2 * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/core_dispatch.h>
32 #include <openssl/provider.h>
33 #include <openssl/param_build.h>
34 #include <openssl/x509v3.h>
35 #include <openssl/dh.h>
36 #include <openssl/engine.h>
38 #include "helpers/ssltestlib.h"
40 #include "testutil/output.h"
41 #include "internal/nelem.h"
42 #include "internal/ktls.h"
43 #include "../ssl/ssl_local.h"
44 #include "../ssl/record/methods/recmethod_local.h"
45 #include "filterprov.h"
47 #undef OSSL_NO_USABLE_TLS1_3
48 #if defined(OPENSSL_NO_TLS1_3) \
49 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
51 * If we don't have ec or dh then there are no built-in groups that are usable
54 # define OSSL_NO_USABLE_TLS1_3
57 /* Defined in tls-provider.c */
58 int tls_provider_init(const OSSL_CORE_HANDLE *handle,
59 const OSSL_DISPATCH *in,
60 const OSSL_DISPATCH **out,
63 static OSSL_LIB_CTX *libctx = NULL;
64 static OSSL_PROVIDER *defctxnull = NULL;
66 #ifndef OSSL_NO_USABLE_TLS1_3
68 static SSL_SESSION *clientpsk = NULL;
69 static SSL_SESSION *serverpsk = NULL;
70 static const char *pskid = "Identity";
71 static const char *srvid;
73 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
74 size_t *idlen, SSL_SESSION **sess);
75 static int find_session_cb(SSL *ssl, const unsigned char *identity,
76 size_t identity_len, SSL_SESSION **sess);
78 static int use_session_cb_cnt = 0;
79 static int find_session_cb_cnt = 0;
81 static SSL_SESSION *create_a_psk(SSL *ssl, size_t mdsize);
84 static char *certsdir = NULL;
85 static char *cert = NULL;
86 static char *privkey = NULL;
87 static char *cert2 = NULL;
88 static char *privkey2 = NULL;
89 static char *cert1024 = NULL;
90 static char *privkey1024 = NULL;
91 static char *cert3072 = NULL;
92 static char *privkey3072 = NULL;
93 static char *cert4096 = NULL;
94 static char *privkey4096 = NULL;
95 static char *cert8192 = NULL;
96 static char *privkey8192 = NULL;
97 static char *srpvfile = NULL;
98 static char *tmpfilename = NULL;
99 static char *dhfile = NULL;
101 static int is_fips = 0;
102 static int fips_ems_check = 0;
104 #define LOG_BUFFER_SIZE 2048
105 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
106 static size_t server_log_buffer_index = 0;
107 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
108 static size_t client_log_buffer_index = 0;
109 static int error_writing_log = 0;
111 #ifndef OPENSSL_NO_OCSP
112 static const unsigned char orespder[] = "Dummy OCSP Response";
113 static int ocsp_server_called = 0;
114 static int ocsp_client_called = 0;
116 static int cdummyarg = 1;
117 static X509 *ocspcert = NULL;
120 #define NUM_EXTRA_CERTS 40
121 #define CLIENT_VERSION_LEN 2
124 * This structure is used to validate that the correct number of log messages
125 * of various types are emitted when emitting secret logs.
127 struct sslapitest_log_counts {
128 unsigned int rsa_key_exchange_count;
129 unsigned int master_secret_count;
130 unsigned int client_early_secret_count;
131 unsigned int client_handshake_secret_count;
132 unsigned int server_handshake_secret_count;
133 unsigned int client_application_secret_count;
134 unsigned int server_application_secret_count;
135 unsigned int early_exporter_secret_count;
136 unsigned int exporter_secret_count;
140 static int hostname_cb(SSL *s, int *al, void *arg)
142 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
144 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
145 || strcmp(hostname, "altgoodhost") == 0))
146 return SSL_TLSEXT_ERR_OK;
148 return SSL_TLSEXT_ERR_NOACK;
151 static void client_keylog_callback(const SSL *ssl, const char *line)
153 int line_length = strlen(line);
155 /* If the log doesn't fit, error out. */
156 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
157 TEST_info("Client log too full");
158 error_writing_log = 1;
162 strcat(client_log_buffer, line);
163 client_log_buffer_index += line_length;
164 client_log_buffer[client_log_buffer_index++] = '\n';
167 static void server_keylog_callback(const SSL *ssl, const char *line)
169 int line_length = strlen(line);
171 /* If the log doesn't fit, error out. */
172 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
173 TEST_info("Server log too full");
174 error_writing_log = 1;
178 strcat(server_log_buffer, line);
179 server_log_buffer_index += line_length;
180 server_log_buffer[server_log_buffer_index++] = '\n';
183 static int compare_hex_encoded_buffer(const char *hex_encoded,
191 if (!TEST_size_t_eq(raw_length * 2, hex_length))
194 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
195 sprintf(hexed, "%02x", raw[i]);
196 if (!TEST_int_eq(hexed[0], hex_encoded[j])
197 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
204 static int test_keylog_output(char *buffer, const SSL *ssl,
205 const SSL_SESSION *session,
206 struct sslapitest_log_counts *expected)
209 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
210 size_t client_random_size = SSL3_RANDOM_SIZE;
211 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
212 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
213 unsigned int rsa_key_exchange_count = 0;
214 unsigned int master_secret_count = 0;
215 unsigned int client_early_secret_count = 0;
216 unsigned int client_handshake_secret_count = 0;
217 unsigned int server_handshake_secret_count = 0;
218 unsigned int client_application_secret_count = 0;
219 unsigned int server_application_secret_count = 0;
220 unsigned int early_exporter_secret_count = 0;
221 unsigned int exporter_secret_count = 0;
223 for (token = strtok(buffer, " \n"); token != NULL;
224 token = strtok(NULL, " \n")) {
225 if (strcmp(token, "RSA") == 0) {
227 * Premaster secret. Tokens should be: 16 ASCII bytes of
228 * hex-encoded encrypted secret, then the hex-encoded pre-master
231 if (!TEST_ptr(token = strtok(NULL, " \n")))
233 if (!TEST_size_t_eq(strlen(token), 16))
235 if (!TEST_ptr(token = strtok(NULL, " \n")))
238 * We can't sensibly check the log because the premaster secret is
239 * transient, and OpenSSL doesn't keep hold of it once the master
240 * secret is generated.
242 rsa_key_exchange_count++;
243 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
245 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
246 * client random, then the hex-encoded master secret.
248 client_random_size = SSL_get_client_random(ssl,
249 actual_client_random,
251 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
254 if (!TEST_ptr(token = strtok(NULL, " \n")))
256 if (!TEST_size_t_eq(strlen(token), 64))
258 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
259 actual_client_random,
260 client_random_size)))
263 if (!TEST_ptr(token = strtok(NULL, " \n")))
265 master_key_size = SSL_SESSION_get_master_key(session,
268 if (!TEST_size_t_ne(master_key_size, 0))
270 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
274 master_secret_count++;
275 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
276 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
277 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
278 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
279 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
280 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
281 || strcmp(token, "EXPORTER_SECRET") == 0) {
283 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
284 * client random, and then the hex-encoded secret. In this case,
285 * we treat all of these secrets identically and then just
286 * distinguish between them when counting what we saw.
288 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
289 client_early_secret_count++;
290 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
291 client_handshake_secret_count++;
292 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
293 server_handshake_secret_count++;
294 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
295 client_application_secret_count++;
296 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
297 server_application_secret_count++;
298 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
299 early_exporter_secret_count++;
300 else if (strcmp(token, "EXPORTER_SECRET") == 0)
301 exporter_secret_count++;
303 client_random_size = SSL_get_client_random(ssl,
304 actual_client_random,
306 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
309 if (!TEST_ptr(token = strtok(NULL, " \n")))
311 if (!TEST_size_t_eq(strlen(token), 64))
313 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
314 actual_client_random,
315 client_random_size)))
318 if (!TEST_ptr(token = strtok(NULL, " \n")))
321 TEST_info("Unexpected token %s\n", token);
326 /* Got what we expected? */
327 if (!TEST_size_t_eq(rsa_key_exchange_count,
328 expected->rsa_key_exchange_count)
329 || !TEST_size_t_eq(master_secret_count,
330 expected->master_secret_count)
331 || !TEST_size_t_eq(client_early_secret_count,
332 expected->client_early_secret_count)
333 || !TEST_size_t_eq(client_handshake_secret_count,
334 expected->client_handshake_secret_count)
335 || !TEST_size_t_eq(server_handshake_secret_count,
336 expected->server_handshake_secret_count)
337 || !TEST_size_t_eq(client_application_secret_count,
338 expected->client_application_secret_count)
339 || !TEST_size_t_eq(server_application_secret_count,
340 expected->server_application_secret_count)
341 || !TEST_size_t_eq(early_exporter_secret_count,
342 expected->early_exporter_secret_count)
343 || !TEST_size_t_eq(exporter_secret_count,
344 expected->exporter_secret_count))
349 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
350 static int test_keylog(void)
352 SSL_CTX *cctx = NULL, *sctx = NULL;
353 SSL *clientssl = NULL, *serverssl = NULL;
355 struct sslapitest_log_counts expected;
357 /* Clean up logging space */
358 memset(&expected, 0, sizeof(expected));
359 memset(client_log_buffer, 0, sizeof(client_log_buffer));
360 memset(server_log_buffer, 0, sizeof(server_log_buffer));
361 client_log_buffer_index = 0;
362 server_log_buffer_index = 0;
363 error_writing_log = 0;
365 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
368 &sctx, &cctx, cert, privkey)))
371 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
372 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
373 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
375 /* We also want to ensure that we use RSA-based key exchange. */
376 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
379 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
380 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
382 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
383 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
384 == client_keylog_callback))
386 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
387 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
388 == server_keylog_callback))
391 /* Now do a handshake and check that the logs have been written to. */
392 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
393 &clientssl, NULL, NULL))
394 || !TEST_true(create_ssl_connection(serverssl, clientssl,
396 || !TEST_false(error_writing_log)
397 || !TEST_int_gt(client_log_buffer_index, 0)
398 || !TEST_int_gt(server_log_buffer_index, 0))
402 * Now we want to test that our output data was vaguely sensible. We
403 * do that by using strtok and confirming that we have more or less the
404 * data we expect. For both client and server, we expect to see one master
405 * secret. The client should also see an RSA key exchange.
407 expected.rsa_key_exchange_count = 1;
408 expected.master_secret_count = 1;
409 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
410 SSL_get_session(clientssl), &expected)))
413 expected.rsa_key_exchange_count = 0;
414 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
415 SSL_get_session(serverssl), &expected)))
430 #ifndef OSSL_NO_USABLE_TLS1_3
431 static int test_keylog_no_master_key(void)
433 SSL_CTX *cctx = NULL, *sctx = NULL;
434 SSL *clientssl = NULL, *serverssl = NULL;
435 SSL_SESSION *sess = NULL;
437 struct sslapitest_log_counts expected;
438 unsigned char buf[1];
439 size_t readbytes, written;
441 /* Clean up logging space */
442 memset(&expected, 0, sizeof(expected));
443 memset(client_log_buffer, 0, sizeof(client_log_buffer));
444 memset(server_log_buffer, 0, sizeof(server_log_buffer));
445 client_log_buffer_index = 0;
446 server_log_buffer_index = 0;
447 error_writing_log = 0;
449 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
450 TLS_client_method(), TLS1_VERSION, 0,
451 &sctx, &cctx, cert, privkey))
452 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
453 SSL3_RT_MAX_PLAIN_LENGTH)))
456 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
457 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
460 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
461 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
462 == client_keylog_callback))
465 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
466 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
467 == server_keylog_callback))
470 /* Now do a handshake and check that the logs have been written to. */
471 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
472 &clientssl, NULL, NULL))
473 || !TEST_true(create_ssl_connection(serverssl, clientssl,
475 || !TEST_false(error_writing_log))
479 * Now we want to test that our output data was vaguely sensible. For this
480 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
481 * TLSv1.3, but we do expect both client and server to emit keys.
483 expected.client_handshake_secret_count = 1;
484 expected.server_handshake_secret_count = 1;
485 expected.client_application_secret_count = 1;
486 expected.server_application_secret_count = 1;
487 expected.exporter_secret_count = 1;
488 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
489 SSL_get_session(clientssl), &expected))
490 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
491 SSL_get_session(serverssl),
495 /* Terminate old session and resume with early data. */
496 sess = SSL_get1_session(clientssl);
497 SSL_shutdown(clientssl);
498 SSL_shutdown(serverssl);
501 serverssl = clientssl = NULL;
504 memset(client_log_buffer, 0, sizeof(client_log_buffer));
505 memset(server_log_buffer, 0, sizeof(server_log_buffer));
506 client_log_buffer_index = 0;
507 server_log_buffer_index = 0;
509 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
510 &clientssl, NULL, NULL))
511 || !TEST_true(SSL_set_session(clientssl, sess))
512 /* Here writing 0 length early data is enough. */
513 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
514 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
516 SSL_READ_EARLY_DATA_ERROR)
517 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
518 SSL_EARLY_DATA_ACCEPTED)
519 || !TEST_true(create_ssl_connection(serverssl, clientssl,
521 || !TEST_true(SSL_session_reused(clientssl)))
524 /* In addition to the previous entries, expect early secrets. */
525 expected.client_early_secret_count = 1;
526 expected.early_exporter_secret_count = 1;
527 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
528 SSL_get_session(clientssl), &expected))
529 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
530 SSL_get_session(serverssl),
537 SSL_SESSION_free(sess);
547 static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
549 int res = X509_verify_cert(ctx);
550 int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
553 /* this should not happen but check anyway */
555 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL)
558 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
559 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
560 /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
561 return SSL_set_retry_verify(ssl);
566 static int test_client_cert_verify_cb(void)
568 /* server key, cert, chain, and root */
569 char *skey = test_mk_file_path(certsdir, "leaf.key");
570 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
571 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
572 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
573 char *root = test_mk_file_path(certsdir, "rootCA.pem");
574 X509 *crt1 = NULL, *crt2 = NULL;
575 STACK_OF(X509) *server_chain;
576 SSL_CTX *cctx = NULL, *sctx = NULL;
577 SSL *clientssl = NULL, *serverssl = NULL;
580 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
581 TLS_client_method(), TLS1_VERSION, 0,
582 &sctx, &cctx, NULL, NULL)))
584 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
585 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
586 SSL_FILETYPE_PEM), 1)
587 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
589 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
591 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
592 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
593 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
594 &clientssl, NULL, NULL)))
597 /* attempt SSL_connect() with incomplete server chain */
598 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
599 SSL_ERROR_WANT_RETRY_VERIFY)))
602 /* application provides intermediate certs needed to verify server cert */
603 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
604 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
605 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
607 /* add certs in reverse order to demonstrate real chain building */
608 if (!TEST_true(sk_X509_push(server_chain, crt1)))
611 if (!TEST_true(sk_X509_push(server_chain, crt2)))
615 /* continue SSL_connect(), must now succeed with completed server chain */
616 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
625 if (clientssl != NULL) {
626 SSL_shutdown(clientssl);
629 if (serverssl != NULL) {
630 SSL_shutdown(serverssl);
645 static int test_ssl_build_cert_chain(void)
648 SSL_CTX *ssl_ctx = NULL;
650 char *skey = test_mk_file_path(certsdir, "leaf.key");
651 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
653 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
655 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
657 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
658 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
659 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
660 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
662 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
663 | SSL_BUILD_CHAIN_FLAG_CHECK)))
668 SSL_CTX_free(ssl_ctx);
669 OPENSSL_free(leaf_chain);
674 static int get_password_cb(char *buf, int size, int rw_flag, void *userdata)
676 static const char pass[] = "testpass";
678 if (!TEST_int_eq(size, PEM_BUFSIZE))
681 memcpy(buf, pass, sizeof(pass) - 1);
682 return sizeof(pass) - 1;
685 static int test_ssl_ctx_build_cert_chain(void)
689 char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key");
690 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
692 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
694 SSL_CTX_set_default_passwd_cb(ctx, get_password_cb);
695 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
696 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
697 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
698 SSL_FILETYPE_PEM), 1)
699 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
701 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
702 | SSL_BUILD_CHAIN_FLAG_CHECK)))
707 OPENSSL_free(leaf_chain);
712 #ifndef OPENSSL_NO_TLS1_2
713 static int full_client_hello_callback(SSL *s, int *al, void *arg)
716 const unsigned char *p;
718 /* We only configure two ciphers, but the SCSV is added automatically. */
720 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
722 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
725 const int expected_extensions[] = {
726 #ifndef OPENSSL_NO_EC
732 /* Make sure we can defer processing and get called back. */
734 return SSL_CLIENT_HELLO_RETRY;
736 len = SSL_client_hello_get0_ciphers(s, &p);
737 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
739 SSL_client_hello_get0_compression_methods(s, &p), 1)
740 || !TEST_int_eq(*p, 0))
741 return SSL_CLIENT_HELLO_ERROR;
742 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
743 return SSL_CLIENT_HELLO_ERROR;
744 if (len != OSSL_NELEM(expected_extensions) ||
745 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
746 printf("ClientHello callback expected extensions mismatch\n");
748 return SSL_CLIENT_HELLO_ERROR;
751 return SSL_CLIENT_HELLO_SUCCESS;
754 static int test_client_hello_cb(void)
756 SSL_CTX *cctx = NULL, *sctx = NULL;
757 SSL *clientssl = NULL, *serverssl = NULL;
758 int testctr = 0, testresult = 0;
760 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
761 TLS_client_method(), TLS1_VERSION, 0,
762 &sctx, &cctx, cert, privkey)))
764 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
766 /* The gimpy cipher list we configure can't do TLS 1.3. */
767 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
769 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
770 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
771 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
772 &clientssl, NULL, NULL))
773 || !TEST_false(create_ssl_connection(serverssl, clientssl,
774 SSL_ERROR_WANT_CLIENT_HELLO_CB))
776 * Passing a -1 literal is a hack since
777 * the real value was lost.
779 || !TEST_int_eq(SSL_get_error(serverssl, -1),
780 SSL_ERROR_WANT_CLIENT_HELLO_CB)
781 || !TEST_true(create_ssl_connection(serverssl, clientssl,
796 static int test_no_ems(void)
798 SSL_CTX *cctx = NULL, *sctx = NULL;
799 SSL *clientssl = NULL, *serverssl = NULL;
800 int testresult = 0, status;
802 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
803 TLS1_VERSION, TLS1_2_VERSION,
804 &sctx, &cctx, cert, privkey)) {
805 printf("Unable to create SSL_CTX pair\n");
809 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
811 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
812 printf("Unable to create SSL objects\n");
816 status = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
817 if (fips_ems_check) {
819 printf("When FIPS uses the EMS check a connection that doesnt use EMS should fail\n");
824 printf("Creating SSL connection failed\n");
827 if (SSL_get_extms_support(serverssl)) {
828 printf("Server reports Extended Master Secret support\n");
831 if (SSL_get_extms_support(clientssl)) {
832 printf("Client reports Extended Master Secret support\n");
848 * Very focused test to exercise a single case in the server-side state
849 * machine, when the ChangeCipherState message needs to actually change
850 * from one cipher to a different cipher (i.e., not changing from null
851 * encryption to real encryption).
853 static int test_ccs_change_cipher(void)
855 SSL_CTX *cctx = NULL, *sctx = NULL;
856 SSL *clientssl = NULL, *serverssl = NULL;
857 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
864 * Create a connection so we can resume and potentially (but not) use
865 * a different cipher in the second connection.
867 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
869 TLS1_VERSION, TLS1_2_VERSION,
870 &sctx, &cctx, cert, privkey))
871 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
872 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
874 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
875 || !TEST_true(create_ssl_connection(serverssl, clientssl,
877 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
878 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
881 shutdown_ssl_connection(serverssl, clientssl);
882 serverssl = clientssl = NULL;
884 /* Resume, preferring a different cipher. Our server will force the
885 * same cipher to be used as the initial handshake. */
886 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
888 || !TEST_true(SSL_set_session(clientssl, sess))
889 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
890 || !TEST_true(create_ssl_connection(serverssl, clientssl,
892 || !TEST_true(SSL_session_reused(clientssl))
893 || !TEST_true(SSL_session_reused(serverssl))
894 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
895 || !TEST_ptr_eq(sesspre, sesspost)
896 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
897 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
899 shutdown_ssl_connection(serverssl, clientssl);
900 serverssl = clientssl = NULL;
903 * Now create a fresh connection and try to renegotiate a different
906 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
908 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
909 || !TEST_true(create_ssl_connection(serverssl, clientssl,
911 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
912 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
913 || !TEST_true(SSL_renegotiate(clientssl))
914 || !TEST_true(SSL_renegotiate_pending(clientssl)))
916 /* Actually drive the renegotiation. */
917 for (i = 0; i < 3; i++) {
918 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
919 if (!TEST_ulong_eq(readbytes, 0))
921 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
922 SSL_ERROR_WANT_READ)) {
925 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
926 if (!TEST_ulong_eq(readbytes, 0))
928 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
929 SSL_ERROR_WANT_READ)) {
933 /* sesspre and sesspost should be different since the cipher changed. */
934 if (!TEST_false(SSL_renegotiate_pending(clientssl))
935 || !TEST_false(SSL_session_reused(clientssl))
936 || !TEST_false(SSL_session_reused(serverssl))
937 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
938 || !TEST_ptr_ne(sesspre, sesspost)
939 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
940 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
943 shutdown_ssl_connection(serverssl, clientssl);
944 serverssl = clientssl = NULL;
953 SSL_SESSION_free(sess);
959 static int execute_test_large_message(const SSL_METHOD *smeth,
960 const SSL_METHOD *cmeth,
961 int min_version, int max_version,
964 SSL_CTX *cctx = NULL, *sctx = NULL;
965 SSL *clientssl = NULL, *serverssl = NULL;
969 X509 *chaincert = NULL;
972 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
975 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
978 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
983 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
984 max_version, &sctx, &cctx, cert,
988 #ifdef OPENSSL_NO_DTLS1_2
989 if (smeth == DTLS_server_method()) {
991 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
994 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
995 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
996 "DEFAULT:@SECLEVEL=0")))
1003 * Test that read_ahead works correctly when dealing with large
1006 SSL_CTX_set_read_ahead(cctx, 1);
1010 * We assume the supplied certificate is big enough so that if we add
1011 * NUM_EXTRA_CERTS it will make the overall message large enough. The
1012 * default buffer size is requested to be 16k, but due to the way BUF_MEM
1013 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
1014 * test we need to have a message larger than that.
1016 certlen = i2d_X509(chaincert, NULL);
1017 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
1018 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
1019 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
1020 if (!X509_up_ref(chaincert))
1022 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
1023 X509_free(chaincert);
1028 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1030 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1035 * Calling SSL_clear() first is not required but this tests that SSL_clear()
1038 if (!TEST_true(SSL_clear(serverssl)))
1044 X509_free(chaincert);
1045 SSL_free(serverssl);
1046 SSL_free(clientssl);
1053 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
1054 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
1055 /* sock must be connected */
1056 static int ktls_chk_platform(int sock)
1058 if (!ktls_enable(sock))
1063 static int ping_pong_query(SSL *clientssl, SSL *serverssl)
1065 static char count = 1;
1066 unsigned char cbuf[16000] = {0};
1067 unsigned char sbuf[16000];
1069 char crec_wseq_before[SEQ_NUM_SIZE];
1070 char crec_wseq_after[SEQ_NUM_SIZE];
1071 char crec_rseq_before[SEQ_NUM_SIZE];
1072 char crec_rseq_after[SEQ_NUM_SIZE];
1073 char srec_wseq_before[SEQ_NUM_SIZE];
1074 char srec_wseq_after[SEQ_NUM_SIZE];
1075 char srec_rseq_before[SEQ_NUM_SIZE];
1076 char srec_rseq_after[SEQ_NUM_SIZE];
1077 SSL_CONNECTION *clientsc, *serversc;
1079 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1080 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1084 memcpy(crec_wseq_before, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1085 memcpy(srec_wseq_before, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1086 memcpy(crec_rseq_before, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1087 memcpy(srec_rseq_before, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1089 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1092 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1093 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1098 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1101 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1102 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1107 memcpy(crec_wseq_after, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1108 memcpy(srec_wseq_after, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1109 memcpy(crec_rseq_after, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1110 memcpy(srec_rseq_after, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1112 /* verify the payload */
1113 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1117 * If ktls is used then kernel sequences are used instead of
1120 if (!BIO_get_ktls_send(clientsc->wbio)) {
1121 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1122 crec_wseq_after, SEQ_NUM_SIZE))
1125 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1126 crec_wseq_after, SEQ_NUM_SIZE))
1130 if (!BIO_get_ktls_send(serversc->wbio)) {
1131 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1132 srec_wseq_after, SEQ_NUM_SIZE))
1135 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1136 srec_wseq_after, SEQ_NUM_SIZE))
1140 if (!BIO_get_ktls_recv(clientsc->wbio)) {
1141 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1142 crec_rseq_after, SEQ_NUM_SIZE))
1145 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1146 crec_rseq_after, SEQ_NUM_SIZE))
1150 if (!BIO_get_ktls_recv(serversc->wbio)) {
1151 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1152 srec_rseq_after, SEQ_NUM_SIZE))
1155 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1156 srec_rseq_after, SEQ_NUM_SIZE))
1165 static int execute_test_ktls(int cis_ktls, int sis_ktls,
1166 int tls_version, const char *cipher)
1168 SSL_CTX *cctx = NULL, *sctx = NULL;
1169 SSL *clientssl = NULL, *serverssl = NULL;
1170 int ktls_used = 0, testresult = 0;
1171 int cfd = -1, sfd = -1;
1173 SSL_CONNECTION *clientsc, *serversc;
1175 if (!TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
1178 /* Skip this test if the platform does not support ktls */
1179 if (!ktls_chk_platform(cfd)) {
1180 testresult = TEST_skip("Kernel does not support KTLS");
1184 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1185 testresult = TEST_skip("CHACHA is not supported in FIPS");
1189 /* Create a session based on SHA-256 */
1190 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1191 TLS_client_method(),
1192 tls_version, tls_version,
1193 &sctx, &cctx, cert, privkey)))
1196 if (tls_version == TLS1_3_VERSION) {
1197 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1198 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1201 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1202 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1206 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1207 &clientssl, sfd, cfd)))
1210 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1211 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1215 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
1220 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1224 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1228 * The running kernel may not support a given cipher suite
1229 * or direction, so just check that KTLS isn't used when it
1233 if (!TEST_false(BIO_get_ktls_send(clientsc->wbio)))
1236 if (BIO_get_ktls_send(clientsc->wbio))
1241 if (!TEST_false(BIO_get_ktls_send(serversc->wbio)))
1244 if (BIO_get_ktls_send(serversc->wbio))
1248 #if defined(OPENSSL_NO_KTLS_RX)
1253 if (!cis_ktls || !rx_supported) {
1254 if (!TEST_false(BIO_get_ktls_recv(clientsc->rbio)))
1257 if (BIO_get_ktls_send(clientsc->rbio))
1261 if (!sis_ktls || !rx_supported) {
1262 if (!TEST_false(BIO_get_ktls_recv(serversc->rbio)))
1265 if (BIO_get_ktls_send(serversc->rbio))
1269 if ((cis_ktls || sis_ktls) && !ktls_used) {
1270 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1271 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1276 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
1282 SSL_shutdown(clientssl);
1283 SSL_free(clientssl);
1286 SSL_shutdown(serverssl);
1287 SSL_free(serverssl);
1291 serverssl = clientssl = NULL;
1299 #define SENDFILE_SZ (16 * 4096)
1300 #define SENDFILE_CHUNK (4 * 4096)
1301 #define min(a,b) ((a) > (b) ? (b) : (a))
1303 static int execute_test_ktls_sendfile(int tls_version, const char *cipher,
1306 SSL_CTX *cctx = NULL, *sctx = NULL;
1307 SSL *clientssl = NULL, *serverssl = NULL;
1308 unsigned char *buf, *buf_dst;
1309 BIO *out = NULL, *in = NULL;
1310 int cfd = -1, sfd = -1, ffd, err;
1311 ssize_t chunk_size = 0;
1312 off_t chunk_off = 0;
1315 SSL_CONNECTION *serversc;
1317 buf = OPENSSL_zalloc(SENDFILE_SZ);
1318 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1319 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1320 || !TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
1323 /* Skip this test if the platform does not support ktls */
1324 if (!ktls_chk_platform(sfd)) {
1325 testresult = TEST_skip("Kernel does not support KTLS");
1329 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1330 testresult = TEST_skip("CHACHA is not supported in FIPS");
1334 /* Create a session based on SHA-256 */
1335 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1336 TLS_client_method(),
1337 tls_version, tls_version,
1338 &sctx, &cctx, cert, privkey)))
1341 if (tls_version == TLS1_3_VERSION) {
1342 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1343 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1346 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1347 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1351 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1352 &clientssl, sfd, cfd)))
1355 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1358 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1362 if (!TEST_true(SSL_set_options(serverssl,
1363 SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE)))
1367 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1371 if (!BIO_get_ktls_send(serversc->wbio)) {
1372 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1373 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1378 if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
1381 out = BIO_new_file(tmpfilename, "wb");
1385 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1390 in = BIO_new_file(tmpfilename, "rb");
1391 BIO_get_fp(in, &ffdp);
1394 while (chunk_off < SENDFILE_SZ) {
1395 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1396 while ((err = SSL_sendfile(serverssl,
1400 0)) != chunk_size) {
1401 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1404 while ((err = SSL_read(clientssl,
1405 buf_dst + chunk_off,
1406 chunk_size)) != chunk_size) {
1407 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1411 /* verify the payload */
1412 if (!TEST_mem_eq(buf_dst + chunk_off,
1418 chunk_off += chunk_size;
1424 SSL_shutdown(clientssl);
1425 SSL_free(clientssl);
1428 SSL_shutdown(serverssl);
1429 SSL_free(serverssl);
1433 serverssl = clientssl = NULL;
1441 OPENSSL_free(buf_dst);
1445 static struct ktls_test_cipher {
1448 } ktls_test_ciphers[] = {
1449 # if !defined(OPENSSL_NO_TLS1_2)
1450 # ifdef OPENSSL_KTLS_AES_GCM_128
1451 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1453 # ifdef OPENSSL_KTLS_AES_CCM_128
1454 { TLS1_2_VERSION, "AES128-CCM"},
1456 # ifdef OPENSSL_KTLS_AES_GCM_256
1457 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1459 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1460 # ifndef OPENSSL_NO_EC
1461 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
1465 # if !defined(OSSL_NO_USABLE_TLS1_3)
1466 # ifdef OPENSSL_KTLS_AES_GCM_128
1467 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1469 # ifdef OPENSSL_KTLS_AES_CCM_128
1470 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1472 # ifdef OPENSSL_KTLS_AES_GCM_256
1473 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1475 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1476 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1481 #define NUM_KTLS_TEST_CIPHERS \
1482 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1484 static int test_ktls(int test)
1486 struct ktls_test_cipher *cipher;
1487 int cis_ktls, sis_ktls;
1489 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
1490 cipher = &ktls_test_ciphers[test / 4];
1492 cis_ktls = (test & 1) != 0;
1493 sis_ktls = (test & 2) != 0;
1495 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1499 static int test_ktls_sendfile(int test)
1501 struct ktls_test_cipher *cipher;
1502 int tst = test >> 1;
1504 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
1505 cipher = &ktls_test_ciphers[tst];
1507 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher,
1512 static int test_large_message_tls(void)
1514 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1515 TLS1_VERSION, 0, 0);
1518 static int test_large_message_tls_read_ahead(void)
1520 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1521 TLS1_VERSION, 0, 1);
1524 #ifndef OPENSSL_NO_DTLS
1525 static int test_large_message_dtls(void)
1527 # ifdef OPENSSL_NO_DTLS1_2
1528 /* Not supported in the FIPS provider */
1533 * read_ahead is not relevant to DTLS because DTLS always acts as if
1534 * read_ahead is set.
1536 return execute_test_large_message(DTLS_server_method(),
1537 DTLS_client_method(),
1538 DTLS1_VERSION, 0, 0);
1543 * Test we can successfully send the maximum amount of application data. We
1544 * test each protocol version individually, each with and without EtM enabled.
1545 * TLSv1.3 doesn't use EtM so technically it is redundant to test both but it is
1546 * simpler this way. We also test all combinations with and without the
1547 * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option which affects the size of the
1548 * underlying buffer.
1550 static int test_large_app_data(int tst)
1552 SSL_CTX *cctx = NULL, *sctx = NULL;
1553 SSL *clientssl = NULL, *serverssl = NULL;
1554 int testresult = 0, prot;
1555 unsigned char *msg, *buf = NULL;
1556 size_t written, readbytes;
1557 const SSL_METHOD *smeth = TLS_server_method();
1558 const SSL_METHOD *cmeth = TLS_client_method();
1562 #ifndef OSSL_NO_USABLE_TLS1_3
1563 prot = TLS1_3_VERSION;
1570 #ifndef OPENSSL_NO_TLS1_2
1571 prot = TLS1_2_VERSION;
1578 #ifndef OPENSSL_NO_TLS1_1
1579 prot = TLS1_1_VERSION;
1586 #ifndef OPENSSL_NO_TLS1
1587 prot = TLS1_VERSION;
1594 #ifndef OPENSSL_NO_SSL3
1595 prot = SSL3_VERSION;
1602 #ifndef OPENSSL_NO_DTLS1_2
1603 prot = DTLS1_2_VERSION;
1604 smeth = DTLS_server_method();
1605 cmeth = DTLS_client_method();
1612 #ifndef OPENSSL_NO_DTLS1
1613 prot = DTLS1_VERSION;
1614 smeth = DTLS_server_method();
1615 cmeth = DTLS_client_method();
1622 /* Shouldn't happen */
1626 if ((prot < TLS1_2_VERSION || prot == DTLS1_VERSION) && is_fips)
1629 /* Maximal sized message of zeros */
1630 msg = OPENSSL_zalloc(SSL3_RT_MAX_PLAIN_LENGTH);
1634 buf = OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH + 1);
1637 /* Set whole buffer to all bits set */
1638 memset(buf, 0xff, SSL3_RT_MAX_PLAIN_LENGTH + 1);
1640 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, prot, prot,
1641 &sctx, &cctx, cert, privkey)))
1644 if (prot < TLS1_2_VERSION || prot == DTLS1_VERSION) {
1645 /* Older protocol versions need SECLEVEL=0 due to SHA1 usage */
1646 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0"))
1647 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
1648 "DEFAULT:@SECLEVEL=0")))
1652 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1653 &clientssl, NULL, NULL)))
1656 if ((tst & 1) != 0) {
1657 /* Setting this option gives us a minimally sized underlying buffer */
1658 if (!TEST_true(SSL_set_options(serverssl,
1659 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
1660 || !TEST_true(SSL_set_options(clientssl,
1661 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)))
1665 if ((tst & 2) != 0) {
1667 * Setting this option means the MAC is added before encryption
1668 * giving us a larger record for the encryption process
1670 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC))
1671 || !TEST_true(SSL_set_options(clientssl,
1672 SSL_OP_NO_ENCRYPT_THEN_MAC)))
1676 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1679 if (!TEST_true(SSL_write_ex(clientssl, msg, SSL3_RT_MAX_PLAIN_LENGTH,
1681 || !TEST_size_t_eq(written, SSL3_RT_MAX_PLAIN_LENGTH))
1684 /* We provide a buffer slightly larger than what we are actually expecting */
1685 if (!TEST_true(SSL_read_ex(serverssl, buf, SSL3_RT_MAX_PLAIN_LENGTH + 1,
1689 if (!TEST_mem_eq(msg, written, buf, readbytes))
1696 SSL_free(serverssl);
1697 SSL_free(clientssl);
1703 static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1704 const SSL_METHOD *cmeth,
1705 int min_version, int max_version)
1708 SSL_CTX *cctx = NULL, *sctx = NULL;
1709 SSL *clientssl = NULL, *serverssl = NULL;
1711 const unsigned char *zbuf;
1712 SSL_CONNECTION *serversc;
1715 static unsigned char cbuf[16000];
1716 static unsigned char sbuf[16000];
1718 if (!TEST_true(create_ssl_ctx_pair(libctx,
1720 min_version, max_version,
1725 #ifdef OPENSSL_NO_DTLS1_2
1726 if (smeth == DTLS_server_method()) {
1727 # ifdef OPENSSL_NO_DTLS1_2
1728 /* Not supported in the FIPS provider */
1735 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1738 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1739 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1740 "DEFAULT:@SECLEVEL=0")))
1745 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1749 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1752 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1756 for (i = 0; i < sizeof(cbuf); i++) {
1760 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1763 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1766 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1770 * Since we called SSL_peek(), we know the data in the record
1771 * layer is a plaintext record. We can gather the pointer to check
1772 * for zeroization after SSL_read().
1774 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1776 rr = serversc->rlayer.tlsrecs;
1778 zbuf = &rr->data[rr->off];
1779 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1783 * After SSL_peek() the plaintext must still be stored in the
1786 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1789 memset(sbuf, 0, sizeof(sbuf));
1790 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1793 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1796 /* Check if rbuf is cleansed */
1797 memset(cbuf, 0, sizeof(cbuf));
1798 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1803 SSL_free(serverssl);
1804 SSL_free(clientssl);
1811 static int test_cleanse_plaintext(void)
1813 #if !defined(OPENSSL_NO_TLS1_2)
1814 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1815 TLS_client_method(),
1822 #if !defined(OSSL_NO_USABLE_TLS1_3)
1823 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1824 TLS_client_method(),
1830 #if !defined(OPENSSL_NO_DTLS)
1832 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1833 DTLS_client_method(),
1841 #ifndef OPENSSL_NO_OCSP
1842 static int ocsp_server_cb(SSL *s, void *arg)
1844 int *argi = (int *)arg;
1845 unsigned char *copy = NULL;
1846 STACK_OF(OCSP_RESPID) *ids = NULL;
1847 OCSP_RESPID *id = NULL;
1850 /* In this test we are expecting exactly 1 OCSP_RESPID */
1851 SSL_get_tlsext_status_ids(s, &ids);
1852 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1853 return SSL_TLSEXT_ERR_ALERT_FATAL;
1855 id = sk_OCSP_RESPID_value(ids, 0);
1856 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1857 return SSL_TLSEXT_ERR_ALERT_FATAL;
1858 } else if (*argi != 1) {
1859 return SSL_TLSEXT_ERR_ALERT_FATAL;
1862 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1863 return SSL_TLSEXT_ERR_ALERT_FATAL;
1865 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1866 sizeof(orespder)))) {
1868 return SSL_TLSEXT_ERR_ALERT_FATAL;
1870 ocsp_server_called = 1;
1871 return SSL_TLSEXT_ERR_OK;
1874 static int ocsp_client_cb(SSL *s, void *arg)
1876 int *argi = (int *)arg;
1877 const unsigned char *respderin;
1880 if (*argi != 1 && *argi != 2)
1883 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1884 if (!TEST_mem_eq(orespder, len, respderin, len))
1887 ocsp_client_called = 1;
1891 static int test_tlsext_status_type(void)
1893 SSL_CTX *cctx = NULL, *sctx = NULL;
1894 SSL *clientssl = NULL, *serverssl = NULL;
1896 STACK_OF(OCSP_RESPID) *ids = NULL;
1897 OCSP_RESPID *id = NULL;
1898 BIO *certbio = NULL;
1900 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1902 &sctx, &cctx, cert, privkey))
1905 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1908 /* First just do various checks getting and setting tlsext_status_type */
1910 clientssl = SSL_new(cctx);
1911 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1912 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1913 TLSEXT_STATUSTYPE_ocsp))
1914 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1915 TLSEXT_STATUSTYPE_ocsp))
1918 SSL_free(clientssl);
1921 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1922 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1925 clientssl = SSL_new(cctx);
1926 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1928 SSL_free(clientssl);
1932 * Now actually do a handshake and check OCSP information is exchanged and
1933 * the callbacks get called
1935 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1936 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1937 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1938 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1939 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1940 &clientssl, NULL, NULL))
1941 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1943 || !TEST_true(ocsp_client_called)
1944 || !TEST_true(ocsp_server_called))
1946 SSL_free(serverssl);
1947 SSL_free(clientssl);
1951 /* Try again but this time force the server side callback to fail */
1952 ocsp_client_called = 0;
1953 ocsp_server_called = 0;
1955 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1956 &clientssl, NULL, NULL))
1957 /* This should fail because the callback will fail */
1958 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1960 || !TEST_false(ocsp_client_called)
1961 || !TEST_false(ocsp_server_called))
1963 SSL_free(serverssl);
1964 SSL_free(clientssl);
1969 * This time we'll get the client to send an OCSP_RESPID that it will
1972 ocsp_client_called = 0;
1973 ocsp_server_called = 0;
1975 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1976 &clientssl, NULL, NULL)))
1980 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1981 * specific one. We'll use the server cert.
1983 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1984 || !TEST_ptr(id = OCSP_RESPID_new())
1985 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1986 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
1987 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
1988 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1989 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1992 SSL_set_tlsext_status_ids(clientssl, ids);
1993 /* Control has been transferred */
1999 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2001 || !TEST_true(ocsp_client_called)
2002 || !TEST_true(ocsp_server_called))
2008 SSL_free(serverssl);
2009 SSL_free(clientssl);
2012 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
2013 OCSP_RESPID_free(id);
2015 X509_free(ocspcert);
2022 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
2023 static int new_called, remove_called, get_called;
2025 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
2029 * sess has been up-refed for us, but we don't actually need it so free it
2032 SSL_SESSION_free(sess);
2036 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
2041 static SSL_SESSION *get_sess_val = NULL;
2043 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
2048 return get_sess_val;
2051 static int execute_test_session(int maxprot, int use_int_cache,
2052 int use_ext_cache, long s_options)
2054 SSL_CTX *sctx = NULL, *cctx = NULL;
2055 SSL *serverssl1 = NULL, *clientssl1 = NULL;
2056 SSL *serverssl2 = NULL, *clientssl2 = NULL;
2057 # ifndef OPENSSL_NO_TLS1_1
2058 SSL *serverssl3 = NULL, *clientssl3 = NULL;
2060 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
2061 int testresult = 0, numnewsesstick = 1;
2063 new_called = remove_called = 0;
2065 /* TLSv1.3 sends 2 NewSessionTickets */
2066 if (maxprot == TLS1_3_VERSION)
2069 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2070 TLS_client_method(), TLS1_VERSION, 0,
2071 &sctx, &cctx, cert, privkey)))
2075 * Only allow the max protocol version so we can force a connection failure
2078 SSL_CTX_set_min_proto_version(cctx, maxprot);
2079 SSL_CTX_set_max_proto_version(cctx, maxprot);
2081 /* Set up session cache */
2082 if (use_ext_cache) {
2083 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2084 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
2086 if (use_int_cache) {
2087 /* Also covers instance where both are set */
2088 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
2090 SSL_CTX_set_session_cache_mode(cctx,
2091 SSL_SESS_CACHE_CLIENT
2092 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2096 SSL_CTX_set_options(sctx, s_options);
2099 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2101 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2103 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2106 /* Should fail because it should already be in the cache */
2107 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
2110 && (!TEST_int_eq(new_called, numnewsesstick)
2112 || !TEST_int_eq(remove_called, 0)))
2115 new_called = remove_called = 0;
2116 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2117 &clientssl2, NULL, NULL))
2118 || !TEST_true(SSL_set_session(clientssl2, sess1))
2119 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2121 || !TEST_true(SSL_session_reused(clientssl2)))
2124 if (maxprot == TLS1_3_VERSION) {
2126 * In TLSv1.3 we should have created a new session even though we have
2127 * resumed. Since we attempted a resume we should also have removed the
2128 * old ticket from the cache so that we try to only use tickets once.
2131 && (!TEST_int_eq(new_called, 1)
2132 || !TEST_int_eq(remove_called, 1)))
2136 * In TLSv1.2 we expect to have resumed so no sessions added or
2140 && (!TEST_int_eq(new_called, 0)
2141 || !TEST_int_eq(remove_called, 0)))
2145 SSL_SESSION_free(sess1);
2146 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
2148 shutdown_ssl_connection(serverssl2, clientssl2);
2149 serverssl2 = clientssl2 = NULL;
2151 new_called = remove_called = 0;
2152 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2153 &clientssl2, NULL, NULL))
2154 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2158 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2162 && (!TEST_int_eq(new_called, numnewsesstick)
2163 || !TEST_int_eq(remove_called, 0)))
2166 new_called = remove_called = 0;
2168 * This should clear sess2 from the cache because it is a "bad" session.
2169 * See SSL_set_session() documentation.
2171 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2174 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2176 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2179 if (use_int_cache) {
2180 /* Should succeeded because it should not already be in the cache */
2181 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
2182 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
2186 new_called = remove_called = 0;
2187 /* This shouldn't be in the cache so should fail */
2188 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2192 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2195 # if !defined(OPENSSL_NO_TLS1_1)
2196 new_called = remove_called = 0;
2197 /* Force a connection failure */
2198 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
2199 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
2200 &clientssl3, NULL, NULL))
2201 || !TEST_true(SSL_set_session(clientssl3, sess1))
2202 /* This should fail because of the mismatched protocol versions */
2203 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
2207 /* We should have automatically removed the session from the cache */
2209 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2212 /* Should succeed because it should not already be in the cache */
2213 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
2217 /* Now do some tests for server side caching */
2218 if (use_ext_cache) {
2219 SSL_CTX_sess_set_new_cb(cctx, NULL);
2220 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2221 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2222 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2223 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2224 get_sess_val = NULL;
2227 SSL_CTX_set_session_cache_mode(cctx, 0);
2228 /* Internal caching is the default on the server side */
2230 SSL_CTX_set_session_cache_mode(sctx,
2231 SSL_SESS_CACHE_SERVER
2232 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2234 SSL_free(serverssl1);
2235 SSL_free(clientssl1);
2236 serverssl1 = clientssl1 = NULL;
2237 SSL_free(serverssl2);
2238 SSL_free(clientssl2);
2239 serverssl2 = clientssl2 = NULL;
2240 SSL_SESSION_free(sess1);
2242 SSL_SESSION_free(sess2);
2245 SSL_CTX_set_max_proto_version(sctx, maxprot);
2246 if (maxprot == TLS1_2_VERSION)
2247 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
2248 new_called = remove_called = get_called = 0;
2249 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2251 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2253 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2254 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2257 if (use_int_cache) {
2258 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2260 * In TLSv1.3 it should not have been added to the internal cache,
2261 * except in the case where we also have an external cache (in that
2262 * case it gets added to the cache in order to generate remove
2263 * events after timeout).
2265 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2268 /* Should fail because it should already be in the cache */
2269 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2274 if (use_ext_cache) {
2275 SSL_SESSION *tmp = sess2;
2277 if (!TEST_int_eq(new_called, numnewsesstick)
2278 || !TEST_int_eq(remove_called, 0)
2279 || !TEST_int_eq(get_called, 0))
2282 * Delete the session from the internal cache to force a lookup from
2283 * the external cache. We take a copy first because
2284 * SSL_CTX_remove_session() also marks the session as non-resumable.
2286 if (use_int_cache && maxprot != TLS1_3_VERSION) {
2287 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2288 || !TEST_true(sess2->owner != NULL)
2289 || !TEST_true(tmp->owner == NULL)
2290 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2292 SSL_SESSION_free(sess2);
2297 new_called = remove_called = get_called = 0;
2298 get_sess_val = sess2;
2299 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2300 &clientssl2, NULL, NULL))
2301 || !TEST_true(SSL_set_session(clientssl2, sess1))
2302 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2304 || !TEST_true(SSL_session_reused(clientssl2)))
2307 if (use_ext_cache) {
2308 if (!TEST_int_eq(remove_called, 0))
2311 if (maxprot == TLS1_3_VERSION) {
2312 if (!TEST_int_eq(new_called, 1)
2313 || !TEST_int_eq(get_called, 0))
2316 if (!TEST_int_eq(new_called, 0)
2317 || !TEST_int_eq(get_called, 1))
2322 * Make a small cache, force out all other sessions but
2323 * sess2, try to add sess1, which should succeed. Then
2324 * make sure it's there by checking the owners. Despite
2325 * the timeouts, sess1 should have kicked out sess2
2328 /* Make sess1 expire before sess2 */
2329 if (!TEST_long_gt(SSL_SESSION_set_time(sess1, 1000), 0)
2330 || !TEST_long_gt(SSL_SESSION_set_timeout(sess1, 1000), 0)
2331 || !TEST_long_gt(SSL_SESSION_set_time(sess2, 2000), 0)
2332 || !TEST_long_gt(SSL_SESSION_set_timeout(sess2, 2000), 0))
2335 if (!TEST_long_ne(SSL_CTX_sess_set_cache_size(sctx, 1), 0))
2338 /* Don't care about results - cache should only be sess2 at end */
2339 SSL_CTX_add_session(sctx, sess1);
2340 SSL_CTX_add_session(sctx, sess2);
2342 /* Now add sess1, and make sure it remains, despite timeout */
2343 if (!TEST_true(SSL_CTX_add_session(sctx, sess1))
2344 || !TEST_ptr(sess1->owner)
2345 || !TEST_ptr_null(sess2->owner))
2351 SSL_free(serverssl1);
2352 SSL_free(clientssl1);
2353 SSL_free(serverssl2);
2354 SSL_free(clientssl2);
2355 # ifndef OPENSSL_NO_TLS1_1
2356 SSL_free(serverssl3);
2357 SSL_free(clientssl3);
2359 SSL_SESSION_free(sess1);
2360 SSL_SESSION_free(sess2);
2366 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2368 static int test_session_with_only_int_cache(void)
2370 #ifndef OSSL_NO_USABLE_TLS1_3
2371 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
2375 #ifndef OPENSSL_NO_TLS1_2
2376 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
2382 static int test_session_with_only_ext_cache(void)
2384 #ifndef OSSL_NO_USABLE_TLS1_3
2385 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
2389 #ifndef OPENSSL_NO_TLS1_2
2390 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
2396 static int test_session_with_both_cache(void)
2398 #ifndef OSSL_NO_USABLE_TLS1_3
2399 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2403 #ifndef OPENSSL_NO_TLS1_2
2404 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2410 static int test_session_wo_ca_names(void)
2412 #ifndef OSSL_NO_USABLE_TLS1_3
2413 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
2417 #ifndef OPENSSL_NO_TLS1_2
2418 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
2425 #ifndef OSSL_NO_USABLE_TLS1_3
2426 static SSL_SESSION *sesscache[6];
2427 static int do_cache;
2429 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2432 sesscache[new_called] = sess;
2434 /* We don't need the reference to the session, so free it */
2435 SSL_SESSION_free(sess);
2442 static int post_handshake_verify(SSL *sssl, SSL *cssl)
2444 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2445 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2448 /* Start handshake on the server and client */
2449 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2450 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2451 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2452 || !TEST_true(create_ssl_connection(sssl, cssl,
2459 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
2462 int sess_id_ctx = 1;
2464 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2465 TLS_client_method(), TLS1_VERSION, 0,
2466 sctx, cctx, cert, privkey))
2467 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2468 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2469 (void *)&sess_id_ctx,
2470 sizeof(sess_id_ctx))))
2474 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2476 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2477 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2478 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2483 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2485 SSL *serverssl = NULL, *clientssl = NULL;
2488 /* Test that we can resume with all the tickets we got given */
2489 for (i = 0; i < idx * 2; i++) {
2491 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2492 &clientssl, NULL, NULL))
2493 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2496 SSL_set_post_handshake_auth(clientssl, 1);
2498 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2503 * Following a successful resumption we only get 1 ticket. After a
2504 * failed one we should get idx tickets.
2507 if (!TEST_true(SSL_session_reused(clientssl))
2508 || !TEST_int_eq(new_called, 1))
2511 if (!TEST_false(SSL_session_reused(clientssl))
2512 || !TEST_int_eq(new_called, idx))
2517 /* After a post-handshake authentication we should get 1 new ticket */
2519 && (!post_handshake_verify(serverssl, clientssl)
2520 || !TEST_int_eq(new_called, 1)))
2523 SSL_shutdown(clientssl);
2524 SSL_shutdown(serverssl);
2525 SSL_free(serverssl);
2526 SSL_free(clientssl);
2527 serverssl = clientssl = NULL;
2528 SSL_SESSION_free(sesscache[i]);
2529 sesscache[i] = NULL;
2535 SSL_free(clientssl);
2536 SSL_free(serverssl);
2540 static int test_tickets(int stateful, int idx)
2542 SSL_CTX *sctx = NULL, *cctx = NULL;
2543 SSL *serverssl = NULL, *clientssl = NULL;
2547 /* idx is the test number, but also the number of tickets we want */
2552 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2555 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2556 &clientssl, NULL, NULL)))
2559 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2561 /* Check we got the number of tickets we were expecting */
2562 || !TEST_int_eq(idx, new_called))
2565 SSL_shutdown(clientssl);
2566 SSL_shutdown(serverssl);
2567 SSL_free(serverssl);
2568 SSL_free(clientssl);
2571 clientssl = serverssl = NULL;
2575 * Now we try to resume with the tickets we previously created. The
2576 * resumption attempt is expected to fail (because we're now using a new
2577 * SSL_CTX). We should see idx number of tickets issued again.
2580 /* Stop caching sessions - just count them */
2583 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2586 if (!check_resumption(idx, sctx, cctx, 0))
2589 /* Start again with caching sessions */
2596 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2599 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2600 &clientssl, NULL, NULL)))
2603 SSL_set_post_handshake_auth(clientssl, 1);
2605 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2607 /* Check we got the number of tickets we were expecting */
2608 || !TEST_int_eq(idx, new_called))
2611 /* After a post-handshake authentication we should get new tickets issued */
2612 if (!post_handshake_verify(serverssl, clientssl)
2613 || !TEST_int_eq(idx * 2, new_called))
2616 SSL_shutdown(clientssl);
2617 SSL_shutdown(serverssl);
2618 SSL_free(serverssl);
2619 SSL_free(clientssl);
2620 serverssl = clientssl = NULL;
2622 /* Stop caching sessions - just count them */
2626 * Check we can resume with all the tickets we created. This time around the
2627 * resumptions should all be successful.
2629 if (!check_resumption(idx, sctx, cctx, 1))
2635 SSL_free(serverssl);
2636 SSL_free(clientssl);
2637 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2638 SSL_SESSION_free(sesscache[j]);
2639 sesscache[j] = NULL;
2647 static int test_stateless_tickets(int idx)
2649 return test_tickets(0, idx);
2652 static int test_stateful_tickets(int idx)
2654 return test_tickets(1, idx);
2657 static int test_psk_tickets(void)
2659 SSL_CTX *sctx = NULL, *cctx = NULL;
2660 SSL *serverssl = NULL, *clientssl = NULL;
2662 int sess_id_ctx = 1;
2664 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2665 TLS_client_method(), TLS1_VERSION, 0,
2666 &sctx, &cctx, NULL, NULL))
2667 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2668 (void *)&sess_id_ctx,
2669 sizeof(sess_id_ctx))))
2672 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2673 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2674 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2675 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2676 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2677 use_session_cb_cnt = 0;
2678 find_session_cb_cnt = 0;
2682 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2685 clientpsk = serverpsk = create_a_psk(clientssl, SHA384_DIGEST_LENGTH);
2686 if (!TEST_ptr(clientpsk))
2688 SSL_SESSION_up_ref(clientpsk);
2690 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2692 || !TEST_int_eq(1, find_session_cb_cnt)
2693 || !TEST_int_eq(1, use_session_cb_cnt)
2694 /* We should always get 1 ticket when using external PSK */
2695 || !TEST_int_eq(1, new_called))
2701 SSL_free(serverssl);
2702 SSL_free(clientssl);
2705 SSL_SESSION_free(clientpsk);
2706 SSL_SESSION_free(serverpsk);
2707 clientpsk = serverpsk = NULL;
2712 static int test_extra_tickets(int idx)
2714 SSL_CTX *sctx = NULL, *cctx = NULL;
2715 SSL *serverssl = NULL, *clientssl = NULL;
2716 BIO *bretry = BIO_new(bio_s_always_retry());
2721 unsigned char c, buf[1];
2731 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2733 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2734 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2735 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2737 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2738 &clientssl, NULL, NULL)))
2742 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2743 * incremented by both client and server.
2745 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2747 /* Check we got the number of tickets we were expecting */
2748 || !TEST_int_eq(idx * 2, new_called)
2749 || !TEST_true(SSL_new_session_ticket(serverssl))
2750 || !TEST_true(SSL_new_session_ticket(serverssl))
2751 || !TEST_int_eq(idx * 2, new_called))
2754 /* Now try a (real) write to actually send the tickets */
2756 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2757 || !TEST_size_t_eq(1, nbytes)
2758 || !TEST_int_eq(idx * 2 + 2, new_called)
2759 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2760 || !TEST_int_eq(idx * 2 + 4, new_called)
2761 || !TEST_int_eq(sizeof(buf), nbytes)
2762 || !TEST_int_eq(c, buf[0])
2763 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2766 /* Try with only requesting one new ticket, too */
2769 if (!TEST_true(SSL_new_session_ticket(serverssl))
2770 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2771 || !TEST_size_t_eq(sizeof(c), nbytes)
2772 || !TEST_int_eq(1, new_called)
2773 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2774 || !TEST_int_eq(2, new_called)
2775 || !TEST_size_t_eq(sizeof(buf), nbytes)
2776 || !TEST_int_eq(c, buf[0]))
2779 /* Do it again but use dummy writes to drive the ticket generation */
2782 if (!TEST_true(SSL_new_session_ticket(serverssl))
2783 || !TEST_true(SSL_new_session_ticket(serverssl))
2784 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2785 || !TEST_size_t_eq(0, nbytes)
2786 || !TEST_int_eq(2, new_called)
2787 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2788 || !TEST_int_eq(4, new_called))
2791 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2794 if (!TEST_true(SSL_new_session_ticket(serverssl))
2795 || !TEST_true(SSL_new_session_ticket(serverssl))
2796 || !TEST_true(SSL_do_handshake(serverssl))
2797 || !TEST_int_eq(2, new_called)
2798 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2799 || !TEST_int_eq(4, new_called))
2803 * Use the always-retry BIO to exercise the logic that forces ticket
2804 * generation to wait until a record boundary.
2808 tmp = SSL_get_wbio(serverssl);
2809 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2813 SSL_set0_wbio(serverssl, bretry);
2815 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2816 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2817 || !TEST_size_t_eq(nbytes, 0))
2819 /* Restore a BIO that will let the write succeed */
2820 SSL_set0_wbio(serverssl, tmp);
2823 * These calls should just queue the request and not send anything
2824 * even if we explicitly try to hit the state machine.
2826 if (!TEST_true(SSL_new_session_ticket(serverssl))
2827 || !TEST_true(SSL_new_session_ticket(serverssl))
2828 || !TEST_int_eq(0, new_called)
2829 || !TEST_true(SSL_do_handshake(serverssl))
2830 || !TEST_int_eq(0, new_called))
2832 /* Re-do the write; still no tickets sent */
2833 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2834 || !TEST_size_t_eq(1, nbytes)
2835 || !TEST_int_eq(0, new_called)
2836 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2837 || !TEST_int_eq(0, new_called)
2838 || !TEST_int_eq(sizeof(buf), nbytes)
2839 || !TEST_int_eq(c, buf[0])
2840 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2842 /* Even trying to hit the state machine now will still not send tickets */
2843 if (!TEST_true(SSL_do_handshake(serverssl))
2844 || !TEST_int_eq(0, new_called))
2846 /* Now the *next* write should send the tickets */
2848 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2849 || !TEST_size_t_eq(1, nbytes)
2850 || !TEST_int_eq(2, new_called)
2851 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2852 || !TEST_int_eq(4, new_called)
2853 || !TEST_int_eq(sizeof(buf), nbytes)
2854 || !TEST_int_eq(c, buf[0])
2855 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2858 SSL_shutdown(clientssl);
2859 SSL_shutdown(serverssl);
2865 SSL_free(serverssl);
2866 SSL_free(clientssl);
2869 clientssl = serverssl = NULL;
2878 #define USE_DEFAULT 3
2880 #define CONNTYPE_CONNECTION_SUCCESS 0
2881 #define CONNTYPE_CONNECTION_FAIL 1
2882 #define CONNTYPE_NO_CONNECTION 2
2884 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2885 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2886 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2887 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2889 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2892 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2893 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2894 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2896 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2913 * Tests calls to SSL_set_bio() under various conditions.
2915 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2916 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2917 * then do more tests where we create a successful connection first using our
2918 * standard connection setup functions, and then call SSL_set_bio() with
2919 * various combinations of valid BIOs or NULL. We then repeat these tests
2920 * following a failed connection. In this last case we are looking to check that
2921 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2923 static int test_ssl_set_bio(int idx)
2925 SSL_CTX *sctx = NULL, *cctx = NULL;
2928 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2929 SSL *serverssl = NULL, *clientssl = NULL;
2930 int initrbio, initwbio, newrbio, newwbio, conntype;
2933 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2941 conntype = CONNTYPE_NO_CONNECTION;
2943 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2944 initrbio = initwbio = USE_DEFAULT;
2952 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2953 TLS_client_method(), TLS1_VERSION, 0,
2954 &sctx, &cctx, cert, privkey)))
2957 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2959 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2960 * because we reduced the number of tests in the definition of
2961 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2962 * mismatched protocol versions we will force a connection failure.
2964 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2965 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2968 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2972 if (initrbio == USE_BIO_1
2973 || initwbio == USE_BIO_1
2974 || newrbio == USE_BIO_1
2975 || newwbio == USE_BIO_1) {
2976 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2980 if (initrbio == USE_BIO_2
2981 || initwbio == USE_BIO_2
2982 || newrbio == USE_BIO_2
2983 || newwbio == USE_BIO_2) {
2984 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2988 if (initrbio != USE_DEFAULT) {
2989 setupbio(&irbio, bio1, bio2, initrbio);
2990 setupbio(&iwbio, bio1, bio2, initwbio);
2991 SSL_set_bio(clientssl, irbio, iwbio);
2994 * We want to maintain our own refs to these BIO, so do an up ref for
2995 * each BIO that will have ownership transferred in the SSL_set_bio()
3000 if (iwbio != NULL && iwbio != irbio)
3004 if (conntype != CONNTYPE_NO_CONNECTION
3005 && !TEST_true(create_ssl_connection(serverssl, clientssl,
3007 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
3010 setupbio(&nrbio, bio1, bio2, newrbio);
3011 setupbio(&nwbio, bio1, bio2, newwbio);
3014 * We will (maybe) transfer ownership again so do more up refs.
3015 * SSL_set_bio() has some really complicated ownership rules where BIOs have
3020 && (nwbio != iwbio || nrbio != nwbio))
3024 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
3027 SSL_set_bio(clientssl, nrbio, nwbio);
3036 * This test is checking that the ref counting for SSL_set_bio is correct.
3037 * If we get here and we did too many frees then we will fail in the above
3040 SSL_free(serverssl);
3041 SSL_free(clientssl);
3047 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
3049 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
3051 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
3056 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
3057 || !TEST_ptr(ssl = SSL_new(ctx))
3058 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
3059 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
3062 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
3065 * If anything goes wrong here then we could leak memory.
3067 BIO_push(sslbio, membio1);
3069 /* Verify changing the rbio/wbio directly does not cause leaks */
3070 if (change_bio != NO_BIO_CHANGE) {
3071 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
3075 if (change_bio == CHANGE_RBIO)
3076 SSL_set0_rbio(ssl, membio2);
3078 SSL_set0_wbio(ssl, membio2);
3097 static int test_ssl_bio_pop_next_bio(void)
3099 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
3102 static int test_ssl_bio_pop_ssl_bio(void)
3104 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
3107 static int test_ssl_bio_change_rbio(void)
3109 return execute_test_ssl_bio(0, CHANGE_RBIO);
3112 static int test_ssl_bio_change_wbio(void)
3114 return execute_test_ssl_bio(0, CHANGE_WBIO);
3117 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
3119 /* The list of sig algs */
3121 /* The length of the list */
3123 /* A sigalgs list in string format */
3124 const char *liststr;
3125 /* Whether setting the list should succeed */
3127 /* Whether creating a connection with the list should succeed */
3131 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
3132 # ifndef OPENSSL_NO_EC
3133 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
3134 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
3136 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
3137 static const int invalidlist2[] = {NID_sha256, NID_undef};
3138 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
3139 static const int invalidlist4[] = {NID_sha256};
3140 static const sigalgs_list testsigalgs[] = {
3141 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
3142 # ifndef OPENSSL_NO_EC
3143 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
3144 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
3146 {NULL, 0, "RSA+SHA256", 1, 1},
3147 # ifndef OPENSSL_NO_EC
3148 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
3149 {NULL, 0, "ECDSA+SHA512", 1, 0},
3151 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
3152 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
3153 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
3154 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
3155 {NULL, 0, "RSA", 0, 0},
3156 {NULL, 0, "SHA256", 0, 0},
3157 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
3158 {NULL, 0, "Invalid", 0, 0}
3161 static int test_set_sigalgs(int idx)
3163 SSL_CTX *cctx = NULL, *sctx = NULL;
3164 SSL *clientssl = NULL, *serverssl = NULL;
3166 const sigalgs_list *curr;
3169 /* Should never happen */
3170 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
3173 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
3174 curr = testctx ? &testsigalgs[idx]
3175 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
3177 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3178 TLS_client_method(), TLS1_VERSION, 0,
3179 &sctx, &cctx, cert, privkey)))
3182 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
3187 if (curr->list != NULL)
3188 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
3190 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
3194 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
3200 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
3205 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3206 &clientssl, NULL, NULL)))
3212 if (curr->list != NULL)
3213 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
3215 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
3218 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
3227 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
3235 SSL_free(serverssl);
3236 SSL_free(clientssl);
3244 #ifndef OSSL_NO_USABLE_TLS1_3
3245 static int psk_client_cb_cnt = 0;
3246 static int psk_server_cb_cnt = 0;
3248 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3249 size_t *idlen, SSL_SESSION **sess)
3251 switch (++use_session_cb_cnt) {
3253 /* The first call should always have a NULL md */
3259 /* The second call should always have an md */
3265 /* We should only be called a maximum of twice */
3269 if (clientpsk != NULL)
3270 SSL_SESSION_up_ref(clientpsk);
3273 *id = (const unsigned char *)pskid;
3274 *idlen = strlen(pskid);
3279 #ifndef OPENSSL_NO_PSK
3280 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3281 unsigned int max_id_len,
3283 unsigned int max_psk_len)
3285 unsigned int psklen = 0;
3287 psk_client_cb_cnt++;
3289 if (strlen(pskid) + 1 > max_id_len)
3292 /* We should only ever be called a maximum of twice per connection */
3293 if (psk_client_cb_cnt > 2)
3296 if (clientpsk == NULL)
3299 /* We'll reuse the PSK we set up for TLSv1.3 */
3300 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3302 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3303 strncpy(id, pskid, max_id_len);
3307 #endif /* OPENSSL_NO_PSK */
3309 static int find_session_cb(SSL *ssl, const unsigned char *identity,
3310 size_t identity_len, SSL_SESSION **sess)
3312 find_session_cb_cnt++;
3314 /* We should only ever be called a maximum of twice per connection */
3315 if (find_session_cb_cnt > 2)
3318 if (serverpsk == NULL)
3321 /* Identity should match that set by the client */
3322 if (strlen(srvid) != identity_len
3323 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3324 /* No PSK found, continue but without a PSK */
3329 SSL_SESSION_up_ref(serverpsk);
3335 #ifndef OPENSSL_NO_PSK
3336 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3337 unsigned char *psk, unsigned int max_psk_len)
3339 unsigned int psklen = 0;
3341 psk_server_cb_cnt++;
3343 /* We should only ever be called a maximum of twice per connection */
3344 if (find_session_cb_cnt > 2)
3347 if (serverpsk == NULL)
3350 /* Identity should match that set by the client */
3351 if (strcmp(srvid, identity) != 0) {
3355 /* We'll reuse the PSK we set up for TLSv1.3 */
3356 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3358 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3362 #endif /* OPENSSL_NO_PSK */
3364 #define MSG1 "Hello"
3365 #define MSG2 "World."
3370 #define MSG7 "message."
3372 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
3373 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3374 #define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3375 #define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3376 #define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
3379 static SSL_SESSION *create_a_psk(SSL *ssl, size_t mdsize)
3381 const SSL_CIPHER *cipher = NULL;
3382 const unsigned char key[] = {
3383 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3384 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3385 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3386 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3387 0x2c, 0x2d, 0x2e, 0x2f /* SHA384_DIGEST_LENGTH bytes */
3389 SSL_SESSION *sess = NULL;
3391 if (mdsize == SHA384_DIGEST_LENGTH) {
3392 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3393 } else if (mdsize == SHA256_DIGEST_LENGTH) {
3395 * Any ciphersuite using SHA256 will do - it will be compatible with
3396 * the actual ciphersuite selected as long as it too is based on SHA256
3398 cipher = SSL_CIPHER_find(ssl, TLS13_AES_128_GCM_SHA256_BYTES);
3400 /* Should not happen */
3403 sess = SSL_SESSION_new();
3405 || !TEST_ptr(cipher)
3406 || !TEST_true(SSL_SESSION_set1_master_key(sess, key, mdsize))
3407 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3409 SSL_SESSION_set_protocol_version(sess,
3411 SSL_SESSION_free(sess);
3417 static int artificial_ticket_time = 0;
3419 static int ed_gen_cb(SSL *s, void *arg)
3421 SSL_SESSION *sess = SSL_get0_session(s);
3427 * Artificially give the ticket some age. Just do it for the number of
3428 * tickets we've been told to do.
3430 if (artificial_ticket_time == 0)
3432 artificial_ticket_time--;
3434 if (SSL_SESSION_set_time(sess, SSL_SESSION_get_time(sess) - 10) == 0)
3441 * Helper method to setup objects for early data test. Caller frees objects on
3444 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3445 SSL **serverssl, SSL_SESSION **sess, int idx,
3448 int artificial = (artificial_ticket_time > 0);
3451 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3452 TLS_client_method(),
3454 sctx, cctx, cert, privkey)))
3458 SSL_CTX_set_session_ticket_cb(*sctx, ed_gen_cb, NULL, NULL);
3460 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
3464 /* When idx == 1 we repeat the tests with read_ahead set */
3465 SSL_CTX_set_read_ahead(*cctx, 1);
3466 SSL_CTX_set_read_ahead(*sctx, 1);
3467 } else if (idx == 2) {
3468 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3469 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3470 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3471 use_session_cb_cnt = 0;
3472 find_session_cb_cnt = 0;
3476 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
3481 * For one of the run throughs (doesn't matter which one), we'll try sending
3482 * some SNI data in the initial ClientHello. This will be ignored (because
3483 * there is no SNI cb set up by the server), so it should not impact
3487 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3491 clientpsk = create_a_psk(*clientssl, mdsize);
3492 if (!TEST_ptr(clientpsk)
3494 * We just choose an arbitrary value for max_early_data which
3495 * should be big enough for testing purposes.
3497 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3499 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3500 SSL_SESSION_free(clientpsk);
3504 serverpsk = clientpsk;
3507 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3508 SSL_SESSION_free(clientpsk);
3509 SSL_SESSION_free(serverpsk);
3510 clientpsk = serverpsk = NULL;
3521 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3525 *sess = SSL_get1_session(*clientssl);
3526 SSL_shutdown(*clientssl);
3527 SSL_shutdown(*serverssl);
3528 SSL_free(*serverssl);
3529 SSL_free(*clientssl);
3530 *serverssl = *clientssl = NULL;
3533 * Artificially give the ticket some age to match the artificial age we
3534 * gave it on the server side
3537 && !TEST_long_gt(SSL_SESSION_set_time(*sess,
3538 SSL_SESSION_get_time(*sess) - 10), 0))
3541 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3542 clientssl, NULL, NULL))
3543 || !TEST_true(SSL_set_session(*clientssl, *sess)))
3549 static int test_early_data_read_write(int idx)
3551 SSL_CTX *cctx = NULL, *sctx = NULL;
3552 SSL *clientssl = NULL, *serverssl = NULL;
3554 SSL_SESSION *sess = NULL;
3555 unsigned char buf[20], data[1024];
3556 size_t readbytes, written, eoedlen, rawread, rawwritten;
3559 /* Artificially give the next 2 tickets some age for non PSK sessions */
3561 artificial_ticket_time = 2;
3562 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3563 &serverssl, &sess, idx,
3564 SHA384_DIGEST_LENGTH))) {
3565 artificial_ticket_time = 0;
3568 artificial_ticket_time = 0;
3570 /* Write and read some early data */
3571 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3573 || !TEST_size_t_eq(written, strlen(MSG1))
3574 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3575 sizeof(buf), &readbytes),
3576 SSL_READ_EARLY_DATA_SUCCESS)
3577 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3578 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3579 SSL_EARLY_DATA_ACCEPTED))
3583 * Server should be able to write data, and client should be able to
3586 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3588 || !TEST_size_t_eq(written, strlen(MSG2))
3589 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3590 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3593 /* Even after reading normal data, client should be able write early data */
3594 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3596 || !TEST_size_t_eq(written, strlen(MSG3)))
3599 /* Server should still be able read early data after writing data */
3600 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3602 SSL_READ_EARLY_DATA_SUCCESS)
3603 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3606 /* Write more data from server and read it from client */
3607 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3609 || !TEST_size_t_eq(written, strlen(MSG4))
3610 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3611 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3615 * If client writes normal data it should mean writing early data is no
3618 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3619 || !TEST_size_t_eq(written, strlen(MSG5))
3620 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3621 SSL_EARLY_DATA_ACCEPTED))
3625 * At this point the client has written EndOfEarlyData, ClientFinished and
3626 * normal (fully protected) data. We are going to cause a delay between the
3627 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3628 * in the read BIO, and then just put back the EndOfEarlyData message.
3630 rbio = SSL_get_rbio(serverssl);
3631 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3632 || !TEST_size_t_lt(rawread, sizeof(data))
3633 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3636 /* Record length is in the 4th and 5th bytes of the record header */
3637 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3638 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3639 || !TEST_size_t_eq(rawwritten, eoedlen))
3642 /* Server should be told that there is no more early data */
3643 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3645 SSL_READ_EARLY_DATA_FINISH)
3646 || !TEST_size_t_eq(readbytes, 0))
3650 * Server has not finished init yet, so should still be able to write early
3653 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3655 || !TEST_size_t_eq(written, strlen(MSG6)))
3658 /* Push the ClientFinished and the normal data back into the server rbio */
3659 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3661 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3664 /* Server should be able to read normal data */
3665 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3666 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3669 /* Client and server should not be able to write/read early data now */
3670 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3674 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3676 SSL_READ_EARLY_DATA_ERROR))
3680 /* Client should be able to read the data sent by the server */
3681 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3682 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3686 * Make sure we process the two NewSessionTickets. These arrive
3687 * post-handshake. We attempt reads which we do not expect to return any
3690 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3691 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3695 /* Server should be able to write normal data */
3696 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3697 || !TEST_size_t_eq(written, strlen(MSG7))
3698 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3699 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3702 SSL_SESSION_free(sess);
3703 sess = SSL_get1_session(clientssl);
3704 use_session_cb_cnt = 0;
3705 find_session_cb_cnt = 0;
3707 SSL_shutdown(clientssl);
3708 SSL_shutdown(serverssl);
3709 SSL_free(serverssl);
3710 SSL_free(clientssl);
3711 serverssl = clientssl = NULL;
3712 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3713 &clientssl, NULL, NULL))
3714 || !TEST_true(SSL_set_session(clientssl, sess)))
3717 /* Write and read some early data */
3718 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3720 || !TEST_size_t_eq(written, strlen(MSG1))
3721 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3723 SSL_READ_EARLY_DATA_SUCCESS)
3724 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3727 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3728 || !TEST_int_gt(SSL_accept(serverssl), 0))
3731 /* Client and server should not be able to write/read early data now */
3732 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3736 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3738 SSL_READ_EARLY_DATA_ERROR))
3742 /* Client and server should be able to write/read normal data */
3743 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3744 || !TEST_size_t_eq(written, strlen(MSG5))
3745 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3746 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3752 SSL_SESSION_free(sess);
3753 SSL_SESSION_free(clientpsk);
3754 SSL_SESSION_free(serverpsk);
3755 clientpsk = serverpsk = NULL;
3756 SSL_free(serverssl);
3757 SSL_free(clientssl);
3763 static int allow_ed_cb_called = 0;
3765 static int allow_early_data_cb(SSL *s, void *arg)
3767 int *usecb = (int *)arg;
3769 allow_ed_cb_called++;
3778 * idx == 0: Standard early_data setup
3779 * idx == 1: early_data setup using read_ahead
3780 * usecb == 0: Don't use a custom early data callback
3781 * usecb == 1: Use a custom early data callback and reject the early data
3782 * usecb == 2: Use a custom early data callback and accept the early data
3783 * confopt == 0: Configure anti-replay directly
3784 * confopt == 1: Configure anti-replay using SSL_CONF
3786 static int test_early_data_replay_int(int idx, int usecb, int confopt)
3788 SSL_CTX *cctx = NULL, *sctx = NULL;
3789 SSL *clientssl = NULL, *serverssl = NULL;
3791 SSL_SESSION *sess = NULL;
3792 size_t readbytes, written;
3793 unsigned char buf[20];
3795 allow_ed_cb_called = 0;
3797 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3798 TLS_client_method(), TLS1_VERSION, 0,
3799 &sctx, &cctx, cert, privkey)))
3804 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3806 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3808 if (!TEST_ptr(confctx))
3810 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3811 | SSL_CONF_FLAG_SERVER);
3812 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3813 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3815 SSL_CONF_CTX_free(confctx);
3818 SSL_CONF_CTX_free(confctx);
3820 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3823 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3824 &serverssl, &sess, idx,
3825 SHA384_DIGEST_LENGTH)))
3829 * The server is configured to accept early data. Create a connection to
3830 * "use up" the ticket
3832 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3833 || !TEST_true(SSL_session_reused(clientssl)))
3836 SSL_shutdown(clientssl);
3837 SSL_shutdown(serverssl);
3838 SSL_free(serverssl);
3839 SSL_free(clientssl);
3840 serverssl = clientssl = NULL;
3842 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3843 &clientssl, NULL, NULL))
3844 || !TEST_true(SSL_set_session(clientssl, sess)))
3847 /* Write and read some early data */
3848 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3850 || !TEST_size_t_eq(written, strlen(MSG1)))
3854 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3856 SSL_READ_EARLY_DATA_FINISH)
3858 * The ticket was reused, so the we should have rejected the
3861 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3862 SSL_EARLY_DATA_REJECTED))
3865 /* In this case the callback decides to accept the early data */
3866 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3868 SSL_READ_EARLY_DATA_SUCCESS)
3869 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3871 * Server will have sent its flight so client can now send
3872 * end of early data and complete its half of the handshake
3874 || !TEST_int_gt(SSL_connect(clientssl), 0)
3875 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3877 SSL_READ_EARLY_DATA_FINISH)
3878 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3879 SSL_EARLY_DATA_ACCEPTED))
3883 /* Complete the connection */
3884 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3885 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3886 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3892 SSL_SESSION_free(sess);
3893 SSL_SESSION_free(clientpsk);
3894 SSL_SESSION_free(serverpsk);
3895 clientpsk = serverpsk = NULL;
3896 SSL_free(serverssl);
3897 SSL_free(clientssl);
3903 static int test_early_data_replay(int idx)
3905 int ret = 1, usecb, confopt;
3907 for (usecb = 0; usecb < 3; usecb++) {
3908 for (confopt = 0; confopt < 2; confopt++)
3909 ret &= test_early_data_replay_int(idx, usecb, confopt);
3915 static const char *ciphersuites[] = {
3916 "TLS_AES_128_CCM_8_SHA256",
3917 "TLS_AES_128_GCM_SHA256",
3918 "TLS_AES_256_GCM_SHA384",
3919 "TLS_AES_128_CCM_SHA256",
3920 #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3921 "TLS_CHACHA20_POLY1305_SHA256"
3926 * Helper function to test that a server attempting to read early data can
3927 * handle a connection from a client where the early data should be skipped.
3928 * testtype: 0 == No HRR
3929 * testtype: 1 == HRR
3930 * testtype: 2 == HRR, invalid early_data sent after HRR
3931 * testtype: 3 == recv_max_early_data set to 0
3933 static int early_data_skip_helper(int testtype, int cipher, int idx)
3935 SSL_CTX *cctx = NULL, *sctx = NULL;
3936 SSL *clientssl = NULL, *serverssl = NULL;
3938 SSL_SESSION *sess = NULL;
3939 unsigned char buf[20];
3940 size_t readbytes, written;
3942 if (is_fips && cipher == 4)
3945 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3946 TLS_client_method(),
3948 &sctx, &cctx, cert, privkey)))
3952 SSL_CTX_set_security_level(sctx, 0);
3953 SSL_CTX_set_security_level(cctx, 0);
3956 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, ciphersuites[cipher]))
3957 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, ciphersuites[cipher])))
3960 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3961 &serverssl, &sess, idx,
3962 cipher == 2 ? SHA384_DIGEST_LENGTH
3963 : SHA256_DIGEST_LENGTH)))
3966 if (testtype == 1 || testtype == 2) {
3967 /* Force an HRR to occur */
3968 #if defined(OPENSSL_NO_EC)
3969 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3972 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3975 } else if (idx == 2) {
3977 * We force early_data rejection by ensuring the PSK identity is
3980 srvid = "Dummy Identity";
3983 * Deliberately corrupt the creation time. We take 20 seconds off the
3984 * time. It could be any value as long as it is not within tolerance.
3985 * This should mean the ticket is rejected.
3987 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3992 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3995 /* Write some early data */
3996 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3998 || !TEST_size_t_eq(written, strlen(MSG1)))
4001 /* Server should reject the early data */
4002 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4004 SSL_READ_EARLY_DATA_FINISH)
4005 || !TEST_size_t_eq(readbytes, 0)
4006 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4007 SSL_EARLY_DATA_REJECTED))
4017 * Finish off the handshake. We perform the same writes and reads as
4018 * further down but we expect them to fail due to the incomplete
4021 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4022 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
4029 BIO *wbio = SSL_get_wbio(clientssl);
4030 /* A record that will appear as bad early_data */
4031 const unsigned char bad_early_data[] = {
4032 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
4036 * We force the client to attempt a write. This will fail because
4037 * we're still in the handshake. It will cause the second
4038 * ClientHello to be sent.
4040 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
4045 * Inject some early_data after the second ClientHello. This should
4046 * cause the server to fail
4048 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
4049 sizeof(bad_early_data), &written)))
4056 * This client has sent more early_data than we are willing to skip
4057 * (case 3) or sent invalid early_data (case 2) so the connection should
4060 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4061 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
4064 /* Connection has failed - nothing more to do */
4069 TEST_error("Invalid test type");
4075 * Should be able to send normal data despite rejection of early data. The
4076 * early_data should be skipped.
4078 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4079 || !TEST_size_t_eq(written, strlen(MSG2))
4080 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4081 SSL_EARLY_DATA_REJECTED)
4082 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4083 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4087 * Failure to decrypt early data records should not leave spurious errors
4088 * on the error stack
4090 if (!TEST_long_eq(ERR_peek_error(), 0))
4096 SSL_SESSION_free(clientpsk);
4097 SSL_SESSION_free(serverpsk);
4098 clientpsk = serverpsk = NULL;
4099 SSL_SESSION_free(sess);
4100 SSL_free(serverssl);
4101 SSL_free(clientssl);
4108 * Test that a server attempting to read early data can handle a connection
4109 * from a client where the early data is not acceptable.
4111 static int test_early_data_skip(int idx)
4113 return early_data_skip_helper(0,
4114 idx % OSSL_NELEM(ciphersuites),
4115 idx / OSSL_NELEM(ciphersuites));
4119 * Test that a server attempting to read early data can handle a connection
4120 * from a client where an HRR occurs.
4122 static int test_early_data_skip_hrr(int idx)
4124 return early_data_skip_helper(1,
4125 idx % OSSL_NELEM(ciphersuites),
4126 idx / OSSL_NELEM(ciphersuites));
4130 * Test that a server attempting to read early data can handle a connection
4131 * from a client where an HRR occurs and correctly fails if early_data is sent
4134 static int test_early_data_skip_hrr_fail(int idx)
4136 return early_data_skip_helper(2,
4137 idx % OSSL_NELEM(ciphersuites),
4138 idx / OSSL_NELEM(ciphersuites));
4142 * Test that a server attempting to read early data will abort if it tries to
4143 * skip over too much.
4145 static int test_early_data_skip_abort(int idx)
4147 return early_data_skip_helper(3,
4148 idx % OSSL_NELEM(ciphersuites),
4149 idx / OSSL_NELEM(ciphersuites));
4153 * Test that a server attempting to read early data can handle a connection
4154 * from a client that doesn't send any.
4156 static int test_early_data_not_sent(int idx)
4158 SSL_CTX *cctx = NULL, *sctx = NULL;
4159 SSL *clientssl = NULL, *serverssl = NULL;
4161 SSL_SESSION *sess = NULL;
4162 unsigned char buf[20];
4163 size_t readbytes, written;
4165 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4166 &serverssl, &sess, idx,
4167 SHA384_DIGEST_LENGTH)))
4170 /* Write some data - should block due to handshake with server */
4171 SSL_set_connect_state(clientssl);
4172 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4175 /* Server should detect that early data has not been sent */
4176 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4178 SSL_READ_EARLY_DATA_FINISH)
4179 || !TEST_size_t_eq(readbytes, 0)
4180 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4181 SSL_EARLY_DATA_NOT_SENT)
4182 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4183 SSL_EARLY_DATA_NOT_SENT))
4186 /* Continue writing the message we started earlier */
4187 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4188 || !TEST_size_t_eq(written, strlen(MSG1))
4189 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4190 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4191 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
4192 || !TEST_size_t_eq(written, strlen(MSG2)))
4195 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4196 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4202 SSL_SESSION_free(sess);
4203 SSL_SESSION_free(clientpsk);
4204 SSL_SESSION_free(serverpsk);
4205 clientpsk = serverpsk = NULL;
4206 SSL_free(serverssl);
4207 SSL_free(clientssl);
4213 static const char *servalpn;
4215 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
4216 unsigned char *outlen, const unsigned char *in,
4217 unsigned int inlen, void *arg)
4219 unsigned int protlen = 0;
4220 const unsigned char *prot;
4222 for (prot = in; prot < in + inlen; prot += protlen) {
4224 if (in + inlen < prot + protlen)
4225 return SSL_TLSEXT_ERR_NOACK;
4227 if (protlen == strlen(servalpn)
4228 && memcmp(prot, servalpn, protlen) == 0) {
4231 return SSL_TLSEXT_ERR_OK;
4235 return SSL_TLSEXT_ERR_NOACK;
4238 /* Test that a PSK can be used to send early_data */
4239 static int test_early_data_psk(int idx)
4241 SSL_CTX *cctx = NULL, *sctx = NULL;
4242 SSL *clientssl = NULL, *serverssl = NULL;
4244 SSL_SESSION *sess = NULL;
4245 unsigned char alpnlist[] = {
4246 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
4249 #define GOODALPNLEN 9
4250 #define BADALPNLEN 8
4251 #define GOODALPN (alpnlist)
4252 #define BADALPN (alpnlist + GOODALPNLEN)
4254 unsigned char buf[20];
4255 size_t readbytes, written;
4256 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
4257 int edstatus = SSL_EARLY_DATA_ACCEPTED;
4259 /* We always set this up with a final parameter of "2" for PSK */
4260 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4261 &serverssl, &sess, 2,
4262 SHA384_DIGEST_LENGTH)))
4265 servalpn = "goodalpn";
4268 * Note: There is no test for inconsistent SNI with late client detection.
4269 * This is because servers do not acknowledge SNI even if they are using
4270 * it in a resumption handshake - so it is not actually possible for a
4271 * client to detect a problem.
4275 /* Set inconsistent SNI (early client detection) */
4276 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
4277 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4278 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
4283 /* Set inconsistent ALPN (early client detection) */
4284 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
4285 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
4286 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
4288 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
4295 * Set invalid protocol version. Technically this affects PSKs without
4296 * early_data too, but we test it here because it is similar to the
4297 * SNI/ALPN consistency tests.
4299 err = SSL_R_BAD_PSK;
4300 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
4306 * Set inconsistent SNI (server side). In this case the connection
4307 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
4308 * is associated with each handshake - not the session. Therefore it
4309 * should not matter that we used a different server name last time.
4311 SSL_SESSION_free(serverpsk);
4312 serverpsk = SSL_SESSION_dup(clientpsk);
4313 if (!TEST_ptr(serverpsk)
4314 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
4318 /* Set consistent SNI */
4319 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4320 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
4321 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
4328 * Set inconsistent ALPN (server detected). In this case the connection
4329 * will succeed but reject early_data.
4331 servalpn = "badalpn";
4332 edstatus = SSL_EARLY_DATA_REJECTED;
4333 readearlyres = SSL_READ_EARLY_DATA_FINISH;
4337 * Set consistent ALPN.
4338 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4339 * accepts a list of protos (each one length prefixed).
4340 * SSL_set1_alpn_selected accepts a single protocol (not length
4343 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4345 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4349 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4353 /* Set inconsistent ALPN (late client detection) */
4354 SSL_SESSION_free(serverpsk);
4355 serverpsk = SSL_SESSION_dup(clientpsk);
4356 if (!TEST_ptr(serverpsk)
4357 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4360 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4363 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4366 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4367 edstatus = SSL_EARLY_DATA_ACCEPTED;
4368 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4369 /* SSL_connect() call should fail */
4374 TEST_error("Bad test index");
4378 SSL_set_connect_state(clientssl);
4380 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4382 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4383 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4386 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4390 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4391 &readbytes), readearlyres)
4392 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4393 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
4394 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4395 || !TEST_int_eq(SSL_connect(clientssl), connectres))
4402 SSL_SESSION_free(sess);
4403 SSL_SESSION_free(clientpsk);
4404 SSL_SESSION_free(serverpsk);
4405 clientpsk = serverpsk = NULL;
4406 SSL_free(serverssl);
4407 SSL_free(clientssl);
4414 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4415 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4416 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4417 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4418 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4419 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4421 static int test_early_data_psk_with_all_ciphers(int idx)
4423 SSL_CTX *cctx = NULL, *sctx = NULL;
4424 SSL *clientssl = NULL, *serverssl = NULL;
4426 SSL_SESSION *sess = NULL;
4427 unsigned char buf[20];
4428 size_t readbytes, written;
4429 const SSL_CIPHER *cipher;
4430 const char *cipher_str[] = {
4431 TLS1_3_RFC_AES_128_GCM_SHA256,
4432 TLS1_3_RFC_AES_256_GCM_SHA384,
4433 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4434 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4438 TLS1_3_RFC_AES_128_CCM_SHA256,
4439 TLS1_3_RFC_AES_128_CCM_8_SHA256
4441 const unsigned char *cipher_bytes[] = {
4442 TLS13_AES_128_GCM_SHA256_BYTES,
4443 TLS13_AES_256_GCM_SHA384_BYTES,
4444 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4445 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4449 TLS13_AES_128_CCM_SHA256_BYTES,
4450 TLS13_AES_128_CCM_8_SHA256_BYTES
4453 if (cipher_str[idx] == NULL)
4455 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4456 if (idx == 2 && is_fips == 1)
4459 /* We always set this up with a final parameter of "2" for PSK */
4460 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4461 &serverssl, &sess, 2,
4462 SHA384_DIGEST_LENGTH)))
4466 /* CCM8 ciphers are considered low security due to their short tag */
4467 SSL_set_security_level(clientssl, 0);
4468 SSL_set_security_level(serverssl, 0);
4471 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4472 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4476 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4477 * and assigns to both client and server with incremented reference
4478 * and the same instance is updated in 'sess'.
4479 * So updating ciphersuite in 'sess' which will get reflected in
4480 * PSK handshake using psk use sess and find sess cb.
4482 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4483 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4486 SSL_set_connect_state(clientssl);
4487 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4491 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4493 SSL_READ_EARLY_DATA_SUCCESS)
4494 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4495 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4496 SSL_EARLY_DATA_ACCEPTED)
4497 || !TEST_int_eq(SSL_connect(clientssl), 1)
4498 || !TEST_int_eq(SSL_accept(serverssl), 1))
4501 /* Send some normal data from client to server */
4502 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4503 || !TEST_size_t_eq(written, strlen(MSG2)))
4506 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4507 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4512 SSL_SESSION_free(sess);
4513 SSL_SESSION_free(clientpsk);
4514 SSL_SESSION_free(serverpsk);
4515 clientpsk = serverpsk = NULL;
4516 if (clientssl != NULL)
4517 SSL_shutdown(clientssl);
4518 if (serverssl != NULL)
4519 SSL_shutdown(serverssl);
4520 SSL_free(serverssl);
4521 SSL_free(clientssl);
4528 * Test that a server that doesn't try to read early data can handle a
4529 * client sending some.
4531 static int test_early_data_not_expected(int idx)
4533 SSL_CTX *cctx = NULL, *sctx = NULL;
4534 SSL *clientssl = NULL, *serverssl = NULL;
4536 SSL_SESSION *sess = NULL;
4537 unsigned char buf[20];
4538 size_t readbytes, written;
4540 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4541 &serverssl, &sess, idx,
4542 SHA384_DIGEST_LENGTH)))
4545 /* Write some early data */
4546 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4551 * Server should skip over early data and then block waiting for client to
4552 * continue handshake
4554 if (!TEST_int_le(SSL_accept(serverssl), 0)
4555 || !TEST_int_gt(SSL_connect(clientssl), 0)
4556 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4557 SSL_EARLY_DATA_REJECTED)
4558 || !TEST_int_gt(SSL_accept(serverssl), 0)
4559 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4560 SSL_EARLY_DATA_REJECTED))
4563 /* Send some normal data from client to server */
4564 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4565 || !TEST_size_t_eq(written, strlen(MSG2)))
4568 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4569 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4575 SSL_SESSION_free(sess);
4576 SSL_SESSION_free(clientpsk);
4577 SSL_SESSION_free(serverpsk);
4578 clientpsk = serverpsk = NULL;
4579 SSL_free(serverssl);
4580 SSL_free(clientssl);
4587 # ifndef OPENSSL_NO_TLS1_2
4589 * Test that a server attempting to read early data can handle a connection
4590 * from a TLSv1.2 client.
4592 static int test_early_data_tls1_2(int idx)
4594 SSL_CTX *cctx = NULL, *sctx = NULL;
4595 SSL *clientssl = NULL, *serverssl = NULL;
4597 unsigned char buf[20];
4598 size_t readbytes, written;
4600 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4601 &serverssl, NULL, idx,
4602 SHA384_DIGEST_LENGTH)))
4605 /* Write some data - should block due to handshake with server */
4606 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4607 SSL_set_connect_state(clientssl);
4608 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4612 * Server should do TLSv1.2 handshake. First it will block waiting for more
4613 * messages from client after ServerDone. Then SSL_read_early_data should
4614 * finish and detect that early data has not been sent
4616 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4618 SSL_READ_EARLY_DATA_ERROR))
4622 * Continue writing the message we started earlier. Will still block waiting
4623 * for the CCS/Finished from server
4625 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4626 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4628 SSL_READ_EARLY_DATA_FINISH)
4629 || !TEST_size_t_eq(readbytes, 0)
4630 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4631 SSL_EARLY_DATA_NOT_SENT))
4634 /* Continue writing the message we started earlier */
4635 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4636 || !TEST_size_t_eq(written, strlen(MSG1))
4637 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4638 SSL_EARLY_DATA_NOT_SENT)
4639 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4640 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4641 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4642 || !TEST_size_t_eq(written, strlen(MSG2))
4643 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4644 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4650 SSL_SESSION_free(clientpsk);
4651 SSL_SESSION_free(serverpsk);
4652 clientpsk = serverpsk = NULL;
4653 SSL_free(serverssl);
4654 SSL_free(clientssl);
4660 # endif /* OPENSSL_NO_TLS1_2 */
4663 * Test configuring the TLSv1.3 ciphersuites
4665 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4666 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4667 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4668 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4669 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4670 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4671 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4672 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4673 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4674 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4676 static int test_set_ciphersuite(int idx)
4678 SSL_CTX *cctx = NULL, *sctx = NULL;
4679 SSL *clientssl = NULL, *serverssl = NULL;
4682 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4683 TLS_client_method(), TLS1_VERSION, 0,
4684 &sctx, &cctx, cert, privkey))
4685 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4686 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4689 if (idx >=4 && idx <= 7) {
4690 /* SSL_CTX explicit cipher list */
4691 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4695 if (idx == 0 || idx == 4) {
4696 /* Default ciphersuite */
4697 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4698 "TLS_AES_128_GCM_SHA256")))
4700 } else if (idx == 1 || idx == 5) {
4701 /* Non default ciphersuite */
4702 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4703 "TLS_AES_128_CCM_SHA256")))
4707 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4708 &clientssl, NULL, NULL)))
4711 if (idx == 8 || idx == 9) {
4712 /* SSL explicit cipher list */
4713 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4717 if (idx == 2 || idx == 6 || idx == 8) {
4718 /* Default ciphersuite */
4719 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4720 "TLS_AES_128_GCM_SHA256")))
4722 } else if (idx == 3 || idx == 7 || idx == 9) {
4723 /* Non default ciphersuite */
4724 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4725 "TLS_AES_128_CCM_SHA256")))
4729 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4735 SSL_free(serverssl);
4736 SSL_free(clientssl);
4743 static int test_ciphersuite_change(void)
4745 SSL_CTX *cctx = NULL, *sctx = NULL;
4746 SSL *clientssl = NULL, *serverssl = NULL;
4747 SSL_SESSION *clntsess = NULL;
4749 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4751 /* Create a session based on SHA-256 */
4752 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4753 TLS_client_method(), TLS1_VERSION, 0,
4754 &sctx, &cctx, cert, privkey))
4755 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4756 "TLS_AES_128_GCM_SHA256:"
4757 "TLS_AES_256_GCM_SHA384:"
4758 "TLS_AES_128_CCM_SHA256"))
4759 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4760 "TLS_AES_128_GCM_SHA256")))
4763 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4765 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4769 clntsess = SSL_get1_session(clientssl);
4770 /* Save for later */
4771 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4772 SSL_shutdown(clientssl);
4773 SSL_shutdown(serverssl);
4774 SSL_free(serverssl);
4775 SSL_free(clientssl);
4776 serverssl = clientssl = NULL;
4778 /* Check we can resume a session with a different SHA-256 ciphersuite */
4779 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4780 "TLS_AES_128_CCM_SHA256"))
4781 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4782 &clientssl, NULL, NULL))
4783 || !TEST_true(SSL_set_session(clientssl, clntsess))
4784 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4786 || !TEST_true(SSL_session_reused(clientssl)))
4789 SSL_SESSION_free(clntsess);
4790 clntsess = SSL_get1_session(clientssl);
4791 SSL_shutdown(clientssl);
4792 SSL_shutdown(serverssl);
4793 SSL_free(serverssl);
4794 SSL_free(clientssl);
4795 serverssl = clientssl = NULL;
4798 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4799 * succeeds but does not resume.
4801 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4802 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4804 || !TEST_true(SSL_set_session(clientssl, clntsess))
4805 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4807 || !TEST_false(SSL_session_reused(clientssl)))
4810 SSL_SESSION_free(clntsess);
4812 SSL_shutdown(clientssl);
4813 SSL_shutdown(serverssl);
4814 SSL_free(serverssl);
4815 SSL_free(clientssl);
4816 serverssl = clientssl = NULL;
4818 /* Create a session based on SHA384 */
4819 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4820 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4821 &clientssl, NULL, NULL))
4822 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4826 clntsess = SSL_get1_session(clientssl);
4827 SSL_shutdown(clientssl);
4828 SSL_shutdown(serverssl);
4829 SSL_free(serverssl);
4830 SSL_free(clientssl);
4831 serverssl = clientssl = NULL;
4833 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4834 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4835 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4836 "TLS_AES_256_GCM_SHA384"))
4837 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4839 || !TEST_true(SSL_set_session(clientssl, clntsess))
4841 * We use SSL_ERROR_WANT_READ below so that we can pause the
4842 * connection after the initial ClientHello has been sent to
4843 * enable us to make some session changes.
4845 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4846 SSL_ERROR_WANT_READ)))
4849 /* Trick the client into thinking this session is for a different digest */
4850 clntsess->cipher = aes_128_gcm_sha256;
4851 clntsess->cipher_id = clntsess->cipher->id;
4854 * Continue the previously started connection. Server has selected a SHA-384
4855 * ciphersuite, but client thinks the session is for SHA-256, so it should
4858 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4860 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4861 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4867 SSL_SESSION_free(clntsess);
4868 SSL_free(serverssl);
4869 SSL_free(clientssl);
4877 * Test TLSv1.3 Key exchange
4878 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4879 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4880 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4881 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4882 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4883 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4884 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4885 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4886 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4887 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4888 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4889 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4890 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4891 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4893 # ifndef OPENSSL_NO_EC
4894 static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4895 NID_secp521r1, NID_X25519, NID_X448};
4897 # ifndef OPENSSL_NO_DH
4898 static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4899 NID_ffdhe6144, NID_ffdhe8192};
4901 static int test_key_exchange(int idx)
4903 SSL_CTX *sctx = NULL, *cctx = NULL;
4904 SSL *serverssl = NULL, *clientssl = NULL;
4907 int *kexch_groups = &kexch_alg;
4908 int kexch_groups_size = 1;
4909 int max_version = TLS1_3_VERSION;
4910 char *kexch_name0 = NULL;
4913 # ifndef OPENSSL_NO_EC
4914 # ifndef OPENSSL_NO_TLS1_2
4916 max_version = TLS1_2_VERSION;
4920 kexch_groups = ecdhe_kexch_groups;
4921 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4922 kexch_name0 = "secp256r1";
4925 kexch_alg = NID_X9_62_prime256v1;
4926 kexch_name0 = "secp256r1";
4929 kexch_alg = NID_secp384r1;
4930 kexch_name0 = "secp384r1";
4933 kexch_alg = NID_secp521r1;
4934 kexch_name0 = "secp521r1";
4937 kexch_alg = NID_X25519;
4938 kexch_name0 = "x25519";
4941 kexch_alg = NID_X448;
4942 kexch_name0 = "x448";
4945 # ifndef OPENSSL_NO_DH
4946 # ifndef OPENSSL_NO_TLS1_2
4948 max_version = TLS1_2_VERSION;
4949 kexch_name0 = "ffdhe2048";
4953 kexch_groups = ffdhe_kexch_groups;
4954 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4955 kexch_name0 = "ffdhe2048";
4958 kexch_alg = NID_ffdhe2048;
4959 kexch_name0 = "ffdhe2048";
4962 kexch_alg = NID_ffdhe3072;
4963 kexch_name0 = "ffdhe3072";
4966 kexch_alg = NID_ffdhe4096;
4967 kexch_name0 = "ffdhe4096";
4970 kexch_alg = NID_ffdhe6144;
4971 kexch_name0 = "ffdhe6144";
4974 kexch_alg = NID_ffdhe8192;
4975 kexch_name0 = "ffdhe8192";
4979 /* We're skipping this test */
4983 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4984 TLS_client_method(), TLS1_VERSION,
4985 max_version, &sctx, &cctx, cert,
4989 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4990 TLS1_3_RFC_AES_128_GCM_SHA256)))
4993 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4994 TLS1_3_RFC_AES_128_GCM_SHA256)))
4997 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4998 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4999 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
5000 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
5004 * Must include an EC ciphersuite so that we send supported groups in
5007 # ifndef OPENSSL_NO_TLS1_2
5008 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5009 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5010 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
5014 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5018 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
5019 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
5022 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5026 * If Handshake succeeds the negotiated kexch alg should be the first one in
5027 * configured, except in the case of FFDHE groups (idx 13), which are
5028 * TLSv1.3 only so we expect no shared group to exist.
5030 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
5031 idx == 13 ? 0 : kexch_groups[0]))
5034 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
5038 /* We don't implement RFC 7919 named groups for TLS 1.2. */
5040 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
5042 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
5048 SSL_free(serverssl);
5049 SSL_free(clientssl);
5055 # if !defined(OPENSSL_NO_TLS1_2) \
5056 && !defined(OPENSSL_NO_EC) \
5057 && !defined(OPENSSL_NO_DH)
5058 static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
5059 int isecdhe, int idx)
5062 int *kexch_groups = &kexch_alg;
5065 numec = OSSL_NELEM(ecdhe_kexch_groups);
5066 numff = OSSL_NELEM(ffdhe_kexch_groups);
5068 kexch_alg = ecdhe_kexch_groups[idx];
5070 kexch_alg = ffdhe_kexch_groups[idx];
5073 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
5076 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
5080 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
5085 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
5088 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
5092 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
5101 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
5102 * Run through both the ECDHE and FFDHE group lists used in the previous
5103 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
5104 * confirming the expected result; then perform a resumption handshake
5105 * while offering the same group list, and another resumption handshake
5106 * offering a different group list. The returned value should be the
5107 * negotiated group for the initial handshake; for TLS 1.3 resumption
5108 * handshakes the returned value will be negotiated on the resumption
5109 * handshake itself, but for TLS 1.2 resumption handshakes the value will
5110 * be cached in the session from the original handshake, regardless of what
5111 * was offered in the resumption ClientHello.
5113 * Using E for the number of EC groups and F for the number of FF groups:
5114 * E tests of ECDHE with TLS 1.3, server only has one group
5115 * F tests of FFDHE with TLS 1.3, server only has one group
5116 * E tests of ECDHE with TLS 1.2, server only has one group
5117 * F tests of FFDHE with TLS 1.2, server only has one group
5118 * E tests of ECDHE with TLS 1.3, client sends only one group
5119 * F tests of FFDHE with TLS 1.3, client sends only one group
5120 * E tests of ECDHE with TLS 1.2, client sends only one group
5121 * F tests of FFDHE with TLS 1.2, client sends only one group
5123 static int test_negotiated_group(int idx)
5125 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
5127 SSL_CTX *sctx = NULL, *cctx = NULL;
5128 SSL *serverssl = NULL, *clientssl = NULL;
5129 SSL_SESSION *origsess = NULL;
5132 int max_version = TLS1_3_VERSION;
5134 numec = OSSL_NELEM(ecdhe_kexch_groups);
5135 numff = OSSL_NELEM(ffdhe_kexch_groups);
5136 numgroups = numec + numff;
5137 clientmulti = (idx < 2 * numgroups);
5138 idx = idx % (2 * numgroups);
5139 istls13 = (idx < numgroups);
5140 idx = idx % numgroups;
5141 isecdhe = (idx < numec);
5144 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
5146 kexch_alg = ecdhe_kexch_groups[idx];
5148 kexch_alg = ffdhe_kexch_groups[idx];
5149 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
5150 if (!istls13 && !isecdhe)
5151 expectednid = NID_undef;
5153 expectednid = kexch_alg;
5156 max_version = TLS1_2_VERSION;
5158 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5159 TLS_client_method(), TLS1_VERSION,
5160 max_version, &sctx, &cctx, cert,
5165 * Force (EC)DHE ciphers for TLS 1.2.
5166 * Be sure to enable auto tmp DH so that FFDHE can succeed.
5168 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
5169 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5170 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
5171 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
5173 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5174 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5175 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
5178 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5182 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
5186 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5189 /* Initial handshake; always the configured one */
5190 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5191 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5194 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
5197 SSL_shutdown(clientssl);
5198 SSL_shutdown(serverssl);
5199 SSL_free(serverssl);
5200 SSL_free(clientssl);
5201 serverssl = clientssl = NULL;
5203 /* First resumption attempt; use the same config as initial handshake */
5204 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5206 || !TEST_true(SSL_set_session(clientssl, origsess))
5207 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5211 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5212 || !TEST_true(SSL_session_reused(clientssl)))
5215 /* Still had better agree, since nothing changed... */
5216 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5217 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5220 SSL_shutdown(clientssl);
5221 SSL_shutdown(serverssl);
5222 SSL_free(serverssl);
5223 SSL_free(clientssl);
5224 serverssl = clientssl = NULL;
5227 * Second resumption attempt
5228 * The party that picks one group changes it, which we effectuate by
5229 * changing 'idx' and updating what we expect.
5237 expectednid = ecdhe_kexch_groups[idx];
5239 expectednid = ffdhe_kexch_groups[idx];
5240 /* Verify that we are changing what we expect. */
5241 if (!TEST_int_ne(expectednid, kexch_alg))
5244 /* TLS 1.2 only supports named groups for ECDHE. */
5246 expectednid = kexch_alg;
5250 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5252 || !TEST_true(SSL_set_session(clientssl, origsess))
5253 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5257 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5258 || !TEST_true(SSL_session_reused(clientssl)))
5261 /* Check that we get what we expected */
5262 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5263 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5268 SSL_free(serverssl);
5269 SSL_free(clientssl);
5272 SSL_SESSION_free(origsess);
5275 # endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
5278 * Test TLSv1.3 Cipher Suite
5279 * Test 0 = Set TLS1.3 cipher on context
5280 * Test 1 = Set TLS1.3 cipher on SSL
5281 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
5282 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
5284 static int test_tls13_ciphersuite(int idx)
5286 SSL_CTX *sctx = NULL, *cctx = NULL;
5287 SSL *serverssl = NULL, *clientssl = NULL;
5288 static const struct {
5289 const char *ciphername;
5293 { TLS1_3_RFC_AES_128_GCM_SHA256, 1, 0 },
5294 { TLS1_3_RFC_AES_256_GCM_SHA384, 1, 0 },
5295 { TLS1_3_RFC_AES_128_CCM_SHA256, 1, 0 },
5296 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5297 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5298 { TLS1_3_RFC_AES_256_GCM_SHA384
5299 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5301 /* CCM8 ciphers are considered low security due to their short tag */
5302 { TLS1_3_RFC_AES_128_CCM_8_SHA256
5303 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1, 1 }
5305 const char *t13_cipher = NULL;
5306 const char *t12_cipher = NULL;
5307 const char *negotiated_scipher;
5308 const char *negotiated_ccipher;
5324 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5328 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5332 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
5333 # ifdef OPENSSL_NO_TLS1_2
5334 if (max_ver == TLS1_2_VERSION)
5337 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
5338 if (is_fips && !t13_ciphers[i].fipscapable)
5340 t13_cipher = t13_ciphers[i].ciphername;
5341 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5342 TLS_client_method(),
5343 TLS1_VERSION, max_ver,
5344 &sctx, &cctx, cert, privkey)))
5347 if (t13_ciphers[i].low_security) {
5348 SSL_CTX_set_security_level(sctx, 0);
5349 SSL_CTX_set_security_level(cctx, 0);
5353 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
5354 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
5356 if (t12_cipher != NULL) {
5357 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
5358 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
5364 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5365 &clientssl, NULL, NULL)))
5369 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5370 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5372 if (t12_cipher != NULL) {
5373 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5374 || !TEST_true(SSL_set_cipher_list(clientssl,
5380 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5384 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5386 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5388 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5392 * TEST_strn_eq is used below because t13_cipher can contain
5393 * multiple ciphersuites
5395 if (max_ver == TLS1_3_VERSION
5396 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5397 strlen(negotiated_scipher)))
5400 # ifndef OPENSSL_NO_TLS1_2
5401 /* Below validation is not done when t12_cipher is NULL */
5402 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5403 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5407 SSL_free(serverssl);
5409 SSL_free(clientssl);
5420 SSL_free(serverssl);
5421 SSL_free(clientssl);
5429 * Test 0 = Test new style callbacks
5430 * Test 1 = Test both new and old style callbacks
5431 * Test 2 = Test old style callbacks
5432 * Test 3 = Test old style callbacks with no certificate
5434 static int test_tls13_psk(int idx)
5436 SSL_CTX *sctx = NULL, *cctx = NULL;
5437 SSL *serverssl = NULL, *clientssl = NULL;
5438 const SSL_CIPHER *cipher = NULL;
5439 const unsigned char key[] = {
5440 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5441 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
5442 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5443 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
5447 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5448 TLS_client_method(), TLS1_VERSION, 0,
5449 &sctx, &cctx, idx == 3 ? NULL : cert,
5450 idx == 3 ? NULL : privkey)))
5455 * We use a ciphersuite with SHA256 to ease testing old style PSK
5456 * callbacks which will always default to SHA256. This should not be
5457 * necessary if we have no cert/priv key. In that case the server should
5458 * prefer SHA256 automatically.
5460 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5461 "TLS_AES_128_GCM_SHA256")))
5465 * As noted above the server should prefer SHA256 automatically. However
5466 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5467 * code works even if we are testing with only the FIPS provider loaded.
5469 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5470 "TLS_AES_256_GCM_SHA384:"
5471 "TLS_AES_128_GCM_SHA256")))
5476 * Test 0: New style callbacks only
5477 * Test 1: New and old style callbacks (only the new ones should be used)
5478 * Test 2: Old style callbacks only
5480 if (idx == 0 || idx == 1) {
5481 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5482 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5484 #ifndef OPENSSL_NO_PSK
5486 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5487 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5491 use_session_cb_cnt = 0;
5492 find_session_cb_cnt = 0;
5493 psk_client_cb_cnt = 0;
5494 psk_server_cb_cnt = 0;
5498 * Check we can create a connection if callback decides not to send a
5501 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5503 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5505 || !TEST_false(SSL_session_reused(clientssl))
5506 || !TEST_false(SSL_session_reused(serverssl)))
5509 if (idx == 0 || idx == 1) {
5510 if (!TEST_true(use_session_cb_cnt == 1)
5511 || !TEST_true(find_session_cb_cnt == 0)
5513 * If no old style callback then below should be 0
5516 || !TEST_true(psk_client_cb_cnt == idx)
5517 || !TEST_true(psk_server_cb_cnt == 0))
5520 if (!TEST_true(use_session_cb_cnt == 0)
5521 || !TEST_true(find_session_cb_cnt == 0)
5522 || !TEST_true(psk_client_cb_cnt == 1)
5523 || !TEST_true(psk_server_cb_cnt == 0))
5527 shutdown_ssl_connection(serverssl, clientssl);
5528 serverssl = clientssl = NULL;
5529 use_session_cb_cnt = psk_client_cb_cnt = 0;
5532 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5536 /* Create the PSK */
5537 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
5538 clientpsk = SSL_SESSION_new();
5539 if (!TEST_ptr(clientpsk)
5540 || !TEST_ptr(cipher)
5541 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5543 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5544 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5546 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
5548 serverpsk = clientpsk;
5550 /* Check we can create a connection and the PSK is used */
5551 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5552 || !TEST_true(SSL_session_reused(clientssl))
5553 || !TEST_true(SSL_session_reused(serverssl)))
5556 if (idx == 0 || idx == 1) {
5557 if (!TEST_true(use_session_cb_cnt == 1)
5558 || !TEST_true(find_session_cb_cnt == 1)
5559 || !TEST_true(psk_client_cb_cnt == 0)
5560 || !TEST_true(psk_server_cb_cnt == 0))
5563 if (!TEST_true(use_session_cb_cnt == 0)
5564 || !TEST_true(find_session_cb_cnt == 0)
5565 || !TEST_true(psk_client_cb_cnt == 1)
5566 || !TEST_true(psk_server_cb_cnt == 1))
5570 shutdown_ssl_connection(serverssl, clientssl);
5571 serverssl = clientssl = NULL;
5572 use_session_cb_cnt = find_session_cb_cnt = 0;
5573 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5575 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5580 #if defined(OPENSSL_NO_EC)
5581 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5584 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
5589 * Check we can create a connection, the PSK is used and the callbacks are
5592 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5593 || !TEST_true(SSL_session_reused(clientssl))
5594 || !TEST_true(SSL_session_reused(serverssl)))
5597 if (idx == 0 || idx == 1) {
5598 if (!TEST_true(use_session_cb_cnt == 2)
5599 || !TEST_true(find_session_cb_cnt == 2)
5600 || !TEST_true(psk_client_cb_cnt == 0)
5601 || !TEST_true(psk_server_cb_cnt == 0))
5604 if (!TEST_true(use_session_cb_cnt == 0)
5605 || !TEST_true(find_session_cb_cnt == 0)
5606 || !TEST_true(psk_client_cb_cnt == 2)
5607 || !TEST_true(psk_server_cb_cnt == 2))
5611 shutdown_ssl_connection(serverssl, clientssl);
5612 serverssl = clientssl = NULL;
5613 use_session_cb_cnt = find_session_cb_cnt = 0;
5614 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5618 * Check that if the server rejects the PSK we can still connect, but with
5621 srvid = "Dummy Identity";
5622 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5624 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5626 || !TEST_false(SSL_session_reused(clientssl))
5627 || !TEST_false(SSL_session_reused(serverssl)))
5630 if (idx == 0 || idx == 1) {
5631 if (!TEST_true(use_session_cb_cnt == 1)
5632 || !TEST_true(find_session_cb_cnt == 1)
5633 || !TEST_true(psk_client_cb_cnt == 0)
5635 * If no old style callback then below should be 0
5638 || !TEST_true(psk_server_cb_cnt == idx))
5641 if (!TEST_true(use_session_cb_cnt == 0)
5642 || !TEST_true(find_session_cb_cnt == 0)
5643 || !TEST_true(psk_client_cb_cnt == 1)
5644 || !TEST_true(psk_server_cb_cnt == 1))
5648 shutdown_ssl_connection(serverssl, clientssl);
5649 serverssl = clientssl = NULL;
5654 SSL_SESSION_free(clientpsk);
5655 SSL_SESSION_free(serverpsk);
5656 clientpsk = serverpsk = NULL;
5657 SSL_free(serverssl);
5658 SSL_free(clientssl);
5664 static unsigned char cookie_magic_value[] = "cookie magic";
5666 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5667 unsigned int *cookie_len)
5670 * Not suitable as a real cookie generation function but good enough for
5673 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5674 *cookie_len = sizeof(cookie_magic_value) - 1;
5679 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5680 unsigned int cookie_len)
5682 if (cookie_len == sizeof(cookie_magic_value) - 1
5683 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5689 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5693 int res = generate_cookie_callback(ssl, cookie, &temp);
5698 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5701 return verify_cookie_callback(ssl, cookie, cookie_len);
5704 static int test_stateless(void)
5706 SSL_CTX *sctx = NULL, *cctx = NULL;
5707 SSL *serverssl = NULL, *clientssl = NULL;
5710 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5711 TLS_client_method(), TLS1_VERSION, 0,
5712 &sctx, &cctx, cert, privkey)))
5715 /* The arrival of CCS messages can confuse the test */
5716 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5718 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5720 /* Send the first ClientHello */
5721 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5722 SSL_ERROR_WANT_READ))
5724 * This should fail with a -1 return because we have no callbacks
5727 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5730 /* Fatal error so abandon the connection from this client */
5731 SSL_free(clientssl);
5734 /* Set up the cookie generation and verification callbacks */
5735 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5736 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
5739 * Create a new connection from the client (we can reuse the server SSL
5742 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5744 /* Send the first ClientHello */
5745 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5746 SSL_ERROR_WANT_READ))
5747 /* This should fail because there is no cookie */
5748 || !TEST_int_eq(SSL_stateless(serverssl), 0))
5751 /* Abandon the connection from this client */
5752 SSL_free(clientssl);
5756 * Now create a connection from a new client but with the same server SSL
5759 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5761 /* Send the first ClientHello */
5762 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5763 SSL_ERROR_WANT_READ))
5764 /* This should fail because there is no cookie */
5765 || !TEST_int_eq(SSL_stateless(serverssl), 0)
5766 /* Send the second ClientHello */
5767 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5768 SSL_ERROR_WANT_READ))
5769 /* This should succeed because a cookie is now present */
5770 || !TEST_int_eq(SSL_stateless(serverssl), 1)
5771 /* Complete the connection */
5772 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5776 shutdown_ssl_connection(serverssl, clientssl);
5777 serverssl = clientssl = NULL;
5781 SSL_free(serverssl);
5782 SSL_free(clientssl);
5788 #endif /* OSSL_NO_USABLE_TLS1_3 */
5790 static int clntaddoldcb = 0;
5791 static int clntparseoldcb = 0;
5792 static int srvaddoldcb = 0;
5793 static int srvparseoldcb = 0;
5794 static int clntaddnewcb = 0;
5795 static int clntparsenewcb = 0;
5796 static int srvaddnewcb = 0;
5797 static int srvparsenewcb = 0;
5798 static int snicb = 0;
5800 #define TEST_EXT_TYPE1 0xff00
5802 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5803 size_t *outlen, int *al, void *add_arg)
5805 int *server = (int *)add_arg;
5806 unsigned char *data;
5808 if (SSL_is_server(s))
5813 if (*server != SSL_is_server(s)
5814 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5819 *outlen = sizeof(char);
5823 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5826 OPENSSL_free((unsigned char *)out);
5829 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5830 size_t inlen, int *al, void *parse_arg)
5832 int *server = (int *)parse_arg;
5834 if (SSL_is_server(s))
5839 if (*server != SSL_is_server(s)
5840 || inlen != sizeof(char)
5847 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5848 const unsigned char **out, size_t *outlen, X509 *x,
5849 size_t chainidx, int *al, void *add_arg)
5851 int *server = (int *)add_arg;
5852 unsigned char *data;
5854 if (SSL_is_server(s))
5859 if (*server != SSL_is_server(s)
5860 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5865 *outlen = sizeof(*data);
5869 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5870 const unsigned char *out, void *add_arg)
5872 OPENSSL_free((unsigned char *)out);
5875 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5876 const unsigned char *in, size_t inlen, X509 *x,
5877 size_t chainidx, int *al, void *parse_arg)
5879 int *server = (int *)parse_arg;
5881 if (SSL_is_server(s))
5886 if (*server != SSL_is_server(s)
5887 || inlen != sizeof(char) || *in != 1)
5893 static int sni_cb(SSL *s, int *al, void *arg)
5895 SSL_CTX *ctx = (SSL_CTX *)arg;
5897 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5898 *al = SSL_AD_INTERNAL_ERROR;
5899 return SSL_TLSEXT_ERR_ALERT_FATAL;
5902 return SSL_TLSEXT_ERR_OK;
5905 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
5911 * Custom call back tests.
5912 * Test 0: Old style callbacks in TLSv1.2
5913 * Test 1: New style callbacks in TLSv1.2
5914 * Test 2: New style callbacks in TLSv1.2 with SNI
5915 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5916 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
5917 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
5919 static int test_custom_exts(int tst)
5921 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5922 SSL *clientssl = NULL, *serverssl = NULL;
5924 static int server = 1;
5925 static int client = 0;
5926 SSL_SESSION *sess = NULL;
5927 unsigned int context;
5929 #if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
5930 /* Skip tests for TLSv1.2 and below in this case */
5935 /* Reset callback counters */
5936 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5937 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
5940 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5941 TLS_client_method(), TLS1_VERSION, 0,
5942 &sctx, &cctx, cert, privkey)))
5946 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5948 &sctx2, NULL, cert, privkey)))
5953 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5954 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
5956 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
5960 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
5961 | SSL_EXT_TLS1_3_CERTIFICATE;
5962 SSL_CTX_set_verify(sctx,
5963 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
5965 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
5966 SSL_FILETYPE_PEM), 1)
5967 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
5968 SSL_FILETYPE_PEM), 1)
5969 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
5971 } else if (tst == 4) {
5972 context = SSL_EXT_CLIENT_HELLO
5973 | SSL_EXT_TLS1_2_SERVER_HELLO
5974 | SSL_EXT_TLS1_3_SERVER_HELLO
5975 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5976 | SSL_EXT_TLS1_3_CERTIFICATE
5977 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5979 context = SSL_EXT_CLIENT_HELLO
5980 | SSL_EXT_TLS1_2_SERVER_HELLO
5981 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5984 /* Create a client side custom extension */
5986 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5987 old_add_cb, old_free_cb,
5988 &client, old_parse_cb,
5992 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5993 new_add_cb, new_free_cb,
5994 &client, new_parse_cb, &client)))
5998 /* Should not be able to add duplicates */
5999 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
6000 old_add_cb, old_free_cb,
6001 &client, old_parse_cb,
6003 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
6004 context, new_add_cb,
6005 new_free_cb, &client,
6006 new_parse_cb, &client)))
6009 /* Create a server side custom extension */
6011 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
6012 old_add_cb, old_free_cb,
6013 &server, old_parse_cb,
6017 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
6018 new_add_cb, new_free_cb,
6019 &server, new_parse_cb, &server)))
6022 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
6023 context, new_add_cb,
6024 new_free_cb, &server,
6025 new_parse_cb, &server)))
6029 /* Should not be able to add duplicates */
6030 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
6031 old_add_cb, old_free_cb,
6032 &server, old_parse_cb,
6034 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
6035 context, new_add_cb,
6036 new_free_cb, &server,
6037 new_parse_cb, &server)))
6042 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
6043 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
6047 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6048 &clientssl, NULL, NULL))
6049 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6054 if (clntaddoldcb != 1
6055 || clntparseoldcb != 1
6057 || srvparseoldcb != 1)
6059 } else if (tst == 1 || tst == 2 || tst == 3) {
6060 if (clntaddnewcb != 1
6061 || clntparsenewcb != 1
6063 || srvparsenewcb != 1
6064 || (tst != 2 && snicb != 0)
6065 || (tst == 2 && snicb != 1))
6067 } else if (tst == 5) {
6068 if (clntaddnewcb != 1
6069 || clntparsenewcb != 1
6071 || srvparsenewcb != 1)
6074 /* In this case there 2 NewSessionTicket messages created */
6075 if (clntaddnewcb != 1
6076 || clntparsenewcb != 5
6078 || srvparsenewcb != 1)
6082 sess = SSL_get1_session(clientssl);
6083 SSL_shutdown(clientssl);
6084 SSL_shutdown(serverssl);
6085 SSL_free(serverssl);
6086 SSL_free(clientssl);
6087 serverssl = clientssl = NULL;
6089 if (tst == 3 || tst == 5) {
6090 /* We don't bother with the resumption aspects for these tests */
6095 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6097 || !TEST_true(SSL_set_session(clientssl, sess))
6098 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6103 * For a resumed session we expect to add the ClientHello extension. For the
6104 * old style callbacks we ignore it on the server side because they set
6105 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
6109 if (clntaddoldcb != 2
6110 || clntparseoldcb != 1
6112 || srvparseoldcb != 1)
6114 } else if (tst == 1 || tst == 2 || tst == 3) {
6115 if (clntaddnewcb != 2
6116 || clntparsenewcb != 2
6118 || srvparsenewcb != 2)
6122 * No Certificate message extensions in the resumption handshake,
6123 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
6125 if (clntaddnewcb != 2
6126 || clntparsenewcb != 8
6128 || srvparsenewcb != 2)
6135 SSL_SESSION_free(sess);
6136 SSL_free(serverssl);
6137 SSL_free(clientssl);
6138 SSL_CTX_free(sctx2);
6144 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
6146 #define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \
6147 | SSL_EXT_CLIENT_HELLO \
6148 | SSL_EXT_TLS1_2_SERVER_HELLO \
6149 | SSL_EXT_IGNORE_ON_RESUMPTION)
6151 #define TLS13CONTEXT (SSL_EXT_TLS1_3_CERTIFICATE \
6152 | SSL_EXT_TLS1_2_SERVER_HELLO \
6153 | SSL_EXT_CLIENT_HELLO)
6155 #define SERVERINFO_CUSTOM \
6156 0x00, (char)TLSEXT_TYPE_signed_certificate_timestamp, \
6160 static const unsigned char serverinfo_custom_tls13[] = {
6161 0x00, 0x00, (TLS13CONTEXT >> 8) & 0xff, TLS13CONTEXT & 0xff,
6164 static const unsigned char serverinfo_custom_v2[] = {
6165 0x00, 0x00, (SYNTHV1CONTEXT >> 8) & 0xff, SYNTHV1CONTEXT & 0xff,
6168 static const unsigned char serverinfo_custom_v1[] = {
6171 static const size_t serverinfo_custom_tls13_len = sizeof(serverinfo_custom_tls13);
6172 static const size_t serverinfo_custom_v2_len = sizeof(serverinfo_custom_v2);
6173 static const size_t serverinfo_custom_v1_len = sizeof(serverinfo_custom_v1);
6175 static int serverinfo_custom_parse_cb(SSL *s, unsigned int ext_type,
6176 unsigned int context,
6177 const unsigned char *in,
6178 size_t inlen, X509 *x,
6179 size_t chainidx, int *al,
6182 const size_t len = serverinfo_custom_v1_len;
6183 const unsigned char *si = &serverinfo_custom_v1[len - 3];
6184 int *p_cb_result = (int*)parse_arg;
6185 *p_cb_result = TEST_mem_eq(in, inlen, si, 3);
6189 static int test_serverinfo_custom(const int idx)
6191 SSL_CTX *sctx = NULL, *cctx = NULL;
6192 SSL *clientssl = NULL, *serverssl = NULL;
6197 * Following variables are set in the switch statement
6198 * according to the test iteration.
6199 * Default values do not make much sense: test would fail with them.
6201 int serverinfo_version = 0;
6202 int protocol_version = 0;
6203 unsigned int extension_context = 0;
6204 const unsigned char *si = NULL;
6207 const int call_use_serverinfo_ex = idx > 0;
6209 case 0: /* FALLTHROUGH */
6211 serverinfo_version = SSL_SERVERINFOV1;
6212 protocol_version = TLS1_2_VERSION;
6213 extension_context = SYNTHV1CONTEXT;
6214 si = serverinfo_custom_v1;
6215 si_len = serverinfo_custom_v1_len;
6218 serverinfo_version = SSL_SERVERINFOV2;
6219 protocol_version = TLS1_2_VERSION;
6220 extension_context = SYNTHV1CONTEXT;
6221 si = serverinfo_custom_v2;
6222 si_len = serverinfo_custom_v2_len;
6225 serverinfo_version = SSL_SERVERINFOV2;
6226 protocol_version = TLS1_3_VERSION;
6227 extension_context = TLS13CONTEXT;
6228 si = serverinfo_custom_tls13;
6229 si_len = serverinfo_custom_tls13_len;
6233 if (!TEST_true(create_ssl_ctx_pair(libctx,
6238 &sctx, &cctx, cert, privkey)))
6241 if (call_use_serverinfo_ex) {
6242 if (!TEST_true(SSL_CTX_use_serverinfo_ex(sctx, serverinfo_version,
6246 if (!TEST_true(SSL_CTX_use_serverinfo(sctx, si, si_len)))
6250 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TLSEXT_TYPE_signed_certificate_timestamp,
6253 serverinfo_custom_parse_cb,
6255 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6257 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6259 || !TEST_int_eq(SSL_do_handshake(clientssl), 1))
6262 if (!TEST_true(cb_result))
6268 SSL_free(serverssl);
6269 SSL_free(clientssl);
6278 * Test that SSL_export_keying_material() produces expected results. There are
6279 * no test vectors so all we do is test that both sides of the communication
6280 * produce the same results for different protocol versions.
6282 #define SMALL_LABEL_LEN 10
6283 #define LONG_LABEL_LEN 249
6284 static int test_export_key_mat(int tst)
6287 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
6288 SSL *clientssl = NULL, *serverssl = NULL;
6289 const char label[LONG_LABEL_LEN + 1] = "test label";
6290 const unsigned char context[] = "context";
6291 const unsigned char *emptycontext = NULL;
6292 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
6293 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
6295 const int protocols[] = {
6304 #ifdef OPENSSL_NO_TLS1
6308 #ifdef OPENSSL_NO_TLS1_1
6312 if (is_fips && (tst == 0 || tst == 1))
6314 #ifdef OPENSSL_NO_TLS1_2
6318 #ifdef OSSL_NO_USABLE_TLS1_3
6322 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6323 TLS_client_method(), TLS1_VERSION, 0,
6324 &sctx, &cctx, cert, privkey)))
6327 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
6328 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
6329 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
6330 if ((protocols[tst] < TLS1_2_VERSION) &&
6331 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
6332 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
6335 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6340 * Premature call of SSL_export_keying_material should just fail.
6342 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6343 sizeof(ckeymat1), label,
6344 SMALL_LABEL_LEN + 1, context,
6345 sizeof(context) - 1, 1), 0))
6348 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6354 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
6357 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6358 sizeof(ckeymat1), label,
6359 LONG_LABEL_LEN + 1, context,
6360 sizeof(context) - 1, 1), 0))
6365 } else if (tst == 4) {
6366 labellen = LONG_LABEL_LEN;
6368 labellen = SMALL_LABEL_LEN;
6371 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
6372 sizeof(ckeymat1), label,
6374 sizeof(context) - 1, 1), 1)
6375 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
6376 sizeof(ckeymat2), label,
6380 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
6381 sizeof(ckeymat3), label,
6384 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
6385 sizeof(skeymat1), label,
6388 sizeof(context) -1, 1),
6390 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
6391 sizeof(skeymat2), label,
6395 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
6396 sizeof(skeymat3), label,
6400 * Check that both sides created the same key material with the
6403 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6406 * Check that both sides created the same key material with an
6409 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6412 * Check that both sides created the same key material without a
6415 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
6417 /* Different contexts should produce different results */
6418 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6423 * Check that an empty context and no context produce different results in
6424 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6426 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
6428 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
6435 SSL_free(serverssl);
6436 SSL_free(clientssl);
6437 SSL_CTX_free(sctx2);
6444 #ifndef OSSL_NO_USABLE_TLS1_3
6446 * Test that SSL_export_keying_material_early() produces expected
6447 * results. There are no test vectors so all we do is test that both
6448 * sides of the communication produce the same results for different
6449 * protocol versions.
6451 static int test_export_key_mat_early(int idx)
6453 static const char label[] = "test label";
6454 static const unsigned char context[] = "context";
6456 SSL_CTX *cctx = NULL, *sctx = NULL;
6457 SSL *clientssl = NULL, *serverssl = NULL;
6458 SSL_SESSION *sess = NULL;
6459 const unsigned char *emptycontext = NULL;
6460 unsigned char ckeymat1[80], ckeymat2[80];
6461 unsigned char skeymat1[80], skeymat2[80];
6462 unsigned char buf[1];
6463 size_t readbytes, written;
6465 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
6466 &sess, idx, SHA384_DIGEST_LENGTH)))
6469 /* Here writing 0 length early data is enough. */
6470 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6471 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6473 SSL_READ_EARLY_DATA_ERROR)
6474 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6475 SSL_EARLY_DATA_ACCEPTED))
6478 if (!TEST_int_eq(SSL_export_keying_material_early(
6479 clientssl, ckeymat1, sizeof(ckeymat1), label,
6480 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6481 || !TEST_int_eq(SSL_export_keying_material_early(
6482 clientssl, ckeymat2, sizeof(ckeymat2), label,
6483 sizeof(label) - 1, emptycontext, 0), 1)
6484 || !TEST_int_eq(SSL_export_keying_material_early(
6485 serverssl, skeymat1, sizeof(skeymat1), label,
6486 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6487 || !TEST_int_eq(SSL_export_keying_material_early(
6488 serverssl, skeymat2, sizeof(skeymat2), label,
6489 sizeof(label) - 1, emptycontext, 0), 1)
6491 * Check that both sides created the same key material with the
6494 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6497 * Check that both sides created the same key material with an
6500 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6502 /* Different contexts should produce different results */
6503 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6510 SSL_SESSION_free(sess);
6511 SSL_SESSION_free(clientpsk);
6512 SSL_SESSION_free(serverpsk);
6513 clientpsk = serverpsk = NULL;
6514 SSL_free(serverssl);
6515 SSL_free(clientssl);
6522 #define NUM_KEY_UPDATE_MESSAGES 40
6526 static int test_key_update(void)
6528 SSL_CTX *cctx = NULL, *sctx = NULL;
6529 SSL *clientssl = NULL, *serverssl = NULL;
6530 int testresult = 0, i, j;
6532 static char *mess = "A test message";
6534 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6535 TLS_client_method(),
6538 &sctx, &cctx, cert, privkey))
6539 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6541 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6545 for (j = 0; j < 2; j++) {
6546 /* Send lots of KeyUpdate messages */
6547 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6548 if (!TEST_true(SSL_key_update(clientssl,
6550 ? SSL_KEY_UPDATE_NOT_REQUESTED
6551 : SSL_KEY_UPDATE_REQUESTED))
6552 || !TEST_true(SSL_do_handshake(clientssl)))
6556 /* Check that sending and receiving app data is ok */
6557 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6558 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6562 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6563 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6571 SSL_free(serverssl);
6572 SSL_free(clientssl);
6580 * Test we can handle a KeyUpdate (update requested) message while
6581 * write data is pending in peer.
6582 * Test 0: Client sends KeyUpdate while Server is writing
6583 * Test 1: Server sends KeyUpdate while Client is writing
6585 static int test_key_update_peer_in_write(int tst)
6587 SSL_CTX *cctx = NULL, *sctx = NULL;
6588 SSL *clientssl = NULL, *serverssl = NULL;
6591 static char *mess = "A test message";
6592 BIO *bretry = BIO_new(bio_s_always_retry());
6594 SSL *peerupdate = NULL, *peerwrite = NULL;
6596 if (!TEST_ptr(bretry)
6597 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6598 TLS_client_method(),
6601 &sctx, &cctx, cert, privkey))
6602 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6604 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6608 peerupdate = tst == 0 ? clientssl : serverssl;
6609 peerwrite = tst == 0 ? serverssl : clientssl;
6611 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
6612 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
6615 /* Swap the writing endpoint's write BIO to force a retry */
6616 tmp = SSL_get_wbio(peerwrite);
6617 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6621 SSL_set0_wbio(peerwrite, bretry);
6624 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6625 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6626 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
6629 /* Reinstate the original writing endpoint's write BIO */
6630 SSL_set0_wbio(peerwrite, tmp);
6633 /* Now read some data - we will read the key update */
6634 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6635 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
6639 * Complete the write we started previously and read it from the other
6642 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6643 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6646 /* Write more data to ensure we send the KeyUpdate message back */
6647 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6648 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6654 SSL_free(serverssl);
6655 SSL_free(clientssl);
6665 * Test we can handle a KeyUpdate (update requested) message while
6666 * peer read data is pending after peer accepted keyupdate(the msg header
6667 * had been read 5 bytes).
6668 * Test 0: Client sends KeyUpdate while Server is reading
6669 * Test 1: Server sends KeyUpdate while Client is reading
6671 static int test_key_update_peer_in_read(int tst)
6673 SSL_CTX *cctx = NULL, *sctx = NULL;
6674 SSL *clientssl = NULL, *serverssl = NULL;
6676 char prbuf[515], lwbuf[515] = {0};
6677 static char *mess = "A test message";
6678 BIO *lbio = NULL, *pbio = NULL;
6679 SSL *local = NULL, *peer = NULL;
6681 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6682 TLS_client_method(),
6685 &sctx, &cctx, cert, privkey))
6686 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6688 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6692 local = tst == 0 ? clientssl : serverssl;
6693 peer = tst == 0 ? serverssl : clientssl;
6695 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6698 SSL_set_bio(local, lbio, lbio);
6699 SSL_set_bio(peer, pbio, pbio);
6702 * we first write keyupdate msg then appdata in local
6703 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6704 * lwbuf app data msg size + key updata msg size > 512(the size of
6705 * the bio pair buffer)
6707 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6708 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
6709 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6713 * first read keyupdate msg in peer in peer
6714 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6716 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
6717 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
6720 /* Now write some data in peer - we will write the key update */
6721 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
6725 * write data in local previously that we will complete
6726 * read data in peer previously that we will complete
6728 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
6729 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
6732 /* check that sending and receiving appdata ok */
6733 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6734 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6740 SSL_free(serverssl);
6741 SSL_free(clientssl);
6749 * Test we can't send a KeyUpdate (update requested) message while
6750 * local write data is pending.
6751 * Test 0: Client sends KeyUpdate while Client is writing
6752 * Test 1: Server sends KeyUpdate while Server is writing
6754 static int test_key_update_local_in_write(int tst)
6756 SSL_CTX *cctx = NULL, *sctx = NULL;
6757 SSL *clientssl = NULL, *serverssl = NULL;
6760 static char *mess = "A test message";
6761 BIO *bretry = BIO_new(bio_s_always_retry());
6763 SSL *local = NULL, *peer = NULL;
6765 if (!TEST_ptr(bretry)
6766 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6767 TLS_client_method(),
6770 &sctx, &cctx, cert, privkey))
6771 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6773 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6777 local = tst == 0 ? clientssl : serverssl;
6778 peer = tst == 0 ? serverssl : clientssl;
6780 /* Swap the writing endpoint's write BIO to force a retry */
6781 tmp = SSL_get_wbio(local);
6782 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6786 SSL_set0_wbio(local, bretry);
6789 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
6790 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
6791 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6794 /* Reinstate the original writing endpoint's write BIO */
6795 SSL_set0_wbio(local, tmp);
6798 /* SSL_key_update will fail, because writing in local*/
6799 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6800 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
6804 /* write data in local previously that we will complete */
6805 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
6808 /* SSL_key_update will succeed because there is no pending write data */
6809 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6810 || !TEST_int_eq(SSL_do_handshake(local), 1))
6814 * we write some appdata in local
6815 * read data in peer - we will read the keyupdate msg
6817 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6818 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
6821 /* Write more peer more data to ensure we send the keyupdate message back */
6822 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6823 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
6829 SSL_free(serverssl);
6830 SSL_free(clientssl);
6840 * Test we can handle a KeyUpdate (update requested) message while
6841 * local read data is pending(the msg header had been read 5 bytes).
6842 * Test 0: Client sends KeyUpdate while Client is reading
6843 * Test 1: Server sends KeyUpdate while Server is reading
6845 static int test_key_update_local_in_read(int tst)
6847 SSL_CTX *cctx = NULL, *sctx = NULL;
6848 SSL *clientssl = NULL, *serverssl = NULL;
6850 char lrbuf[515], pwbuf[515] = {0}, prbuf[20];
6851 static char *mess = "A test message";
6852 BIO *lbio = NULL, *pbio = NULL;
6853 SSL *local = NULL, *peer = NULL;
6855 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6856 TLS_client_method(),
6859 &sctx, &cctx, cert, privkey))
6860 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6862 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6866 local = tst == 0 ? clientssl : serverssl;
6867 peer = tst == 0 ? serverssl : clientssl;
6869 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6872 SSL_set_bio(local, lbio, lbio);
6873 SSL_set_bio(peer, pbio, pbio);
6875 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
6876 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
6877 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
6880 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
6881 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
6882 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
6885 /* SSL_do_handshake will send keyupdate msg */
6886 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6887 || !TEST_int_eq(SSL_do_handshake(local), 1))
6891 * write data in peer previously that we will complete
6892 * read data in local previously that we will complete
6894 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
6895 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
6899 * write data in local
6900 * read data in peer - we will read the key update
6902 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6903 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6906 /* Write more peer data to ensure we send the keyupdate message back */
6907 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6908 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
6914 SSL_free(serverssl);
6915 SSL_free(clientssl);
6921 #endif /* OSSL_NO_USABLE_TLS1_3 */
6923 static int test_ssl_clear(int idx)
6925 SSL_CTX *cctx = NULL, *sctx = NULL;
6926 SSL *clientssl = NULL, *serverssl = NULL;
6929 #ifdef OPENSSL_NO_TLS1_2
6934 /* Create an initial connection */
6935 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6936 TLS_client_method(), TLS1_VERSION, 0,
6937 &sctx, &cctx, cert, privkey))
6939 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
6941 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6942 &clientssl, NULL, NULL))
6943 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6947 SSL_shutdown(clientssl);
6948 SSL_shutdown(serverssl);
6949 SSL_free(serverssl);
6952 /* Clear clientssl - we're going to reuse the object */
6953 if (!TEST_true(SSL_clear(clientssl)))
6956 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6958 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6960 || !TEST_true(SSL_session_reused(clientssl)))
6963 SSL_shutdown(clientssl);
6964 SSL_shutdown(serverssl);
6969 SSL_free(serverssl);
6970 SSL_free(clientssl);
6977 /* Parse CH and retrieve any MFL extension value if present */
6978 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
6981 unsigned char *data;
6982 PACKET pkt, pkt2, pkt3;
6983 unsigned int MFL_code = 0, type = 0;
6985 if (!TEST_uint_gt(len = BIO_get_mem_data(bio, (char **) &data), 0))
6988 memset(&pkt, 0, sizeof(pkt));
6989 memset(&pkt2, 0, sizeof(pkt2));
6990 memset(&pkt3, 0, sizeof(pkt3));
6992 if (!TEST_long_gt(len, 0)
6993 || !TEST_true(PACKET_buf_init(&pkt, data, len))
6994 /* Skip the record header */
6995 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
6996 /* Skip the handshake message header */
6997 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
6998 /* Skip client version and random */
6999 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
7000 + SSL3_RANDOM_SIZE))
7001 /* Skip session id */
7002 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
7004 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
7005 /* Skip compression */
7006 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
7007 /* Extensions len */
7008 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
7011 /* Loop through all extensions */
7012 while (PACKET_remaining(&pkt2)) {
7013 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
7014 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
7017 if (type == TLSEXT_TYPE_max_fragment_length) {
7018 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
7019 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
7022 *mfl_codemfl_code = MFL_code;
7031 /* Maximum-Fragment-Length TLS extension mode to test */
7032 static const unsigned char max_fragment_len_test[] = {
7033 TLSEXT_max_fragment_length_512,
7034 TLSEXT_max_fragment_length_1024,
7035 TLSEXT_max_fragment_length_2048,
7036 TLSEXT_max_fragment_length_4096
7039 static int test_max_fragment_len_ext(int idx_tst)
7041 SSL_CTX *ctx = NULL;
7043 int testresult = 0, MFL_mode = 0;
7046 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
7047 TLS1_VERSION, 0, NULL, &ctx, NULL,
7051 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
7052 ctx, max_fragment_len_test[idx_tst])))
7059 rbio = BIO_new(BIO_s_mem());
7060 wbio = BIO_new(BIO_s_mem());
7061 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
7067 SSL_set_bio(con, rbio, wbio);
7069 if (!TEST_int_le(SSL_connect(con), 0)) {
7070 /* This shouldn't succeed because we don't have a server! */
7074 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
7075 /* no MFL in client hello */
7077 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
7089 #ifndef OSSL_NO_USABLE_TLS1_3
7090 static int test_pha_key_update(void)
7092 SSL_CTX *cctx = NULL, *sctx = NULL;
7093 SSL *clientssl = NULL, *serverssl = NULL;
7096 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7097 TLS_client_method(), TLS1_VERSION, 0,
7098 &sctx, &cctx, cert, privkey)))
7101 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
7102 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
7103 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
7104 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
7107 SSL_CTX_set_post_handshake_auth(cctx, 1);
7109 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7113 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7117 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7118 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7121 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
7124 /* Start handshake on the server */
7125 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
7128 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
7129 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7133 SSL_shutdown(clientssl);
7134 SSL_shutdown(serverssl);
7139 SSL_free(serverssl);
7140 SSL_free(clientssl);
7147 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7149 static SRP_VBASE *vbase = NULL;
7151 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
7153 int ret = SSL3_AL_FATAL;
7155 SRP_user_pwd *user = NULL;
7157 username = SSL_get_srp_username(s);
7158 if (username == NULL) {
7159 *ad = SSL_AD_INTERNAL_ERROR;
7163 user = SRP_VBASE_get1_by_user(vbase, username);
7165 *ad = SSL_AD_INTERNAL_ERROR;
7169 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
7171 *ad = SSL_AD_INTERNAL_ERROR;
7178 SRP_user_pwd_free(user);
7182 static int create_new_vfile(char *userid, char *password, const char *filename)
7185 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
7188 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
7191 if (!TEST_ptr(dummy) || !TEST_ptr(row))
7194 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
7195 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
7196 if (!TEST_ptr(gNid))
7200 * The only way to create an empty TXT_DB is to provide a BIO with no data
7203 db = TXT_DB_read(dummy, DB_NUMBER);
7207 out = BIO_new_file(filename, "w");
7211 row[DB_srpid] = OPENSSL_strdup(userid);
7212 row[DB_srptype] = OPENSSL_strdup("V");
7213 row[DB_srpgN] = OPENSSL_strdup(gNid);
7215 if (!TEST_ptr(row[DB_srpid])
7216 || !TEST_ptr(row[DB_srptype])
7217 || !TEST_ptr(row[DB_srpgN])
7218 || !TEST_true(TXT_DB_insert(db, row)))
7223 if (TXT_DB_write(out, db) <= 0)
7229 for (i = 0; i < DB_NUMBER; i++)
7230 OPENSSL_free(row[i]);
7240 static int create_new_vbase(char *userid, char *password)
7242 BIGNUM *verifier = NULL, *salt = NULL;
7243 const SRP_gN *lgN = NULL;
7244 SRP_user_pwd *user_pwd = NULL;
7247 lgN = SRP_get_default_gN(NULL);
7251 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
7252 lgN->N, lgN->g, libctx, NULL)))
7255 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
7256 if (!TEST_ptr(user_pwd))
7259 user_pwd->N = lgN->N;
7260 user_pwd->g = lgN->g;
7261 user_pwd->id = OPENSSL_strdup(userid);
7262 if (!TEST_ptr(user_pwd->id))
7265 user_pwd->v = verifier;
7267 verifier = salt = NULL;
7269 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
7275 SRP_user_pwd_free(user_pwd);
7285 * Test 0: Simple successful SRP connection, new vbase
7286 * Test 1: Connection failure due to bad password, new vbase
7287 * Test 2: Simple successful SRP connection, vbase loaded from existing file
7288 * Test 3: Connection failure due to bad password, vbase loaded from existing
7290 * Test 4: Simple successful SRP connection, vbase loaded from new file
7291 * Test 5: Connection failure due to bad password, vbase loaded from new file
7293 static int test_srp(int tst)
7295 char *userid = "test", *password = "password", *tstsrpfile;
7296 SSL_CTX *cctx = NULL, *sctx = NULL;
7297 SSL *clientssl = NULL, *serverssl = NULL;
7298 int ret, testresult = 0;
7300 vbase = SRP_VBASE_new(NULL);
7301 if (!TEST_ptr(vbase))
7304 if (tst == 0 || tst == 1) {
7305 if (!TEST_true(create_new_vbase(userid, password)))
7308 if (tst == 4 || tst == 5) {
7309 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
7311 tstsrpfile = tmpfilename;
7313 tstsrpfile = srpvfile;
7315 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
7319 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7320 TLS_client_method(), TLS1_VERSION, 0,
7321 &sctx, &cctx, cert, privkey)))
7324 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
7325 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
7326 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
7327 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
7328 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
7332 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
7335 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
7339 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7343 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7345 if (!TEST_true(tst % 2 == 0))
7348 if (!TEST_true(tst % 2 == 1))
7355 SRP_VBASE_free(vbase);
7357 SSL_free(serverssl);
7358 SSL_free(clientssl);
7366 static int info_cb_failed = 0;
7367 static int info_cb_offset = 0;
7368 static int info_cb_this_state = -1;
7370 static struct info_cb_states_st {
7372 const char *statestr;
7373 } info_cb_states[][60] = {
7375 /* TLSv1.2 server followed by resumption */
7376 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7377 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7378 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
7379 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
7380 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
7381 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7382 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7383 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7384 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"},
7385 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7386 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
7387 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7388 {SSL_CB_EXIT, NULL}, {0, NULL},
7390 /* TLSv1.2 client followed by resumption */
7391 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7392 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7393 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
7394 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
7395 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
7396 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7397 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7398 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7399 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7400 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7401 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7402 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
7404 /* TLSv1.3 server followed by resumption */
7405 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7406 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7407 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
7408 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7409 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7410 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7411 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7412 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7413 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7414 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7415 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7416 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7417 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7419 /* TLSv1.3 client followed by resumption */
7420 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7421 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7422 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
7423 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7424 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7425 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7426 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7427 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7428 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7429 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7430 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7431 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7432 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7433 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7434 {SSL_CB_EXIT, NULL}, {0, NULL},
7436 /* TLSv1.3 server, early_data */
7437 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7438 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7439 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7440 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7441 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7442 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
7443 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7444 {SSL_CB_EXIT, NULL}, {0, NULL},
7446 /* TLSv1.3 client, early_data */
7447 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7448 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
7449 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7450 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7451 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7452 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
7453 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7454 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7455 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7457 /* TLSv1.3 server, certificate compression, followed by resumption */
7458 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7459 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7460 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSCC"},
7461 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7462 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7463 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7464 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7465 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7466 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7467 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7468 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7469 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7470 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7472 /* TLSv1.3 client, certificate compression, followed by resumption */
7473 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7474 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7475 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSCC"},
7476 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7477 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7478 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7479 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7480 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7481 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7482 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7483 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7484 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7485 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7486 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7487 {SSL_CB_EXIT, NULL}, {0, NULL},
7493 static void sslapi_info_callback(const SSL *s, int where, int ret)
7495 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
7497 /* We do not ever expect a connection to fail in this test */
7498 if (!TEST_false(ret == 0)) {
7504 * Do some sanity checks. We never expect these things to happen in this
7507 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
7508 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
7509 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
7514 /* Now check we're in the right state */
7515 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
7519 if ((where & SSL_CB_LOOP) != 0
7520 && !TEST_int_eq(strcmp(SSL_state_string(s),
7521 state[info_cb_this_state].statestr), 0)) {
7527 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7529 if ((where & SSL_CB_HANDSHAKE_DONE)
7530 && SSL_in_init((SSL *)s) != 0) {
7537 * Test the info callback gets called when we expect it to.
7539 * Test 0: TLSv1.2, server
7540 * Test 1: TLSv1.2, client
7541 * Test 2: TLSv1.3, server
7542 * Test 3: TLSv1.3, client
7543 * Test 4: TLSv1.3, server, early_data
7544 * Test 5: TLSv1.3, client, early_data
7545 * Test 6: TLSv1.3, server, compressed certificate
7546 * Test 7: TLSv1.3, client, compressed certificate
7548 static int test_info_callback(int tst)
7550 SSL_CTX *cctx = NULL, *sctx = NULL;
7551 SSL *clientssl = NULL, *serverssl = NULL;
7552 SSL_SESSION *clntsess = NULL;
7557 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
7558 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7559 || !defined(OPENSSL_NO_DH))
7560 tlsvers = TLS1_2_VERSION;
7565 #ifndef OSSL_NO_USABLE_TLS1_3
7566 tlsvers = TLS1_3_VERSION;
7574 info_cb_this_state = -1;
7575 info_cb_offset = tst;
7577 #ifndef OSSL_NO_USABLE_TLS1_3
7578 if (tst >= 4 && tst < 6) {
7579 SSL_SESSION *sess = NULL;
7580 size_t written, readbytes;
7581 unsigned char buf[80];
7583 /* early_data tests */
7584 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
7585 &serverssl, &sess, 0,
7586 SHA384_DIGEST_LENGTH)))
7589 /* We don't actually need this reference */
7590 SSL_SESSION_free(sess);
7592 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
7593 sslapi_info_callback);
7595 /* Write and read some early data and then complete the connection */
7596 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
7598 || !TEST_size_t_eq(written, strlen(MSG1))
7599 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
7600 sizeof(buf), &readbytes),
7601 SSL_READ_EARLY_DATA_SUCCESS)
7602 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
7603 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
7604 SSL_EARLY_DATA_ACCEPTED)
7605 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7607 || !TEST_false(info_cb_failed))
7615 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7616 TLS_client_method(),
7617 tlsvers, tlsvers, &sctx, &cctx, cert,
7621 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
7625 * For even numbered tests we check the server callbacks. For odd numbers we
7628 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
7629 sslapi_info_callback);
7631 if (!SSL_CTX_compress_certs(sctx, 0))
7635 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7636 &clientssl, NULL, NULL))
7637 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7639 || !TEST_false(info_cb_failed))
7644 clntsess = SSL_get1_session(clientssl);
7645 SSL_shutdown(clientssl);
7646 SSL_shutdown(serverssl);
7647 SSL_free(serverssl);
7648 SSL_free(clientssl);
7649 serverssl = clientssl = NULL;
7651 /* Now do a resumption */
7652 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7654 || !TEST_true(SSL_set_session(clientssl, clntsess))
7655 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7657 || !TEST_true(SSL_session_reused(clientssl))
7658 || !TEST_false(info_cb_failed))
7664 SSL_free(serverssl);
7665 SSL_free(clientssl);
7666 SSL_SESSION_free(clntsess);
7672 static int test_ssl_pending(int tst)
7674 SSL_CTX *cctx = NULL, *sctx = NULL;
7675 SSL *clientssl = NULL, *serverssl = NULL;
7677 char msg[] = "A test message";
7679 size_t written, readbytes;
7682 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7683 TLS_client_method(),
7685 &sctx, &cctx, cert, privkey)))
7688 #ifndef OPENSSL_NO_DTLS
7689 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
7690 DTLS_client_method(),
7692 &sctx, &cctx, cert, privkey)))
7695 # ifdef OPENSSL_NO_DTLS1_2
7696 /* Not supported in the FIPS provider */
7702 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7705 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
7706 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
7707 "DEFAULT:@SECLEVEL=0")))
7715 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7717 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7721 if (!TEST_int_eq(SSL_pending(clientssl), 0)
7722 || !TEST_false(SSL_has_pending(clientssl))
7723 || !TEST_int_eq(SSL_pending(serverssl), 0)
7724 || !TEST_false(SSL_has_pending(serverssl))
7725 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7726 || !TEST_size_t_eq(written, sizeof(msg))
7727 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
7728 || !TEST_size_t_eq(readbytes, sizeof(buf))
7729 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
7730 || !TEST_true(SSL_has_pending(clientssl)))
7736 SSL_free(serverssl);
7737 SSL_free(clientssl);
7745 unsigned int maxprot;
7746 const char *clntciphers;
7747 const char *clnttls13ciphers;
7748 const char *srvrciphers;
7749 const char *srvrtls13ciphers;
7751 const char *fipsshared;
7752 } shared_ciphers_data[] = {
7754 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
7755 * TLSv1.3 is enabled but TLSv1.2 is disabled.
7757 #if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
7760 "AES128-SHA:AES256-SHA",
7762 "AES256-SHA:DHE-RSA-AES128-SHA",
7767 # if !defined(OPENSSL_NO_CHACHA) \
7768 && !defined(OPENSSL_NO_POLY1305) \
7769 && !defined(OPENSSL_NO_EC)
7772 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7774 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7776 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7782 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
7784 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
7786 "AES128-SHA:AES256-SHA",
7787 "AES128-SHA:AES256-SHA"
7791 "AES128-SHA:AES256-SHA",
7793 "AES128-SHA:DHE-RSA-AES128-SHA",
7800 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7803 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
7804 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
7807 "AES128-SHA:AES256-SHA",
7809 "AES256-SHA:AES128-SHA256",
7811 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
7812 "TLS_AES_128_GCM_SHA256:AES256-SHA",
7813 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
7816 #ifndef OSSL_NO_USABLE_TLS1_3
7820 "TLS_AES_256_GCM_SHA384",
7822 "TLS_AES_256_GCM_SHA384",
7823 "TLS_AES_256_GCM_SHA384",
7824 "TLS_AES_256_GCM_SHA384"
7829 static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
7831 SSL_CTX *cctx = NULL, *sctx = NULL;
7832 SSL *clientssl = NULL, *serverssl = NULL;
7835 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
7837 if (!TEST_ptr(tmplibctx))
7841 * Regardless of whether we're testing with the FIPS provider loaded into
7842 * libctx, we want one peer to always use the full set of ciphersuites
7843 * available. Therefore we use a separate libctx with the default provider
7844 * loaded into it. We run the same tests twice - once with the client side
7845 * having the full set of ciphersuites and once with the server side.
7848 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
7849 if (!TEST_ptr(cctx))
7852 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
7853 if (!TEST_ptr(sctx))
7857 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7858 TLS_client_method(),
7860 shared_ciphers_data[tst].maxprot,
7861 &sctx, &cctx, cert, privkey)))
7864 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
7865 shared_ciphers_data[tst].clntciphers))
7866 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
7867 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
7868 shared_ciphers_data[tst].clnttls13ciphers)))
7869 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
7870 shared_ciphers_data[tst].srvrciphers))
7871 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
7872 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
7873 shared_ciphers_data[tst].srvrtls13ciphers))))
7877 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7879 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7883 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
7884 || !TEST_int_eq(strcmp(buf,
7886 ? shared_ciphers_data[tst].fipsshared
7887 : shared_ciphers_data[tst].shared),
7889 TEST_info("Shared ciphers are: %s\n", buf);
7896 SSL_free(serverssl);
7897 SSL_free(clientssl);
7900 OSSL_LIB_CTX_free(tmplibctx);
7905 static int test_ssl_get_shared_ciphers(int tst)
7907 return int_test_ssl_get_shared_ciphers(tst, 0)
7908 && int_test_ssl_get_shared_ciphers(tst, 1);
7912 static const char *appdata = "Hello World";
7913 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
7914 static int tick_key_renew = 0;
7915 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7917 static int gen_tick_cb(SSL *s, void *arg)
7919 gen_tick_called = 1;
7921 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
7925 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
7926 const unsigned char *keyname,
7927 size_t keyname_length,
7928 SSL_TICKET_STATUS status,
7934 dec_tick_called = 1;
7936 if (status == SSL_TICKET_EMPTY)
7937 return SSL_TICKET_RETURN_IGNORE_RENEW;
7939 if (!TEST_true(status == SSL_TICKET_SUCCESS
7940 || status == SSL_TICKET_SUCCESS_RENEW))
7941 return SSL_TICKET_RETURN_ABORT;
7943 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
7945 || !TEST_size_t_eq(tickdlen, strlen(appdata))
7946 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
7947 return SSL_TICKET_RETURN_ABORT;
7949 if (tick_key_cb_called) {
7950 /* Don't change what the ticket key callback wanted to do */
7952 case SSL_TICKET_NO_DECRYPT:
7953 return SSL_TICKET_RETURN_IGNORE_RENEW;
7955 case SSL_TICKET_SUCCESS:
7956 return SSL_TICKET_RETURN_USE;
7958 case SSL_TICKET_SUCCESS_RENEW:
7959 return SSL_TICKET_RETURN_USE_RENEW;
7962 return SSL_TICKET_RETURN_ABORT;
7965 return tick_dec_ret;
7969 #ifndef OPENSSL_NO_DEPRECATED_3_0
7970 static int tick_key_cb(SSL *s, unsigned char key_name[16],
7971 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
7972 HMAC_CTX *hctx, int enc)
7974 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7975 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
7976 EVP_CIPHER *aes128cbc;
7980 tick_key_cb_called = 1;
7982 if (tick_key_renew == -1)
7985 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7986 if (!TEST_ptr(aes128cbc))
7988 sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
7989 if (!TEST_ptr(sha256)) {
7990 EVP_CIPHER_free(aes128cbc);
7994 memset(iv, 0, AES_BLOCK_SIZE);
7995 memset(key_name, 0, 16);
7996 if (aes128cbc == NULL
7998 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7999 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
8003 ret = tick_key_renew ? 2 : 1;
8005 EVP_CIPHER_free(aes128cbc);
8006 EVP_MD_free(sha256);
8012 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
8013 unsigned char iv[EVP_MAX_IV_LENGTH],
8014 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
8016 const unsigned char tick_aes_key[16] = "0123456789abcdef";
8017 unsigned char tick_hmac_key[16] = "0123456789abcdef";
8018 OSSL_PARAM params[2];
8019 EVP_CIPHER *aes128cbc;
8022 tick_key_cb_called = 1;
8024 if (tick_key_renew == -1)
8027 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
8028 if (!TEST_ptr(aes128cbc))
8031 memset(iv, 0, AES_BLOCK_SIZE);
8032 memset(key_name, 0, 16);
8033 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
8035 params[1] = OSSL_PARAM_construct_end();
8036 if (aes128cbc == NULL
8037 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
8038 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
8042 ret = tick_key_renew ? 2 : 1;
8044 EVP_CIPHER_free(aes128cbc);
8050 * Test the various ticket callbacks
8051 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
8052 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
8053 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
8054 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
8055 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
8056 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
8057 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
8058 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
8059 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
8060 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
8061 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
8062 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
8063 * Test 12: TLSv1.2, old ticket key callback, no ticket
8064 * Test 13: TLSv1.3, old ticket key callback, no ticket
8065 * Test 14: TLSv1.2, ticket key callback, ticket, no renewal
8066 * Test 15: TLSv1.3, ticket key callback, ticket, no renewal
8067 * Test 16: TLSv1.2, ticket key callback, ticket, renewal
8068 * Test 17: TLSv1.3, ticket key callback, ticket, renewal
8069 * Test 18: TLSv1.2, ticket key callback, no ticket
8070 * Test 19: TLSv1.3, ticket key callback, no ticket
8072 static int test_ticket_callbacks(int tst)
8074 SSL_CTX *cctx = NULL, *sctx = NULL;
8075 SSL *clientssl = NULL, *serverssl = NULL;
8076 SSL_SESSION *clntsess = NULL;
8079 #ifdef OPENSSL_NO_TLS1_2
8083 #ifdef OSSL_NO_USABLE_TLS1_3
8087 #ifdef OPENSSL_NO_DEPRECATED_3_0
8088 if (tst >= 8 && tst <= 13)
8092 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
8094 /* Which tests the ticket key callback should request renewal for */
8096 if (tst == 10 || tst == 11 || tst == 16 || tst == 17)
8098 else if (tst == 12 || tst == 13 || tst == 18 || tst == 19)
8099 tick_key_renew = -1; /* abort sending the ticket/0-length ticket */
8103 /* Which tests the decrypt ticket callback should request renewal for */
8107 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
8112 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
8117 tick_dec_ret = SSL_TICKET_RETURN_USE;
8122 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
8126 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
8129 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8130 TLS_client_method(),
8132 ((tst % 2) == 0) ? TLS1_2_VERSION
8134 &sctx, &cctx, cert, privkey)))
8138 * We only want sessions to resume from tickets - not the session cache. So
8139 * switch the cache off.
8141 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
8144 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
8149 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
8151 #ifndef OPENSSL_NO_DEPRECATED_3_0
8152 } else if (tst >= 8) {
8153 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
8158 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8160 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8165 * The decrypt ticket key callback in TLSv1.2 should be called even though
8166 * we have no ticket yet, because it gets called with a status of
8167 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
8168 * actually send any ticket data). This does not happen in TLSv1.3 because
8169 * it is not valid to send empty ticket data in TLSv1.3.
8171 if (!TEST_int_eq(gen_tick_called, 1)
8172 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
8175 gen_tick_called = dec_tick_called = 0;
8177 clntsess = SSL_get1_session(clientssl);
8178 SSL_shutdown(clientssl);
8179 SSL_shutdown(serverssl);
8180 SSL_free(serverssl);
8181 SSL_free(clientssl);
8182 serverssl = clientssl = NULL;
8184 /* Now do a resumption */
8185 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8187 || !TEST_true(SSL_set_session(clientssl, clntsess))
8188 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8192 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
8193 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8194 || tick_key_renew == -1) {
8195 if (!TEST_false(SSL_session_reused(clientssl)))
8198 if (!TEST_true(SSL_session_reused(clientssl)))
8202 if (!TEST_int_eq(gen_tick_called,
8204 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8205 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
8207 /* There is no ticket to decrypt in tests 13 and 19 */
8208 || !TEST_int_eq(dec_tick_called, (tst == 13 || tst == 19) ? 0 : 1))
8214 SSL_SESSION_free(clntsess);
8215 SSL_free(serverssl);
8216 SSL_free(clientssl);
8224 * Test incorrect shutdown.
8225 * Test 0: client does not shutdown properly,
8226 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
8227 * server should get SSL_ERROR_SSL
8228 * Test 1: client does not shutdown properly,
8229 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
8230 * server should get SSL_ERROR_ZERO_RETURN
8232 static int test_incorrect_shutdown(int tst)
8234 SSL_CTX *cctx = NULL, *sctx = NULL;
8235 SSL *clientssl = NULL, *serverssl = NULL;
8240 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8241 TLS_client_method(), 0, 0,
8242 &sctx, &cctx, cert, privkey)))
8246 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
8248 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8252 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8256 c2s = SSL_get_rbio(serverssl);
8257 BIO_set_mem_eof_return(c2s, 0);
8259 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
8262 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
8264 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
8270 SSL_free(serverssl);
8271 SSL_free(clientssl);
8279 * Test bi-directional shutdown.
8281 * Test 1: TLSv1.2, server continues to read/write after client shutdown
8282 * Test 2: TLSv1.3, no pending NewSessionTicket messages
8283 * Test 3: TLSv1.3, pending NewSessionTicket messages
8284 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
8285 * sends key update, client reads it
8286 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
8287 * sends CertificateRequest, client reads and ignores it
8288 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
8291 static int test_shutdown(int tst)
8293 SSL_CTX *cctx = NULL, *sctx = NULL;
8294 SSL *clientssl = NULL, *serverssl = NULL;
8296 char msg[] = "A test message";
8298 size_t written, readbytes;
8301 #ifdef OPENSSL_NO_TLS1_2
8305 #ifdef OSSL_NO_USABLE_TLS1_3
8310 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8311 TLS_client_method(),
8313 (tst <= 1) ? TLS1_2_VERSION
8315 &sctx, &cctx, cert, privkey)))
8319 SSL_CTX_set_post_handshake_auth(cctx, 1);
8321 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8326 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
8327 SSL_ERROR_NONE, 1, 0))
8328 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8329 || !TEST_false(SSL_SESSION_is_resumable(sess)))
8331 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8333 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8334 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
8338 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8343 * Reading on the server after the client has sent close_notify should
8344 * fail and provide SSL_ERROR_ZERO_RETURN
8346 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
8347 || !TEST_int_eq(SSL_get_error(serverssl, 0),
8348 SSL_ERROR_ZERO_RETURN)
8349 || !TEST_int_eq(SSL_get_shutdown(serverssl),
8350 SSL_RECEIVED_SHUTDOWN)
8352 * Even though we're shutdown on receive we should still be
8355 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8358 && !TEST_true(SSL_key_update(serverssl,
8359 SSL_KEY_UPDATE_REQUESTED)))
8362 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
8363 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
8366 if ((tst == 4 || tst == 5)
8367 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8369 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8371 if (tst == 4 || tst == 5) {
8372 /* Should still be able to read data from server */
8373 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8375 || !TEST_size_t_eq(readbytes, sizeof(msg))
8376 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
8377 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8379 || !TEST_size_t_eq(readbytes, sizeof(msg))
8380 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
8385 /* Writing on the client after sending close_notify shouldn't be possible */
8386 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
8391 * For these tests the client has sent close_notify but it has not yet
8392 * been received by the server. The server has not sent close_notify
8395 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
8397 * Writing on the server after sending close_notify shouldn't
8400 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8401 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
8402 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8403 || !TEST_true(SSL_SESSION_is_resumable(sess))
8404 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
8406 } else if (tst == 4 || tst == 5) {
8408 * In this test the client has sent close_notify and it has been
8409 * received by the server which has responded with a close_notify. The
8410 * client needs to read the close_notify sent by the server.
8412 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
8413 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8414 || !TEST_true(SSL_SESSION_is_resumable(sess)))
8420 * The client has sent close_notify and is expecting a close_notify
8421 * back, but instead there is application data first. The shutdown
8422 * should fail with a fatal error.
8424 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
8425 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
8432 SSL_free(serverssl);
8433 SSL_free(clientssl);
8441 * Test that sending close_notify alerts works correctly in the case of a
8442 * retryable write failure.
8444 static int test_async_shutdown(void)
8446 SSL_CTX *cctx = NULL, *sctx = NULL;
8447 SSL *clientssl = NULL, *serverssl = NULL;
8449 BIO *bretry = BIO_new(bio_s_always_retry()), *tmp = NULL;
8451 if (!TEST_ptr(bretry))
8454 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8455 TLS_client_method(),
8457 &sctx, &cctx, cert, privkey)))
8460 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8464 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8467 /* Close write side of clientssl */
8468 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8471 tmp = SSL_get_wbio(serverssl);
8472 if (!TEST_true(BIO_up_ref(tmp))) {
8476 SSL_set0_wbio(serverssl, bretry);
8479 /* First server shutdown should fail because of a retrable write failure */
8480 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8481 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8484 /* Second server shutdown should fail for the same reason */
8485 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8486 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8489 SSL_set0_wbio(serverssl, tmp);
8492 /* Third server shutdown should send close_notify */
8493 if (!TEST_int_eq(SSL_shutdown(serverssl), 0))
8496 /* Fourth server shutdown should read close_notify from client and finish */
8497 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8500 /* Client should also successfully fully shutdown */
8501 if (!TEST_int_eq(SSL_shutdown(clientssl), 1))
8506 SSL_free(serverssl);
8507 SSL_free(clientssl);
8516 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8517 static int cert_cb_cnt;
8519 static int cert_cb(SSL *s, void *arg)
8521 SSL_CTX *ctx = (SSL_CTX *)arg;
8523 EVP_PKEY *pkey = NULL;
8524 X509 *x509 = NULL, *rootx = NULL;
8525 STACK_OF(X509) *chain = NULL;
8526 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
8529 if (cert_cb_cnt == 0) {
8530 /* Suspend the handshake */
8533 } else if (cert_cb_cnt == 1) {
8535 * Update the SSL_CTX, set the certificate and private key and then
8536 * continue the handshake normally.
8538 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
8541 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
8542 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
8544 || !TEST_true(SSL_check_private_key(s)))
8548 } else if (cert_cb_cnt == 3) {
8551 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
8552 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8553 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8554 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
8556 chain = sk_X509_new_null();
8557 if (!TEST_ptr(chain))
8559 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8560 || !TEST_int_gt(BIO_read_filename(in, rootfile), 0)
8561 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
8562 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
8563 || !TEST_true(sk_X509_push(chain, rootx)))
8567 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8568 || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0)
8569 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
8570 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
8573 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8574 || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0)
8575 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
8579 rv = SSL_check_chain(s, x509, pkey, chain);
8581 * If the cert doesn't show as valid here (e.g., because we don't
8582 * have any shared sigalgs), then we will not set it, and there will
8583 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8584 * will cause tls_choose_sigalgs() to fail the connection.
8586 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
8587 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
8588 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
8595 /* Abort the handshake */
8597 OPENSSL_free(ecdsacert);
8598 OPENSSL_free(ecdsakey);
8599 OPENSSL_free(rootfile);
8601 EVP_PKEY_free(pkey);
8604 OSSL_STACK_OF_X509_free(chain);
8609 * Test the certificate callback.
8610 * Test 0: Callback fails
8611 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8612 * Test 2: Success - SSL_set_SSL_CTX() in the callback
8613 * Test 3: Success - Call SSL_check_chain from the callback
8614 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8616 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
8618 static int test_cert_cb_int(int prot, int tst)
8620 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
8621 SSL *clientssl = NULL, *serverssl = NULL;
8622 int testresult = 0, ret;
8624 #ifdef OPENSSL_NO_EC
8625 /* We use an EC cert in these tests, so we skip in a no-ec build */
8630 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8631 TLS_client_method(),
8634 &sctx, &cctx, NULL, NULL)))
8645 snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
8646 if (!TEST_ptr(snictx))
8650 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
8652 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8658 * We cause SSL_check_chain() to fail by specifying sig_algs that
8659 * the chain doesn't meet (the root uses an RSA cert)
8661 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8662 "ecdsa_secp256r1_sha256")))
8664 } else if (tst == 5) {
8666 * We cause SSL_check_chain() to fail by specifying sig_algs that
8667 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8669 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8670 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8674 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
8675 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
8677 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
8684 SSL_free(serverssl);
8685 SSL_free(clientssl);
8688 SSL_CTX_free(snictx);
8694 static int test_cert_cb(int tst)
8698 #ifndef OPENSSL_NO_TLS1_2
8699 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
8701 #ifndef OSSL_NO_USABLE_TLS1_3
8702 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
8708 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
8713 BIO *priv_in = NULL;
8715 /* Check that SSL_get0_peer_certificate() returns something sensible */
8716 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
8719 in = BIO_new_file(cert, "r");
8723 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
8724 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
8725 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
8726 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
8744 static int test_client_cert_cb(int tst)
8746 SSL_CTX *cctx = NULL, *sctx = NULL;
8747 SSL *clientssl = NULL, *serverssl = NULL;
8750 #ifdef OPENSSL_NO_TLS1_2
8754 #ifdef OSSL_NO_USABLE_TLS1_3
8759 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8760 TLS_client_method(),
8762 tst == 0 ? TLS1_2_VERSION
8764 &sctx, &cctx, cert, privkey)))
8768 * Test that setting a client_cert_cb results in a client certificate being
8771 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
8772 SSL_CTX_set_verify(sctx,
8773 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
8776 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8778 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8785 SSL_free(serverssl);
8786 SSL_free(clientssl);
8793 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8795 * Test setting certificate authorities on both client and server.
8797 * Test 0: SSL_CTX_set0_CA_list() only
8798 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
8799 * Test 2: Only SSL_CTX_set_client_CA_list()
8801 static int test_ca_names_int(int prot, int tst)
8803 SSL_CTX *cctx = NULL, *sctx = NULL;
8804 SSL *clientssl = NULL, *serverssl = NULL;
8807 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
8808 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
8809 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
8810 const STACK_OF(X509_NAME) *sktmp = NULL;
8812 for (i = 0; i < OSSL_NELEM(name); i++) {
8813 name[i] = X509_NAME_new();
8814 if (!TEST_ptr(name[i])
8815 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
8823 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8824 TLS_client_method(),
8827 &sctx, &cctx, cert, privkey)))
8830 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
8832 if (tst == 0 || tst == 1) {
8833 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8834 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
8835 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
8836 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8837 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
8838 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
8841 SSL_CTX_set0_CA_list(sctx, sk1);
8842 SSL_CTX_set0_CA_list(cctx, sk2);
8845 if (tst == 1 || tst == 2) {
8846 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8847 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
8848 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
8849 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8850 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
8851 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
8854 SSL_CTX_set_client_CA_list(sctx, sk1);
8855 SSL_CTX_set_client_CA_list(cctx, sk2);
8859 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8861 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8866 * We only expect certificate authorities to have been sent to the server
8867 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
8869 sktmp = SSL_get0_peer_CA_list(serverssl);
8870 if (prot == TLS1_3_VERSION
8871 && (tst == 0 || tst == 1)) {
8872 if (!TEST_ptr(sktmp)
8873 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8874 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8876 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8879 } else if (!TEST_ptr_null(sktmp)) {
8884 * In all tests we expect certificate authorities to have been sent to the
8885 * client. However, SSL_set_client_CA_list() should override
8886 * SSL_set0_CA_list()
8888 sktmp = SSL_get0_peer_CA_list(clientssl);
8889 if (!TEST_ptr(sktmp)
8890 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8891 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8892 name[tst == 0 ? 0 : 2]), 0)
8893 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8894 name[tst == 0 ? 1 : 3]), 0))
8900 SSL_free(serverssl);
8901 SSL_free(clientssl);
8904 for (i = 0; i < OSSL_NELEM(name); i++)
8905 X509_NAME_free(name[i]);
8906 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
8907 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
8913 static int test_ca_names(int tst)
8917 #ifndef OPENSSL_NO_TLS1_2
8918 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
8920 #ifndef OSSL_NO_USABLE_TLS1_3
8921 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
8927 #ifndef OPENSSL_NO_TLS1_2
8928 static const char *multiblock_cipherlist_data[]=
8936 /* Reduce the fragment size - so the multiblock test buffer can be small */
8937 # define MULTIBLOCK_FRAGSIZE 512
8939 static int test_multiblock_write(int test_index)
8941 static const char *fetchable_ciphers[]=
8943 "AES-128-CBC-HMAC-SHA1",
8944 "AES-128-CBC-HMAC-SHA256",
8945 "AES-256-CBC-HMAC-SHA1",
8946 "AES-256-CBC-HMAC-SHA256"
8948 const char *cipherlist = multiblock_cipherlist_data[test_index];
8949 const SSL_METHOD *smeth = TLS_server_method();
8950 const SSL_METHOD *cmeth = TLS_client_method();
8951 int min_version = TLS1_VERSION;
8952 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
8953 SSL_CTX *cctx = NULL, *sctx = NULL;
8954 SSL *clientssl = NULL, *serverssl = NULL;
8958 * Choose a buffer large enough to perform a multi-block operation
8959 * i.e: write_len >= 4 * frag_size
8960 * 9 * is chosen so that multiple multiblocks are used + some leftover.
8962 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
8963 unsigned char buf[sizeof(msg)], *p = buf;
8964 size_t readbytes, written, len;
8965 EVP_CIPHER *ciph = NULL;
8968 * Check if the cipher exists before attempting to use it since it only has
8969 * a hardware specific implementation.
8971 ciph = EVP_CIPHER_fetch(libctx, fetchable_ciphers[test_index], "");
8973 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
8976 EVP_CIPHER_free(ciph);
8978 /* Set up a buffer with some data that will be sent to the client */
8979 RAND_bytes(msg, sizeof(msg));
8981 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
8982 max_version, &sctx, &cctx, cert,
8986 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
8989 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8993 /* settings to force it to use AES-CBC-HMAC_SHA */
8994 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
8995 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
8998 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9001 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
9002 || !TEST_size_t_eq(written, sizeof(msg)))
9007 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
9012 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
9017 SSL_free(serverssl);
9018 SSL_free(clientssl);
9024 #endif /* OPENSSL_NO_TLS1_2 */
9026 static int test_session_timeout(int test)
9029 * Test session ordering and timeout
9030 * Can't explicitly test performance of the new code,
9031 * but can test to see if the ordering of the sessions
9032 * are correct, and they they are removed as expected
9034 SSL_SESSION *early = NULL;
9035 SSL_SESSION *middle = NULL;
9036 SSL_SESSION *late = NULL;
9039 long now = (long)time(NULL);
9042 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
9043 || !TEST_ptr(early = SSL_SESSION_new())
9044 || !TEST_ptr(middle = SSL_SESSION_new())
9045 || !TEST_ptr(late = SSL_SESSION_new()))
9048 /* assign unique session ids */
9049 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9050 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
9051 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9052 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
9053 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9054 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
9056 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9057 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
9058 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
9061 /* Make sure they are all added */
9062 if (!TEST_ptr(early->prev)
9063 || !TEST_ptr(middle->prev)
9064 || !TEST_ptr(late->prev))
9067 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
9068 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
9069 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
9072 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
9073 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
9074 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
9077 /* Make sure they are all still there */
9078 if (!TEST_ptr(early->prev)
9079 || !TEST_ptr(middle->prev)
9080 || !TEST_ptr(late->prev))
9083 /* Make sure they are in the expected order */
9084 if (!TEST_ptr_eq(late->next, middle)
9085 || !TEST_ptr_eq(middle->next, early)
9086 || !TEST_ptr_eq(early->prev, middle)
9087 || !TEST_ptr_eq(middle->prev, late))
9090 /* This should remove "early" */
9091 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1);
9092 if (!TEST_ptr_null(early->prev)
9093 || !TEST_ptr(middle->prev)
9094 || !TEST_ptr(late->prev))
9097 /* This should remove "middle" */
9098 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1);
9099 if (!TEST_ptr_null(early->prev)
9100 || !TEST_ptr_null(middle->prev)
9101 || !TEST_ptr(late->prev))
9104 /* This should remove "late" */
9105 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11);
9106 if (!TEST_ptr_null(early->prev)
9107 || !TEST_ptr_null(middle->prev)
9108 || !TEST_ptr_null(late->prev))
9111 /* Add them back in again */
9112 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9113 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
9114 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
9117 /* Make sure they are all added */
9118 if (!TEST_ptr(early->prev)
9119 || !TEST_ptr(middle->prev)
9120 || !TEST_ptr(late->prev))
9123 /* This should remove all of them */
9124 SSL_CTX_flush_sessions(ctx, 0);
9125 if (!TEST_ptr_null(early->prev)
9126 || !TEST_ptr_null(middle->prev)
9127 || !TEST_ptr_null(late->prev))
9130 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
9131 | SSL_CTX_get_session_cache_mode(ctx));
9133 /* make sure |now| is NOT equal to the current time */
9135 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
9136 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9137 || !TEST_long_ne(SSL_SESSION_get_time(early), now))
9143 SSL_SESSION_free(early);
9144 SSL_SESSION_free(middle);
9145 SSL_SESSION_free(late);
9150 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
9151 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
9152 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
9153 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
9154 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
9155 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
9156 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
9157 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
9158 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
9159 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
9161 static int test_servername(int tst)
9163 SSL_CTX *cctx = NULL, *sctx = NULL;
9164 SSL *clientssl = NULL, *serverssl = NULL;
9166 SSL_SESSION *sess = NULL;
9167 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
9169 #ifdef OPENSSL_NO_TLS1_2
9173 #ifdef OSSL_NO_USABLE_TLS1_3
9178 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9179 TLS_client_method(),
9181 (tst <= 4) ? TLS1_2_VERSION
9183 &sctx, &cctx, cert, privkey))
9184 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9188 if (tst != 1 && tst != 6) {
9189 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
9194 if (tst != 3 && tst != 8) {
9195 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9197 sexpectedhost = cexpectedhost = "goodhost";
9200 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9203 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
9205 || !TEST_str_eq(SSL_get_servername(serverssl,
9206 TLSEXT_NAMETYPE_host_name),
9210 /* Now repeat with a resumption handshake */
9212 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
9213 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
9214 || !TEST_true(SSL_SESSION_is_resumable(sess))
9215 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
9218 SSL_free(clientssl);
9219 SSL_free(serverssl);
9220 clientssl = serverssl = NULL;
9222 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
9226 if (!TEST_true(SSL_set_session(clientssl, sess)))
9229 sexpectedhost = cexpectedhost = "goodhost";
9230 if (tst == 2 || tst == 7) {
9231 /* Set an inconsistent hostname */
9232 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
9235 * In TLSv1.2 we expect the hostname from the original handshake, in
9236 * TLSv1.3 we expect the hostname from this handshake
9239 sexpectedhost = cexpectedhost = "altgoodhost";
9241 if (!TEST_str_eq(SSL_get_servername(clientssl,
9242 TLSEXT_NAMETYPE_host_name),
9245 } else if (tst == 4 || tst == 9) {
9247 * A TLSv1.3 session does not associate a session with a servername,
9248 * but a TLSv1.2 session does.
9251 sexpectedhost = cexpectedhost = NULL;
9253 if (!TEST_str_eq(SSL_get_servername(clientssl,
9254 TLSEXT_NAMETYPE_host_name),
9258 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9261 * In a TLSv1.2 resumption where the hostname was not acknowledged
9262 * we expect the hostname on the server to be empty. On the client we
9263 * return what was requested in this case.
9265 * Similarly if the client didn't set a hostname on an original TLSv1.2
9266 * session but is now, the server hostname will be empty, but the client
9269 if (tst == 1 || tst == 3)
9270 sexpectedhost = NULL;
9272 if (!TEST_str_eq(SSL_get_servername(clientssl,
9273 TLSEXT_NAMETYPE_host_name),
9278 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9281 if (!TEST_true(SSL_session_reused(clientssl))
9282 || !TEST_true(SSL_session_reused(serverssl))
9283 || !TEST_str_eq(SSL_get_servername(clientssl,
9284 TLSEXT_NAMETYPE_host_name),
9286 || !TEST_str_eq(SSL_get_servername(serverssl,
9287 TLSEXT_NAMETYPE_host_name),
9294 SSL_SESSION_free(sess);
9295 SSL_free(serverssl);
9296 SSL_free(clientssl);
9303 #if !defined(OPENSSL_NO_EC) \
9304 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9306 * Test that if signature algorithms are not available, then we do not offer or
9308 * Test 0: Two RSA sig algs available: both RSA sig algs shared
9309 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
9310 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
9311 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
9312 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
9313 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
9315 static int test_sigalgs_available(int idx)
9317 SSL_CTX *cctx = NULL, *sctx = NULL;
9318 SSL *clientssl = NULL, *serverssl = NULL;
9320 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
9321 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
9322 OSSL_PROVIDER *filterprov = NULL;
9325 if (!TEST_ptr(tmpctx))
9328 if (idx != 0 && idx != 3) {
9329 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
9330 filter_provider_init)))
9333 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
9334 if (!TEST_ptr(filterprov))
9339 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
9340 * or accepted for the peer that uses this libctx. Note that libssl
9341 * *requires* SHA2-256 to be available so we cannot disable that. We
9342 * also need SHA1 for our certificate.
9344 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
9348 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
9350 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
9355 if (idx == 1 || idx == 4)
9361 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
9362 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
9363 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
9367 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9368 TLS_client_method(),
9371 &sctx, &cctx, cert, privkey)))
9374 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9375 TLS_client_method(),
9378 &sctx, &cctx, cert2, privkey2)))
9382 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
9384 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9385 "ECDHE-RSA-AES128-GCM-SHA256")))
9388 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9389 "ECDHE-ECDSA-AES128-GCM-SHA256")))
9394 if (!SSL_CTX_set1_sigalgs_list(cctx,
9395 "rsa_pss_rsae_sha384"
9396 ":rsa_pss_rsae_sha256")
9397 || !SSL_CTX_set1_sigalgs_list(sctx,
9398 "rsa_pss_rsae_sha384"
9399 ":rsa_pss_rsae_sha256"))
9402 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
9403 || !SSL_CTX_set1_sigalgs_list(sctx,
9404 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
9409 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
9410 SSL_FILETYPE_PEM), 1)
9411 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
9413 SSL_FILETYPE_PEM), 1)
9414 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
9417 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9421 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9424 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
9425 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
9427 (idx == 0 || idx == 3) ? 2 : 1))
9430 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
9433 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
9437 testresult = filter_provider_check_clean_finish();
9440 SSL_free(serverssl);
9441 SSL_free(clientssl);
9444 OSSL_PROVIDER_unload(filterprov);
9445 OSSL_LIB_CTX_free(tmpctx);
9450 * !defined(OPENSSL_NO_EC) \
9451 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9454 #ifndef OPENSSL_NO_TLS1_3
9455 /* This test can run in TLSv1.3 even if ec and dh are disabled */
9456 static int test_pluggable_group(int idx)
9458 SSL_CTX *cctx = NULL, *sctx = NULL;
9459 SSL *clientssl = NULL, *serverssl = NULL;
9461 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
9462 /* Check that we are not impacted by a provider without any groups */
9463 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
9464 const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
9466 if (!TEST_ptr(tlsprov))
9469 if (legacyprov == NULL) {
9471 * In this case we assume we've been built with "no-legacy" and skip
9472 * this test (there is no OPENSSL_NO_LEGACY)
9478 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9479 TLS_client_method(),
9482 &sctx, &cctx, cert, privkey))
9483 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9487 if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
9488 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
9491 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9494 if (!TEST_str_eq(group_name,
9495 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
9501 SSL_free(serverssl);
9502 SSL_free(clientssl);
9505 OSSL_PROVIDER_unload(tlsprov);
9506 OSSL_PROVIDER_unload(legacyprov);
9512 * This function triggers encode, decode and sign functions
9513 * of the artificial "xorhmacsig" algorithm implemented in tls-provider
9514 * creating private key and certificate files for use in TLS testing.
9516 static int create_cert_key(int idx, char *certfilename, char *privkeyfilename)
9518 EVP_PKEY_CTX * evpctx = EVP_PKEY_CTX_new_from_name(libctx,
9519 (idx == 0) ? "xorhmacsig" : "xorhmacsha2sig", NULL);
9520 EVP_PKEY *pkey = NULL;
9521 X509 *x509 = X509_new();
9522 X509_NAME *name = NULL;
9523 BIO *keybio = NULL, *certbio = NULL;
9526 if (!TEST_ptr(evpctx)
9527 || !TEST_true(EVP_PKEY_keygen_init(evpctx))
9528 || !TEST_true(EVP_PKEY_generate(evpctx, &pkey))
9531 || !TEST_true(ASN1_INTEGER_set(X509_get_serialNumber(x509), 1))
9532 || !TEST_true(X509_gmtime_adj(X509_getm_notBefore(x509), 0))
9533 || !TEST_true(X509_gmtime_adj(X509_getm_notAfter(x509), 31536000L))
9534 || !TEST_true(X509_set_pubkey(x509, pkey))
9535 || !TEST_ptr(name = X509_get_subject_name(x509))
9536 || !TEST_true(X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC,
9537 (unsigned char *)"CH", -1, -1, 0))
9538 || !TEST_true(X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC,
9539 (unsigned char *)"test.org", -1, -1, 0))
9540 || !TEST_true(X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
9541 (unsigned char *)"localhost", -1, -1, 0))
9542 || !TEST_true(X509_set_issuer_name(x509, name))
9543 || !TEST_true(X509_sign(x509, pkey, EVP_sha1()))
9544 || !TEST_ptr(keybio = BIO_new_file(privkeyfilename, "wb"))
9545 || !TEST_true(PEM_write_bio_PrivateKey(keybio, pkey, NULL, NULL, 0, NULL, NULL))
9546 || !TEST_ptr(certbio = BIO_new_file(certfilename, "wb"))
9547 || !TEST_true(PEM_write_bio_X509(certbio, x509)))
9550 EVP_PKEY_free(pkey);
9552 EVP_PKEY_CTX_free(evpctx);
9559 * Test that signature algorithms loaded via the provider interface can
9560 * correctly establish a TLS (1.3) connection.
9561 * Test 0: Signature algorithm with built-in hashing functionality: "xorhmacsig"
9562 * Test 1: Signature algorithm using external SHA2 hashing: "xorhmacsha2sig"
9563 * Test 2: Test 0 using RPK
9564 * Test 3: Test 1 using RPK
9566 static int test_pluggable_signature(int idx)
9568 static const unsigned char cert_type_rpk[] = { TLSEXT_cert_type_rpk, TLSEXT_cert_type_x509 };
9569 SSL_CTX *cctx = NULL, *sctx = NULL;
9570 SSL *clientssl = NULL, *serverssl = NULL;
9572 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
9573 OSSL_PROVIDER *defaultprov = OSSL_PROVIDER_load(libctx, "default");
9574 char *certfilename = "tls-prov-cert.pem";
9575 char *privkeyfilename = "tls-prov-key.pem";
9576 int sigidx = idx % 2;
9577 int rpkidx = idx / 2;
9579 /* create key and certificate for the different algorithm types */
9580 if (!TEST_ptr(tlsprov)
9581 || !TEST_true(create_cert_key(sigidx, certfilename, privkeyfilename)))
9584 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9585 TLS_client_method(),
9588 &sctx, &cctx, certfilename, privkeyfilename))
9589 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9593 /* Enable RPK for server cert */
9595 if (!TEST_true(SSL_set1_server_cert_type(serverssl, cert_type_rpk, sizeof(cert_type_rpk)))
9596 || !TEST_true(SSL_set1_server_cert_type(clientssl, cert_type_rpk, sizeof(cert_type_rpk))))
9600 /* This is necessary to pass minimal setup w/o other groups configured */
9601 if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup"))
9602 || !TEST_true(SSL_set1_groups_list(clientssl, "xorgroup")))
9606 * If this connection gets established, it must have been completed
9607 * via the tls-provider-implemented "hmacsig" algorithm, testing
9608 * both sign and verify functions during handshake.
9610 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9613 /* If using RPK, make sure we got one */
9614 if (rpkidx && !TEST_long_eq(SSL_get_verify_result(clientssl), X509_V_ERR_RPK_UNTRUSTED))
9620 SSL_free(serverssl);
9621 SSL_free(clientssl);
9624 OSSL_PROVIDER_unload(tlsprov);
9625 OSSL_PROVIDER_unload(defaultprov);
9631 #ifndef OPENSSL_NO_TLS1_2
9632 static int test_ssl_dup(void)
9634 SSL_CTX *cctx = NULL, *sctx = NULL;
9635 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
9637 BIO *rbio = NULL, *wbio = NULL;
9639 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9640 TLS_client_method(),
9643 &sctx, &cctx, cert, privkey)))
9646 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9650 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
9651 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
9654 client2ssl = SSL_dup(clientssl);
9655 rbio = SSL_get_rbio(clientssl);
9657 || !TEST_true(BIO_up_ref(rbio)))
9659 SSL_set0_rbio(client2ssl, rbio);
9662 wbio = SSL_get_wbio(clientssl);
9663 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
9665 SSL_set0_wbio(client2ssl, wbio);
9668 if (!TEST_ptr(client2ssl)
9669 /* Handshake not started so pointers should be different */
9670 || !TEST_ptr_ne(clientssl, client2ssl))
9673 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
9674 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
9677 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
9680 SSL_free(clientssl);
9681 clientssl = SSL_dup(client2ssl);
9682 if (!TEST_ptr(clientssl)
9683 /* Handshake has finished so pointers should be the same */
9684 || !TEST_ptr_eq(clientssl, client2ssl))
9690 SSL_free(serverssl);
9691 SSL_free(clientssl);
9692 SSL_free(client2ssl);
9699 # ifndef OPENSSL_NO_DH
9701 static EVP_PKEY *tmp_dh_params = NULL;
9703 /* Helper function for the test_set_tmp_dh() tests */
9704 static EVP_PKEY *get_tmp_dh_params(void)
9706 if (tmp_dh_params == NULL) {
9708 OSSL_PARAM_BLD *tmpl = NULL;
9709 EVP_PKEY_CTX *pctx = NULL;
9710 OSSL_PARAM *params = NULL;
9711 EVP_PKEY *dhpkey = NULL;
9713 p = BN_get_rfc3526_prime_2048(NULL);
9717 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
9719 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
9722 tmpl = OSSL_PARAM_BLD_new();
9724 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
9725 OSSL_PKEY_PARAM_FFC_P,
9727 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
9728 OSSL_PKEY_PARAM_FFC_G,
9732 params = OSSL_PARAM_BLD_to_param(tmpl);
9733 if (!TEST_ptr(params)
9734 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
9735 EVP_PKEY_KEY_PARAMETERS,
9739 tmp_dh_params = dhpkey;
9742 EVP_PKEY_CTX_free(pctx);
9743 OSSL_PARAM_BLD_free(tmpl);
9744 OSSL_PARAM_free(params);
9747 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
9750 return tmp_dh_params;
9753 # ifndef OPENSSL_NO_DEPRECATED_3_0
9754 /* Callback used by test_set_tmp_dh() */
9755 static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
9757 EVP_PKEY *dhpkey = get_tmp_dh_params();
9760 if (!TEST_ptr(dhpkey))
9764 * libssl does not free the returned DH, so we free it now knowing that even
9765 * after we free dhpkey, there will still be a reference to the owning
9766 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
9767 * of time we need it for.
9769 ret = EVP_PKEY_get1_DH(dhpkey);
9772 EVP_PKEY_free(dhpkey);
9779 * Test the various methods for setting temporary DH parameters
9781 * Test 0: Default (no auto) setting
9782 * Test 1: Explicit SSL_CTX auto off
9783 * Test 2: Explicit SSL auto off
9784 * Test 3: Explicit SSL_CTX auto on
9785 * Test 4: Explicit SSL auto on
9786 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
9787 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
9789 * The following are testing deprecated APIs, so we only run them if available
9790 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
9791 * Test 8: Explicit SSL auto off, custom DH params via DH
9792 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
9793 * Test 10: Explicit SSL auto off, custom DH params via callback
9795 static int test_set_tmp_dh(int idx)
9797 SSL_CTX *cctx = NULL, *sctx = NULL;
9798 SSL *clientssl = NULL, *serverssl = NULL;
9800 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
9801 int expected = (idx <= 2) ? 0 : 1;
9802 EVP_PKEY *dhpkey = NULL;
9803 # ifndef OPENSSL_NO_DEPRECATED_3_0
9811 if (idx >= 5 && idx <= 8) {
9812 dhpkey = get_tmp_dh_params();
9813 if (!TEST_ptr(dhpkey))
9816 # ifndef OPENSSL_NO_DEPRECATED_3_0
9817 if (idx == 7 || idx == 8) {
9818 dh = EVP_PKEY_get1_DH(dhpkey);
9824 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9825 TLS_client_method(),
9828 &sctx, &cctx, cert, privkey)))
9831 if ((idx & 1) == 1) {
9832 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
9837 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
9841 # ifndef OPENSSL_NO_DEPRECATED_3_0
9842 else if (idx == 7) {
9843 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
9845 } else if (idx == 9) {
9846 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
9850 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9854 if ((idx & 1) == 0 && idx != 0) {
9855 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
9859 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
9863 # ifndef OPENSSL_NO_DEPRECATED_3_0
9864 else if (idx == 8) {
9865 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
9867 } else if (idx == 10) {
9868 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
9872 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9873 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9874 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
9878 * If autoon then we should succeed. Otherwise we expect failure because
9879 * there are no parameters
9881 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
9882 SSL_ERROR_NONE), expected))
9888 # ifndef OPENSSL_NO_DEPRECATED_3_0
9891 SSL_free(serverssl);
9892 SSL_free(clientssl);
9895 EVP_PKEY_free(dhpkey);
9901 * Test the auto DH keys are appropriately sized
9903 static int test_dh_auto(int idx)
9905 SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
9906 SSL_CTX *sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9907 SSL *clientssl = NULL, *serverssl = NULL;
9909 EVP_PKEY *tmpkey = NULL;
9910 char *thiscert = NULL, *thiskey = NULL;
9911 size_t expdhsize = 0;
9912 const char *ciphersuite = "DHE-RSA-AES128-SHA";
9914 if (!TEST_ptr(sctx) || !TEST_ptr(cctx))
9919 /* The FIPS provider doesn't support this DH size - so we ignore it */
9924 thiscert = cert1024;
9925 thiskey = privkey1024;
9927 SSL_CTX_set_security_level(sctx, 1);
9928 SSL_CTX_set_security_level(cctx, 1);
9931 /* 2048 bit prime */
9937 thiscert = cert3072;
9938 thiskey = privkey3072;
9942 thiscert = cert4096;
9943 thiskey = privkey4096;
9947 thiscert = cert8192;
9948 thiskey = privkey8192;
9951 /* No certificate cases */
9953 /* The FIPS provider doesn't support this DH size - so we ignore it */
9958 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
9962 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
9966 TEST_error("Invalid text index");
9970 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL,
9974 &sctx, &cctx, thiscert, thiskey)))
9977 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9981 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
9982 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9983 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9984 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
9985 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
9989 * Send the server's first flight. At this point the server has created the
9990 * temporary DH key but hasn't finished using it yet. Once used it is
9991 * removed, so we cannot test it.
9993 if (!TEST_int_le(SSL_connect(clientssl), 0)
9994 || !TEST_int_le(SSL_accept(serverssl), 0))
9997 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
9999 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
10002 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10008 SSL_free(serverssl);
10009 SSL_free(clientssl);
10010 SSL_CTX_free(sctx);
10011 SSL_CTX_free(cctx);
10012 EVP_PKEY_free(tmpkey);
10017 # endif /* OPENSSL_NO_DH */
10018 #endif /* OPENSSL_NO_TLS1_2 */
10020 #ifndef OSSL_NO_USABLE_TLS1_3
10022 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
10023 * that it works even without a certificate configured for the original
10026 static int test_sni_tls13(void)
10028 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
10029 SSL *clientssl = NULL, *serverssl = NULL;
10030 int testresult = 0;
10032 /* Reset callback counter */
10035 /* Create an initial SSL_CTX with no certificate configured */
10036 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10037 if (!TEST_ptr(sctx))
10039 /* Require TLSv1.3 as a minimum */
10040 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10041 TLS_client_method(), TLS1_3_VERSION, 0,
10042 &sctx2, &cctx, cert, privkey)))
10046 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
10047 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
10051 * Connection should still succeed because the final SSL_CTX has the right
10052 * certificates configured.
10054 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10055 &clientssl, NULL, NULL))
10056 || !TEST_true(create_ssl_connection(serverssl, clientssl,
10060 /* We should have had the SNI callback called exactly once */
10061 if (!TEST_int_eq(snicb, 1))
10067 SSL_free(serverssl);
10068 SSL_free(clientssl);
10069 SSL_CTX_free(sctx2);
10070 SSL_CTX_free(sctx);
10071 SSL_CTX_free(cctx);
10076 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
10080 static int test_ticket_lifetime(int idx)
10082 SSL_CTX *cctx = NULL, *sctx = NULL;
10083 SSL *clientssl = NULL, *serverssl = NULL;
10084 int testresult = 0;
10085 int version = TLS1_3_VERSION;
10087 #define ONE_WEEK_SEC (7 * 24 * 60 * 60)
10088 #define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
10091 #ifdef OPENSSL_NO_TLS1_2
10092 return TEST_skip("TLS 1.2 is disabled.");
10094 version = TLS1_2_VERSION;
10098 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10099 TLS_client_method(), version, version,
10100 &sctx, &cctx, cert, privkey)))
10103 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10104 &clientssl, NULL, NULL)))
10108 * Set the timeout to be more than 1 week
10109 * make sure the returned value is the default
10111 if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
10112 SSL_get_default_timeout(serverssl)))
10115 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10119 /* TLSv1.2 uses the set value */
10120 if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC))
10123 /* TLSv1.3 uses the limited value */
10124 if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC))
10130 SSL_free(serverssl);
10131 SSL_free(clientssl);
10132 SSL_CTX_free(sctx);
10133 SSL_CTX_free(cctx);
10138 * Test that setting an ALPN does not violate RFC
10140 static int test_set_alpn(void)
10142 SSL_CTX *ctx = NULL;
10144 int testresult = 0;
10146 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
10147 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
10148 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
10149 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
10150 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
10151 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
10153 /* Create an initial SSL_CTX with no certificate configured */
10154 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10155 if (!TEST_ptr(ctx))
10158 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
10159 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
10161 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
10163 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
10165 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
10167 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
10169 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
10171 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
10173 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
10175 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
10178 ssl = SSL_new(ctx);
10179 if (!TEST_ptr(ssl))
10182 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
10184 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
10186 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
10188 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
10190 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
10192 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
10194 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
10196 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
10198 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
10210 * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
10212 static int test_set_verify_cert_store_ssl_ctx(void)
10214 SSL_CTX *ctx = NULL;
10215 int testresult = 0;
10216 X509_STORE *store = NULL, *new_store = NULL,
10217 *cstore = NULL, *new_cstore = NULL;
10219 /* Create an initial SSL_CTX. */
10220 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10221 if (!TEST_ptr(ctx))
10224 /* Retrieve verify store pointer. */
10225 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10228 /* Retrieve chain store pointer. */
10229 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10232 /* We haven't set any yet, so this should be NULL. */
10233 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10236 /* Create stores. We use separate stores so pointers are different. */
10237 new_store = X509_STORE_new();
10238 if (!TEST_ptr(new_store))
10241 new_cstore = X509_STORE_new();
10242 if (!TEST_ptr(new_cstore))
10246 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store)))
10249 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore)))
10252 /* Should be able to retrieve the same pointer. */
10253 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10256 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10259 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10262 /* Should be able to unset again. */
10263 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL)))
10266 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL)))
10269 /* Should now be NULL. */
10270 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10273 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10276 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10282 X509_STORE_free(new_store);
10283 X509_STORE_free(new_cstore);
10289 * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store.
10291 static int test_set_verify_cert_store_ssl(void)
10293 SSL_CTX *ctx = NULL;
10295 int testresult = 0;
10296 X509_STORE *store = NULL, *new_store = NULL,
10297 *cstore = NULL, *new_cstore = NULL;
10299 /* Create an initial SSL_CTX. */
10300 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10301 if (!TEST_ptr(ctx))
10304 /* Create an SSL object. */
10305 ssl = SSL_new(ctx);
10306 if (!TEST_ptr(ssl))
10309 /* Retrieve verify store pointer. */
10310 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10313 /* Retrieve chain store pointer. */
10314 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10317 /* We haven't set any yet, so this should be NULL. */
10318 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10321 /* Create stores. We use separate stores so pointers are different. */
10322 new_store = X509_STORE_new();
10323 if (!TEST_ptr(new_store))
10326 new_cstore = X509_STORE_new();
10327 if (!TEST_ptr(new_cstore))
10331 if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store)))
10334 if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore)))
10337 /* Should be able to retrieve the same pointer. */
10338 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10341 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10344 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10347 /* Should be able to unset again. */
10348 if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL)))
10351 if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL)))
10354 /* Should now be NULL. */
10355 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10358 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10361 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10367 X509_STORE_free(new_store);
10368 X509_STORE_free(new_cstore);
10375 static int test_inherit_verify_param(void)
10377 int testresult = 0;
10379 SSL_CTX *ctx = NULL;
10380 X509_VERIFY_PARAM *cp = NULL;
10382 X509_VERIFY_PARAM *sp = NULL;
10383 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
10385 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10386 if (!TEST_ptr(ctx))
10389 cp = SSL_CTX_get0_param(ctx);
10392 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
10395 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
10397 ssl = SSL_new(ctx);
10398 if (!TEST_ptr(ssl))
10401 sp = SSL_get0_param(ssl);
10404 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
10416 static int test_load_dhfile(void)
10418 #ifndef OPENSSL_NO_DH
10419 int testresult = 0;
10421 SSL_CTX *ctx = NULL;
10422 SSL_CONF_CTX *cctx = NULL;
10424 if (dhfile == NULL)
10427 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()))
10428 || !TEST_ptr(cctx = SSL_CONF_CTX_new()))
10431 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
10432 SSL_CONF_CTX_set_flags(cctx,
10433 SSL_CONF_FLAG_CERTIFICATE
10434 | SSL_CONF_FLAG_SERVER
10435 | SSL_CONF_FLAG_FILE);
10437 if (!TEST_int_eq(SSL_CONF_cmd(cctx, "DHParameters", dhfile), 2))
10442 SSL_CONF_CTX_free(cctx);
10447 return TEST_skip("DH not supported by this build");
10451 #ifndef OSSL_NO_USABLE_TLS1_3
10452 /* Test that read_ahead works across a key change */
10453 static int test_read_ahead_key_change(void)
10455 SSL_CTX *cctx = NULL, *sctx = NULL;
10456 SSL *clientssl = NULL, *serverssl = NULL;
10457 int testresult = 0;
10458 char *msg = "Hello World";
10459 size_t written, readbytes;
10463 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10464 TLS_client_method(), TLS1_3_VERSION, 0,
10465 &sctx, &cctx, cert, privkey)))
10468 SSL_CTX_set_read_ahead(sctx, 1);
10470 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10471 &clientssl, NULL, NULL)))
10474 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10477 /* Write some data, send a key update, write more data */
10478 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10479 || !TEST_size_t_eq(written, strlen(msg)))
10482 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
10485 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10486 || !TEST_size_t_eq(written, strlen(msg)))
10490 * Since read_ahead is on the first read below should read the record with
10491 * the first app data, the second record with the key update message, and
10492 * the third record with the app data all in one go. We should be able to
10493 * still process the read_ahead data correctly even though it crosses
10496 for (i = 0; i < 2; i++) {
10497 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
10501 buf[readbytes] = '\0';
10502 if (!TEST_str_eq(buf, msg))
10509 SSL_free(serverssl);
10510 SSL_free(clientssl);
10511 SSL_CTX_free(sctx);
10512 SSL_CTX_free(cctx);
10516 static size_t record_pad_cb(SSL *s, int type, size_t len, void *arg)
10520 switch ((*called)++) {
10522 /* Add some padding to first record */
10525 /* Maximally pad the second record */
10526 return SSL3_RT_MAX_PLAIN_LENGTH - len;
10529 * Exceeding the maximum padding should be fine. It should just pad to
10530 * the maximum anyway
10532 return SSL3_RT_MAX_PLAIN_LENGTH + 1 - len;
10535 * Very large padding should also be ok. Should just pad to the maximum
10545 * Test that setting record padding in TLSv1.3 works as expected
10546 * Test 0: Record padding callback on the SSL_CTX
10547 * Test 1: Record padding callback on the SSL
10548 * Test 2: Record block padding on the SSL_CTX
10549 * Test 3: Record block padding on the SSL
10551 static int test_tls13_record_padding(int idx)
10553 SSL_CTX *cctx = NULL, *sctx = NULL;
10554 SSL *clientssl = NULL, *serverssl = NULL;
10555 int testresult = 0;
10556 char *msg = "Hello World";
10557 size_t written, readbytes;
10562 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10563 TLS_client_method(), TLS1_3_VERSION, 0,
10564 &sctx, &cctx, cert, privkey)))
10568 SSL_CTX_set_record_padding_callback(cctx, record_pad_cb);
10569 SSL_CTX_set_record_padding_callback_arg(cctx, &called);
10570 if (!TEST_ptr_eq(SSL_CTX_get_record_padding_callback_arg(cctx), &called))
10572 } else if (idx == 2) {
10573 /* Exceeding the max plain length should fail */
10574 if (!TEST_false(SSL_CTX_set_block_padding(cctx,
10575 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
10577 if (!TEST_true(SSL_CTX_set_block_padding(cctx, 512)))
10581 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10582 &clientssl, NULL, NULL)))
10586 SSL_set_record_padding_callback(clientssl, record_pad_cb);
10587 SSL_set_record_padding_callback_arg(clientssl, &called);
10588 if (!TEST_ptr_eq(SSL_get_record_padding_callback_arg(clientssl), &called))
10590 } else if (idx == 3) {
10591 /* Exceeding the max plain length should fail */
10592 if (!TEST_false(SSL_set_block_padding(clientssl,
10593 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
10595 if (!TEST_true(SSL_set_block_padding(clientssl, 512)))
10599 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10604 * Write some data, then check we can read it. Do this four times to check
10605 * we can continue to write and read padded data after the initial record
10606 * padding has been added. We don't actually check that the padding has
10607 * been applied to the record - just that we can continue to communicate
10608 * normally and that the callback has been called (if appropriate).
10610 for (i = 0; i < 4; i++) {
10611 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10612 || !TEST_size_t_eq(written, strlen(msg)))
10615 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
10617 || !TEST_size_t_eq(written, readbytes))
10620 buf[readbytes] = '\0';
10621 if (!TEST_str_eq(buf, msg))
10625 if ((idx == 0 || idx == 1) && !TEST_int_eq(called, 4))
10630 SSL_free(serverssl);
10631 SSL_free(clientssl);
10632 SSL_CTX_free(sctx);
10633 SSL_CTX_free(cctx);
10636 #endif /* OSSL_NO_USABLE_TLS1_3 */
10638 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
10640 * Test TLSv1.2 with a pipeline capable cipher. TLSv1.3 and DTLS do not
10641 * support this yet. The only pipeline capable cipher that we have is in the
10642 * dasync engine (providers don't support this yet), so we have to use
10643 * deprecated APIs for this test.
10645 * Test 0: Client has pipelining enabled, server does not
10646 * Test 1: Server has pipelining enabled, client does not
10647 * Test 2: Client has pipelining enabled, server does not: not enough data to
10648 * fill all the pipelines
10649 * Test 3: Client has pipelining enabled, server does not: not enough data to
10650 * fill all the pipelines by more than a full pipeline's worth
10651 * Test 4: Client has pipelining enabled, server does not: more data than all
10652 * the available pipelines can take
10653 * Test 5: Client has pipelining enabled, server does not: Maximum size pipeline
10655 static int test_pipelining(int idx)
10657 SSL_CTX *cctx = NULL, *sctx = NULL;
10658 SSL *clientssl = NULL, *serverssl = NULL, *peera, *peerb;
10659 int testresult = 0, numreads;
10660 /* A 55 byte message */
10661 unsigned char *msg = (unsigned char *)
10662 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123";
10663 size_t written, readbytes, offset, msglen, fragsize = 10, numpipes = 5;
10664 size_t expectedreads;
10665 unsigned char *buf = NULL;
10668 if (!TEST_ptr(e = ENGINE_by_id("dasync")))
10671 if (!TEST_true(ENGINE_init(e))) {
10676 if (!TEST_true(ENGINE_register_ciphers(e)))
10679 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10680 TLS_client_method(), 0,
10681 TLS1_2_VERSION, &sctx, &cctx, cert,
10685 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10686 &clientssl, NULL, NULL)))
10689 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES128-SHA")))
10692 /* peera is always configured for pipelining, while peerb is not. */
10704 /* Maximum allowed fragment size */
10705 fragsize = SSL3_RT_MAX_PLAIN_LENGTH;
10706 msglen = fragsize * numpipes;
10707 msg = OPENSSL_malloc(msglen);
10708 if (!TEST_ptr(msg))
10710 if (!TEST_int_gt(RAND_bytes_ex(libctx, msg, msglen, 0), 0))
10712 } else if (idx == 4) {
10718 msglen -= 2; /* Send 2 less bytes */
10720 msglen -= 12; /* Send 12 less bytes */
10722 buf = OPENSSL_malloc(msglen);
10723 if (!TEST_ptr(buf))
10728 * Test that setting a split send fragment longer than the maximum
10731 if (!TEST_false(SSL_set_split_send_fragment(peera, fragsize + 1)))
10736 * In the normal case. We have 5 pipelines with 10 bytes per pipeline
10737 * (50 bytes in total). This is a ridiculously small number of bytes -
10738 * but sufficient for our purposes
10740 if (!TEST_true(SSL_set_max_pipelines(peera, numpipes))
10741 || !TEST_true(SSL_set_split_send_fragment(peera, fragsize)))
10744 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10747 /* Write some data from peera to peerb */
10748 if (!TEST_true(SSL_write_ex(peera, msg, msglen, &written))
10749 || !TEST_size_t_eq(written, msglen))
10753 * If the pipelining code worked, then we expect all |numpipes| pipelines to
10754 * have been used - except in test 3 where only |numpipes - 1| pipelines
10755 * will be used. This will result in |numpipes| records (|numpipes - 1| for
10756 * test 3) having been sent to peerb. Since peerb is not using read_ahead we
10757 * expect this to be read in |numpipes| or |numpipes - 1| separate
10758 * SSL_read_ex calls. In the case of test 4, there is then one additional
10759 * read for left over data that couldn't fit in the previous pipelines
10761 for (offset = 0, numreads = 0;
10763 offset += readbytes, numreads++) {
10764 if (!TEST_true(SSL_read_ex(peerb, buf + offset,
10765 msglen - offset, &readbytes)))
10769 expectedreads = idx == 4 ? numpipes + 1
10770 : (idx == 3 ? numpipes - 1 : numpipes);
10771 if (!TEST_mem_eq(msg, msglen, buf, offset)
10772 || !TEST_int_eq(numreads, expectedreads))
10776 * Write some data from peerb to peera. We do this in up to |numpipes + 1|
10777 * chunks to exercise the read pipelining code on peera.
10779 for (offset = 0; offset < msglen; offset += fragsize) {
10780 size_t sendlen = msglen - offset;
10782 if (sendlen > fragsize)
10783 sendlen = fragsize;
10784 if (!TEST_true(SSL_write_ex(peerb, msg + offset, sendlen, &written))
10785 || !TEST_size_t_eq(written, sendlen))
10790 * The data was written in |numpipes|, |numpipes - 1| or |numpipes + 1|
10791 * separate chunks (depending on which test we are running). If the
10792 * pipelining is working then we expect peera to read up to numpipes chunks
10793 * and process them in parallel, giving back the complete result in a single
10794 * call to SSL_read_ex
10796 if (!TEST_true(SSL_read_ex(peera, buf, msglen, &readbytes))
10797 || !TEST_size_t_le(readbytes, msglen))
10803 if (!TEST_true(SSL_read_ex(peera, buf + readbytes,
10804 msglen - readbytes, &readbytes2)))
10806 readbytes += readbytes2;
10807 if (!TEST_size_t_le(readbytes, msglen))
10811 if (!TEST_mem_eq(msg, msglen, buf, readbytes))
10816 SSL_free(serverssl);
10817 SSL_free(clientssl);
10818 SSL_CTX_free(sctx);
10819 SSL_CTX_free(cctx);
10820 ENGINE_unregister_ciphers(e);
10828 #endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) */
10830 static int check_version_string(SSL *s, int version)
10832 const char *verstr = NULL;
10841 case TLS1_1_VERSION:
10842 verstr = "TLSv1.1";
10844 case TLS1_2_VERSION:
10845 verstr = "TLSv1.2";
10847 case TLS1_3_VERSION:
10848 verstr = "TLSv1.3";
10850 case DTLS1_VERSION:
10853 case DTLS1_2_VERSION:
10854 verstr = "DTLSv1.2";
10857 return TEST_str_eq(verstr, SSL_get_version(s));
10861 * Test that SSL_version, SSL_get_version, SSL_is_quic, SSL_is_tls and
10862 * SSL_is_dtls return the expected results for a (D)TLS connection. Compare with
10863 * test_version() in quicapitest.c which does the same thing for QUIC
10866 static int test_version(int idx)
10868 SSL_CTX *cctx = NULL, *sctx = NULL;
10869 SSL *clientssl = NULL, *serverssl = NULL;
10870 int testresult = 0, version;
10871 const SSL_METHOD *servmeth = TLS_server_method();
10872 const SSL_METHOD *clientmeth = TLS_client_method();
10875 #if !defined(OPENSSL_NO_SSL3)
10877 version = SSL3_VERSION;
10880 #if !defined(OPENSSL_NO_TLS1)
10882 version = TLS1_VERSION;
10885 #if !defined(OPENSSL_NO_TLS1_2)
10887 version = TLS1_2_VERSION;
10890 #if !defined(OSSL_NO_USABLE_TLS1_3)
10892 version = TLS1_3_VERSION;
10895 #if !defined(OPENSSL_NO_DTLS1)
10897 version = DTLS1_VERSION;
10900 #if !defined(OPENSSL_NO_DTLS1_2)
10902 version = DTLS1_2_VERSION;
10906 * NB we do not support QUIC in this test. That is covered by quicapitest.c
10907 * We also don't support DTLS1_BAD_VER since we have no server support for
10911 TEST_skip("Unsupported protocol version");
10916 && (version == SSL3_VERSION
10917 || version == TLS1_VERSION
10918 || version == DTLS1_VERSION)) {
10919 TEST_skip("Protocol version not supported with FIPS");
10923 #if !defined(OPENSSL_NO_DTLS)
10924 if (version == DTLS1_VERSION || version == DTLS1_2_VERSION) {
10925 servmeth = DTLS_server_method();
10926 clientmeth = DTLS_client_method();
10930 if (!TEST_true(create_ssl_ctx_pair(libctx, servmeth, clientmeth, version,
10931 version, &sctx, &cctx, cert, privkey)))
10934 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
10935 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
10936 "DEFAULT:@SECLEVEL=0")))
10939 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10940 &clientssl, NULL, NULL)))
10943 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10946 if (!TEST_int_eq(SSL_version(serverssl), version)
10947 || !TEST_int_eq(SSL_version(clientssl), version)
10948 || !TEST_true(check_version_string(serverssl, version))
10949 || !TEST_true(check_version_string(clientssl, version)))
10952 if (version == DTLS1_VERSION || version == DTLS1_2_VERSION) {
10953 if (!TEST_true(SSL_is_dtls(serverssl))
10954 || !TEST_true(SSL_is_dtls(clientssl))
10955 || !TEST_false(SSL_is_tls(serverssl))
10956 || !TEST_false(SSL_is_tls(clientssl))
10957 || !TEST_false(SSL_is_quic(serverssl))
10958 || !TEST_false(SSL_is_quic(clientssl)))
10961 if (!TEST_true(SSL_is_tls(serverssl))
10962 || !TEST_true(SSL_is_tls(clientssl))
10963 || !TEST_false(SSL_is_dtls(serverssl))
10964 || !TEST_false(SSL_is_dtls(clientssl))
10965 || !TEST_false(SSL_is_quic(serverssl))
10966 || !TEST_false(SSL_is_quic(clientssl)))
10972 SSL_free(serverssl);
10973 SSL_free(clientssl);
10974 SSL_CTX_free(sctx);
10975 SSL_CTX_free(cctx);
10980 * Test that the SSL_rstate_string*() APIs return sane results
10982 static int test_rstate_string(void)
10984 SSL_CTX *cctx = NULL, *sctx = NULL;
10985 SSL *clientssl = NULL, *serverssl = NULL;
10986 int testresult = 0, version;
10987 const SSL_METHOD *servmeth = TLS_server_method();
10988 const SSL_METHOD *clientmeth = TLS_client_method();
10989 size_t written, readbytes;
10990 unsigned char buf[2];
10991 unsigned char dummyheader[SSL3_RT_HEADER_LENGTH] = {
10992 SSL3_RT_APPLICATION_DATA,
10993 TLS1_2_VERSION_MAJOR,
10994 0, /* To be filled in later */
10999 if (!TEST_true(create_ssl_ctx_pair(libctx, servmeth, clientmeth, 0,
11000 0, &sctx, &cctx, cert, privkey)))
11003 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11004 &clientssl, NULL, NULL)))
11007 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RH")
11008 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read header"))
11011 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11014 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RH")
11015 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read header"))
11018 /* Fill in the correct version for the record header */
11019 version = SSL_version(serverssl);
11020 if (version == TLS1_3_VERSION)
11021 version = TLS1_2_VERSION;
11022 dummyheader[2] = version & 0xff;
11025 * Send a dummy header. If we continued to read the body as well this
11026 * would fail with a bad record mac, but we're not going to go that far.
11028 if (!TEST_true(BIO_write_ex(SSL_get_rbio(serverssl), dummyheader,
11029 sizeof(dummyheader), &written))
11030 || !TEST_size_t_eq(written, SSL3_RT_HEADER_LENGTH))
11033 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)))
11036 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RB")
11037 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read body"))
11042 SSL_free(serverssl);
11043 SSL_free(clientssl);
11044 SSL_CTX_free(sctx);
11045 SSL_CTX_free(cctx);
11049 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
11051 int setup_tests(void)
11056 libctx = OSSL_LIB_CTX_new();
11057 if (!TEST_ptr(libctx))
11060 defctxnull = OSSL_PROVIDER_load(NULL, "null");
11063 * Verify that the default and fips providers in the default libctx are not
11066 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
11067 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
11070 if (!test_skip_common_options()) {
11071 TEST_error("Error parsing test options\n");
11075 if (!TEST_ptr(certsdir = test_get_argument(0))
11076 || !TEST_ptr(srpvfile = test_get_argument(1))
11077 || !TEST_ptr(tmpfilename = test_get_argument(2))
11078 || !TEST_ptr(modulename = test_get_argument(3))
11079 || !TEST_ptr(configfile = test_get_argument(4))
11080 || !TEST_ptr(dhfile = test_get_argument(5)))
11083 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
11086 /* Check we have the expected provider available */
11087 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
11090 /* Check the default provider is not available */
11091 if (strcmp(modulename, "default") != 0
11092 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
11095 if (strcmp(modulename, "fips") == 0) {
11096 OSSL_PROVIDER *prov = NULL;
11097 OSSL_PARAM params[2];
11101 prov = OSSL_PROVIDER_load(libctx, "fips");
11102 if (prov != NULL) {
11103 /* Query the fips provider to check if the check ems option is enabled */
11105 OSSL_PARAM_construct_int(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK,
11107 params[1] = OSSL_PARAM_construct_end();
11108 OSSL_PROVIDER_get_params(prov, params);
11109 OSSL_PROVIDER_unload(prov);
11114 * We add, but don't load the test "tls-provider". We'll load it when we
11117 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
11118 tls_provider_init)))
11122 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
11123 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
11124 TEST_error("not supported in this build");
11127 int i, mcount, rcount, fcount;
11129 for (i = 0; i < 4; i++)
11130 test_export_key_mat(i);
11131 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
11132 test_printf_stdout("malloc %d realloc %d free %d\n",
11133 mcount, rcount, fcount);
11138 cert = test_mk_file_path(certsdir, "servercert.pem");
11142 privkey = test_mk_file_path(certsdir, "serverkey.pem");
11143 if (privkey == NULL)
11146 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
11150 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
11151 if (privkey2 == NULL)
11154 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
11155 if (cert1024 == NULL)
11158 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
11159 if (privkey1024 == NULL)
11162 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
11163 if (cert3072 == NULL)
11166 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
11167 if (privkey3072 == NULL)
11170 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
11171 if (cert4096 == NULL)
11174 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
11175 if (privkey4096 == NULL)
11178 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
11179 if (cert8192 == NULL)
11182 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
11183 if (privkey8192 == NULL)
11186 if (fips_ems_check) {
11187 #ifndef OPENSSL_NO_TLS1_2
11188 ADD_TEST(test_no_ems);
11192 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
11193 # if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
11194 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
11195 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS * 2);
11198 ADD_TEST(test_large_message_tls);
11199 ADD_TEST(test_large_message_tls_read_ahead);
11200 #ifndef OPENSSL_NO_DTLS
11201 ADD_TEST(test_large_message_dtls);
11203 ADD_ALL_TESTS(test_large_app_data, 28);
11204 ADD_TEST(test_cleanse_plaintext);
11205 #ifndef OPENSSL_NO_OCSP
11206 ADD_TEST(test_tlsext_status_type);
11208 ADD_TEST(test_session_with_only_int_cache);
11209 ADD_TEST(test_session_with_only_ext_cache);
11210 ADD_TEST(test_session_with_both_cache);
11211 ADD_TEST(test_session_wo_ca_names);
11212 #ifndef OSSL_NO_USABLE_TLS1_3
11213 ADD_ALL_TESTS(test_stateful_tickets, 3);
11214 ADD_ALL_TESTS(test_stateless_tickets, 3);
11215 ADD_TEST(test_psk_tickets);
11216 ADD_ALL_TESTS(test_extra_tickets, 6);
11218 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
11219 ADD_TEST(test_ssl_bio_pop_next_bio);
11220 ADD_TEST(test_ssl_bio_pop_ssl_bio);
11221 ADD_TEST(test_ssl_bio_change_rbio);
11222 ADD_TEST(test_ssl_bio_change_wbio);
11223 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
11224 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
11225 ADD_TEST(test_keylog);
11227 #ifndef OSSL_NO_USABLE_TLS1_3
11228 ADD_TEST(test_keylog_no_master_key);
11230 ADD_TEST(test_client_cert_verify_cb);
11231 ADD_TEST(test_ssl_build_cert_chain);
11232 ADD_TEST(test_ssl_ctx_build_cert_chain);
11233 #ifndef OPENSSL_NO_TLS1_2
11234 ADD_TEST(test_client_hello_cb);
11235 ADD_TEST(test_no_ems);
11236 ADD_TEST(test_ccs_change_cipher);
11238 #ifndef OSSL_NO_USABLE_TLS1_3
11239 ADD_ALL_TESTS(test_early_data_read_write, 6);
11241 * We don't do replay tests for external PSK. Replay protection isn't used
11242 * in that scenario.
11244 ADD_ALL_TESTS(test_early_data_replay, 2);
11245 ADD_ALL_TESTS(test_early_data_skip, OSSL_NELEM(ciphersuites) * 3);
11246 ADD_ALL_TESTS(test_early_data_skip_hrr, OSSL_NELEM(ciphersuites) * 3);
11247 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, OSSL_NELEM(ciphersuites) * 3);
11248 ADD_ALL_TESTS(test_early_data_skip_abort, OSSL_NELEM(ciphersuites) * 3);
11249 ADD_ALL_TESTS(test_early_data_not_sent, 3);
11250 ADD_ALL_TESTS(test_early_data_psk, 8);
11251 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
11252 ADD_ALL_TESTS(test_early_data_not_expected, 3);
11253 # ifndef OPENSSL_NO_TLS1_2
11254 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
11257 #ifndef OSSL_NO_USABLE_TLS1_3
11258 ADD_ALL_TESTS(test_set_ciphersuite, 10);
11259 ADD_TEST(test_ciphersuite_change);
11260 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
11261 # ifdef OPENSSL_NO_PSK
11262 ADD_ALL_TESTS(test_tls13_psk, 1);
11264 ADD_ALL_TESTS(test_tls13_psk, 4);
11265 # endif /* OPENSSL_NO_PSK */
11266 # ifndef OPENSSL_NO_TLS1_2
11267 /* Test with both TLSv1.3 and 1.2 versions */
11268 ADD_ALL_TESTS(test_key_exchange, 14);
11269 # if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
11270 ADD_ALL_TESTS(test_negotiated_group,
11271 4 * (OSSL_NELEM(ecdhe_kexch_groups)
11272 + OSSL_NELEM(ffdhe_kexch_groups)));
11275 /* Test with only TLSv1.3 versions */
11276 ADD_ALL_TESTS(test_key_exchange, 12);
11278 ADD_ALL_TESTS(test_custom_exts, 6);
11279 ADD_TEST(test_stateless);
11280 ADD_TEST(test_pha_key_update);
11282 ADD_ALL_TESTS(test_custom_exts, 3);
11284 ADD_ALL_TESTS(test_export_key_mat, 6);
11285 #ifndef OSSL_NO_USABLE_TLS1_3
11286 ADD_ALL_TESTS(test_export_key_mat_early, 3);
11287 ADD_TEST(test_key_update);
11288 ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
11289 ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
11290 ADD_ALL_TESTS(test_key_update_local_in_write, 2);
11291 ADD_ALL_TESTS(test_key_update_local_in_read, 2);
11293 ADD_ALL_TESTS(test_ssl_clear, 2);
11294 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
11295 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
11296 ADD_ALL_TESTS(test_srp, 6);
11298 #if !defined(OPENSSL_NO_COMP_ALG)
11299 /* Add compression case */
11300 ADD_ALL_TESTS(test_info_callback, 8);
11302 ADD_ALL_TESTS(test_info_callback, 6);
11304 ADD_ALL_TESTS(test_ssl_pending, 2);
11305 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
11306 ADD_ALL_TESTS(test_ticket_callbacks, 20);
11307 ADD_ALL_TESTS(test_shutdown, 7);
11308 ADD_TEST(test_async_shutdown);
11309 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
11310 ADD_ALL_TESTS(test_cert_cb, 6);
11311 ADD_ALL_TESTS(test_client_cert_cb, 2);
11312 ADD_ALL_TESTS(test_ca_names, 3);
11313 #ifndef OPENSSL_NO_TLS1_2
11314 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
11316 ADD_ALL_TESTS(test_servername, 10);
11317 #if !defined(OPENSSL_NO_EC) \
11318 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
11319 ADD_ALL_TESTS(test_sigalgs_available, 6);
11321 #ifndef OPENSSL_NO_TLS1_3
11322 ADD_ALL_TESTS(test_pluggable_group, 2);
11323 ADD_ALL_TESTS(test_pluggable_signature, 4);
11325 #ifndef OPENSSL_NO_TLS1_2
11326 ADD_TEST(test_ssl_dup);
11327 # ifndef OPENSSL_NO_DH
11328 ADD_ALL_TESTS(test_set_tmp_dh, 11);
11329 ADD_ALL_TESTS(test_dh_auto, 7);
11332 #ifndef OSSL_NO_USABLE_TLS1_3
11333 ADD_TEST(test_sni_tls13);
11334 ADD_ALL_TESTS(test_ticket_lifetime, 2);
11336 ADD_TEST(test_inherit_verify_param);
11337 ADD_TEST(test_set_alpn);
11338 ADD_TEST(test_set_verify_cert_store_ssl_ctx);
11339 ADD_TEST(test_set_verify_cert_store_ssl);
11340 ADD_ALL_TESTS(test_session_timeout, 1);
11341 ADD_TEST(test_load_dhfile);
11342 #ifndef OSSL_NO_USABLE_TLS1_3
11343 ADD_TEST(test_read_ahead_key_change);
11344 ADD_ALL_TESTS(test_tls13_record_padding, 4);
11346 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
11347 ADD_ALL_TESTS(test_serverinfo_custom, 4);
11349 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
11350 ADD_ALL_TESTS(test_pipelining, 6);
11352 ADD_ALL_TESTS(test_version, 6);
11353 ADD_TEST(test_rstate_string);
11357 OPENSSL_free(cert);
11358 OPENSSL_free(privkey);
11359 OPENSSL_free(cert2);
11360 OPENSSL_free(privkey2);
11364 void cleanup_tests(void)
11366 # if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
11367 EVP_PKEY_free(tmp_dh_params);
11369 OPENSSL_free(cert);
11370 OPENSSL_free(privkey);
11371 OPENSSL_free(cert2);
11372 OPENSSL_free(privkey2);
11373 OPENSSL_free(cert1024);
11374 OPENSSL_free(privkey1024);
11375 OPENSSL_free(cert3072);
11376 OPENSSL_free(privkey3072);
11377 OPENSSL_free(cert4096);
11378 OPENSSL_free(privkey4096);
11379 OPENSSL_free(cert8192);
11380 OPENSSL_free(privkey8192);
11381 bio_s_mempacket_test_free();
11382 bio_s_always_retry_free();
11383 OSSL_PROVIDER_unload(defctxnull);
11384 OSSL_LIB_CTX_free(libctx);