ktls_chk_platform(sfd)) {
1325 testresult = TEST_skip("Kernel does not support KTLS");
1329 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1330 testresult = TEST_skip("CHACHA is not supported in FIPS");
1334 /* Create a session based on SHA-256 */
1335 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1336 TLS_client_method(),
1337 tls_version, tls_version,
1338 &sctx, &cctx, cert, privkey)))
1341 if (tls_version == TLS1_3_VERSION) {
1342 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1343 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1346 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1347 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1351 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1352 &clientssl, sfd, cfd)))
1355 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1358 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1362 if (!TEST_true(SSL_set_options(serverssl,
1363 SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE)))
1367 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1371 if (!BIO_get_ktls_send(serversc->wbio)) {
1372 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1373 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1378 if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
1381 out = BIO_new_file(tmpfilename, "wb");
1385 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1390 in = BIO_new_file(tmpfilename, "rb");
1391 BIO_get_fp(in, &ffdp);
1394 while (chunk_off < SENDFILE_SZ) {
1395 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1396 while ((err = SSL_sendfile(serverssl,
1400 0)) != chunk_size) {
1401 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1404 while ((err = SSL_read(clientssl,
1405 buf_dst + chunk_off,
1406 chunk_size)) != chunk_size) {
1407 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1411 /* verify the payload */
1412 if (!TEST_mem_eq(buf_dst + chunk_off,
1418 chunk_off += chunk_size;
1424 SSL_shutdown(clientssl);
1425 SSL_free(clientssl);
1428 SSL_shutdown(serverssl);
1429 SSL_free(serverssl);
1433 serverssl = clientssl = NULL;
1441 OPENSSL_free(buf_dst);
1445 static struct ktls_test_cipher {
1448 } ktls_test_ciphers[] = {
1449 # if !defined(OPENSSL_NO_TLS1_2)
1450 # ifdef OPENSSL_KTLS_AES_GCM_128
1451 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1453 # ifdef OPENSSL_KTLS_AES_CCM_128
1454 { TLS1_2_VERSION, "AES128-CCM"},
1456 # ifdef OPENSSL_KTLS_AES_GCM_256
1457 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1459 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1460 # ifndef OPENSSL_NO_EC
1461 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
1465 # if !defined(OSSL_NO_USABLE_TLS1_3)
1466 # ifdef OPENSSL_KTLS_AES_GCM_128
1467 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1469 # ifdef OPENSSL_KTLS_AES_CCM_128
1470 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1472 # ifdef OPENSSL_KTLS_AES_GCM_256
1473 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1475 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1476 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1481 #define NUM_KTLS_TEST_CIPHERS \
1482 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1484 static int test_ktls(int test)
1486 struct ktls_test_cipher *cipher;
1487 int cis_ktls, sis_ktls;
1489 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
1490 cipher = &ktls_test_ciphers[test / 4];
1492 cis_ktls = (test & 1) != 0;
1493 sis_ktls = (test & 2) != 0;
1495 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1499 static int test_ktls_sendfile(int test)
1501 struct ktls_test_cipher *cipher;
1502 int tst = test >> 1;
1504 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
1505 cipher = &ktls_test_ciphers[tst];
1507 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher,
1512 static int test_large_message_tls(void)
1514 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1515 TLS1_VERSION, 0, 0);
1518 static int test_large_message_tls_read_ahead(void)
1520 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1521 TLS1_VERSION, 0, 1);
1524 #ifndef OPENSSL_NO_DTLS
1525 static int test_large_message_dtls(void)
1527 # ifdef OPENSSL_NO_DTLS1_2
1528 /* Not supported in the FIPS provider */
1533 * read_ahead is not relevant to DTLS because DTLS always acts as if
1534 * read_ahead is set.
1536 return execute_test_large_message(DTLS_server_method(),
1537 DTLS_client_method(),
1538 DTLS1_VERSION, 0, 0);
1543 * Test we can successfully send the maximum amount of application data. We
1544 * test each protocol version individually, each with and without EtM enabled.
1545 * TLSv1.3 doesn't use EtM so technically it is redundant to test both but it is
1546 * simpler this way. We also test all combinations with and without the
1547 * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option which affects the size of the
1548 * underlying buffer.
1550 static int test_large_app_data(int tst)
1552 SSL_CTX *cctx = NULL, *sctx = NULL;
1553 SSL *clientssl = NULL, *serverssl = NULL;
1554 int testresult = 0, prot;
1555 unsigned char *msg, *buf = NULL;
1556 size_t written, readbytes;
1557 const SSL_METHOD *smeth = TLS_server_method();
1558 const SSL_METHOD *cmeth = TLS_client_method();
1562 #ifndef OSSL_NO_USABLE_TLS1_3
1563 prot = TLS1_3_VERSION;
1570 #ifndef OPENSSL_NO_TLS1_2
1571 prot = TLS1_2_VERSION;
1578 #ifndef OPENSSL_NO_TLS1_1
1579 prot = TLS1_1_VERSION;
1586 #ifndef OPENSSL_NO_TLS1
1587 prot = TLS1_VERSION;
1594 #ifndef OPENSSL_NO_SSL3
1595 prot = SSL3_VERSION;
1602 #ifndef OPENSSL_NO_DTLS1_2
1603 prot = DTLS1_2_VERSION;
1604 smeth = DTLS_server_method();
1605 cmeth = DTLS_client_method();
1612 #ifndef OPENSSL_NO_DTLS1
1613 prot = DTLS1_VERSION;
1614 smeth = DTLS_server_method();
1615 cmeth = DTLS_client_method();
1622 /* Shouldn't happen */
1626 if ((prot < TLS1_2_VERSION || prot == DTLS1_VERSION) && is_fips)
1629 /* Maximal sized message of zeros */
1630 msg = OPENSSL_zalloc(SSL3_RT_MAX_PLAIN_LENGTH);
1634 buf = OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH + 1);
1637 /* Set whole buffer to all bits set */
1638 memset(buf, 0xff, SSL3_RT_MAX_PLAIN_LENGTH + 1);
1640 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, prot, prot,
1641 &sctx, &cctx, cert, privkey)))
1644 if (prot < TLS1_2_VERSION || prot == DTLS1_VERSION) {
1645 /* Older protocol versions need SECLEVEL=0 due to SHA1 usage */
1646 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0"))
1647 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
1648 "DEFAULT:@SECLEVEL=0")))
1652 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1653 &clientssl, NULL, NULL)))
1656 if ((tst & 1) != 0) {
1657 /* Setting this option gives us a minimally sized underlying buffer */
1658 if (!TEST_true(SSL_set_options(serverssl,
1659 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
1660 || !TEST_true(SSL_set_options(clientssl,
1661 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)))
1665 if ((tst & 2) != 0) {
1667 * Setting this option means the MAC is added before encryption
1668 * giving us a larger record for the encryption process
1670 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC))
1671 || !TEST_true(SSL_set_options(clientssl,
1672 SSL_OP_NO_ENCRYPT_THEN_MAC)))
1676 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1679 if (!TEST_true(SSL_write_ex(clientssl, msg, SSL3_RT_MAX_PLAIN_LENGTH,
1681 || !TEST_size_t_eq(written, SSL3_RT_MAX_PLAIN_LENGTH))
1684 /* We provide a buffer slightly larger than what we are actually expecting */
1685 if (!TEST_true(SSL_read_ex(serverssl, buf, SSL3_RT_MAX_PLAIN_LENGTH + 1,
1689 if (!TEST_mem_eq(msg, written, buf, readbytes))
1696 SSL_free(serverssl);
1697 SSL_free(clientssl);
1703 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) \
1704 || !defined(OPENSSL_NO_DTLS)
1705 static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1706 const SSL_METHOD *cmeth,
1707 int min_version, int max_version)
1710 SSL_CTX *cctx = NULL, *sctx = NULL;
1711 SSL *clientssl = NULL, *serverssl = NULL;
1713 const unsigned char *zbuf;
1714 SSL_CONNECTION *serversc;
1717 static unsigned char cbuf[16000];
1718 static unsigned char sbuf[16000];
1720 if (!TEST_true(create_ssl_ctx_pair(libctx,
1722 min_version, max_version,
1727 # ifdef OPENSSL_NO_DTLS1_2
1728 if (smeth == DTLS_server_method()) {
1729 /* Not supported in the FIPS provider */
1735 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1738 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1739 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1740 "DEFAULT:@SECLEVEL=0")))
1745 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1749 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1752 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1756 for (i = 0; i < sizeof(cbuf); i++) {
1760 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1763 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1766 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1770 * Since we called SSL_peek(), we know the data in the record
1771 * layer is a plaintext record. We can gather the pointer to check
1772 * for zeroization after SSL_read().
1774 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1776 rr = serversc->rlayer.tlsrecs;
1778 zbuf = &rr->data[rr->off];
1779 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1783 * After SSL_peek() the plaintext must still be stored in the
1786 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1789 memset(sbuf, 0, sizeof(sbuf));
1790 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1793 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1796 /* Check if rbuf is cleansed */
1797 memset(cbuf, 0, sizeof(cbuf));
1798 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1803 SSL_free(serverssl);
1804 SSL_free(clientssl);
1811 * !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
1812 * || !defined(OPENSSL_NO_DTLS)
1815 static int test_cleanse_plaintext(void)
1817 #if !defined(OPENSSL_NO_TLS1_2)
1818 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1819 TLS_client_method(),
1826 #if !defined(OSSL_NO_USABLE_TLS1_3)
1827 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1828 TLS_client_method(),
1834 #if !defined(OPENSSL_NO_DTLS)
1836 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1837 DTLS_client_method(),
1845 #ifndef OPENSSL_NO_OCSP
1846 static int ocsp_server_cb(SSL *s, void *arg)
1848 int *argi = (int *)arg;
1849 unsigned char *copy = NULL;
1850 STACK_OF(OCSP_RESPID) *ids = NULL;
1851 OCSP_RESPID *id = NULL;
1854 /* In this test we are expecting exactly 1 OCSP_RESPID */
1855 SSL_get_tlsext_status_ids(s, &ids);
1856 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1857 return SSL_TLSEXT_ERR_ALERT_FATAL;
1859 id = sk_OCSP_RESPID_value(ids, 0);
1860 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1861 return SSL_TLSEXT_ERR_ALERT_FATAL;
1862 } else if (*argi != 1) {
1863 return SSL_TLSEXT_ERR_ALERT_FATAL;
1866 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1867 return SSL_TLSEXT_ERR_ALERT_FATAL;
1869 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1870 sizeof(orespder)))) {
1872 return SSL_TLSEXT_ERR_ALERT_FATAL;
1874 ocsp_server_called = 1;
1875 return SSL_TLSEXT_ERR_OK;
1878 static int ocsp_client_cb(SSL *s, void *arg)
1880 int *argi = (int *)arg;
1881 const unsigned char *respderin;
1884 if (*argi != 1 && *argi != 2)
1887 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1888 if (!TEST_mem_eq(orespder, len, respderin, len))
1891 ocsp_client_called = 1;
1895 static int test_tlsext_status_type(void)
1897 SSL_CTX *cctx = NULL, *sctx = NULL;
1898 SSL *clientssl = NULL, *serverssl = NULL;
1900 STACK_OF(OCSP_RESPID) *ids = NULL;
1901 OCSP_RESPID *id = NULL;
1902 BIO *certbio = NULL;
1904 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1906 &sctx, &cctx, cert, privkey))
1909 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1912 /* First just do various checks getting and setting tlsext_status_type */
1914 clientssl = SSL_new(cctx);
1915 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1916 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1917 TLSEXT_STATUSTYPE_ocsp))
1918 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1919 TLSEXT_STATUSTYPE_ocsp))
1922 SSL_free(clientssl);
1925 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1926 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1929 clientssl = SSL_new(cctx);
1930 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1932 SSL_free(clientssl);
1936 * Now actually do a handshake and check OCSP information is exchanged and
1937 * the callbacks get called
1939 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1940 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1941 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1942 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1943 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1944 &clientssl, NULL, NULL))
1945 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1947 || !TEST_true(ocsp_client_called)
1948 || !TEST_true(ocsp_server_called))
1950 SSL_free(serverssl);
1951 SSL_free(clientssl);
1955 /* Try again but this time force the server side callback to fail */
1956 ocsp_client_called = 0;
1957 ocsp_server_called = 0;
1959 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1960 &clientssl, NULL, NULL))
1961 /* This should fail because the callback will fail */
1962 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1964 || !TEST_false(ocsp_client_called)
1965 || !TEST_false(ocsp_server_called))
1967 SSL_free(serverssl);
1968 SSL_free(clientssl);
1973 * This time we'll get the client to send an OCSP_RESPID that it will
1976 ocsp_client_called = 0;
1977 ocsp_server_called = 0;
1979 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1980 &clientssl, NULL, NULL)))
1984 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1985 * specific one. We'll use the server cert.
1987 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1988 || !TEST_ptr(id = OCSP_RESPID_new())
1989 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1990 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
1991 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
1992 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1993 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1996 SSL_set_tlsext_status_ids(clientssl, ids);
1997 /* Control has been transferred */
2003 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2005 || !TEST_true(ocsp_client_called)
2006 || !TEST_true(ocsp_server_called))
2012 SSL_free(serverssl);
2013 SSL_free(clientssl);
2016 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
2017 OCSP_RESPID_free(id);
2019 X509_free(ocspcert);
2026 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
2027 static int new_called, remove_called, get_called;
2029 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
2033 * sess has been up-refed for us, but we don't actually need it so free it
2036 SSL_SESSION_free(sess);
2040 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
2045 static SSL_SESSION *get_sess_val = NULL;
2047 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
2052 return get_sess_val;
2055 static int execute_test_session(int maxprot, int use_int_cache,
2056 int use_ext_cache, long s_options)
2058 SSL_CTX *sctx = NULL, *cctx = NULL;
2059 SSL *serverssl1 = NULL, *clientssl1 = NULL;
2060 SSL *serverssl2 = NULL, *clientssl2 = NULL;
2061 # ifndef OPENSSL_NO_TLS1_1
2062 SSL *serverssl3 = NULL, *clientssl3 = NULL;
2064 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
2065 int testresult = 0, numnewsesstick = 1;
2067 new_called = remove_called = 0;
2069 /* TLSv1.3 sends 2 NewSessionTickets */
2070 if (maxprot == TLS1_3_VERSION)
2073 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2074 TLS_client_method(), TLS1_VERSION, 0,
2075 &sctx, &cctx, cert, privkey)))
2079 * Only allow the max protocol version so we can force a connection failure
2082 SSL_CTX_set_min_proto_version(cctx, maxprot);
2083 SSL_CTX_set_max_proto_version(cctx, maxprot);
2085 /* Set up session cache */
2086 if (use_ext_cache) {
2087 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2088 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
2090 if (use_int_cache) {
2091 /* Also covers instance where both are set */
2092 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
2094 SSL_CTX_set_session_cache_mode(cctx,
2095 SSL_SESS_CACHE_CLIENT
2096 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2100 SSL_CTX_set_options(sctx, s_options);
2103 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2105 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2107 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2110 /* Should fail because it should already be in the cache */
2111 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
2114 && (!TEST_int_eq(new_called, numnewsesstick)
2116 || !TEST_int_eq(remove_called, 0)))
2119 new_called = remove_called = 0;
2120 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2121 &clientssl2, NULL, NULL))
2122 || !TEST_true(SSL_set_session(clientssl2, sess1))
2123 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2125 || !TEST_true(SSL_session_reused(clientssl2)))
2128 if (maxprot == TLS1_3_VERSION) {
2130 * In TLSv1.3 we should have created a new session even though we have
2131 * resumed. Since we attempted a resume we should also have removed the
2132 * old ticket from the cache so that we try to only use tickets once.
2135 && (!TEST_int_eq(new_called, 1)
2136 || !TEST_int_eq(remove_called, 1)))
2140 * In TLSv1.2 we expect to have resumed so no sessions added or
2144 && (!TEST_int_eq(new_called, 0)
2145 || !TEST_int_eq(remove_called, 0)))
2149 SSL_SESSION_free(sess1);
2150 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
2152 shutdown_ssl_connection(serverssl2, clientssl2);
2153 serverssl2 = clientssl2 = NULL;
2155 new_called = remove_called = 0;
2156 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2157 &clientssl2, NULL, NULL))
2158 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2162 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2166 && (!TEST_int_eq(new_called, numnewsesstick)
2167 || !TEST_int_eq(remove_called, 0)))
2170 new_called = remove_called = 0;
2172 * This should clear sess2 from the cache because it is a "bad" session.
2173 * See SSL_set_session() documentation.
2175 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2178 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2180 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2183 if (use_int_cache) {
2184 /* Should succeeded because it should not already be in the cache */
2185 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
2186 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
2190 new_called = remove_called = 0;
2191 /* This shouldn't be in the cache so should fail */
2192 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2196 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2199 # if !defined(OPENSSL_NO_TLS1_1)
2200 new_called = remove_called = 0;
2201 /* Force a connection failure */
2202 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
2203 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
2204 &clientssl3, NULL, NULL))
2205 || !TEST_true(SSL_set_session(clientssl3, sess1))
2206 /* This should fail because of the mismatched protocol versions */
2207 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
2211 /* We should have automatically removed the session from the cache */
2213 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2216 /* Should succeed because it should not already be in the cache */
2217 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
2221 /* Now do some tests for server side caching */
2222 if (use_ext_cache) {
2223 SSL_CTX_sess_set_new_cb(cctx, NULL);
2224 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2225 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2226 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2227 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2228 get_sess_val = NULL;
2231 SSL_CTX_set_session_cache_mode(cctx, 0);
2232 /* Internal caching is the default on the server side */
2234 SSL_CTX_set_session_cache_mode(sctx,
2235 SSL_SESS_CACHE_SERVER
2236 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2238 SSL_free(serverssl1);
2239 SSL_free(clientssl1);
2240 serverssl1 = clientssl1 = NULL;
2241 SSL_free(serverssl2);
2242 SSL_free(clientssl2);
2243 serverssl2 = clientssl2 = NULL;
2244 SSL_SESSION_free(sess1);
2246 SSL_SESSION_free(sess2);
2249 SSL_CTX_set_max_proto_version(sctx, maxprot);
2250 if (maxprot == TLS1_2_VERSION)
2251 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
2252 new_called = remove_called = get_called = 0;
2253 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2255 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2257 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2258 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2261 if (use_int_cache) {
2262 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2264 * In TLSv1.3 it should not have been added to the internal cache,
2265 * except in the case where we also have an external cache (in that
2266 * case it gets added to the cache in order to generate remove
2267 * events after timeout).
2269 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2272 /* Should fail because it should already be in the cache */
2273 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2278 if (use_ext_cache) {
2279 SSL_SESSION *tmp = sess2;
2281 if (!TEST_int_eq(new_called, numnewsesstick)
2282 || !TEST_int_eq(remove_called, 0)
2283 || !TEST_int_eq(get_called, 0))
2286 * Delete the session from the internal cache to force a lookup from
2287 * the external cache. We take a copy first because
2288 * SSL_CTX_remove_session() also marks the session as non-resumable.
2290 if (use_int_cache && maxprot != TLS1_3_VERSION) {
2291 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2292 || !TEST_true(sess2->owner != NULL)
2293 || !TEST_true(tmp->owner == NULL)
2294 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2296 SSL_SESSION_free(sess2);
2301 new_called = remove_called = get_called = 0;
2302 get_sess_val = sess2;
2303 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2304 &clientssl2, NULL, NULL))
2305 || !TEST_true(SSL_set_session(clientssl2, sess1))
2306 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2308 || !TEST_true(SSL_session_reused(clientssl2)))
2311 if (use_ext_cache) {
2312 if (!TEST_int_eq(remove_called, 0))
2315 if (maxprot == TLS1_3_VERSION) {
2316 if (!TEST_int_eq(new_called, 1)
2317 || !TEST_int_eq(get_called, 0))
2320 if (!TEST_int_eq(new_called, 0)
2321 || !TEST_int_eq(get_called, 1))
2326 * Make a small cache, force out all other sessions but
2327 * sess2, try to add sess1, which should succeed. Then
2328 * make sure it's there by checking the owners. Despite
2329 * the timeouts, sess1 should have kicked out sess2
2332 /* Make sess1 expire before sess2 */
2333 if (!TEST_long_gt(SSL_SESSION_set_time(sess1, 1000), 0)
2334 || !TEST_long_gt(SSL_SESSION_set_timeout(sess1, 1000), 0)
2335 || !TEST_long_gt(SSL_SESSION_set_time(sess2, 2000), 0)
2336 || !TEST_long_gt(SSL_SESSION_set_timeout(sess2, 2000), 0))
2339 if (!TEST_long_ne(SSL_CTX_sess_set_cache_size(sctx, 1), 0))
2342 /* Don't care about results - cache should only be sess2 at end */
2343 SSL_CTX_add_session(sctx, sess1);
2344 SSL_CTX_add_session(sctx, sess2);
2346 /* Now add sess1, and make sure it remains, despite timeout */
2347 if (!TEST_true(SSL_CTX_add_session(sctx, sess1))
2348 || !TEST_ptr(sess1->owner)
2349 || !TEST_ptr_null(sess2->owner))
2355 SSL_free(serverssl1);
2356 SSL_free(clientssl1);
2357 SSL_free(serverssl2);
2358 SSL_free(clientssl2);
2359 # ifndef OPENSSL_NO_TLS1_1
2360 SSL_free(serverssl3);
2361 SSL_free(clientssl3);
2363 SSL_SESSION_free(sess1);
2364 SSL_SESSION_free(sess2);
2370 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2372 static int test_session_with_only_int_cache(void)
2374 #ifndef OSSL_NO_USABLE_TLS1_3
2375 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
2379 #ifndef OPENSSL_NO_TLS1_2
2380 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
2386 static int test_session_with_only_ext_cache(void)
2388 #ifndef OSSL_NO_USABLE_TLS1_3
2389 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
2393 #ifndef OPENSSL_NO_TLS1_2
2394 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
2400 static int test_session_with_both_cache(void)
2402 #ifndef OSSL_NO_USABLE_TLS1_3
2403 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2407 #ifndef OPENSSL_NO_TLS1_2
2408 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2414 static int test_session_wo_ca_names(void)
2416 #ifndef OSSL_NO_USABLE_TLS1_3
2417 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
2421 #ifndef OPENSSL_NO_TLS1_2
2422 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
2428 #ifndef OSSL_NO_USABLE_TLS1_3
2429 static SSL_SESSION *sesscache[6];
2430 static int do_cache;
2432 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2435 sesscache[new_called] = sess;
2437 /* We don't need the reference to the session, so free it */
2438 SSL_SESSION_free(sess);
2445 static int post_handshake_verify(SSL *sssl, SSL *cssl)
2447 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2448 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2451 /* Start handshake on the server and client */
2452 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2453 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2454 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2455 || !TEST_true(create_ssl_connection(sssl, cssl,
2462 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
2465 int sess_id_ctx = 1;
2467 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2468 TLS_client_method(), TLS1_VERSION, 0,
2469 sctx, cctx, cert, privkey))
2470 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2471 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2472 (void *)&sess_id_ctx,
2473 sizeof(sess_id_ctx))))
2477 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2479 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2480 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2481 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2486 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2488 SSL *serverssl = NULL, *clientssl = NULL;
2491 /* Test that we can resume with all the tickets we got given */
2492 for (i = 0; i < idx * 2; i++) {
2494 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2495 &clientssl, NULL, NULL))
2496 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2499 SSL_set_post_handshake_auth(clientssl, 1);
2501 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2506 * Following a successful resumption we only get 1 ticket. After a
2507 * failed one we should get idx tickets.
2510 if (!TEST_true(SSL_session_reused(clientssl))
2511 || !TEST_int_eq(new_called, 1))
2514 if (!TEST_false(SSL_session_reused(clientssl))
2515 || !TEST_int_eq(new_called, idx))
2520 /* After a post-handshake authentication we should get 1 new ticket */
2522 && (!post_handshake_verify(serverssl, clientssl)
2523 || !TEST_int_eq(new_called, 1)))
2526 SSL_shutdown(clientssl);
2527 SSL_shutdown(serverssl);
2528 SSL_free(serverssl);
2529 SSL_free(clientssl);
2530 serverssl = clientssl = NULL;
2531 SSL_SESSION_free(sesscache[i]);
2532 sesscache[i] = NULL;
2538 SSL_free(clientssl);
2539 SSL_free(serverssl);
2543 static int test_tickets(int stateful, int idx)
2545 SSL_CTX *sctx = NULL, *cctx = NULL;
2546 SSL *serverssl = NULL, *clientssl = NULL;
2550 /* idx is the test number, but also the number of tickets we want */
2555 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2558 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2559 &clientssl, NULL, NULL)))
2562 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2564 /* Check we got the number of tickets we were expecting */
2565 || !TEST_int_eq(idx, new_called))
2568 SSL_shutdown(clientssl);
2569 SSL_shutdown(serverssl);
2570 SSL_free(serverssl);
2571 SSL_free(clientssl);
2574 clientssl = serverssl = NULL;
2578 * Now we try to resume with the tickets we previously created. The
2579 * resumption attempt is expected to fail (because we're now using a new
2580 * SSL_CTX). We should see idx number of tickets issued again.
2583 /* Stop caching sessions - just count them */
2586 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2589 if (!check_resumption(idx, sctx, cctx, 0))
2592 /* Start again with caching sessions */
2599 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2602 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2603 &clientssl, NULL, NULL)))
2606 SSL_set_post_handshake_auth(clientssl, 1);
2608 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2610 /* Check we got the number of tickets we were expecting */
2611 || !TEST_int_eq(idx, new_called))
2614 /* After a post-handshake authentication we should get new tickets issued */
2615 if (!post_handshake_verify(serverssl, clientssl)
2616 || !TEST_int_eq(idx * 2, new_called))
2619 SSL_shutdown(clientssl);
2620 SSL_shutdown(serverssl);
2621 SSL_free(serverssl);
2622 SSL_free(clientssl);
2623 serverssl = clientssl = NULL;
2625 /* Stop caching sessions - just count them */
2629 * Check we can resume with all the tickets we created. This time around the
2630 * resumptions should all be successful.
2632 if (!check_resumption(idx, sctx, cctx, 1))
2638 SSL_free(serverssl);
2639 SSL_free(clientssl);
2640 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2641 SSL_SESSION_free(sesscache[j]);
2642 sesscache[j] = NULL;
2650 static int test_stateless_tickets(int idx)
2652 return test_tickets(0, idx);
2655 static int test_stateful_tickets(int idx)
2657 return test_tickets(1, idx);
2660 static int test_psk_tickets(void)
2662 SSL_CTX *sctx = NULL, *cctx = NULL;
2663 SSL *serverssl = NULL, *clientssl = NULL;
2665 int sess_id_ctx = 1;
2667 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2668 TLS_client_method(), TLS1_VERSION, 0,
2669 &sctx, &cctx, NULL, NULL))
2670 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2671 (void *)&sess_id_ctx,
2672 sizeof(sess_id_ctx))))
2675 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2676 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2677 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2678 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2679 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2680 use_session_cb_cnt = 0;
2681 find_session_cb_cnt = 0;
2685 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2688 clientpsk = serverpsk = create_a_psk(clientssl, SHA384_DIGEST_LENGTH);
2689 if (!TEST_ptr(clientpsk))
2691 SSL_SESSION_up_ref(clientpsk);
2693 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2695 || !TEST_int_eq(1, find_session_cb_cnt)
2696 || !TEST_int_eq(1, use_session_cb_cnt)
2697 /* We should always get 1 ticket when using external PSK */
2698 || !TEST_int_eq(1, new_called))
2704 SSL_free(serverssl);
2705 SSL_free(clientssl);
2708 SSL_SESSION_free(clientpsk);
2709 SSL_SESSION_free(serverpsk);
2710 clientpsk = serverpsk = NULL;
2715 static int test_extra_tickets(int idx)
2717 SSL_CTX *sctx = NULL, *cctx = NULL;
2718 SSL *serverssl = NULL, *clientssl = NULL;
2719 BIO *bretry = BIO_new(bio_s_always_retry());
2724 unsigned char c, buf[1];
2734 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2736 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2737 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2738 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2740 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2741 &clientssl, NULL, NULL)))
2745 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2746 * incremented by both client and server.
2748 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2750 /* Check we got the number of tickets we were expecting */
2751 || !TEST_int_eq(idx * 2, new_called)
2752 || !TEST_true(SSL_new_session_ticket(serverssl))
2753 || !TEST_true(SSL_new_session_ticket(serverssl))
2754 || !TEST_int_eq(idx * 2, new_called))
2757 /* Now try a (real) write to actually send the tickets */
2759 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2760 || !TEST_size_t_eq(1, nbytes)
2761 || !TEST_int_eq(idx * 2 + 2, new_called)
2762 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2763 || !TEST_int_eq(idx * 2 + 4, new_called)
2764 || !TEST_int_eq(sizeof(buf), nbytes)
2765 || !TEST_int_eq(c, buf[0])
2766 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2769 /* Try with only requesting one new ticket, too */
2772 if (!TEST_true(SSL_new_session_ticket(serverssl))
2773 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2774 || !TEST_size_t_eq(sizeof(c), nbytes)
2775 || !TEST_int_eq(1, new_called)
2776 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2777 || !TEST_int_eq(2, new_called)
2778 || !TEST_size_t_eq(sizeof(buf), nbytes)
2779 || !TEST_int_eq(c, buf[0]))
2782 /* Do it again but use dummy writes to drive the ticket generation */
2785 if (!TEST_true(SSL_new_session_ticket(serverssl))
2786 || !TEST_true(SSL_new_session_ticket(serverssl))
2787 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2788 || !TEST_size_t_eq(0, nbytes)
2789 || !TEST_int_eq(2, new_called)
2790 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2791 || !TEST_int_eq(4, new_called))
2794 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2797 if (!TEST_true(SSL_new_session_ticket(serverssl))
2798 || !TEST_true(SSL_new_session_ticket(serverssl))
2799 || !TEST_true(SSL_do_handshake(serverssl))
2800 || !TEST_int_eq(2, new_called)
2801 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2802 || !TEST_int_eq(4, new_called))
2806 * Use the always-retry BIO to exercise the logic that forces ticket
2807 * generation to wait until a record boundary.
2811 tmp = SSL_get_wbio(serverssl);
2812 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2816 SSL_set0_wbio(serverssl, bretry);
2818 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2819 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2820 || !TEST_size_t_eq(nbytes, 0))
2822 /* Restore a BIO that will let the write succeed */
2823 SSL_set0_wbio(serverssl, tmp);
2826 * These calls should just queue the request and not send anything
2827 * even if we explicitly try to hit the state machine.
2829 if (!TEST_true(SSL_new_session_ticket(serverssl))
2830 || !TEST_true(SSL_new_session_ticket(serverssl))
2831 || !TEST_int_eq(0, new_called)
2832 || !TEST_true(SSL_do_handshake(serverssl))
2833 || !TEST_int_eq(0, new_called))
2835 /* Re-do the write; still no tickets sent */
2836 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2837 || !TEST_size_t_eq(1, nbytes)
2838 || !TEST_int_eq(0, new_called)
2839 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2840 || !TEST_int_eq(0, new_called)
2841 || !TEST_int_eq(sizeof(buf), nbytes)
2842 || !TEST_int_eq(c, buf[0])
2843 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2845 /* Even trying to hit the state machine now will still not send tickets */
2846 if (!TEST_true(SSL_do_handshake(serverssl))
2847 || !TEST_int_eq(0, new_called))
2849 /* Now the *next* write should send the tickets */
2851 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2852 || !TEST_size_t_eq(1, nbytes)
2853 || !TEST_int_eq(2, new_called)
2854 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2855 || !TEST_int_eq(4, new_called)
2856 || !TEST_int_eq(sizeof(buf), nbytes)
2857 || !TEST_int_eq(c, buf[0])
2858 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2861 SSL_shutdown(clientssl);
2862 SSL_shutdown(serverssl);
2868 SSL_free(serverssl);
2869 SSL_free(clientssl);
2872 clientssl = serverssl = NULL;
2881 #define USE_DEFAULT 3
2883 #define CONNTYPE_CONNECTION_SUCCESS 0
2884 #define CONNTYPE_CONNECTION_FAIL 1
2885 #define CONNTYPE_NO_CONNECTION 2
2887 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2888 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2889 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2890 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2892 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2895 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2896 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2897 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2899 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2916 * Tests calls to SSL_set_bio() under various conditions.
2918 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2919 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2920 * then do more tests where we create a successful connection first using our
2921 * standard connection setup functions, and then call SSL_set_bio() with
2922 * various combinations of valid BIOs or NULL. We then repeat these tests
2923 * following a failed connection. In this last case we are looking to check that
2924 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2926 static int test_ssl_set_bio(int idx)
2928 SSL_CTX *sctx = NULL, *cctx = NULL;
2931 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2932 SSL *serverssl = NULL, *clientssl = NULL;
2933 int initrbio, initwbio, newrbio, newwbio, conntype;
2936 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2944 conntype = CONNTYPE_NO_CONNECTION;
2946 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2947 initrbio = initwbio = USE_DEFAULT;
2955 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2956 TLS_client_method(), TLS1_VERSION, 0,
2957 &sctx, &cctx, cert, privkey)))
2960 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2962 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2963 * because we reduced the number of tests in the definition of
2964 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2965 * mismatched protocol versions we will force a connection failure.
2967 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2968 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2971 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2975 if (initrbio == USE_BIO_1
2976 || initwbio == USE_BIO_1
2977 || newrbio == USE_BIO_1
2978 || newwbio == USE_BIO_1) {
2979 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2983 if (initrbio == USE_BIO_2
2984 || initwbio == USE_BIO_2
2985 || newrbio == USE_BIO_2
2986 || newwbio == USE_BIO_2) {
2987 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2991 if (initrbio != USE_DEFAULT) {
2992 setupbio(&irbio, bio1, bio2, initrbio);
2993 setupbio(&iwbio, bio1, bio2, initwbio);
2994 SSL_set_bio(clientssl, irbio, iwbio);
2997 * We want to maintain our own refs to these BIO, so do an up ref for
2998 * each BIO that will have ownership transferred in the SSL_set_bio()
3003 if (iwbio != NULL && iwbio != irbio)
3007 if (conntype != CONNTYPE_NO_CONNECTION
3008 && !TEST_true(create_ssl_connection(serverssl, clientssl,
3010 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
3013 setupbio(&nrbio, bio1, bio2, newrbio);
3014 setupbio(&nwbio, bio1, bio2, newwbio);
3017 * We will (maybe) transfer ownership again so do more up refs.
3018 * SSL_set_bio() has some really complicated ownership rules where BIOs have
3023 && (nwbio != iwbio || nrbio != nwbio))
3027 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
3030 SSL_set_bio(clientssl, nrbio, nwbio);
3039 * This test is checking that the ref counting for SSL_set_bio is correct.
3040 * If we get here and we did too many frees then we will fail in the above
3043 SSL_free(serverssl);
3044 SSL_free(clientssl);
3050 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
3052 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
3054 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
3059 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
3060 || !TEST_ptr(ssl = SSL_new(ctx))
3061 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
3062 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
3065 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
3068 * If anything goes wrong here then we could leak memory.
3070 BIO_push(sslbio, membio1);
3072 /* Verify changing the rbio/wbio directly does not cause leaks */
3073 if (change_bio != NO_BIO_CHANGE) {
3074 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
3078 if (change_bio == CHANGE_RBIO)
3079 SSL_set0_rbio(ssl, membio2);
3081 SSL_set0_wbio(ssl, membio2);
3100 static int test_ssl_bio_pop_next_bio(void)
3102 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
3105 static int test_ssl_bio_pop_ssl_bio(void)
3107 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
3110 static int test_ssl_bio_change_rbio(void)
3112 return execute_test_ssl_bio(0, CHANGE_RBIO);
3115 static int test_ssl_bio_change_wbio(void)
3117 return execute_test_ssl_bio(0, CHANGE_WBIO);
3120 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
3122 /* The list of sig algs */
3124 /* The length of the list */
3126 /* A sigalgs list in string format */
3127 const char *liststr;
3128 /* Whether setting the list should succeed */
3130 /* Whether creating a connection with the list should succeed */
3134 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
3135 # ifndef OPENSSL_NO_EC
3136 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
3137 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
3139 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
3140 static const int invalidlist2[] = {NID_sha256, NID_undef};
3141 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
3142 static const int invalidlist4[] = {NID_sha256};
3143 static const sigalgs_list testsigalgs[] = {
3144 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
3145 # ifndef OPENSSL_NO_EC
3146 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
3147 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
3149 {NULL, 0, "RSA+SHA256", 1, 1},
3150 {NULL, 0, "RSA+SHA256:?Invalid", 1, 1},
3151 # ifndef OPENSSL_NO_EC
3152 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
3153 {NULL, 0, "ECDSA+SHA512", 1, 0},
3155 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
3156 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
3157 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
3158 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
3159 {NULL, 0, "RSA", 0, 0},
3160 {NULL, 0, "SHA256", 0, 0},
3161 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
3162 {NULL, 0, "Invalid", 0, 0}
3165 static int test_set_sigalgs(int idx)
3167 SSL_CTX *cctx = NULL, *sctx = NULL;
3168 SSL *clientssl = NULL, *serverssl = NULL;
3170 const sigalgs_list *curr;
3173 /* Should never happen */
3174 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
3177 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
3178 curr = testctx ? &testsigalgs[idx]
3179 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
3181 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3182 TLS_client_method(), TLS1_VERSION, 0,
3183 &sctx, &cctx, cert, privkey)))
3186 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
3191 if (curr->list != NULL)
3192 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
3194 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
3198 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
3204 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
3209 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3210 &clientssl, NULL, NULL)))
3216 if (curr->list != NULL)
3217 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
3219 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
3222 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
3231 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
3239 SSL_free(serverssl);
3240 SSL_free(clientssl);
3248 #ifndef OSSL_NO_USABLE_TLS1_3
3249 static int psk_client_cb_cnt = 0;
3250 static int psk_server_cb_cnt = 0;
3252 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3253 size_t *idlen, SSL_SESSION **sess)
3255 switch (++use_session_cb_cnt) {
3257 /* The first call should always have a NULL md */
3263 /* The second call should always have an md */
3269 /* We should only be called a maximum of twice */
3273 if (clientpsk != NULL)
3274 SSL_SESSION_up_ref(clientpsk);
3277 *id = (const unsigned char *)pskid;
3278 *idlen = strlen(pskid);
3283 #ifndef OPENSSL_NO_PSK
3284 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3285 unsigned int max_id_len,
3287 unsigned int max_psk_len)
3289 unsigned int psklen = 0;
3291 psk_client_cb_cnt++;
3293 if (strlen(pskid) + 1 > max_id_len)
3296 /* We should only ever be called a maximum of twice per connection */
3297 if (psk_client_cb_cnt > 2)
3300 if (clientpsk == NULL)
3303 /* We'll reuse the PSK we set up for TLSv1.3 */
3304 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3306 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3307 strncpy(id, pskid, max_id_len);
3311 #endif /* OPENSSL_NO_PSK */
3313 static int find_session_cb(SSL *ssl, const unsigned char *identity,
3314 size_t identity_len, SSL_SESSION **sess)
3316 find_session_cb_cnt++;
3318 /* We should only ever be called a maximum of twice per connection */
3319 if (find_session_cb_cnt > 2)
3322 if (serverpsk == NULL)
3325 /* Identity should match that set by the client */
3326 if (strlen(srvid) != identity_len
3327 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3328 /* No PSK found, continue but without a PSK */
3333 SSL_SESSION_up_ref(serverpsk);
3339 #ifndef OPENSSL_NO_PSK
3340 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3341 unsigned char *psk, unsigned int max_psk_len)
3343 unsigned int psklen = 0;
3345 psk_server_cb_cnt++;
3347 /* We should only ever be called a maximum of twice per connection */
3348 if (find_session_cb_cnt > 2)
3351 if (serverpsk == NULL)
3354 /* Identity should match that set by the client */
3355 if (strcmp(srvid, identity) != 0) {
3359 /* We'll reuse the PSK we set up for TLSv1.3 */
3360 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3362 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3366 #endif /* OPENSSL_NO_PSK */
3368 #define MSG1 "Hello"
3369 #define MSG2 "World."
3374 #define MSG7 "message."
3376 static int artificial_ticket_time = 0;
3378 static int sub_session_time(SSL_SESSION *sess)
3380 OSSL_TIME tick_time;
3382 tick_time = ossl_time_from_time_t(SSL_SESSION_get_time_ex(sess));
3383 tick_time = ossl_time_subtract(tick_time, ossl_seconds2time(10));
3385 return SSL_SESSION_set_time_ex(sess, ossl_time_to_time_t(tick_time)) != 0;
3388 static int ed_gen_cb(SSL *s, void *arg)
3390 SSL_SESSION *sess = SSL_get0_session(s);
3396 * Artificially give the ticket some age. Just do it for the number of
3397 * tickets we've been told to do.
3399 if (artificial_ticket_time == 0)
3401 artificial_ticket_time--;
3403 return sub_session_time(sess);
3407 * Helper method to setup objects for early data test. Caller frees objects on
3410 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3411 SSL **serverssl, SSL_SESSION **sess, int idx,
3414 int artificial = (artificial_ticket_time > 0);
3417 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3418 TLS_client_method(),
3420 sctx, cctx, cert, privkey)))
3424 SSL_CTX_set_session_ticket_cb(*sctx, ed_gen_cb, NULL, NULL);
3426 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
3430 /* When idx == 1 we repeat the tests with read_ahead set */
3431 SSL_CTX_set_read_ahead(*cctx, 1);
3432 SSL_CTX_set_read_ahead(*sctx, 1);
3433 } else if (idx == 2) {
3434 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3435 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3436 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3437 use_session_cb_cnt = 0;
3438 find_session_cb_cnt = 0;
3442 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
3447 * For one of the run throughs (doesn't matter which one), we'll try sending
3448 * some SNI data in the initial ClientHello. This will be ignored (because
3449 * there is no SNI cb set up by the server), so it should not impact
3453 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3457 clientpsk = create_a_psk(*clientssl, mdsize);
3458 if (!TEST_ptr(clientpsk)
3460 * We just choose an arbitrary value for max_early_data which
3461 * should be big enough for testing purposes.
3463 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3465 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3466 SSL_SESSION_free(clientpsk);
3470 serverpsk = clientpsk;
3473 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3474 SSL_SESSION_free(clientpsk);
3475 SSL_SESSION_free(serverpsk);
3476 clientpsk = serverpsk = NULL;
3487 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3491 *sess = SSL_get1_session(*clientssl);
3492 SSL_shutdown(*clientssl);
3493 SSL_shutdown(*serverssl);
3494 SSL_free(*serverssl);
3495 SSL_free(*clientssl);
3496 *serverssl = *clientssl = NULL;
3499 * Artificially give the ticket some age to match the artificial age we
3500 * gave it on the server side
3503 && !TEST_true(sub_session_time(*sess)))
3506 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3507 clientssl, NULL, NULL))
3508 || !TEST_true(SSL_set_session(*clientssl, *sess)))
3514 static int check_early_data_timeout(OSSL_TIME timer)
3519 * Early data is time sensitive. We have an approx 8 second allowance
3520 * between writing the early data and reading it. If we exceed that time
3521 * then this test will fail. This can sometimes (rarely) occur in normal CI
3522 * operation. We can try and detect this and just ignore the result of this
3523 * test if it has taken too long. We assume anything over 7 seconds is too
3526 timer = ossl_time_subtract(ossl_time_now(), timer);
3527 if (ossl_time_compare(timer, ossl_seconds2time(7)) >= 0)
3528 res = TEST_skip("Test took too long, ignoring result");
3533 static int test_early_data_read_write(int idx)
3535 SSL_CTX *cctx = NULL, *sctx = NULL;
3536 SSL *clientssl = NULL, *serverssl = NULL;
3538 SSL_SESSION *sess = NULL;
3539 unsigned char buf[20], data[1024];
3540 size_t readbytes, written, eoedlen, rawread, rawwritten;
3544 /* Artificially give the next 2 tickets some age for non PSK sessions */
3546 artificial_ticket_time = 2;
3547 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3548 &serverssl, &sess, idx,
3549 SHA384_DIGEST_LENGTH))) {
3550 artificial_ticket_time = 0;
3553 artificial_ticket_time = 0;
3555 /* Write and read some early data */
3556 timer = ossl_time_now();
3557 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3559 || !TEST_size_t_eq(written, strlen(MSG1)))
3562 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3564 SSL_READ_EARLY_DATA_SUCCESS)) {
3565 testresult = check_early_data_timeout(timer);
3569 if (!TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3570 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3571 SSL_EARLY_DATA_ACCEPTED))
3575 * Server should be able to write data, and client should be able to
3578 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3580 || !TEST_size_t_eq(written, strlen(MSG2))
3581 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3582 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3585 /* Even after reading normal data, client should be able write early data */
3586 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3588 || !TEST_size_t_eq(written, strlen(MSG3)))
3591 /* Server should still be able read early data after writing data */
3592 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3594 SSL_READ_EARLY_DATA_SUCCESS)
3595 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3598 /* Write more data from server and read it from client */
3599 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3601 || !TEST_size_t_eq(written, strlen(MSG4))
3602 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3603 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3607 * If client writes normal data it should mean writing early data is no
3610 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3611 || !TEST_size_t_eq(written, strlen(MSG5))
3612 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3613 SSL_EARLY_DATA_ACCEPTED))
3617 * At this point the client has written EndOfEarlyData, ClientFinished and
3618 * normal (fully protected) data. We are going to cause a delay between the
3619 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3620 * in the read BIO, and then just put back the EndOfEarlyData message.
3622 rbio = SSL_get_rbio(serverssl);
3623 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3624 || !TEST_size_t_lt(rawread, sizeof(data))
3625 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3628 /* Record length is in the 4th and 5th bytes of the record header */
3629 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3630 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3631 || !TEST_size_t_eq(rawwritten, eoedlen))
3634 /* Server should be told that there is no more early data */
3635 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3637 SSL_READ_EARLY_DATA_FINISH)
3638 || !TEST_size_t_eq(readbytes, 0))
3642 * Server has not finished init yet, so should still be able to write early
3645 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3647 || !TEST_size_t_eq(written, strlen(MSG6)))
3650 /* Push the ClientFinished and the normal data back into the server rbio */
3651 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3653 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3656 /* Server should be able to read normal data */
3657 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3658 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3661 /* Client and server should not be able to write/read early data now */
3662 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3666 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3668 SSL_READ_EARLY_DATA_ERROR))
3672 /* Client should be able to read the data sent by the server */
3673 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3674 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3678 * Make sure we process the two NewSessionTickets. These arrive
3679 * post-handshake. We attempt reads which we do not expect to return any
3682 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3683 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3687 /* Server should be able to write normal data */
3688 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3689 || !TEST_size_t_eq(written, strlen(MSG7))
3690 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3691 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3694 SSL_SESSION_free(sess);
3695 sess = SSL_get1_session(clientssl);
3696 use_session_cb_cnt = 0;
3697 find_session_cb_cnt = 0;
3699 SSL_shutdown(clientssl);
3700 SSL_shutdown(serverssl);
3701 SSL_free(serverssl);
3702 SSL_free(clientssl);
3703 serverssl = clientssl = NULL;
3704 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3705 &clientssl, NULL, NULL))
3706 || !TEST_true(SSL_set_session(clientssl, sess)))
3709 /* Write and read some early data */
3710 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3712 || !TEST_size_t_eq(written, strlen(MSG1))
3713 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3715 SSL_READ_EARLY_DATA_SUCCESS)
3716 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3719 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3720 || !TEST_int_gt(SSL_accept(serverssl), 0))
3723 /* Client and server should not be able to write/read early data now */
3724 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3728 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3730 SSL_READ_EARLY_DATA_ERROR))
3734 /* Client and server should be able to write/read normal data */
3735 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3736 || !TEST_size_t_eq(written, strlen(MSG5))
3737 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3738 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3744 SSL_SESSION_free(sess);
3745 SSL_SESSION_free(clientpsk);
3746 SSL_SESSION_free(serverpsk);
3747 clientpsk = serverpsk = NULL;
3748 SSL_free(serverssl);
3749 SSL_free(clientssl);
3755 static int allow_ed_cb_called = 0;
3757 static int allow_early_data_cb(SSL *s, void *arg)
3759 int *usecb = (int *)arg;
3761 allow_ed_cb_called++;
3770 * idx == 0: Standard early_data setup
3771 * idx == 1: early_data setup using read_ahead
3772 * usecb == 0: Don't use a custom early data callback
3773 * usecb == 1: Use a custom early data callback and reject the early data
3774 * usecb == 2: Use a custom early data callback and accept the early data
3775 * confopt == 0: Configure anti-replay directly
3776 * confopt == 1: Configure anti-replay using SSL_CONF
3778 static int test_early_data_replay_int(int idx, int usecb, int confopt)
3780 SSL_CTX *cctx = NULL, *sctx = NULL;
3781 SSL *clientssl = NULL, *serverssl = NULL;
3783 SSL_SESSION *sess = NULL;
3784 size_t readbytes, written;
3785 unsigned char buf[20];
3788 allow_ed_cb_called = 0;
3790 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3791 TLS_client_method(), TLS1_VERSION, 0,
3792 &sctx, &cctx, cert, privkey)))
3797 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3799 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3801 if (!TEST_ptr(confctx))
3803 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3804 | SSL_CONF_FLAG_SERVER);
3805 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3806 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3808 SSL_CONF_CTX_free(confctx);
3811 SSL_CONF_CTX_free(confctx);
3813 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3816 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3817 &serverssl, &sess, idx,
3818 SHA384_DIGEST_LENGTH)))
3822 * The server is configured to accept early data. Create a connection to
3823 * "use up" the ticket
3825 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3826 || !TEST_true(SSL_session_reused(clientssl)))
3829 SSL_shutdown(clientssl);
3830 SSL_shutdown(serverssl);
3831 SSL_free(serverssl);
3832 SSL_free(clientssl);
3833 serverssl = clientssl = NULL;
3835 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3836 &clientssl, NULL, NULL))
3837 || !TEST_true(SSL_set_session(clientssl, sess)))
3840 /* Write and read some early data */
3841 timer = ossl_time_now();
3842 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3844 || !TEST_size_t_eq(written, strlen(MSG1)))
3848 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3850 SSL_READ_EARLY_DATA_FINISH)
3852 * The ticket was reused, so the we should have rejected the
3855 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3856 SSL_EARLY_DATA_REJECTED))
3859 /* In this case the callback decides to accept the early data */
3860 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3862 SSL_READ_EARLY_DATA_SUCCESS)) {
3863 testresult = check_early_data_timeout(timer);
3866 if (!TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3868 * Server will have sent its flight so client can now send
3869 * end of early data and complete its half of the handshake
3871 || !TEST_int_gt(SSL_connect(clientssl), 0)
3872 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3874 SSL_READ_EARLY_DATA_FINISH)
3875 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3876 SSL_EARLY_DATA_ACCEPTED))
3880 /* Complete the connection */
3881 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3882 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3883 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3889 SSL_SESSION_free(sess);
3890 SSL_SESSION_free(clientpsk);
3891 SSL_SESSION_free(serverpsk);
3892 clientpsk = serverpsk = NULL;
3893 SSL_free(serverssl);
3894 SSL_free(clientssl);
3900 static int test_early_data_replay(int idx)
3902 int ret = 1, usecb, confopt;
3904 for (usecb = 0; usecb < 3; usecb++) {
3905 for (confopt = 0; confopt < 2; confopt++)
3906 ret &= test_early_data_replay_int(idx, usecb, confopt);
3912 static const char *ciphersuites[] = {
3913 "TLS_AES_128_CCM_8_SHA256",
3914 "TLS_AES_128_GCM_SHA256",
3915 "TLS_AES_256_GCM_SHA384",
3916 "TLS_AES_128_CCM_SHA256",
3917 #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3918 "TLS_CHACHA20_POLY1305_SHA256"
3923 * Helper function to test that a server attempting to read early data can
3924 * handle a connection from a client where the early data should be skipped.
3925 * testtype: 0 == No HRR
3926 * testtype: 1 == HRR
3927 * testtype: 2 == HRR, invalid early_data sent after HRR
3928 * testtype: 3 == recv_max_early_data set to 0
3930 static int early_data_skip_helper(int testtype, int cipher, int idx)
3932 SSL_CTX *cctx = NULL, *sctx = NULL;
3933 SSL *clientssl = NULL, *serverssl = NULL;
3935 SSL_SESSION *sess = NULL;
3936 unsigned char buf[20];
3937 size_t readbytes, written;
3939 if (is_fips && cipher == 4)
3942 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3943 TLS_client_method(),
3945 &sctx, &cctx, cert, privkey)))
3949 SSL_CTX_set_security_level(sctx, 0);
3950 SSL_CTX_set_security_level(cctx, 0);
3953 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, ciphersuites[cipher]))
3954 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, ciphersuites[cipher])))
3957 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3958 &serverssl, &sess, idx,
3959 cipher == 2 ? SHA384_DIGEST_LENGTH
3960 : SHA256_DIGEST_LENGTH)))
3963 if (testtype == 1 || testtype == 2) {
3964 /* Force an HRR to occur */
3965 #if defined(OPENSSL_NO_EC)
3966 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3969 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
3972 } else if (idx == 2) {
3974 * We force early_data rejection by ensuring the PSK identity is
3977 srvid = "Dummy Identity";
3980 * Deliberately corrupt the creation time. We take 20 seconds off the
3981 * time. It could be any value as long as it is not within tolerance.
3982 * This should mean the ticket is rejected.
3984 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3989 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3992 /* Write some early data */
3993 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3995 || !TEST_size_t_eq(written, strlen(MSG1)))
3998 /* Server should reject the early data */
3999 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4001 SSL_READ_EARLY_DATA_FINISH)
4002 || !TEST_size_t_eq(readbytes, 0)
4003 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4004 SSL_EARLY_DATA_REJECTED))
4014 * Finish off the handshake. We perform the same writes and reads as
4015 * further down but we expect them to fail due to the incomplete
4018 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4019 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
4026 BIO *wbio = SSL_get_wbio(clientssl);
4027 /* A record that will appear as bad early_data */
4028 const unsigned char bad_early_data[] = {
4029 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
4033 * We force the client to attempt a write. This will fail because
4034 * we're still in the handshake. It will cause the second
4035 * ClientHello to be sent.
4037 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
4042 * Inject some early_data after the second ClientHello. This should
4043 * cause the server to fail
4045 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
4046 sizeof(bad_early_data), &written)))
4053 * This client has sent more early_data than we are willing to skip
4054 * (case 3) or sent invalid early_data (case 2) so the connection should
4057 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4058 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
4061 /* Connection has failed - nothing more to do */
4066 TEST_error("Invalid test type");
4072 * Should be able to send normal data despite rejection of early data. The
4073 * early_data should be skipped.
4075 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4076 || !TEST_size_t_eq(written, strlen(MSG2))
4077 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4078 SSL_EARLY_DATA_REJECTED)
4079 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4080 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4084 * Failure to decrypt early data records should not leave spurious errors
4085 * on the error stack
4087 if (!TEST_long_eq(ERR_peek_error(), 0))
4093 SSL_SESSION_free(clientpsk);
4094 SSL_SESSION_free(serverpsk);
4095 clientpsk = serverpsk = NULL;
4096 SSL_SESSION_free(sess);
4097 SSL_free(serverssl);
4098 SSL_free(clientssl);
4105 * Test that a server attempting to read early data can handle a connection
4106 * from a client where the early data is not acceptable.
4108 static int test_early_data_skip(int idx)
4110 return early_data_skip_helper(0,
4111 idx % OSSL_NELEM(ciphersuites),
4112 idx / OSSL_NELEM(ciphersuites));
4116 * Test that a server attempting to read early data can handle a connection
4117 * from a client where an HRR occurs.
4119 static int test_early_data_skip_hrr(int idx)
4121 return early_data_skip_helper(1,
4122 idx % OSSL_NELEM(ciphersuites),
4123 idx / OSSL_NELEM(ciphersuites));
4127 * Test that a server attempting to read early data can handle a connection
4128 * from a client where an HRR occurs and correctly fails if early_data is sent
4131 static int test_early_data_skip_hrr_fail(int idx)
4133 return early_data_skip_helper(2,
4134 idx % OSSL_NELEM(ciphersuites),
4135 idx / OSSL_NELEM(ciphersuites));
4139 * Test that a server attempting to read early data will abort if it tries to
4140 * skip over too much.
4142 static int test_early_data_skip_abort(int idx)
4144 return early_data_skip_helper(3,
4145 idx % OSSL_NELEM(ciphersuites),
4146 idx / OSSL_NELEM(ciphersuites));
4150 * Test that a server attempting to read early data can handle a connection
4151 * from a client that doesn't send any.
4153 static int test_early_data_not_sent(int idx)
4155 SSL_CTX *cctx = NULL, *sctx = NULL;
4156 SSL *clientssl = NULL, *serverssl = NULL;
4158 SSL_SESSION *sess = NULL;
4159 unsigned char buf[20];
4160 size_t readbytes, written;
4162 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4163 &serverssl, &sess, idx,
4164 SHA384_DIGEST_LENGTH)))
4167 /* Write some data - should block due to handshake with server */
4168 SSL_set_connect_state(clientssl);
4169 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4172 /* Server should detect that early data has not been sent */
4173 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4175 SSL_READ_EARLY_DATA_FINISH)
4176 || !TEST_size_t_eq(readbytes, 0)
4177 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4178 SSL_EARLY_DATA_NOT_SENT)
4179 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4180 SSL_EARLY_DATA_NOT_SENT))
4183 /* Continue writing the message we started earlier */
4184 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4185 || !TEST_size_t_eq(written, strlen(MSG1))
4186 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4187 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4188 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
4189 || !TEST_size_t_eq(written, strlen(MSG2)))
4192 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4193 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4199 SSL_SESSION_free(sess);
4200 SSL_SESSION_free(clientpsk);
4201 SSL_SESSION_free(serverpsk);
4202 clientpsk = serverpsk = NULL;
4203 SSL_free(serverssl);
4204 SSL_free(clientssl);
4210 static const char *servalpn;
4212 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
4213 unsigned char *outlen, const unsigned char *in,
4214 unsigned int inlen, void *arg)
4216 unsigned int protlen = 0;
4217 const unsigned char *prot;
4219 for (prot = in; prot < in + inlen; prot += protlen) {
4221 if (in + inlen < prot + protlen)
4222 return SSL_TLSEXT_ERR_NOACK;
4224 if (protlen == strlen(servalpn)
4225 && memcmp(prot, servalpn, protlen) == 0) {
4228 return SSL_TLSEXT_ERR_OK;
4232 return SSL_TLSEXT_ERR_NOACK;
4235 /* Test that a PSK can be used to send early_data */
4236 static int test_early_data_psk(int idx)
4238 SSL_CTX *cctx = NULL, *sctx = NULL;
4239 SSL *clientssl = NULL, *serverssl = NULL;
4241 SSL_SESSION *sess = NULL;
4242 unsigned char alpnlist[] = {
4243 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
4246 #define GOODALPNLEN 9
4247 #define BADALPNLEN 8
4248 #define GOODALPN (alpnlist)
4249 #define BADALPN (alpnlist + GOODALPNLEN)
4251 unsigned char buf[20];
4252 size_t readbytes, written;
4253 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
4254 int edstatus = SSL_EARLY_DATA_ACCEPTED;
4256 /* We always set this up with a final parameter of "2" for PSK */
4257 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4258 &serverssl, &sess, 2,
4259 SHA384_DIGEST_LENGTH)))
4262 servalpn = "goodalpn";
4265 * Note: There is no test for inconsistent SNI with late client detection.
4266 * This is because servers do not acknowledge SNI even if they are using
4267 * it in a resumption handshake - so it is not actually possible for a
4268 * client to detect a problem.
4272 /* Set inconsistent SNI (early client detection) */
4273 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
4274 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4275 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
4280 /* Set inconsistent ALPN (early client detection) */
4281 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
4282 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
4283 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
4285 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
4292 * Set invalid protocol version. Technically this affects PSKs without
4293 * early_data too, but we test it here because it is similar to the
4294 * SNI/ALPN consistency tests.
4296 err = SSL_R_BAD_PSK;
4297 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
4303 * Set inconsistent SNI (server side). In this case the connection
4304 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
4305 * is associated with each handshake - not the session. Therefore it
4306 * should not matter that we used a different server name last time.
4308 SSL_SESSION_free(serverpsk);
4309 serverpsk = SSL_SESSION_dup(clientpsk);
4310 if (!TEST_ptr(serverpsk)
4311 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
4315 /* Set consistent SNI */
4316 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4317 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
4318 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
4325 * Set inconsistent ALPN (server detected). In this case the connection
4326 * will succeed but reject early_data.
4328 servalpn = "badalpn";
4329 edstatus = SSL_EARLY_DATA_REJECTED;
4330 readearlyres = SSL_READ_EARLY_DATA_FINISH;
4334 * Set consistent ALPN.
4335 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4336 * accepts a list of protos (each one length prefixed).
4337 * SSL_set1_alpn_selected accepts a single protocol (not length
4340 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4342 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4346 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4350 /* Set inconsistent ALPN (late client detection) */
4351 SSL_SESSION_free(serverpsk);
4352 serverpsk = SSL_SESSION_dup(clientpsk);
4353 if (!TEST_ptr(serverpsk)
4354 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4357 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4360 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4363 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4364 edstatus = SSL_EARLY_DATA_ACCEPTED;
4365 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4366 /* SSL_connect() call should fail */
4371 TEST_error("Bad test index");
4375 SSL_set_connect_state(clientssl);
4377 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4379 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4380 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4383 OSSL_TIME timer = ossl_time_now();
4385 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4389 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4390 &readbytes), readearlyres)) {
4391 testresult = check_early_data_timeout(timer);
4395 if ((readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4396 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
4397 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4398 || !TEST_int_eq(SSL_connect(clientssl), connectres))
4405 SSL_SESSION_free(sess);
4406 SSL_SESSION_free(clientpsk);
4407 SSL_SESSION_free(serverpsk);
4408 clientpsk = serverpsk = NULL;
4409 SSL_free(serverssl);
4410 SSL_free(clientssl);
4417 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4418 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4419 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4420 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4421 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4422 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4424 static int test_early_data_psk_with_all_ciphers(int idx)
4426 SSL_CTX *cctx = NULL, *sctx = NULL;
4427 SSL *clientssl = NULL, *serverssl = NULL;
4429 SSL_SESSION *sess = NULL;
4430 unsigned char buf[20];
4431 size_t readbytes, written;
4432 const SSL_CIPHER *cipher;
4434 const char *cipher_str[] = {
4435 TLS1_3_RFC_AES_128_GCM_SHA256,
4436 TLS1_3_RFC_AES_256_GCM_SHA384,
4437 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4438 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4442 TLS1_3_RFC_AES_128_CCM_SHA256,
4443 TLS1_3_RFC_AES_128_CCM_8_SHA256
4445 const unsigned char *cipher_bytes[] = {
4446 TLS13_AES_128_GCM_SHA256_BYTES,
4447 TLS13_AES_256_GCM_SHA384_BYTES,
4448 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4449 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4453 TLS13_AES_128_CCM_SHA256_BYTES,
4454 TLS13_AES_128_CCM_8_SHA256_BYTES
4457 if (cipher_str[idx] == NULL)
4459 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4460 if (idx == 2 && is_fips == 1)
4463 /* We always set this up with a final parameter of "2" for PSK */
4464 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4465 &serverssl, &sess, 2,
4466 SHA384_DIGEST_LENGTH)))
4470 /* CCM8 ciphers are considered low security due to their short tag */
4471 SSL_set_security_level(clientssl, 0);
4472 SSL_set_security_level(serverssl, 0);
4475 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4476 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4480 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4481 * and assigns to both client and server with incremented reference
4482 * and the same instance is updated in 'sess'.
4483 * So updating ciphersuite in 'sess' which will get reflected in
4484 * PSK handshake using psk use sess and find sess cb.
4486 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4487 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4490 SSL_set_connect_state(clientssl);
4491 timer = ossl_time_now();
4492 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4496 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4498 SSL_READ_EARLY_DATA_SUCCESS)) {
4499 testresult = check_early_data_timeout(timer);
4503 if (!TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4504 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4505 SSL_EARLY_DATA_ACCEPTED)
4506 || !TEST_int_eq(SSL_connect(clientssl), 1)
4507 || !TEST_int_eq(SSL_accept(serverssl), 1))
4510 /* Send some normal data from client to server */
4511 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4512 || !TEST_size_t_eq(written, strlen(MSG2)))
4515 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4516 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4521 SSL_SESSION_free(sess);
4522 SSL_SESSION_free(clientpsk);
4523 SSL_SESSION_free(serverpsk);
4524 clientpsk = serverpsk = NULL;
4525 if (clientssl != NULL)
4526 SSL_shutdown(clientssl);
4527 if (serverssl != NULL)
4528 SSL_shutdown(serverssl);
4529 SSL_free(serverssl);
4530 SSL_free(clientssl);
4537 * Test that a server that doesn't try to read early data can handle a
4538 * client sending some.
4540 static int test_early_data_not_expected(int idx)
4542 SSL_CTX *cctx = NULL, *sctx = NULL;
4543 SSL *clientssl = NULL, *serverssl = NULL;
4545 SSL_SESSION *sess = NULL;
4546 unsigned char buf[20];
4547 size_t readbytes, written;
4549 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4550 &serverssl, &sess, idx,
4551 SHA384_DIGEST_LENGTH)))
4554 /* Write some early data */
4555 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4560 * Server should skip over early data and then block waiting for client to
4561 * continue handshake
4563 if (!TEST_int_le(SSL_accept(serverssl), 0)
4564 || !TEST_int_gt(SSL_connect(clientssl), 0)
4565 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4566 SSL_EARLY_DATA_REJECTED)
4567 || !TEST_int_gt(SSL_accept(serverssl), 0)
4568 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4569 SSL_EARLY_DATA_REJECTED))
4572 /* Send some normal data from client to server */
4573 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4574 || !TEST_size_t_eq(written, strlen(MSG2)))
4577 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4578 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4584 SSL_SESSION_free(sess);
4585 SSL_SESSION_free(clientpsk);
4586 SSL_SESSION_free(serverpsk);
4587 clientpsk = serverpsk = NULL;
4588 SSL_free(serverssl);
4589 SSL_free(clientssl);
4596 # ifndef OPENSSL_NO_TLS1_2
4598 * Test that a server attempting to read early data can handle a connection
4599 * from a TLSv1.2 client.
4601 static int test_early_data_tls1_2(int idx)
4603 SSL_CTX *cctx = NULL, *sctx = NULL;
4604 SSL *clientssl = NULL, *serverssl = NULL;
4606 unsigned char buf[20];
4607 size_t readbytes, written;
4609 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4610 &serverssl, NULL, idx,
4611 SHA384_DIGEST_LENGTH)))
4614 /* Write some data - should block due to handshake with server */
4615 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4616 SSL_set_connect_state(clientssl);
4617 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4621 * Server should do TLSv1.2 handshake. First it will block waiting for more
4622 * messages from client after ServerDone. Then SSL_read_early_data should
4623 * finish and detect that early data has not been sent
4625 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4627 SSL_READ_EARLY_DATA_ERROR))
4631 * Continue writing the message we started earlier. Will still block waiting
4632 * for the CCS/Finished from server
4634 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4635 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4637 SSL_READ_EARLY_DATA_FINISH)
4638 || !TEST_size_t_eq(readbytes, 0)
4639 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4640 SSL_EARLY_DATA_NOT_SENT))
4643 /* Continue writing the message we started earlier */
4644 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4645 || !TEST_size_t_eq(written, strlen(MSG1))
4646 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4647 SSL_EARLY_DATA_NOT_SENT)
4648 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4649 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4650 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4651 || !TEST_size_t_eq(written, strlen(MSG2))
4652 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4653 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4659 SSL_SESSION_free(clientpsk);
4660 SSL_SESSION_free(serverpsk);
4661 clientpsk = serverpsk = NULL;
4662 SSL_free(serverssl);
4663 SSL_free(clientssl);
4669 # endif /* OPENSSL_NO_TLS1_2 */
4672 * Test configuring the TLSv1.3 ciphersuites
4674 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4675 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4676 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4677 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4678 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4679 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4680 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4681 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4682 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4683 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4685 static int test_set_ciphersuite(int idx)
4687 SSL_CTX *cctx = NULL, *sctx = NULL;
4688 SSL *clientssl = NULL, *serverssl = NULL;
4691 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4692 TLS_client_method(), TLS1_VERSION, 0,
4693 &sctx, &cctx, cert, privkey))
4694 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4695 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4698 if (idx >=4 && idx <= 7) {
4699 /* SSL_CTX explicit cipher list */
4700 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4704 if (idx == 0 || idx == 4) {
4705 /* Default ciphersuite */
4706 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4707 "TLS_AES_128_GCM_SHA256")))
4709 } else if (idx == 1 || idx == 5) {
4710 /* Non default ciphersuite */
4711 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4712 "TLS_AES_128_CCM_SHA256")))
4716 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4717 &clientssl, NULL, NULL)))
4720 if (idx == 8 || idx == 9) {
4721 /* SSL explicit cipher list */
4722 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4726 if (idx == 2 || idx == 6 || idx == 8) {
4727 /* Default ciphersuite */
4728 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4729 "TLS_AES_128_GCM_SHA256")))
4731 } else if (idx == 3 || idx == 7 || idx == 9) {
4732 /* Non default ciphersuite */
4733 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4734 "TLS_AES_128_CCM_SHA256")))
4738 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4744 SSL_free(serverssl);
4745 SSL_free(clientssl);
4752 static int test_ciphersuite_change(void)
4754 SSL_CTX *cctx = NULL, *sctx = NULL;
4755 SSL *clientssl = NULL, *serverssl = NULL;
4756 SSL_SESSION *clntsess = NULL;
4758 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4760 /* Create a session based on SHA-256 */
4761 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4762 TLS_client_method(), TLS1_VERSION, 0,
4763 &sctx, &cctx, cert, privkey))
4764 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4765 "TLS_AES_128_GCM_SHA256:"
4766 "TLS_AES_256_GCM_SHA384:"
4767 "TLS_AES_128_CCM_SHA256"))
4768 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4769 "TLS_AES_128_GCM_SHA256")))
4772 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4774 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4778 clntsess = SSL_get1_session(clientssl);
4779 /* Save for later */
4780 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4781 SSL_shutdown(clientssl);
4782 SSL_shutdown(serverssl);
4783 SSL_free(serverssl);
4784 SSL_free(clientssl);
4785 serverssl = clientssl = NULL;
4787 /* Check we can resume a session with a different SHA-256 ciphersuite */
4788 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4789 "TLS_AES_128_CCM_SHA256"))
4790 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4791 &clientssl, NULL, NULL))
4792 || !TEST_true(SSL_set_session(clientssl, clntsess))
4793 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4795 || !TEST_true(SSL_session_reused(clientssl)))
4798 SSL_SESSION_free(clntsess);
4799 clntsess = SSL_get1_session(clientssl);
4800 SSL_shutdown(clientssl);
4801 SSL_shutdown(serverssl);
4802 SSL_free(serverssl);
4803 SSL_free(clientssl);
4804 serverssl = clientssl = NULL;
4807 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4808 * succeeds but does not resume.
4810 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4811 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4813 || !TEST_true(SSL_set_session(clientssl, clntsess))
4814 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4816 || !TEST_false(SSL_session_reused(clientssl)))
4819 SSL_SESSION_free(clntsess);
4821 SSL_shutdown(clientssl);
4822 SSL_shutdown(serverssl);
4823 SSL_free(serverssl);
4824 SSL_free(clientssl);
4825 serverssl = clientssl = NULL;
4827 /* Create a session based on SHA384 */
4828 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4829 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4830 &clientssl, NULL, NULL))
4831 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4835 clntsess = SSL_get1_session(clientssl);
4836 SSL_shutdown(clientssl);
4837 SSL_shutdown(serverssl);
4838 SSL_free(serverssl);
4839 SSL_free(clientssl);
4840 serverssl = clientssl = NULL;
4842 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4843 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4844 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4845 "TLS_AES_256_GCM_SHA384"))
4846 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4848 || !TEST_true(SSL_set_session(clientssl, clntsess))
4850 * We use SSL_ERROR_WANT_READ below so that we can pause the
4851 * connection after the initial ClientHello has been sent to
4852 * enable us to make some session changes.
4854 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4855 SSL_ERROR_WANT_READ)))
4858 /* Trick the client into thinking this session is for a different digest */
4859 clntsess->cipher = aes_128_gcm_sha256;
4860 clntsess->cipher_id = clntsess->cipher->id;
4863 * Continue the previously started connection. Server has selected a SHA-384
4864 * ciphersuite, but client thinks the session is for SHA-256, so it should
4867 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4869 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4870 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4876 SSL_SESSION_free(clntsess);
4877 SSL_free(serverssl);
4878 SSL_free(clientssl);
4886 * Test TLSv1.3 Key exchange
4887 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4888 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4889 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4890 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4891 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4892 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4893 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4894 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4895 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4896 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4897 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4898 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4899 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4900 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4902 # ifndef OPENSSL_NO_EC
4903 static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4905 # ifndef OPENSSL_NO_ECX
4906 NID_X25519, NID_X448
4910 # ifndef OPENSSL_NO_DH
4911 static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4912 NID_ffdhe6144, NID_ffdhe8192};
4914 static int test_key_exchange(int idx)
4916 SSL_CTX *sctx = NULL, *cctx = NULL;
4917 SSL *serverssl = NULL, *clientssl = NULL;
4920 int *kexch_groups = &kexch_alg;
4921 int kexch_groups_size = 1;
4922 int max_version = TLS1_3_VERSION;
4923 char *kexch_name0 = NULL;
4926 # ifndef OPENSSL_NO_EC
4927 # ifndef OPENSSL_NO_TLS1_2
4929 max_version = TLS1_2_VERSION;
4933 kexch_groups = ecdhe_kexch_groups;
4934 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4935 kexch_name0 = "secp256r1";
4938 kexch_alg = NID_X9_62_prime256v1;
4939 kexch_name0 = "secp256r1";
4942 kexch_alg = NID_secp384r1;
4943 kexch_name0 = "secp384r1";
4946 kexch_alg = NID_secp521r1;
4947 kexch_name0 = "secp521r1";
4949 # ifndef OPENSSL_NO_ECX
4951 kexch_alg = NID_X25519;
4952 kexch_name0 = "x25519";
4955 kexch_alg = NID_X448;
4956 kexch_name0 = "x448";
4960 # ifndef OPENSSL_NO_DH
4961 # ifndef OPENSSL_NO_TLS1_2
4963 max_version = TLS1_2_VERSION;
4964 kexch_name0 = "ffdhe2048";
4968 kexch_groups = ffdhe_kexch_groups;
4969 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4970 kexch_name0 = "ffdhe2048";
4973 kexch_alg = NID_ffdhe2048;
4974 kexch_name0 = "ffdhe2048";
4977 kexch_alg = NID_ffdhe3072;
4978 kexch_name0 = "ffdhe3072";
4981 kexch_alg = NID_ffdhe4096;
4982 kexch_name0 = "ffdhe4096";
4985 kexch_alg = NID_ffdhe6144;
4986 kexch_name0 = "ffdhe6144";
4989 kexch_alg = NID_ffdhe8192;
4990 kexch_name0 = "ffdhe8192";
4994 /* We're skipping this test */
4998 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4999 TLS_client_method(), TLS1_VERSION,
5000 max_version, &sctx, &cctx, cert,
5004 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
5005 TLS1_3_RFC_AES_128_GCM_SHA256)))
5008 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5009 TLS1_3_RFC_AES_128_GCM_SHA256)))
5012 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
5013 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5014 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
5015 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
5019 * Must include an EC ciphersuite so that we send supported groups in
5022 # ifndef OPENSSL_NO_TLS1_2
5023 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5024 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5025 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
5029 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5033 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
5034 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
5037 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5041 * If Handshake succeeds the negotiated kexch alg should be the first one in
5042 * configured, except in the case of FFDHE groups (idx 13), which are
5043 * TLSv1.3 only so we expect no shared group to exist.
5045 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
5046 idx == 13 ? 0 : kexch_groups[0]))
5049 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
5053 /* We don't implement RFC 7919 named groups for TLS 1.2. */
5055 if (!TEST_str_eq(SSL_get0_group_name(serverssl), kexch_name0)
5056 || !TEST_str_eq(SSL_get0_group_name(clientssl), kexch_name0))
5058 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
5060 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
5066 SSL_free(serverssl);
5067 SSL_free(clientssl);
5073 # if !defined(OPENSSL_NO_TLS1_2) \
5074 && !defined(OPENSSL_NO_EC) \
5075 && !defined(OPENSSL_NO_DH)
5076 static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
5077 int isecdhe, int idx)
5080 int *kexch_groups = &kexch_alg;
5083 numec = OSSL_NELEM(ecdhe_kexch_groups);
5084 numff = OSSL_NELEM(ffdhe_kexch_groups);
5086 kexch_alg = ecdhe_kexch_groups[idx];
5088 kexch_alg = ffdhe_kexch_groups[idx];
5091 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
5094 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
5098 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
5103 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
5106 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
5110 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
5119 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
5120 * Run through both the ECDHE and FFDHE group lists used in the previous
5121 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
5122 * confirming the expected result; then perform a resumption handshake
5123 * while offering the same group list, and another resumption handshake
5124 * offering a different group list. The returned value should be the
5125 * negotiated group for the initial handshake; for TLS 1.3 resumption
5126 * handshakes the returned value will be negotiated on the resumption
5127 * handshake itself, but for TLS 1.2 resumption handshakes the value will
5128 * be cached in the session from the original handshake, regardless of what
5129 * was offered in the resumption ClientHello.
5131 * Using E for the number of EC groups and F for the number of FF groups:
5132 * E tests of ECDHE with TLS 1.3, server only has one group
5133 * F tests of FFDHE with TLS 1.3, server only has one group
5134 * E tests of ECDHE with TLS 1.2, server only has one group
5135 * F tests of FFDHE with TLS 1.2, server only has one group
5136 * E tests of ECDHE with TLS 1.3, client sends only one group
5137 * F tests of FFDHE with TLS 1.3, client sends only one group
5138 * E tests of ECDHE with TLS 1.2, client sends only one group
5139 * F tests of FFDHE with TLS 1.2, client sends only one group
5141 static int test_negotiated_group(int idx)
5143 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
5145 SSL_CTX *sctx = NULL, *cctx = NULL;
5146 SSL *serverssl = NULL, *clientssl = NULL;
5147 SSL_SESSION *origsess = NULL;
5150 int max_version = TLS1_3_VERSION;
5152 numec = OSSL_NELEM(ecdhe_kexch_groups);
5153 numff = OSSL_NELEM(ffdhe_kexch_groups);
5154 numgroups = numec + numff;
5155 clientmulti = (idx < 2 * numgroups);
5156 idx = idx % (2 * numgroups);
5157 istls13 = (idx < numgroups);
5158 idx = idx % numgroups;
5159 isecdhe = (idx < numec);
5162 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
5164 kexch_alg = ecdhe_kexch_groups[idx];
5166 kexch_alg = ffdhe_kexch_groups[idx];
5167 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
5168 if (!istls13 && !isecdhe)
5169 expectednid = NID_undef;
5171 expectednid = kexch_alg;
5174 max_version = TLS1_2_VERSION;
5176 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5177 TLS_client_method(), TLS1_VERSION,
5178 max_version, &sctx, &cctx, cert,
5183 * Force (EC)DHE ciphers for TLS 1.2.
5184 * Be sure to enable auto tmp DH so that FFDHE can succeed.
5186 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
5187 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5188 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
5189 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
5191 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5192 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5193 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
5196 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5200 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
5204 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5207 /* Initial handshake; always the configured one */
5208 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5209 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5212 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
5215 SSL_shutdown(clientssl);
5216 SSL_shutdown(serverssl);
5217 SSL_free(serverssl);
5218 SSL_free(clientssl);
5219 serverssl = clientssl = NULL;
5221 /* First resumption attempt; use the same config as initial handshake */
5222 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5224 || !TEST_true(SSL_set_session(clientssl, origsess))
5225 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5229 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5230 || !TEST_true(SSL_session_reused(clientssl)))
5233 /* Still had better agree, since nothing changed... */
5234 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5235 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5238 SSL_shutdown(clientssl);
5239 SSL_shutdown(serverssl);
5240 SSL_free(serverssl);
5241 SSL_free(clientssl);
5242 serverssl = clientssl = NULL;
5245 * Second resumption attempt
5246 * The party that picks one group changes it, which we effectuate by
5247 * changing 'idx' and updating what we expect.
5255 expectednid = ecdhe_kexch_groups[idx];
5257 expectednid = ffdhe_kexch_groups[idx];
5258 /* Verify that we are changing what we expect. */
5259 if (!TEST_int_ne(expectednid, kexch_alg))
5262 /* TLS 1.2 only supports named groups for ECDHE. */
5264 expectednid = kexch_alg;
5268 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5270 || !TEST_true(SSL_set_session(clientssl, origsess))
5271 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5275 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5276 || !TEST_true(SSL_session_reused(clientssl)))
5279 /* Check that we get what we expected */
5280 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5281 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5286 SSL_free(serverssl);
5287 SSL_free(clientssl);
5290 SSL_SESSION_free(origsess);
5293 # endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
5296 * Test TLSv1.3 Cipher Suite
5297 * Test 0 = Set TLS1.3 cipher on context
5298 * Test 1 = Set TLS1.3 cipher on SSL
5299 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
5300 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
5302 static int test_tls13_ciphersuite(int idx)
5304 SSL_CTX *sctx = NULL, *cctx = NULL;
5305 SSL *serverssl = NULL, *clientssl = NULL;
5306 static const struct {
5307 const char *ciphername;
5311 { TLS1_3_RFC_AES_128_GCM_SHA256, 1, 0 },
5312 { TLS1_3_RFC_AES_256_GCM_SHA384, 1, 0 },
5313 { TLS1_3_RFC_AES_128_CCM_SHA256, 1, 0 },
5314 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5315 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5316 { TLS1_3_RFC_AES_256_GCM_SHA384
5317 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5319 /* CCM8 ciphers are considered low security due to their short tag */
5320 { TLS1_3_RFC_AES_128_CCM_8_SHA256
5321 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1, 1 }
5323 const char *t13_cipher = NULL;
5324 const char *t12_cipher = NULL;
5325 const char *negotiated_scipher;
5326 const char *negotiated_ccipher;
5342 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5346 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5350 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
5351 # ifdef OPENSSL_NO_TLS1_2
5352 if (max_ver == TLS1_2_VERSION)
5355 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
5356 if (is_fips && !t13_ciphers[i].fipscapable)
5358 t13_cipher = t13_ciphers[i].ciphername;
5359 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5360 TLS_client_method(),
5361 TLS1_VERSION, max_ver,
5362 &sctx, &cctx, cert, privkey)))
5365 if (t13_ciphers[i].low_security) {
5366 SSL_CTX_set_security_level(sctx, 0);
5367 SSL_CTX_set_security_level(cctx, 0);
5371 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
5372 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
5374 if (t12_cipher != NULL) {
5375 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
5376 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
5382 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5383 &clientssl, NULL, NULL)))
5387 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5388 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5390 if (t12_cipher != NULL) {
5391 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5392 || !TEST_true(SSL_set_cipher_list(clientssl,
5398 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5402 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5404 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5406 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5410 * TEST_strn_eq is used below because t13_cipher can contain
5411 * multiple ciphersuites
5413 if (max_ver == TLS1_3_VERSION
5414 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5415 strlen(negotiated_scipher)))
5418 # ifndef OPENSSL_NO_TLS1_2
5419 /* Below validation is not done when t12_cipher is NULL */
5420 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5421 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5425 SSL_free(serverssl);
5427 SSL_free(clientssl);
5438 SSL_free(serverssl);
5439 SSL_free(clientssl);
5447 * Test 0 = Test new style callbacks
5448 * Test 1 = Test both new and old style callbacks
5449 * Test 2 = Test old style callbacks
5450 * Test 3 = Test old style callbacks with no certificate
5452 static int test_tls13_psk(int idx)
5454 SSL_CTX *sctx = NULL, *cctx = NULL;
5455 SSL *serverssl = NULL, *clientssl = NULL;
5456 const SSL_CIPHER *cipher = NULL;
5457 const unsigned char key[] = {
5458 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5459 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
5460 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5461 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
5465 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5466 TLS_client_method(), TLS1_VERSION, 0,
5467 &sctx, &cctx, idx == 3 ? NULL : cert,
5468 idx == 3 ? NULL : privkey)))
5473 * We use a ciphersuite with SHA256 to ease testing old style PSK
5474 * callbacks which will always default to SHA256. This should not be
5475 * necessary if we have no cert/priv key. In that case the server should
5476 * prefer SHA256 automatically.
5478 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5479 "TLS_AES_128_GCM_SHA256")))
5483 * As noted above the server should prefer SHA256 automatically. However
5484 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5485 * code works even if we are testing with only the FIPS provider loaded.
5487 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5488 "TLS_AES_256_GCM_SHA384:"
5489 "TLS_AES_128_GCM_SHA256")))
5494 * Test 0: New style callbacks only
5495 * Test 1: New and old style callbacks (only the new ones should be used)
5496 * Test 2: Old style callbacks only
5498 if (idx == 0 || idx == 1) {
5499 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5500 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5502 #ifndef OPENSSL_NO_PSK
5504 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5505 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5509 use_session_cb_cnt = 0;
5510 find_session_cb_cnt = 0;
5511 psk_client_cb_cnt = 0;
5512 psk_server_cb_cnt = 0;
5516 * Check we can create a connection if callback decides not to send a
5519 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5521 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5523 || !TEST_false(SSL_session_reused(clientssl))
5524 || !TEST_false(SSL_session_reused(serverssl)))
5527 if (idx == 0 || idx == 1) {
5528 if (!TEST_true(use_session_cb_cnt == 1)
5529 || !TEST_true(find_session_cb_cnt == 0)
5531 * If no old style callback then below should be 0
5534 || !TEST_true(psk_client_cb_cnt == idx)
5535 || !TEST_true(psk_server_cb_cnt == 0))
5538 if (!TEST_true(use_session_cb_cnt == 0)
5539 || !TEST_true(find_session_cb_cnt == 0)
5540 || !TEST_true(psk_client_cb_cnt == 1)
5541 || !TEST_true(psk_server_cb_cnt == 0))
5545 shutdown_ssl_connection(serverssl, clientssl);
5546 serverssl = clientssl = NULL;
5547 use_session_cb_cnt = psk_client_cb_cnt = 0;
5550 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5554 /* Create the PSK */
5555 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
5556 clientpsk = SSL_SESSION_new();
5557 if (!TEST_ptr(clientpsk)
5558 || !TEST_ptr(cipher)
5559 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5561 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5562 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5564 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
5566 serverpsk = clientpsk;
5568 /* Check we can create a connection and the PSK is used */
5569 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5570 || !TEST_true(SSL_session_reused(clientssl))
5571 || !TEST_true(SSL_session_reused(serverssl)))
5574 if (idx == 0 || idx == 1) {
5575 if (!TEST_true(use_session_cb_cnt == 1)
5576 || !TEST_true(find_session_cb_cnt == 1)
5577 || !TEST_true(psk_client_cb_cnt == 0)
5578 || !TEST_true(psk_server_cb_cnt == 0))
5581 if (!TEST_true(use_session_cb_cnt == 0)
5582 || !TEST_true(find_session_cb_cnt == 0)
5583 || !TEST_true(psk_client_cb_cnt == 1)
5584 || !TEST_true(psk_server_cb_cnt == 1))
5588 shutdown_ssl_connection(serverssl, clientssl);
5589 serverssl = clientssl = NULL;
5590 use_session_cb_cnt = find_session_cb_cnt = 0;
5591 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5593 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5598 #if defined(OPENSSL_NO_EC)
5599 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5602 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
5607 * Check we can create a connection, the PSK is used and the callbacks are
5610 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5611 || !TEST_true(SSL_session_reused(clientssl))
5612 || !TEST_true(SSL_session_reused(serverssl)))
5615 if (idx == 0 || idx == 1) {
5616 if (!TEST_true(use_session_cb_cnt == 2)
5617 || !TEST_true(find_session_cb_cnt == 2)
5618 || !TEST_true(psk_client_cb_cnt == 0)
5619 || !TEST_true(psk_server_cb_cnt == 0))
5622 if (!TEST_true(use_session_cb_cnt == 0)
5623 || !TEST_true(find_session_cb_cnt == 0)
5624 || !TEST_true(psk_client_cb_cnt == 2)
5625 || !TEST_true(psk_server_cb_cnt == 2))
5629 shutdown_ssl_connection(serverssl, clientssl);
5630 serverssl = clientssl = NULL;
5631 use_session_cb_cnt = find_session_cb_cnt = 0;
5632 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5636 * Check that if the server rejects the PSK we can still connect, but with
5639 srvid = "Dummy Identity";
5640 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5642 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5644 || !TEST_false(SSL_session_reused(clientssl))
5645 || !TEST_false(SSL_session_reused(serverssl)))
5648 if (idx == 0 || idx == 1) {
5649 if (!TEST_true(use_session_cb_cnt == 1)
5650 || !TEST_true(find_session_cb_cnt == 1)
5651 || !TEST_true(psk_client_cb_cnt == 0)
5653 * If no old style callback then below should be 0
5656 || !TEST_true(psk_server_cb_cnt == idx))
5659 if (!TEST_true(use_session_cb_cnt == 0)
5660 || !TEST_true(find_session_cb_cnt == 0)
5661 || !TEST_true(psk_client_cb_cnt == 1)
5662 || !TEST_true(psk_server_cb_cnt == 1))
5666 shutdown_ssl_connection(serverssl, clientssl);
5667 serverssl = clientssl = NULL;
5672 SSL_SESSION_free(clientpsk);
5673 SSL_SESSION_free(serverpsk);
5674 clientpsk = serverpsk = NULL;
5675 SSL_free(serverssl);
5676 SSL_free(clientssl);
5682 #ifndef OSSL_NO_USABLE_TLS1_3
5684 * Test TLS1.3 connection establishment succeeds with various configurations of
5685 * the options `SSL_OP_ALLOW_NO_DHE_KEX` and `SSL_OP_PREFER_NO_DHE_KEX`.
5686 * The verification of whether the right KEX mode is chosen is not covered by
5687 * this test but by `test_tls13kexmodes`.
5689 * Tests (idx & 1): Server has `SSL_OP_ALLOW_NO_DHE_KEX` set.
5690 * Tests (idx & 2): Server has `SSL_OP_PREFER_NO_DHE_KEX` set.
5691 * Tests (idx & 4): Client has `SSL_OP_ALLOW_NO_DHE_KEX` set.
5693 static int test_tls13_no_dhe_kex(const int idx)
5695 SSL_CTX *sctx = NULL, *cctx = NULL;
5696 SSL *serverssl = NULL, *clientssl = NULL;
5699 SSL_SESSION *saved_session;
5701 int server_allow_no_dhe = (idx & 1) != 0;
5702 int server_prefer_no_dhe = (idx & 2) != 0;
5703 int client_allow_no_dhe = (idx & 4) != 0;
5705 uint64_t server_options = 0
5706 | (server_allow_no_dhe ? SSL_OP_ALLOW_NO_DHE_KEX : 0)
5707 | (server_prefer_no_dhe ? SSL_OP_PREFER_NO_DHE_KEX : 0);
5709 uint64_t client_options = 0
5710 | (client_allow_no_dhe ? SSL_OP_ALLOW_NO_DHE_KEX : 0);
5715 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5716 TLS_client_method(), TLS1_3_VERSION, 0,
5717 &sctx, &cctx, cert, privkey)))
5720 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
5721 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
5723 SSL_CTX_set_options(sctx, server_options);
5724 SSL_CTX_set_options(cctx, client_options);
5726 SSL_CTX_sess_set_new_cb(cctx, new_cachesession_cb);
5728 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5729 &clientssl, NULL, NULL)))
5732 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5734 /* Check we got the number of tickets we were expecting */
5735 || !TEST_int_eq(2, new_called))
5738 /* We'll reuse the last ticket. */
5739 saved_session = sesscache[new_called - 1];
5741 SSL_shutdown(clientssl);
5742 SSL_shutdown(serverssl);
5743 SSL_free(serverssl);
5744 SSL_free(clientssl);
5746 clientssl = serverssl = NULL;
5750 * Now we resume with the last ticket we created.
5753 /* The server context already exists, so we only create the client. */
5754 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5755 TLS_client_method(), TLS1_3_VERSION, 0,
5756 NULL, &cctx, cert, privkey)))
5759 SSL_CTX_set_options(cctx, client_options);
5761 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5762 &clientssl, NULL, NULL))
5763 || !TEST_true(SSL_set_session(clientssl, saved_session)))
5766 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5771 * Make sure, the session was resumed.
5773 if (!TEST_true(SSL_session_reused(clientssl)))
5776 SSL_shutdown(clientssl);
5777 SSL_shutdown(serverssl);
5782 SSL_free(serverssl);
5783 SSL_free(clientssl);
5784 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
5785 SSL_SESSION_free(sesscache[j]);
5786 sesscache[j] = NULL;
5793 #endif /* OSSL_NO_USABLE_TLS1_3 */
5795 static unsigned char cookie_magic_value[] = "cookie magic";
5797 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5798 unsigned int *cookie_len)
5801 * Not suitable as a real cookie generation function but good enough for
5804 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5805 *cookie_len = sizeof(cookie_magic_value) - 1;
5810 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5811 unsigned int cookie_len)
5813 if (cookie_len == sizeof(cookie_magic_value) - 1
5814 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5820 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5824 int res = generate_cookie_callback(ssl, cookie, &temp);
5829 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5832 return verify_cookie_callback(ssl, cookie, cookie_len);
5835 static int test_stateless(void)
5837 SSL_CTX *sctx = NULL, *cctx = NULL;
5838 SSL *serverssl = NULL, *clientssl = NULL;
5841 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5842 TLS_client_method(), TLS1_VERSION, 0,
5843 &sctx, &cctx, cert, privkey)))
5846 /* The arrival of CCS messages can confuse the test */
5847 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5849 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5851 /* Send the first ClientHello */
5852 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5853 SSL_ERROR_WANT_READ))
5855 * This should fail with a -1 return because we have no callbacks
5858 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5861 /* Fatal error so abandon the connection from this client */
5862 SSL_free(clientssl);
5865 /* Set up the cookie generation and verification callbacks */
5866 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5867 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
5870 * Create a new connection from the client (we can reuse the server SSL
5873 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5875 /* Send the first ClientHello */
5876 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5877 SSL_ERROR_WANT_READ))
5878 /* This should fail because there is no cookie */
5879 || !TEST_int_eq(SSL_stateless(serverssl), 0))
5882 /* Abandon the connection from this client */
5883 SSL_free(clientssl);
5887 * Now create a connection from a new client but with the same server SSL
5890 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5892 /* Send the first ClientHello */
5893 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5894 SSL_ERROR_WANT_READ))
5895 /* This should fail because there is no cookie */
5896 || !TEST_int_eq(SSL_stateless(serverssl), 0)
5897 /* Send the second ClientHello */
5898 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5899 SSL_ERROR_WANT_READ))
5900 /* This should succeed because a cookie is now present */
5901 || !TEST_int_eq(SSL_stateless(serverssl), 1)
5902 /* Complete the connection */
5903 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5907 shutdown_ssl_connection(serverssl, clientssl);
5908 serverssl = clientssl = NULL;
5912 SSL_free(serverssl);
5913 SSL_free(clientssl);
5919 #endif /* OSSL_NO_USABLE_TLS1_3 */
5921 static int clntaddoldcb = 0;
5922 static int clntparseoldcb = 0;
5923 static int srvaddoldcb = 0;
5924 static int srvparseoldcb = 0;
5925 static int clntaddnewcb = 0;
5926 static int clntparsenewcb = 0;
5927 static int srvaddnewcb = 0;
5928 static int srvparsenewcb = 0;
5929 static int snicb = 0;
5931 #define TEST_EXT_TYPE1 0xff00
5933 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5934 size_t *outlen, int *al, void *add_arg)
5936 int *server = (int *)add_arg;
5937 unsigned char *data;
5939 if (SSL_is_server(s))
5944 if (*server != SSL_is_server(s)
5945 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5950 *outlen = sizeof(char);
5954 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5957 OPENSSL_free((unsigned char *)out);
5960 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5961 size_t inlen, int *al, void *parse_arg)
5963 int *server = (int *)parse_arg;
5965 if (SSL_is_server(s))
5970 if (*server != SSL_is_server(s)
5971 || inlen != sizeof(char)
5978 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5979 const unsigned char **out, size_t *outlen, X509 *x,
5980 size_t chainidx, int *al, void *add_arg)
5982 int *server = (int *)add_arg;
5983 unsigned char *data;
5985 if (SSL_is_server(s))
5990 if (*server != SSL_is_server(s)
5991 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5996 *outlen = sizeof(*data);
6000 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
6001 const unsigned char *out, void *add_arg)
6003 OPENSSL_free((unsigned char *)out);
6006 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
6007 const unsigned char *in, size_t inlen, X509 *x,
6008 size_t chainidx, int *al, void *parse_arg)
6010 int *server = (int *)parse_arg;
6012 if (SSL_is_server(s))
6017 if (*server != SSL_is_server(s)
6018 || inlen != sizeof(char) || *in != 1)
6024 static int sni_cb(SSL *s, int *al, void *arg)
6026 SSL_CTX *ctx = (SSL_CTX *)arg;
6028 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
6029 *al = SSL_AD_INTERNAL_ERROR;
6030 return SSL_TLSEXT_ERR_ALERT_FATAL;
6033 return SSL_TLSEXT_ERR_OK;
6036 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
6042 * Custom call back tests.
6043 * Test 0: Old style callbacks in TLSv1.2
6044 * Test 1: New style callbacks in TLSv1.2
6045 * Test 2: New style callbacks in TLSv1.2 with SNI
6046 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
6047 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
6048 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
6050 static int test_custom_exts(int tst)
6052 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
6053 SSL *clientssl = NULL, *serverssl = NULL;
6055 static int server = 1;
6056 static int client = 0;
6057 SSL_SESSION *sess = NULL;
6058 unsigned int context;
6060 #if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
6061 /* Skip tests for TLSv1.2 and below in this case */
6066 /* Reset callback counters */
6067 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
6068 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
6071 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6072 TLS_client_method(), TLS1_VERSION, 0,
6073 &sctx, &cctx, cert, privkey)))
6077 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
6079 &sctx2, NULL, cert, privkey)))
6084 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
6085 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
6087 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
6091 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
6092 | SSL_EXT_TLS1_3_CERTIFICATE;
6093 SSL_CTX_set_verify(sctx,
6094 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
6096 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
6097 SSL_FILETYPE_PEM), 1)
6098 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
6099 SSL_FILETYPE_PEM), 1)
6100 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
6102 } else if (tst == 4) {
6103 context = SSL_EXT_CLIENT_HELLO
6104 | SSL_EXT_TLS1_2_SERVER_HELLO
6105 | SSL_EXT_TLS1_3_SERVER_HELLO
6106 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
6107 | SSL_EXT_TLS1_3_CERTIFICATE
6108 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
6110 context = SSL_EXT_CLIENT_HELLO
6111 | SSL_EXT_TLS1_2_SERVER_HELLO
6112 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
6115 /* Create a client side custom extension */
6117 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
6118 old_add_cb, old_free_cb,
6119 &client, old_parse_cb,
6123 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
6124 new_add_cb, new_free_cb,
6125 &client, new_parse_cb, &client)))
6129 /* Should not be able to add duplicates */
6130 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
6131 old_add_cb, old_free_cb,
6132 &client, old_parse_cb,
6134 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
6135 context, new_add_cb,
6136 new_free_cb, &client,
6137 new_parse_cb, &client)))
6140 /* Create a server side custom extension */
6142 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
6143 old_add_cb, old_free_cb,
6144 &server, old_parse_cb,
6148 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
6149 new_add_cb, new_free_cb,
6150 &server, new_parse_cb, &server)))
6153 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
6154 context, new_add_cb,
6155 new_free_cb, &server,
6156 new_parse_cb, &server)))
6160 /* Should not be able to add duplicates */
6161 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
6162 old_add_cb, old_free_cb,
6163 &server, old_parse_cb,
6165 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
6166 context, new_add_cb,
6167 new_free_cb, &server,
6168 new_parse_cb, &server)))
6173 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
6174 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
6178 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6179 &clientssl, NULL, NULL))
6180 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6185 if (clntaddoldcb != 1
6186 || clntparseoldcb != 1
6188 || srvparseoldcb != 1)
6190 } else if (tst == 1 || tst == 2 || tst == 3) {
6191 if (clntaddnewcb != 1
6192 || clntparsenewcb != 1
6194 || srvparsenewcb != 1
6195 || (tst != 2 && snicb != 0)
6196 || (tst == 2 && snicb != 1))
6198 } else if (tst == 5) {
6199 if (clntaddnewcb != 1
6200 || clntparsenewcb != 1
6202 || srvparsenewcb != 1)
6205 /* In this case there 2 NewSessionTicket messages created */
6206 if (clntaddnewcb != 1
6207 || clntparsenewcb != 5
6209 || srvparsenewcb != 1)
6213 sess = SSL_get1_session(clientssl);
6214 SSL_shutdown(clientssl);
6215 SSL_shutdown(serverssl);
6216 SSL_free(serverssl);
6217 SSL_free(clientssl);
6218 serverssl = clientssl = NULL;
6220 if (tst == 3 || tst == 5) {
6221 /* We don't bother with the resumption aspects for these tests */
6226 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6228 || !TEST_true(SSL_set_session(clientssl, sess))
6229 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6234 * For a resumed session we expect to add the ClientHello extension. For the
6235 * old style callbacks we ignore it on the server side because they set
6236 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
6240 if (clntaddoldcb != 2
6241 || clntparseoldcb != 1
6243 || srvparseoldcb != 1)
6245 } else if (tst == 1 || tst == 2 || tst == 3) {
6246 if (clntaddnewcb != 2
6247 || clntparsenewcb != 2
6249 || srvparsenewcb != 2)
6253 * No Certificate message extensions in the resumption handshake,
6254 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
6256 if (clntaddnewcb != 2
6257 || clntparsenewcb != 8
6259 || srvparsenewcb != 2)
6266 SSL_SESSION_free(sess);
6267 SSL_free(serverssl);
6268 SSL_free(clientssl);
6269 SSL_CTX_free(sctx2);
6275 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
6277 #define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \
6278 | SSL_EXT_CLIENT_HELLO \
6279 | SSL_EXT_TLS1_2_SERVER_HELLO \
6280 | SSL_EXT_IGNORE_ON_RESUMPTION)
6282 #define TLS13CONTEXT (SSL_EXT_TLS1_3_CERTIFICATE \
6283 | SSL_EXT_TLS1_2_SERVER_HELLO \
6284 | SSL_EXT_CLIENT_HELLO)
6286 #define SERVERINFO_CUSTOM \
6287 0x00, (char)TLSEXT_TYPE_signed_certificate_timestamp, \
6291 static const unsigned char serverinfo_custom_tls13[] = {
6292 0x00, 0x00, (TLS13CONTEXT >> 8) & 0xff, TLS13CONTEXT & 0xff,
6295 static const unsigned char serverinfo_custom_v2[] = {
6296 0x00, 0x00, (SYNTHV1CONTEXT >> 8) & 0xff, SYNTHV1CONTEXT & 0xff,
6299 static const unsigned char serverinfo_custom_v1[] = {
6302 static const size_t serverinfo_custom_tls13_len = sizeof(serverinfo_custom_tls13);
6303 static const size_t serverinfo_custom_v2_len = sizeof(serverinfo_custom_v2);
6304 static const size_t serverinfo_custom_v1_len = sizeof(serverinfo_custom_v1);
6306 static int serverinfo_custom_parse_cb(SSL *s, unsigned int ext_type,
6307 unsigned int context,
6308 const unsigned char *in,
6309 size_t inlen, X509 *x,
6310 size_t chainidx, int *al,
6313 const size_t len = serverinfo_custom_v1_len;
6314 const unsigned char *si = &serverinfo_custom_v1[len - 3];
6315 int *p_cb_result = (int*)parse_arg;
6316 *p_cb_result = TEST_mem_eq(in, inlen, si, 3);
6320 static int test_serverinfo_custom(const int idx)
6322 SSL_CTX *sctx = NULL, *cctx = NULL;
6323 SSL *clientssl = NULL, *serverssl = NULL;
6328 * Following variables are set in the switch statement
6329 * according to the test iteration.
6330 * Default values do not make much sense: test would fail with them.
6332 int serverinfo_version = 0;
6333 int protocol_version = 0;
6334 unsigned int extension_context = 0;
6335 const unsigned char *si = NULL;
6338 const int call_use_serverinfo_ex = idx > 0;
6340 case 0: /* FALLTHROUGH */
6342 serverinfo_version = SSL_SERVERINFOV1;
6343 protocol_version = TLS1_2_VERSION;
6344 extension_context = SYNTHV1CONTEXT;
6345 si = serverinfo_custom_v1;
6346 si_len = serverinfo_custom_v1_len;
6349 serverinfo_version = SSL_SERVERINFOV2;
6350 protocol_version = TLS1_2_VERSION;
6351 extension_context = SYNTHV1CONTEXT;
6352 si = serverinfo_custom_v2;
6353 si_len = serverinfo_custom_v2_len;
6356 serverinfo_version = SSL_SERVERINFOV2;
6357 protocol_version = TLS1_3_VERSION;
6358 extension_context = TLS13CONTEXT;
6359 si = serverinfo_custom_tls13;
6360 si_len = serverinfo_custom_tls13_len;
6364 if (!TEST_true(create_ssl_ctx_pair(libctx,
6369 &sctx, &cctx, cert, privkey)))
6372 if (call_use_serverinfo_ex) {
6373 if (!TEST_true(SSL_CTX_use_serverinfo_ex(sctx, serverinfo_version,
6377 if (!TEST_true(SSL_CTX_use_serverinfo(sctx, si, si_len)))
6381 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TLSEXT_TYPE_signed_certificate_timestamp,
6384 serverinfo_custom_parse_cb,
6386 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6388 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6390 || !TEST_int_eq(SSL_do_handshake(clientssl), 1))
6393 if (!TEST_true(cb_result))
6399 SSL_free(serverssl);
6400 SSL_free(clientssl);
6409 * Test that SSL_export_keying_material() produces expected results. There are
6410 * no test vectors so all we do is test that both sides of the communication
6411 * produce the same results for different protocol versions.
6413 #define SMALL_LABEL_LEN 10
6414 #define LONG_LABEL_LEN 249
6415 static int test_export_key_mat(int tst)
6418 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
6419 SSL *clientssl = NULL, *serverssl = NULL;
6420 const char label[LONG_LABEL_LEN + 1] = "test label";
6421 const unsigned char context[] = "context";
6422 const unsigned char *emptycontext = NULL;
6423 unsigned char longcontext[1280];
6424 int test_longcontext = fips_provider_version_ge(libctx, 3, 3, 0);
6425 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80], ckeymat4[80];
6426 unsigned char skeymat1[80], skeymat2[80], skeymat3[80], skeymat4[80];
6428 const int protocols[] = {
6437 #ifdef OPENSSL_NO_TLS1
6441 #ifdef OPENSSL_NO_TLS1_1
6445 if (is_fips && (tst == 0 || tst == 1))
6447 #ifdef OPENSSL_NO_TLS1_2
6451 #ifdef OSSL_NO_USABLE_TLS1_3
6455 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6456 TLS_client_method(), TLS1_VERSION, 0,
6457 &sctx, &cctx, cert, privkey)))
6460 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
6461 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
6462 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
6463 if ((protocols[tst] < TLS1_2_VERSION) &&
6464 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
6465 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
6468 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6473 * Premature call of SSL_export_keying_material should just fail.
6475 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6476 sizeof(ckeymat1), label,
6477 SMALL_LABEL_LEN + 1, context,
6478 sizeof(context) - 1, 1), 0))
6481 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6487 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
6490 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6491 sizeof(ckeymat1), label,
6492 LONG_LABEL_LEN + 1, context,
6493 sizeof(context) - 1, 1), 0))
6498 } else if (tst == 4) {
6499 labellen = LONG_LABEL_LEN;
6501 labellen = SMALL_LABEL_LEN;
6504 memset(longcontext, 1, sizeof(longcontext));
6506 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
6507 sizeof(ckeymat1), label,
6509 sizeof(context) - 1, 1), 1)
6510 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
6511 sizeof(ckeymat2), label,
6515 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
6516 sizeof(ckeymat3), label,
6519 || (test_longcontext
6520 && !TEST_int_eq(SSL_export_keying_material(clientssl,
6522 sizeof(ckeymat4), label,
6525 sizeof(longcontext), 1),
6527 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
6528 sizeof(skeymat1), label,
6531 sizeof(context) -1, 1),
6533 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
6534 sizeof(skeymat2), label,
6538 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
6539 sizeof(skeymat3), label,
6542 || (test_longcontext
6543 && !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat4,
6544 sizeof(skeymat4), label,
6547 sizeof(longcontext), 1),
6550 * Check that both sides created the same key material with the
6553 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6556 * Check that both sides created the same key material with an
6559 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6562 * Check that both sides created the same key material without a
6565 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
6568 * Check that both sides created the same key material with a
6571 || (test_longcontext
6572 && !TEST_mem_eq(ckeymat4, sizeof(ckeymat4), skeymat4,
6574 /* Different contexts should produce different results */
6575 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6580 * Check that an empty context and no context produce different results in
6581 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6583 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
6585 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
6592 SSL_free(serverssl);
6593 SSL_free(clientssl);
6594 SSL_CTX_free(sctx2);
6601 #ifndef OSSL_NO_USABLE_TLS1_3
6603 * Test that SSL_export_keying_material_early() produces expected
6604 * results. There are no test vectors so all we do is test that both
6605 * sides of the communication produce the same results for different
6606 * protocol versions.
6608 static int test_export_key_mat_early(int idx)
6610 static const char label[] = "test label";
6611 static const unsigned char context[] = "context";
6613 SSL_CTX *cctx = NULL, *sctx = NULL;
6614 SSL *clientssl = NULL, *serverssl = NULL;
6615 SSL_SESSION *sess = NULL;
6616 const unsigned char *emptycontext = NULL;
6617 unsigned char ckeymat1[80], ckeymat2[80];
6618 unsigned char skeymat1[80], skeymat2[80];
6619 unsigned char buf[1];
6620 size_t readbytes, written;
6622 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
6623 &sess, idx, SHA384_DIGEST_LENGTH)))
6626 /* Here writing 0 length early data is enough. */
6627 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6628 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6630 SSL_READ_EARLY_DATA_ERROR)
6631 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6632 SSL_EARLY_DATA_ACCEPTED))
6635 if (!TEST_int_eq(SSL_export_keying_material_early(
6636 clientssl, ckeymat1, sizeof(ckeymat1), label,
6637 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6638 || !TEST_int_eq(SSL_export_keying_material_early(
6639 clientssl, ckeymat2, sizeof(ckeymat2), label,
6640 sizeof(label) - 1, emptycontext, 0), 1)
6641 || !TEST_int_eq(SSL_export_keying_material_early(
6642 serverssl, skeymat1, sizeof(skeymat1), label,
6643 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6644 || !TEST_int_eq(SSL_export_keying_material_early(
6645 serverssl, skeymat2, sizeof(skeymat2), label,
6646 sizeof(label) - 1, emptycontext, 0), 1)
6648 * Check that both sides created the same key material with the
6651 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6654 * Check that both sides created the same key material with an
6657 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6659 /* Different contexts should produce different results */
6660 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6667 SSL_SESSION_free(sess);
6668 SSL_SESSION_free(clientpsk);
6669 SSL_SESSION_free(serverpsk);
6670 clientpsk = serverpsk = NULL;
6671 SSL_free(serverssl);
6672 SSL_free(clientssl);
6679 #define NUM_KEY_UPDATE_MESSAGES 40
6683 static int test_key_update(void)
6685 SSL_CTX *cctx = NULL, *sctx = NULL;
6686 SSL *clientssl = NULL, *serverssl = NULL;
6687 int testresult = 0, i, j;
6689 static char *mess = "A test message";
6691 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6692 TLS_client_method(),
6695 &sctx, &cctx, cert, privkey))
6696 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6698 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6702 for (j = 0; j < 2; j++) {
6703 /* Send lots of KeyUpdate messages */
6704 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6705 if (!TEST_true(SSL_key_update(clientssl,
6707 ? SSL_KEY_UPDATE_NOT_REQUESTED
6708 : SSL_KEY_UPDATE_REQUESTED))
6709 || !TEST_true(SSL_do_handshake(clientssl)))
6713 /* Check that sending and receiving app data is ok */
6714 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6715 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6719 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6720 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6728 SSL_free(serverssl);
6729 SSL_free(clientssl);
6737 * Test we can handle a KeyUpdate (update requested) message while
6738 * write data is pending in peer.
6739 * Test 0: Client sends KeyUpdate while Server is writing
6740 * Test 1: Server sends KeyUpdate while Client is writing
6742 static int test_key_update_peer_in_write(int tst)
6744 SSL_CTX *cctx = NULL, *sctx = NULL;
6745 SSL *clientssl = NULL, *serverssl = NULL;
6748 static char *mess = "A test message";
6749 BIO *bretry = BIO_new(bio_s_always_retry());
6751 SSL *peerupdate = NULL, *peerwrite = NULL;
6753 if (!TEST_ptr(bretry)
6754 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6755 TLS_client_method(),
6758 &sctx, &cctx, cert, privkey))
6759 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6761 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6765 peerupdate = tst == 0 ? clientssl : serverssl;
6766 peerwrite = tst == 0 ? serverssl : clientssl;
6768 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
6769 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
6772 /* Swap the writing endpoint's write BIO to force a retry */
6773 tmp = SSL_get_wbio(peerwrite);
6774 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6778 SSL_set0_wbio(peerwrite, bretry);
6781 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6782 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6783 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE)
6784 || !TEST_true(SSL_want_write(peerwrite))
6785 || !TEST_true(SSL_net_write_desired(peerwrite)))
6788 /* Reinstate the original writing endpoint's write BIO */
6789 SSL_set0_wbio(peerwrite, tmp);
6792 /* Now read some data - we will read the key update */
6793 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6794 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ)
6795 || !TEST_true(SSL_want_read(peerwrite))
6796 || !TEST_true(SSL_net_read_desired(peerwrite)))
6800 * Complete the write we started previously and read it from the other
6803 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6804 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6807 /* Write more data to ensure we send the KeyUpdate message back */
6808 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6809 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6812 if (!TEST_false(SSL_net_read_desired(peerwrite))
6813 || !TEST_false(SSL_net_write_desired(peerwrite))
6814 || !TEST_int_eq(SSL_want(peerwrite), SSL_NOTHING))
6820 SSL_free(serverssl);
6821 SSL_free(clientssl);
6831 * Test we can handle a KeyUpdate (update requested) message while
6832 * peer read data is pending after peer accepted keyupdate(the msg header
6833 * had been read 5 bytes).
6834 * Test 0: Client sends KeyUpdate while Server is reading
6835 * Test 1: Server sends KeyUpdate while Client is reading
6837 static int test_key_update_peer_in_read(int tst)
6839 SSL_CTX *cctx = NULL, *sctx = NULL;
6840 SSL *clientssl = NULL, *serverssl = NULL;
6842 char prbuf[515], lwbuf[515] = {0};
6843 static char *mess = "A test message";
6844 BIO *lbio = NULL, *pbio = NULL;
6845 SSL *local = NULL, *peer = NULL;
6847 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6848 TLS_client_method(),
6851 &sctx, &cctx, cert, privkey))
6852 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6854 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6858 local = tst == 0 ? clientssl : serverssl;
6859 peer = tst == 0 ? serverssl : clientssl;
6861 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6864 SSL_set_bio(local, lbio, lbio);
6865 SSL_set_bio(peer, pbio, pbio);
6868 * we first write keyupdate msg then appdata in local
6869 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6870 * lwbuf app data msg size + key updata msg size > 512(the size of
6871 * the bio pair buffer)
6873 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6874 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
6875 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6879 * first read keyupdate msg in peer in peer
6880 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6882 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
6883 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
6886 /* Now write some data in peer - we will write the key update */
6887 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
6891 * write data in local previously that we will complete
6892 * read data in peer previously that we will complete
6894 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
6895 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
6898 /* check that sending and receiving appdata ok */
6899 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6900 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6906 SSL_free(serverssl);
6907 SSL_free(clientssl);
6915 * Test we can't send a KeyUpdate (update requested) message while
6916 * local write data is pending.
6917 * Test 0: Client sends KeyUpdate while Client is writing
6918 * Test 1: Server sends KeyUpdate while Server is writing
6920 static int test_key_update_local_in_write(int tst)
6922 SSL_CTX *cctx = NULL, *sctx = NULL;
6923 SSL *clientssl = NULL, *serverssl = NULL;
6926 static char *mess = "A test message";
6927 BIO *bretry = BIO_new(bio_s_always_retry());
6929 SSL *local = NULL, *peer = NULL;
6931 if (!TEST_ptr(bretry)
6932 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6933 TLS_client_method(),
6936 &sctx, &cctx, cert, privkey))
6937 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6939 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6943 local = tst == 0 ? clientssl : serverssl;
6944 peer = tst == 0 ? serverssl : clientssl;
6946 /* Swap the writing endpoint's write BIO to force a retry */
6947 tmp = SSL_get_wbio(local);
6948 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6952 SSL_set0_wbio(local, bretry);
6955 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
6956 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
6957 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6960 /* Reinstate the original writing endpoint's write BIO */
6961 SSL_set0_wbio(local, tmp);
6964 /* SSL_key_update will fail, because writing in local*/
6965 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6966 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
6970 /* write data in local previously that we will complete */
6971 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
6974 /* SSL_key_update will succeed because there is no pending write data */
6975 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6976 || !TEST_int_eq(SSL_do_handshake(local), 1))
6980 * we write some appdata in local
6981 * read data in peer - we will read the keyupdate msg
6983 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6984 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
6987 /* Write more peer more data to ensure we send the keyupdate message back */
6988 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6989 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
6995 SSL_free(serverssl);
6996 SSL_free(clientssl);
7006 * Test we can handle a KeyUpdate (update requested) message while
7007 * local read data is pending(the msg header had been read 5 bytes).
7008 * Test 0: Client sends KeyUpdate while Client is reading
7009 * Test 1: Server sends KeyUpdate while Server is reading
7011 static int test_key_update_local_in_read(int tst)
7013 SSL_CTX *cctx = NULL, *sctx = NULL;
7014 SSL *clientssl = NULL, *serverssl = NULL;
7016 char lrbuf[515], pwbuf[515] = {0}, prbuf[20];
7017 static char *mess = "A test message";
7018 BIO *lbio = NULL, *pbio = NULL;
7019 SSL *local = NULL, *peer = NULL;
7021 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7022 TLS_client_method(),
7025 &sctx, &cctx, cert, privkey))
7026 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7028 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7032 local = tst == 0 ? clientssl : serverssl;
7033 peer = tst == 0 ? serverssl : clientssl;
7035 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
7038 SSL_set_bio(local, lbio, lbio);
7039 SSL_set_bio(peer, pbio, pbio);
7041 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
7042 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
7043 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
7046 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
7047 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
7048 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
7051 /* SSL_do_handshake will send keyupdate msg */
7052 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
7053 || !TEST_int_eq(SSL_do_handshake(local), 1))
7057 * write data in peer previously that we will complete
7058 * read data in local previously that we will complete
7060 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
7061 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
7065 * write data in local
7066 * read data in peer - we will read the key update
7068 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
7069 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
7072 /* Write more peer data to ensure we send the keyupdate message back */
7073 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
7074 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
7080 SSL_free(serverssl);
7081 SSL_free(clientssl);
7087 #endif /* OSSL_NO_USABLE_TLS1_3 */
7090 * Test clearing a connection via SSL_clear(), or resetting it via
7091 * SSL_set_connect_state()/SSL_set_accept_state()
7092 * Test 0: SSL_set_connect_state, TLSv1.3
7093 * Test 1: SSL_set_connect_state, TLSv1.2
7094 * Test 2: SSL_set_accept_state, TLSv1.3
7095 * Test 3: SSL_set_accept_state, TLSv1.2
7096 * Test 4: SSL_clear (client), TLSv1.3
7097 * Test 5: SSL_clear (client), TLSv1.2
7098 * Test 6: SSL_clear (server), TLSv1.3
7099 * Test 7: SSL_clear (server), TLSv1.2
7101 static int test_ssl_clear(int idx)
7103 SSL_CTX *cctx = NULL, *sctx = NULL;
7104 SSL *clientssl = NULL, *serverssl = NULL;
7105 SSL *writer, *reader;
7107 int tls12test, servertest, cleartest;
7108 size_t written, readbytes;
7109 const char *msg = "Hello World";
7110 unsigned char buf[5];
7112 tls12test = idx & 1;
7114 servertest = idx & 1;
7116 cleartest = idx & 1;
7118 #ifdef OPENSSL_NO_TLS1_2
7120 return TEST_skip("No TLSv1.2 in this build");
7123 /* Create an initial connection */
7124 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7125 TLS_client_method(), TLS1_VERSION, 0,
7126 &sctx, &cctx, cert, privkey))
7128 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
7130 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7131 &clientssl, NULL, NULL))
7132 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7144 /* Write some data */
7145 if (!TEST_true(SSL_write_ex(writer, msg, strlen(msg), &written))
7146 || written != strlen(msg))
7150 * Read a partial record. The remaining buffered data should be cleared by
7151 * the subsequent clear/reset
7153 if (!TEST_true(SSL_read_ex(reader, buf, sizeof(buf), &readbytes))
7154 || readbytes != sizeof(buf))
7157 SSL_shutdown(clientssl);
7158 SSL_shutdown(serverssl);
7160 /* Reset/clear one SSL object in order to reuse it. We free the other one */
7163 if (!TEST_true(SSL_clear(serverssl)))
7166 SSL_set_accept_state(serverssl);
7169 * A peculiarity of SSL_clear() is that it does not clear the session.
7170 * This is intended behaviour so that a client can create a new
7171 * connection and reuse the session. But this doesn't make much sense
7172 * on the server side - and causes incorrect behaviour due to the
7173 * handshake failing (even though the documentation does say SSL_clear()
7174 * is supposed to work on the server side). We clear the session
7175 * explicitly - although note that the documentation for
7176 * SSL_set_session() says that its only useful for clients!
7178 if (!TEST_true(SSL_set_session(serverssl, NULL)))
7180 SSL_free(clientssl);
7184 if (!TEST_true(SSL_clear(clientssl)))
7187 SSL_set_connect_state(clientssl);
7189 SSL_free(serverssl);
7193 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7195 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7197 || !TEST_true(servertest || SSL_session_reused(clientssl)))
7200 SSL_shutdown(clientssl);
7201 SSL_shutdown(serverssl);
7206 SSL_free(serverssl);
7207 SSL_free(clientssl);
7214 /* Parse CH and retrieve any MFL extension value if present */
7215 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
7218 unsigned char *data;
7219 PACKET pkt, pkt2, pkt3;
7220 unsigned int MFL_code = 0, type = 0;
7222 if (!TEST_uint_gt(len = BIO_get_mem_data(bio, (char **) &data), 0))
7225 memset(&pkt, 0, sizeof(pkt));
7226 memset(&pkt2, 0, sizeof(pkt2));
7227 memset(&pkt3, 0, sizeof(pkt3));
7229 if (!TEST_long_gt(len, 0)
7230 || !TEST_true(PACKET_buf_init(&pkt, data, len))
7231 /* Skip the record header */
7232 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
7233 /* Skip the handshake message header */
7234 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
7235 /* Skip client version and random */
7236 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
7237 + SSL3_RANDOM_SIZE))
7238 /* Skip session id */
7239 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
7241 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
7242 /* Skip compression */
7243 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
7244 /* Extensions len */
7245 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
7248 /* Loop through all extensions */
7249 while (PACKET_remaining(&pkt2)) {
7250 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
7251 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
7254 if (type == TLSEXT_TYPE_max_fragment_length) {
7255 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
7256 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
7259 *mfl_codemfl_code = MFL_code;
7268 /* Maximum-Fragment-Length TLS extension mode to test */
7269 static const unsigned char max_fragment_len_test[] = {
7270 TLSEXT_max_fragment_length_512,
7271 TLSEXT_max_fragment_length_1024,
7272 TLSEXT_max_fragment_length_2048,
7273 TLSEXT_max_fragment_length_4096
7276 static int test_max_fragment_len_ext(int idx_tst)
7278 SSL_CTX *ctx = NULL;
7280 int testresult = 0, MFL_mode = 0;
7283 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
7284 TLS1_VERSION, 0, NULL, &ctx, NULL,
7288 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
7289 ctx, max_fragment_len_test[idx_tst])))
7296 rbio = BIO_new(BIO_s_mem());
7297 wbio = BIO_new(BIO_s_mem());
7298 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
7304 SSL_set_bio(con, rbio, wbio);
7306 if (!TEST_int_le(SSL_connect(con), 0)) {
7307 /* This shouldn't succeed because we don't have a server! */
7311 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
7312 /* no MFL in client hello */
7314 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
7326 #ifndef OSSL_NO_USABLE_TLS1_3
7327 static int test_pha_key_update(void)
7329 SSL_CTX *cctx = NULL, *sctx = NULL;
7330 SSL *clientssl = NULL, *serverssl = NULL;
7333 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7334 TLS_client_method(), TLS1_VERSION, 0,
7335 &sctx, &cctx, cert, privkey)))
7338 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
7339 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
7340 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
7341 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
7344 SSL_CTX_set_post_handshake_auth(cctx, 1);
7346 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7350 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7354 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7355 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7358 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
7361 /* Start handshake on the server */
7362 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
7365 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
7366 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7370 SSL_shutdown(clientssl);
7371 SSL_shutdown(serverssl);
7376 SSL_free(serverssl);
7377 SSL_free(clientssl);
7384 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7386 static SRP_VBASE *vbase = NULL;
7388 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
7390 int ret = SSL3_AL_FATAL;
7392 SRP_user_pwd *user = NULL;
7394 username = SSL_get_srp_username(s);
7395 if (username == NULL) {
7396 *ad = SSL_AD_INTERNAL_ERROR;
7400 user = SRP_VBASE_get1_by_user(vbase, username);
7402 *ad = SSL_AD_INTERNAL_ERROR;
7406 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
7408 *ad = SSL_AD_INTERNAL_ERROR;
7415 SRP_user_pwd_free(user);
7419 static int create_new_vfile(char *userid, char *password, const char *filename)
7422 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
7425 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
7428 if (!TEST_ptr(dummy) || !TEST_ptr(row))
7431 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
7432 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
7433 if (!TEST_ptr(gNid))
7437 * The only way to create an empty TXT_DB is to provide a BIO with no data
7440 db = TXT_DB_read(dummy, DB_NUMBER);
7444 out = BIO_new_file(filename, "w");
7448 row[DB_srpid] = OPENSSL_strdup(userid);
7449 row[DB_srptype] = OPENSSL_strdup("V");
7450 row[DB_srpgN] = OPENSSL_strdup(gNid);
7452 if (!TEST_ptr(row[DB_srpid])
7453 || !TEST_ptr(row[DB_srptype])
7454 || !TEST_ptr(row[DB_srpgN])
7455 || !TEST_true(TXT_DB_insert(db, row)))
7460 if (TXT_DB_write(out, db) <= 0)
7466 for (i = 0; i < DB_NUMBER; i++)
7467 OPENSSL_free(row[i]);
7477 static int create_new_vbase(char *userid, char *password)
7479 BIGNUM *verifier = NULL, *salt = NULL;
7480 const SRP_gN *lgN = NULL;
7481 SRP_user_pwd *user_pwd = NULL;
7484 lgN = SRP_get_default_gN(NULL);
7488 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
7489 lgN->N, lgN->g, libctx, NULL)))
7492 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
7493 if (!TEST_ptr(user_pwd))
7496 user_pwd->N = lgN->N;
7497 user_pwd->g = lgN->g;
7498 user_pwd->id = OPENSSL_strdup(userid);
7499 if (!TEST_ptr(user_pwd->id))
7502 user_pwd->v = verifier;
7504 verifier = salt = NULL;
7506 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
7512 SRP_user_pwd_free(user_pwd);
7522 * Test 0: Simple successful SRP connection, new vbase
7523 * Test 1: Connection failure due to bad password, new vbase
7524 * Test 2: Simple successful SRP connection, vbase loaded from existing file
7525 * Test 3: Connection failure due to bad password, vbase loaded from existing
7527 * Test 4: Simple successful SRP connection, vbase loaded from new file
7528 * Test 5: Connection failure due to bad password, vbase loaded from new file
7530 static int test_srp(int tst)
7532 char *userid = "test", *password = "password", *tstsrpfile;
7533 SSL_CTX *cctx = NULL, *sctx = NULL;
7534 SSL *clientssl = NULL, *serverssl = NULL;
7535 int ret, testresult = 0;
7537 vbase = SRP_VBASE_new(NULL);
7538 if (!TEST_ptr(vbase))
7541 if (tst == 0 || tst == 1) {
7542 if (!TEST_true(create_new_vbase(userid, password)))
7545 if (tst == 4 || tst == 5) {
7546 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
7548 tstsrpfile = tmpfilename;
7550 tstsrpfile = srpvfile;
7552 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
7556 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7557 TLS_client_method(), TLS1_VERSION, 0,
7558 &sctx, &cctx, cert, privkey)))
7561 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
7562 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
7563 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
7564 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
7565 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
7569 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
7572 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
7576 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7580 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7582 if (!TEST_true(tst % 2 == 0))
7585 if (!TEST_true(tst % 2 == 1))
7592 SRP_VBASE_free(vbase);
7594 SSL_free(serverssl);
7595 SSL_free(clientssl);
7603 static int info_cb_failed = 0;
7604 static int info_cb_offset = 0;
7605 static int info_cb_this_state = -1;
7607 static struct info_cb_states_st {
7609 const char *statestr;
7610 } info_cb_states[][60] = {
7612 /* TLSv1.2 server followed by resumption */
7613 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7614 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7615 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
7616 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
7617 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
7618 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7619 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7620 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7621 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"},
7622 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7623 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
7624 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7625 {SSL_CB_EXIT, NULL}, {0, NULL},
7627 /* TLSv1.2 client followed by resumption */
7628 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7629 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7630 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
7631 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
7632 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
7633 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7634 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7635 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7636 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7637 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7638 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7639 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
7641 /* TLSv1.3 server followed by resumption */
7642 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7643 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7644 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
7645 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7646 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7647 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7648 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7649 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7650 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7651 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7652 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7653 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7654 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7656 /* TLSv1.3 client followed by resumption */
7657 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7658 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7659 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
7660 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7661 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7662 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7663 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7664 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7665 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7666 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7667 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7668 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7669 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7670 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7671 {SSL_CB_EXIT, NULL}, {0, NULL},
7673 /* TLSv1.3 server, early_data */
7674 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7675 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7676 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7677 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7678 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7679 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
7680 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7681 {SSL_CB_EXIT, NULL}, {0, NULL},
7683 /* TLSv1.3 client, early_data */
7684 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7685 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
7686 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7687 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7688 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7689 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
7690 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7691 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7692 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7694 /* TLSv1.3 server, certificate compression, followed by resumption */
7695 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7696 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7697 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSCC"},
7698 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7699 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7700 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7701 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7702 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7703 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7704 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7705 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7706 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7707 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7709 /* TLSv1.3 client, certificate compression, followed by resumption */
7710 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7711 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7712 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSCC"},
7713 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7714 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7715 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7716 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7717 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7718 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7719 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7720 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7721 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7722 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7723 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7724 {SSL_CB_EXIT, NULL}, {0, NULL},
7730 static void sslapi_info_callback(const SSL *s, int where, int ret)
7732 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
7734 /* We do not ever expect a connection to fail in this test */
7735 if (!TEST_false(ret == 0)) {
7741 * Do some sanity checks. We never expect these things to happen in this
7744 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
7745 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
7746 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
7751 /* Now check we're in the right state */
7752 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
7756 if ((where & SSL_CB_LOOP) != 0
7757 && !TEST_int_eq(strcmp(SSL_state_string(s),
7758 state[info_cb_this_state].statestr), 0)) {
7764 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7766 if ((where & SSL_CB_HANDSHAKE_DONE)
7767 && SSL_in_init((SSL *)s) != 0) {
7774 * Test the info callback gets called when we expect it to.
7776 * Test 0: TLSv1.2, server
7777 * Test 1: TLSv1.2, client
7778 * Test 2: TLSv1.3, server
7779 * Test 3: TLSv1.3, client
7780 * Test 4: TLSv1.3, server, early_data
7781 * Test 5: TLSv1.3, client, early_data
7782 * Test 6: TLSv1.3, server, compressed certificate
7783 * Test 7: TLSv1.3, client, compressed certificate
7785 static int test_info_callback(int tst)
7787 SSL_CTX *cctx = NULL, *sctx = NULL;
7788 SSL *clientssl = NULL, *serverssl = NULL;
7789 SSL_SESSION *clntsess = NULL;
7794 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
7795 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7796 || !defined(OPENSSL_NO_DH))
7797 tlsvers = TLS1_2_VERSION;
7802 #ifndef OSSL_NO_USABLE_TLS1_3
7803 tlsvers = TLS1_3_VERSION;
7811 info_cb_this_state = -1;
7812 info_cb_offset = tst;
7814 #ifndef OSSL_NO_USABLE_TLS1_3
7815 if (tst >= 4 && tst < 6) {
7816 SSL_SESSION *sess = NULL;
7817 size_t written, readbytes;
7818 unsigned char buf[80];
7821 /* early_data tests */
7822 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
7823 &serverssl, &sess, 0,
7824 SHA384_DIGEST_LENGTH)))
7827 /* We don't actually need this reference */
7828 SSL_SESSION_free(sess);
7830 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
7831 sslapi_info_callback);
7833 /* Write and read some early data and then complete the connection */
7834 timer = ossl_time_now();
7835 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
7837 || !TEST_size_t_eq(written, strlen(MSG1)))
7840 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf,
7841 sizeof(buf), &readbytes),
7842 SSL_READ_EARLY_DATA_SUCCESS)) {
7843 testresult = check_early_data_timeout(timer);
7847 if (!TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
7848 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
7849 SSL_EARLY_DATA_ACCEPTED)
7850 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7852 || !TEST_false(info_cb_failed))
7860 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7861 TLS_client_method(),
7862 tlsvers, tlsvers, &sctx, &cctx, cert,
7866 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
7870 * For even numbered tests we check the server callbacks. For odd numbers we
7873 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
7874 sslapi_info_callback);
7876 if (!SSL_CTX_compress_certs(sctx, 0))
7880 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7881 &clientssl, NULL, NULL))
7882 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7884 || !TEST_false(info_cb_failed))
7889 clntsess = SSL_get1_session(clientssl);
7890 SSL_shutdown(clientssl);
7891 SSL_shutdown(serverssl);
7892 SSL_free(serverssl);
7893 SSL_free(clientssl);
7894 serverssl = clientssl = NULL;
7896 /* Now do a resumption */
7897 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7899 || !TEST_true(SSL_set_session(clientssl, clntsess))
7900 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7902 || !TEST_true(SSL_session_reused(clientssl))
7903 || !TEST_false(info_cb_failed))
7909 SSL_free(serverssl);
7910 SSL_free(clientssl);
7911 SSL_SESSION_free(clntsess);
7917 static int test_ssl_pending(int tst)
7919 SSL_CTX *cctx = NULL, *sctx = NULL;
7920 SSL *clientssl = NULL, *serverssl = NULL;
7922 char msg[] = "A test message";
7924 size_t written, readbytes;
7927 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7928 TLS_client_method(),
7930 &sctx, &cctx, cert, privkey)))
7933 #ifndef OPENSSL_NO_DTLS
7934 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
7935 DTLS_client_method(),
7937 &sctx, &cctx, cert, privkey)))
7940 # ifdef OPENSSL_NO_DTLS1_2
7941 /* Not supported in the FIPS provider */
7947 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7950 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
7951 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
7952 "DEFAULT:@SECLEVEL=0")))
7960 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7962 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7966 if (!TEST_int_eq(SSL_pending(clientssl), 0)
7967 || !TEST_false(SSL_has_pending(clientssl))
7968 || !TEST_int_eq(SSL_pending(serverssl), 0)
7969 || !TEST_false(SSL_has_pending(serverssl))
7970 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7971 || !TEST_size_t_eq(written, sizeof(msg))
7972 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
7973 || !TEST_size_t_eq(readbytes, sizeof(buf))
7974 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
7975 || !TEST_true(SSL_has_pending(clientssl)))
7981 SSL_free(serverssl);
7982 SSL_free(clientssl);
7990 unsigned int maxprot;
7991 const char *clntciphers;
7992 const char *clnttls13ciphers;
7993 const char *srvrciphers;
7994 const char *srvrtls13ciphers;
7996 const char *fipsshared;
7997 } shared_ciphers_data[] = {
7999 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
8000 * TLSv1.3 is enabled but TLSv1.2 is disabled.
8002 #if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
8005 "AES128-SHA:AES256-SHA",
8007 "AES256-SHA:DHE-RSA-AES128-SHA",
8012 # if !defined(OPENSSL_NO_CHACHA) \
8013 && !defined(OPENSSL_NO_POLY1305) \
8014 && !defined(OPENSSL_NO_EC)
8017 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
8019 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
8021 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
8027 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
8029 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
8031 "AES128-SHA:AES256-SHA",
8032 "AES128-SHA:AES256-SHA"
8036 "AES128-SHA:AES256-SHA",
8038 "AES128-SHA:DHE-RSA-AES128-SHA",
8045 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
8048 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
8049 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
8052 "AES128-SHA:AES256-SHA",
8054 "AES256-SHA:AES128-SHA256",
8056 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
8057 "TLS_AES_128_GCM_SHA256:AES256-SHA",
8058 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
8061 #ifndef OSSL_NO_USABLE_TLS1_3
8065 "TLS_AES_256_GCM_SHA384",
8067 "TLS_AES_256_GCM_SHA384",
8068 "TLS_AES_256_GCM_SHA384",
8069 "TLS_AES_256_GCM_SHA384"
8074 static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
8076 SSL_CTX *cctx = NULL, *sctx = NULL;
8077 SSL *clientssl = NULL, *serverssl = NULL;
8080 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
8082 if (!TEST_ptr(tmplibctx))
8086 * Regardless of whether we're testing with the FIPS provider loaded into
8087 * libctx, we want one peer to always use the full set of ciphersuites
8088 * available. Therefore we use a separate libctx with the default provider
8089 * loaded into it. We run the same tests twice - once with the client side
8090 * having the full set of ciphersuites and once with the server side.
8093 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
8094 if (!TEST_ptr(cctx))
8097 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
8098 if (!TEST_ptr(sctx))
8102 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8103 TLS_client_method(),
8105 shared_ciphers_data[tst].maxprot,
8106 &sctx, &cctx, cert, privkey)))
8109 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8110 shared_ciphers_data[tst].clntciphers))
8111 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
8112 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
8113 shared_ciphers_data[tst].clnttls13ciphers)))
8114 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
8115 shared_ciphers_data[tst].srvrciphers))
8116 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
8117 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
8118 shared_ciphers_data[tst].srvrtls13ciphers))))
8122 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8124 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8128 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
8129 || !TEST_int_eq(strcmp(buf,
8131 ? shared_ciphers_data[tst].fipsshared
8132 : shared_ciphers_data[tst].shared),
8134 TEST_info("Shared ciphers are: %s\n", buf);
8141 SSL_free(serverssl);
8142 SSL_free(clientssl);
8145 OSSL_LIB_CTX_free(tmplibctx);
8150 static int test_ssl_get_shared_ciphers(int tst)
8152 return int_test_ssl_get_shared_ciphers(tst, 0)
8153 && int_test_ssl_get_shared_ciphers(tst, 1);
8157 static const char *appdata = "Hello World";
8158 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
8159 static int tick_key_renew = 0;
8160 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
8162 static int gen_tick_cb(SSL *s, void *arg)
8164 gen_tick_called = 1;
8166 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
8170 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
8171 const unsigned char *keyname,
8172 size_t keyname_length,
8173 SSL_TICKET_STATUS status,
8179 dec_tick_called = 1;
8181 if (status == SSL_TICKET_EMPTY)
8182 return SSL_TICKET_RETURN_IGNORE_RENEW;
8184 if (!TEST_true(status == SSL_TICKET_SUCCESS
8185 || status == SSL_TICKET_SUCCESS_RENEW))
8186 return SSL_TICKET_RETURN_ABORT;
8188 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
8190 || !TEST_size_t_eq(tickdlen, strlen(appdata))
8191 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
8192 return SSL_TICKET_RETURN_ABORT;
8194 if (tick_key_cb_called) {
8195 /* Don't change what the ticket key callback wanted to do */
8197 case SSL_TICKET_NO_DECRYPT:
8198 return SSL_TICKET_RETURN_IGNORE_RENEW;
8200 case SSL_TICKET_SUCCESS:
8201 return SSL_TICKET_RETURN_USE;
8203 case SSL_TICKET_SUCCESS_RENEW:
8204 return SSL_TICKET_RETURN_USE_RENEW;
8207 return SSL_TICKET_RETURN_ABORT;
8210 return tick_dec_ret;
8214 #ifndef OPENSSL_NO_DEPRECATED_3_0
8215 static int tick_key_cb(SSL *s, unsigned char key_name[16],
8216 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
8217 HMAC_CTX *hctx, int enc)
8219 const unsigned char tick_aes_key[16] = "0123456789abcdef";
8220 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
8221 EVP_CIPHER *aes128cbc;
8225 tick_key_cb_called = 1;
8227 if (tick_key_renew == -1)
8230 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
8231 if (!TEST_ptr(aes128cbc))
8233 sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
8234 if (!TEST_ptr(sha256)) {
8235 EVP_CIPHER_free(aes128cbc);
8239 memset(iv, 0, AES_BLOCK_SIZE);
8240 memset(key_name, 0, 16);
8241 if (aes128cbc == NULL
8243 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
8244 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
8248 ret = tick_key_renew ? 2 : 1;
8250 EVP_CIPHER_free(aes128cbc);
8251 EVP_MD_free(sha256);
8257 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
8258 unsigned char iv[EVP_MAX_IV_LENGTH],
8259 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
8261 const unsigned char tick_aes_key[16] = "0123456789abcdef";
8262 unsigned char tick_hmac_key[16] = "0123456789abcdef";
8263 OSSL_PARAM params[2];
8264 EVP_CIPHER *aes128cbc;
8267 tick_key_cb_called = 1;
8269 if (tick_key_renew == -1)
8272 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
8273 if (!TEST_ptr(aes128cbc))
8276 memset(iv, 0, AES_BLOCK_SIZE);
8277 memset(key_name, 0, 16);
8278 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
8280 params[1] = OSSL_PARAM_construct_end();
8281 if (aes128cbc == NULL
8282 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
8283 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
8287 ret = tick_key_renew ? 2 : 1;
8289 EVP_CIPHER_free(aes128cbc);
8295 * Test the various ticket callbacks
8296 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
8297 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
8298 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
8299 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
8300 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
8301 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
8302 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
8303 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
8304 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
8305 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
8306 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
8307 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
8308 * Test 12: TLSv1.2, old ticket key callback, no ticket
8309 * Test 13: TLSv1.3, old ticket key callback, no ticket
8310 * Test 14: TLSv1.2, ticket key callback, ticket, no renewal
8311 * Test 15: TLSv1.3, ticket key callback, ticket, no renewal
8312 * Test 16: TLSv1.2, ticket key callback, ticket, renewal
8313 * Test 17: TLSv1.3, ticket key callback, ticket, renewal
8314 * Test 18: TLSv1.2, ticket key callback, no ticket
8315 * Test 19: TLSv1.3, ticket key callback, no ticket
8317 static int test_ticket_callbacks(int tst)
8319 SSL_CTX *cctx = NULL, *sctx = NULL;
8320 SSL *clientssl = NULL, *serverssl = NULL;
8321 SSL_SESSION *clntsess = NULL;
8324 #ifdef OPENSSL_NO_TLS1_2
8328 #ifdef OSSL_NO_USABLE_TLS1_3
8332 #ifdef OPENSSL_NO_DEPRECATED_3_0
8333 if (tst >= 8 && tst <= 13)
8337 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
8339 /* Which tests the ticket key callback should request renewal for */
8341 if (tst == 10 || tst == 11 || tst == 16 || tst == 17)
8343 else if (tst == 12 || tst == 13 || tst == 18 || tst == 19)
8344 tick_key_renew = -1; /* abort sending the ticket/0-length ticket */
8348 /* Which tests the decrypt ticket callback should request renewal for */
8352 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
8357 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
8362 tick_dec_ret = SSL_TICKET_RETURN_USE;
8367 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
8371 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
8374 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8375 TLS_client_method(),
8377 ((tst % 2) == 0) ? TLS1_2_VERSION
8379 &sctx, &cctx, cert, privkey)))
8383 * We only want sessions to resume from tickets - not the session cache. So
8384 * switch the cache off.
8386 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
8389 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
8394 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
8396 #ifndef OPENSSL_NO_DEPRECATED_3_0
8397 } else if (tst >= 8) {
8398 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
8403 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8405 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8410 * The decrypt ticket key callback in TLSv1.2 should be called even though
8411 * we have no ticket yet, because it gets called with a status of
8412 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
8413 * actually send any ticket data). This does not happen in TLSv1.3 because
8414 * it is not valid to send empty ticket data in TLSv1.3.
8416 if (!TEST_int_eq(gen_tick_called, 1)
8417 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
8420 gen_tick_called = dec_tick_called = 0;
8422 clntsess = SSL_get1_session(clientssl);
8423 SSL_shutdown(clientssl);
8424 SSL_shutdown(serverssl);
8425 SSL_free(serverssl);
8426 SSL_free(clientssl);
8427 serverssl = clientssl = NULL;
8429 /* Now do a resumption */
8430 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8432 || !TEST_true(SSL_set_session(clientssl, clntsess))
8433 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8437 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
8438 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8439 || tick_key_renew == -1) {
8440 if (!TEST_false(SSL_session_reused(clientssl)))
8443 if (!TEST_true(SSL_session_reused(clientssl)))
8447 if (!TEST_int_eq(gen_tick_called,
8449 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8450 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
8452 /* There is no ticket to decrypt in tests 13 and 19 */
8453 || !TEST_int_eq(dec_tick_called, (tst == 13 || tst == 19) ? 0 : 1))
8459 SSL_SESSION_free(clntsess);
8460 SSL_free(serverssl);
8461 SSL_free(clientssl);
8469 * Test incorrect shutdown.
8470 * Test 0: client does not shutdown properly,
8471 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
8472 * server should get SSL_ERROR_SSL
8473 * Test 1: client does not shutdown properly,
8474 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
8475 * server should get SSL_ERROR_ZERO_RETURN
8477 static int test_incorrect_shutdown(int tst)
8479 SSL_CTX *cctx = NULL, *sctx = NULL;
8480 SSL *clientssl = NULL, *serverssl = NULL;
8485 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8486 TLS_client_method(), 0, 0,
8487 &sctx, &cctx, cert, privkey)))
8491 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
8493 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8497 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8501 c2s = SSL_get_rbio(serverssl);
8502 BIO_set_mem_eof_return(c2s, 0);
8504 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
8507 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
8509 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
8515 SSL_free(serverssl);
8516 SSL_free(clientssl);
8524 * Test bi-directional shutdown.
8526 * Test 1: TLSv1.2, server continues to read/write after client shutdown
8527 * Test 2: TLSv1.3, no pending NewSessionTicket messages
8528 * Test 3: TLSv1.3, pending NewSessionTicket messages
8529 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
8530 * sends key update, client reads it
8531 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
8532 * sends CertificateRequest, client reads and ignores it
8533 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
8536 static int test_shutdown(int tst)
8538 SSL_CTX *cctx = NULL, *sctx = NULL;
8539 SSL *clientssl = NULL, *serverssl = NULL;
8541 char msg[] = "A test message";
8543 size_t written, readbytes;
8546 #ifdef OPENSSL_NO_TLS1_2
8550 #ifdef OSSL_NO_USABLE_TLS1_3
8555 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8556 TLS_client_method(),
8558 (tst <= 1) ? TLS1_2_VERSION
8560 &sctx, &cctx, cert, privkey)))
8564 SSL_CTX_set_post_handshake_auth(cctx, 1);
8566 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8571 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
8572 SSL_ERROR_NONE, 1, 0))
8573 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8574 || !TEST_false(SSL_SESSION_is_resumable(sess)))
8576 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8578 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8579 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
8583 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8588 * Reading on the server after the client has sent close_notify should
8589 * fail and provide SSL_ERROR_ZERO_RETURN
8591 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
8592 || !TEST_int_eq(SSL_get_error(serverssl, 0),
8593 SSL_ERROR_ZERO_RETURN)
8594 || !TEST_int_eq(SSL_get_shutdown(serverssl),
8595 SSL_RECEIVED_SHUTDOWN)
8597 * Even though we're shutdown on receive we should still be
8600 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8603 && !TEST_true(SSL_key_update(serverssl,
8604 SSL_KEY_UPDATE_REQUESTED)))
8607 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
8608 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
8611 if ((tst == 4 || tst == 5)
8612 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8614 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8616 if (tst == 4 || tst == 5) {
8617 /* Should still be able to read data from server */
8618 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8620 || !TEST_size_t_eq(readbytes, sizeof(msg))
8621 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
8622 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8624 || !TEST_size_t_eq(readbytes, sizeof(msg))
8625 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
8630 /* Writing on the client after sending close_notify shouldn't be possible */
8631 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
8636 * For these tests the client has sent close_notify but it has not yet
8637 * been received by the server. The server has not sent close_notify
8640 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
8642 * Writing on the server after sending close_notify shouldn't
8645 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8646 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
8647 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8648 || !TEST_true(SSL_SESSION_is_resumable(sess))
8649 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
8651 } else if (tst == 4 || tst == 5) {
8653 * In this test the client has sent close_notify and it has been
8654 * received by the server which has responded with a close_notify. The
8655 * client needs to read the close_notify sent by the server.
8657 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
8658 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8659 || !TEST_true(SSL_SESSION_is_resumable(sess)))
8665 * The client has sent close_notify and is expecting a close_notify
8666 * back, but instead there is application data first. The shutdown
8667 * should fail with a fatal error.
8669 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
8670 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
8677 SSL_free(serverssl);
8678 SSL_free(clientssl);
8686 * Test that sending close_notify alerts works correctly in the case of a
8687 * retryable write failure.
8689 static int test_async_shutdown(void)
8691 SSL_CTX *cctx = NULL, *sctx = NULL;
8692 SSL *clientssl = NULL, *serverssl = NULL;
8694 BIO *bretry = BIO_new(bio_s_always_retry()), *tmp = NULL;
8696 if (!TEST_ptr(bretry))
8699 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8700 TLS_client_method(),
8702 &sctx, &cctx, cert, privkey)))
8705 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8709 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8712 /* Close write side of clientssl */
8713 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8716 tmp = SSL_get_wbio(serverssl);
8717 if (!TEST_true(BIO_up_ref(tmp))) {
8721 SSL_set0_wbio(serverssl, bretry);
8724 /* First server shutdown should fail because of a retrable write failure */
8725 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8726 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8729 /* Second server shutdown should fail for the same reason */
8730 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8731 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8734 SSL_set0_wbio(serverssl, tmp);
8737 /* Third server shutdown should send close_notify */
8738 if (!TEST_int_eq(SSL_shutdown(serverssl), 0))
8741 /* Fourth server shutdown should read close_notify from client and finish */
8742 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8745 /* Client should also successfully fully shutdown */
8746 if (!TEST_int_eq(SSL_shutdown(clientssl), 1))
8751 SSL_free(serverssl);
8752 SSL_free(clientssl);
8761 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8762 static int cert_cb_cnt;
8764 static int cert_cb(SSL *s, void *arg)
8766 SSL_CTX *ctx = (SSL_CTX *)arg;
8768 EVP_PKEY *pkey = NULL;
8769 X509 *x509 = NULL, *rootx = NULL;
8770 STACK_OF(X509) *chain = NULL;
8771 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
8774 if (cert_cb_cnt == 0) {
8775 /* Suspend the handshake */
8778 } else if (cert_cb_cnt == 1) {
8780 * Update the SSL_CTX, set the certificate and private key and then
8781 * continue the handshake normally.
8783 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
8786 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
8787 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
8789 || !TEST_true(SSL_check_private_key(s)))
8793 } else if (cert_cb_cnt == 3) {
8796 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
8797 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8798 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8799 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
8801 chain = sk_X509_new_null();
8802 if (!TEST_ptr(chain))
8804 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8805 || !TEST_int_gt(BIO_read_filename(in, rootfile), 0)
8806 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
8807 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
8808 || !TEST_true(sk_X509_push(chain, rootx)))
8812 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8813 || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0)
8814 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
8815 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
8818 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8819 || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0)
8820 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
8824 rv = SSL_check_chain(s, x509, pkey, chain);
8826 * If the cert doesn't show as valid here (e.g., because we don't
8827 * have any shared sigalgs), then we will not set it, and there will
8828 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8829 * will cause tls_choose_sigalgs() to fail the connection.
8831 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
8832 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
8833 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
8840 /* Abort the handshake */
8842 OPENSSL_free(ecdsacert);
8843 OPENSSL_free(ecdsakey);
8844 OPENSSL_free(rootfile);
8846 EVP_PKEY_free(pkey);
8849 OSSL_STACK_OF_X509_free(chain);
8854 * Test the certificate callback.
8855 * Test 0: Callback fails
8856 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8857 * Test 2: Success - SSL_set_SSL_CTX() in the callback
8858 * Test 3: Success - Call SSL_check_chain from the callback
8859 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8861 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
8863 static int test_cert_cb_int(int prot, int tst)
8865 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
8866 SSL *clientssl = NULL, *serverssl = NULL;
8867 int testresult = 0, ret;
8869 #ifdef OPENSSL_NO_EC
8870 /* We use an EC cert in these tests, so we skip in a no-ec build */
8875 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8876 TLS_client_method(),
8879 &sctx, &cctx, NULL, NULL)))
8890 snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
8891 if (!TEST_ptr(snictx))
8895 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
8897 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8903 * We cause SSL_check_chain() to fail by specifying sig_algs that
8904 * the chain doesn't meet (the root uses an RSA cert)
8906 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8907 "ecdsa_secp256r1_sha256")))
8909 } else if (tst == 5) {
8911 * We cause SSL_check_chain() to fail by specifying sig_algs that
8912 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8914 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8915 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8919 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
8920 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
8922 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
8929 SSL_free(serverssl);
8930 SSL_free(clientssl);
8933 SSL_CTX_free(snictx);
8939 static int test_cert_cb(int tst)
8943 #ifndef OPENSSL_NO_TLS1_2
8944 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
8946 #ifndef OSSL_NO_USABLE_TLS1_3
8947 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
8953 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
8958 BIO *priv_in = NULL;
8960 /* Check that SSL_get0_peer_certificate() returns something sensible */
8961 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
8964 in = BIO_new_file(cert, "r");
8968 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
8969 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
8970 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
8971 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
8989 static int test_client_cert_cb(int tst)
8991 SSL_CTX *cctx = NULL, *sctx = NULL;
8992 SSL *clientssl = NULL, *serverssl = NULL;
8995 #ifdef OPENSSL_NO_TLS1_2
8999 #ifdef OSSL_NO_USABLE_TLS1_3
9004 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9005 TLS_client_method(),
9007 tst == 0 ? TLS1_2_VERSION
9009 &sctx, &cctx, cert, privkey)))
9013 * Test that setting a client_cert_cb results in a client certificate being
9016 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
9017 SSL_CTX_set_verify(sctx,
9018 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
9021 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9023 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9030 SSL_free(serverssl);
9031 SSL_free(clientssl);
9038 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
9040 * Test setting certificate authorities on both client and server.
9042 * Test 0: SSL_CTX_set0_CA_list() only
9043 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
9044 * Test 2: Only SSL_CTX_set_client_CA_list()
9046 static int test_ca_names_int(int prot, int tst)
9048 SSL_CTX *cctx = NULL, *sctx = NULL;
9049 SSL *clientssl = NULL, *serverssl = NULL;
9052 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
9053 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
9054 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
9055 const STACK_OF(X509_NAME) *sktmp = NULL;
9057 for (i = 0; i < OSSL_NELEM(name); i++) {
9058 name[i] = X509_NAME_new();
9059 if (!TEST_ptr(name[i])
9060 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
9068 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9069 TLS_client_method(),
9072 &sctx, &cctx, cert, privkey)))
9075 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
9077 if (tst == 0 || tst == 1) {
9078 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
9079 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
9080 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
9081 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
9082 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
9083 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
9086 SSL_CTX_set0_CA_list(sctx, sk1);
9087 SSL_CTX_set0_CA_list(cctx, sk2);
9090 if (tst == 1 || tst == 2) {
9091 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
9092 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
9093 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
9094 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
9095 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
9096 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
9099 SSL_CTX_set_client_CA_list(sctx, sk1);
9100 SSL_CTX_set_client_CA_list(cctx, sk2);
9104 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9106 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9111 * We only expect certificate authorities to have been sent to the server
9112 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
9114 sktmp = SSL_get0_peer_CA_list(serverssl);
9115 if (prot == TLS1_3_VERSION
9116 && (tst == 0 || tst == 1)) {
9117 if (!TEST_ptr(sktmp)
9118 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
9119 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
9121 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
9124 } else if (!TEST_ptr_null(sktmp)) {
9129 * In all tests we expect certificate authorities to have been sent to the
9130 * client. However, SSL_set_client_CA_list() should override
9131 * SSL_set0_CA_list()
9133 sktmp = SSL_get0_peer_CA_list(clientssl);
9134 if (!TEST_ptr(sktmp)
9135 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
9136 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
9137 name[tst == 0 ? 0 : 2]), 0)
9138 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
9139 name[tst == 0 ? 1 : 3]), 0))
9145 SSL_free(serverssl);
9146 SSL_free(clientssl);
9149 for (i = 0; i < OSSL_NELEM(name); i++)
9150 X509_NAME_free(name[i]);
9151 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
9152 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
9158 static int test_ca_names(int tst)
9162 #ifndef OPENSSL_NO_TLS1_2
9163 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
9165 #ifndef OSSL_NO_USABLE_TLS1_3
9166 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
9172 #ifndef OPENSSL_NO_TLS1_2
9173 static const char *multiblock_cipherlist_data[]=
9181 /* Reduce the fragment size - so the multiblock test buffer can be small */
9182 # define MULTIBLOCK_FRAGSIZE 512
9184 static int test_multiblock_write(int test_index)
9186 static const char *fetchable_ciphers[]=
9188 "AES-128-CBC-HMAC-SHA1",
9189 "AES-128-CBC-HMAC-SHA256",
9190 "AES-256-CBC-HMAC-SHA1",
9191 "AES-256-CBC-HMAC-SHA256"
9193 const char *cipherlist = multiblock_cipherlist_data[test_index];
9194 const SSL_METHOD *smeth = TLS_server_method();
9195 const SSL_METHOD *cmeth = TLS_client_method();
9196 int min_version = TLS1_VERSION;
9197 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
9198 SSL_CTX *cctx = NULL, *sctx = NULL;
9199 SSL *clientssl = NULL, *serverssl = NULL;
9203 * Choose a buffer large enough to perform a multi-block operation
9204 * i.e: write_len >= 4 * frag_size
9205 * 9 * is chosen so that multiple multiblocks are used + some leftover.
9207 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
9208 unsigned char buf[sizeof(msg)], *p = buf;
9209 size_t readbytes, written, len;
9210 EVP_CIPHER *ciph = NULL;
9213 * Check if the cipher exists before attempting to use it since it only has
9214 * a hardware specific implementation.
9216 ciph = EVP_CIPHER_fetch(libctx, fetchable_ciphers[test_index], "");
9218 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
9221 EVP_CIPHER_free(ciph);
9223 /* Set up a buffer with some data that will be sent to the client */
9224 RAND_bytes(msg, sizeof(msg));
9226 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
9227 max_version, &sctx, &cctx, cert,
9231 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
9234 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9238 /* settings to force it to use AES-CBC-HMAC_SHA */
9239 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
9240 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
9243 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9246 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
9247 || !TEST_size_t_eq(written, sizeof(msg)))
9252 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
9257 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
9262 SSL_free(serverssl);
9263 SSL_free(clientssl);
9269 #endif /* OPENSSL_NO_TLS1_2 */
9271 static int test_session_timeout(int test)
9274 * Test session ordering and timeout
9275 * Can't explicitly test performance of the new code,
9276 * but can test to see if the ordering of the sessions
9277 * are correct, and they are removed as expected
9279 SSL_SESSION *early = NULL;
9280 SSL_SESSION *middle = NULL;
9281 SSL_SESSION *late = NULL;
9284 long now = (long)time(NULL);
9287 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
9288 || !TEST_ptr(early = SSL_SESSION_new())
9289 || !TEST_ptr(middle = SSL_SESSION_new())
9290 || !TEST_ptr(late = SSL_SESSION_new()))
9293 /* assign unique session ids */
9294 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9295 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
9296 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9297 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
9298 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9299 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
9301 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9302 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
9303 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
9306 /* Make sure they are all added */
9307 if (!TEST_ptr(early->prev)
9308 || !TEST_ptr(middle->prev)
9309 || !TEST_ptr(late->prev))
9312 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
9313 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
9314 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
9317 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
9318 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
9319 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
9322 /* Make sure they are all still there */
9323 if (!TEST_ptr(early->prev)
9324 || !TEST_ptr(middle->prev)
9325 || !TEST_ptr(late->prev))
9328 /* Make sure they are in the expected order */
9329 if (!TEST_ptr_eq(late->next, middle)
9330 || !TEST_ptr_eq(middle->next, early)
9331 || !TEST_ptr_eq(early->prev, middle)
9332 || !TEST_ptr_eq(middle->prev, late))
9335 /* This should remove "early" */
9336 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1);
9337 if (!TEST_ptr_null(early->prev)
9338 || !TEST_ptr(middle->prev)
9339 || !TEST_ptr(late->prev))
9342 /* This should remove "middle" */
9343 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1);
9344 if (!TEST_ptr_null(early->prev)
9345 || !TEST_ptr_null(middle->prev)
9346 || !TEST_ptr(late->prev))
9349 /* This should remove "late" */
9350 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11);
9351 if (!TEST_ptr_null(early->prev)
9352 || !TEST_ptr_null(middle->prev)
9353 || !TEST_ptr_null(late->prev))
9356 /* Add them back in again */
9357 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9358 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
9359 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
9362 /* Make sure they are all added */
9363 if (!TEST_ptr(early->prev)
9364 || !TEST_ptr(middle->prev)
9365 || !TEST_ptr(late->prev))
9368 /* This should remove all of them */
9369 SSL_CTX_flush_sessions(ctx, 0);
9370 if (!TEST_ptr_null(early->prev)
9371 || !TEST_ptr_null(middle->prev)
9372 || !TEST_ptr_null(late->prev))
9375 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
9376 | SSL_CTX_get_session_cache_mode(ctx));
9378 /* make sure |now| is NOT equal to the current time */
9380 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
9381 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9382 || !TEST_long_ne(SSL_SESSION_get_time(early), now))
9388 SSL_SESSION_free(early);
9389 SSL_SESSION_free(middle);
9390 SSL_SESSION_free(late);
9395 * Test that a session cache overflow works as expected
9396 * Test 0: TLSv1.3, timeout on new session later than old session
9397 * Test 1: TLSv1.2, timeout on new session later than old session
9398 * Test 2: TLSv1.3, timeout on new session earlier than old session
9399 * Test 3: TLSv1.2, timeout on new session earlier than old session
9401 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
9402 static int test_session_cache_overflow(int idx)
9404 SSL_CTX *sctx = NULL, *cctx = NULL;
9405 SSL *serverssl = NULL, *clientssl = NULL;
9407 SSL_SESSION *sess = NULL;
9409 #ifdef OSSL_NO_USABLE_TLS1_3
9410 /* If no TLSv1.3 available then do nothing in this case */
9412 return TEST_skip("No TLSv1.3 available");
9414 #ifdef OPENSSL_NO_TLS1_2
9415 /* If no TLSv1.2 available then do nothing in this case */
9417 return TEST_skip("No TLSv1.2 available");
9420 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9421 TLS_client_method(), TLS1_VERSION,
9422 (idx % 2 == 0) ? TLS1_3_VERSION
9424 &sctx, &cctx, cert, privkey))
9425 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET)))
9428 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
9429 get_sess_val = NULL;
9431 SSL_CTX_sess_set_cache_size(sctx, 1);
9433 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9437 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9441 sess = SSL_get_session(serverssl);
9442 if (!TEST_ptr(sess))
9446 * Cause this session to have a longer timeout than the next session to
9449 if (!TEST_true(SSL_SESSION_set_timeout(sess, LONG_MAX))) {
9456 SSL_shutdown(serverssl);
9457 SSL_shutdown(clientssl);
9458 SSL_free(serverssl);
9459 SSL_free(clientssl);
9460 serverssl = clientssl = NULL;
9463 * Session cache size is 1 and we already populated the cache with a session
9464 * so the next connection should cause an overflow.
9467 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9471 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9475 * The session we just negotiated may have been already removed from the
9476 * internal cache - but we will return it anyway from our external cache.
9478 get_sess_val = SSL_get_session(serverssl);
9479 if (!TEST_ptr(get_sess_val))
9481 sess = SSL_get1_session(clientssl);
9482 if (!TEST_ptr(sess))
9485 SSL_shutdown(serverssl);
9486 SSL_shutdown(clientssl);
9487 SSL_free(serverssl);
9488 SSL_free(clientssl);
9489 serverssl = clientssl = NULL;
9491 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9495 if (!TEST_true(SSL_set_session(clientssl, sess)))
9498 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9504 SSL_free(serverssl);
9505 SSL_free(clientssl);
9508 SSL_SESSION_free(sess);
9512 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
9515 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
9516 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
9517 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
9518 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
9519 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
9520 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
9521 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
9522 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
9523 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
9524 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
9526 static int test_servername(int tst)
9528 SSL_CTX *cctx = NULL, *sctx = NULL;
9529 SSL *clientssl = NULL, *serverssl = NULL;
9531 SSL_SESSION *sess = NULL;
9532 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
9534 #ifdef OPENSSL_NO_TLS1_2
9538 #ifdef OSSL_NO_USABLE_TLS1_3
9543 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9544 TLS_client_method(),
9546 (tst <= 4) ? TLS1_2_VERSION
9548 &sctx, &cctx, cert, privkey))
9549 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9553 if (tst != 1 && tst != 6) {
9554 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
9559 if (tst != 3 && tst != 8) {
9560 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9562 sexpectedhost = cexpectedhost = "goodhost";
9565 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9568 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
9570 || !TEST_str_eq(SSL_get_servername(serverssl,
9571 TLSEXT_NAMETYPE_host_name),
9575 /* Now repeat with a resumption handshake */
9577 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
9578 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
9579 || !TEST_true(SSL_SESSION_is_resumable(sess))
9580 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
9583 SSL_free(clientssl);
9584 SSL_free(serverssl);
9585 clientssl = serverssl = NULL;
9587 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
9591 if (!TEST_true(SSL_set_session(clientssl, sess)))
9594 sexpectedhost = cexpectedhost = "goodhost";
9595 if (tst == 2 || tst == 7) {
9596 /* Set an inconsistent hostname */
9597 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
9600 * In TLSv1.2 we expect the hostname from the original handshake, in
9601 * TLSv1.3 we expect the hostname from this handshake
9604 sexpectedhost = cexpectedhost = "altgoodhost";
9606 if (!TEST_str_eq(SSL_get_servername(clientssl,
9607 TLSEXT_NAMETYPE_host_name),
9610 } else if (tst == 4 || tst == 9) {
9612 * A TLSv1.3 session does not associate a session with a servername,
9613 * but a TLSv1.2 session does.
9616 sexpectedhost = cexpectedhost = NULL;
9618 if (!TEST_str_eq(SSL_get_servername(clientssl,
9619 TLSEXT_NAMETYPE_host_name),
9623 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9626 * In a TLSv1.2 resumption where the hostname was not acknowledged
9627 * we expect the hostname on the server to be empty. On the client we
9628 * return what was requested in this case.
9630 * Similarly if the client didn't set a hostname on an original TLSv1.2
9631 * session but is now, the server hostname will be empty, but the client
9634 if (tst == 1 || tst == 3)
9635 sexpectedhost = NULL;
9637 if (!TEST_str_eq(SSL_get_servername(clientssl,
9638 TLSEXT_NAMETYPE_host_name),
9643 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9646 if (!TEST_true(SSL_session_reused(clientssl))
9647 || !TEST_true(SSL_session_reused(serverssl))
9648 || !TEST_str_eq(SSL_get_servername(clientssl,
9649 TLSEXT_NAMETYPE_host_name),
9651 || !TEST_str_eq(SSL_get_servername(serverssl,
9652 TLSEXT_NAMETYPE_host_name),
9659 SSL_SESSION_free(sess);
9660 SSL_free(serverssl);
9661 SSL_free(clientssl);
9668 static int test_unknown_sigalgs_groups(void)
9671 SSL_CTX *ctx = NULL;
9673 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
9676 if (!TEST_int_gt(SSL_CTX_set1_sigalgs_list(ctx,
9677 "RSA+SHA256:?nonexistent:?RSA+SHA512"),
9680 if (!TEST_size_t_eq(ctx->cert->conf_sigalgslen, 2)
9681 || !TEST_int_eq(ctx->cert->conf_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256)
9682 || !TEST_int_eq(ctx->cert->conf_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512))
9685 if (!TEST_int_gt(SSL_CTX_set1_client_sigalgs_list(ctx,
9686 "RSA+SHA256:?nonexistent:?RSA+SHA512"),
9689 if (!TEST_size_t_eq(ctx->cert->client_sigalgslen, 2)
9690 || !TEST_int_eq(ctx->cert->client_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256)
9691 || !TEST_int_eq(ctx->cert->client_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512))
9694 if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
9699 if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
9700 "?nonexistent1:?nonexistent2:?nonexistent3"),
9704 #ifndef OPENSSL_NO_EC
9705 if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
9706 "P-256:nonexistent"),
9710 if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx,
9711 "P-384:?nonexistent:?P-521"),
9714 if (!TEST_size_t_eq(ctx->ext.supportedgroups_len, 2)
9715 || !TEST_int_eq(ctx->ext.supportedgroups[0], OSSL_TLS_GROUP_ID_secp384r1)
9716 || !TEST_int_eq(ctx->ext.supportedgroups[1], OSSL_TLS_GROUP_ID_secp521r1))
9726 #if !defined(OPENSSL_NO_EC) \
9727 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9729 * Test that if signature algorithms are not available, then we do not offer or
9731 * Test 0: Two RSA sig algs available: both RSA sig algs shared
9732 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
9733 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
9734 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
9735 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
9736 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
9738 static int test_sigalgs_available(int idx)
9740 SSL_CTX *cctx = NULL, *sctx = NULL;
9741 SSL *clientssl = NULL, *serverssl = NULL;
9743 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
9744 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
9745 OSSL_PROVIDER *filterprov = NULL;
9748 if (!TEST_ptr(tmpctx))
9751 if (idx != 0 && idx != 3) {
9752 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
9753 filter_provider_init)))
9756 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
9757 if (!TEST_ptr(filterprov))
9762 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
9763 * or accepted for the peer that uses this libctx. Note that libssl
9764 * *requires* SHA2-256 to be available so we cannot disable that. We
9765 * also need SHA1 for our certificate.
9767 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
9771 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
9773 # ifdef OPENSSL_NO_ECX
9774 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT, "EC"))
9776 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
9783 if (idx == 1 || idx == 4)
9789 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
9790 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
9791 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
9795 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9796 TLS_client_method(),
9799 &sctx, &cctx, cert, privkey)))
9802 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9803 TLS_client_method(),
9806 &sctx, &cctx, cert2, privkey2)))
9810 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
9812 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9813 "ECDHE-RSA-AES128-GCM-SHA256")))
9816 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9817 "ECDHE-ECDSA-AES128-GCM-SHA256")))
9822 if (!SSL_CTX_set1_sigalgs_list(cctx,
9823 "rsa_pss_rsae_sha384"
9824 ":rsa_pss_rsae_sha256")
9825 || !SSL_CTX_set1_sigalgs_list(sctx,
9826 "rsa_pss_rsae_sha384"
9827 ":rsa_pss_rsae_sha256"))
9830 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
9831 || !SSL_CTX_set1_sigalgs_list(sctx,
9832 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
9837 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
9838 SSL_FILETYPE_PEM), 1)
9839 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
9841 SSL_FILETYPE_PEM), 1)
9842 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
9845 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9849 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9852 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
9853 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
9855 (idx == 0 || idx == 3) ? 2 : 1))
9858 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
9861 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
9865 testresult = filter_provider_check_clean_finish();
9868 SSL_free(serverssl);
9869 SSL_free(clientssl);
9872 OSSL_PROVIDER_unload(filterprov);
9873 OSSL_LIB_CTX_free(tmpctx);
9878 * !defined(OPENSSL_NO_EC) \
9879 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9882 #ifndef OPENSSL_NO_TLS1_3
9883 /* This test can run in TLSv1.3 even if ec and dh are disabled */
9884 static int test_pluggable_group(int idx)
9886 SSL_CTX *cctx = NULL, *sctx = NULL;
9887 SSL *clientssl = NULL, *serverssl = NULL;
9889 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
9890 /* Check that we are not impacted by a provider without any groups */
9891 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
9892 const char *group_name = idx == 0 ? "xorkemgroup" : "xorgroup";
9894 if (!TEST_ptr(tlsprov))
9897 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9898 TLS_client_method(),
9901 &sctx, &cctx, cert, privkey))
9902 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9906 /* ensure GROUPLIST_INCREMENT (=40) logic triggers: */
9907 if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup:xorkemgroup:dummy1:dummy2:dummy3:dummy4:dummy5:dummy6:dummy7:dummy8:dummy9:dummy10:dummy11:dummy12:dummy13:dummy14:dummy15:dummy16:dummy17:dummy18:dummy19:dummy20:dummy21:dummy22:dummy23:dummy24:dummy25:dummy26:dummy27:dummy28:dummy29:dummy30:dummy31:dummy32:dummy33:dummy34:dummy35:dummy36:dummy37:dummy38:dummy39:dummy40:dummy41:dummy42:dummy43"))
9908 /* removing a single algorithm from the list makes the test pass */
9909 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
9912 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9915 if (!TEST_str_eq(group_name,
9916 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
9919 if (!TEST_str_eq(group_name, SSL_get0_group_name(serverssl))
9920 || !TEST_str_eq(group_name, SSL_get0_group_name(clientssl)))
9926 SSL_free(serverssl);
9927 SSL_free(clientssl);
9930 OSSL_PROVIDER_unload(tlsprov);
9931 OSSL_PROVIDER_unload(legacyprov);
9937 * This function triggers encode, decode and sign functions
9938 * of the artificial "xorhmacsig" algorithm implemented in tls-provider
9939 * creating private key and certificate files for use in TLS testing.
9941 static int create_cert_key(int idx, char *certfilename, char *privkeyfilename)
9943 EVP_PKEY_CTX *evpctx = EVP_PKEY_CTX_new_from_name(libctx,
9944 (idx == 0) ? "xorhmacsig" : "xorhmacsha2sig", NULL);
9945 EVP_PKEY *pkey = NULL;
9946 X509 *x509 = X509_new();
9947 X509_NAME *name = NULL;
9948 BIO *keybio = NULL, *certbio = NULL;
9951 if (!TEST_ptr(evpctx)
9952 || !TEST_true(EVP_PKEY_keygen_init(evpctx))
9953 || !TEST_true(EVP_PKEY_generate(evpctx, &pkey))
9956 || !TEST_true(ASN1_INTEGER_set(X509_get_serialNumber(x509), 1))
9957 || !TEST_true(X509_gmtime_adj(X509_getm_notBefore(x509), 0))
9958 || !TEST_true(X509_gmtime_adj(X509_getm_notAfter(x509), 31536000L))
9959 || !TEST_true(X509_set_pubkey(x509, pkey))
9960 || !TEST_ptr(name = X509_get_subject_name(x509))
9961 || !TEST_true(X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC,
9962 (unsigned char *)"CH", -1, -1, 0))
9963 || !TEST_true(X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC,
9964 (unsigned char *)"test.org", -1, -1, 0))
9965 || !TEST_true(X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
9966 (unsigned char *)"localhost", -1, -1, 0))
9967 || !TEST_true(X509_set_issuer_name(x509, name))
9968 || !TEST_true(X509_sign(x509, pkey, EVP_sha1()))
9969 || !TEST_ptr(keybio = BIO_new_file(privkeyfilename, "wb"))
9970 || !TEST_true(PEM_write_bio_PrivateKey(keybio, pkey, NULL, NULL, 0, NULL, NULL))
9971 || !TEST_ptr(certbio = BIO_new_file(certfilename, "wb"))
9972 || !TEST_true(PEM_write_bio_X509(certbio, x509)))
9975 EVP_PKEY_free(pkey);
9977 EVP_PKEY_CTX_free(evpctx);
9984 * Test that signature algorithms loaded via the provider interface can
9985 * correctly establish a TLS (1.3) connection.
9986 * Test 0: Signature algorithm with built-in hashing functionality: "xorhmacsig"
9987 * Test 1: Signature algorithm using external SHA2 hashing: "xorhmacsha2sig"
9988 * Test 2: Test 0 using RPK
9989 * Test 3: Test 1 using RPK
9991 static int test_pluggable_signature(int idx)
9993 static const unsigned char cert_type_rpk[] = { TLSEXT_cert_type_rpk, TLSEXT_cert_type_x509 };
9994 SSL_CTX *cctx = NULL, *sctx = NULL;
9995 SSL *clientssl = NULL, *serverssl = NULL;
9997 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
9998 OSSL_PROVIDER *defaultprov = OSSL_PROVIDER_load(libctx, "default");
9999 char *certfilename = "tls-prov-cert.pem";
10000 char *privkeyfilename = "tls-prov-key.pem";
10001 int sigidx = idx % 2;
10002 int rpkidx = idx / 2;
10004 /* create key and certificate for the different algorithm types */
10005 if (!TEST_ptr(tlsprov)
10006 || !TEST_true(create_cert_key(sigidx, certfilename, privkeyfilename)))
10009 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10010 TLS_client_method(),
10013 &sctx, &cctx, certfilename, privkeyfilename))
10014 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10018 /* Enable RPK for server cert */
10020 if (!TEST_true(SSL_set1_server_cert_type(serverssl, cert_type_rpk, sizeof(cert_type_rpk)))
10021 || !TEST_true(SSL_set1_server_cert_type(clientssl, cert_type_rpk, sizeof(cert_type_rpk))))
10025 /* This is necessary to pass minimal setup w/o other groups configured */
10026 if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup"))
10027 || !TEST_true(SSL_set1_groups_list(clientssl, "xorgroup")))
10031 * If this connection gets established, it must have been completed
10032 * via the tls-provider-implemented "hmacsig" algorithm, testing
10033 * both sign and verify functions during handshake.
10035 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10038 /* If using RPK, make sure we got one */
10039 if (rpkidx && !TEST_long_eq(SSL_get_verify_result(clientssl), X509_V_ERR_RPK_UNTRUSTED))
10045 SSL_free(serverssl);
10046 SSL_free(clientssl);
10047 SSL_CTX_free(sctx);
10048 SSL_CTX_free(cctx);
10049 OSSL_PROVIDER_unload(tlsprov);
10050 OSSL_PROVIDER_unload(defaultprov);
10056 #ifndef OPENSSL_NO_TLS1_2
10057 static int test_ssl_dup(void)
10059 SSL_CTX *cctx = NULL, *sctx = NULL;
10060 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
10061 int testresult = 0;
10062 BIO *rbio = NULL, *wbio = NULL;
10064 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10065 TLS_client_method(),
10068 &sctx, &cctx, cert, privkey)))
10071 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10075 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
10076 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
10079 client2ssl = SSL_dup(clientssl);
10080 rbio = SSL_get_rbio(clientssl);
10081 if (!TEST_ptr(rbio)
10082 || !TEST_true(BIO_up_ref(rbio)))
10084 SSL_set0_rbio(client2ssl, rbio);
10087 wbio = SSL_get_wbio(clientssl);
10088 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
10090 SSL_set0_wbio(client2ssl, wbio);
10093 if (!TEST_ptr(client2ssl)
10094 /* Handshake not started so pointers should be different */
10095 || !TEST_ptr_ne(clientssl, client2ssl))
10098 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
10099 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
10102 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
10105 SSL_free(clientssl);
10106 clientssl = SSL_dup(client2ssl);
10107 if (!TEST_ptr(clientssl)
10108 /* Handshake has finished so pointers should be the same */
10109 || !TEST_ptr_eq(clientssl, client2ssl))
10115 SSL_free(serverssl);
10116 SSL_free(clientssl);
10117 SSL_free(client2ssl);
10118 SSL_CTX_free(sctx);
10119 SSL_CTX_free(cctx);
10124 # ifndef OPENSSL_NO_DH
10126 static EVP_PKEY *tmp_dh_params = NULL;
10128 /* Helper function for the test_set_tmp_dh() tests */
10129 static EVP_PKEY *get_tmp_dh_params(void)
10131 if (tmp_dh_params == NULL) {
10133 OSSL_PARAM_BLD *tmpl = NULL;
10134 EVP_PKEY_CTX *pctx = NULL;
10135 OSSL_PARAM *params = NULL;
10136 EVP_PKEY *dhpkey = NULL;
10138 p = BN_get_rfc3526_prime_2048(NULL);
10142 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
10143 if (!TEST_ptr(pctx)
10144 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
10147 tmpl = OSSL_PARAM_BLD_new();
10148 if (!TEST_ptr(tmpl)
10149 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
10150 OSSL_PKEY_PARAM_FFC_P,
10152 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
10153 OSSL_PKEY_PARAM_FFC_G,
10157 params = OSSL_PARAM_BLD_to_param(tmpl);
10158 if (!TEST_ptr(params)
10159 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
10160 EVP_PKEY_KEY_PARAMETERS,
10164 tmp_dh_params = dhpkey;
10167 EVP_PKEY_CTX_free(pctx);
10168 OSSL_PARAM_BLD_free(tmpl);
10169 OSSL_PARAM_free(params);
10172 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
10175 return tmp_dh_params;
10178 # ifndef OPENSSL_NO_DEPRECATED_3_0
10179 /* Callback used by test_set_tmp_dh() */
10180 static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
10182 EVP_PKEY *dhpkey = get_tmp_dh_params();
10185 if (!TEST_ptr(dhpkey))
10189 * libssl does not free the returned DH, so we free it now knowing that even
10190 * after we free dhpkey, there will still be a reference to the owning
10191 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
10192 * of time we need it for.
10194 ret = EVP_PKEY_get1_DH(dhpkey);
10197 EVP_PKEY_free(dhpkey);
10204 * Test the various methods for setting temporary DH parameters
10206 * Test 0: Default (no auto) setting
10207 * Test 1: Explicit SSL_CTX auto off
10208 * Test 2: Explicit SSL auto off
10209 * Test 3: Explicit SSL_CTX auto on
10210 * Test 4: Explicit SSL auto on
10211 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
10212 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
10214 * The following are testing deprecated APIs, so we only run them if available
10215 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
10216 * Test 8: Explicit SSL auto off, custom DH params via DH
10217 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
10218 * Test 10: Explicit SSL auto off, custom DH params via callback
10220 static int test_set_tmp_dh(int idx)
10222 SSL_CTX *cctx = NULL, *sctx = NULL;
10223 SSL *clientssl = NULL, *serverssl = NULL;
10224 int testresult = 0;
10225 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
10226 int expected = (idx <= 2) ? 0 : 1;
10227 EVP_PKEY *dhpkey = NULL;
10228 # ifndef OPENSSL_NO_DEPRECATED_3_0
10236 if (idx >= 5 && idx <= 8) {
10237 dhpkey = get_tmp_dh_params();
10238 if (!TEST_ptr(dhpkey))
10241 # ifndef OPENSSL_NO_DEPRECATED_3_0
10242 if (idx == 7 || idx == 8) {
10243 dh = EVP_PKEY_get1_DH(dhpkey);
10249 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10250 TLS_client_method(),
10253 &sctx, &cctx, cert, privkey)))
10256 if ((idx & 1) == 1) {
10257 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
10262 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
10266 # ifndef OPENSSL_NO_DEPRECATED_3_0
10267 else if (idx == 7) {
10268 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
10270 } else if (idx == 9) {
10271 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
10275 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10279 if ((idx & 1) == 0 && idx != 0) {
10280 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
10284 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
10288 # ifndef OPENSSL_NO_DEPRECATED_3_0
10289 else if (idx == 8) {
10290 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
10292 } else if (idx == 10) {
10293 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
10297 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
10298 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
10299 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
10303 * If autoon then we should succeed. Otherwise we expect failure because
10304 * there are no parameters
10306 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
10307 SSL_ERROR_NONE), expected))
10313 # ifndef OPENSSL_NO_DEPRECATED_3_0
10316 SSL_free(serverssl);
10317 SSL_free(clientssl);
10318 SSL_CTX_free(sctx);
10319 SSL_CTX_free(cctx);
10320 EVP_PKEY_free(dhpkey);
10326 * Test the auto DH keys are appropriately sized
10328 static int test_dh_auto(int idx)
10330 SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
10331 SSL_CTX *sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10332 SSL *clientssl = NULL, *serverssl = NULL;
10333 int testresult = 0;
10334 EVP_PKEY *tmpkey = NULL;
10335 char *thiscert = NULL, *thiskey = NULL;
10336 size_t expdhsize = 0;
10337 const char *ciphersuite = "DHE-RSA-AES128-SHA";
10339 if (!TEST_ptr(sctx) || !TEST_ptr(cctx))
10344 /* The FIPS provider doesn't support this DH size - so we ignore it */
10349 thiscert = cert1024;
10350 thiskey = privkey1024;
10352 SSL_CTX_set_security_level(sctx, 1);
10353 SSL_CTX_set_security_level(cctx, 1);
10356 /* 2048 bit prime */
10362 thiscert = cert3072;
10363 thiskey = privkey3072;
10367 thiscert = cert4096;
10368 thiskey = privkey4096;
10372 thiscert = cert8192;
10373 thiskey = privkey8192;
10376 /* No certificate cases */
10378 /* The FIPS provider doesn't support this DH size - so we ignore it */
10383 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
10387 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
10391 TEST_error("Invalid text index");
10395 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL,
10399 &sctx, &cctx, thiscert, thiskey)))
10402 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10406 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
10407 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
10408 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
10409 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
10410 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
10414 * Send the server's first flight. At this point the server has created the
10415 * temporary DH key but hasn't finished using it yet. Once used it is
10416 * removed, so we cannot test it.
10418 if (!TEST_int_le(SSL_connect(clientssl), 0)
10419 || !TEST_int_le(SSL_accept(serverssl), 0))
10422 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
10424 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
10427 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10433 SSL_free(serverssl);
10434 SSL_free(clientssl);
10435 SSL_CTX_free(sctx);
10436 SSL_CTX_free(cctx);
10437 EVP_PKEY_free(tmpkey);
10442 # endif /* OPENSSL_NO_DH */
10443 #endif /* OPENSSL_NO_TLS1_2 */
10445 #ifndef OSSL_NO_USABLE_TLS1_3
10447 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
10448 * that it works even without a certificate configured for the original
10451 static int test_sni_tls13(void)
10453 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
10454 SSL *clientssl = NULL, *serverssl = NULL;
10455 int testresult = 0;
10457 /* Reset callback counter */
10460 /* Create an initial SSL_CTX with no certificate configured */
10461 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10462 if (!TEST_ptr(sctx))
10464 /* Require TLSv1.3 as a minimum */
10465 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10466 TLS_client_method(), TLS1_3_VERSION, 0,
10467 &sctx2, &cctx, cert, privkey)))
10471 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
10472 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
10476 * Connection should still succeed because the final SSL_CTX has the right
10477 * certificates configured.
10479 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10480 &clientssl, NULL, NULL))
10481 || !TEST_true(create_ssl_connection(serverssl, clientssl,
10485 /* We should have had the SNI callback called exactly once */
10486 if (!TEST_int_eq(snicb, 1))
10492 SSL_free(serverssl);
10493 SSL_free(clientssl);
10494 SSL_CTX_free(sctx2);
10495 SSL_CTX_free(sctx);
10496 SSL_CTX_free(cctx);
10501 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
10505 static int test_ticket_lifetime(int idx)
10507 SSL_CTX *cctx = NULL, *sctx = NULL;
10508 SSL *clientssl = NULL, *serverssl = NULL;
10509 int testresult = 0;
10510 int version = TLS1_3_VERSION;
10512 #define ONE_WEEK_SEC (7 * 24 * 60 * 60)
10513 #define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
10516 #ifdef OPENSSL_NO_TLS1_2
10517 return TEST_skip("TLS 1.2 is disabled.");
10519 version = TLS1_2_VERSION;
10523 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10524 TLS_client_method(), version, version,
10525 &sctx, &cctx, cert, privkey)))
10528 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10529 &clientssl, NULL, NULL)))
10533 * Set the timeout to be more than 1 week
10534 * make sure the returned value is the default
10536 if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
10537 SSL_get_default_timeout(serverssl)))
10540 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10544 /* TLSv1.2 uses the set value */
10545 if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC))
10548 /* TLSv1.3 uses the limited value */
10549 if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC))
10555 SSL_free(serverssl);
10556 SSL_free(clientssl);
10557 SSL_CTX_free(sctx);
10558 SSL_CTX_free(cctx);
10563 * Test that setting an ALPN does not violate RFC
10565 static int test_set_alpn(void)
10567 SSL_CTX *ctx = NULL;
10569 int testresult = 0;
10571 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
10572 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
10573 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
10574 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
10575 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
10576 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
10578 /* Create an initial SSL_CTX with no certificate configured */
10579 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10580 if (!TEST_ptr(ctx))
10583 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
10584 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
10586 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
10588 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
10590 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
10592 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
10594 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
10596 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
10598 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
10600 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
10603 ssl = SSL_new(ctx);
10604 if (!TEST_ptr(ssl))
10607 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
10609 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
10611 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
10613 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
10615 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
10617 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
10619 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
10621 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
10623 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
10635 * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
10637 static int test_set_verify_cert_store_ssl_ctx(void)
10639 SSL_CTX *ctx = NULL;
10640 int testresult = 0;
10641 X509_STORE *store = NULL, *new_store = NULL,
10642 *cstore = NULL, *new_cstore = NULL;
10644 /* Create an initial SSL_CTX. */
10645 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10646 if (!TEST_ptr(ctx))
10649 /* Retrieve verify store pointer. */
10650 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10653 /* Retrieve chain store pointer. */
10654 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10657 /* We haven't set any yet, so this should be NULL. */
10658 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10661 /* Create stores. We use separate stores so pointers are different. */
10662 new_store = X509_STORE_new();
10663 if (!TEST_ptr(new_store))
10666 new_cstore = X509_STORE_new();
10667 if (!TEST_ptr(new_cstore))
10671 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store)))
10674 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore)))
10677 /* Should be able to retrieve the same pointer. */
10678 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10681 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10684 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10687 /* Should be able to unset again. */
10688 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL)))
10691 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL)))
10694 /* Should now be NULL. */
10695 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10698 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10701 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10707 X509_STORE_free(new_store);
10708 X509_STORE_free(new_cstore);
10714 * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store.
10716 static int test_set_verify_cert_store_ssl(void)
10718 SSL_CTX *ctx = NULL;
10720 int testresult = 0;
10721 X509_STORE *store = NULL, *new_store = NULL,
10722 *cstore = NULL, *new_cstore = NULL;
10724 /* Create an initial SSL_CTX. */
10725 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10726 if (!TEST_ptr(ctx))
10729 /* Create an SSL object. */
10730 ssl = SSL_new(ctx);
10731 if (!TEST_ptr(ssl))
10734 /* Retrieve verify store pointer. */
10735 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10738 /* Retrieve chain store pointer. */
10739 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10742 /* We haven't set any yet, so this should be NULL. */
10743 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10746 /* Create stores. We use separate stores so pointers are different. */
10747 new_store = X509_STORE_new();
10748 if (!TEST_ptr(new_store))
10751 new_cstore = X509_STORE_new();
10752 if (!TEST_ptr(new_cstore))
10756 if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store)))
10759 if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore)))
10762 /* Should be able to retrieve the same pointer. */
10763 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10766 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10769 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10772 /* Should be able to unset again. */
10773 if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL)))
10776 if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL)))
10779 /* Should now be NULL. */
10780 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10783 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10786 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10792 X509_STORE_free(new_store);
10793 X509_STORE_free(new_cstore);
10800 static int test_inherit_verify_param(void)
10802 int testresult = 0;
10804 SSL_CTX *ctx = NULL;
10805 X509_VERIFY_PARAM *cp = NULL;
10807 X509_VERIFY_PARAM *sp = NULL;
10808 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
10810 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10811 if (!TEST_ptr(ctx))
10814 cp = SSL_CTX_get0_param(ctx);
10817 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
10820 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
10822 ssl = SSL_new(ctx);
10823 if (!TEST_ptr(ssl))
10826 sp = SSL_get0_param(ssl);
10829 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
10841 static int test_load_dhfile(void)
10843 #ifndef OPENSSL_NO_DH
10844 int testresult = 0;
10846 SSL_CTX *ctx = NULL;
10847 SSL_CONF_CTX *cctx = NULL;
10849 if (dhfile == NULL)
10852 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()))
10853 || !TEST_ptr(cctx = SSL_CONF_CTX_new()))
10856 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
10857 SSL_CONF_CTX_set_flags(cctx,
10858 SSL_CONF_FLAG_CERTIFICATE
10859 | SSL_CONF_FLAG_SERVER
10860 | SSL_CONF_FLAG_FILE);
10862 if (!TEST_int_eq(SSL_CONF_cmd(cctx, "DHParameters", dhfile), 2))
10867 SSL_CONF_CTX_free(cctx);
10872 return TEST_skip("DH not supported by this build");
10876 #ifndef OSSL_NO_USABLE_TLS1_3
10877 /* Test that read_ahead works across a key change */
10878 static int test_read_ahead_key_change(void)
10880 SSL_CTX *cctx = NULL, *sctx = NULL;
10881 SSL *clientssl = NULL, *serverssl = NULL;
10882 int testresult = 0;
10883 char *msg = "Hello World";
10884 size_t written, readbytes;
10888 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10889 TLS_client_method(), TLS1_3_VERSION, 0,
10890 &sctx, &cctx, cert, privkey)))
10893 SSL_CTX_set_read_ahead(sctx, 1);
10895 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10896 &clientssl, NULL, NULL)))
10899 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10902 /* Write some data, send a key update, write more data */
10903 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10904 || !TEST_size_t_eq(written, strlen(msg)))
10907 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
10910 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10911 || !TEST_size_t_eq(written, strlen(msg)))
10915 * Since read_ahead is on the first read below should read the record with
10916 * the first app data, the second record with the key update message, and
10917 * the third record with the app data all in one go. We should be able to
10918 * still process the read_ahead data correctly even though it crosses
10921 for (i = 0; i < 2; i++) {
10922 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
10926 buf[readbytes] = '\0';
10927 if (!TEST_str_eq(buf, msg))
10934 SSL_free(serverssl);
10935 SSL_free(clientssl);
10936 SSL_CTX_free(sctx);
10937 SSL_CTX_free(cctx);
10941 static size_t record_pad_cb(SSL *s, int type, size_t len, void *arg)
10945 switch ((*called)++) {
10947 /* Add some padding to first record */
10950 /* Maximally pad the second record */
10951 return SSL3_RT_MAX_PLAIN_LENGTH - len;
10954 * Exceeding the maximum padding should be fine. It should just pad to
10955 * the maximum anyway
10957 return SSL3_RT_MAX_PLAIN_LENGTH + 1 - len;
10960 * Very large padding should also be ok. Should just pad to the maximum
10970 * Test that setting record padding in TLSv1.3 works as expected
10971 * Test 0: Record padding callback on the SSL_CTX
10972 * Test 1: Record padding callback on the SSL
10973 * Test 2: Record block padding on the SSL_CTX
10974 * Test 3: Record block padding on the SSL
10976 static int test_tls13_record_padding(int idx)
10978 SSL_CTX *cctx = NULL, *sctx = NULL;
10979 SSL *clientssl = NULL, *serverssl = NULL;
10980 int testresult = 0;
10981 char *msg = "Hello World";
10982 size_t written, readbytes;
10987 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10988 TLS_client_method(), TLS1_3_VERSION, 0,
10989 &sctx, &cctx, cert, privkey)))
10993 SSL_CTX_set_record_padding_callback(cctx, record_pad_cb);
10994 SSL_CTX_set_record_padding_callback_arg(cctx, &called);
10995 if (!TEST_ptr_eq(SSL_CTX_get_record_padding_callback_arg(cctx), &called))
10997 } else if (idx == 2) {
10998 /* Exceeding the max plain length should fail */
10999 if (!TEST_false(SSL_CTX_set_block_padding(cctx,
11000 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
11002 if (!TEST_true(SSL_CTX_set_block_padding(cctx, 512)))
11006 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11007 &clientssl, NULL, NULL)))
11011 SSL_set_record_padding_callback(clientssl, record_pad_cb);
11012 SSL_set_record_padding_callback_arg(clientssl, &called);
11013 if (!TEST_ptr_eq(SSL_get_record_padding_callback_arg(clientssl), &called))
11015 } else if (idx == 3) {
11016 /* Exceeding the max plain length should fail */
11017 if (!TEST_false(SSL_set_block_padding(clientssl,
11018 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
11020 if (!TEST_true(SSL_set_block_padding(clientssl, 512)))
11024 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11029 * Write some data, then check we can read it. Do this four times to check
11030 * we can continue to write and read padded data after the initial record
11031 * padding has been added. We don't actually check that the padding has
11032 * been applied to the record - just that we can continue to communicate
11033 * normally and that the callback has been called (if appropriate).
11035 for (i = 0; i < 4; i++) {
11036 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
11037 || !TEST_size_t_eq(written, strlen(msg)))
11040 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
11042 || !TEST_size_t_eq(written, readbytes))
11045 buf[readbytes] = '\0';
11046 if (!TEST_str_eq(buf, msg))
11050 if ((idx == 0 || idx == 1) && !TEST_int_eq(called, 4))
11055 SSL_free(serverssl);
11056 SSL_free(clientssl);
11057 SSL_CTX_free(sctx);
11058 SSL_CTX_free(cctx);
11061 #endif /* OSSL_NO_USABLE_TLS1_3 */
11063 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
11065 static ENGINE *load_dasync(void)
11069 if (!TEST_ptr(e = ENGINE_by_id("dasync")))
11072 if (!TEST_true(ENGINE_init(e))) {
11077 if (!TEST_true(ENGINE_register_ciphers(e))) {
11086 * Test TLSv1.2 with a pipeline capable cipher. TLSv1.3 and DTLS do not
11087 * support this yet. The only pipeline capable cipher that we have is in the
11088 * dasync engine (providers don't support this yet), so we have to use
11089 * deprecated APIs for this test.
11091 * Test 0: Client has pipelining enabled, server does not
11092 * Test 1: Server has pipelining enabled, client does not
11093 * Test 2: Client has pipelining enabled, server does not: not enough data to
11094 * fill all the pipelines
11095 * Test 3: Client has pipelining enabled, server does not: not enough data to
11096 * fill all the pipelines by more than a full pipeline's worth
11097 * Test 4: Client has pipelining enabled, server does not: more data than all
11098 * the available pipelines can take
11099 * Test 5: Client has pipelining enabled, server does not: Maximum size pipeline
11100 * Test 6: Repeat of test 0, but the engine is loaded late (after the SSL_CTX
11103 static int test_pipelining(int idx)
11105 SSL_CTX *cctx = NULL, *sctx = NULL;
11106 SSL *clientssl = NULL, *serverssl = NULL, *peera, *peerb;
11107 int testresult = 0, numreads;
11108 /* A 55 byte message */
11109 unsigned char *msg = (unsigned char *)
11110 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123";
11111 size_t written, readbytes, offset, msglen, fragsize = 10, numpipes = 5;
11112 size_t expectedreads;
11113 unsigned char *buf = NULL;
11122 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11123 TLS_client_method(), 0,
11124 TLS1_2_VERSION, &sctx, &cctx, cert,
11132 /* Now act like test 0 */
11136 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11137 &clientssl, NULL, NULL)))
11140 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES128-SHA")))
11143 /* peera is always configured for pipelining, while peerb is not. */
11155 /* Maximum allowed fragment size */
11156 fragsize = SSL3_RT_MAX_PLAIN_LENGTH;
11157 msglen = fragsize * numpipes;
11158 msg = OPENSSL_malloc(msglen);
11159 if (!TEST_ptr(msg))
11161 if (!TEST_int_gt(RAND_bytes_ex(libctx, msg, msglen, 0), 0))
11163 } else if (idx == 4) {
11169 msglen -= 2; /* Send 2 less bytes */
11171 msglen -= 12; /* Send 12 less bytes */
11173 buf = OPENSSL_malloc(msglen);
11174 if (!TEST_ptr(buf))
11179 * Test that setting a split send fragment longer than the maximum
11182 if (!TEST_false(SSL_set_split_send_fragment(peera, fragsize + 1)))
11187 * In the normal case. We have 5 pipelines with 10 bytes per pipeline
11188 * (50 bytes in total). This is a ridiculously small number of bytes -
11189 * but sufficient for our purposes
11191 if (!TEST_true(SSL_set_max_pipelines(peera, numpipes))
11192 || !TEST_true(SSL_set_split_send_fragment(peera, fragsize)))
11195 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11198 /* Write some data from peera to peerb */
11199 if (!TEST_true(SSL_write_ex(peera, msg, msglen, &written))
11200 || !TEST_size_t_eq(written, msglen))
11204 * If the pipelining code worked, then we expect all |numpipes| pipelines to
11205 * have been used - except in test 3 where only |numpipes - 1| pipelines
11206 * will be used. This will result in |numpipes| records (|numpipes - 1| for
11207 * test 3) having been sent to peerb. Since peerb is not using read_ahead we
11208 * expect this to be read in |numpipes| or |numpipes - 1| separate
11209 * SSL_read_ex calls. In the case of test 4, there is then one additional
11210 * read for left over data that couldn't fit in the previous pipelines
11212 for (offset = 0, numreads = 0;
11214 offset += readbytes, numreads++) {
11215 if (!TEST_true(SSL_read_ex(peerb, buf + offset,
11216 msglen - offset, &readbytes)))
11220 expectedreads = idx == 4 ? numpipes + 1
11221 : (idx == 3 ? numpipes - 1 : numpipes);
11222 if (!TEST_mem_eq(msg, msglen, buf, offset)
11223 || !TEST_int_eq(numreads, expectedreads))
11227 * Write some data from peerb to peera. We do this in up to |numpipes + 1|
11228 * chunks to exercise the read pipelining code on peera.
11230 for (offset = 0; offset < msglen; offset += fragsize) {
11231 size_t sendlen = msglen - offset;
11233 if (sendlen > fragsize)
11234 sendlen = fragsize;
11235 if (!TEST_true(SSL_write_ex(peerb, msg + offset, sendlen, &written))
11236 || !TEST_size_t_eq(written, sendlen))
11241 * The data was written in |numpipes|, |numpipes - 1| or |numpipes + 1|
11242 * separate chunks (depending on which test we are running). If the
11243 * pipelining is working then we expect peera to read up to numpipes chunks
11244 * and process them in parallel, giving back the complete result in a single
11245 * call to SSL_read_ex
11247 if (!TEST_true(SSL_read_ex(peera, buf, msglen, &readbytes))
11248 || !TEST_size_t_le(readbytes, msglen))
11254 if (!TEST_true(SSL_read_ex(peera, buf + readbytes,
11255 msglen - readbytes, &readbytes2)))
11257 readbytes += readbytes2;
11258 if (!TEST_size_t_le(readbytes, msglen))
11262 if (!TEST_mem_eq(msg, msglen, buf, readbytes))
11267 SSL_free(serverssl);
11268 SSL_free(clientssl);
11269 SSL_CTX_free(sctx);
11270 SSL_CTX_free(cctx);
11272 ENGINE_unregister_ciphers(e);
11277 if (fragsize == SSL3_RT_MAX_PLAIN_LENGTH)
11281 #endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) */
11283 static int check_version_string(SSL *s, int version)
11285 const char *verstr = NULL;
11294 case TLS1_1_VERSION:
11295 verstr = "TLSv1.1";
11297 case TLS1_2_VERSION:
11298 verstr = "TLSv1.2";
11300 case TLS1_3_VERSION:
11301 verstr = "TLSv1.3";
11303 case DTLS1_VERSION:
11306 case DTLS1_2_VERSION:
11307 verstr = "DTLSv1.2";
11310 return TEST_str_eq(verstr, SSL_get_version(s));
11314 * Test that SSL_version, SSL_get_version, SSL_is_quic, SSL_is_tls and
11315 * SSL_is_dtls return the expected results for a (D)TLS connection. Compare with
11316 * test_version() in quicapitest.c which does the same thing for QUIC
11319 static int test_version(int idx)
11321 SSL_CTX *cctx = NULL, *sctx = NULL;
11322 SSL *clientssl = NULL, *serverssl = NULL;
11323 int testresult = 0, version;
11324 const SSL_METHOD *servmeth = TLS_server_method();
11325 const SSL_METHOD *clientmeth = TLS_client_method();
11328 #if !defined(OPENSSL_NO_SSL3)
11330 version = SSL3_VERSION;
11333 #if !defined(OPENSSL_NO_TLS1)
11335 version = TLS1_VERSION;
11338 #if !defined(OPENSSL_NO_TLS1_2)
11340 version = TLS1_2_VERSION;
11343 #if !defined(OSSL_NO_USABLE_TLS1_3)
11345 version = TLS1_3_VERSION;
11348 #if !defined(OPENSSL_NO_DTLS1)
11350 version = DTLS1_VERSION;
11353 #if !defined(OPENSSL_NO_DTLS1_2)
11355 version = DTLS1_2_VERSION;
11359 * NB we do not support QUIC in this test. That is covered by quicapitest.c
11360 * We also don't support DTLS1_BAD_VER since we have no server support for
11364 TEST_skip("Unsupported protocol version");
11369 && (version == SSL3_VERSION
11370 || version == TLS1_VERSION
11371 || version == DTLS1_VERSION)) {
11372 TEST_skip("Protocol version not supported with FIPS");
11376 #if !defined(OPENSSL_NO_DTLS)
11377 if (version == DTLS1_VERSION || version == DTLS1_2_VERSION) {
11378 servmeth = DTLS_server_method();
11379 clientmeth = DTLS_client_method();
11383 if (!TEST_true(create_ssl_ctx_pair(libctx, servmeth, clientmeth, version,
11384 version, &sctx, &cctx, cert, privkey)))
11387 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
11388 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
11389 "DEFAULT:@SECLEVEL=0")))
11392 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11393 &clientssl, NULL, NULL)))
11396 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11399 if (!TEST_int_eq(SSL_version(serverssl), version)
11400 || !TEST_int_eq(SSL_version(clientssl), version)
11401 || !TEST_true(check_version_string(serverssl, version))
11402 || !TEST_true(check_version_string(clientssl, version)))
11405 if (version == DTLS1_VERSION || version == DTLS1_2_VERSION) {
11406 if (!TEST_true(SSL_is_dtls(serverssl))
11407 || !TEST_true(SSL_is_dtls(clientssl))
11408 || !TEST_false(SSL_is_tls(serverssl))
11409 || !TEST_false(SSL_is_tls(clientssl))
11410 || !TEST_false(SSL_is_quic(serverssl))
11411 || !TEST_false(SSL_is_quic(clientssl)))
11414 if (!TEST_true(SSL_is_tls(serverssl))
11415 || !TEST_true(SSL_is_tls(clientssl))
11416 || !TEST_false(SSL_is_dtls(serverssl))
11417 || !TEST_false(SSL_is_dtls(clientssl))
11418 || !TEST_false(SSL_is_quic(serverssl))
11419 || !TEST_false(SSL_is_quic(clientssl)))
11425 SSL_free(serverssl);
11426 SSL_free(clientssl);
11427 SSL_CTX_free(sctx);
11428 SSL_CTX_free(cctx);
11433 * Test that the SSL_rstate_string*() APIs return sane results
11435 static int test_rstate_string(void)
11437 SSL_CTX *cctx = NULL, *sctx = NULL;
11438 SSL *clientssl = NULL, *serverssl = NULL;
11439 int testresult = 0, version;
11440 const SSL_METHOD *servmeth = TLS_server_method();
11441 const SSL_METHOD *clientmeth = TLS_client_method();
11442 size_t written, readbytes;
11443 unsigned char buf[2];
11444 unsigned char dummyheader[SSL3_RT_HEADER_LENGTH] = {
11445 SSL3_RT_APPLICATION_DATA,
11446 TLS1_2_VERSION_MAJOR,
11447 0, /* To be filled in later */
11452 if (!TEST_true(create_ssl_ctx_pair(libctx, servmeth, clientmeth, 0,
11453 0, &sctx, &cctx, cert, privkey)))
11456 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11457 &clientssl, NULL, NULL)))
11460 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RH")
11461 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read header"))
11464 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11467 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RH")
11468 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read header"))
11471 /* Fill in the correct version for the record header */
11472 version = SSL_version(serverssl);
11473 if (version == TLS1_3_VERSION)
11474 version = TLS1_2_VERSION;
11475 dummyheader[2] = version & 0xff;
11478 * Send a dummy header. If we continued to read the body as well this
11479 * would fail with a bad record mac, but we're not going to go that far.
11481 if (!TEST_true(BIO_write_ex(SSL_get_rbio(serverssl), dummyheader,
11482 sizeof(dummyheader), &written))
11483 || !TEST_size_t_eq(written, SSL3_RT_HEADER_LENGTH))
11486 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)))
11489 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RB")
11490 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read body"))
11495 SSL_free(serverssl);
11496 SSL_free(clientssl);
11497 SSL_CTX_free(sctx);
11498 SSL_CTX_free(cctx);
11503 * Force a write retry during handshaking. We test various combinations of
11504 * scenarios. We test a large certificate message which will fill the buffering
11505 * BIO used in the handshake. We try with client auth on and off. Finally we
11506 * also try a BIO that indicates retry via a 0 return. BIO_write() is documented
11507 * to indicate retry via -1 - but sometimes BIOs don't do that.
11509 * Test 0: Standard certificate message
11510 * Test 1: Large certificate message
11511 * Test 2: Standard cert, verify peer
11512 * Test 3: Large cert, verify peer
11513 * Test 4: Standard cert, BIO returns 0 on retry
11514 * Test 5: Large cert, BIO returns 0 on retry
11515 * Test 6: Standard cert, verify peer, BIO returns 0 on retry
11516 * Test 7: Large cert, verify peer, BIO returns 0 on retry
11517 * Test 8-15: Repeat of above with TLSv1.2
11519 static int test_handshake_retry(int idx)
11521 SSL_CTX *cctx = NULL, *sctx = NULL;
11522 SSL *clientssl = NULL, *serverssl = NULL;
11523 int testresult = 0;
11524 BIO *tmp = NULL, *bretry = BIO_new(bio_s_always_retry());
11525 int maxversion = 0;
11527 if (!TEST_ptr(bretry))
11530 #ifndef OPENSSL_NO_TLS1_2
11531 if ((idx & 8) == 8)
11532 maxversion = TLS1_2_VERSION;
11534 if ((idx & 8) == 8)
11535 return TEST_skip("No TLSv1.2");
11538 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11539 TLS_client_method(), 0, maxversion,
11540 &sctx, &cctx, cert, privkey)))
11544 * Add a large amount of data to fill the buffering BIO used by the SSL
11547 if ((idx & 1) == 1 && !ssl_ctx_add_large_cert_chain(libctx, sctx, cert))
11551 * We don't actually configure a client cert, but neither do we fail if one
11554 if ((idx & 2) == 2)
11555 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
11557 if ((idx & 4) == 4)
11558 set_always_retry_err_val(0);
11560 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11561 &clientssl, NULL, NULL)))
11564 tmp = SSL_get_wbio(serverssl);
11565 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
11569 SSL_set0_wbio(serverssl, bretry);
11572 if (!TEST_int_eq(SSL_connect(clientssl), -1))
11575 if (!TEST_int_eq(SSL_accept(serverssl), -1)
11576 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
11579 /* Restore a BIO that will let the write succeed */
11580 SSL_set0_wbio(serverssl, tmp);
11583 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11588 SSL_free(serverssl);
11589 SSL_free(clientssl);
11590 SSL_CTX_free(sctx);
11591 SSL_CTX_free(cctx);
11594 set_always_retry_err_val(-1);
11599 * Test that receiving retries when writing application data works as expected
11601 static int test_data_retry(void)
11603 SSL_CTX *cctx = NULL, *sctx = NULL;
11604 SSL *clientssl = NULL, *serverssl = NULL;
11605 int testresult = 0;
11606 unsigned char inbuf[1200], outbuf[1200];
11609 BIO *bretry = BIO_new(bio_s_maybe_retry());
11610 size_t written, readbytes, totread = 0;
11612 if (!TEST_ptr(bretry))
11615 for (i = 0; i < sizeof(inbuf); i++)
11616 inbuf[i] = (unsigned char)(0xff & i);
11617 memset(outbuf, 0, sizeof(outbuf));
11619 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11620 TLS_client_method(), 0, 0, &sctx, &cctx,
11624 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
11628 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11631 /* Smallest possible max send fragment is 512 */
11632 if (!TEST_true(SSL_set_max_send_fragment(clientssl, 512)))
11635 tmp = SSL_get_wbio(clientssl);
11636 if (!TEST_ptr(tmp))
11638 if (!TEST_true(BIO_up_ref(tmp)))
11640 BIO_push(bretry, tmp);
11642 SSL_set0_wbio(clientssl, bretry);
11643 if (!BIO_up_ref(bretry)) {
11648 for (i = 0; i < 3; i++) {
11649 /* We expect this call to make no progress and indicate retry */
11650 if (!TEST_false(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
11652 if (!TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_WRITE))
11655 /* Allow one write to progress, but the next one to signal retry */
11656 if (!TEST_true(BIO_ctrl(bretry, MAYBE_RETRY_CTRL_SET_RETRY_AFTER_CNT, 1,
11664 * This call will hopefully make progress but will still indicate retry
11665 * because there is more data than will fit into a single record.
11667 if (!TEST_false(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
11669 if (!TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_WRITE))
11673 /* The final call should write the last chunk of data and succeed */
11674 if (!TEST_true(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
11676 /* Read all the data available */
11677 while (SSL_read_ex(serverssl, outbuf + totread, sizeof(outbuf) - totread,
11679 totread += readbytes;
11680 if (!TEST_mem_eq(inbuf, sizeof(inbuf), outbuf, totread))
11685 SSL_free(serverssl);
11686 SSL_free(clientssl);
11687 SSL_CTX_free(sctx);
11688 SSL_CTX_free(cctx);
11689 BIO_free_all(bretry);
11694 struct resume_servername_cb_data {
11703 * Servername callback. We use it here to run another complete handshake using
11704 * the same session - and mark the session as not_resuamble at the end
11706 static int resume_servername_cb(SSL *s, int *ad, void *arg)
11708 struct resume_servername_cb_data *cbdata = arg;
11709 SSL *serverssl = NULL, *clientssl = NULL;
11710 int ret = SSL_TLSEXT_ERR_ALERT_FATAL;
11712 if (cbdata->recurse)
11713 return SSL_TLSEXT_ERR_ALERT_FATAL;
11715 if ((cbdata->i % 3) != 1)
11716 return SSL_TLSEXT_ERR_OK;
11718 cbdata->recurse = 1;
11720 if (!TEST_true(create_ssl_objects(cbdata->sctx, cbdata->cctx, &serverssl,
11721 &clientssl, NULL, NULL))
11722 || !TEST_true(SSL_set_session(clientssl, cbdata->sess)))
11727 * We expect this to fail - because the servername cb will fail. This will
11728 * mark the session as not_resumable.
11730 if (!TEST_false(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) {
11731 ERR_clear_last_mark();
11736 ret = SSL_TLSEXT_ERR_OK;
11738 SSL_free(serverssl);
11739 SSL_free(clientssl);
11740 cbdata->recurse = 0;
11744 * Test multiple resumptions and cache size handling
11745 * Test 0: TLSv1.3 (max_early_data set)
11746 * Test 1: TLSv1.3 (SSL_OP_NO_TICKET set)
11747 * Test 2: TLSv1.3 (max_early_data and SSL_OP_NO_TICKET set)
11748 * Test 3: TLSv1.3 (SSL_OP_NO_TICKET, simultaneous resumes)
11751 static int test_multi_resume(int idx)
11753 SSL_CTX *sctx = NULL, *cctx = NULL;
11754 SSL *serverssl = NULL, *clientssl = NULL;
11755 SSL_SESSION *sess = NULL;
11756 int max_version = TLS1_3_VERSION;
11757 int i, testresult = 0;
11758 struct resume_servername_cb_data cbdata;
11760 #if defined(OPENSSL_NO_TLS1_2)
11762 return TEST_skip("TLSv1.2 is disabled in this build");
11765 max_version = TLS1_2_VERSION;
11767 #if defined(OSSL_NO_USABLE_TLS1_3)
11769 return TEST_skip("No usable TLSv1.3 in this build");
11772 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11773 TLS_client_method(), TLS1_VERSION,
11774 max_version, &sctx, &cctx, cert,
11779 * TLSv1.3 only uses a session cache if either max_early_data > 0 (used for
11780 * replay protection), or if SSL_OP_NO_TICKET is in use
11782 if (idx == 0 || idx == 2) {
11783 if (!TEST_true(SSL_CTX_set_max_early_data(sctx, 1024)))
11786 if (idx == 1 || idx == 2 || idx == 3)
11787 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
11789 SSL_CTX_sess_set_cache_size(sctx, 5);
11792 SSL_CTX_set_tlsext_servername_callback(sctx, resume_servername_cb);
11793 SSL_CTX_set_tlsext_servername_arg(sctx, &cbdata);
11794 cbdata.cctx = cctx;
11795 cbdata.sctx = sctx;
11796 cbdata.recurse = 0;
11799 for (i = 0; i < 30; i++) {
11800 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
11802 || !TEST_true(SSL_set_session(clientssl, sess)))
11806 * Check simultaneous resumes. We pause the connection part way through
11807 * the handshake by (mis)using the servername_cb. The pause occurs after
11808 * session resumption has already occurred, but before any session
11809 * tickets have been issued. While paused we run another complete
11810 * handshake resuming the same session.
11814 cbdata.sess = sess;
11818 * Recreate a bug where dynamically changing the max_early_data value
11819 * can cause sessions in the session cache which cannot be deleted.
11821 if ((idx == 0 || idx == 2) && (i % 3) == 2)
11822 SSL_set_max_early_data(serverssl, 0);
11824 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11827 if (sess == NULL || (idx == 0 && (i % 3) == 2)) {
11828 if (!TEST_false(SSL_session_reused(clientssl)))
11831 if (!TEST_true(SSL_session_reused(clientssl)))
11834 SSL_SESSION_free(sess);
11836 /* Do a full handshake, followed by two resumptions */
11837 if ((i % 3) == 2) {
11840 if (!TEST_ptr((sess = SSL_get1_session(clientssl))))
11844 SSL_shutdown(clientssl);
11845 SSL_shutdown(serverssl);
11846 SSL_free(serverssl);
11847 SSL_free(clientssl);
11848 serverssl = clientssl = NULL;
11851 /* We should never exceed the session cache size limit */
11852 if (!TEST_long_le(SSL_CTX_sess_number(sctx), 5))
11857 SSL_free(serverssl);
11858 SSL_free(clientssl);
11859 SSL_CTX_free(sctx);
11860 SSL_CTX_free(cctx);
11861 SSL_SESSION_free(sess);
11865 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
11867 int setup_tests(void)
11872 libctx = OSSL_LIB_CTX_new();
11873 if (!TEST_ptr(libctx))
11876 defctxnull = OSSL_PROVIDER_load(NULL, "null");
11879 * Verify that the default and fips providers in the default libctx are not
11882 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
11883 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
11886 if (!test_skip_common_options()) {
11887 TEST_error("Error parsing test options\n");
11891 if (!TEST_ptr(certsdir = test_get_argument(0))
11892 || !TEST_ptr(srpvfile = test_get_argument(1))
11893 || !TEST_ptr(tmpfilename = test_get_argument(2))
11894 || !TEST_ptr(modulename = test_get_argument(3))
11895 || !TEST_ptr(configfile = test_get_argument(4))
11896 || !TEST_ptr(dhfile = test_get_argument(5)))
11899 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
11902 /* Check we have the expected provider available */
11903 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
11906 /* Check the default provider is not available */
11907 if (strcmp(modulename, "default") != 0
11908 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
11911 if (strcmp(modulename, "fips") == 0) {
11912 OSSL_PROVIDER *prov = NULL;
11913 OSSL_PARAM params[2];
11917 prov = OSSL_PROVIDER_load(libctx, "fips");
11918 if (prov != NULL) {
11919 /* Query the fips provider to check if the check ems option is enabled */
11921 OSSL_PARAM_construct_int(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK,
11923 params[1] = OSSL_PARAM_construct_end();
11924 OSSL_PROVIDER_get_params(prov, params);
11925 OSSL_PROVIDER_unload(prov);
11930 * We add, but don't load the test "tls-provider". We'll load it when we
11933 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
11934 tls_provider_init)))
11938 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
11939 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
11940 TEST_error("not supported in this build");
11943 int i, mcount, rcount, fcount;
11945 for (i = 0; i < 4; i++)
11946 test_export_key_mat(i);
11947 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
11948 test_printf_stdout("malloc %d realloc %d free %d\n",
11949 mcount, rcount, fcount);
11954 cert = test_mk_file_path(certsdir, "servercert.pem");
11958 privkey = test_mk_file_path(certsdir, "serverkey.pem");
11959 if (privkey == NULL)
11962 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
11966 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
11967 if (privkey2 == NULL)
11970 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
11971 if (cert1024 == NULL)
11974 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
11975 if (privkey1024 == NULL)
11978 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
11979 if (cert3072 == NULL)
11982 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
11983 if (privkey3072 == NULL)
11986 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
11987 if (cert4096 == NULL)
11990 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
11991 if (privkey4096 == NULL)
11994 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
11995 if (cert8192 == NULL)
11998 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
11999 if (privkey8192 == NULL)
12002 if (fips_ems_check) {
12003 #ifndef OPENSSL_NO_TLS1_2
12004 ADD_TEST(test_no_ems);
12008 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
12009 # if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
12010 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
12011 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS * 2);
12014 ADD_TEST(test_large_message_tls);
12015 ADD_TEST(test_large_message_tls_read_ahead);
12016 #ifndef OPENSSL_NO_DTLS
12017 ADD_TEST(test_large_message_dtls);
12019 ADD_ALL_TESTS(test_large_app_data, 28);
12020 ADD_TEST(test_cleanse_plaintext);
12021 #ifndef OPENSSL_NO_OCSP
12022 ADD_TEST(test_tlsext_status_type);
12024 ADD_TEST(test_session_with_only_int_cache);
12025 ADD_TEST(test_session_with_only_ext_cache);
12026 ADD_TEST(test_session_with_both_cache);
12027 ADD_TEST(test_session_wo_ca_names);
12028 #ifndef OSSL_NO_USABLE_TLS1_3
12029 ADD_ALL_TESTS(test_stateful_tickets, 3);
12030 ADD_ALL_TESTS(test_stateless_tickets, 3);
12031 ADD_TEST(test_psk_tickets);
12032 ADD_ALL_TESTS(test_extra_tickets, 6);
12034 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
12035 ADD_TEST(test_ssl_bio_pop_next_bio);
12036 ADD_TEST(test_ssl_bio_pop_ssl_bio);
12037 ADD_TEST(test_ssl_bio_change_rbio);
12038 ADD_TEST(test_ssl_bio_change_wbio);
12039 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
12040 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
12041 ADD_TEST(test_keylog);
12043 #ifndef OSSL_NO_USABLE_TLS1_3
12044 ADD_TEST(test_keylog_no_master_key);
12046 ADD_TEST(test_client_cert_verify_cb);
12047 ADD_TEST(test_ssl_build_cert_chain);
12048 ADD_TEST(test_ssl_ctx_build_cert_chain);
12049 #ifndef OPENSSL_NO_TLS1_2
12050 ADD_TEST(test_client_hello_cb);
12051 ADD_TEST(test_no_ems);
12052 ADD_TEST(test_ccs_change_cipher);
12054 #ifndef OSSL_NO_USABLE_TLS1_3
12055 ADD_ALL_TESTS(test_early_data_read_write, 6);
12057 * We don't do replay tests for external PSK. Replay protection isn't used
12058 * in that scenario.
12060 ADD_ALL_TESTS(test_early_data_replay, 2);
12061 ADD_ALL_TESTS(test_early_data_skip, OSSL_NELEM(ciphersuites) * 3);
12062 ADD_ALL_TESTS(test_early_data_skip_hrr, OSSL_NELEM(ciphersuites) * 3);
12063 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, OSSL_NELEM(ciphersuites) * 3);
12064 ADD_ALL_TESTS(test_early_data_skip_abort, OSSL_NELEM(ciphersuites) * 3);
12065 ADD_ALL_TESTS(test_early_data_not_sent, 3);
12066 ADD_ALL_TESTS(test_early_data_psk, 8);
12067 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
12068 ADD_ALL_TESTS(test_early_data_not_expected, 3);
12069 # ifndef OPENSSL_NO_TLS1_2
12070 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
12073 #ifndef OSSL_NO_USABLE_TLS1_3
12074 ADD_ALL_TESTS(test_set_ciphersuite, 10);
12075 ADD_TEST(test_ciphersuite_change);
12076 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
12077 # ifdef OPENSSL_NO_PSK
12078 ADD_ALL_TESTS(test_tls13_psk, 1);
12080 ADD_ALL_TESTS(test_tls13_psk, 4);
12081 # endif /* OPENSSL_NO_PSK */
12082 #ifndef OSSL_NO_USABLE_TLS1_3
12083 ADD_ALL_TESTS(test_tls13_no_dhe_kex, 8);
12084 #endif /* OSSL_NO_USABLE_TLS1_3 */
12085 # ifndef OPENSSL_NO_TLS1_2
12086 /* Test with both TLSv1.3 and 1.2 versions */
12087 ADD_ALL_TESTS(test_key_exchange, 14);
12088 # if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
12089 ADD_ALL_TESTS(test_negotiated_group,
12090 4 * (OSSL_NELEM(ecdhe_kexch_groups)
12091 + OSSL_NELEM(ffdhe_kexch_groups)));
12094 /* Test with only TLSv1.3 versions */
12095 ADD_ALL_TESTS(test_key_exchange, 12);
12097 ADD_ALL_TESTS(test_custom_exts, 6);
12098 ADD_TEST(test_stateless);
12099 ADD_TEST(test_pha_key_update);
12101 ADD_ALL_TESTS(test_custom_exts, 3);
12103 ADD_ALL_TESTS(test_export_key_mat, 6);
12104 #ifndef OSSL_NO_USABLE_TLS1_3
12105 ADD_ALL_TESTS(test_export_key_mat_early, 3);
12106 ADD_TEST(test_key_update);
12107 ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
12108 ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
12109 ADD_ALL_TESTS(test_key_update_local_in_write, 2);
12110 ADD_ALL_TESTS(test_key_update_local_in_read, 2);
12112 ADD_ALL_TESTS(test_ssl_clear, 8);
12113 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
12114 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
12115 ADD_ALL_TESTS(test_srp, 6);
12117 #if !defined(OPENSSL_NO_COMP_ALG)
12118 /* Add compression case */
12119 ADD_ALL_TESTS(test_info_callback, 8);
12121 ADD_ALL_TESTS(test_info_callback, 6);
12123 ADD_ALL_TESTS(test_ssl_pending, 2);
12124 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
12125 ADD_ALL_TESTS(test_ticket_callbacks, 20);
12126 ADD_ALL_TESTS(test_shutdown, 7);
12127 ADD_TEST(test_async_shutdown);
12128 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
12129 ADD_ALL_TESTS(test_cert_cb, 6);
12130 ADD_ALL_TESTS(test_client_cert_cb, 2);
12131 ADD_ALL_TESTS(test_ca_names, 3);
12132 #ifndef OPENSSL_NO_TLS1_2
12133 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
12135 ADD_ALL_TESTS(test_servername, 10);
12136 ADD_TEST(test_unknown_sigalgs_groups);
12137 #if !defined(OPENSSL_NO_EC) \
12138 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
12139 ADD_ALL_TESTS(test_sigalgs_available, 6);
12141 #ifndef OPENSSL_NO_TLS1_3
12142 ADD_ALL_TESTS(test_pluggable_group, 2);
12143 ADD_ALL_TESTS(test_pluggable_signature, 4);
12145 #ifndef OPENSSL_NO_TLS1_2
12146 ADD_TEST(test_ssl_dup);
12147 # ifndef OPENSSL_NO_DH
12148 ADD_ALL_TESTS(test_set_tmp_dh, 11);
12149 ADD_ALL_TESTS(test_dh_auto, 7);
12152 #ifndef OSSL_NO_USABLE_TLS1_3
12153 ADD_TEST(test_sni_tls13);
12154 ADD_ALL_TESTS(test_ticket_lifetime, 2);
12156 ADD_TEST(test_inherit_verify_param);
12157 ADD_TEST(test_set_alpn);
12158 ADD_TEST(test_set_verify_cert_store_ssl_ctx);
12159 ADD_TEST(test_set_verify_cert_store_ssl);
12160 ADD_ALL_TESTS(test_session_timeout, 1);
12161 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
12162 ADD_ALL_TESTS(test_session_cache_overflow, 4);
12164 ADD_TEST(test_load_dhfile);
12165 #ifndef OSSL_NO_USABLE_TLS1_3
12166 ADD_TEST(test_read_ahead_key_change);
12167 ADD_ALL_TESTS(test_tls13_record_padding, 4);
12169 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
12170 ADD_ALL_TESTS(test_serverinfo_custom, 4);
12172 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
12173 ADD_ALL_TESTS(test_pipelining, 7);
12175 ADD_ALL_TESTS(test_version, 6);
12176 ADD_TEST(test_rstate_string);
12177 ADD_ALL_TESTS(test_handshake_retry, 16);
12178 ADD_TEST(test_data_retry);
12179 ADD_ALL_TESTS(test_multi_resume, 5);
12183 OPENSSL_free(cert);
12184 OPENSSL_free(privkey);
12185 OPENSSL_free(cert2);
12186 OPENSSL_free(privkey2);
12190 void cleanup_tests(void)
12192 # if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
12193 EVP_PKEY_free(tmp_dh_params);
12195 OPENSSL_free(cert);
12196 OPENSSL_free(privkey);
12197 OPENSSL_free(cert2);
12198 OPENSSL_free(privkey2);
12199 OPENSSL_free(cert1024);
12200 OPENSSL_free(privkey1024);
12201 OPENSSL_free(cert3072);
12202 OPENSSL_free(privkey3072);
12203 OPENSSL_free(cert4096);
12204 OPENSSL_free(privkey4096);
12205 OPENSSL_free(cert8192);
12206 OPENSSL_free(privkey8192);
12207 bio_s_mempacket_test_free();
12208 bio_s_always_retry_free();
12209 bio_s_maybe_retry_free();
12210 OSSL_PROVIDER_unload(defctxnull);
12211 OSSL_LIB_CTX_free(libctx);