2 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/core_dispatch.h>
32 #include <openssl/provider.h>
33 #include <openssl/param_build.h>
35 #include "helpers/ssltestlib.h"
37 #include "testutil/output.h"
38 #include "internal/nelem.h"
39 #include "internal/ktls.h"
40 #include "../ssl/ssl_local.h"
42 /* Defined in filterprov.c */
43 OSSL_provider_init_fn filter_provider_init;
44 int filter_provider_set_filter(int operation, const char *name);
46 /* Defined in tls-provider.c */
47 int tls_provider_init(const OSSL_CORE_HANDLE *handle,
48 const OSSL_DISPATCH *in,
49 const OSSL_DISPATCH **out,
52 static OSSL_LIB_CTX *libctx = NULL;
53 static OSSL_PROVIDER *defctxnull = NULL;
55 #ifndef OPENSSL_NO_TLS1_3
57 static SSL_SESSION *clientpsk = NULL;
58 static SSL_SESSION *serverpsk = NULL;
59 static const char *pskid = "Identity";
60 static const char *srvid;
62 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
63 size_t *idlen, SSL_SESSION **sess);
64 static int find_session_cb(SSL *ssl, const unsigned char *identity,
65 size_t identity_len, SSL_SESSION **sess);
67 static int use_session_cb_cnt = 0;
68 static int find_session_cb_cnt = 0;
70 static SSL_SESSION *create_a_psk(SSL *ssl);
73 static char *certsdir = NULL;
74 static char *cert = NULL;
75 static char *privkey = NULL;
76 static char *cert2 = NULL;
77 static char *privkey2 = NULL;
78 static char *cert1024 = NULL;
79 static char *privkey1024 = NULL;
80 static char *cert3072 = NULL;
81 static char *privkey3072 = NULL;
82 static char *cert4096 = NULL;
83 static char *privkey4096 = NULL;
84 static char *cert8192 = NULL;
85 static char *privkey8192 = NULL;
86 static char *srpvfile = NULL;
87 static char *tmpfilename = NULL;
89 static int is_fips = 0;
91 #define LOG_BUFFER_SIZE 2048
92 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
93 static size_t server_log_buffer_index = 0;
94 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
95 static size_t client_log_buffer_index = 0;
96 static int error_writing_log = 0;
98 #ifndef OPENSSL_NO_OCSP
99 static const unsigned char orespder[] = "Dummy OCSP Response";
100 static int ocsp_server_called = 0;
101 static int ocsp_client_called = 0;
103 static int cdummyarg = 1;
104 static X509 *ocspcert = NULL;
107 #define NUM_EXTRA_CERTS 40
108 #define CLIENT_VERSION_LEN 2
111 * This structure is used to validate that the correct number of log messages
112 * of various types are emitted when emitting secret logs.
114 struct sslapitest_log_counts {
115 unsigned int rsa_key_exchange_count;
116 unsigned int master_secret_count;
117 unsigned int client_early_secret_count;
118 unsigned int client_handshake_secret_count;
119 unsigned int server_handshake_secret_count;
120 unsigned int client_application_secret_count;
121 unsigned int server_application_secret_count;
122 unsigned int early_exporter_secret_count;
123 unsigned int exporter_secret_count;
127 static unsigned char serverinfov1[] = {
128 0xff, 0xff, /* Dummy extension type */
129 0x00, 0x01, /* Extension length is 1 byte */
130 0xff /* Dummy extension data */
133 static unsigned char serverinfov2[] = {
135 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
136 0xff, 0xff, /* Dummy extension type */
137 0x00, 0x01, /* Extension length is 1 byte */
138 0xff /* Dummy extension data */
141 static int hostname_cb(SSL *s, int *al, void *arg)
143 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
145 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
146 || strcmp(hostname, "altgoodhost") == 0))
147 return SSL_TLSEXT_ERR_OK;
149 return SSL_TLSEXT_ERR_NOACK;
152 static void client_keylog_callback(const SSL *ssl, const char *line)
154 int line_length = strlen(line);
156 /* If the log doesn't fit, error out. */
157 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
158 TEST_info("Client log too full");
159 error_writing_log = 1;
163 strcat(client_log_buffer, line);
164 client_log_buffer_index += line_length;
165 client_log_buffer[client_log_buffer_index++] = '\n';
168 static void server_keylog_callback(const SSL *ssl, const char *line)
170 int line_length = strlen(line);
172 /* If the log doesn't fit, error out. */
173 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
174 TEST_info("Server log too full");
175 error_writing_log = 1;
179 strcat(server_log_buffer, line);
180 server_log_buffer_index += line_length;
181 server_log_buffer[server_log_buffer_index++] = '\n';
184 static int compare_hex_encoded_buffer(const char *hex_encoded,
192 if (!TEST_size_t_eq(raw_length * 2, hex_length))
195 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
196 sprintf(hexed, "%02x", raw[i]);
197 if (!TEST_int_eq(hexed[0], hex_encoded[j])
198 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
205 static int test_keylog_output(char *buffer, const SSL *ssl,
206 const SSL_SESSION *session,
207 struct sslapitest_log_counts *expected)
210 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
211 size_t client_random_size = SSL3_RANDOM_SIZE;
212 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
213 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
214 unsigned int rsa_key_exchange_count = 0;
215 unsigned int master_secret_count = 0;
216 unsigned int client_early_secret_count = 0;
217 unsigned int client_handshake_secret_count = 0;
218 unsigned int server_handshake_secret_count = 0;
219 unsigned int client_application_secret_count = 0;
220 unsigned int server_application_secret_count = 0;
221 unsigned int early_exporter_secret_count = 0;
222 unsigned int exporter_secret_count = 0;
224 for (token = strtok(buffer, " \n"); token != NULL;
225 token = strtok(NULL, " \n")) {
226 if (strcmp(token, "RSA") == 0) {
228 * Premaster secret. Tokens should be: 16 ASCII bytes of
229 * hex-encoded encrypted secret, then the hex-encoded pre-master
232 if (!TEST_ptr(token = strtok(NULL, " \n")))
234 if (!TEST_size_t_eq(strlen(token), 16))
236 if (!TEST_ptr(token = strtok(NULL, " \n")))
239 * We can't sensibly check the log because the premaster secret is
240 * transient, and OpenSSL doesn't keep hold of it once the master
241 * secret is generated.
243 rsa_key_exchange_count++;
244 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
246 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
247 * client random, then the hex-encoded master secret.
249 client_random_size = SSL_get_client_random(ssl,
250 actual_client_random,
252 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
255 if (!TEST_ptr(token = strtok(NULL, " \n")))
257 if (!TEST_size_t_eq(strlen(token), 64))
259 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
260 actual_client_random,
261 client_random_size)))
264 if (!TEST_ptr(token = strtok(NULL, " \n")))
266 master_key_size = SSL_SESSION_get_master_key(session,
269 if (!TEST_size_t_ne(master_key_size, 0))
271 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
275 master_secret_count++;
276 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
277 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
278 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
279 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
280 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
281 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
282 || strcmp(token, "EXPORTER_SECRET") == 0) {
284 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
285 * client random, and then the hex-encoded secret. In this case,
286 * we treat all of these secrets identically and then just
287 * distinguish between them when counting what we saw.
289 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
290 client_early_secret_count++;
291 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
292 client_handshake_secret_count++;
293 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
294 server_handshake_secret_count++;
295 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
296 client_application_secret_count++;
297 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
298 server_application_secret_count++;
299 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
300 early_exporter_secret_count++;
301 else if (strcmp(token, "EXPORTER_SECRET") == 0)
302 exporter_secret_count++;
304 client_random_size = SSL_get_client_random(ssl,
305 actual_client_random,
307 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
310 if (!TEST_ptr(token = strtok(NULL, " \n")))
312 if (!TEST_size_t_eq(strlen(token), 64))
314 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
315 actual_client_random,
316 client_random_size)))
319 if (!TEST_ptr(token = strtok(NULL, " \n")))
323 * TODO(TLS1.3): test that application traffic secrets are what
326 TEST_info("Unexpected token %s\n", token);
331 /* Got what we expected? */
332 if (!TEST_size_t_eq(rsa_key_exchange_count,
333 expected->rsa_key_exchange_count)
334 || !TEST_size_t_eq(master_secret_count,
335 expected->master_secret_count)
336 || !TEST_size_t_eq(client_early_secret_count,
337 expected->client_early_secret_count)
338 || !TEST_size_t_eq(client_handshake_secret_count,
339 expected->client_handshake_secret_count)
340 || !TEST_size_t_eq(server_handshake_secret_count,
341 expected->server_handshake_secret_count)
342 || !TEST_size_t_eq(client_application_secret_count,
343 expected->client_application_secret_count)
344 || !TEST_size_t_eq(server_application_secret_count,
345 expected->server_application_secret_count)
346 || !TEST_size_t_eq(early_exporter_secret_count,
347 expected->early_exporter_secret_count)
348 || !TEST_size_t_eq(exporter_secret_count,
349 expected->exporter_secret_count))
354 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
355 static int test_keylog(void)
357 SSL_CTX *cctx = NULL, *sctx = NULL;
358 SSL *clientssl = NULL, *serverssl = NULL;
360 struct sslapitest_log_counts expected;
362 /* Clean up logging space */
363 memset(&expected, 0, sizeof(expected));
364 memset(client_log_buffer, 0, sizeof(client_log_buffer));
365 memset(server_log_buffer, 0, sizeof(server_log_buffer));
366 client_log_buffer_index = 0;
367 server_log_buffer_index = 0;
368 error_writing_log = 0;
370 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
373 &sctx, &cctx, cert, privkey)))
376 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
377 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
378 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
380 /* We also want to ensure that we use RSA-based key exchange. */
381 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
384 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
385 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
387 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
388 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
389 == client_keylog_callback))
391 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
392 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
393 == server_keylog_callback))
396 /* Now do a handshake and check that the logs have been written to. */
397 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
398 &clientssl, NULL, NULL))
399 || !TEST_true(create_ssl_connection(serverssl, clientssl,
401 || !TEST_false(error_writing_log)
402 || !TEST_int_gt(client_log_buffer_index, 0)
403 || !TEST_int_gt(server_log_buffer_index, 0))
407 * Now we want to test that our output data was vaguely sensible. We
408 * do that by using strtok and confirming that we have more or less the
409 * data we expect. For both client and server, we expect to see one master
410 * secret. The client should also see a RSA key exchange.
412 expected.rsa_key_exchange_count = 1;
413 expected.master_secret_count = 1;
414 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
415 SSL_get_session(clientssl), &expected)))
418 expected.rsa_key_exchange_count = 0;
419 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
420 SSL_get_session(serverssl), &expected)))
435 #ifndef OPENSSL_NO_TLS1_3
436 static int test_keylog_no_master_key(void)
438 SSL_CTX *cctx = NULL, *sctx = NULL;
439 SSL *clientssl = NULL, *serverssl = NULL;
440 SSL_SESSION *sess = NULL;
442 struct sslapitest_log_counts expected;
443 unsigned char buf[1];
444 size_t readbytes, written;
446 /* Clean up logging space */
447 memset(&expected, 0, sizeof(expected));
448 memset(client_log_buffer, 0, sizeof(client_log_buffer));
449 memset(server_log_buffer, 0, sizeof(server_log_buffer));
450 client_log_buffer_index = 0;
451 server_log_buffer_index = 0;
452 error_writing_log = 0;
454 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
455 TLS_client_method(), TLS1_VERSION, 0,
456 &sctx, &cctx, cert, privkey))
457 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
458 SSL3_RT_MAX_PLAIN_LENGTH)))
461 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
462 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
465 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
466 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
467 == client_keylog_callback))
470 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
471 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
472 == server_keylog_callback))
475 /* Now do a handshake and check that the logs have been written to. */
476 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
477 &clientssl, NULL, NULL))
478 || !TEST_true(create_ssl_connection(serverssl, clientssl,
480 || !TEST_false(error_writing_log))
484 * Now we want to test that our output data was vaguely sensible. For this
485 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
486 * TLSv1.3, but we do expect both client and server to emit keys.
488 expected.client_handshake_secret_count = 1;
489 expected.server_handshake_secret_count = 1;
490 expected.client_application_secret_count = 1;
491 expected.server_application_secret_count = 1;
492 expected.exporter_secret_count = 1;
493 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
494 SSL_get_session(clientssl), &expected))
495 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
496 SSL_get_session(serverssl),
500 /* Terminate old session and resume with early data. */
501 sess = SSL_get1_session(clientssl);
502 SSL_shutdown(clientssl);
503 SSL_shutdown(serverssl);
506 serverssl = clientssl = NULL;
509 memset(client_log_buffer, 0, sizeof(client_log_buffer));
510 memset(server_log_buffer, 0, sizeof(server_log_buffer));
511 client_log_buffer_index = 0;
512 server_log_buffer_index = 0;
514 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
515 &clientssl, NULL, NULL))
516 || !TEST_true(SSL_set_session(clientssl, sess))
517 /* Here writing 0 length early data is enough. */
518 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
519 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
521 SSL_READ_EARLY_DATA_ERROR)
522 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
523 SSL_EARLY_DATA_ACCEPTED)
524 || !TEST_true(create_ssl_connection(serverssl, clientssl,
526 || !TEST_true(SSL_session_reused(clientssl)))
529 /* In addition to the previous entries, expect early secrets. */
530 expected.client_early_secret_count = 1;
531 expected.early_exporter_secret_count = 1;
532 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
533 SSL_get_session(clientssl), &expected))
534 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
535 SSL_get_session(serverssl),
542 SSL_SESSION_free(sess);
552 #ifndef OPENSSL_NO_TLS1_2
553 static int full_client_hello_callback(SSL *s, int *al, void *arg)
556 const unsigned char *p;
558 /* We only configure two ciphers, but the SCSV is added automatically. */
560 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
562 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
565 const int expected_extensions[] = {
566 #ifndef OPENSSL_NO_EC
572 /* Make sure we can defer processing and get called back. */
574 return SSL_CLIENT_HELLO_RETRY;
576 len = SSL_client_hello_get0_ciphers(s, &p);
577 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
579 SSL_client_hello_get0_compression_methods(s, &p), 1)
580 || !TEST_int_eq(*p, 0))
581 return SSL_CLIENT_HELLO_ERROR;
582 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
583 return SSL_CLIENT_HELLO_ERROR;
584 if (len != OSSL_NELEM(expected_extensions) ||
585 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
586 printf("ClientHello callback expected extensions mismatch\n");
588 return SSL_CLIENT_HELLO_ERROR;
591 return SSL_CLIENT_HELLO_SUCCESS;
594 static int test_client_hello_cb(void)
596 SSL_CTX *cctx = NULL, *sctx = NULL;
597 SSL *clientssl = NULL, *serverssl = NULL;
598 int testctr = 0, testresult = 0;
600 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
601 TLS_client_method(), TLS1_VERSION, 0,
602 &sctx, &cctx, cert, privkey)))
604 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
606 /* The gimpy cipher list we configure can't do TLS 1.3. */
607 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
609 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
610 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
611 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
612 &clientssl, NULL, NULL))
613 || !TEST_false(create_ssl_connection(serverssl, clientssl,
614 SSL_ERROR_WANT_CLIENT_HELLO_CB))
616 * Passing a -1 literal is a hack since
617 * the real value was lost.
619 || !TEST_int_eq(SSL_get_error(serverssl, -1),
620 SSL_ERROR_WANT_CLIENT_HELLO_CB)
621 || !TEST_true(create_ssl_connection(serverssl, clientssl,
636 static int test_no_ems(void)
638 SSL_CTX *cctx = NULL, *sctx = NULL;
639 SSL *clientssl = NULL, *serverssl = NULL;
642 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
643 TLS1_VERSION, TLS1_2_VERSION,
644 &sctx, &cctx, cert, privkey)) {
645 printf("Unable to create SSL_CTX pair\n");
649 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
651 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
652 printf("Unable to create SSL objects\n");
656 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
657 printf("Creating SSL connection failed\n");
661 if (SSL_get_extms_support(serverssl)) {
662 printf("Server reports Extended Master Secret support\n");
666 if (SSL_get_extms_support(clientssl)) {
667 printf("Client reports Extended Master Secret support\n");
682 * Very focused test to exercise a single case in the server-side state
683 * machine, when the ChangeCipherState message needs to actually change
684 * from one cipher to a different cipher (i.e., not changing from null
685 * encryption to real encryption).
687 static int test_ccs_change_cipher(void)
689 SSL_CTX *cctx = NULL, *sctx = NULL;
690 SSL *clientssl = NULL, *serverssl = NULL;
691 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
698 * Create a conection so we can resume and potentially (but not) use
699 * a different cipher in the second connection.
701 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
703 TLS1_VERSION, TLS1_2_VERSION,
704 &sctx, &cctx, cert, privkey))
705 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
706 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
708 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
709 || !TEST_true(create_ssl_connection(serverssl, clientssl,
711 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
712 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
715 shutdown_ssl_connection(serverssl, clientssl);
716 serverssl = clientssl = NULL;
718 /* Resume, preferring a different cipher. Our server will force the
719 * same cipher to be used as the initial handshake. */
720 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
722 || !TEST_true(SSL_set_session(clientssl, sess))
723 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
724 || !TEST_true(create_ssl_connection(serverssl, clientssl,
726 || !TEST_true(SSL_session_reused(clientssl))
727 || !TEST_true(SSL_session_reused(serverssl))
728 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
729 || !TEST_ptr_eq(sesspre, sesspost)
730 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
731 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
733 shutdown_ssl_connection(serverssl, clientssl);
734 serverssl = clientssl = NULL;
737 * Now create a fresh connection and try to renegotiate a different
740 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
742 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
743 || !TEST_true(create_ssl_connection(serverssl, clientssl,
745 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
746 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
747 || !TEST_true(SSL_renegotiate(clientssl))
748 || !TEST_true(SSL_renegotiate_pending(clientssl)))
750 /* Actually drive the renegotiation. */
751 for (i = 0; i < 3; i++) {
752 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
753 if (!TEST_ulong_eq(readbytes, 0))
755 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
756 SSL_ERROR_WANT_READ)) {
759 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
760 if (!TEST_ulong_eq(readbytes, 0))
762 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
763 SSL_ERROR_WANT_READ)) {
767 /* sesspre and sesspost should be different since the cipher changed. */
768 if (!TEST_false(SSL_renegotiate_pending(clientssl))
769 || !TEST_false(SSL_session_reused(clientssl))
770 || !TEST_false(SSL_session_reused(serverssl))
771 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
772 || !TEST_ptr_ne(sesspre, sesspost)
773 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
774 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
777 shutdown_ssl_connection(serverssl, clientssl);
778 serverssl = clientssl = NULL;
787 SSL_SESSION_free(sess);
793 static int execute_test_large_message(const SSL_METHOD *smeth,
794 const SSL_METHOD *cmeth,
795 int min_version, int max_version,
798 SSL_CTX *cctx = NULL, *sctx = NULL;
799 SSL *clientssl = NULL, *serverssl = NULL;
803 X509 *chaincert = NULL;
806 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
809 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
812 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
817 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
818 max_version, &sctx, &cctx, cert,
824 * Test that read_ahead works correctly when dealing with large
827 SSL_CTX_set_read_ahead(cctx, 1);
831 * We assume the supplied certificate is big enough so that if we add
832 * NUM_EXTRA_CERTS it will make the overall message large enough. The
833 * default buffer size is requested to be 16k, but due to the way BUF_MEM
834 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
835 * test we need to have a message larger than that.
837 certlen = i2d_X509(chaincert, NULL);
838 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
839 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
840 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
841 if (!X509_up_ref(chaincert))
843 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
844 X509_free(chaincert);
849 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
851 || !TEST_true(create_ssl_connection(serverssl, clientssl,
856 * Calling SSL_clear() first is not required but this tests that SSL_clear()
859 if (!TEST_true(SSL_clear(serverssl)))
865 X509_free(chaincert);
874 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
875 !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
876 #define TLS_CIPHER_MAX_REC_SEQ_SIZE 8
877 /* sock must be connected */
878 static int ktls_chk_platform(int sock)
880 if (!ktls_enable(sock))
885 static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd, int rec_seq_size)
887 static char count = 1;
888 unsigned char cbuf[16000] = {0};
889 unsigned char sbuf[16000];
891 char crec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
892 char crec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
893 char crec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
894 char crec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
895 char srec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
896 char srec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
897 char srec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
898 char srec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
901 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, rec_seq_size);
902 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, rec_seq_size);
903 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, rec_seq_size);
904 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, rec_seq_size);
906 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
909 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
910 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
915 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
918 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
919 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
924 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, rec_seq_size);
925 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, rec_seq_size);
926 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, rec_seq_size);
927 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, rec_seq_size);
929 /* verify the payload */
930 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
933 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
934 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
935 if (!TEST_mem_ne(crec_wseq_before, rec_seq_size,
936 crec_wseq_after, rec_seq_size))
939 if (!TEST_mem_eq(crec_wseq_before, rec_seq_size,
940 crec_wseq_after, rec_seq_size))
944 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
945 if (!TEST_mem_ne(srec_wseq_before, rec_seq_size,
946 srec_wseq_after, rec_seq_size))
949 if (!TEST_mem_eq(srec_wseq_before, rec_seq_size,
950 srec_wseq_after, rec_seq_size))
954 if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
955 if (!TEST_mem_ne(crec_rseq_before, rec_seq_size,
956 crec_rseq_after, rec_seq_size))
959 if (!TEST_mem_eq(crec_rseq_before, rec_seq_size,
960 crec_rseq_after, rec_seq_size))
964 if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
965 if (!TEST_mem_ne(srec_rseq_before, rec_seq_size,
966 srec_rseq_after, rec_seq_size))
969 if (!TEST_mem_eq(srec_rseq_before, rec_seq_size,
970 srec_rseq_after, rec_seq_size))
979 static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
980 int sis_ktls_tx, int sis_ktls_rx,
981 int tls_version, const char *cipher,
984 SSL_CTX *cctx = NULL, *sctx = NULL;
985 SSL *clientssl = NULL, *serverssl = NULL;
989 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
992 /* Skip this test if the platform does not support ktls */
993 if (!ktls_chk_platform(cfd))
996 /* Create a session based on SHA-256 */
997 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
999 tls_version, tls_version,
1000 &sctx, &cctx, cert, privkey))
1001 || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1002 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher))
1003 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1004 &clientssl, sfd, cfd)))
1008 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
1013 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
1018 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
1023 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
1027 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1032 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1035 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
1040 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1043 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1048 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1051 if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
1056 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1059 if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
1063 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd,
1070 SSL_shutdown(clientssl);
1071 SSL_free(clientssl);
1074 SSL_shutdown(serverssl);
1075 SSL_free(serverssl);
1079 serverssl = clientssl = NULL;
1083 #define SENDFILE_SZ (16 * 4096)
1084 #define SENDFILE_CHUNK (4 * 4096)
1085 #define min(a,b) ((a) > (b) ? (b) : (a))
1087 static int test_ktls_sendfile(int tls_version, const char *cipher)
1089 SSL_CTX *cctx = NULL, *sctx = NULL;
1090 SSL *clientssl = NULL, *serverssl = NULL;
1091 unsigned char *buf, *buf_dst;
1092 BIO *out = NULL, *in = NULL;
1093 int cfd, sfd, ffd, err;
1094 ssize_t chunk_size = 0;
1095 off_t chunk_off = 0;
1099 buf = OPENSSL_zalloc(SENDFILE_SZ);
1100 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1101 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1102 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1105 /* Skip this test if the platform does not support ktls */
1106 if (!ktls_chk_platform(sfd)) {
1111 /* Create a session based on SHA-256 */
1112 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1113 TLS_client_method(),
1114 tls_version, tls_version,
1115 &sctx, &cctx, cert, privkey))
1116 || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1117 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher))
1118 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1119 &clientssl, sfd, cfd)))
1122 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1124 || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1127 if (!TEST_true(RAND_bytes_ex(libctx, buf, SENDFILE_SZ)))
1130 out = BIO_new_file(tmpfilename, "wb");
1134 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1139 in = BIO_new_file(tmpfilename, "rb");
1140 BIO_get_fp(in, &ffdp);
1143 while (chunk_off < SENDFILE_SZ) {
1144 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1145 while ((err = SSL_sendfile(serverssl,
1149 0)) != chunk_size) {
1150 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1153 while ((err = SSL_read(clientssl,
1154 buf_dst + chunk_off,
1155 chunk_size)) != chunk_size) {
1156 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1160 /* verify the payload */
1161 if (!TEST_mem_eq(buf_dst + chunk_off,
1167 chunk_off += chunk_size;
1173 SSL_shutdown(clientssl);
1174 SSL_free(clientssl);
1177 SSL_shutdown(serverssl);
1178 SSL_free(serverssl);
1182 serverssl = clientssl = NULL;
1186 OPENSSL_free(buf_dst);
1190 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
1191 static int test_ktls(int test)
1193 int cis_ktls_tx, cis_ktls_rx, sis_ktls_tx, sis_ktls_rx;
1194 int tlsver, testresult;
1197 #if defined(OPENSSL_NO_TLS1_3)
1201 tlsver = TLS1_3_VERSION;
1204 #if defined(OPENSSL_NO_TLS1_2)
1207 tlsver = TLS1_2_VERSION;
1211 cis_ktls_tx = (test & 1) != 0;
1212 cis_ktls_rx = (test & 2) != 0;
1213 sis_ktls_tx = (test & 4) != 0;
1214 sis_ktls_rx = (test & 8) != 0;
1216 #if defined(OPENSSL_NO_KTLS_RX)
1217 if (cis_ktls_rx || sis_ktls_rx)
1220 #if !defined(OPENSSL_NO_TLS1_3)
1221 if (tlsver == TLS1_3_VERSION && (cis_ktls_rx || sis_ktls_rx))
1226 #ifdef OPENSSL_KTLS_AES_GCM_128
1227 testresult &= execute_test_ktls(cis_ktls_tx, cis_ktls_rx, sis_ktls_tx,
1228 sis_ktls_rx, tlsver, "AES128-GCM-SHA256",
1229 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1231 #ifdef OPENSSL_KTLS_AES_CCM_128
1232 testresult &= execute_test_ktls(cis_ktls_tx, cis_ktls_rx, sis_ktls_tx,
1233 sis_ktls_rx, tlsver, "AES128-CCM",
1234 TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1236 #ifdef OPENSSL_KTLS_AES_GCM_256
1237 testresult &= execute_test_ktls(cis_ktls_tx, cis_ktls_rx, sis_ktls_tx,
1238 sis_ktls_rx, tlsver, "AES256-GCM-SHA384",
1239 TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1244 static int test_ktls_sendfile_anytls(int tst)
1246 char *cipher[] = {"AES128-GCM-SHA256","AES128-CCM","AES256-GCM-SHA384"};
1250 #if defined(OPENSSL_NO_TLS1_3)
1254 tlsver = TLS1_3_VERSION;
1257 #if defined(OPENSSL_NO_TLS1_2)
1260 tlsver = TLS1_2_VERSION;
1264 #ifndef OPENSSL_KTLS_AES_GCM_128
1265 if(tst == 0) return 1;
1267 #ifndef OPENSSL_KTLS_AES_CCM_128
1268 if(tst == 1) return 1;
1270 #ifndef OPENSSL_KTLS_AES_GCM_256
1271 if(tst == 2) return 1;
1273 return test_ktls_sendfile(tlsver, cipher[tst]);
1279 static int test_large_message_tls(void)
1281 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1282 TLS1_VERSION, 0, 0);
1285 static int test_large_message_tls_read_ahead(void)
1287 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1288 TLS1_VERSION, 0, 1);
1291 #ifndef OPENSSL_NO_DTLS
1292 static int test_large_message_dtls(void)
1295 * read_ahead is not relevant to DTLS because DTLS always acts as if
1296 * read_ahead is set.
1298 return execute_test_large_message(DTLS_server_method(),
1299 DTLS_client_method(),
1300 DTLS1_VERSION, 0, 0);
1304 static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1305 const SSL_METHOD *cmeth,
1306 int min_version, int max_version)
1309 SSL_CTX *cctx = NULL, *sctx = NULL;
1310 SSL *clientssl = NULL, *serverssl = NULL;
1315 static unsigned char cbuf[16000];
1316 static unsigned char sbuf[16000];
1318 if (!TEST_true(create_ssl_ctx_pair(libctx,
1320 min_version, max_version,
1325 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1329 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1332 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1336 for (i = 0; i < sizeof(cbuf); i++) {
1340 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1343 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1346 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1350 * Since we called SSL_peek(), we know the data in the record
1351 * layer is a plaintext record. We can gather the pointer to check
1352 * for zeroization after SSL_read().
1354 rr = serverssl->rlayer.rrec;
1355 zbuf = &rr->data[rr->off];
1356 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1360 * After SSL_peek() the plaintext must still be stored in the
1363 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1366 memset(sbuf, 0, sizeof(sbuf));
1367 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1370 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1373 /* Check if rbuf is cleansed */
1374 memset(cbuf, 0, sizeof(cbuf));
1375 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1380 SSL_free(serverssl);
1381 SSL_free(clientssl);
1388 static int test_cleanse_plaintext(void)
1390 #if !defined(OPENSSL_NO_TLS1_2)
1391 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1392 TLS_client_method(),
1399 #if !defined(OPENSSL_NO_TLS1_3)
1400 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1401 TLS_client_method(),
1407 #if !defined(OPENSSL_NO_DTLS)
1408 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1409 DTLS_client_method(),
1417 #ifndef OPENSSL_NO_OCSP
1418 static int ocsp_server_cb(SSL *s, void *arg)
1420 int *argi = (int *)arg;
1421 unsigned char *copy = NULL;
1422 STACK_OF(OCSP_RESPID) *ids = NULL;
1423 OCSP_RESPID *id = NULL;
1426 /* In this test we are expecting exactly 1 OCSP_RESPID */
1427 SSL_get_tlsext_status_ids(s, &ids);
1428 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1429 return SSL_TLSEXT_ERR_ALERT_FATAL;
1431 id = sk_OCSP_RESPID_value(ids, 0);
1432 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1433 return SSL_TLSEXT_ERR_ALERT_FATAL;
1434 } else if (*argi != 1) {
1435 return SSL_TLSEXT_ERR_ALERT_FATAL;
1438 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1439 return SSL_TLSEXT_ERR_ALERT_FATAL;
1441 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
1442 ocsp_server_called = 1;
1443 return SSL_TLSEXT_ERR_OK;
1446 static int ocsp_client_cb(SSL *s, void *arg)
1448 int *argi = (int *)arg;
1449 const unsigned char *respderin;
1452 if (*argi != 1 && *argi != 2)
1455 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1456 if (!TEST_mem_eq(orespder, len, respderin, len))
1459 ocsp_client_called = 1;
1463 static int test_tlsext_status_type(void)
1465 SSL_CTX *cctx = NULL, *sctx = NULL;
1466 SSL *clientssl = NULL, *serverssl = NULL;
1468 STACK_OF(OCSP_RESPID) *ids = NULL;
1469 OCSP_RESPID *id = NULL;
1470 BIO *certbio = NULL;
1472 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1474 &sctx, &cctx, cert, privkey))
1477 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1480 /* First just do various checks getting and setting tlsext_status_type */
1482 clientssl = SSL_new(cctx);
1483 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1484 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1485 TLSEXT_STATUSTYPE_ocsp))
1486 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1487 TLSEXT_STATUSTYPE_ocsp))
1490 SSL_free(clientssl);
1493 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1494 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1497 clientssl = SSL_new(cctx);
1498 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1500 SSL_free(clientssl);
1504 * Now actually do a handshake and check OCSP information is exchanged and
1505 * the callbacks get called
1507 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1508 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1509 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1510 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1511 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1512 &clientssl, NULL, NULL))
1513 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1515 || !TEST_true(ocsp_client_called)
1516 || !TEST_true(ocsp_server_called))
1518 SSL_free(serverssl);
1519 SSL_free(clientssl);
1523 /* Try again but this time force the server side callback to fail */
1524 ocsp_client_called = 0;
1525 ocsp_server_called = 0;
1527 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1528 &clientssl, NULL, NULL))
1529 /* This should fail because the callback will fail */
1530 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1532 || !TEST_false(ocsp_client_called)
1533 || !TEST_false(ocsp_server_called))
1535 SSL_free(serverssl);
1536 SSL_free(clientssl);
1541 * This time we'll get the client to send an OCSP_RESPID that it will
1544 ocsp_client_called = 0;
1545 ocsp_server_called = 0;
1547 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1548 &clientssl, NULL, NULL)))
1552 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1553 * specific one. We'll use the server cert.
1555 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1556 || !TEST_ptr(id = OCSP_RESPID_new())
1557 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1558 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
1559 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
1560 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1561 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1564 SSL_set_tlsext_status_ids(clientssl, ids);
1565 /* Control has been transferred */
1571 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1573 || !TEST_true(ocsp_client_called)
1574 || !TEST_true(ocsp_server_called))
1580 SSL_free(serverssl);
1581 SSL_free(clientssl);
1584 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1585 OCSP_RESPID_free(id);
1587 X509_free(ocspcert);
1594 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1595 static int new_called, remove_called, get_called;
1597 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1601 * sess has been up-refed for us, but we don't actually need it so free it
1604 SSL_SESSION_free(sess);
1608 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1613 static SSL_SESSION *get_sess_val = NULL;
1615 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1620 return get_sess_val;
1623 static int execute_test_session(int maxprot, int use_int_cache,
1624 int use_ext_cache, long s_options)
1626 SSL_CTX *sctx = NULL, *cctx = NULL;
1627 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1628 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1629 # ifndef OPENSSL_NO_TLS1_1
1630 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1632 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1633 int testresult = 0, numnewsesstick = 1;
1635 new_called = remove_called = 0;
1637 /* TLSv1.3 sends 2 NewSessionTickets */
1638 if (maxprot == TLS1_3_VERSION)
1641 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1642 TLS_client_method(), TLS1_VERSION, 0,
1643 &sctx, &cctx, cert, privkey)))
1647 * Only allow the max protocol version so we can force a connection failure
1650 SSL_CTX_set_min_proto_version(cctx, maxprot);
1651 SSL_CTX_set_max_proto_version(cctx, maxprot);
1653 /* Set up session cache */
1654 if (use_ext_cache) {
1655 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1656 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1658 if (use_int_cache) {
1659 /* Also covers instance where both are set */
1660 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1662 SSL_CTX_set_session_cache_mode(cctx,
1663 SSL_SESS_CACHE_CLIENT
1664 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1668 SSL_CTX_set_options(sctx, s_options);
1671 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1673 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1675 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1678 /* Should fail because it should already be in the cache */
1679 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1682 && (!TEST_int_eq(new_called, numnewsesstick)
1684 || !TEST_int_eq(remove_called, 0)))
1687 new_called = remove_called = 0;
1688 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1689 &clientssl2, NULL, NULL))
1690 || !TEST_true(SSL_set_session(clientssl2, sess1))
1691 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1693 || !TEST_true(SSL_session_reused(clientssl2)))
1696 if (maxprot == TLS1_3_VERSION) {
1698 * In TLSv1.3 we should have created a new session even though we have
1699 * resumed. Since we attempted a resume we should also have removed the
1700 * old ticket from the cache so that we try to only use tickets once.
1703 && (!TEST_int_eq(new_called, 1)
1704 || !TEST_int_eq(remove_called, 1)))
1708 * In TLSv1.2 we expect to have resumed so no sessions added or
1712 && (!TEST_int_eq(new_called, 0)
1713 || !TEST_int_eq(remove_called, 0)))
1717 SSL_SESSION_free(sess1);
1718 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1720 shutdown_ssl_connection(serverssl2, clientssl2);
1721 serverssl2 = clientssl2 = NULL;
1723 new_called = remove_called = 0;
1724 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1725 &clientssl2, NULL, NULL))
1726 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1730 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1734 && (!TEST_int_eq(new_called, numnewsesstick)
1735 || !TEST_int_eq(remove_called, 0)))
1738 new_called = remove_called = 0;
1740 * This should clear sess2 from the cache because it is a "bad" session.
1741 * See SSL_set_session() documentation.
1743 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1746 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1748 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1751 if (use_int_cache) {
1752 /* Should succeeded because it should not already be in the cache */
1753 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1754 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1758 new_called = remove_called = 0;
1759 /* This shouldn't be in the cache so should fail */
1760 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1764 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1767 # if !defined(OPENSSL_NO_TLS1_1)
1768 new_called = remove_called = 0;
1769 /* Force a connection failure */
1770 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1771 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1772 &clientssl3, NULL, NULL))
1773 || !TEST_true(SSL_set_session(clientssl3, sess1))
1774 /* This should fail because of the mismatched protocol versions */
1775 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1779 /* We should have automatically removed the session from the cache */
1781 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1784 /* Should succeed because it should not already be in the cache */
1785 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1789 /* Now do some tests for server side caching */
1790 if (use_ext_cache) {
1791 SSL_CTX_sess_set_new_cb(cctx, NULL);
1792 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1793 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1794 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1795 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1796 get_sess_val = NULL;
1799 SSL_CTX_set_session_cache_mode(cctx, 0);
1800 /* Internal caching is the default on the server side */
1802 SSL_CTX_set_session_cache_mode(sctx,
1803 SSL_SESS_CACHE_SERVER
1804 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1806 SSL_free(serverssl1);
1807 SSL_free(clientssl1);
1808 serverssl1 = clientssl1 = NULL;
1809 SSL_free(serverssl2);
1810 SSL_free(clientssl2);
1811 serverssl2 = clientssl2 = NULL;
1812 SSL_SESSION_free(sess1);
1814 SSL_SESSION_free(sess2);
1817 SSL_CTX_set_max_proto_version(sctx, maxprot);
1818 if (maxprot == TLS1_2_VERSION)
1819 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1820 new_called = remove_called = get_called = 0;
1821 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1823 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1825 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1826 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1829 if (use_int_cache) {
1830 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1832 * In TLSv1.3 it should not have been added to the internal cache,
1833 * except in the case where we also have an external cache (in that
1834 * case it gets added to the cache in order to generate remove
1835 * events after timeout).
1837 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1840 /* Should fail because it should already be in the cache */
1841 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1846 if (use_ext_cache) {
1847 SSL_SESSION *tmp = sess2;
1849 if (!TEST_int_eq(new_called, numnewsesstick)
1850 || !TEST_int_eq(remove_called, 0)
1851 || !TEST_int_eq(get_called, 0))
1854 * Delete the session from the internal cache to force a lookup from
1855 * the external cache. We take a copy first because
1856 * SSL_CTX_remove_session() also marks the session as non-resumable.
1858 if (use_int_cache && maxprot != TLS1_3_VERSION) {
1859 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1860 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1862 SSL_SESSION_free(sess2);
1867 new_called = remove_called = get_called = 0;
1868 get_sess_val = sess2;
1869 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1870 &clientssl2, NULL, NULL))
1871 || !TEST_true(SSL_set_session(clientssl2, sess1))
1872 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1874 || !TEST_true(SSL_session_reused(clientssl2)))
1877 if (use_ext_cache) {
1878 if (!TEST_int_eq(remove_called, 0))
1881 if (maxprot == TLS1_3_VERSION) {
1882 if (!TEST_int_eq(new_called, 1)
1883 || !TEST_int_eq(get_called, 0))
1886 if (!TEST_int_eq(new_called, 0)
1887 || !TEST_int_eq(get_called, 1))
1895 SSL_free(serverssl1);
1896 SSL_free(clientssl1);
1897 SSL_free(serverssl2);
1898 SSL_free(clientssl2);
1899 # ifndef OPENSSL_NO_TLS1_1
1900 SSL_free(serverssl3);
1901 SSL_free(clientssl3);
1903 SSL_SESSION_free(sess1);
1904 SSL_SESSION_free(sess2);
1910 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1912 static int test_session_with_only_int_cache(void)
1914 #ifndef OPENSSL_NO_TLS1_3
1915 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
1919 #ifndef OPENSSL_NO_TLS1_2
1920 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
1926 static int test_session_with_only_ext_cache(void)
1928 #ifndef OPENSSL_NO_TLS1_3
1929 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
1933 #ifndef OPENSSL_NO_TLS1_2
1934 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
1940 static int test_session_with_both_cache(void)
1942 #ifndef OPENSSL_NO_TLS1_3
1943 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
1947 #ifndef OPENSSL_NO_TLS1_2
1948 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
1954 static int test_session_wo_ca_names(void)
1956 #ifndef OPENSSL_NO_TLS1_3
1957 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
1961 #ifndef OPENSSL_NO_TLS1_2
1962 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
1969 #ifndef OPENSSL_NO_TLS1_3
1970 static SSL_SESSION *sesscache[6];
1971 static int do_cache;
1973 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1976 sesscache[new_called] = sess;
1978 /* We don't need the reference to the session, so free it */
1979 SSL_SESSION_free(sess);
1986 static int post_handshake_verify(SSL *sssl, SSL *cssl)
1988 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1989 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1992 /* Start handshake on the server and client */
1993 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1994 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1995 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1996 || !TEST_true(create_ssl_connection(sssl, cssl,
2003 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
2006 int sess_id_ctx = 1;
2008 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2009 TLS_client_method(), TLS1_VERSION, 0,
2010 sctx, cctx, cert, privkey))
2011 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2012 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2013 (void *)&sess_id_ctx,
2014 sizeof(sess_id_ctx))))
2018 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2020 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2021 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2022 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2027 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2029 SSL *serverssl = NULL, *clientssl = NULL;
2032 /* Test that we can resume with all the tickets we got given */
2033 for (i = 0; i < idx * 2; i++) {
2035 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2036 &clientssl, NULL, NULL))
2037 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2040 SSL_set_post_handshake_auth(clientssl, 1);
2042 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2047 * Following a successful resumption we only get 1 ticket. After a
2048 * failed one we should get idx tickets.
2051 if (!TEST_true(SSL_session_reused(clientssl))
2052 || !TEST_int_eq(new_called, 1))
2055 if (!TEST_false(SSL_session_reused(clientssl))
2056 || !TEST_int_eq(new_called, idx))
2061 /* After a post-handshake authentication we should get 1 new ticket */
2063 && (!post_handshake_verify(serverssl, clientssl)
2064 || !TEST_int_eq(new_called, 1)))
2067 SSL_shutdown(clientssl);
2068 SSL_shutdown(serverssl);
2069 SSL_free(serverssl);
2070 SSL_free(clientssl);
2071 serverssl = clientssl = NULL;
2072 SSL_SESSION_free(sesscache[i]);
2073 sesscache[i] = NULL;
2079 SSL_free(clientssl);
2080 SSL_free(serverssl);
2084 static int test_tickets(int stateful, int idx)
2086 SSL_CTX *sctx = NULL, *cctx = NULL;
2087 SSL *serverssl = NULL, *clientssl = NULL;
2091 /* idx is the test number, but also the number of tickets we want */
2096 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2099 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2100 &clientssl, NULL, NULL)))
2103 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2105 /* Check we got the number of tickets we were expecting */
2106 || !TEST_int_eq(idx, new_called))
2109 SSL_shutdown(clientssl);
2110 SSL_shutdown(serverssl);
2111 SSL_free(serverssl);
2112 SSL_free(clientssl);
2115 clientssl = serverssl = NULL;
2119 * Now we try to resume with the tickets we previously created. The
2120 * resumption attempt is expected to fail (because we're now using a new
2121 * SSL_CTX). We should see idx number of tickets issued again.
2124 /* Stop caching sessions - just count them */
2127 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2130 if (!check_resumption(idx, sctx, cctx, 0))
2133 /* Start again with caching sessions */
2140 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2143 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2144 &clientssl, NULL, NULL)))
2147 SSL_set_post_handshake_auth(clientssl, 1);
2149 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2151 /* Check we got the number of tickets we were expecting */
2152 || !TEST_int_eq(idx, new_called))
2155 /* After a post-handshake authentication we should get new tickets issued */
2156 if (!post_handshake_verify(serverssl, clientssl)
2157 || !TEST_int_eq(idx * 2, new_called))
2160 SSL_shutdown(clientssl);
2161 SSL_shutdown(serverssl);
2162 SSL_free(serverssl);
2163 SSL_free(clientssl);
2164 serverssl = clientssl = NULL;
2166 /* Stop caching sessions - just count them */
2170 * Check we can resume with all the tickets we created. This time around the
2171 * resumptions should all be successful.
2173 if (!check_resumption(idx, sctx, cctx, 1))
2179 SSL_free(serverssl);
2180 SSL_free(clientssl);
2181 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2182 SSL_SESSION_free(sesscache[j]);
2183 sesscache[j] = NULL;
2191 static int test_stateless_tickets(int idx)
2193 return test_tickets(0, idx);
2196 static int test_stateful_tickets(int idx)
2198 return test_tickets(1, idx);
2201 static int test_psk_tickets(void)
2203 SSL_CTX *sctx = NULL, *cctx = NULL;
2204 SSL *serverssl = NULL, *clientssl = NULL;
2206 int sess_id_ctx = 1;
2208 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2209 TLS_client_method(), TLS1_VERSION, 0,
2210 &sctx, &cctx, NULL, NULL))
2211 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2212 (void *)&sess_id_ctx,
2213 sizeof(sess_id_ctx))))
2216 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2217 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2218 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2219 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2220 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2221 use_session_cb_cnt = 0;
2222 find_session_cb_cnt = 0;
2226 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2229 clientpsk = serverpsk = create_a_psk(clientssl);
2230 if (!TEST_ptr(clientpsk))
2232 SSL_SESSION_up_ref(clientpsk);
2234 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2236 || !TEST_int_eq(1, find_session_cb_cnt)
2237 || !TEST_int_eq(1, use_session_cb_cnt)
2238 /* We should always get 1 ticket when using external PSK */
2239 || !TEST_int_eq(1, new_called))
2245 SSL_free(serverssl);
2246 SSL_free(clientssl);
2249 SSL_SESSION_free(clientpsk);
2250 SSL_SESSION_free(serverpsk);
2251 clientpsk = serverpsk = NULL;
2256 static int test_extra_tickets(int idx)
2258 SSL_CTX *sctx = NULL, *cctx = NULL;
2259 SSL *serverssl = NULL, *clientssl = NULL;
2260 BIO *bretry = BIO_new(bio_s_always_retry());
2265 unsigned char c, buf[1];
2275 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2277 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2278 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2279 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2281 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2282 &clientssl, NULL, NULL)))
2286 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2287 * incremented by both client and server.
2289 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2291 /* Check we got the number of tickets we were expecting */
2292 || !TEST_int_eq(idx * 2, new_called)
2293 || !TEST_true(SSL_new_session_ticket(serverssl))
2294 || !TEST_true(SSL_new_session_ticket(serverssl))
2295 || !TEST_int_eq(idx * 2, new_called))
2298 /* Now try a (real) write to actually send the tickets */
2300 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2301 || !TEST_size_t_eq(1, nbytes)
2302 || !TEST_int_eq(idx * 2 + 2, new_called)
2303 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2304 || !TEST_int_eq(idx * 2 + 4, new_called)
2305 || !TEST_int_eq(sizeof(buf), nbytes)
2306 || !TEST_int_eq(c, buf[0])
2307 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2310 /* Try with only requesting one new ticket, too */
2313 if (!TEST_true(SSL_new_session_ticket(serverssl))
2314 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2315 || !TEST_size_t_eq(sizeof(c), nbytes)
2316 || !TEST_int_eq(1, new_called)
2317 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2318 || !TEST_int_eq(2, new_called)
2319 || !TEST_size_t_eq(sizeof(buf), nbytes)
2320 || !TEST_int_eq(c, buf[0]))
2323 /* Do it again but use dummy writes to drive the ticket generation */
2326 if (!TEST_true(SSL_new_session_ticket(serverssl))
2327 || !TEST_true(SSL_new_session_ticket(serverssl))
2328 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2329 || !TEST_size_t_eq(0, nbytes)
2330 || !TEST_int_eq(2, new_called)
2331 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2332 || !TEST_int_eq(4, new_called))
2336 * Use the always-retry BIO to exercise the logic that forces ticket
2337 * generation to wait until a record boundary.
2341 tmp = SSL_get_wbio(serverssl);
2342 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2346 SSL_set0_wbio(serverssl, bretry);
2348 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2349 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2350 || !TEST_size_t_eq(nbytes, 0))
2352 /* Restore a BIO that will let the write succeed */
2353 SSL_set0_wbio(serverssl, tmp);
2355 /* These calls should just queue the request and not send anything. */
2356 if (!TEST_true(SSL_new_session_ticket(serverssl))
2357 || !TEST_true(SSL_new_session_ticket(serverssl))
2358 || !TEST_int_eq(0, new_called))
2360 /* Re-do the write; still no tickets sent */
2361 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2362 || !TEST_size_t_eq(1, nbytes)
2363 || !TEST_int_eq(0, new_called)
2364 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2365 || !TEST_int_eq(0, new_called)
2366 || !TEST_int_eq(sizeof(buf), nbytes)
2367 || !TEST_int_eq(c, buf[0])
2368 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2370 /* Now the *next* write should send the tickets */
2372 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2373 || !TEST_size_t_eq(1, nbytes)
2374 || !TEST_int_eq(2, new_called)
2375 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2376 || !TEST_int_eq(4, new_called)
2377 || !TEST_int_eq(sizeof(buf), nbytes)
2378 || !TEST_int_eq(c, buf[0])
2379 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2382 SSL_shutdown(clientssl);
2383 SSL_shutdown(serverssl);
2389 SSL_free(serverssl);
2390 SSL_free(clientssl);
2393 clientssl = serverssl = NULL;
2402 #define USE_DEFAULT 3
2404 #define CONNTYPE_CONNECTION_SUCCESS 0
2405 #define CONNTYPE_CONNECTION_FAIL 1
2406 #define CONNTYPE_NO_CONNECTION 2
2408 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2409 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2410 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2411 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2413 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2416 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2417 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2418 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2420 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2437 * Tests calls to SSL_set_bio() under various conditions.
2439 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2440 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2441 * then do more tests where we create a successful connection first using our
2442 * standard connection setup functions, and then call SSL_set_bio() with
2443 * various combinations of valid BIOs or NULL. We then repeat these tests
2444 * following a failed connection. In this last case we are looking to check that
2445 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2447 static int test_ssl_set_bio(int idx)
2449 SSL_CTX *sctx = NULL, *cctx = NULL;
2452 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2453 SSL *serverssl = NULL, *clientssl = NULL;
2454 int initrbio, initwbio, newrbio, newwbio, conntype;
2457 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2465 conntype = CONNTYPE_NO_CONNECTION;
2467 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2468 initrbio = initwbio = USE_DEFAULT;
2476 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2477 TLS_client_method(), TLS1_VERSION, 0,
2478 &sctx, &cctx, cert, privkey)))
2481 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2483 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2484 * because we reduced the number of tests in the definition of
2485 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2486 * mismatched protocol versions we will force a connection failure.
2488 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2489 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2492 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2496 if (initrbio == USE_BIO_1
2497 || initwbio == USE_BIO_1
2498 || newrbio == USE_BIO_1
2499 || newwbio == USE_BIO_1) {
2500 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2504 if (initrbio == USE_BIO_2
2505 || initwbio == USE_BIO_2
2506 || newrbio == USE_BIO_2
2507 || newwbio == USE_BIO_2) {
2508 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2512 if (initrbio != USE_DEFAULT) {
2513 setupbio(&irbio, bio1, bio2, initrbio);
2514 setupbio(&iwbio, bio1, bio2, initwbio);
2515 SSL_set_bio(clientssl, irbio, iwbio);
2518 * We want to maintain our own refs to these BIO, so do an up ref for
2519 * each BIO that will have ownership transferred in the SSL_set_bio()
2524 if (iwbio != NULL && iwbio != irbio)
2528 if (conntype != CONNTYPE_NO_CONNECTION
2529 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2531 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2534 setupbio(&nrbio, bio1, bio2, newrbio);
2535 setupbio(&nwbio, bio1, bio2, newwbio);
2538 * We will (maybe) transfer ownership again so do more up refs.
2539 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2544 && (nwbio != iwbio || nrbio != nwbio))
2548 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2551 SSL_set_bio(clientssl, nrbio, nwbio);
2560 * This test is checking that the ref counting for SSL_set_bio is correct.
2561 * If we get here and we did too many frees then we will fail in the above
2564 SSL_free(serverssl);
2565 SSL_free(clientssl);
2571 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
2573 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
2575 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
2580 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
2581 || !TEST_ptr(ssl = SSL_new(ctx))
2582 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2583 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
2586 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2589 * If anything goes wrong here then we could leak memory.
2591 BIO_push(sslbio, membio1);
2593 /* Verify changing the rbio/wbio directly does not cause leaks */
2594 if (change_bio != NO_BIO_CHANGE) {
2595 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
2597 if (change_bio == CHANGE_RBIO)
2598 SSL_set0_rbio(ssl, membio2);
2600 SSL_set0_wbio(ssl, membio2);
2619 static int test_ssl_bio_pop_next_bio(void)
2621 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
2624 static int test_ssl_bio_pop_ssl_bio(void)
2626 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
2629 static int test_ssl_bio_change_rbio(void)
2631 return execute_test_ssl_bio(0, CHANGE_RBIO);
2634 static int test_ssl_bio_change_wbio(void)
2636 return execute_test_ssl_bio(0, CHANGE_WBIO);
2639 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
2641 /* The list of sig algs */
2643 /* The length of the list */
2645 /* A sigalgs list in string format */
2646 const char *liststr;
2647 /* Whether setting the list should succeed */
2649 /* Whether creating a connection with the list should succeed */
2653 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
2654 # ifndef OPENSSL_NO_EC
2655 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2656 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
2658 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2659 static const int invalidlist2[] = {NID_sha256, NID_undef};
2660 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2661 static const int invalidlist4[] = {NID_sha256};
2662 static const sigalgs_list testsigalgs[] = {
2663 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2664 # ifndef OPENSSL_NO_EC
2665 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2666 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2668 {NULL, 0, "RSA+SHA256", 1, 1},
2669 # ifndef OPENSSL_NO_EC
2670 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2671 {NULL, 0, "ECDSA+SHA512", 1, 0},
2673 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2674 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2675 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2676 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2677 {NULL, 0, "RSA", 0, 0},
2678 {NULL, 0, "SHA256", 0, 0},
2679 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2680 {NULL, 0, "Invalid", 0, 0}
2683 static int test_set_sigalgs(int idx)
2685 SSL_CTX *cctx = NULL, *sctx = NULL;
2686 SSL *clientssl = NULL, *serverssl = NULL;
2688 const sigalgs_list *curr;
2691 /* Should never happen */
2692 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
2695 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2696 curr = testctx ? &testsigalgs[idx]
2697 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2699 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2700 TLS_client_method(), TLS1_VERSION, 0,
2701 &sctx, &cctx, cert, privkey)))
2705 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2706 * for TLSv1.2 for now until we add a new API.
2708 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2713 if (curr->list != NULL)
2714 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2716 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2720 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2726 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2731 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2732 &clientssl, NULL, NULL)))
2738 if (curr->list != NULL)
2739 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2741 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2744 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
2753 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2761 SSL_free(serverssl);
2762 SSL_free(clientssl);
2770 #ifndef OPENSSL_NO_TLS1_3
2771 static int psk_client_cb_cnt = 0;
2772 static int psk_server_cb_cnt = 0;
2774 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2775 size_t *idlen, SSL_SESSION **sess)
2777 switch (++use_session_cb_cnt) {
2779 /* The first call should always have a NULL md */
2785 /* The second call should always have an md */
2791 /* We should only be called a maximum of twice */
2795 if (clientpsk != NULL)
2796 SSL_SESSION_up_ref(clientpsk);
2799 *id = (const unsigned char *)pskid;
2800 *idlen = strlen(pskid);
2805 #ifndef OPENSSL_NO_PSK
2806 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2807 unsigned int max_id_len,
2809 unsigned int max_psk_len)
2811 unsigned int psklen = 0;
2813 psk_client_cb_cnt++;
2815 if (strlen(pskid) + 1 > max_id_len)
2818 /* We should only ever be called a maximum of twice per connection */
2819 if (psk_client_cb_cnt > 2)
2822 if (clientpsk == NULL)
2825 /* We'll reuse the PSK we set up for TLSv1.3 */
2826 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2828 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2829 strncpy(id, pskid, max_id_len);
2833 #endif /* OPENSSL_NO_PSK */
2835 static int find_session_cb(SSL *ssl, const unsigned char *identity,
2836 size_t identity_len, SSL_SESSION **sess)
2838 find_session_cb_cnt++;
2840 /* We should only ever be called a maximum of twice per connection */
2841 if (find_session_cb_cnt > 2)
2844 if (serverpsk == NULL)
2847 /* Identity should match that set by the client */
2848 if (strlen(srvid) != identity_len
2849 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2850 /* No PSK found, continue but without a PSK */
2855 SSL_SESSION_up_ref(serverpsk);
2861 #ifndef OPENSSL_NO_PSK
2862 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2863 unsigned char *psk, unsigned int max_psk_len)
2865 unsigned int psklen = 0;
2867 psk_server_cb_cnt++;
2869 /* We should only ever be called a maximum of twice per connection */
2870 if (find_session_cb_cnt > 2)
2873 if (serverpsk == NULL)
2876 /* Identity should match that set by the client */
2877 if (strcmp(srvid, identity) != 0) {
2881 /* We'll reuse the PSK we set up for TLSv1.3 */
2882 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2884 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2888 #endif /* OPENSSL_NO_PSK */
2890 #define MSG1 "Hello"
2891 #define MSG2 "World."
2896 #define MSG7 "message."
2898 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
2899 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2900 #define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
2901 #define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
2902 #define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
2905 static SSL_SESSION *create_a_psk(SSL *ssl)
2907 const SSL_CIPHER *cipher = NULL;
2908 const unsigned char key[] = {
2909 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2910 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2911 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2912 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2913 0x2c, 0x2d, 0x2e, 0x2f
2915 SSL_SESSION *sess = NULL;
2917 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2918 sess = SSL_SESSION_new();
2920 || !TEST_ptr(cipher)
2921 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2923 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2925 SSL_SESSION_set_protocol_version(sess,
2927 SSL_SESSION_free(sess);
2934 * Helper method to setup objects for early data test. Caller frees objects on
2937 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
2938 SSL **serverssl, SSL_SESSION **sess, int idx)
2941 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2942 TLS_client_method(),
2944 sctx, cctx, cert, privkey)))
2947 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
2951 /* When idx == 1 we repeat the tests with read_ahead set */
2952 SSL_CTX_set_read_ahead(*cctx, 1);
2953 SSL_CTX_set_read_ahead(*sctx, 1);
2954 } else if (idx == 2) {
2955 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2956 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2957 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2958 use_session_cb_cnt = 0;
2959 find_session_cb_cnt = 0;
2963 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
2968 * For one of the run throughs (doesn't matter which one), we'll try sending
2969 * some SNI data in the initial ClientHello. This will be ignored (because
2970 * there is no SNI cb set up by the server), so it should not impact
2974 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2978 clientpsk = create_a_psk(*clientssl);
2979 if (!TEST_ptr(clientpsk)
2981 * We just choose an arbitrary value for max_early_data which
2982 * should be big enough for testing purposes.
2984 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2986 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2987 SSL_SESSION_free(clientpsk);
2991 serverpsk = clientpsk;
2994 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2995 SSL_SESSION_free(clientpsk);
2996 SSL_SESSION_free(serverpsk);
2997 clientpsk = serverpsk = NULL;
3008 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3012 *sess = SSL_get1_session(*clientssl);
3013 SSL_shutdown(*clientssl);
3014 SSL_shutdown(*serverssl);
3015 SSL_free(*serverssl);
3016 SSL_free(*clientssl);
3017 *serverssl = *clientssl = NULL;
3019 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3020 clientssl, NULL, NULL))
3021 || !TEST_true(SSL_set_session(*clientssl, *sess)))
3027 static int test_early_data_read_write(int idx)
3029 SSL_CTX *cctx = NULL, *sctx = NULL;
3030 SSL *clientssl = NULL, *serverssl = NULL;
3032 SSL_SESSION *sess = NULL;
3033 unsigned char buf[20], data[1024];
3034 size_t readbytes, written, eoedlen, rawread, rawwritten;
3037 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3038 &serverssl, &sess, idx)))
3041 /* Write and read some early data */
3042 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3044 || !TEST_size_t_eq(written, strlen(MSG1))
3045 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3046 sizeof(buf), &readbytes),
3047 SSL_READ_EARLY_DATA_SUCCESS)
3048 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3049 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3050 SSL_EARLY_DATA_ACCEPTED))
3054 * Server should be able to write data, and client should be able to
3057 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3059 || !TEST_size_t_eq(written, strlen(MSG2))
3060 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3061 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3064 /* Even after reading normal data, client should be able write early data */
3065 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3067 || !TEST_size_t_eq(written, strlen(MSG3)))
3070 /* Server should still be able read early data after writing data */
3071 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3073 SSL_READ_EARLY_DATA_SUCCESS)
3074 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3077 /* Write more data from server and read it from client */
3078 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3080 || !TEST_size_t_eq(written, strlen(MSG4))
3081 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3082 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3086 * If client writes normal data it should mean writing early data is no
3089 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3090 || !TEST_size_t_eq(written, strlen(MSG5))
3091 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3092 SSL_EARLY_DATA_ACCEPTED))
3096 * At this point the client has written EndOfEarlyData, ClientFinished and
3097 * normal (fully protected) data. We are going to cause a delay between the
3098 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3099 * in the read BIO, and then just put back the EndOfEarlyData message.
3101 rbio = SSL_get_rbio(serverssl);
3102 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3103 || !TEST_size_t_lt(rawread, sizeof(data))
3104 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3107 /* Record length is in the 4th and 5th bytes of the record header */
3108 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3109 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3110 || !TEST_size_t_eq(rawwritten, eoedlen))
3113 /* Server should be told that there is no more early data */
3114 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3116 SSL_READ_EARLY_DATA_FINISH)
3117 || !TEST_size_t_eq(readbytes, 0))
3121 * Server has not finished init yet, so should still be able to write early
3124 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3126 || !TEST_size_t_eq(written, strlen(MSG6)))
3129 /* Push the ClientFinished and the normal data back into the server rbio */
3130 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3132 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3135 /* Server should be able to read normal data */
3136 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3137 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3140 /* Client and server should not be able to write/read early data now */
3141 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3145 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3147 SSL_READ_EARLY_DATA_ERROR))
3151 /* Client should be able to read the data sent by the server */
3152 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3153 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3157 * Make sure we process the two NewSessionTickets. These arrive
3158 * post-handshake. We attempt reads which we do not expect to return any
3161 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3162 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3166 /* Server should be able to write normal data */
3167 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3168 || !TEST_size_t_eq(written, strlen(MSG7))
3169 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3170 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3173 SSL_SESSION_free(sess);
3174 sess = SSL_get1_session(clientssl);
3175 use_session_cb_cnt = 0;
3176 find_session_cb_cnt = 0;
3178 SSL_shutdown(clientssl);
3179 SSL_shutdown(serverssl);
3180 SSL_free(serverssl);
3181 SSL_free(clientssl);
3182 serverssl = clientssl = NULL;
3183 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3184 &clientssl, NULL, NULL))
3185 || !TEST_true(SSL_set_session(clientssl, sess)))
3188 /* Write and read some early data */
3189 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3191 || !TEST_size_t_eq(written, strlen(MSG1))
3192 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3194 SSL_READ_EARLY_DATA_SUCCESS)
3195 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3198 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3199 || !TEST_int_gt(SSL_accept(serverssl), 0))
3202 /* Client and server should not be able to write/read early data now */
3203 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3207 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3209 SSL_READ_EARLY_DATA_ERROR))
3213 /* Client and server should be able to write/read normal data */
3214 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3215 || !TEST_size_t_eq(written, strlen(MSG5))
3216 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3217 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3223 SSL_SESSION_free(sess);
3224 SSL_SESSION_free(clientpsk);
3225 SSL_SESSION_free(serverpsk);
3226 clientpsk = serverpsk = NULL;
3227 SSL_free(serverssl);
3228 SSL_free(clientssl);
3234 static int allow_ed_cb_called = 0;
3236 static int allow_early_data_cb(SSL *s, void *arg)
3238 int *usecb = (int *)arg;
3240 allow_ed_cb_called++;
3249 * idx == 0: Standard early_data setup
3250 * idx == 1: early_data setup using read_ahead
3251 * usecb == 0: Don't use a custom early data callback
3252 * usecb == 1: Use a custom early data callback and reject the early data
3253 * usecb == 2: Use a custom early data callback and accept the early data
3254 * confopt == 0: Configure anti-replay directly
3255 * confopt == 1: Configure anti-replay using SSL_CONF
3257 static int test_early_data_replay_int(int idx, int usecb, int confopt)
3259 SSL_CTX *cctx = NULL, *sctx = NULL;
3260 SSL *clientssl = NULL, *serverssl = NULL;
3262 SSL_SESSION *sess = NULL;
3263 size_t readbytes, written;
3264 unsigned char buf[20];
3266 allow_ed_cb_called = 0;
3268 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3269 TLS_client_method(), TLS1_VERSION, 0,
3270 &sctx, &cctx, cert, privkey)))
3275 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3277 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3279 if (!TEST_ptr(confctx))
3281 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3282 | SSL_CONF_FLAG_SERVER);
3283 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3284 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3286 SSL_CONF_CTX_free(confctx);
3289 SSL_CONF_CTX_free(confctx);
3291 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3294 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3295 &serverssl, &sess, idx)))
3299 * The server is configured to accept early data. Create a connection to
3300 * "use up" the ticket
3302 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3303 || !TEST_true(SSL_session_reused(clientssl)))
3306 SSL_shutdown(clientssl);
3307 SSL_shutdown(serverssl);
3308 SSL_free(serverssl);
3309 SSL_free(clientssl);
3310 serverssl = clientssl = NULL;
3312 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3313 &clientssl, NULL, NULL))
3314 || !TEST_true(SSL_set_session(clientssl, sess)))
3317 /* Write and read some early data */
3318 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3320 || !TEST_size_t_eq(written, strlen(MSG1)))
3324 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3326 SSL_READ_EARLY_DATA_FINISH)
3328 * The ticket was reused, so the we should have rejected the
3331 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3332 SSL_EARLY_DATA_REJECTED))
3335 /* In this case the callback decides to accept the early data */
3336 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3338 SSL_READ_EARLY_DATA_SUCCESS)
3339 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3341 * Server will have sent its flight so client can now send
3342 * end of early data and complete its half of the handshake
3344 || !TEST_int_gt(SSL_connect(clientssl), 0)
3345 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3347 SSL_READ_EARLY_DATA_FINISH)
3348 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3349 SSL_EARLY_DATA_ACCEPTED))
3353 /* Complete the connection */
3354 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3355 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3356 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3362 SSL_SESSION_free(sess);
3363 SSL_SESSION_free(clientpsk);
3364 SSL_SESSION_free(serverpsk);
3365 clientpsk = serverpsk = NULL;
3366 SSL_free(serverssl);
3367 SSL_free(clientssl);
3373 static int test_early_data_replay(int idx)
3375 int ret = 1, usecb, confopt;
3377 for (usecb = 0; usecb < 3; usecb++) {
3378 for (confopt = 0; confopt < 2; confopt++)
3379 ret &= test_early_data_replay_int(idx, usecb, confopt);
3386 * Helper function to test that a server attempting to read early data can
3387 * handle a connection from a client where the early data should be skipped.
3388 * testtype: 0 == No HRR
3389 * testtype: 1 == HRR
3390 * testtype: 2 == HRR, invalid early_data sent after HRR
3391 * testtype: 3 == recv_max_early_data set to 0
3393 static int early_data_skip_helper(int testtype, int idx)
3395 SSL_CTX *cctx = NULL, *sctx = NULL;
3396 SSL *clientssl = NULL, *serverssl = NULL;
3398 SSL_SESSION *sess = NULL;
3399 unsigned char buf[20];
3400 size_t readbytes, written;
3402 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3403 &serverssl, &sess, idx)))
3406 if (testtype == 1 || testtype == 2) {
3407 /* Force an HRR to occur */
3408 #if defined(OPENSSL_NO_EC)
3409 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3412 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3415 } else if (idx == 2) {
3417 * We force early_data rejection by ensuring the PSK identity is
3420 srvid = "Dummy Identity";
3423 * Deliberately corrupt the creation time. We take 20 seconds off the
3424 * time. It could be any value as long as it is not within tolerance.
3425 * This should mean the ticket is rejected.
3427 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3432 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3435 /* Write some early data */
3436 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3438 || !TEST_size_t_eq(written, strlen(MSG1)))
3441 /* Server should reject the early data */
3442 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3444 SSL_READ_EARLY_DATA_FINISH)
3445 || !TEST_size_t_eq(readbytes, 0)
3446 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3447 SSL_EARLY_DATA_REJECTED))
3457 * Finish off the handshake. We perform the same writes and reads as
3458 * further down but we expect them to fail due to the incomplete
3461 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3462 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3469 BIO *wbio = SSL_get_wbio(clientssl);
3470 /* A record that will appear as bad early_data */
3471 const unsigned char bad_early_data[] = {
3472 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3476 * We force the client to attempt a write. This will fail because
3477 * we're still in the handshake. It will cause the second
3478 * ClientHello to be sent.
3480 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3485 * Inject some early_data after the second ClientHello. This should
3486 * cause the server to fail
3488 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3489 sizeof(bad_early_data), &written)))
3496 * This client has sent more early_data than we are willing to skip
3497 * (case 3) or sent invalid early_data (case 2) so the connection should
3500 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3501 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3504 /* Connection has failed - nothing more to do */
3509 TEST_error("Invalid test type");
3514 * Should be able to send normal data despite rejection of early data. The
3515 * early_data should be skipped.
3517 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3518 || !TEST_size_t_eq(written, strlen(MSG2))
3519 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3520 SSL_EARLY_DATA_REJECTED)
3521 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3522 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3528 SSL_SESSION_free(clientpsk);
3529 SSL_SESSION_free(serverpsk);
3530 clientpsk = serverpsk = NULL;
3531 SSL_SESSION_free(sess);
3532 SSL_free(serverssl);
3533 SSL_free(clientssl);
3540 * Test that a server attempting to read early data can handle a connection
3541 * from a client where the early data is not acceptable.
3543 static int test_early_data_skip(int idx)
3545 return early_data_skip_helper(0, idx);
3549 * Test that a server attempting to read early data can handle a connection
3550 * from a client where an HRR occurs.
3552 static int test_early_data_skip_hrr(int idx)
3554 return early_data_skip_helper(1, idx);
3558 * Test that a server attempting to read early data can handle a connection
3559 * from a client where an HRR occurs and correctly fails if early_data is sent
3562 static int test_early_data_skip_hrr_fail(int idx)
3564 return early_data_skip_helper(2, idx);
3568 * Test that a server attempting to read early data will abort if it tries to
3569 * skip over too much.
3571 static int test_early_data_skip_abort(int idx)
3573 return early_data_skip_helper(3, idx);
3577 * Test that a server attempting to read early data can handle a connection
3578 * from a client that doesn't send any.
3580 static int test_early_data_not_sent(int idx)
3582 SSL_CTX *cctx = NULL, *sctx = NULL;
3583 SSL *clientssl = NULL, *serverssl = NULL;
3585 SSL_SESSION *sess = NULL;
3586 unsigned char buf[20];
3587 size_t readbytes, written;
3589 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3590 &serverssl, &sess, idx)))
3593 /* Write some data - should block due to handshake with server */
3594 SSL_set_connect_state(clientssl);
3595 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3598 /* Server should detect that early data has not been sent */
3599 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3601 SSL_READ_EARLY_DATA_FINISH)
3602 || !TEST_size_t_eq(readbytes, 0)
3603 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3604 SSL_EARLY_DATA_NOT_SENT)
3605 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3606 SSL_EARLY_DATA_NOT_SENT))
3609 /* Continue writing the message we started earlier */
3610 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3611 || !TEST_size_t_eq(written, strlen(MSG1))
3612 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3613 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3614 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3615 || !TEST_size_t_eq(written, strlen(MSG2)))
3618 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3619 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3625 SSL_SESSION_free(sess);
3626 SSL_SESSION_free(clientpsk);
3627 SSL_SESSION_free(serverpsk);
3628 clientpsk = serverpsk = NULL;
3629 SSL_free(serverssl);
3630 SSL_free(clientssl);
3636 static const char *servalpn;
3638 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3639 unsigned char *outlen, const unsigned char *in,
3640 unsigned int inlen, void *arg)
3642 unsigned int protlen = 0;
3643 const unsigned char *prot;
3645 for (prot = in; prot < in + inlen; prot += protlen) {
3647 if (in + inlen < prot + protlen)
3648 return SSL_TLSEXT_ERR_NOACK;
3650 if (protlen == strlen(servalpn)
3651 && memcmp(prot, servalpn, protlen) == 0) {
3654 return SSL_TLSEXT_ERR_OK;
3658 return SSL_TLSEXT_ERR_NOACK;
3661 /* Test that a PSK can be used to send early_data */
3662 static int test_early_data_psk(int idx)
3664 SSL_CTX *cctx = NULL, *sctx = NULL;
3665 SSL *clientssl = NULL, *serverssl = NULL;
3667 SSL_SESSION *sess = NULL;
3668 unsigned char alpnlist[] = {
3669 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3672 #define GOODALPNLEN 9
3673 #define BADALPNLEN 8
3674 #define GOODALPN (alpnlist)
3675 #define BADALPN (alpnlist + GOODALPNLEN)
3677 unsigned char buf[20];
3678 size_t readbytes, written;
3679 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3680 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3682 /* We always set this up with a final parameter of "2" for PSK */
3683 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3684 &serverssl, &sess, 2)))
3687 servalpn = "goodalpn";
3690 * Note: There is no test for inconsistent SNI with late client detection.
3691 * This is because servers do not acknowledge SNI even if they are using
3692 * it in a resumption handshake - so it is not actually possible for a
3693 * client to detect a problem.
3697 /* Set inconsistent SNI (early client detection) */
3698 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3699 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3700 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3705 /* Set inconsistent ALPN (early client detection) */
3706 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3707 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3708 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3710 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3717 * Set invalid protocol version. Technically this affects PSKs without
3718 * early_data too, but we test it here because it is similar to the
3719 * SNI/ALPN consistency tests.
3721 err = SSL_R_BAD_PSK;
3722 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3728 * Set inconsistent SNI (server side). In this case the connection
3729 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3730 * is associated with each handshake - not the session. Therefore it
3731 * should not matter that we used a different server name last time.
3733 SSL_SESSION_free(serverpsk);
3734 serverpsk = SSL_SESSION_dup(clientpsk);
3735 if (!TEST_ptr(serverpsk)
3736 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3740 /* Set consistent SNI */
3741 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3742 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3743 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3750 * Set inconsistent ALPN (server detected). In this case the connection
3751 * will succeed but reject early_data.
3753 servalpn = "badalpn";
3754 edstatus = SSL_EARLY_DATA_REJECTED;
3755 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3759 * Set consistent ALPN.
3760 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3761 * accepts a list of protos (each one length prefixed).
3762 * SSL_set1_alpn_selected accepts a single protocol (not length
3765 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3767 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3771 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3775 /* Set inconsistent ALPN (late client detection) */
3776 SSL_SESSION_free(serverpsk);
3777 serverpsk = SSL_SESSION_dup(clientpsk);
3778 if (!TEST_ptr(serverpsk)
3779 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3782 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3785 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3788 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3789 edstatus = SSL_EARLY_DATA_ACCEPTED;
3790 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3791 /* SSL_connect() call should fail */
3796 TEST_error("Bad test index");
3800 SSL_set_connect_state(clientssl);
3802 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3804 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3805 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3808 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3812 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3813 &readbytes), readearlyres)
3814 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3815 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3816 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3817 || !TEST_int_eq(SSL_connect(clientssl), connectres))
3824 SSL_SESSION_free(sess);
3825 SSL_SESSION_free(clientpsk);
3826 SSL_SESSION_free(serverpsk);
3827 clientpsk = serverpsk = NULL;
3828 SSL_free(serverssl);
3829 SSL_free(clientssl);
3836 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
3837 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
3838 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
3839 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3840 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
3841 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
3843 static int test_early_data_psk_with_all_ciphers(int idx)
3845 SSL_CTX *cctx = NULL, *sctx = NULL;
3846 SSL *clientssl = NULL, *serverssl = NULL;
3848 SSL_SESSION *sess = NULL;
3849 unsigned char buf[20];
3850 size_t readbytes, written;
3851 const SSL_CIPHER *cipher;
3852 const char *cipher_str[] = {
3853 TLS1_3_RFC_AES_128_GCM_SHA256,
3854 TLS1_3_RFC_AES_256_GCM_SHA384,
3855 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3856 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3860 TLS1_3_RFC_AES_128_CCM_SHA256,
3861 TLS1_3_RFC_AES_128_CCM_8_SHA256
3863 const unsigned char *cipher_bytes[] = {
3864 TLS13_AES_128_GCM_SHA256_BYTES,
3865 TLS13_AES_256_GCM_SHA384_BYTES,
3866 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3867 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
3871 TLS13_AES_128_CCM_SHA256_BYTES,
3872 TLS13_AES_128_CCM_8_SHA256_BYTES
3875 if (cipher_str[idx] == NULL)
3877 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
3878 if (idx == 2 && is_fips == 1)
3881 /* We always set this up with a final parameter of "2" for PSK */
3882 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3883 &serverssl, &sess, 2)))
3886 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
3887 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
3891 * 'setupearly_data_test' creates only one instance of SSL_SESSION
3892 * and assigns to both client and server with incremented reference
3893 * and the same instance is updated in 'sess'.
3894 * So updating ciphersuite in 'sess' which will get reflected in
3895 * PSK handshake using psk use sess and find sess cb.
3897 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
3898 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
3901 SSL_set_connect_state(clientssl);
3902 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3906 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3908 SSL_READ_EARLY_DATA_SUCCESS)
3909 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3910 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3911 SSL_EARLY_DATA_ACCEPTED)
3912 || !TEST_int_eq(SSL_connect(clientssl), 1)
3913 || !TEST_int_eq(SSL_accept(serverssl), 1))
3916 /* Send some normal data from client to server */
3917 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3918 || !TEST_size_t_eq(written, strlen(MSG2)))
3921 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3922 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3927 SSL_SESSION_free(sess);
3928 SSL_SESSION_free(clientpsk);
3929 SSL_SESSION_free(serverpsk);
3930 clientpsk = serverpsk = NULL;
3931 if (clientssl != NULL)
3932 SSL_shutdown(clientssl);
3933 if (serverssl != NULL)
3934 SSL_shutdown(serverssl);
3935 SSL_free(serverssl);
3936 SSL_free(clientssl);
3943 * Test that a server that doesn't try to read early data can handle a
3944 * client sending some.
3946 static int test_early_data_not_expected(int idx)
3948 SSL_CTX *cctx = NULL, *sctx = NULL;
3949 SSL *clientssl = NULL, *serverssl = NULL;
3951 SSL_SESSION *sess = NULL;
3952 unsigned char buf[20];
3953 size_t readbytes, written;
3955 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3956 &serverssl, &sess, idx)))
3959 /* Write some early data */
3960 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3965 * Server should skip over early data and then block waiting for client to
3966 * continue handshake
3968 if (!TEST_int_le(SSL_accept(serverssl), 0)
3969 || !TEST_int_gt(SSL_connect(clientssl), 0)
3970 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3971 SSL_EARLY_DATA_REJECTED)
3972 || !TEST_int_gt(SSL_accept(serverssl), 0)
3973 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3974 SSL_EARLY_DATA_REJECTED))
3977 /* Send some normal data from client to server */
3978 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3979 || !TEST_size_t_eq(written, strlen(MSG2)))
3982 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3983 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3989 SSL_SESSION_free(sess);
3990 SSL_SESSION_free(clientpsk);
3991 SSL_SESSION_free(serverpsk);
3992 clientpsk = serverpsk = NULL;
3993 SSL_free(serverssl);
3994 SSL_free(clientssl);
4001 # ifndef OPENSSL_NO_TLS1_2
4003 * Test that a server attempting to read early data can handle a connection
4004 * from a TLSv1.2 client.
4006 static int test_early_data_tls1_2(int idx)
4008 SSL_CTX *cctx = NULL, *sctx = NULL;
4009 SSL *clientssl = NULL, *serverssl = NULL;
4011 unsigned char buf[20];
4012 size_t readbytes, written;
4014 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4015 &serverssl, NULL, idx)))
4018 /* Write some data - should block due to handshake with server */
4019 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4020 SSL_set_connect_state(clientssl);
4021 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4025 * Server should do TLSv1.2 handshake. First it will block waiting for more
4026 * messages from client after ServerDone. Then SSL_read_early_data should
4027 * finish and detect that early data has not been sent
4029 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4031 SSL_READ_EARLY_DATA_ERROR))
4035 * Continue writing the message we started earlier. Will still block waiting
4036 * for the CCS/Finished from server
4038 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4039 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4041 SSL_READ_EARLY_DATA_FINISH)
4042 || !TEST_size_t_eq(readbytes, 0)
4043 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4044 SSL_EARLY_DATA_NOT_SENT))
4047 /* Continue writing the message we started earlier */
4048 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4049 || !TEST_size_t_eq(written, strlen(MSG1))
4050 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4051 SSL_EARLY_DATA_NOT_SENT)
4052 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4053 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4054 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4055 || !TEST_size_t_eq(written, strlen(MSG2))
4056 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4057 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4063 SSL_SESSION_free(clientpsk);
4064 SSL_SESSION_free(serverpsk);
4065 clientpsk = serverpsk = NULL;
4066 SSL_free(serverssl);
4067 SSL_free(clientssl);
4073 # endif /* OPENSSL_NO_TLS1_2 */
4076 * Test configuring the TLSv1.3 ciphersuites
4078 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4079 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4080 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4081 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4082 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4083 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4084 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4085 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4086 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4087 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4089 static int test_set_ciphersuite(int idx)
4091 SSL_CTX *cctx = NULL, *sctx = NULL;
4092 SSL *clientssl = NULL, *serverssl = NULL;
4095 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4096 TLS_client_method(), TLS1_VERSION, 0,
4097 &sctx, &cctx, cert, privkey))
4098 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4099 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4102 if (idx >=4 && idx <= 7) {
4103 /* SSL_CTX explicit cipher list */
4104 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4108 if (idx == 0 || idx == 4) {
4109 /* Default ciphersuite */
4110 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4111 "TLS_AES_128_GCM_SHA256")))
4113 } else if (idx == 1 || idx == 5) {
4114 /* Non default ciphersuite */
4115 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4116 "TLS_AES_128_CCM_SHA256")))
4120 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4121 &clientssl, NULL, NULL)))
4124 if (idx == 8 || idx == 9) {
4125 /* SSL explicit cipher list */
4126 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4130 if (idx == 2 || idx == 6 || idx == 8) {
4131 /* Default ciphersuite */
4132 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4133 "TLS_AES_128_GCM_SHA256")))
4135 } else if (idx == 3 || idx == 7 || idx == 9) {
4136 /* Non default ciphersuite */
4137 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4138 "TLS_AES_128_CCM_SHA256")))
4142 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4148 SSL_free(serverssl);
4149 SSL_free(clientssl);
4156 static int test_ciphersuite_change(void)
4158 SSL_CTX *cctx = NULL, *sctx = NULL;
4159 SSL *clientssl = NULL, *serverssl = NULL;
4160 SSL_SESSION *clntsess = NULL;
4162 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4164 /* Create a session based on SHA-256 */
4165 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4166 TLS_client_method(), TLS1_VERSION, 0,
4167 &sctx, &cctx, cert, privkey))
4168 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4169 "TLS_AES_128_GCM_SHA256:"
4170 "TLS_AES_256_GCM_SHA384:"
4171 "TLS_AES_128_CCM_SHA256"))
4172 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4173 "TLS_AES_128_GCM_SHA256"))
4174 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4175 &clientssl, NULL, NULL))
4176 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4180 clntsess = SSL_get1_session(clientssl);
4181 /* Save for later */
4182 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4183 SSL_shutdown(clientssl);
4184 SSL_shutdown(serverssl);
4185 SSL_free(serverssl);
4186 SSL_free(clientssl);
4187 serverssl = clientssl = NULL;
4189 /* Check we can resume a session with a different SHA-256 ciphersuite */
4190 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4191 "TLS_AES_128_CCM_SHA256"))
4192 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4193 &clientssl, NULL, NULL))
4194 || !TEST_true(SSL_set_session(clientssl, clntsess))
4195 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4197 || !TEST_true(SSL_session_reused(clientssl)))
4200 SSL_SESSION_free(clntsess);
4201 clntsess = SSL_get1_session(clientssl);
4202 SSL_shutdown(clientssl);
4203 SSL_shutdown(serverssl);
4204 SSL_free(serverssl);
4205 SSL_free(clientssl);
4206 serverssl = clientssl = NULL;
4209 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4210 * succeeds but does not resume.
4212 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4213 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4215 || !TEST_true(SSL_set_session(clientssl, clntsess))
4216 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4218 || !TEST_false(SSL_session_reused(clientssl)))
4221 SSL_SESSION_free(clntsess);
4223 SSL_shutdown(clientssl);
4224 SSL_shutdown(serverssl);
4225 SSL_free(serverssl);
4226 SSL_free(clientssl);
4227 serverssl = clientssl = NULL;
4229 /* Create a session based on SHA384 */
4230 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4231 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4232 &clientssl, NULL, NULL))
4233 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4237 clntsess = SSL_get1_session(clientssl);
4238 SSL_shutdown(clientssl);
4239 SSL_shutdown(serverssl);
4240 SSL_free(serverssl);
4241 SSL_free(clientssl);
4242 serverssl = clientssl = NULL;
4244 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4245 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4246 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4247 "TLS_AES_256_GCM_SHA384"))
4248 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4250 || !TEST_true(SSL_set_session(clientssl, clntsess))
4252 * We use SSL_ERROR_WANT_READ below so that we can pause the
4253 * connection after the initial ClientHello has been sent to
4254 * enable us to make some session changes.
4256 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4257 SSL_ERROR_WANT_READ)))
4260 /* Trick the client into thinking this session is for a different digest */
4261 clntsess->cipher = aes_128_gcm_sha256;
4262 clntsess->cipher_id = clntsess->cipher->id;
4265 * Continue the previously started connection. Server has selected a SHA-384
4266 * ciphersuite, but client thinks the session is for SHA-256, so it should
4269 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4271 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4272 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4278 SSL_SESSION_free(clntsess);
4279 SSL_free(serverssl);
4280 SSL_free(clientssl);
4288 * Test TLSv1.3 Key exchange
4289 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4290 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4291 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4292 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4293 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4294 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4295 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4296 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4297 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4298 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4299 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4300 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4301 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4302 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4304 static int test_key_exchange(int idx)
4306 SSL_CTX *sctx = NULL, *cctx = NULL;
4307 SSL *serverssl = NULL, *clientssl = NULL;
4309 # ifndef OPENSSL_NO_EC
4310 int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4311 NID_secp521r1, NID_X25519, NID_X448};
4313 # ifndef OPENSSL_NO_DH
4314 int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4315 NID_ffdhe6144, NID_ffdhe8192};
4318 int *kexch_groups = &kexch_alg;
4319 int kexch_groups_size = 1;
4320 int max_version = TLS1_3_VERSION;
4323 # ifndef OPENSSL_NO_EC
4324 # ifndef OPENSSL_NO_TLS1_2
4326 max_version = TLS1_2_VERSION;
4330 kexch_groups = ecdhe_kexch_groups;
4331 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4334 kexch_alg = NID_X9_62_prime256v1;
4337 kexch_alg = NID_secp384r1;
4340 kexch_alg = NID_secp521r1;
4343 kexch_alg = NID_X25519;
4346 kexch_alg = NID_X448;
4349 # ifndef OPENSSL_NO_DH
4350 # ifndef OPENSSL_NO_TLS1_2
4352 max_version = TLS1_2_VERSION;
4356 kexch_groups = ffdhe_kexch_groups;
4357 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4360 kexch_alg = NID_ffdhe2048;
4363 kexch_alg = NID_ffdhe3072;
4366 kexch_alg = NID_ffdhe4096;
4369 kexch_alg = NID_ffdhe6144;
4372 kexch_alg = NID_ffdhe8192;
4376 /* We're skipping this test */
4380 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4381 TLS_client_method(), TLS1_VERSION,
4382 max_version, &sctx, &cctx, cert,
4386 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4387 TLS1_3_RFC_AES_128_GCM_SHA256)))
4390 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4391 TLS1_3_RFC_AES_128_GCM_SHA256)))
4394 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4395 TLS1_TXT_RSA_WITH_AES_128_SHA)))
4399 * Must include an EC ciphersuite so that we send supported groups in
4402 # ifndef OPENSSL_NO_TLS1_2
4403 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4404 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM ":"
4405 TLS1_TXT_RSA_WITH_AES_128_SHA)))
4409 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4413 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4414 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4417 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4421 * If Handshake succeeds the negotiated kexch alg should be the first one in
4422 * configured, except in the case of FFDHE groups (idx 13), which are
4423 * TLSv1.3 only so we expect no shared group to exist.
4425 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
4426 idx == 13 ? 0 : kexch_groups[0]))
4428 if (max_version == TLS1_3_VERSION) {
4429 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4431 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4437 SSL_free(serverssl);
4438 SSL_free(clientssl);
4445 * Test TLSv1.3 Cipher Suite
4446 * Test 0 = Set TLS1.3 cipher on context
4447 * Test 1 = Set TLS1.3 cipher on SSL
4448 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4449 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4451 static int test_tls13_ciphersuite(int idx)
4453 SSL_CTX *sctx = NULL, *cctx = NULL;
4454 SSL *serverssl = NULL, *clientssl = NULL;
4455 static const struct {
4456 const char *ciphername;
4459 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
4460 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
4461 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
4462 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4463 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4464 { TLS1_3_RFC_AES_256_GCM_SHA384
4465 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4467 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
4469 const char *t13_cipher = NULL;
4470 const char *t12_cipher = NULL;
4471 const char *negotiated_scipher;
4472 const char *negotiated_ccipher;
4488 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4492 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4496 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
4497 # ifdef OPENSSL_NO_TLS1_2
4498 if (max_ver == TLS1_2_VERSION)
4501 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4502 if (is_fips && !t13_ciphers[i].fipscapable)
4504 t13_cipher = t13_ciphers[i].ciphername;
4505 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4506 TLS_client_method(),
4507 TLS1_VERSION, max_ver,
4508 &sctx, &cctx, cert, privkey)))
4512 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
4513 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
4515 if (t12_cipher != NULL) {
4516 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
4517 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
4523 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4524 &clientssl, NULL, NULL)))
4528 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
4529 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
4531 if (t12_cipher != NULL) {
4532 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
4533 || !TEST_true(SSL_set_cipher_list(clientssl,
4539 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4543 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4545 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4547 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
4551 * TEST_strn_eq is used below because t13_cipher can contain
4552 * multiple ciphersuites
4554 if (max_ver == TLS1_3_VERSION
4555 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
4556 strlen(negotiated_scipher)))
4559 # ifndef OPENSSL_NO_TLS1_2
4560 /* Below validation is not done when t12_cipher is NULL */
4561 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
4562 && !TEST_str_eq(t12_cipher, negotiated_scipher))
4566 SSL_free(serverssl);
4568 SSL_free(clientssl);
4579 SSL_free(serverssl);
4580 SSL_free(clientssl);
4588 * Test 0 = Test new style callbacks
4589 * Test 1 = Test both new and old style callbacks
4590 * Test 2 = Test old style callbacks
4591 * Test 3 = Test old style callbacks with no certificate
4593 static int test_tls13_psk(int idx)
4595 SSL_CTX *sctx = NULL, *cctx = NULL;
4596 SSL *serverssl = NULL, *clientssl = NULL;
4597 const SSL_CIPHER *cipher = NULL;
4598 const unsigned char key[] = {
4599 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4600 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
4601 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
4602 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
4606 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4607 TLS_client_method(), TLS1_VERSION, 0,
4608 &sctx, &cctx, idx == 3 ? NULL : cert,
4609 idx == 3 ? NULL : privkey)))
4614 * We use a ciphersuite with SHA256 to ease testing old style PSK
4615 * callbacks which will always default to SHA256. This should not be
4616 * necessary if we have no cert/priv key. In that case the server should
4617 * prefer SHA256 automatically.
4619 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4620 "TLS_AES_128_GCM_SHA256")))
4624 * As noted above the server should prefer SHA256 automatically. However
4625 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
4626 * code works even if we are testing with only the FIPS provider loaded.
4628 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4629 "TLS_AES_256_GCM_SHA384:"
4630 "TLS_AES_128_GCM_SHA256")))
4635 * Test 0: New style callbacks only
4636 * Test 1: New and old style callbacks (only the new ones should be used)
4637 * Test 2: Old style callbacks only
4639 if (idx == 0 || idx == 1) {
4640 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
4641 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
4643 #ifndef OPENSSL_NO_PSK
4645 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
4646 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
4650 use_session_cb_cnt = 0;
4651 find_session_cb_cnt = 0;
4652 psk_client_cb_cnt = 0;
4653 psk_server_cb_cnt = 0;
4657 * Check we can create a connection if callback decides not to send a
4660 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4662 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4664 || !TEST_false(SSL_session_reused(clientssl))
4665 || !TEST_false(SSL_session_reused(serverssl)))
4668 if (idx == 0 || idx == 1) {
4669 if (!TEST_true(use_session_cb_cnt == 1)
4670 || !TEST_true(find_session_cb_cnt == 0)
4672 * If no old style callback then below should be 0
4675 || !TEST_true(psk_client_cb_cnt == idx)
4676 || !TEST_true(psk_server_cb_cnt == 0))
4679 if (!TEST_true(use_session_cb_cnt == 0)
4680 || !TEST_true(find_session_cb_cnt == 0)
4681 || !TEST_true(psk_client_cb_cnt == 1)
4682 || !TEST_true(psk_server_cb_cnt == 0))
4686 shutdown_ssl_connection(serverssl, clientssl);
4687 serverssl = clientssl = NULL;
4688 use_session_cb_cnt = psk_client_cb_cnt = 0;
4691 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4695 /* Create the PSK */
4696 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
4697 clientpsk = SSL_SESSION_new();
4698 if (!TEST_ptr(clientpsk)
4699 || !TEST_ptr(cipher)
4700 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
4702 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
4703 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
4705 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
4707 serverpsk = clientpsk;
4709 /* Check we can create a connection and the PSK is used */
4710 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4711 || !TEST_true(SSL_session_reused(clientssl))
4712 || !TEST_true(SSL_session_reused(serverssl)))
4715 if (idx == 0 || idx == 1) {
4716 if (!TEST_true(use_session_cb_cnt == 1)
4717 || !TEST_true(find_session_cb_cnt == 1)
4718 || !TEST_true(psk_client_cb_cnt == 0)
4719 || !TEST_true(psk_server_cb_cnt == 0))
4722 if (!TEST_true(use_session_cb_cnt == 0)
4723 || !TEST_true(find_session_cb_cnt == 0)
4724 || !TEST_true(psk_client_cb_cnt == 1)
4725 || !TEST_true(psk_server_cb_cnt == 1))
4729 shutdown_ssl_connection(serverssl, clientssl);
4730 serverssl = clientssl = NULL;
4731 use_session_cb_cnt = find_session_cb_cnt = 0;
4732 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4734 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4739 #if defined(OPENSSL_NO_EC)
4740 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
4743 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
4748 * Check we can create a connection, the PSK is used and the callbacks are
4751 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4752 || !TEST_true(SSL_session_reused(clientssl))
4753 || !TEST_true(SSL_session_reused(serverssl)))
4756 if (idx == 0 || idx == 1) {
4757 if (!TEST_true(use_session_cb_cnt == 2)
4758 || !TEST_true(find_session_cb_cnt == 2)
4759 || !TEST_true(psk_client_cb_cnt == 0)
4760 || !TEST_true(psk_server_cb_cnt == 0))
4763 if (!TEST_true(use_session_cb_cnt == 0)
4764 || !TEST_true(find_session_cb_cnt == 0)
4765 || !TEST_true(psk_client_cb_cnt == 2)
4766 || !TEST_true(psk_server_cb_cnt == 2))
4770 shutdown_ssl_connection(serverssl, clientssl);
4771 serverssl = clientssl = NULL;
4772 use_session_cb_cnt = find_session_cb_cnt = 0;
4773 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4777 * Check that if the server rejects the PSK we can still connect, but with
4780 srvid = "Dummy Identity";
4781 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4783 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4785 || !TEST_false(SSL_session_reused(clientssl))
4786 || !TEST_false(SSL_session_reused(serverssl)))
4789 if (idx == 0 || idx == 1) {
4790 if (!TEST_true(use_session_cb_cnt == 1)
4791 || !TEST_true(find_session_cb_cnt == 1)
4792 || !TEST_true(psk_client_cb_cnt == 0)
4794 * If no old style callback then below should be 0
4797 || !TEST_true(psk_server_cb_cnt == idx))
4800 if (!TEST_true(use_session_cb_cnt == 0)
4801 || !TEST_true(find_session_cb_cnt == 0)
4802 || !TEST_true(psk_client_cb_cnt == 1)
4803 || !TEST_true(psk_server_cb_cnt == 1))
4807 shutdown_ssl_connection(serverssl, clientssl);
4808 serverssl = clientssl = NULL;
4813 SSL_SESSION_free(clientpsk);
4814 SSL_SESSION_free(serverpsk);
4815 clientpsk = serverpsk = NULL;
4816 SSL_free(serverssl);
4817 SSL_free(clientssl);
4823 static unsigned char cookie_magic_value[] = "cookie magic";
4825 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
4826 unsigned int *cookie_len)
4829 * Not suitable as a real cookie generation function but good enough for
4832 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
4833 *cookie_len = sizeof(cookie_magic_value) - 1;
4838 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
4839 unsigned int cookie_len)
4841 if (cookie_len == sizeof(cookie_magic_value) - 1
4842 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
4848 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
4852 int res = generate_cookie_callback(ssl, cookie, &temp);
4857 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
4860 return verify_cookie_callback(ssl, cookie, cookie_len);
4863 static int test_stateless(void)
4865 SSL_CTX *sctx = NULL, *cctx = NULL;
4866 SSL *serverssl = NULL, *clientssl = NULL;
4869 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4870 TLS_client_method(), TLS1_VERSION, 0,
4871 &sctx, &cctx, cert, privkey)))
4874 /* The arrival of CCS messages can confuse the test */
4875 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
4877 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4879 /* Send the first ClientHello */
4880 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4881 SSL_ERROR_WANT_READ))
4883 * This should fail with a -1 return because we have no callbacks
4886 || !TEST_int_eq(SSL_stateless(serverssl), -1))
4889 /* Fatal error so abandon the connection from this client */
4890 SSL_free(clientssl);
4893 /* Set up the cookie generation and verification callbacks */
4894 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
4895 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
4898 * Create a new connection from the client (we can reuse the server SSL
4901 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4903 /* Send the first ClientHello */
4904 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4905 SSL_ERROR_WANT_READ))
4906 /* This should fail because there is no cookie */
4907 || !TEST_int_eq(SSL_stateless(serverssl), 0))
4910 /* Abandon the connection from this client */
4911 SSL_free(clientssl);
4915 * Now create a connection from a new client but with the same server SSL
4918 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4920 /* Send the first ClientHello */
4921 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4922 SSL_ERROR_WANT_READ))
4923 /* This should fail because there is no cookie */
4924 || !TEST_int_eq(SSL_stateless(serverssl), 0)
4925 /* Send the second ClientHello */
4926 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4927 SSL_ERROR_WANT_READ))
4928 /* This should succeed because a cookie is now present */
4929 || !TEST_int_eq(SSL_stateless(serverssl), 1)
4930 /* Complete the connection */
4931 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4935 shutdown_ssl_connection(serverssl, clientssl);
4936 serverssl = clientssl = NULL;
4940 SSL_free(serverssl);
4941 SSL_free(clientssl);
4947 #endif /* OPENSSL_NO_TLS1_3 */
4949 static int clntaddoldcb = 0;
4950 static int clntparseoldcb = 0;
4951 static int srvaddoldcb = 0;
4952 static int srvparseoldcb = 0;
4953 static int clntaddnewcb = 0;
4954 static int clntparsenewcb = 0;
4955 static int srvaddnewcb = 0;
4956 static int srvparsenewcb = 0;
4957 static int snicb = 0;
4959 #define TEST_EXT_TYPE1 0xff00
4961 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
4962 size_t *outlen, int *al, void *add_arg)
4964 int *server = (int *)add_arg;
4965 unsigned char *data;
4967 if (SSL_is_server(s))
4972 if (*server != SSL_is_server(s)
4973 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4978 *outlen = sizeof(char);
4982 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
4985 OPENSSL_free((unsigned char *)out);
4988 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
4989 size_t inlen, int *al, void *parse_arg)
4991 int *server = (int *)parse_arg;
4993 if (SSL_is_server(s))
4998 if (*server != SSL_is_server(s)
4999 || inlen != sizeof(char)
5006 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5007 const unsigned char **out, size_t *outlen, X509 *x,
5008 size_t chainidx, int *al, void *add_arg)
5010 int *server = (int *)add_arg;
5011 unsigned char *data;
5013 if (SSL_is_server(s))
5018 if (*server != SSL_is_server(s)
5019 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5024 *outlen = sizeof(*data);
5028 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5029 const unsigned char *out, void *add_arg)
5031 OPENSSL_free((unsigned char *)out);
5034 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5035 const unsigned char *in, size_t inlen, X509 *x,
5036 size_t chainidx, int *al, void *parse_arg)
5038 int *server = (int *)parse_arg;
5040 if (SSL_is_server(s))
5045 if (*server != SSL_is_server(s)
5046 || inlen != sizeof(char) || *in != 1)
5052 static int sni_cb(SSL *s, int *al, void *arg)
5054 SSL_CTX *ctx = (SSL_CTX *)arg;
5056 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5057 *al = SSL_AD_INTERNAL_ERROR;
5058 return SSL_TLSEXT_ERR_ALERT_FATAL;
5061 return SSL_TLSEXT_ERR_OK;
5065 * Custom call back tests.
5066 * Test 0: Old style callbacks in TLSv1.2
5067 * Test 1: New style callbacks in TLSv1.2
5068 * Test 2: New style callbacks in TLSv1.2 with SNI
5069 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5070 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
5072 static int test_custom_exts(int tst)
5074 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5075 SSL *clientssl = NULL, *serverssl = NULL;
5077 static int server = 1;
5078 static int client = 0;
5079 SSL_SESSION *sess = NULL;
5080 unsigned int context;
5082 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
5083 /* Skip tests for TLSv1.2 and below in this case */
5088 /* Reset callback counters */
5089 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5090 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
5093 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5094 TLS_client_method(), TLS1_VERSION, 0,
5095 &sctx, &cctx, cert, privkey)))
5099 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5101 &sctx2, NULL, cert, privkey)))
5106 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5107 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
5109 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
5113 context = SSL_EXT_CLIENT_HELLO
5114 | SSL_EXT_TLS1_2_SERVER_HELLO
5115 | SSL_EXT_TLS1_3_SERVER_HELLO
5116 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5117 | SSL_EXT_TLS1_3_CERTIFICATE
5118 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5120 context = SSL_EXT_CLIENT_HELLO
5121 | SSL_EXT_TLS1_2_SERVER_HELLO
5122 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5125 /* Create a client side custom extension */
5127 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5128 old_add_cb, old_free_cb,
5129 &client, old_parse_cb,
5133 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5134 new_add_cb, new_free_cb,
5135 &client, new_parse_cb, &client)))
5139 /* Should not be able to add duplicates */
5140 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5141 old_add_cb, old_free_cb,
5142 &client, old_parse_cb,
5144 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5145 context, new_add_cb,
5146 new_free_cb, &client,
5147 new_parse_cb, &client)))
5150 /* Create a server side custom extension */
5152 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5153 old_add_cb, old_free_cb,
5154 &server, old_parse_cb,
5158 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5159 new_add_cb, new_free_cb,
5160 &server, new_parse_cb, &server)))
5163 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5164 context, new_add_cb,
5165 new_free_cb, &server,
5166 new_parse_cb, &server)))
5170 /* Should not be able to add duplicates */
5171 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5172 old_add_cb, old_free_cb,
5173 &server, old_parse_cb,
5175 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5176 context, new_add_cb,
5177 new_free_cb, &server,
5178 new_parse_cb, &server)))
5183 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5184 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5188 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5189 &clientssl, NULL, NULL))
5190 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5195 if (clntaddoldcb != 1
5196 || clntparseoldcb != 1
5198 || srvparseoldcb != 1)
5200 } else if (tst == 1 || tst == 2 || tst == 3) {
5201 if (clntaddnewcb != 1
5202 || clntparsenewcb != 1
5204 || srvparsenewcb != 1
5205 || (tst != 2 && snicb != 0)
5206 || (tst == 2 && snicb != 1))
5209 /* In this case there 2 NewSessionTicket messages created */
5210 if (clntaddnewcb != 1
5211 || clntparsenewcb != 5
5213 || srvparsenewcb != 1)
5217 sess = SSL_get1_session(clientssl);
5218 SSL_shutdown(clientssl);
5219 SSL_shutdown(serverssl);
5220 SSL_free(serverssl);
5221 SSL_free(clientssl);
5222 serverssl = clientssl = NULL;
5225 /* We don't bother with the resumption aspects for this test */
5230 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5232 || !TEST_true(SSL_set_session(clientssl, sess))
5233 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5238 * For a resumed session we expect to add the ClientHello extension. For the
5239 * old style callbacks we ignore it on the server side because they set
5240 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5244 if (clntaddoldcb != 2
5245 || clntparseoldcb != 1
5247 || srvparseoldcb != 1)
5249 } else if (tst == 1 || tst == 2 || tst == 3) {
5250 if (clntaddnewcb != 2
5251 || clntparsenewcb != 2
5253 || srvparsenewcb != 2)
5257 * No Certificate message extensions in the resumption handshake,
5258 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5260 if (clntaddnewcb != 2
5261 || clntparsenewcb != 8
5263 || srvparsenewcb != 2)
5270 SSL_SESSION_free(sess);
5271 SSL_free(serverssl);
5272 SSL_free(clientssl);
5273 SSL_CTX_free(sctx2);
5280 * Test loading of serverinfo data in various formats. test_sslmessages actually
5281 * tests to make sure the extensions appear in the handshake
5283 static int test_serverinfo(int tst)
5285 unsigned int version;
5286 unsigned char *sibuf;
5288 int ret, expected, testresult = 0;
5291 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method());
5295 if ((tst & 0x01) == 0x01)
5296 version = SSL_SERVERINFOV2;
5298 version = SSL_SERVERINFOV1;
5300 if ((tst & 0x02) == 0x02) {
5301 sibuf = serverinfov2;
5302 sibuflen = sizeof(serverinfov2);
5303 expected = (version == SSL_SERVERINFOV2);
5305 sibuf = serverinfov1;
5306 sibuflen = sizeof(serverinfov1);
5307 expected = (version == SSL_SERVERINFOV1);
5310 if ((tst & 0x04) == 0x04) {
5311 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
5313 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
5316 * The version variable is irrelevant in this case - it's what is in the
5317 * buffer that matters
5319 if ((tst & 0x02) == 0x02)
5325 if (!TEST_true(ret == expected))
5337 * Test that SSL_export_keying_material() produces expected results. There are
5338 * no test vectors so all we do is test that both sides of the communication
5339 * produce the same results for different protocol versions.
5341 #define SMALL_LABEL_LEN 10
5342 #define LONG_LABEL_LEN 249
5343 static int test_export_key_mat(int tst)
5346 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5347 SSL *clientssl = NULL, *serverssl = NULL;
5348 const char label[LONG_LABEL_LEN + 1] = "test label";
5349 const unsigned char context[] = "context";
5350 const unsigned char *emptycontext = NULL;
5351 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
5352 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
5354 const int protocols[] = {
5363 #ifdef OPENSSL_NO_TLS1
5367 #ifdef OPENSSL_NO_TLS1_1
5371 if (is_fips && (tst == 0 || tst == 1))
5373 #ifdef OPENSSL_NO_TLS1_2
5377 #ifdef OPENSSL_NO_TLS1_3
5381 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5382 TLS_client_method(), TLS1_VERSION, 0,
5383 &sctx, &cctx, cert, privkey)))
5386 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
5387 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
5388 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
5389 if ((protocols[tst] < TLS1_2_VERSION) &&
5390 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
5391 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
5394 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5399 * Premature call of SSL_export_keying_material should just fail.
5401 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5402 sizeof(ckeymat1), label,
5403 SMALL_LABEL_LEN + 1, context,
5404 sizeof(context) - 1, 1), 0))
5407 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5413 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
5416 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5417 sizeof(ckeymat1), label,
5418 LONG_LABEL_LEN + 1, context,
5419 sizeof(context) - 1, 1), 0))
5424 } else if (tst == 4) {
5425 labellen = LONG_LABEL_LEN;
5427 labellen = SMALL_LABEL_LEN;
5430 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
5431 sizeof(ckeymat1), label,
5433 sizeof(context) - 1, 1), 1)
5434 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
5435 sizeof(ckeymat2), label,
5439 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
5440 sizeof(ckeymat3), label,
5443 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
5444 sizeof(skeymat1), label,
5447 sizeof(context) -1, 1),
5449 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
5450 sizeof(skeymat2), label,
5454 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
5455 sizeof(skeymat3), label,
5459 * Check that both sides created the same key material with the
5462 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5465 * Check that both sides created the same key material with an
5468 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5471 * Check that both sides created the same key material without a
5474 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
5476 /* Different contexts should produce different results */
5477 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5482 * Check that an empty context and no context produce different results in
5483 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
5485 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
5487 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
5494 SSL_free(serverssl);
5495 SSL_free(clientssl);
5496 SSL_CTX_free(sctx2);
5503 #ifndef OPENSSL_NO_TLS1_3
5505 * Test that SSL_export_keying_material_early() produces expected
5506 * results. There are no test vectors so all we do is test that both
5507 * sides of the communication produce the same results for different
5508 * protocol versions.
5510 static int test_export_key_mat_early(int idx)
5512 static const char label[] = "test label";
5513 static const unsigned char context[] = "context";
5515 SSL_CTX *cctx = NULL, *sctx = NULL;
5516 SSL *clientssl = NULL, *serverssl = NULL;
5517 SSL_SESSION *sess = NULL;
5518 const unsigned char *emptycontext = NULL;
5519 unsigned char ckeymat1[80], ckeymat2[80];
5520 unsigned char skeymat1[80], skeymat2[80];
5521 unsigned char buf[1];
5522 size_t readbytes, written;
5524 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
5528 /* Here writing 0 length early data is enough. */
5529 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
5530 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
5532 SSL_READ_EARLY_DATA_ERROR)
5533 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5534 SSL_EARLY_DATA_ACCEPTED))
5537 if (!TEST_int_eq(SSL_export_keying_material_early(
5538 clientssl, ckeymat1, sizeof(ckeymat1), label,
5539 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5540 || !TEST_int_eq(SSL_export_keying_material_early(
5541 clientssl, ckeymat2, sizeof(ckeymat2), label,
5542 sizeof(label) - 1, emptycontext, 0), 1)
5543 || !TEST_int_eq(SSL_export_keying_material_early(
5544 serverssl, skeymat1, sizeof(skeymat1), label,
5545 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5546 || !TEST_int_eq(SSL_export_keying_material_early(
5547 serverssl, skeymat2, sizeof(skeymat2), label,
5548 sizeof(label) - 1, emptycontext, 0), 1)
5550 * Check that both sides created the same key material with the
5553 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5556 * Check that both sides created the same key material with an
5559 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5561 /* Different contexts should produce different results */
5562 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5569 SSL_SESSION_free(sess);
5570 SSL_SESSION_free(clientpsk);
5571 SSL_SESSION_free(serverpsk);
5572 clientpsk = serverpsk = NULL;
5573 SSL_free(serverssl);
5574 SSL_free(clientssl);
5581 #define NUM_KEY_UPDATE_MESSAGES 40
5585 static int test_key_update(void)
5587 SSL_CTX *cctx = NULL, *sctx = NULL;
5588 SSL *clientssl = NULL, *serverssl = NULL;
5589 int testresult = 0, i, j;
5591 static char *mess = "A test message";
5593 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5594 TLS_client_method(),
5597 &sctx, &cctx, cert, privkey))
5598 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5600 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5604 for (j = 0; j < 2; j++) {
5605 /* Send lots of KeyUpdate messages */
5606 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
5607 if (!TEST_true(SSL_key_update(clientssl,
5609 ? SSL_KEY_UPDATE_NOT_REQUESTED
5610 : SSL_KEY_UPDATE_REQUESTED))
5611 || !TEST_true(SSL_do_handshake(clientssl)))
5615 /* Check that sending and receiving app data is ok */
5616 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
5617 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
5621 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
5622 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
5630 SSL_free(serverssl);
5631 SSL_free(clientssl);
5639 * Test we can handle a KeyUpdate (update requested) message while write data
5641 * Test 0: Client sends KeyUpdate while Server is writing
5642 * Test 1: Server sends KeyUpdate while Client is writing
5644 static int test_key_update_in_write(int tst)
5646 SSL_CTX *cctx = NULL, *sctx = NULL;
5647 SSL *clientssl = NULL, *serverssl = NULL;
5650 static char *mess = "A test message";
5651 BIO *bretry = BIO_new(bio_s_always_retry());
5653 SSL *peerupdate = NULL, *peerwrite = NULL;
5655 if (!TEST_ptr(bretry)
5656 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5657 TLS_client_method(),
5660 &sctx, &cctx, cert, privkey))
5661 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5663 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5667 peerupdate = tst == 0 ? clientssl : serverssl;
5668 peerwrite = tst == 0 ? serverssl : clientssl;
5670 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
5671 || !TEST_true(SSL_do_handshake(peerupdate)))
5674 /* Swap the writing endpoint's write BIO to force a retry */
5675 tmp = SSL_get_wbio(peerwrite);
5676 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
5680 SSL_set0_wbio(peerwrite, bretry);
5683 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
5684 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
5685 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
5688 /* Reinstate the original writing endpoint's write BIO */
5689 SSL_set0_wbio(peerwrite, tmp);
5692 /* Now read some data - we will read the key update */
5693 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
5694 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
5698 * Complete the write we started previously and read it from the other
5701 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5702 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5705 /* Write more data to ensure we send the KeyUpdate message back */
5706 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5707 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5713 SSL_free(serverssl);
5714 SSL_free(clientssl);
5722 #endif /* OPENSSL_NO_TLS1_3 */
5724 static int test_ssl_clear(int idx)
5726 SSL_CTX *cctx = NULL, *sctx = NULL;
5727 SSL *clientssl = NULL, *serverssl = NULL;
5730 #ifdef OPENSSL_NO_TLS1_2
5735 /* Create an initial connection */
5736 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5737 TLS_client_method(), TLS1_VERSION, 0,
5738 &sctx, &cctx, cert, privkey))
5740 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
5742 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5743 &clientssl, NULL, NULL))
5744 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5748 SSL_shutdown(clientssl);
5749 SSL_shutdown(serverssl);
5750 SSL_free(serverssl);
5753 /* Clear clientssl - we're going to reuse the object */
5754 if (!TEST_true(SSL_clear(clientssl)))
5757 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5759 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5761 || !TEST_true(SSL_session_reused(clientssl)))
5764 SSL_shutdown(clientssl);
5765 SSL_shutdown(serverssl);
5770 SSL_free(serverssl);
5771 SSL_free(clientssl);
5778 /* Parse CH and retrieve any MFL extension value if present */
5779 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
5782 unsigned char *data;
5783 PACKET pkt, pkt2, pkt3;
5784 unsigned int MFL_code = 0, type = 0;
5786 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
5789 memset(&pkt, 0, sizeof(pkt));
5790 memset(&pkt2, 0, sizeof(pkt2));
5791 memset(&pkt3, 0, sizeof(pkt3));
5793 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
5794 /* Skip the record header */
5795 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
5796 /* Skip the handshake message header */
5797 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
5798 /* Skip client version and random */
5799 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
5800 + SSL3_RANDOM_SIZE))
5801 /* Skip session id */
5802 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5804 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
5805 /* Skip compression */
5806 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5807 /* Extensions len */
5808 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
5811 /* Loop through all extensions */
5812 while (PACKET_remaining(&pkt2)) {
5813 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
5814 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
5817 if (type == TLSEXT_TYPE_max_fragment_length) {
5818 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
5819 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
5822 *mfl_codemfl_code = MFL_code;
5831 /* Maximum-Fragment-Length TLS extension mode to test */
5832 static const unsigned char max_fragment_len_test[] = {
5833 TLSEXT_max_fragment_length_512,
5834 TLSEXT_max_fragment_length_1024,
5835 TLSEXT_max_fragment_length_2048,
5836 TLSEXT_max_fragment_length_4096
5839 static int test_max_fragment_len_ext(int idx_tst)
5843 int testresult = 0, MFL_mode = 0;
5846 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method());
5850 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
5851 ctx, max_fragment_len_test[idx_tst])))
5858 rbio = BIO_new(BIO_s_mem());
5859 wbio = BIO_new(BIO_s_mem());
5860 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
5866 SSL_set_bio(con, rbio, wbio);
5867 SSL_set_connect_state(con);
5869 if (!TEST_int_le(SSL_connect(con), 0)) {
5870 /* This shouldn't succeed because we don't have a server! */
5874 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
5875 /* no MFL in client hello */
5877 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
5889 #ifndef OPENSSL_NO_TLS1_3
5890 static int test_pha_key_update(void)
5892 SSL_CTX *cctx = NULL, *sctx = NULL;
5893 SSL *clientssl = NULL, *serverssl = NULL;
5896 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5897 TLS_client_method(), TLS1_VERSION, 0,
5898 &sctx, &cctx, cert, privkey)))
5901 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
5902 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
5903 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
5904 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
5907 SSL_CTX_set_post_handshake_auth(cctx, 1);
5909 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5913 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5917 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
5918 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
5921 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
5924 /* Start handshake on the server */
5925 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
5928 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
5929 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5933 SSL_shutdown(clientssl);
5934 SSL_shutdown(serverssl);
5939 SSL_free(serverssl);
5940 SSL_free(clientssl);
5947 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5949 static SRP_VBASE *vbase = NULL;
5951 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
5953 int ret = SSL3_AL_FATAL;
5955 SRP_user_pwd *user = NULL;
5957 username = SSL_get_srp_username(s);
5958 if (username == NULL) {
5959 *ad = SSL_AD_INTERNAL_ERROR;
5963 user = SRP_VBASE_get1_by_user(vbase, username);
5965 *ad = SSL_AD_INTERNAL_ERROR;
5969 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
5971 *ad = SSL_AD_INTERNAL_ERROR;
5978 SRP_user_pwd_free(user);
5982 static int create_new_vfile(char *userid, char *password, const char *filename)
5985 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
5988 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
5991 if (!TEST_ptr(dummy) || !TEST_ptr(row))
5994 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
5995 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
5996 if (!TEST_ptr(gNid))
6000 * The only way to create an empty TXT_DB is to provide a BIO with no data
6003 db = TXT_DB_read(dummy, DB_NUMBER);
6007 out = BIO_new_file(filename, "w");
6011 row[DB_srpid] = OPENSSL_strdup(userid);
6012 row[DB_srptype] = OPENSSL_strdup("V");
6013 row[DB_srpgN] = OPENSSL_strdup(gNid);
6015 if (!TEST_ptr(row[DB_srpid])
6016 || !TEST_ptr(row[DB_srptype])
6017 || !TEST_ptr(row[DB_srpgN])
6018 || !TEST_true(TXT_DB_insert(db, row)))
6023 if (!TXT_DB_write(out, db))
6029 for (i = 0; i < DB_NUMBER; i++)
6030 OPENSSL_free(row[i]);
6040 static int create_new_vbase(char *userid, char *password)
6042 BIGNUM *verifier = NULL, *salt = NULL;
6043 const SRP_gN *lgN = NULL;
6044 SRP_user_pwd *user_pwd = NULL;
6047 lgN = SRP_get_default_gN(NULL);
6051 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
6052 lgN->N, lgN->g, libctx, NULL)))
6055 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
6056 if (!TEST_ptr(user_pwd))
6059 user_pwd->N = lgN->N;
6060 user_pwd->g = lgN->g;
6061 user_pwd->id = OPENSSL_strdup(userid);
6062 if (!TEST_ptr(user_pwd->id))
6065 user_pwd->v = verifier;
6067 verifier = salt = NULL;
6069 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
6075 SRP_user_pwd_free(user_pwd);
6085 * Test 0: Simple successful SRP connection, new vbase
6086 * Test 1: Connection failure due to bad password, new vbase
6087 * Test 2: Simple successful SRP connection, vbase loaded from existing file
6088 * Test 3: Connection failure due to bad password, vbase loaded from existing
6090 * Test 4: Simple successful SRP connection, vbase loaded from new file
6091 * Test 5: Connection failure due to bad password, vbase loaded from new file
6093 static int test_srp(int tst)
6095 char *userid = "test", *password = "password", *tstsrpfile;
6096 SSL_CTX *cctx = NULL, *sctx = NULL;
6097 SSL *clientssl = NULL, *serverssl = NULL;
6098 int ret, testresult = 0;
6100 vbase = SRP_VBASE_new(NULL);
6101 if (!TEST_ptr(vbase))
6104 if (tst == 0 || tst == 1) {
6105 if (!TEST_true(create_new_vbase(userid, password)))
6108 if (tst == 4 || tst == 5) {
6109 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
6111 tstsrpfile = tmpfilename;
6113 tstsrpfile = srpvfile;
6115 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
6119 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6120 TLS_client_method(), TLS1_VERSION, 0,
6121 &sctx, &cctx, cert, privkey)))
6124 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
6125 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
6126 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
6127 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
6128 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
6132 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
6135 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
6139 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6143 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6145 if (!TEST_true(tst % 2 == 0))
6148 if (!TEST_true(tst % 2 == 1))
6155 SRP_VBASE_free(vbase);
6157 SSL_free(serverssl);
6158 SSL_free(clientssl);
6166 static int info_cb_failed = 0;
6167 static int info_cb_offset = 0;
6168 static int info_cb_this_state = -1;
6170 static struct info_cb_states_st {
6172 const char *statestr;
6173 } info_cb_states[][60] = {
6175 /* TLSv1.2 server followed by resumption */
6176 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6177 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6178 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
6179 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
6180 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
6181 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6182 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6183 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6184 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
6185 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6186 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
6187 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6188 {SSL_CB_EXIT, NULL}, {0, NULL},
6190 /* TLSv1.2 client followed by resumption */
6191 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6192 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6193 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
6194 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
6195 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
6196 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6197 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6198 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6199 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6200 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6201 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6202 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
6204 /* TLSv1.3 server followed by resumption */
6205 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6206 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6207 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
6208 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
6209 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
6210 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6211 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6212 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6213 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6214 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6215 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
6216 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6217 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
6219 /* TLSv1.3 client followed by resumption */
6220 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6221 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6222 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
6223 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
6224 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6225 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6226 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
6227 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
6228 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6229 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
6230 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6231 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6232 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6233 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
6234 {SSL_CB_EXIT, NULL}, {0, NULL},
6236 /* TLSv1.3 server, early_data */
6237 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6238 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6239 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6240 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6241 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6242 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
6243 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6244 {SSL_CB_EXIT, NULL}, {0, NULL},
6246 /* TLSv1.3 client, early_data */
6247 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6248 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
6249 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6250 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6251 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6252 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
6253 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6254 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6255 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
6261 static void sslapi_info_callback(const SSL *s, int where, int ret)
6263 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
6265 /* We do not ever expect a connection to fail in this test */
6266 if (!TEST_false(ret == 0)) {
6272 * Do some sanity checks. We never expect these things to happen in this
6275 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
6276 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
6277 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
6282 /* Now check we're in the right state */
6283 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
6287 if ((where & SSL_CB_LOOP) != 0
6288 && !TEST_int_eq(strcmp(SSL_state_string(s),
6289 state[info_cb_this_state].statestr), 0)) {
6295 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
6297 if ((where & SSL_CB_HANDSHAKE_DONE)
6298 && SSL_in_init((SSL *)s) != 0) {
6305 * Test the info callback gets called when we expect it to.
6307 * Test 0: TLSv1.2, server
6308 * Test 1: TLSv1.2, client
6309 * Test 2: TLSv1.3, server
6310 * Test 3: TLSv1.3, client
6311 * Test 4: TLSv1.3, server, early_data
6312 * Test 5: TLSv1.3, client, early_data
6314 static int test_info_callback(int tst)
6316 SSL_CTX *cctx = NULL, *sctx = NULL;
6317 SSL *clientssl = NULL, *serverssl = NULL;
6318 SSL_SESSION *clntsess = NULL;
6323 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
6324 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
6325 || !defined(OPENSSL_NO_DH))
6326 tlsvers = TLS1_2_VERSION;
6331 #ifndef OPENSSL_NO_TLS1_3
6332 tlsvers = TLS1_3_VERSION;
6340 info_cb_this_state = -1;
6341 info_cb_offset = tst;
6343 #ifndef OPENSSL_NO_TLS1_3
6345 SSL_SESSION *sess = NULL;
6346 size_t written, readbytes;
6347 unsigned char buf[80];
6349 /* early_data tests */
6350 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
6351 &serverssl, &sess, 0)))
6354 /* We don't actually need this reference */
6355 SSL_SESSION_free(sess);
6357 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
6358 sslapi_info_callback);
6360 /* Write and read some early data and then complete the connection */
6361 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
6363 || !TEST_size_t_eq(written, strlen(MSG1))
6364 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
6365 sizeof(buf), &readbytes),
6366 SSL_READ_EARLY_DATA_SUCCESS)
6367 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
6368 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6369 SSL_EARLY_DATA_ACCEPTED)
6370 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6372 || !TEST_false(info_cb_failed))
6380 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6381 TLS_client_method(),
6382 tlsvers, tlsvers, &sctx, &cctx, cert,
6386 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
6390 * For even numbered tests we check the server callbacks. For odd numbers we
6393 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
6394 sslapi_info_callback);
6396 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6397 &clientssl, NULL, NULL))
6398 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6400 || !TEST_false(info_cb_failed))
6405 clntsess = SSL_get1_session(clientssl);
6406 SSL_shutdown(clientssl);
6407 SSL_shutdown(serverssl);
6408 SSL_free(serverssl);
6409 SSL_free(clientssl);
6410 serverssl = clientssl = NULL;
6412 /* Now do a resumption */
6413 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6415 || !TEST_true(SSL_set_session(clientssl, clntsess))
6416 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6418 || !TEST_true(SSL_session_reused(clientssl))
6419 || !TEST_false(info_cb_failed))
6425 SSL_free(serverssl);
6426 SSL_free(clientssl);
6427 SSL_SESSION_free(clntsess);
6433 static int test_ssl_pending(int tst)
6435 SSL_CTX *cctx = NULL, *sctx = NULL;
6436 SSL *clientssl = NULL, *serverssl = NULL;
6438 char msg[] = "A test message";
6440 size_t written, readbytes;
6443 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6444 TLS_client_method(),
6446 &sctx, &cctx, cert, privkey)))
6449 #ifndef OPENSSL_NO_DTLS
6450 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
6451 DTLS_client_method(),
6453 &sctx, &cctx, cert, privkey)))
6460 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6462 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6466 if (!TEST_int_eq(SSL_pending(clientssl), 0)
6467 || !TEST_false(SSL_has_pending(clientssl))
6468 || !TEST_int_eq(SSL_pending(serverssl), 0)
6469 || !TEST_false(SSL_has_pending(serverssl))
6470 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6471 || !TEST_size_t_eq(written, sizeof(msg))
6472 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
6473 || !TEST_size_t_eq(readbytes, sizeof(buf))
6474 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
6475 || !TEST_true(SSL_has_pending(clientssl)))
6481 SSL_free(serverssl);
6482 SSL_free(clientssl);
6490 unsigned int maxprot;
6491 const char *clntciphers;
6492 const char *clnttls13ciphers;
6493 const char *srvrciphers;
6494 const char *srvrtls13ciphers;
6496 const char *fipsshared;
6497 } shared_ciphers_data[] = {
6499 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
6500 * TLSv1.3 is enabled but TLSv1.2 is disabled.
6502 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
6505 "AES128-SHA:AES256-SHA",
6507 "AES256-SHA:DHE-RSA-AES128-SHA",
6512 # if !defined(OPENSSL_NO_CHACHA) \
6513 && !defined(OPENSSL_NO_POLY1305) \
6514 && !defined(OPENSSL_NO_EC)
6517 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6519 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6521 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6527 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
6529 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
6531 "AES128-SHA:AES256-SHA",
6532 "AES128-SHA:AES256-SHA"
6536 "AES128-SHA:AES256-SHA",
6538 "AES128-SHA:DHE-RSA-AES128-SHA",
6545 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
6548 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
6549 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
6552 "AES128-SHA:AES256-SHA",
6554 "AES256-SHA:AES128-SHA256",
6556 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
6557 "TLS_AES_128_GCM_SHA256:AES256-SHA",
6558 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
6561 #ifndef OPENSSL_NO_TLS1_3
6565 "TLS_AES_256_GCM_SHA384",
6567 "TLS_AES_256_GCM_SHA384",
6568 "TLS_AES_256_GCM_SHA384",
6569 "TLS_AES_256_GCM_SHA384"
6574 static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
6576 SSL_CTX *cctx = NULL, *sctx = NULL;
6577 SSL *clientssl = NULL, *serverssl = NULL;
6580 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
6582 if (!TEST_ptr(tmplibctx))
6586 * Regardless of whether we're testing with the FIPS provider loaded into
6587 * libctx, we want one peer to always use the full set of ciphersuites
6588 * available. Therefore we use a separate libctx with the default provider
6589 * loaded into it. We run the same tests twice - once with the client side
6590 * having the full set of ciphersuites and once with the server side.
6593 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
6594 if (!TEST_ptr(cctx))
6597 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
6598 if (!TEST_ptr(sctx))
6602 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6603 TLS_client_method(),
6605 shared_ciphers_data[tst].maxprot,
6606 &sctx, &cctx, cert, privkey)))
6609 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
6610 shared_ciphers_data[tst].clntciphers))
6611 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
6612 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
6613 shared_ciphers_data[tst].clnttls13ciphers)))
6614 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
6615 shared_ciphers_data[tst].srvrciphers))
6616 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
6617 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
6618 shared_ciphers_data[tst].srvrtls13ciphers))))
6622 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6624 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6628 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
6629 || !TEST_int_eq(strcmp(buf,
6631 ? shared_ciphers_data[tst].fipsshared
6632 : shared_ciphers_data[tst].shared),
6634 TEST_info("Shared ciphers are: %s\n", buf);
6641 SSL_free(serverssl);
6642 SSL_free(clientssl);
6645 OSSL_LIB_CTX_free(tmplibctx);
6650 static int test_ssl_get_shared_ciphers(int tst)
6652 return int_test_ssl_get_shared_ciphers(tst, 0)
6653 && int_test_ssl_get_shared_ciphers(tst, 1);
6657 static const char *appdata = "Hello World";
6658 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
6659 static int tick_key_renew = 0;
6660 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6662 static int gen_tick_cb(SSL *s, void *arg)
6664 gen_tick_called = 1;
6666 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
6670 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
6671 const unsigned char *keyname,
6672 size_t keyname_length,
6673 SSL_TICKET_STATUS status,
6679 dec_tick_called = 1;
6681 if (status == SSL_TICKET_EMPTY)
6682 return SSL_TICKET_RETURN_IGNORE_RENEW;
6684 if (!TEST_true(status == SSL_TICKET_SUCCESS
6685 || status == SSL_TICKET_SUCCESS_RENEW))
6686 return SSL_TICKET_RETURN_ABORT;
6688 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
6690 || !TEST_size_t_eq(tickdlen, strlen(appdata))
6691 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
6692 return SSL_TICKET_RETURN_ABORT;
6694 if (tick_key_cb_called) {
6695 /* Don't change what the ticket key callback wanted to do */
6697 case SSL_TICKET_NO_DECRYPT:
6698 return SSL_TICKET_RETURN_IGNORE_RENEW;
6700 case SSL_TICKET_SUCCESS:
6701 return SSL_TICKET_RETURN_USE;
6703 case SSL_TICKET_SUCCESS_RENEW:
6704 return SSL_TICKET_RETURN_USE_RENEW;
6707 return SSL_TICKET_RETURN_ABORT;
6710 return tick_dec_ret;
6714 #ifndef OPENSSL_NO_DEPRECATED_3_0
6715 static int tick_key_cb(SSL *s, unsigned char key_name[16],
6716 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
6717 HMAC_CTX *hctx, int enc)
6719 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6720 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
6721 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6722 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
6725 tick_key_cb_called = 1;
6726 memset(iv, 0, AES_BLOCK_SIZE);
6727 memset(key_name, 0, 16);
6728 if (aes128cbc == NULL
6730 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
6731 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
6735 ret = tick_key_renew ? 2 : 1;
6737 EVP_CIPHER_free(aes128cbc);
6738 EVP_MD_free(sha256);
6744 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
6745 unsigned char iv[EVP_MAX_IV_LENGTH],
6746 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
6748 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6749 unsigned char tick_hmac_key[16] = "0123456789abcdef";
6750 OSSL_PARAM params[3];
6751 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6754 tick_key_cb_called = 1;
6755 memset(iv, 0, AES_BLOCK_SIZE);
6756 memset(key_name, 0, 16);
6757 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
6759 params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
6761 sizeof(tick_hmac_key));
6762 params[2] = OSSL_PARAM_construct_end();
6763 if (aes128cbc == NULL
6764 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
6765 || !EVP_MAC_CTX_set_params(hctx, params)
6766 || !EVP_MAC_init(hctx))
6769 ret = tick_key_renew ? 2 : 1;
6771 EVP_CIPHER_free(aes128cbc);
6777 * Test the various ticket callbacks
6778 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
6779 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
6780 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
6781 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
6782 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
6783 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
6784 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
6785 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
6786 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
6787 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
6788 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
6789 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
6790 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
6791 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
6792 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
6793 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
6795 static int test_ticket_callbacks(int tst)
6797 SSL_CTX *cctx = NULL, *sctx = NULL;
6798 SSL *clientssl = NULL, *serverssl = NULL;
6799 SSL_SESSION *clntsess = NULL;
6802 #ifdef OPENSSL_NO_TLS1_2
6806 #ifdef OPENSSL_NO_TLS1_3
6810 #ifdef OPENSSL_NO_DEPRECATED_3_0
6811 if (tst >= 8 && tst <= 11)
6815 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
6817 /* Which tests the ticket key callback should request renewal for */
6818 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
6823 /* Which tests the decrypt ticket callback should request renewal for */
6827 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
6832 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
6837 tick_dec_ret = SSL_TICKET_RETURN_USE;
6842 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
6846 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6849 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6850 TLS_client_method(),
6852 ((tst % 2) == 0) ? TLS1_2_VERSION
6854 &sctx, &cctx, cert, privkey)))
6858 * We only want sessions to resume from tickets - not the session cache. So
6859 * switch the cache off.
6861 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
6864 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
6869 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
6871 #ifndef OPENSSL_NO_DEPRECATED_3_0
6872 } else if (tst >= 8) {
6873 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
6878 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6880 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6885 * The decrypt ticket key callback in TLSv1.2 should be called even though
6886 * we have no ticket yet, because it gets called with a status of
6887 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
6888 * actually send any ticket data). This does not happen in TLSv1.3 because
6889 * it is not valid to send empty ticket data in TLSv1.3.
6891 if (!TEST_int_eq(gen_tick_called, 1)
6892 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
6895 gen_tick_called = dec_tick_called = 0;
6897 clntsess = SSL_get1_session(clientssl);
6898 SSL_shutdown(clientssl);
6899 SSL_shutdown(serverssl);
6900 SSL_free(serverssl);
6901 SSL_free(clientssl);
6902 serverssl = clientssl = NULL;
6904 /* Now do a resumption */
6905 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6907 || !TEST_true(SSL_set_session(clientssl, clntsess))
6908 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6912 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
6913 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
6914 if (!TEST_false(SSL_session_reused(clientssl)))
6917 if (!TEST_true(SSL_session_reused(clientssl)))
6921 if (!TEST_int_eq(gen_tick_called,
6923 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
6924 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
6926 || !TEST_int_eq(dec_tick_called, 1))
6932 SSL_SESSION_free(clntsess);
6933 SSL_free(serverssl);
6934 SSL_free(clientssl);
6942 * Test incorrect shutdown.
6943 * Test 0: client does not shutdown properly,
6944 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
6945 * server should get SSL_ERROR_SSL
6946 * Test 1: client does not shutdown properly,
6947 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
6948 * server should get SSL_ERROR_ZERO_RETURN
6950 static int test_incorrect_shutdown(int tst)
6952 SSL_CTX *cctx = NULL, *sctx = NULL;
6953 SSL *clientssl = NULL, *serverssl = NULL;
6958 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6959 TLS_client_method(), 0, 0,
6960 &sctx, &cctx, cert, privkey)))
6964 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
6966 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6970 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6974 c2s = SSL_get_rbio(serverssl);
6975 BIO_set_mem_eof_return(c2s, 0);
6977 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
6980 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
6982 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
6988 SSL_free(serverssl);
6989 SSL_free(clientssl);
6997 * Test bi-directional shutdown.
6999 * Test 1: TLSv1.2, server continues to read/write after client shutdown
7000 * Test 2: TLSv1.3, no pending NewSessionTicket messages
7001 * Test 3: TLSv1.3, pending NewSessionTicket messages
7002 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
7003 * sends key update, client reads it
7004 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
7005 * sends CertificateRequest, client reads and ignores it
7006 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
7009 static int test_shutdown(int tst)
7011 SSL_CTX *cctx = NULL, *sctx = NULL;
7012 SSL *clientssl = NULL, *serverssl = NULL;
7014 char msg[] = "A test message";
7016 size_t written, readbytes;
7019 #ifdef OPENSSL_NO_TLS1_2
7023 #ifdef OPENSSL_NO_TLS1_3
7028 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7029 TLS_client_method(),
7031 (tst <= 1) ? TLS1_2_VERSION
7033 &sctx, &cctx, cert, privkey)))
7037 SSL_CTX_set_post_handshake_auth(cctx, 1);
7039 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7044 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
7046 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7047 || !TEST_false(SSL_SESSION_is_resumable(sess)))
7049 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7051 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7052 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
7056 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
7061 * Reading on the server after the client has sent close_notify should
7062 * fail and provide SSL_ERROR_ZERO_RETURN
7064 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
7065 || !TEST_int_eq(SSL_get_error(serverssl, 0),
7066 SSL_ERROR_ZERO_RETURN)
7067 || !TEST_int_eq(SSL_get_shutdown(serverssl),
7068 SSL_RECEIVED_SHUTDOWN)
7070 * Even though we're shutdown on receive we should still be
7073 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7076 && !TEST_true(SSL_key_update(serverssl,
7077 SSL_KEY_UPDATE_REQUESTED)))
7080 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7081 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7084 if ((tst == 4 || tst == 5)
7085 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7087 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
7089 if (tst == 4 || tst == 5) {
7090 /* Should still be able to read data from server */
7091 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7093 || !TEST_size_t_eq(readbytes, sizeof(msg))
7094 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
7095 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7097 || !TEST_size_t_eq(readbytes, sizeof(msg))
7098 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
7103 /* Writing on the client after sending close_notify shouldn't be possible */
7104 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
7109 * For these tests the client has sent close_notify but it has not yet
7110 * been received by the server. The server has not sent close_notify
7113 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
7115 * Writing on the server after sending close_notify shouldn't
7118 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7119 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
7120 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7121 || !TEST_true(SSL_SESSION_is_resumable(sess))
7122 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
7124 } else if (tst == 4 || tst == 5) {
7126 * In this test the client has sent close_notify and it has been
7127 * received by the server which has responded with a close_notify. The
7128 * client needs to read the close_notify sent by the server.
7130 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
7131 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7132 || !TEST_true(SSL_SESSION_is_resumable(sess)))
7138 * The client has sent close_notify and is expecting a close_notify
7139 * back, but instead there is application data first. The shutdown
7140 * should fail with a fatal error.
7142 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
7143 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
7150 SSL_free(serverssl);
7151 SSL_free(clientssl);
7158 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
7159 static int cert_cb_cnt;
7161 static int cert_cb(SSL *s, void *arg)
7163 SSL_CTX *ctx = (SSL_CTX *)arg;
7165 EVP_PKEY *pkey = NULL;
7166 X509 *x509 = NULL, *rootx = NULL;
7167 STACK_OF(X509) *chain = NULL;
7168 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
7171 if (cert_cb_cnt == 0) {
7172 /* Suspend the handshake */
7175 } else if (cert_cb_cnt == 1) {
7177 * Update the SSL_CTX, set the certificate and private key and then
7178 * continue the handshake normally.
7180 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
7183 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
7184 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
7186 || !TEST_true(SSL_check_private_key(s)))
7190 } else if (cert_cb_cnt == 3) {
7193 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
7194 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
7195 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
7196 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
7198 chain = sk_X509_new_null();
7199 if (!TEST_ptr(chain))
7201 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7202 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
7203 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
7204 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
7205 || !TEST_true(sk_X509_push(chain, rootx)))
7209 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7210 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
7211 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
7212 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
7215 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7216 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
7217 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
7221 rv = SSL_check_chain(s, x509, pkey, chain);
7223 * If the cert doesn't show as valid here (e.g., because we don't
7224 * have any shared sigalgs), then we will not set it, and there will
7225 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
7226 * will cause tls_choose_sigalgs() to fail the connection.
7228 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
7229 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
7230 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
7237 /* Abort the handshake */
7239 OPENSSL_free(ecdsacert);
7240 OPENSSL_free(ecdsakey);
7241 OPENSSL_free(rootfile);
7243 EVP_PKEY_free(pkey);
7246 sk_X509_pop_free(chain, X509_free);
7251 * Test the certificate callback.
7252 * Test 0: Callback fails
7253 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
7254 * Test 2: Success - SSL_set_SSL_CTX() in the callback
7255 * Test 3: Success - Call SSL_check_chain from the callback
7256 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
7258 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
7260 static int test_cert_cb_int(int prot, int tst)
7262 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
7263 SSL *clientssl = NULL, *serverssl = NULL;
7264 int testresult = 0, ret;
7266 #ifdef OPENSSL_NO_EC
7267 /* We use an EC cert in these tests, so we skip in a no-ec build */
7272 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7273 TLS_client_method(),
7276 &sctx, &cctx, NULL, NULL)))
7287 snictx = SSL_CTX_new(TLS_server_method());
7288 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
7290 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7296 * We cause SSL_check_chain() to fail by specifying sig_algs that
7297 * the chain doesn't meet (the root uses an RSA cert)
7299 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7300 "ecdsa_secp256r1_sha256")))
7302 } else if (tst == 5) {
7304 * We cause SSL_check_chain() to fail by specifying sig_algs that
7305 * the ee cert doesn't meet (the ee uses an ECDSA cert)
7307 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7308 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
7312 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7313 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
7315 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
7322 SSL_free(serverssl);
7323 SSL_free(clientssl);
7326 SSL_CTX_free(snictx);
7332 static int test_cert_cb(int tst)
7336 #ifndef OPENSSL_NO_TLS1_2
7337 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
7339 #ifndef OPENSSL_NO_TLS1_3
7340 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
7346 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
7351 BIO *priv_in = NULL;
7353 /* Check that SSL_get0_peer_certificate() returns something sensible */
7354 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
7357 in = BIO_new_file(cert, "r");
7361 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
7362 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
7363 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
7364 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
7382 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
7387 static int test_client_cert_cb(int tst)
7389 SSL_CTX *cctx = NULL, *sctx = NULL;
7390 SSL *clientssl = NULL, *serverssl = NULL;
7393 #ifdef OPENSSL_NO_TLS1_2
7397 #ifdef OPENSSL_NO_TLS1_3
7402 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7403 TLS_client_method(),
7405 tst == 0 ? TLS1_2_VERSION
7407 &sctx, &cctx, cert, privkey)))
7411 * Test that setting a client_cert_cb results in a client certificate being
7414 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
7415 SSL_CTX_set_verify(sctx,
7416 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
7419 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7421 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7428 SSL_free(serverssl);
7429 SSL_free(clientssl);
7436 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
7438 * Test setting certificate authorities on both client and server.
7440 * Test 0: SSL_CTX_set0_CA_list() only
7441 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
7442 * Test 2: Only SSL_CTX_set_client_CA_list()
7444 static int test_ca_names_int(int prot, int tst)
7446 SSL_CTX *cctx = NULL, *sctx = NULL;
7447 SSL *clientssl = NULL, *serverssl = NULL;
7450 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
7451 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
7452 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
7453 const STACK_OF(X509_NAME) *sktmp = NULL;
7455 for (i = 0; i < OSSL_NELEM(name); i++) {
7456 name[i] = X509_NAME_new();
7457 if (!TEST_ptr(name[i])
7458 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
7466 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7467 TLS_client_method(),
7470 &sctx, &cctx, cert, privkey)))
7473 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
7475 if (tst == 0 || tst == 1) {
7476 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7477 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
7478 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
7479 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7480 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
7481 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
7484 SSL_CTX_set0_CA_list(sctx, sk1);
7485 SSL_CTX_set0_CA_list(cctx, sk2);
7488 if (tst == 1 || tst == 2) {
7489 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7490 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
7491 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
7492 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7493 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
7494 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
7497 SSL_CTX_set_client_CA_list(sctx, sk1);
7498 SSL_CTX_set_client_CA_list(cctx, sk2);
7502 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7504 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7509 * We only expect certificate authorities to have been sent to the server
7510 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
7512 sktmp = SSL_get0_peer_CA_list(serverssl);
7513 if (prot == TLS1_3_VERSION
7514 && (tst == 0 || tst == 1)) {
7515 if (!TEST_ptr(sktmp)
7516 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7517 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7519 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7522 } else if (!TEST_ptr_null(sktmp)) {
7527 * In all tests we expect certificate authorities to have been sent to the
7528 * client. However, SSL_set_client_CA_list() should override
7529 * SSL_set0_CA_list()
7531 sktmp = SSL_get0_peer_CA_list(clientssl);
7532 if (!TEST_ptr(sktmp)
7533 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7534 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7535 name[tst == 0 ? 0 : 2]), 0)
7536 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7537 name[tst == 0 ? 1 : 3]), 0))
7543 SSL_free(serverssl);
7544 SSL_free(clientssl);
7547 for (i = 0; i < OSSL_NELEM(name); i++)
7548 X509_NAME_free(name[i]);
7549 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
7550 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
7556 static int test_ca_names(int tst)
7560 #ifndef OPENSSL_NO_TLS1_2
7561 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
7563 #ifndef OPENSSL_NO_TLS1_3
7564 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
7570 #ifndef OPENSSL_NO_TLS1_2
7571 static const char *multiblock_cipherlist_data[]=
7579 /* Reduce the fragment size - so the multiblock test buffer can be small */
7580 # define MULTIBLOCK_FRAGSIZE 512
7582 static int test_multiblock_write(int test_index)
7584 static const char *fetchable_ciphers[]=
7586 "AES-128-CBC-HMAC-SHA1",
7587 "AES-128-CBC-HMAC-SHA256",
7588 "AES-256-CBC-HMAC-SHA1",
7589 "AES-256-CBC-HMAC-SHA256"
7591 const char *cipherlist = multiblock_cipherlist_data[test_index];
7592 const SSL_METHOD *smeth = TLS_server_method();
7593 const SSL_METHOD *cmeth = TLS_client_method();
7594 int min_version = TLS1_VERSION;
7595 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
7596 SSL_CTX *cctx = NULL, *sctx = NULL;
7597 SSL *clientssl = NULL, *serverssl = NULL;
7601 * Choose a buffer large enough to perform a multi-block operation
7602 * i.e: write_len >= 4 * frag_size
7603 * 9 * is chosen so that multiple multiblocks are used + some leftover.
7605 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
7606 unsigned char buf[sizeof(msg)], *p = buf;
7607 size_t readbytes, written, len;
7608 EVP_CIPHER *ciph = NULL;
7611 * Check if the cipher exists before attempting to use it since it only has
7612 * a hardware specific implementation.
7614 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
7616 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
7619 EVP_CIPHER_free(ciph);
7621 /* Set up a buffer with some data that will be sent to the client */
7622 RAND_bytes(msg, sizeof(msg));
7624 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
7625 max_version, &sctx, &cctx, cert,
7629 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
7632 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7636 /* settings to force it to use AES-CBC-HMAC_SHA */
7637 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
7638 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
7641 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7644 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7645 || !TEST_size_t_eq(written, sizeof(msg)))
7650 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
7655 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
7660 SSL_free(serverssl);
7661 SSL_free(clientssl);
7667 #endif /* OPENSSL_NO_TLS1_2 */
7670 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
7671 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
7672 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
7673 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
7674 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
7675 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
7676 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
7677 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
7678 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
7679 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
7681 static int test_servername(int tst)
7683 SSL_CTX *cctx = NULL, *sctx = NULL;
7684 SSL *clientssl = NULL, *serverssl = NULL;
7686 SSL_SESSION *sess = NULL;
7687 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
7689 #ifdef OPENSSL_NO_TLS1_2
7693 #ifdef OPENSSL_NO_TLS1_3
7698 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7699 TLS_client_method(),
7701 (tst <= 4) ? TLS1_2_VERSION
7703 &sctx, &cctx, cert, privkey))
7704 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7708 if (tst != 1 && tst != 6) {
7709 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
7714 if (tst != 3 && tst != 8) {
7715 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7717 sexpectedhost = cexpectedhost = "goodhost";
7720 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7723 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
7725 || !TEST_str_eq(SSL_get_servername(serverssl,
7726 TLSEXT_NAMETYPE_host_name),
7730 /* Now repeat with a resumption handshake */
7732 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
7733 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
7734 || !TEST_true(SSL_SESSION_is_resumable(sess))
7735 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
7738 SSL_free(clientssl);
7739 SSL_free(serverssl);
7740 clientssl = serverssl = NULL;
7742 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7746 if (!TEST_true(SSL_set_session(clientssl, sess)))
7749 sexpectedhost = cexpectedhost = "goodhost";
7750 if (tst == 2 || tst == 7) {
7751 /* Set an inconsistent hostname */
7752 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
7755 * In TLSv1.2 we expect the hostname from the original handshake, in
7756 * TLSv1.3 we expect the hostname from this handshake
7759 sexpectedhost = cexpectedhost = "altgoodhost";
7761 if (!TEST_str_eq(SSL_get_servername(clientssl,
7762 TLSEXT_NAMETYPE_host_name),
7765 } else if (tst == 4 || tst == 9) {
7767 * A TLSv1.3 session does not associate a session with a servername,
7768 * but a TLSv1.2 session does.
7771 sexpectedhost = cexpectedhost = NULL;
7773 if (!TEST_str_eq(SSL_get_servername(clientssl,
7774 TLSEXT_NAMETYPE_host_name),
7778 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7781 * In a TLSv1.2 resumption where the hostname was not acknowledged
7782 * we expect the hostname on the server to be empty. On the client we
7783 * return what was requested in this case.
7785 * Similarly if the client didn't set a hostname on an original TLSv1.2
7786 * session but is now, the server hostname will be empty, but the client
7789 if (tst == 1 || tst == 3)
7790 sexpectedhost = NULL;
7792 if (!TEST_str_eq(SSL_get_servername(clientssl,
7793 TLSEXT_NAMETYPE_host_name),
7798 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7801 if (!TEST_true(SSL_session_reused(clientssl))
7802 || !TEST_true(SSL_session_reused(serverssl))
7803 || !TEST_str_eq(SSL_get_servername(clientssl,
7804 TLSEXT_NAMETYPE_host_name),
7806 || !TEST_str_eq(SSL_get_servername(serverssl,
7807 TLSEXT_NAMETYPE_host_name),
7814 SSL_SESSION_free(sess);
7815 SSL_free(serverssl);
7816 SSL_free(clientssl);
7823 #if !defined(OPENSSL_NO_EC) \
7824 && (!defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
7826 * Test that if signature algorithms are not available, then we do not offer or
7828 * Test 0: Two RSA sig algs available: both RSA sig algs shared
7829 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
7830 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
7831 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
7832 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
7833 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
7835 static int test_sigalgs_available(int idx)
7837 SSL_CTX *cctx = NULL, *sctx = NULL;
7838 SSL *clientssl = NULL, *serverssl = NULL;
7840 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
7841 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
7842 OSSL_PROVIDER *filterprov = NULL;
7845 if (!TEST_ptr(tmpctx))
7848 if (idx != 0 && idx != 3) {
7849 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
7850 filter_provider_init)))
7853 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
7854 if (!TEST_ptr(filterprov))
7859 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
7860 * or accepted for the peer that uses this libctx. Note that libssl
7861 * *requires* SHA2-256 to be available so we cannot disable that. We
7862 * also need SHA1 for our certificate.
7864 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
7868 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
7870 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
7875 if (idx == 1 || idx == 4)
7881 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
7882 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
7883 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
7886 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7887 TLS_client_method(),
7890 &sctx, &cctx, cert, privkey)))
7893 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
7895 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
7896 "ECDHE-RSA-AES128-GCM-SHA256")))
7899 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
7900 "ECDHE-ECDSA-AES128-GCM-SHA256")))
7905 if (!SSL_CTX_set1_sigalgs_list(cctx,
7906 "rsa_pss_rsae_sha384"
7907 ":rsa_pss_rsae_sha256")
7908 || !SSL_CTX_set1_sigalgs_list(sctx,
7909 "rsa_pss_rsae_sha384"
7910 ":rsa_pss_rsae_sha256"))
7913 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
7914 || !SSL_CTX_set1_sigalgs_list(sctx,
7915 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
7919 if (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
7920 SSL_FILETYPE_PEM), 1)
7921 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
7923 SSL_FILETYPE_PEM), 1)
7924 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
7927 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7931 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7934 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
7935 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
7937 (idx == 0 || idx == 3) ? 2 : 1))
7940 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
7943 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
7950 SSL_free(serverssl);
7951 SSL_free(clientssl);
7954 OSSL_PROVIDER_unload(filterprov);
7955 OSSL_LIB_CTX_free(tmpctx);
7960 * !defined(OPENSSL_NO_EC) \
7961 * && (!defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
7964 #ifndef OPENSSL_NO_TLS1_3
7965 static int test_pluggable_group(int idx)
7967 SSL_CTX *cctx = NULL, *sctx = NULL;
7968 SSL *clientssl = NULL, *serverssl = NULL;
7970 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
7971 /* Check that we are not impacted by a provider without any groups */
7972 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
7973 const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
7975 if (!TEST_ptr(tlsprov) || !TEST_ptr(legacyprov))
7978 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7979 TLS_client_method(),
7982 &sctx, &cctx, cert, privkey))
7983 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7987 if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
7988 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
7991 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7997 SSL_free(serverssl);
7998 SSL_free(clientssl);
8001 OSSL_PROVIDER_unload(tlsprov);
8002 OSSL_PROVIDER_unload(legacyprov);
8008 #ifndef OPENSSL_NO_TLS1_2
8009 static int test_ssl_dup(void)
8011 SSL_CTX *cctx = NULL, *sctx = NULL;
8012 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
8014 BIO *rbio = NULL, *wbio = NULL;
8016 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8017 TLS_client_method(),
8020 &sctx, &cctx, cert, privkey)))
8023 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8027 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
8028 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
8031 client2ssl = SSL_dup(clientssl);
8032 rbio = SSL_get_rbio(clientssl);
8034 || !TEST_true(BIO_up_ref(rbio)))
8036 SSL_set0_rbio(client2ssl, rbio);
8039 wbio = SSL_get_wbio(clientssl);
8040 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
8042 SSL_set0_wbio(client2ssl, wbio);
8045 if (!TEST_ptr(client2ssl)
8046 /* Handshake not started so pointers should be different */
8047 || !TEST_ptr_ne(clientssl, client2ssl))
8050 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
8051 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
8054 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
8057 SSL_free(clientssl);
8058 clientssl = SSL_dup(client2ssl);
8059 if (!TEST_ptr(clientssl)
8060 /* Handshake has finished so pointers should be the same */
8061 || !TEST_ptr_eq(clientssl, client2ssl))
8067 SSL_free(serverssl);
8068 SSL_free(clientssl);
8069 SSL_free(client2ssl);
8076 # ifndef OPENSSL_NO_DH
8078 static EVP_PKEY *tmp_dh_params = NULL;
8080 /* Helper function for the test_set_tmp_dh() tests */
8081 static EVP_PKEY *get_tmp_dh_params(void)
8083 if (tmp_dh_params == NULL) {
8085 OSSL_PARAM_BLD *tmpl = NULL;
8086 EVP_PKEY_CTX *pctx = NULL;
8087 OSSL_PARAM *params = NULL;
8088 EVP_PKEY *dhpkey = NULL;
8090 p = BN_get_rfc3526_prime_2048(NULL);
8094 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
8096 || !TEST_true(EVP_PKEY_key_fromdata_init(pctx)))
8099 tmpl = OSSL_PARAM_BLD_new();
8101 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
8102 OSSL_PKEY_PARAM_FFC_P,
8104 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
8105 OSSL_PKEY_PARAM_FFC_G,
8109 params = OSSL_PARAM_BLD_to_param(tmpl);
8110 if (!TEST_ptr(params)
8111 || !TEST_true(EVP_PKEY_fromdata(pctx, &dhpkey, params)))
8114 tmp_dh_params = dhpkey;
8117 EVP_PKEY_CTX_free(pctx);
8118 OSSL_PARAM_BLD_free(tmpl);
8119 OSSL_PARAM_BLD_free_params(params);
8122 if (!EVP_PKEY_up_ref(tmp_dh_params))
8125 return tmp_dh_params;
8128 # ifndef OPENSSL_NO_DEPRECATED
8129 /* Callback used by test_set_tmp_dh() */
8130 static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
8132 EVP_PKEY *dhpkey = get_tmp_dh_params();
8135 if (!TEST_ptr(dhpkey))
8138 ret = EVP_PKEY_get0_DH(dhpkey);
8140 EVP_PKEY_free(dhpkey);
8147 * Test the various methods for setting temporary DH parameters
8149 * Test 0: Default (no auto) setting
8150 * Test 1: Explicit SSL_CTX auto off
8151 * Test 2: Explicit SSL auto off
8152 * Test 3: Explicit SSL_CTX auto on
8153 * Test 4: Explicit SSL auto on
8154 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
8155 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
8157 * The following are testing deprecated APIs, so we only run them if available
8158 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
8159 * Test 8: Explicit SSL auto off, custom DH params via DH
8160 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
8161 * Test 10: Explicit SSL auto off, custom DH params via callback
8163 static int test_set_tmp_dh(int idx)
8165 SSL_CTX *cctx = NULL, *sctx = NULL;
8166 SSL *clientssl = NULL, *serverssl = NULL;
8168 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
8169 int expected = (idx <= 2) ? 0 : 1;
8170 EVP_PKEY *dhpkey = NULL;
8171 # ifndef OPENSSL_NO_DEPRECATED_3_0
8179 if (idx >= 5 && idx <= 8) {
8180 dhpkey = get_tmp_dh_params();
8181 if (!TEST_ptr(dhpkey))
8184 # ifndef OPENSSL_NO_DEPRECATED_3_0
8185 if (idx == 7 || idx == 8) {
8186 dh = EVP_PKEY_get0_DH(dhpkey);
8192 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8193 TLS_client_method(),
8196 &sctx, &cctx, cert, privkey)))
8199 if ((idx & 1) == 1) {
8200 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
8205 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
8209 # ifndef OPENSSL_NO_DEPRECATED_3_0
8210 else if (idx == 7) {
8211 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
8213 } else if (idx == 9) {
8214 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
8218 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8222 if ((idx & 1) == 0 && idx != 0) {
8223 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
8227 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
8231 # ifndef OPENSSL_NO_DEPRECATED_3_0
8232 else if (idx == 8) {
8233 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
8235 } else if (idx == 10) {
8236 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
8240 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
8241 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
8242 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
8246 * If autoon then we should succeed. Otherwise we expect failure because
8247 * there are no parameters
8249 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
8250 SSL_ERROR_NONE), expected))
8256 SSL_free(serverssl);
8257 SSL_free(clientssl);
8260 EVP_PKEY_free(dhpkey);
8266 * Test the auto DH keys are appropriately sized
8268 static int test_dh_auto(int idx)
8270 SSL_CTX *cctx = NULL, *sctx = NULL;
8271 SSL *clientssl = NULL, *serverssl = NULL;
8273 EVP_PKEY *tmpkey = NULL;
8274 char *thiscert = NULL, *thiskey = NULL;
8275 size_t expdhsize = 0;
8276 const char *ciphersuite = "DHE-RSA-AES128-SHA";
8280 /* The FIPS provider doesn't support this DH size - so we ignore it */
8283 thiscert = cert1024;
8284 thiskey = privkey1024;
8288 /* 2048 bit prime */
8294 thiscert = cert3072;
8295 thiskey = privkey3072;
8299 thiscert = cert4096;
8300 thiskey = privkey4096;
8304 thiscert = cert8192;
8305 thiskey = privkey8192;
8308 /* No certificate cases */
8310 /* The FIPS provider doesn't support this DH size - so we ignore it */
8313 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
8317 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
8321 TEST_error("Invalid text index");
8325 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8326 TLS_client_method(),
8329 &sctx, &cctx, thiscert, thiskey)))
8332 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8336 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
8337 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
8338 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
8339 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
8340 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
8344 * Send the server's first flight. At this point the server has created the
8345 * temporary DH key but hasn't finished using it yet. Once used it is
8346 * removed, so we cannot test it.
8348 if (!TEST_int_le(SSL_connect(clientssl), 0)
8349 || !TEST_int_le(SSL_accept(serverssl), 0))
8352 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
8354 if (!TEST_size_t_eq(EVP_PKEY_bits(tmpkey), expdhsize))
8357 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8363 SSL_free(serverssl);
8364 SSL_free(clientssl);
8367 EVP_PKEY_free(tmpkey);
8372 # endif /* OPENSSL_NO_DH */
8373 #endif /* OPENSSL_NO_TLS1_2 */
8375 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
8377 int setup_tests(void)
8382 libctx = OSSL_LIB_CTX_new();
8383 if (!TEST_ptr(libctx))
8386 defctxnull = OSSL_PROVIDER_load(NULL, "null");
8389 * Verify that the default and fips providers in the default libctx are not
8392 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
8393 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
8396 if (!test_skip_common_options()) {
8397 TEST_error("Error parsing test options\n");
8401 if (!TEST_ptr(certsdir = test_get_argument(0))
8402 || !TEST_ptr(srpvfile = test_get_argument(1))
8403 || !TEST_ptr(tmpfilename = test_get_argument(2))
8404 || !TEST_ptr(modulename = test_get_argument(3))
8405 || !TEST_ptr(configfile = test_get_argument(4)))
8408 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
8411 /* Check we have the expected provider available */
8412 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
8415 /* Check the default provider is not available */
8416 if (strcmp(modulename, "default") != 0
8417 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
8420 if (strcmp(modulename, "fips") == 0)
8424 * We add, but don't load the test "tls-provider". We'll load it when we
8427 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
8428 tls_provider_init)))
8432 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
8433 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
8434 TEST_error("not supported in this build");
8437 int i, mcount, rcount, fcount;
8439 for (i = 0; i < 4; i++)
8440 test_export_key_mat(i);
8441 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
8442 test_printf_stdout("malloc %d realloc %d free %d\n",
8443 mcount, rcount, fcount);
8448 cert = test_mk_file_path(certsdir, "servercert.pem");
8452 privkey = test_mk_file_path(certsdir, "serverkey.pem");
8453 if (privkey == NULL)
8456 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8460 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8461 if (privkey2 == NULL)
8464 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
8465 if (cert1024 == NULL)
8468 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
8469 if (privkey1024 == NULL)
8472 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
8473 if (cert3072 == NULL)
8476 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
8477 if (privkey3072 == NULL)
8480 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
8481 if (cert4096 == NULL)
8484 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
8485 if (privkey4096 == NULL)
8488 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
8489 if (cert8192 == NULL)
8492 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
8493 if (privkey8192 == NULL)
8496 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
8497 # if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
8498 ADD_ALL_TESTS(test_ktls, 32);
8499 ADD_ALL_TESTS(test_ktls_sendfile_anytls, 6);
8502 ADD_TEST(test_large_message_tls);
8503 ADD_TEST(test_large_message_tls_read_ahead);
8504 #ifndef OPENSSL_NO_DTLS
8505 ADD_TEST(test_large_message_dtls);
8507 ADD_TEST(test_cleanse_plaintext);
8508 #ifndef OPENSSL_NO_OCSP
8509 ADD_TEST(test_tlsext_status_type);
8511 ADD_TEST(test_session_with_only_int_cache);
8512 ADD_TEST(test_session_with_only_ext_cache);
8513 ADD_TEST(test_session_with_both_cache);
8514 ADD_TEST(test_session_wo_ca_names);
8515 #ifndef OPENSSL_NO_TLS1_3
8516 ADD_ALL_TESTS(test_stateful_tickets, 3);
8517 ADD_ALL_TESTS(test_stateless_tickets, 3);
8518 ADD_TEST(test_psk_tickets);
8519 ADD_ALL_TESTS(test_extra_tickets, 6);
8521 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
8522 ADD_TEST(test_ssl_bio_pop_next_bio);
8523 ADD_TEST(test_ssl_bio_pop_ssl_bio);
8524 ADD_TEST(test_ssl_bio_change_rbio);
8525 ADD_TEST(test_ssl_bio_change_wbio);
8526 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
8527 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
8528 ADD_TEST(test_keylog);
8530 #ifndef OPENSSL_NO_TLS1_3
8531 ADD_TEST(test_keylog_no_master_key);
8533 #ifndef OPENSSL_NO_TLS1_2
8534 ADD_TEST(test_client_hello_cb);
8535 ADD_TEST(test_no_ems);
8536 ADD_TEST(test_ccs_change_cipher);
8538 #ifndef OPENSSL_NO_TLS1_3
8539 ADD_ALL_TESTS(test_early_data_read_write, 3);
8541 * We don't do replay tests for external PSK. Replay protection isn't used
8544 ADD_ALL_TESTS(test_early_data_replay, 2);
8545 ADD_ALL_TESTS(test_early_data_skip, 3);
8546 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
8547 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
8548 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
8549 ADD_ALL_TESTS(test_early_data_not_sent, 3);
8550 ADD_ALL_TESTS(test_early_data_psk, 8);
8551 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
8552 ADD_ALL_TESTS(test_early_data_not_expected, 3);
8553 # ifndef OPENSSL_NO_TLS1_2
8554 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
8557 #ifndef OPENSSL_NO_TLS1_3
8558 ADD_ALL_TESTS(test_set_ciphersuite, 10);
8559 ADD_TEST(test_ciphersuite_change);
8560 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
8561 # ifdef OPENSSL_NO_PSK
8562 ADD_ALL_TESTS(test_tls13_psk, 1);
8564 ADD_ALL_TESTS(test_tls13_psk, 4);
8565 # endif /* OPENSSL_NO_PSK */
8566 # ifndef OPENSSL_NO_TLS1_2
8567 /* Test with both TLSv1.3 and 1.2 versions */
8568 ADD_ALL_TESTS(test_key_exchange, 14);
8570 /* Test with only TLSv1.3 versions */
8571 ADD_ALL_TESTS(test_key_exchange, 12);
8573 ADD_ALL_TESTS(test_custom_exts, 5);
8574 ADD_TEST(test_stateless);
8575 ADD_TEST(test_pha_key_update);
8577 ADD_ALL_TESTS(test_custom_exts, 3);
8579 ADD_ALL_TESTS(test_serverinfo, 8);
8580 ADD_ALL_TESTS(test_export_key_mat, 6);
8581 #ifndef OPENSSL_NO_TLS1_3
8582 ADD_ALL_TESTS(test_export_key_mat_early, 3);
8583 ADD_TEST(test_key_update);
8584 ADD_ALL_TESTS(test_key_update_in_write, 2);
8586 ADD_ALL_TESTS(test_ssl_clear, 2);
8587 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
8588 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
8589 ADD_ALL_TESTS(test_srp, 6);
8591 ADD_ALL_TESTS(test_info_callback, 6);
8592 ADD_ALL_TESTS(test_ssl_pending, 2);
8593 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
8594 ADD_ALL_TESTS(test_ticket_callbacks, 16);
8595 ADD_ALL_TESTS(test_shutdown, 7);
8596 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
8597 ADD_ALL_TESTS(test_cert_cb, 6);
8598 ADD_ALL_TESTS(test_client_cert_cb, 2);
8599 ADD_ALL_TESTS(test_ca_names, 3);
8600 #ifndef OPENSSL_NO_TLS1_2
8601 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
8603 ADD_ALL_TESTS(test_servername, 10);
8604 #if !defined(OPENSSL_NO_EC) \
8605 && (!defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
8606 ADD_ALL_TESTS(test_sigalgs_available, 6);
8608 #ifndef OPENSSL_NO_TLS1_3
8609 ADD_ALL_TESTS(test_pluggable_group, 2);
8611 #ifndef OPENSSL_NO_TLS1_2
8612 ADD_TEST(test_ssl_dup);
8613 # ifndef OPENSSL_NO_DH
8614 ADD_ALL_TESTS(test_set_tmp_dh, 11);
8615 ADD_ALL_TESTS(test_dh_auto, 7);
8622 OPENSSL_free(privkey);
8623 OPENSSL_free(cert2);
8624 OPENSSL_free(privkey2);
8628 void cleanup_tests(void)
8630 # ifndef OPENSSL_NO_DH
8631 EVP_PKEY_free(tmp_dh_params);
8634 OPENSSL_free(privkey);
8635 OPENSSL_free(cert2);
8636 OPENSSL_free(privkey2);
8637 OPENSSL_free(cert1024);
8638 OPENSSL_free(privkey1024);
8639 OPENSSL_free(cert3072);
8640 OPENSSL_free(privkey3072);
8641 OPENSSL_free(cert4096);
8642 OPENSSL_free(privkey4096);
8643 OPENSSL_free(cert8192);
8644 OPENSSL_free(privkey8192);
8645 bio_s_mempacket_test_free();
8646 bio_s_always_retry_free();
8647 OSSL_PROVIDER_unload(defctxnull);
8648 OSSL_LIB_CTX_free(libctx);