2 * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/core_dispatch.h>
32 #include <openssl/provider.h>
33 #include <openssl/param_build.h>
34 #include <openssl/x509v3.h>
36 #include "helpers/ssltestlib.h"
38 #include "testutil/output.h"
39 #include "internal/nelem.h"
40 #include "internal/ktls.h"
41 #include "../ssl/ssl_local.h"
42 #include "filterprov.h"
44 #undef OSSL_NO_USABLE_TLS1_3
45 #if defined(OPENSSL_NO_TLS1_3) \
46 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
48 * If we don't have ec or dh then there are no built-in groups that are usable
51 # define OSSL_NO_USABLE_TLS1_3
54 /* Defined in tls-provider.c */
55 int tls_provider_init(const OSSL_CORE_HANDLE *handle,
56 const OSSL_DISPATCH *in,
57 const OSSL_DISPATCH **out,
60 static OSSL_LIB_CTX *libctx = NULL;
61 static OSSL_PROVIDER *defctxnull = NULL;
63 #ifndef OSSL_NO_USABLE_TLS1_3
65 static SSL_SESSION *clientpsk = NULL;
66 static SSL_SESSION *serverpsk = NULL;
67 static const char *pskid = "Identity";
68 static const char *srvid;
70 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
71 size_t *idlen, SSL_SESSION **sess);
72 static int find_session_cb(SSL *ssl, const unsigned char *identity,
73 size_t identity_len, SSL_SESSION **sess);
75 static int use_session_cb_cnt = 0;
76 static int find_session_cb_cnt = 0;
78 static SSL_SESSION *create_a_psk(SSL *ssl);
81 static char *certsdir = NULL;
82 static char *cert = NULL;
83 static char *privkey = NULL;
84 static char *cert2 = NULL;
85 static char *privkey2 = NULL;
86 static char *cert1024 = NULL;
87 static char *privkey1024 = NULL;
88 static char *cert3072 = NULL;
89 static char *privkey3072 = NULL;
90 static char *cert4096 = NULL;
91 static char *privkey4096 = NULL;
92 static char *cert8192 = NULL;
93 static char *privkey8192 = NULL;
94 static char *srpvfile = NULL;
95 static char *tmpfilename = NULL;
97 static int is_fips = 0;
99 #define LOG_BUFFER_SIZE 2048
100 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
101 static size_t server_log_buffer_index = 0;
102 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
103 static size_t client_log_buffer_index = 0;
104 static int error_writing_log = 0;
106 #ifndef OPENSSL_NO_OCSP
107 static const unsigned char orespder[] = "Dummy OCSP Response";
108 static int ocsp_server_called = 0;
109 static int ocsp_client_called = 0;
111 static int cdummyarg = 1;
112 static X509 *ocspcert = NULL;
115 #define NUM_EXTRA_CERTS 40
116 #define CLIENT_VERSION_LEN 2
119 * This structure is used to validate that the correct number of log messages
120 * of various types are emitted when emitting secret logs.
122 struct sslapitest_log_counts {
123 unsigned int rsa_key_exchange_count;
124 unsigned int master_secret_count;
125 unsigned int client_early_secret_count;
126 unsigned int client_handshake_secret_count;
127 unsigned int server_handshake_secret_count;
128 unsigned int client_application_secret_count;
129 unsigned int server_application_secret_count;
130 unsigned int early_exporter_secret_count;
131 unsigned int exporter_secret_count;
135 static unsigned char serverinfov1[] = {
136 0xff, 0xff, /* Dummy extension type */
137 0x00, 0x01, /* Extension length is 1 byte */
138 0xff /* Dummy extension data */
141 static unsigned char serverinfov2[] = {
143 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
144 0xff, 0xff, /* Dummy extension type */
145 0x00, 0x01, /* Extension length is 1 byte */
146 0xff /* Dummy extension data */
149 static int hostname_cb(SSL *s, int *al, void *arg)
151 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
153 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
154 || strcmp(hostname, "altgoodhost") == 0))
155 return SSL_TLSEXT_ERR_OK;
157 return SSL_TLSEXT_ERR_NOACK;
160 static void client_keylog_callback(const SSL *ssl, const char *line)
162 int line_length = strlen(line);
164 /* If the log doesn't fit, error out. */
165 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
166 TEST_info("Client log too full");
167 error_writing_log = 1;
171 strcat(client_log_buffer, line);
172 client_log_buffer_index += line_length;
173 client_log_buffer[client_log_buffer_index++] = '\n';
176 static void server_keylog_callback(const SSL *ssl, const char *line)
178 int line_length = strlen(line);
180 /* If the log doesn't fit, error out. */
181 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
182 TEST_info("Server log too full");
183 error_writing_log = 1;
187 strcat(server_log_buffer, line);
188 server_log_buffer_index += line_length;
189 server_log_buffer[server_log_buffer_index++] = '\n';
192 static int compare_hex_encoded_buffer(const char *hex_encoded,
200 if (!TEST_size_t_eq(raw_length * 2, hex_length))
203 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
204 sprintf(hexed, "%02x", raw[i]);
205 if (!TEST_int_eq(hexed[0], hex_encoded[j])
206 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
213 static int test_keylog_output(char *buffer, const SSL *ssl,
214 const SSL_SESSION *session,
215 struct sslapitest_log_counts *expected)
218 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
219 size_t client_random_size = SSL3_RANDOM_SIZE;
220 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
221 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
222 unsigned int rsa_key_exchange_count = 0;
223 unsigned int master_secret_count = 0;
224 unsigned int client_early_secret_count = 0;
225 unsigned int client_handshake_secret_count = 0;
226 unsigned int server_handshake_secret_count = 0;
227 unsigned int client_application_secret_count = 0;
228 unsigned int server_application_secret_count = 0;
229 unsigned int early_exporter_secret_count = 0;
230 unsigned int exporter_secret_count = 0;
232 for (token = strtok(buffer, " \n"); token != NULL;
233 token = strtok(NULL, " \n")) {
234 if (strcmp(token, "RSA") == 0) {
236 * Premaster secret. Tokens should be: 16 ASCII bytes of
237 * hex-encoded encrypted secret, then the hex-encoded pre-master
240 if (!TEST_ptr(token = strtok(NULL, " \n")))
242 if (!TEST_size_t_eq(strlen(token), 16))
244 if (!TEST_ptr(token = strtok(NULL, " \n")))
247 * We can't sensibly check the log because the premaster secret is
248 * transient, and OpenSSL doesn't keep hold of it once the master
249 * secret is generated.
251 rsa_key_exchange_count++;
252 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
254 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
255 * client random, then the hex-encoded master secret.
257 client_random_size = SSL_get_client_random(ssl,
258 actual_client_random,
260 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
263 if (!TEST_ptr(token = strtok(NULL, " \n")))
265 if (!TEST_size_t_eq(strlen(token), 64))
267 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
268 actual_client_random,
269 client_random_size)))
272 if (!TEST_ptr(token = strtok(NULL, " \n")))
274 master_key_size = SSL_SESSION_get_master_key(session,
277 if (!TEST_size_t_ne(master_key_size, 0))
279 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
283 master_secret_count++;
284 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
285 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
286 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
287 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
288 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
289 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
290 || strcmp(token, "EXPORTER_SECRET") == 0) {
292 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
293 * client random, and then the hex-encoded secret. In this case,
294 * we treat all of these secrets identically and then just
295 * distinguish between them when counting what we saw.
297 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
298 client_early_secret_count++;
299 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
300 client_handshake_secret_count++;
301 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
302 server_handshake_secret_count++;
303 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
304 client_application_secret_count++;
305 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
306 server_application_secret_count++;
307 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
308 early_exporter_secret_count++;
309 else if (strcmp(token, "EXPORTER_SECRET") == 0)
310 exporter_secret_count++;
312 client_random_size = SSL_get_client_random(ssl,
313 actual_client_random,
315 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
318 if (!TEST_ptr(token = strtok(NULL, " \n")))
320 if (!TEST_size_t_eq(strlen(token), 64))
322 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
323 actual_client_random,
324 client_random_size)))
327 if (!TEST_ptr(token = strtok(NULL, " \n")))
330 TEST_info("Unexpected token %s\n", token);
335 /* Got what we expected? */
336 if (!TEST_size_t_eq(rsa_key_exchange_count,
337 expected->rsa_key_exchange_count)
338 || !TEST_size_t_eq(master_secret_count,
339 expected->master_secret_count)
340 || !TEST_size_t_eq(client_early_secret_count,
341 expected->client_early_secret_count)
342 || !TEST_size_t_eq(client_handshake_secret_count,
343 expected->client_handshake_secret_count)
344 || !TEST_size_t_eq(server_handshake_secret_count,
345 expected->server_handshake_secret_count)
346 || !TEST_size_t_eq(client_application_secret_count,
347 expected->client_application_secret_count)
348 || !TEST_size_t_eq(server_application_secret_count,
349 expected->server_application_secret_count)
350 || !TEST_size_t_eq(early_exporter_secret_count,
351 expected->early_exporter_secret_count)
352 || !TEST_size_t_eq(exporter_secret_count,
353 expected->exporter_secret_count))
358 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
359 static int test_keylog(void)
361 SSL_CTX *cctx = NULL, *sctx = NULL;
362 SSL *clientssl = NULL, *serverssl = NULL;
364 struct sslapitest_log_counts expected;
366 /* Clean up logging space */
367 memset(&expected, 0, sizeof(expected));
368 memset(client_log_buffer, 0, sizeof(client_log_buffer));
369 memset(server_log_buffer, 0, sizeof(server_log_buffer));
370 client_log_buffer_index = 0;
371 server_log_buffer_index = 0;
372 error_writing_log = 0;
374 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
377 &sctx, &cctx, cert, privkey)))
380 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
381 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
382 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
384 /* We also want to ensure that we use RSA-based key exchange. */
385 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
388 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
389 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
391 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
392 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
393 == client_keylog_callback))
395 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
396 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
397 == server_keylog_callback))
400 /* Now do a handshake and check that the logs have been written to. */
401 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
402 &clientssl, NULL, NULL))
403 || !TEST_true(create_ssl_connection(serverssl, clientssl,
405 || !TEST_false(error_writing_log)
406 || !TEST_int_gt(client_log_buffer_index, 0)
407 || !TEST_int_gt(server_log_buffer_index, 0))
411 * Now we want to test that our output data was vaguely sensible. We
412 * do that by using strtok and confirming that we have more or less the
413 * data we expect. For both client and server, we expect to see one master
414 * secret. The client should also see a RSA key exchange.
416 expected.rsa_key_exchange_count = 1;
417 expected.master_secret_count = 1;
418 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
419 SSL_get_session(clientssl), &expected)))
422 expected.rsa_key_exchange_count = 0;
423 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
424 SSL_get_session(serverssl), &expected)))
439 #ifndef OSSL_NO_USABLE_TLS1_3
440 static int test_keylog_no_master_key(void)
442 SSL_CTX *cctx = NULL, *sctx = NULL;
443 SSL *clientssl = NULL, *serverssl = NULL;
444 SSL_SESSION *sess = NULL;
446 struct sslapitest_log_counts expected;
447 unsigned char buf[1];
448 size_t readbytes, written;
450 /* Clean up logging space */
451 memset(&expected, 0, sizeof(expected));
452 memset(client_log_buffer, 0, sizeof(client_log_buffer));
453 memset(server_log_buffer, 0, sizeof(server_log_buffer));
454 client_log_buffer_index = 0;
455 server_log_buffer_index = 0;
456 error_writing_log = 0;
458 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
459 TLS_client_method(), TLS1_VERSION, 0,
460 &sctx, &cctx, cert, privkey))
461 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
462 SSL3_RT_MAX_PLAIN_LENGTH)))
465 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
466 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
469 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
470 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
471 == client_keylog_callback))
474 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
475 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
476 == server_keylog_callback))
479 /* Now do a handshake and check that the logs have been written to. */
480 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
481 &clientssl, NULL, NULL))
482 || !TEST_true(create_ssl_connection(serverssl, clientssl,
484 || !TEST_false(error_writing_log))
488 * Now we want to test that our output data was vaguely sensible. For this
489 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
490 * TLSv1.3, but we do expect both client and server to emit keys.
492 expected.client_handshake_secret_count = 1;
493 expected.server_handshake_secret_count = 1;
494 expected.client_application_secret_count = 1;
495 expected.server_application_secret_count = 1;
496 expected.exporter_secret_count = 1;
497 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
498 SSL_get_session(clientssl), &expected))
499 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
500 SSL_get_session(serverssl),
504 /* Terminate old session and resume with early data. */
505 sess = SSL_get1_session(clientssl);
506 SSL_shutdown(clientssl);
507 SSL_shutdown(serverssl);
510 serverssl = clientssl = NULL;
513 memset(client_log_buffer, 0, sizeof(client_log_buffer));
514 memset(server_log_buffer, 0, sizeof(server_log_buffer));
515 client_log_buffer_index = 0;
516 server_log_buffer_index = 0;
518 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
519 &clientssl, NULL, NULL))
520 || !TEST_true(SSL_set_session(clientssl, sess))
521 /* Here writing 0 length early data is enough. */
522 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
523 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
525 SSL_READ_EARLY_DATA_ERROR)
526 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
527 SSL_EARLY_DATA_ACCEPTED)
528 || !TEST_true(create_ssl_connection(serverssl, clientssl,
530 || !TEST_true(SSL_session_reused(clientssl)))
533 /* In addition to the previous entries, expect early secrets. */
534 expected.client_early_secret_count = 1;
535 expected.early_exporter_secret_count = 1;
536 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
537 SSL_get_session(clientssl), &expected))
538 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
539 SSL_get_session(serverssl),
546 SSL_SESSION_free(sess);
556 static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
558 int res = X509_verify_cert(ctx);
560 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
561 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
562 return -1; /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
566 static int test_client_cert_verify_cb(void)
568 /* server key, cert, chain, and root */
569 char *skey = test_mk_file_path(certsdir, "leaf.key");
570 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
571 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
572 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
573 char *root = test_mk_file_path(certsdir, "rootCA.pem");
574 X509 *crt1 = NULL, *crt2 = NULL;
575 STACK_OF(X509) *server_chain;
576 SSL_CTX *cctx = NULL, *sctx = NULL;
577 SSL *clientssl = NULL, *serverssl = NULL;
580 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
581 TLS_client_method(), TLS1_VERSION, 0,
582 &sctx, &cctx, NULL, NULL)))
584 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
585 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
586 SSL_FILETYPE_PEM), 1)
587 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
589 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
591 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
592 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
593 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
594 &clientssl, NULL, NULL)))
597 /* attempt SSL_connect() with incomplete server chain */
598 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
599 SSL_ERROR_WANT_RETRY_VERIFY)))
602 /* application provides intermediate certs needed to verify server cert */
603 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
604 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
605 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
607 /* add certs in reverse order to demonstrate real chain building */
608 if (!TEST_true(sk_X509_push(server_chain, crt1)))
611 if (!TEST_true(sk_X509_push(server_chain, crt2)))
615 /* continue SSL_connect(), must now succeed with completed server chain */
616 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
625 if (clientssl != NULL) {
626 SSL_shutdown(clientssl);
629 if (serverssl != NULL) {
630 SSL_shutdown(serverssl);
645 static int test_ssl_build_cert_chain(void)
648 SSL_CTX *ssl_ctx = NULL;
650 char *skey = test_mk_file_path(certsdir, "leaf.key");
651 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
653 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
655 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
657 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
658 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
659 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
660 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
662 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
663 | SSL_BUILD_CHAIN_FLAG_CHECK)))
668 SSL_CTX_free(ssl_ctx);
669 OPENSSL_free(leaf_chain);
674 static int test_ssl_ctx_build_cert_chain(void)
678 char *skey = test_mk_file_path(certsdir, "leaf.key");
679 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
681 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
683 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
684 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
685 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
686 SSL_FILETYPE_PEM), 1)
687 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
689 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
690 | SSL_BUILD_CHAIN_FLAG_CHECK)))
695 OPENSSL_free(leaf_chain);
700 #ifndef OPENSSL_NO_TLS1_2
701 static int full_client_hello_callback(SSL *s, int *al, void *arg)
704 const unsigned char *p;
706 /* We only configure two ciphers, but the SCSV is added automatically. */
708 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
710 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
713 const int expected_extensions[] = {
714 #ifndef OPENSSL_NO_EC
720 /* Make sure we can defer processing and get called back. */
722 return SSL_CLIENT_HELLO_RETRY;
724 len = SSL_client_hello_get0_ciphers(s, &p);
725 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
727 SSL_client_hello_get0_compression_methods(s, &p), 1)
728 || !TEST_int_eq(*p, 0))
729 return SSL_CLIENT_HELLO_ERROR;
730 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
731 return SSL_CLIENT_HELLO_ERROR;
732 if (len != OSSL_NELEM(expected_extensions) ||
733 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
734 printf("ClientHello callback expected extensions mismatch\n");
736 return SSL_CLIENT_HELLO_ERROR;
739 return SSL_CLIENT_HELLO_SUCCESS;
742 static int test_client_hello_cb(void)
744 SSL_CTX *cctx = NULL, *sctx = NULL;
745 SSL *clientssl = NULL, *serverssl = NULL;
746 int testctr = 0, testresult = 0;
748 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
749 TLS_client_method(), TLS1_VERSION, 0,
750 &sctx, &cctx, cert, privkey)))
752 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
754 /* The gimpy cipher list we configure can't do TLS 1.3. */
755 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
757 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
758 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
759 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
760 &clientssl, NULL, NULL))
761 || !TEST_false(create_ssl_connection(serverssl, clientssl,
762 SSL_ERROR_WANT_CLIENT_HELLO_CB))
764 * Passing a -1 literal is a hack since
765 * the real value was lost.
767 || !TEST_int_eq(SSL_get_error(serverssl, -1),
768 SSL_ERROR_WANT_CLIENT_HELLO_CB)
769 || !TEST_true(create_ssl_connection(serverssl, clientssl,
784 static int test_no_ems(void)
786 SSL_CTX *cctx = NULL, *sctx = NULL;
787 SSL *clientssl = NULL, *serverssl = NULL;
790 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
791 TLS1_VERSION, TLS1_2_VERSION,
792 &sctx, &cctx, cert, privkey)) {
793 printf("Unable to create SSL_CTX pair\n");
797 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
799 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
800 printf("Unable to create SSL objects\n");
804 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
805 printf("Creating SSL connection failed\n");
809 if (SSL_get_extms_support(serverssl)) {
810 printf("Server reports Extended Master Secret support\n");
814 if (SSL_get_extms_support(clientssl)) {
815 printf("Client reports Extended Master Secret support\n");
830 * Very focused test to exercise a single case in the server-side state
831 * machine, when the ChangeCipherState message needs to actually change
832 * from one cipher to a different cipher (i.e., not changing from null
833 * encryption to real encryption).
835 static int test_ccs_change_cipher(void)
837 SSL_CTX *cctx = NULL, *sctx = NULL;
838 SSL *clientssl = NULL, *serverssl = NULL;
839 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
846 * Create a conection so we can resume and potentially (but not) use
847 * a different cipher in the second connection.
849 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
851 TLS1_VERSION, TLS1_2_VERSION,
852 &sctx, &cctx, cert, privkey))
853 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
854 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
856 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
857 || !TEST_true(create_ssl_connection(serverssl, clientssl,
859 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
860 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
863 shutdown_ssl_connection(serverssl, clientssl);
864 serverssl = clientssl = NULL;
866 /* Resume, preferring a different cipher. Our server will force the
867 * same cipher to be used as the initial handshake. */
868 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
870 || !TEST_true(SSL_set_session(clientssl, sess))
871 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
872 || !TEST_true(create_ssl_connection(serverssl, clientssl,
874 || !TEST_true(SSL_session_reused(clientssl))
875 || !TEST_true(SSL_session_reused(serverssl))
876 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
877 || !TEST_ptr_eq(sesspre, sesspost)
878 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
879 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
881 shutdown_ssl_connection(serverssl, clientssl);
882 serverssl = clientssl = NULL;
885 * Now create a fresh connection and try to renegotiate a different
888 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
890 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
891 || !TEST_true(create_ssl_connection(serverssl, clientssl,
893 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
894 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
895 || !TEST_true(SSL_renegotiate(clientssl))
896 || !TEST_true(SSL_renegotiate_pending(clientssl)))
898 /* Actually drive the renegotiation. */
899 for (i = 0; i < 3; i++) {
900 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
901 if (!TEST_ulong_eq(readbytes, 0))
903 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
904 SSL_ERROR_WANT_READ)) {
907 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
908 if (!TEST_ulong_eq(readbytes, 0))
910 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
911 SSL_ERROR_WANT_READ)) {
915 /* sesspre and sesspost should be different since the cipher changed. */
916 if (!TEST_false(SSL_renegotiate_pending(clientssl))
917 || !TEST_false(SSL_session_reused(clientssl))
918 || !TEST_false(SSL_session_reused(serverssl))
919 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
920 || !TEST_ptr_ne(sesspre, sesspost)
921 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
922 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
925 shutdown_ssl_connection(serverssl, clientssl);
926 serverssl = clientssl = NULL;
935 SSL_SESSION_free(sess);
941 static int execute_test_large_message(const SSL_METHOD *smeth,
942 const SSL_METHOD *cmeth,
943 int min_version, int max_version,
946 SSL_CTX *cctx = NULL, *sctx = NULL;
947 SSL *clientssl = NULL, *serverssl = NULL;
951 X509 *chaincert = NULL;
954 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
957 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
960 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
965 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
966 max_version, &sctx, &cctx, cert,
970 #ifdef OPENSSL_NO_DTLS1_2
971 if (smeth == DTLS_server_method()) {
973 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
976 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
977 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
978 "DEFAULT:@SECLEVEL=0")))
985 * Test that read_ahead works correctly when dealing with large
988 SSL_CTX_set_read_ahead(cctx, 1);
992 * We assume the supplied certificate is big enough so that if we add
993 * NUM_EXTRA_CERTS it will make the overall message large enough. The
994 * default buffer size is requested to be 16k, but due to the way BUF_MEM
995 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
996 * test we need to have a message larger than that.
998 certlen = i2d_X509(chaincert, NULL);
999 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
1000 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
1001 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
1002 if (!X509_up_ref(chaincert))
1004 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
1005 X509_free(chaincert);
1010 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1012 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1017 * Calling SSL_clear() first is not required but this tests that SSL_clear()
1020 if (!TEST_true(SSL_clear(serverssl)))
1026 X509_free(chaincert);
1027 SSL_free(serverssl);
1028 SSL_free(clientssl);
1035 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
1036 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
1037 /* sock must be connected */
1038 static int ktls_chk_platform(int sock)
1040 if (!ktls_enable(sock))
1045 static int ping_pong_query(SSL *clientssl, SSL *serverssl)
1047 static char count = 1;
1048 unsigned char cbuf[16000] = {0};
1049 unsigned char sbuf[16000];
1051 char crec_wseq_before[SEQ_NUM_SIZE];
1052 char crec_wseq_after[SEQ_NUM_SIZE];
1053 char crec_rseq_before[SEQ_NUM_SIZE];
1054 char crec_rseq_after[SEQ_NUM_SIZE];
1055 char srec_wseq_before[SEQ_NUM_SIZE];
1056 char srec_wseq_after[SEQ_NUM_SIZE];
1057 char srec_rseq_before[SEQ_NUM_SIZE];
1058 char srec_rseq_after[SEQ_NUM_SIZE];
1061 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1062 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1063 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1064 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1066 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1069 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1070 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1075 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1078 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1079 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1084 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1085 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1086 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1087 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1089 /* verify the payload */
1090 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1094 * If ktls is used then kernel sequences are used instead of
1097 if (!BIO_get_ktls_send(clientssl->wbio)) {
1098 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1099 crec_wseq_after, SEQ_NUM_SIZE))
1102 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1103 crec_wseq_after, SEQ_NUM_SIZE))
1107 if (!BIO_get_ktls_send(serverssl->wbio)) {
1108 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1109 srec_wseq_after, SEQ_NUM_SIZE))
1112 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1113 srec_wseq_after, SEQ_NUM_SIZE))
1117 if (!BIO_get_ktls_recv(clientssl->wbio)) {
1118 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1119 crec_rseq_after, SEQ_NUM_SIZE))
1122 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1123 crec_rseq_after, SEQ_NUM_SIZE))
1127 if (!BIO_get_ktls_recv(serverssl->wbio)) {
1128 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1129 srec_rseq_after, SEQ_NUM_SIZE))
1132 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1133 srec_rseq_after, SEQ_NUM_SIZE))
1142 static int execute_test_ktls(int cis_ktls, int sis_ktls,
1143 int tls_version, const char *cipher)
1145 SSL_CTX *cctx = NULL, *sctx = NULL;
1146 SSL *clientssl = NULL, *serverssl = NULL;
1147 int ktls_used = 0, testresult = 0;
1148 int cfd = -1, sfd = -1;
1151 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
1154 /* Skip this test if the platform does not support ktls */
1155 if (!ktls_chk_platform(cfd)) {
1156 testresult = TEST_skip("Kernel does not support KTLS");
1160 /* Create a session based on SHA-256 */
1161 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1162 TLS_client_method(),
1163 tls_version, tls_version,
1164 &sctx, &cctx, cert, privkey)))
1167 if (tls_version == TLS1_3_VERSION) {
1168 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1169 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1172 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1173 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1177 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1178 &clientssl, sfd, cfd)))
1182 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
1187 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1191 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1195 * The running kernel may not support a given cipher suite
1196 * or direction, so just check that KTLS isn't used when it
1200 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1203 if (BIO_get_ktls_send(clientssl->wbio))
1208 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1211 if (BIO_get_ktls_send(serverssl->wbio))
1215 #if defined(OPENSSL_NO_KTLS_RX)
1218 rx_supported = (tls_version != TLS1_3_VERSION);
1220 if (!cis_ktls || !rx_supported) {
1221 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1224 if (BIO_get_ktls_send(clientssl->rbio))
1228 if (!sis_ktls || !rx_supported) {
1229 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1232 if (BIO_get_ktls_send(serverssl->rbio))
1236 if ((cis_ktls || sis_ktls) && !ktls_used) {
1237 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1238 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1243 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
1249 SSL_shutdown(clientssl);
1250 SSL_free(clientssl);
1253 SSL_shutdown(serverssl);
1254 SSL_free(serverssl);
1258 serverssl = clientssl = NULL;
1266 #define SENDFILE_SZ (16 * 4096)
1267 #define SENDFILE_CHUNK (4 * 4096)
1268 #define min(a,b) ((a) > (b) ? (b) : (a))
1270 static int execute_test_ktls_sendfile(int tls_version, const char *cipher)
1272 SSL_CTX *cctx = NULL, *sctx = NULL;
1273 SSL *clientssl = NULL, *serverssl = NULL;
1274 unsigned char *buf, *buf_dst;
1275 BIO *out = NULL, *in = NULL;
1276 int cfd = -1, sfd = -1, ffd, err;
1277 ssize_t chunk_size = 0;
1278 off_t chunk_off = 0;
1282 buf = OPENSSL_zalloc(SENDFILE_SZ);
1283 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1284 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1285 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1288 /* Skip this test if the platform does not support ktls */
1289 if (!ktls_chk_platform(sfd)) {
1290 testresult = TEST_skip("Kernel does not support KTLS");
1294 /* Create a session based on SHA-256 */
1295 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1296 TLS_client_method(),
1297 tls_version, tls_version,
1298 &sctx, &cctx, cert, privkey)))
1301 if (tls_version == TLS1_3_VERSION) {
1302 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1303 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1306 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1307 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1311 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1312 &clientssl, sfd, cfd)))
1315 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1318 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1322 if (!BIO_get_ktls_send(serverssl->wbio)) {
1323 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1324 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1329 if (!TEST_true(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0)))
1332 out = BIO_new_file(tmpfilename, "wb");
1336 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1341 in = BIO_new_file(tmpfilename, "rb");
1342 BIO_get_fp(in, &ffdp);
1345 while (chunk_off < SENDFILE_SZ) {
1346 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1347 while ((err = SSL_sendfile(serverssl,
1351 0)) != chunk_size) {
1352 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1355 while ((err = SSL_read(clientssl,
1356 buf_dst + chunk_off,
1357 chunk_size)) != chunk_size) {
1358 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1362 /* verify the payload */
1363 if (!TEST_mem_eq(buf_dst + chunk_off,
1369 chunk_off += chunk_size;
1375 SSL_shutdown(clientssl);
1376 SSL_free(clientssl);
1379 SSL_shutdown(serverssl);
1380 SSL_free(serverssl);
1384 serverssl = clientssl = NULL;
1392 OPENSSL_free(buf_dst);
1396 static struct ktls_test_cipher {
1399 } ktls_test_ciphers[] = {
1400 # if !defined(OPENSSL_NO_TLS1_2)
1401 # ifdef OPENSSL_KTLS_AES_GCM_128
1402 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1404 # ifdef OPENSSL_KTLS_AES_CCM_128
1405 { TLS1_2_VERSION, "AES128-CCM"},
1407 # ifdef OPENSSL_KTLS_AES_GCM_256
1408 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1410 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1411 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
1414 # if !defined(OSSL_NO_USABLE_TLS1_3)
1415 # ifdef OPENSSL_KTLS_AES_GCM_128
1416 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1418 # ifdef OPENSSL_KTLS_AES_CCM_128
1419 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1421 # ifdef OPENSSL_KTLS_AES_GCM_256
1422 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1424 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1425 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1430 #define NUM_KTLS_TEST_CIPHERS \
1431 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1433 static int test_ktls(int test)
1435 struct ktls_test_cipher *cipher;
1436 int cis_ktls, sis_ktls;
1438 OPENSSL_assert(test / 4 < NUM_KTLS_TEST_CIPHERS);
1439 cipher = &ktls_test_ciphers[test / 4];
1441 cis_ktls = (test & 1) != 0;
1442 sis_ktls = (test & 2) != 0;
1444 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1448 static int test_ktls_sendfile(int tst)
1450 struct ktls_test_cipher *cipher;
1452 OPENSSL_assert(tst < NUM_KTLS_TEST_CIPHERS);
1453 cipher = &ktls_test_ciphers[tst];
1455 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher);
1459 static int test_large_message_tls(void)
1461 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1462 TLS1_VERSION, 0, 0);
1465 static int test_large_message_tls_read_ahead(void)
1467 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1468 TLS1_VERSION, 0, 1);
1471 #ifndef OPENSSL_NO_DTLS
1472 static int test_large_message_dtls(void)
1474 # ifdef OPENSSL_NO_DTLS1_2
1475 /* Not supported in the FIPS provider */
1480 * read_ahead is not relevant to DTLS because DTLS always acts as if
1481 * read_ahead is set.
1483 return execute_test_large_message(DTLS_server_method(),
1484 DTLS_client_method(),
1485 DTLS1_VERSION, 0, 0);
1489 static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1490 const SSL_METHOD *cmeth,
1491 int min_version, int max_version)
1494 SSL_CTX *cctx = NULL, *sctx = NULL;
1495 SSL *clientssl = NULL, *serverssl = NULL;
1500 static unsigned char cbuf[16000];
1501 static unsigned char sbuf[16000];
1503 if (!TEST_true(create_ssl_ctx_pair(libctx,
1505 min_version, max_version,
1510 #ifdef OPENSSL_NO_DTLS1_2
1511 if (smeth == DTLS_server_method()) {
1512 # ifdef OPENSSL_NO_DTLS1_2
1513 /* Not supported in the FIPS provider */
1520 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1523 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1524 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1525 "DEFAULT:@SECLEVEL=0")))
1530 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1534 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1537 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1541 for (i = 0; i < sizeof(cbuf); i++) {
1545 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1548 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1551 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1555 * Since we called SSL_peek(), we know the data in the record
1556 * layer is a plaintext record. We can gather the pointer to check
1557 * for zeroization after SSL_read().
1559 rr = serverssl->rlayer.rrec;
1560 zbuf = &rr->data[rr->off];
1561 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1565 * After SSL_peek() the plaintext must still be stored in the
1568 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1571 memset(sbuf, 0, sizeof(sbuf));
1572 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1575 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1578 /* Check if rbuf is cleansed */
1579 memset(cbuf, 0, sizeof(cbuf));
1580 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1585 SSL_free(serverssl);
1586 SSL_free(clientssl);
1593 static int test_cleanse_plaintext(void)
1595 #if !defined(OPENSSL_NO_TLS1_2)
1596 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1597 TLS_client_method(),
1604 #if !defined(OSSL_NO_USABLE_TLS1_3)
1605 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1606 TLS_client_method(),
1612 #if !defined(OPENSSL_NO_DTLS)
1614 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1615 DTLS_client_method(),
1623 #ifndef OPENSSL_NO_OCSP
1624 static int ocsp_server_cb(SSL *s, void *arg)
1626 int *argi = (int *)arg;
1627 unsigned char *copy = NULL;
1628 STACK_OF(OCSP_RESPID) *ids = NULL;
1629 OCSP_RESPID *id = NULL;
1632 /* In this test we are expecting exactly 1 OCSP_RESPID */
1633 SSL_get_tlsext_status_ids(s, &ids);
1634 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1635 return SSL_TLSEXT_ERR_ALERT_FATAL;
1637 id = sk_OCSP_RESPID_value(ids, 0);
1638 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1639 return SSL_TLSEXT_ERR_ALERT_FATAL;
1640 } else if (*argi != 1) {
1641 return SSL_TLSEXT_ERR_ALERT_FATAL;
1644 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1645 return SSL_TLSEXT_ERR_ALERT_FATAL;
1647 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
1648 ocsp_server_called = 1;
1649 return SSL_TLSEXT_ERR_OK;
1652 static int ocsp_client_cb(SSL *s, void *arg)
1654 int *argi = (int *)arg;
1655 const unsigned char *respderin;
1658 if (*argi != 1 && *argi != 2)
1661 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1662 if (!TEST_mem_eq(orespder, len, respderin, len))
1665 ocsp_client_called = 1;
1669 static int test_tlsext_status_type(void)
1671 SSL_CTX *cctx = NULL, *sctx = NULL;
1672 SSL *clientssl = NULL, *serverssl = NULL;
1674 STACK_OF(OCSP_RESPID) *ids = NULL;
1675 OCSP_RESPID *id = NULL;
1676 BIO *certbio = NULL;
1678 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1680 &sctx, &cctx, cert, privkey))
1683 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1686 /* First just do various checks getting and setting tlsext_status_type */
1688 clientssl = SSL_new(cctx);
1689 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1690 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1691 TLSEXT_STATUSTYPE_ocsp))
1692 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1693 TLSEXT_STATUSTYPE_ocsp))
1696 SSL_free(clientssl);
1699 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1700 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1703 clientssl = SSL_new(cctx);
1704 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1706 SSL_free(clientssl);
1710 * Now actually do a handshake and check OCSP information is exchanged and
1711 * the callbacks get called
1713 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1714 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1715 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1716 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1717 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1718 &clientssl, NULL, NULL))
1719 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1721 || !TEST_true(ocsp_client_called)
1722 || !TEST_true(ocsp_server_called))
1724 SSL_free(serverssl);
1725 SSL_free(clientssl);
1729 /* Try again but this time force the server side callback to fail */
1730 ocsp_client_called = 0;
1731 ocsp_server_called = 0;
1733 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1734 &clientssl, NULL, NULL))
1735 /* This should fail because the callback will fail */
1736 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1738 || !TEST_false(ocsp_client_called)
1739 || !TEST_false(ocsp_server_called))
1741 SSL_free(serverssl);
1742 SSL_free(clientssl);
1747 * This time we'll get the client to send an OCSP_RESPID that it will
1750 ocsp_client_called = 0;
1751 ocsp_server_called = 0;
1753 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1754 &clientssl, NULL, NULL)))
1758 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1759 * specific one. We'll use the server cert.
1761 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1762 || !TEST_ptr(id = OCSP_RESPID_new())
1763 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1764 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
1765 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
1766 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1767 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1770 SSL_set_tlsext_status_ids(clientssl, ids);
1771 /* Control has been transferred */
1777 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1779 || !TEST_true(ocsp_client_called)
1780 || !TEST_true(ocsp_server_called))
1786 SSL_free(serverssl);
1787 SSL_free(clientssl);
1790 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1791 OCSP_RESPID_free(id);
1793 X509_free(ocspcert);
1800 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1801 static int new_called, remove_called, get_called;
1803 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1807 * sess has been up-refed for us, but we don't actually need it so free it
1810 SSL_SESSION_free(sess);
1814 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1819 static SSL_SESSION *get_sess_val = NULL;
1821 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1826 return get_sess_val;
1829 static int execute_test_session(int maxprot, int use_int_cache,
1830 int use_ext_cache, long s_options)
1832 SSL_CTX *sctx = NULL, *cctx = NULL;
1833 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1834 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1835 # ifndef OPENSSL_NO_TLS1_1
1836 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1838 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1839 int testresult = 0, numnewsesstick = 1;
1841 new_called = remove_called = 0;
1843 /* TLSv1.3 sends 2 NewSessionTickets */
1844 if (maxprot == TLS1_3_VERSION)
1847 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1848 TLS_client_method(), TLS1_VERSION, 0,
1849 &sctx, &cctx, cert, privkey)))
1853 * Only allow the max protocol version so we can force a connection failure
1856 SSL_CTX_set_min_proto_version(cctx, maxprot);
1857 SSL_CTX_set_max_proto_version(cctx, maxprot);
1859 /* Set up session cache */
1860 if (use_ext_cache) {
1861 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1862 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1864 if (use_int_cache) {
1865 /* Also covers instance where both are set */
1866 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1868 SSL_CTX_set_session_cache_mode(cctx,
1869 SSL_SESS_CACHE_CLIENT
1870 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1874 SSL_CTX_set_options(sctx, s_options);
1877 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1879 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1881 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1884 /* Should fail because it should already be in the cache */
1885 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1888 && (!TEST_int_eq(new_called, numnewsesstick)
1890 || !TEST_int_eq(remove_called, 0)))
1893 new_called = remove_called = 0;
1894 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1895 &clientssl2, NULL, NULL))
1896 || !TEST_true(SSL_set_session(clientssl2, sess1))
1897 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1899 || !TEST_true(SSL_session_reused(clientssl2)))
1902 if (maxprot == TLS1_3_VERSION) {
1904 * In TLSv1.3 we should have created a new session even though we have
1905 * resumed. Since we attempted a resume we should also have removed the
1906 * old ticket from the cache so that we try to only use tickets once.
1909 && (!TEST_int_eq(new_called, 1)
1910 || !TEST_int_eq(remove_called, 1)))
1914 * In TLSv1.2 we expect to have resumed so no sessions added or
1918 && (!TEST_int_eq(new_called, 0)
1919 || !TEST_int_eq(remove_called, 0)))
1923 SSL_SESSION_free(sess1);
1924 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1926 shutdown_ssl_connection(serverssl2, clientssl2);
1927 serverssl2 = clientssl2 = NULL;
1929 new_called = remove_called = 0;
1930 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1931 &clientssl2, NULL, NULL))
1932 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1936 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1940 && (!TEST_int_eq(new_called, numnewsesstick)
1941 || !TEST_int_eq(remove_called, 0)))
1944 new_called = remove_called = 0;
1946 * This should clear sess2 from the cache because it is a "bad" session.
1947 * See SSL_set_session() documentation.
1949 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1952 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1954 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1957 if (use_int_cache) {
1958 /* Should succeeded because it should not already be in the cache */
1959 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1960 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1964 new_called = remove_called = 0;
1965 /* This shouldn't be in the cache so should fail */
1966 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1970 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1973 # if !defined(OPENSSL_NO_TLS1_1)
1974 new_called = remove_called = 0;
1975 /* Force a connection failure */
1976 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1977 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1978 &clientssl3, NULL, NULL))
1979 || !TEST_true(SSL_set_session(clientssl3, sess1))
1980 /* This should fail because of the mismatched protocol versions */
1981 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1985 /* We should have automatically removed the session from the cache */
1987 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1990 /* Should succeed because it should not already be in the cache */
1991 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1995 /* Now do some tests for server side caching */
1996 if (use_ext_cache) {
1997 SSL_CTX_sess_set_new_cb(cctx, NULL);
1998 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1999 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2000 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2001 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2002 get_sess_val = NULL;
2005 SSL_CTX_set_session_cache_mode(cctx, 0);
2006 /* Internal caching is the default on the server side */
2008 SSL_CTX_set_session_cache_mode(sctx,
2009 SSL_SESS_CACHE_SERVER
2010 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2012 SSL_free(serverssl1);
2013 SSL_free(clientssl1);
2014 serverssl1 = clientssl1 = NULL;
2015 SSL_free(serverssl2);
2016 SSL_free(clientssl2);
2017 serverssl2 = clientssl2 = NULL;
2018 SSL_SESSION_free(sess1);
2020 SSL_SESSION_free(sess2);
2023 SSL_CTX_set_max_proto_version(sctx, maxprot);
2024 if (maxprot == TLS1_2_VERSION)
2025 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
2026 new_called = remove_called = get_called = 0;
2027 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2029 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2031 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2032 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2035 if (use_int_cache) {
2036 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2038 * In TLSv1.3 it should not have been added to the internal cache,
2039 * except in the case where we also have an external cache (in that
2040 * case it gets added to the cache in order to generate remove
2041 * events after timeout).
2043 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2046 /* Should fail because it should already be in the cache */
2047 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2052 if (use_ext_cache) {
2053 SSL_SESSION *tmp = sess2;
2055 if (!TEST_int_eq(new_called, numnewsesstick)
2056 || !TEST_int_eq(remove_called, 0)
2057 || !TEST_int_eq(get_called, 0))
2060 * Delete the session from the internal cache to force a lookup from
2061 * the external cache. We take a copy first because
2062 * SSL_CTX_remove_session() also marks the session as non-resumable.
2064 if (use_int_cache && maxprot != TLS1_3_VERSION) {
2065 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2066 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2068 SSL_SESSION_free(sess2);
2073 new_called = remove_called = get_called = 0;
2074 get_sess_val = sess2;
2075 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2076 &clientssl2, NULL, NULL))
2077 || !TEST_true(SSL_set_session(clientssl2, sess1))
2078 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2080 || !TEST_true(SSL_session_reused(clientssl2)))
2083 if (use_ext_cache) {
2084 if (!TEST_int_eq(remove_called, 0))
2087 if (maxprot == TLS1_3_VERSION) {
2088 if (!TEST_int_eq(new_called, 1)
2089 || !TEST_int_eq(get_called, 0))
2092 if (!TEST_int_eq(new_called, 0)
2093 || !TEST_int_eq(get_called, 1))
2101 SSL_free(serverssl1);
2102 SSL_free(clientssl1);
2103 SSL_free(serverssl2);
2104 SSL_free(clientssl2);
2105 # ifndef OPENSSL_NO_TLS1_1
2106 SSL_free(serverssl3);
2107 SSL_free(clientssl3);
2109 SSL_SESSION_free(sess1);
2110 SSL_SESSION_free(sess2);
2116 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2118 static int test_session_with_only_int_cache(void)
2120 #ifndef OSSL_NO_USABLE_TLS1_3
2121 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
2125 #ifndef OPENSSL_NO_TLS1_2
2126 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
2132 static int test_session_with_only_ext_cache(void)
2134 #ifndef OSSL_NO_USABLE_TLS1_3
2135 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
2139 #ifndef OPENSSL_NO_TLS1_2
2140 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
2146 static int test_session_with_both_cache(void)
2148 #ifndef OSSL_NO_USABLE_TLS1_3
2149 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2153 #ifndef OPENSSL_NO_TLS1_2
2154 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2160 static int test_session_wo_ca_names(void)
2162 #ifndef OSSL_NO_USABLE_TLS1_3
2163 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
2167 #ifndef OPENSSL_NO_TLS1_2
2168 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
2175 #ifndef OSSL_NO_USABLE_TLS1_3
2176 static SSL_SESSION *sesscache[6];
2177 static int do_cache;
2179 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2182 sesscache[new_called] = sess;
2184 /* We don't need the reference to the session, so free it */
2185 SSL_SESSION_free(sess);
2192 static int post_handshake_verify(SSL *sssl, SSL *cssl)
2194 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2195 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2198 /* Start handshake on the server and client */
2199 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2200 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2201 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2202 || !TEST_true(create_ssl_connection(sssl, cssl,
2209 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
2212 int sess_id_ctx = 1;
2214 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2215 TLS_client_method(), TLS1_VERSION, 0,
2216 sctx, cctx, cert, privkey))
2217 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2218 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2219 (void *)&sess_id_ctx,
2220 sizeof(sess_id_ctx))))
2224 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2226 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2227 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2228 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2233 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2235 SSL *serverssl = NULL, *clientssl = NULL;
2238 /* Test that we can resume with all the tickets we got given */
2239 for (i = 0; i < idx * 2; i++) {
2241 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2242 &clientssl, NULL, NULL))
2243 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2246 SSL_set_post_handshake_auth(clientssl, 1);
2248 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2253 * Following a successful resumption we only get 1 ticket. After a
2254 * failed one we should get idx tickets.
2257 if (!TEST_true(SSL_session_reused(clientssl))
2258 || !TEST_int_eq(new_called, 1))
2261 if (!TEST_false(SSL_session_reused(clientssl))
2262 || !TEST_int_eq(new_called, idx))
2267 /* After a post-handshake authentication we should get 1 new ticket */
2269 && (!post_handshake_verify(serverssl, clientssl)
2270 || !TEST_int_eq(new_called, 1)))
2273 SSL_shutdown(clientssl);
2274 SSL_shutdown(serverssl);
2275 SSL_free(serverssl);
2276 SSL_free(clientssl);
2277 serverssl = clientssl = NULL;
2278 SSL_SESSION_free(sesscache[i]);
2279 sesscache[i] = NULL;
2285 SSL_free(clientssl);
2286 SSL_free(serverssl);
2290 static int test_tickets(int stateful, int idx)
2292 SSL_CTX *sctx = NULL, *cctx = NULL;
2293 SSL *serverssl = NULL, *clientssl = NULL;
2297 /* idx is the test number, but also the number of tickets we want */
2302 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2305 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2306 &clientssl, NULL, NULL)))
2309 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2311 /* Check we got the number of tickets we were expecting */
2312 || !TEST_int_eq(idx, new_called))
2315 SSL_shutdown(clientssl);
2316 SSL_shutdown(serverssl);
2317 SSL_free(serverssl);
2318 SSL_free(clientssl);
2321 clientssl = serverssl = NULL;
2325 * Now we try to resume with the tickets we previously created. The
2326 * resumption attempt is expected to fail (because we're now using a new
2327 * SSL_CTX). We should see idx number of tickets issued again.
2330 /* Stop caching sessions - just count them */
2333 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2336 if (!check_resumption(idx, sctx, cctx, 0))
2339 /* Start again with caching sessions */
2346 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2349 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2350 &clientssl, NULL, NULL)))
2353 SSL_set_post_handshake_auth(clientssl, 1);
2355 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2357 /* Check we got the number of tickets we were expecting */
2358 || !TEST_int_eq(idx, new_called))
2361 /* After a post-handshake authentication we should get new tickets issued */
2362 if (!post_handshake_verify(serverssl, clientssl)
2363 || !TEST_int_eq(idx * 2, new_called))
2366 SSL_shutdown(clientssl);
2367 SSL_shutdown(serverssl);
2368 SSL_free(serverssl);
2369 SSL_free(clientssl);
2370 serverssl = clientssl = NULL;
2372 /* Stop caching sessions - just count them */
2376 * Check we can resume with all the tickets we created. This time around the
2377 * resumptions should all be successful.
2379 if (!check_resumption(idx, sctx, cctx, 1))
2385 SSL_free(serverssl);
2386 SSL_free(clientssl);
2387 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2388 SSL_SESSION_free(sesscache[j]);
2389 sesscache[j] = NULL;
2397 static int test_stateless_tickets(int idx)
2399 return test_tickets(0, idx);
2402 static int test_stateful_tickets(int idx)
2404 return test_tickets(1, idx);
2407 static int test_psk_tickets(void)
2409 SSL_CTX *sctx = NULL, *cctx = NULL;
2410 SSL *serverssl = NULL, *clientssl = NULL;
2412 int sess_id_ctx = 1;
2414 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2415 TLS_client_method(), TLS1_VERSION, 0,
2416 &sctx, &cctx, NULL, NULL))
2417 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2418 (void *)&sess_id_ctx,
2419 sizeof(sess_id_ctx))))
2422 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2423 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2424 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2425 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2426 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2427 use_session_cb_cnt = 0;
2428 find_session_cb_cnt = 0;
2432 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2435 clientpsk = serverpsk = create_a_psk(clientssl);
2436 if (!TEST_ptr(clientpsk))
2438 SSL_SESSION_up_ref(clientpsk);
2440 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2442 || !TEST_int_eq(1, find_session_cb_cnt)
2443 || !TEST_int_eq(1, use_session_cb_cnt)
2444 /* We should always get 1 ticket when using external PSK */
2445 || !TEST_int_eq(1, new_called))
2451 SSL_free(serverssl);
2452 SSL_free(clientssl);
2455 SSL_SESSION_free(clientpsk);
2456 SSL_SESSION_free(serverpsk);
2457 clientpsk = serverpsk = NULL;
2462 static int test_extra_tickets(int idx)
2464 SSL_CTX *sctx = NULL, *cctx = NULL;
2465 SSL *serverssl = NULL, *clientssl = NULL;
2466 BIO *bretry = BIO_new(bio_s_always_retry());
2471 unsigned char c, buf[1];
2481 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2483 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2484 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2485 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2487 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2488 &clientssl, NULL, NULL)))
2492 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2493 * incremented by both client and server.
2495 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2497 /* Check we got the number of tickets we were expecting */
2498 || !TEST_int_eq(idx * 2, new_called)
2499 || !TEST_true(SSL_new_session_ticket(serverssl))
2500 || !TEST_true(SSL_new_session_ticket(serverssl))
2501 || !TEST_int_eq(idx * 2, new_called))
2504 /* Now try a (real) write to actually send the tickets */
2506 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2507 || !TEST_size_t_eq(1, nbytes)
2508 || !TEST_int_eq(idx * 2 + 2, new_called)
2509 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2510 || !TEST_int_eq(idx * 2 + 4, new_called)
2511 || !TEST_int_eq(sizeof(buf), nbytes)
2512 || !TEST_int_eq(c, buf[0])
2513 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2516 /* Try with only requesting one new ticket, too */
2519 if (!TEST_true(SSL_new_session_ticket(serverssl))
2520 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2521 || !TEST_size_t_eq(sizeof(c), nbytes)
2522 || !TEST_int_eq(1, new_called)
2523 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2524 || !TEST_int_eq(2, new_called)
2525 || !TEST_size_t_eq(sizeof(buf), nbytes)
2526 || !TEST_int_eq(c, buf[0]))
2529 /* Do it again but use dummy writes to drive the ticket generation */
2532 if (!TEST_true(SSL_new_session_ticket(serverssl))
2533 || !TEST_true(SSL_new_session_ticket(serverssl))
2534 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2535 || !TEST_size_t_eq(0, nbytes)
2536 || !TEST_int_eq(2, new_called)
2537 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2538 || !TEST_int_eq(4, new_called))
2541 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2544 if (!TEST_true(SSL_new_session_ticket(serverssl))
2545 || !TEST_true(SSL_new_session_ticket(serverssl))
2546 || !TEST_true(SSL_do_handshake(serverssl))
2547 || !TEST_int_eq(2, new_called)
2548 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2549 || !TEST_int_eq(4, new_called))
2553 * Use the always-retry BIO to exercise the logic that forces ticket
2554 * generation to wait until a record boundary.
2558 tmp = SSL_get_wbio(serverssl);
2559 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2563 SSL_set0_wbio(serverssl, bretry);
2565 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2566 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2567 || !TEST_size_t_eq(nbytes, 0))
2569 /* Restore a BIO that will let the write succeed */
2570 SSL_set0_wbio(serverssl, tmp);
2573 * These calls should just queue the request and not send anything
2574 * even if we explicitly try to hit the state machine.
2576 if (!TEST_true(SSL_new_session_ticket(serverssl))
2577 || !TEST_true(SSL_new_session_ticket(serverssl))
2578 || !TEST_int_eq(0, new_called)
2579 || !TEST_true(SSL_do_handshake(serverssl))
2580 || !TEST_int_eq(0, new_called))
2582 /* Re-do the write; still no tickets sent */
2583 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2584 || !TEST_size_t_eq(1, nbytes)
2585 || !TEST_int_eq(0, new_called)
2586 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2587 || !TEST_int_eq(0, new_called)
2588 || !TEST_int_eq(sizeof(buf), nbytes)
2589 || !TEST_int_eq(c, buf[0])
2590 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2592 /* Even trying to hit the state machine now will still not send tickets */
2593 if (!TEST_true(SSL_do_handshake(serverssl))
2594 || !TEST_int_eq(0, new_called))
2596 /* Now the *next* write should send the tickets */
2598 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2599 || !TEST_size_t_eq(1, nbytes)
2600 || !TEST_int_eq(2, new_called)
2601 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2602 || !TEST_int_eq(4, new_called)
2603 || !TEST_int_eq(sizeof(buf), nbytes)
2604 || !TEST_int_eq(c, buf[0])
2605 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2608 SSL_shutdown(clientssl);
2609 SSL_shutdown(serverssl);
2615 SSL_free(serverssl);
2616 SSL_free(clientssl);
2619 clientssl = serverssl = NULL;
2628 #define USE_DEFAULT 3
2630 #define CONNTYPE_CONNECTION_SUCCESS 0
2631 #define CONNTYPE_CONNECTION_FAIL 1
2632 #define CONNTYPE_NO_CONNECTION 2
2634 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2635 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2636 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2637 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2639 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2642 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2643 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2644 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2646 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2663 * Tests calls to SSL_set_bio() under various conditions.
2665 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2666 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2667 * then do more tests where we create a successful connection first using our
2668 * standard connection setup functions, and then call SSL_set_bio() with
2669 * various combinations of valid BIOs or NULL. We then repeat these tests
2670 * following a failed connection. In this last case we are looking to check that
2671 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2673 static int test_ssl_set_bio(int idx)
2675 SSL_CTX *sctx = NULL, *cctx = NULL;
2678 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2679 SSL *serverssl = NULL, *clientssl = NULL;
2680 int initrbio, initwbio, newrbio, newwbio, conntype;
2683 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2691 conntype = CONNTYPE_NO_CONNECTION;
2693 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2694 initrbio = initwbio = USE_DEFAULT;
2702 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2703 TLS_client_method(), TLS1_VERSION, 0,
2704 &sctx, &cctx, cert, privkey)))
2707 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2709 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2710 * because we reduced the number of tests in the definition of
2711 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2712 * mismatched protocol versions we will force a connection failure.
2714 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2715 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2718 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2722 if (initrbio == USE_BIO_1
2723 || initwbio == USE_BIO_1
2724 || newrbio == USE_BIO_1
2725 || newwbio == USE_BIO_1) {
2726 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2730 if (initrbio == USE_BIO_2
2731 || initwbio == USE_BIO_2
2732 || newrbio == USE_BIO_2
2733 || newwbio == USE_BIO_2) {
2734 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2738 if (initrbio != USE_DEFAULT) {
2739 setupbio(&irbio, bio1, bio2, initrbio);
2740 setupbio(&iwbio, bio1, bio2, initwbio);
2741 SSL_set_bio(clientssl, irbio, iwbio);
2744 * We want to maintain our own refs to these BIO, so do an up ref for
2745 * each BIO that will have ownership transferred in the SSL_set_bio()
2750 if (iwbio != NULL && iwbio != irbio)
2754 if (conntype != CONNTYPE_NO_CONNECTION
2755 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2757 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2760 setupbio(&nrbio, bio1, bio2, newrbio);
2761 setupbio(&nwbio, bio1, bio2, newwbio);
2764 * We will (maybe) transfer ownership again so do more up refs.
2765 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2770 && (nwbio != iwbio || nrbio != nwbio))
2774 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2777 SSL_set_bio(clientssl, nrbio, nwbio);
2786 * This test is checking that the ref counting for SSL_set_bio is correct.
2787 * If we get here and we did too many frees then we will fail in the above
2790 SSL_free(serverssl);
2791 SSL_free(clientssl);
2797 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
2799 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
2801 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
2806 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
2807 || !TEST_ptr(ssl = SSL_new(ctx))
2808 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2809 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
2812 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2815 * If anything goes wrong here then we could leak memory.
2817 BIO_push(sslbio, membio1);
2819 /* Verify changing the rbio/wbio directly does not cause leaks */
2820 if (change_bio != NO_BIO_CHANGE) {
2821 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
2825 if (change_bio == CHANGE_RBIO)
2826 SSL_set0_rbio(ssl, membio2);
2828 SSL_set0_wbio(ssl, membio2);
2847 static int test_ssl_bio_pop_next_bio(void)
2849 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
2852 static int test_ssl_bio_pop_ssl_bio(void)
2854 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
2857 static int test_ssl_bio_change_rbio(void)
2859 return execute_test_ssl_bio(0, CHANGE_RBIO);
2862 static int test_ssl_bio_change_wbio(void)
2864 return execute_test_ssl_bio(0, CHANGE_WBIO);
2867 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
2869 /* The list of sig algs */
2871 /* The length of the list */
2873 /* A sigalgs list in string format */
2874 const char *liststr;
2875 /* Whether setting the list should succeed */
2877 /* Whether creating a connection with the list should succeed */
2881 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
2882 # ifndef OPENSSL_NO_EC
2883 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2884 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
2886 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2887 static const int invalidlist2[] = {NID_sha256, NID_undef};
2888 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2889 static const int invalidlist4[] = {NID_sha256};
2890 static const sigalgs_list testsigalgs[] = {
2891 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2892 # ifndef OPENSSL_NO_EC
2893 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2894 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2896 {NULL, 0, "RSA+SHA256", 1, 1},
2897 # ifndef OPENSSL_NO_EC
2898 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2899 {NULL, 0, "ECDSA+SHA512", 1, 0},
2901 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2902 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2903 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2904 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2905 {NULL, 0, "RSA", 0, 0},
2906 {NULL, 0, "SHA256", 0, 0},
2907 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2908 {NULL, 0, "Invalid", 0, 0}
2911 static int test_set_sigalgs(int idx)
2913 SSL_CTX *cctx = NULL, *sctx = NULL;
2914 SSL *clientssl = NULL, *serverssl = NULL;
2916 const sigalgs_list *curr;
2919 /* Should never happen */
2920 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
2923 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2924 curr = testctx ? &testsigalgs[idx]
2925 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2927 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2928 TLS_client_method(), TLS1_VERSION, 0,
2929 &sctx, &cctx, cert, privkey)))
2932 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2937 if (curr->list != NULL)
2938 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2940 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2944 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2950 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2955 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2956 &clientssl, NULL, NULL)))
2962 if (curr->list != NULL)
2963 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2965 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2968 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
2977 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2985 SSL_free(serverssl);
2986 SSL_free(clientssl);
2994 #ifndef OSSL_NO_USABLE_TLS1_3
2995 static int psk_client_cb_cnt = 0;
2996 static int psk_server_cb_cnt = 0;
2998 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2999 size_t *idlen, SSL_SESSION **sess)
3001 switch (++use_session_cb_cnt) {
3003 /* The first call should always have a NULL md */
3009 /* The second call should always have an md */
3015 /* We should only be called a maximum of twice */
3019 if (clientpsk != NULL)
3020 SSL_SESSION_up_ref(clientpsk);
3023 *id = (const unsigned char *)pskid;
3024 *idlen = strlen(pskid);
3029 #ifndef OPENSSL_NO_PSK
3030 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3031 unsigned int max_id_len,
3033 unsigned int max_psk_len)
3035 unsigned int psklen = 0;
3037 psk_client_cb_cnt++;
3039 if (strlen(pskid) + 1 > max_id_len)
3042 /* We should only ever be called a maximum of twice per connection */
3043 if (psk_client_cb_cnt > 2)
3046 if (clientpsk == NULL)
3049 /* We'll reuse the PSK we set up for TLSv1.3 */
3050 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3052 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3053 strncpy(id, pskid, max_id_len);
3057 #endif /* OPENSSL_NO_PSK */
3059 static int find_session_cb(SSL *ssl, const unsigned char *identity,
3060 size_t identity_len, SSL_SESSION **sess)
3062 find_session_cb_cnt++;
3064 /* We should only ever be called a maximum of twice per connection */
3065 if (find_session_cb_cnt > 2)
3068 if (serverpsk == NULL)
3071 /* Identity should match that set by the client */
3072 if (strlen(srvid) != identity_len
3073 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3074 /* No PSK found, continue but without a PSK */
3079 SSL_SESSION_up_ref(serverpsk);
3085 #ifndef OPENSSL_NO_PSK
3086 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3087 unsigned char *psk, unsigned int max_psk_len)
3089 unsigned int psklen = 0;
3091 psk_server_cb_cnt++;
3093 /* We should only ever be called a maximum of twice per connection */
3094 if (find_session_cb_cnt > 2)
3097 if (serverpsk == NULL)
3100 /* Identity should match that set by the client */
3101 if (strcmp(srvid, identity) != 0) {
3105 /* We'll reuse the PSK we set up for TLSv1.3 */
3106 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3108 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3112 #endif /* OPENSSL_NO_PSK */
3114 #define MSG1 "Hello"
3115 #define MSG2 "World."
3120 #define MSG7 "message."
3122 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
3123 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3124 #define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3125 #define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3126 #define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
3129 static SSL_SESSION *create_a_psk(SSL *ssl)
3131 const SSL_CIPHER *cipher = NULL;
3132 const unsigned char key[] = {
3133 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3134 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3135 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3136 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3137 0x2c, 0x2d, 0x2e, 0x2f
3139 SSL_SESSION *sess = NULL;
3141 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3142 sess = SSL_SESSION_new();
3144 || !TEST_ptr(cipher)
3145 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
3147 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3149 SSL_SESSION_set_protocol_version(sess,
3151 SSL_SESSION_free(sess);
3158 * Helper method to setup objects for early data test. Caller frees objects on
3161 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3162 SSL **serverssl, SSL_SESSION **sess, int idx)
3165 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3166 TLS_client_method(),
3168 sctx, cctx, cert, privkey)))
3171 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
3175 /* When idx == 1 we repeat the tests with read_ahead set */
3176 SSL_CTX_set_read_ahead(*cctx, 1);
3177 SSL_CTX_set_read_ahead(*sctx, 1);
3178 } else if (idx == 2) {
3179 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3180 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3181 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3182 use_session_cb_cnt = 0;
3183 find_session_cb_cnt = 0;
3187 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
3192 * For one of the run throughs (doesn't matter which one), we'll try sending
3193 * some SNI data in the initial ClientHello. This will be ignored (because
3194 * there is no SNI cb set up by the server), so it should not impact
3198 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3202 clientpsk = create_a_psk(*clientssl);
3203 if (!TEST_ptr(clientpsk)
3205 * We just choose an arbitrary value for max_early_data which
3206 * should be big enough for testing purposes.
3208 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3210 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3211 SSL_SESSION_free(clientpsk);
3215 serverpsk = clientpsk;
3218 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3219 SSL_SESSION_free(clientpsk);
3220 SSL_SESSION_free(serverpsk);
3221 clientpsk = serverpsk = NULL;
3232 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3236 *sess = SSL_get1_session(*clientssl);
3237 SSL_shutdown(*clientssl);
3238 SSL_shutdown(*serverssl);
3239 SSL_free(*serverssl);
3240 SSL_free(*clientssl);
3241 *serverssl = *clientssl = NULL;
3243 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3244 clientssl, NULL, NULL))
3245 || !TEST_true(SSL_set_session(*clientssl, *sess)))
3251 static int test_early_data_read_write(int idx)
3253 SSL_CTX *cctx = NULL, *sctx = NULL;
3254 SSL *clientssl = NULL, *serverssl = NULL;
3256 SSL_SESSION *sess = NULL;
3257 unsigned char buf[20], data[1024];
3258 size_t readbytes, written, eoedlen, rawread, rawwritten;
3261 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3262 &serverssl, &sess, idx)))
3265 /* Write and read some early data */
3266 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3268 || !TEST_size_t_eq(written, strlen(MSG1))
3269 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3270 sizeof(buf), &readbytes),
3271 SSL_READ_EARLY_DATA_SUCCESS)
3272 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3273 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3274 SSL_EARLY_DATA_ACCEPTED))
3278 * Server should be able to write data, and client should be able to
3281 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3283 || !TEST_size_t_eq(written, strlen(MSG2))
3284 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3285 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3288 /* Even after reading normal data, client should be able write early data */
3289 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3291 || !TEST_size_t_eq(written, strlen(MSG3)))
3294 /* Server should still be able read early data after writing data */
3295 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3297 SSL_READ_EARLY_DATA_SUCCESS)
3298 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3301 /* Write more data from server and read it from client */
3302 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3304 || !TEST_size_t_eq(written, strlen(MSG4))
3305 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3306 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3310 * If client writes normal data it should mean writing early data is no
3313 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3314 || !TEST_size_t_eq(written, strlen(MSG5))
3315 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3316 SSL_EARLY_DATA_ACCEPTED))
3320 * At this point the client has written EndOfEarlyData, ClientFinished and
3321 * normal (fully protected) data. We are going to cause a delay between the
3322 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3323 * in the read BIO, and then just put back the EndOfEarlyData message.
3325 rbio = SSL_get_rbio(serverssl);
3326 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3327 || !TEST_size_t_lt(rawread, sizeof(data))
3328 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3331 /* Record length is in the 4th and 5th bytes of the record header */
3332 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3333 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3334 || !TEST_size_t_eq(rawwritten, eoedlen))
3337 /* Server should be told that there is no more early data */
3338 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3340 SSL_READ_EARLY_DATA_FINISH)
3341 || !TEST_size_t_eq(readbytes, 0))
3345 * Server has not finished init yet, so should still be able to write early
3348 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3350 || !TEST_size_t_eq(written, strlen(MSG6)))
3353 /* Push the ClientFinished and the normal data back into the server rbio */
3354 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3356 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3359 /* Server should be able to read normal data */
3360 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3361 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3364 /* Client and server should not be able to write/read early data now */
3365 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3369 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3371 SSL_READ_EARLY_DATA_ERROR))
3375 /* Client should be able to read the data sent by the server */
3376 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3377 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3381 * Make sure we process the two NewSessionTickets. These arrive
3382 * post-handshake. We attempt reads which we do not expect to return any
3385 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3386 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3390 /* Server should be able to write normal data */
3391 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3392 || !TEST_size_t_eq(written, strlen(MSG7))
3393 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3394 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3397 SSL_SESSION_free(sess);
3398 sess = SSL_get1_session(clientssl);
3399 use_session_cb_cnt = 0;
3400 find_session_cb_cnt = 0;
3402 SSL_shutdown(clientssl);
3403 SSL_shutdown(serverssl);
3404 SSL_free(serverssl);
3405 SSL_free(clientssl);
3406 serverssl = clientssl = NULL;
3407 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3408 &clientssl, NULL, NULL))
3409 || !TEST_true(SSL_set_session(clientssl, sess)))
3412 /* Write and read some early data */
3413 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3415 || !TEST_size_t_eq(written, strlen(MSG1))
3416 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3418 SSL_READ_EARLY_DATA_SUCCESS)
3419 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3422 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3423 || !TEST_int_gt(SSL_accept(serverssl), 0))
3426 /* Client and server should not be able to write/read early data now */
3427 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3431 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3433 SSL_READ_EARLY_DATA_ERROR))
3437 /* Client and server should be able to write/read normal data */
3438 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3439 || !TEST_size_t_eq(written, strlen(MSG5))
3440 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3441 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3447 SSL_SESSION_free(sess);
3448 SSL_SESSION_free(clientpsk);
3449 SSL_SESSION_free(serverpsk);
3450 clientpsk = serverpsk = NULL;
3451 SSL_free(serverssl);
3452 SSL_free(clientssl);
3458 static int allow_ed_cb_called = 0;
3460 static int allow_early_data_cb(SSL *s, void *arg)
3462 int *usecb = (int *)arg;
3464 allow_ed_cb_called++;
3473 * idx == 0: Standard early_data setup
3474 * idx == 1: early_data setup using read_ahead
3475 * usecb == 0: Don't use a custom early data callback
3476 * usecb == 1: Use a custom early data callback and reject the early data
3477 * usecb == 2: Use a custom early data callback and accept the early data
3478 * confopt == 0: Configure anti-replay directly
3479 * confopt == 1: Configure anti-replay using SSL_CONF
3481 static int test_early_data_replay_int(int idx, int usecb, int confopt)
3483 SSL_CTX *cctx = NULL, *sctx = NULL;
3484 SSL *clientssl = NULL, *serverssl = NULL;
3486 SSL_SESSION *sess = NULL;
3487 size_t readbytes, written;
3488 unsigned char buf[20];
3490 allow_ed_cb_called = 0;
3492 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3493 TLS_client_method(), TLS1_VERSION, 0,
3494 &sctx, &cctx, cert, privkey)))
3499 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3501 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3503 if (!TEST_ptr(confctx))
3505 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3506 | SSL_CONF_FLAG_SERVER);
3507 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3508 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3510 SSL_CONF_CTX_free(confctx);
3513 SSL_CONF_CTX_free(confctx);
3515 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3518 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3519 &serverssl, &sess, idx)))
3523 * The server is configured to accept early data. Create a connection to
3524 * "use up" the ticket
3526 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3527 || !TEST_true(SSL_session_reused(clientssl)))
3530 SSL_shutdown(clientssl);
3531 SSL_shutdown(serverssl);
3532 SSL_free(serverssl);
3533 SSL_free(clientssl);
3534 serverssl = clientssl = NULL;
3536 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3537 &clientssl, NULL, NULL))
3538 || !TEST_true(SSL_set_session(clientssl, sess)))
3541 /* Write and read some early data */
3542 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3544 || !TEST_size_t_eq(written, strlen(MSG1)))
3548 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3550 SSL_READ_EARLY_DATA_FINISH)
3552 * The ticket was reused, so the we should have rejected the
3555 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3556 SSL_EARLY_DATA_REJECTED))
3559 /* In this case the callback decides to accept the early data */
3560 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3562 SSL_READ_EARLY_DATA_SUCCESS)
3563 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3565 * Server will have sent its flight so client can now send
3566 * end of early data and complete its half of the handshake
3568 || !TEST_int_gt(SSL_connect(clientssl), 0)
3569 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3571 SSL_READ_EARLY_DATA_FINISH)
3572 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3573 SSL_EARLY_DATA_ACCEPTED))
3577 /* Complete the connection */
3578 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3579 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3580 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3586 SSL_SESSION_free(sess);
3587 SSL_SESSION_free(clientpsk);
3588 SSL_SESSION_free(serverpsk);
3589 clientpsk = serverpsk = NULL;
3590 SSL_free(serverssl);
3591 SSL_free(clientssl);
3597 static int test_early_data_replay(int idx)
3599 int ret = 1, usecb, confopt;
3601 for (usecb = 0; usecb < 3; usecb++) {
3602 for (confopt = 0; confopt < 2; confopt++)
3603 ret &= test_early_data_replay_int(idx, usecb, confopt);
3610 * Helper function to test that a server attempting to read early data can
3611 * handle a connection from a client where the early data should be skipped.
3612 * testtype: 0 == No HRR
3613 * testtype: 1 == HRR
3614 * testtype: 2 == HRR, invalid early_data sent after HRR
3615 * testtype: 3 == recv_max_early_data set to 0
3617 static int early_data_skip_helper(int testtype, int idx)
3619 SSL_CTX *cctx = NULL, *sctx = NULL;
3620 SSL *clientssl = NULL, *serverssl = NULL;
3622 SSL_SESSION *sess = NULL;
3623 unsigned char buf[20];
3624 size_t readbytes, written;
3626 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3627 &serverssl, &sess, idx)))
3630 if (testtype == 1 || testtype == 2) {
3631 /* Force an HRR to occur */
3632 #if defined(OPENSSL_NO_EC)
3633 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3636 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3639 } else if (idx == 2) {
3641 * We force early_data rejection by ensuring the PSK identity is
3644 srvid = "Dummy Identity";
3647 * Deliberately corrupt the creation time. We take 20 seconds off the
3648 * time. It could be any value as long as it is not within tolerance.
3649 * This should mean the ticket is rejected.
3651 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3656 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3659 /* Write some early data */
3660 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3662 || !TEST_size_t_eq(written, strlen(MSG1)))
3665 /* Server should reject the early data */
3666 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3668 SSL_READ_EARLY_DATA_FINISH)
3669 || !TEST_size_t_eq(readbytes, 0)
3670 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3671 SSL_EARLY_DATA_REJECTED))
3681 * Finish off the handshake. We perform the same writes and reads as
3682 * further down but we expect them to fail due to the incomplete
3685 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3686 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3693 BIO *wbio = SSL_get_wbio(clientssl);
3694 /* A record that will appear as bad early_data */
3695 const unsigned char bad_early_data[] = {
3696 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3700 * We force the client to attempt a write. This will fail because
3701 * we're still in the handshake. It will cause the second
3702 * ClientHello to be sent.
3704 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3709 * Inject some early_data after the second ClientHello. This should
3710 * cause the server to fail
3712 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3713 sizeof(bad_early_data), &written)))
3720 * This client has sent more early_data than we are willing to skip
3721 * (case 3) or sent invalid early_data (case 2) so the connection should
3724 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3725 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3728 /* Connection has failed - nothing more to do */
3733 TEST_error("Invalid test type");
3738 * Should be able to send normal data despite rejection of early data. The
3739 * early_data should be skipped.
3741 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3742 || !TEST_size_t_eq(written, strlen(MSG2))
3743 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3744 SSL_EARLY_DATA_REJECTED)
3745 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3746 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3752 SSL_SESSION_free(clientpsk);
3753 SSL_SESSION_free(serverpsk);
3754 clientpsk = serverpsk = NULL;
3755 SSL_SESSION_free(sess);
3756 SSL_free(serverssl);
3757 SSL_free(clientssl);
3764 * Test that a server attempting to read early data can handle a connection
3765 * from a client where the early data is not acceptable.
3767 static int test_early_data_skip(int idx)
3769 return early_data_skip_helper(0, idx);
3773 * Test that a server attempting to read early data can handle a connection
3774 * from a client where an HRR occurs.
3776 static int test_early_data_skip_hrr(int idx)
3778 return early_data_skip_helper(1, idx);
3782 * Test that a server attempting to read early data can handle a connection
3783 * from a client where an HRR occurs and correctly fails if early_data is sent
3786 static int test_early_data_skip_hrr_fail(int idx)
3788 return early_data_skip_helper(2, idx);
3792 * Test that a server attempting to read early data will abort if it tries to
3793 * skip over too much.
3795 static int test_early_data_skip_abort(int idx)
3797 return early_data_skip_helper(3, idx);
3801 * Test that a server attempting to read early data can handle a connection
3802 * from a client that doesn't send any.
3804 static int test_early_data_not_sent(int idx)
3806 SSL_CTX *cctx = NULL, *sctx = NULL;
3807 SSL *clientssl = NULL, *serverssl = NULL;
3809 SSL_SESSION *sess = NULL;
3810 unsigned char buf[20];
3811 size_t readbytes, written;
3813 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3814 &serverssl, &sess, idx)))
3817 /* Write some data - should block due to handshake with server */
3818 SSL_set_connect_state(clientssl);
3819 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3822 /* Server should detect that early data has not been sent */
3823 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3825 SSL_READ_EARLY_DATA_FINISH)
3826 || !TEST_size_t_eq(readbytes, 0)
3827 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3828 SSL_EARLY_DATA_NOT_SENT)
3829 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3830 SSL_EARLY_DATA_NOT_SENT))
3833 /* Continue writing the message we started earlier */
3834 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3835 || !TEST_size_t_eq(written, strlen(MSG1))
3836 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3837 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3838 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3839 || !TEST_size_t_eq(written, strlen(MSG2)))
3842 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3843 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3849 SSL_SESSION_free(sess);
3850 SSL_SESSION_free(clientpsk);
3851 SSL_SESSION_free(serverpsk);
3852 clientpsk = serverpsk = NULL;
3853 SSL_free(serverssl);
3854 SSL_free(clientssl);
3860 static const char *servalpn;
3862 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3863 unsigned char *outlen, const unsigned char *in,
3864 unsigned int inlen, void *arg)
3866 unsigned int protlen = 0;
3867 const unsigned char *prot;
3869 for (prot = in; prot < in + inlen; prot += protlen) {
3871 if (in + inlen < prot + protlen)
3872 return SSL_TLSEXT_ERR_NOACK;
3874 if (protlen == strlen(servalpn)
3875 && memcmp(prot, servalpn, protlen) == 0) {
3878 return SSL_TLSEXT_ERR_OK;
3882 return SSL_TLSEXT_ERR_NOACK;
3885 /* Test that a PSK can be used to send early_data */
3886 static int test_early_data_psk(int idx)
3888 SSL_CTX *cctx = NULL, *sctx = NULL;
3889 SSL *clientssl = NULL, *serverssl = NULL;
3891 SSL_SESSION *sess = NULL;
3892 unsigned char alpnlist[] = {
3893 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3896 #define GOODALPNLEN 9
3897 #define BADALPNLEN 8
3898 #define GOODALPN (alpnlist)
3899 #define BADALPN (alpnlist + GOODALPNLEN)
3901 unsigned char buf[20];
3902 size_t readbytes, written;
3903 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3904 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3906 /* We always set this up with a final parameter of "2" for PSK */
3907 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3908 &serverssl, &sess, 2)))
3911 servalpn = "goodalpn";
3914 * Note: There is no test for inconsistent SNI with late client detection.
3915 * This is because servers do not acknowledge SNI even if they are using
3916 * it in a resumption handshake - so it is not actually possible for a
3917 * client to detect a problem.
3921 /* Set inconsistent SNI (early client detection) */
3922 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3923 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3924 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3929 /* Set inconsistent ALPN (early client detection) */
3930 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3931 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3932 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3934 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3941 * Set invalid protocol version. Technically this affects PSKs without
3942 * early_data too, but we test it here because it is similar to the
3943 * SNI/ALPN consistency tests.
3945 err = SSL_R_BAD_PSK;
3946 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3952 * Set inconsistent SNI (server side). In this case the connection
3953 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3954 * is associated with each handshake - not the session. Therefore it
3955 * should not matter that we used a different server name last time.
3957 SSL_SESSION_free(serverpsk);
3958 serverpsk = SSL_SESSION_dup(clientpsk);
3959 if (!TEST_ptr(serverpsk)
3960 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3964 /* Set consistent SNI */
3965 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3966 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3967 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3974 * Set inconsistent ALPN (server detected). In this case the connection
3975 * will succeed but reject early_data.
3977 servalpn = "badalpn";
3978 edstatus = SSL_EARLY_DATA_REJECTED;
3979 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3983 * Set consistent ALPN.
3984 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3985 * accepts a list of protos (each one length prefixed).
3986 * SSL_set1_alpn_selected accepts a single protocol (not length
3989 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3991 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3995 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3999 /* Set inconsistent ALPN (late client detection) */
4000 SSL_SESSION_free(serverpsk);
4001 serverpsk = SSL_SESSION_dup(clientpsk);
4002 if (!TEST_ptr(serverpsk)
4003 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4006 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4009 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4012 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4013 edstatus = SSL_EARLY_DATA_ACCEPTED;
4014 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4015 /* SSL_connect() call should fail */
4020 TEST_error("Bad test index");
4024 SSL_set_connect_state(clientssl);
4026 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4028 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4029 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4032 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4036 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4037 &readbytes), readearlyres)
4038 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4039 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
4040 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4041 || !TEST_int_eq(SSL_connect(clientssl), connectres))
4048 SSL_SESSION_free(sess);
4049 SSL_SESSION_free(clientpsk);
4050 SSL_SESSION_free(serverpsk);
4051 clientpsk = serverpsk = NULL;
4052 SSL_free(serverssl);
4053 SSL_free(clientssl);
4060 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4061 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4062 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4063 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4064 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4065 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4067 static int test_early_data_psk_with_all_ciphers(int idx)
4069 SSL_CTX *cctx = NULL, *sctx = NULL;
4070 SSL *clientssl = NULL, *serverssl = NULL;
4072 SSL_SESSION *sess = NULL;
4073 unsigned char buf[20];
4074 size_t readbytes, written;
4075 const SSL_CIPHER *cipher;
4076 const char *cipher_str[] = {
4077 TLS1_3_RFC_AES_128_GCM_SHA256,
4078 TLS1_3_RFC_AES_256_GCM_SHA384,
4079 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4080 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4084 TLS1_3_RFC_AES_128_CCM_SHA256,
4085 TLS1_3_RFC_AES_128_CCM_8_SHA256
4087 const unsigned char *cipher_bytes[] = {
4088 TLS13_AES_128_GCM_SHA256_BYTES,
4089 TLS13_AES_256_GCM_SHA384_BYTES,
4090 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4091 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4095 TLS13_AES_128_CCM_SHA256_BYTES,
4096 TLS13_AES_128_CCM_8_SHA256_BYTES
4099 if (cipher_str[idx] == NULL)
4101 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4102 if (idx == 2 && is_fips == 1)
4105 /* We always set this up with a final parameter of "2" for PSK */
4106 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4107 &serverssl, &sess, 2)))
4110 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4111 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4115 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4116 * and assigns to both client and server with incremented reference
4117 * and the same instance is updated in 'sess'.
4118 * So updating ciphersuite in 'sess' which will get reflected in
4119 * PSK handshake using psk use sess and find sess cb.
4121 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4122 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4125 SSL_set_connect_state(clientssl);
4126 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4130 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4132 SSL_READ_EARLY_DATA_SUCCESS)
4133 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4134 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4135 SSL_EARLY_DATA_ACCEPTED)
4136 || !TEST_int_eq(SSL_connect(clientssl), 1)
4137 || !TEST_int_eq(SSL_accept(serverssl), 1))
4140 /* Send some normal data from client to server */
4141 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4142 || !TEST_size_t_eq(written, strlen(MSG2)))
4145 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4146 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4151 SSL_SESSION_free(sess);
4152 SSL_SESSION_free(clientpsk);
4153 SSL_SESSION_free(serverpsk);
4154 clientpsk = serverpsk = NULL;
4155 if (clientssl != NULL)
4156 SSL_shutdown(clientssl);
4157 if (serverssl != NULL)
4158 SSL_shutdown(serverssl);
4159 SSL_free(serverssl);
4160 SSL_free(clientssl);
4167 * Test that a server that doesn't try to read early data can handle a
4168 * client sending some.
4170 static int test_early_data_not_expected(int idx)
4172 SSL_CTX *cctx = NULL, *sctx = NULL;
4173 SSL *clientssl = NULL, *serverssl = NULL;
4175 SSL_SESSION *sess = NULL;
4176 unsigned char buf[20];
4177 size_t readbytes, written;
4179 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4180 &serverssl, &sess, idx)))
4183 /* Write some early data */
4184 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4189 * Server should skip over early data and then block waiting for client to
4190 * continue handshake
4192 if (!TEST_int_le(SSL_accept(serverssl), 0)
4193 || !TEST_int_gt(SSL_connect(clientssl), 0)
4194 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4195 SSL_EARLY_DATA_REJECTED)
4196 || !TEST_int_gt(SSL_accept(serverssl), 0)
4197 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4198 SSL_EARLY_DATA_REJECTED))
4201 /* Send some normal data from client to server */
4202 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4203 || !TEST_size_t_eq(written, strlen(MSG2)))
4206 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4207 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4213 SSL_SESSION_free(sess);
4214 SSL_SESSION_free(clientpsk);
4215 SSL_SESSION_free(serverpsk);
4216 clientpsk = serverpsk = NULL;
4217 SSL_free(serverssl);
4218 SSL_free(clientssl);
4225 # ifndef OPENSSL_NO_TLS1_2
4227 * Test that a server attempting to read early data can handle a connection
4228 * from a TLSv1.2 client.
4230 static int test_early_data_tls1_2(int idx)
4232 SSL_CTX *cctx = NULL, *sctx = NULL;
4233 SSL *clientssl = NULL, *serverssl = NULL;
4235 unsigned char buf[20];
4236 size_t readbytes, written;
4238 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4239 &serverssl, NULL, idx)))
4242 /* Write some data - should block due to handshake with server */
4243 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4244 SSL_set_connect_state(clientssl);
4245 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4249 * Server should do TLSv1.2 handshake. First it will block waiting for more
4250 * messages from client after ServerDone. Then SSL_read_early_data should
4251 * finish and detect that early data has not been sent
4253 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4255 SSL_READ_EARLY_DATA_ERROR))
4259 * Continue writing the message we started earlier. Will still block waiting
4260 * for the CCS/Finished from server
4262 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4263 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4265 SSL_READ_EARLY_DATA_FINISH)
4266 || !TEST_size_t_eq(readbytes, 0)
4267 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4268 SSL_EARLY_DATA_NOT_SENT))
4271 /* Continue writing the message we started earlier */
4272 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4273 || !TEST_size_t_eq(written, strlen(MSG1))
4274 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4275 SSL_EARLY_DATA_NOT_SENT)
4276 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4277 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4278 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4279 || !TEST_size_t_eq(written, strlen(MSG2))
4280 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4281 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4287 SSL_SESSION_free(clientpsk);
4288 SSL_SESSION_free(serverpsk);
4289 clientpsk = serverpsk = NULL;
4290 SSL_free(serverssl);
4291 SSL_free(clientssl);
4297 # endif /* OPENSSL_NO_TLS1_2 */
4300 * Test configuring the TLSv1.3 ciphersuites
4302 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4303 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4304 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4305 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4306 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4307 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4308 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4309 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4310 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4311 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4313 static int test_set_ciphersuite(int idx)
4315 SSL_CTX *cctx = NULL, *sctx = NULL;
4316 SSL *clientssl = NULL, *serverssl = NULL;
4319 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4320 TLS_client_method(), TLS1_VERSION, 0,
4321 &sctx, &cctx, cert, privkey))
4322 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4323 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4326 if (idx >=4 && idx <= 7) {
4327 /* SSL_CTX explicit cipher list */
4328 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4332 if (idx == 0 || idx == 4) {
4333 /* Default ciphersuite */
4334 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4335 "TLS_AES_128_GCM_SHA256")))
4337 } else if (idx == 1 || idx == 5) {
4338 /* Non default ciphersuite */
4339 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4340 "TLS_AES_128_CCM_SHA256")))
4344 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4345 &clientssl, NULL, NULL)))
4348 if (idx == 8 || idx == 9) {
4349 /* SSL explicit cipher list */
4350 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4354 if (idx == 2 || idx == 6 || idx == 8) {
4355 /* Default ciphersuite */
4356 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4357 "TLS_AES_128_GCM_SHA256")))
4359 } else if (idx == 3 || idx == 7 || idx == 9) {
4360 /* Non default ciphersuite */
4361 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4362 "TLS_AES_128_CCM_SHA256")))
4366 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4372 SSL_free(serverssl);
4373 SSL_free(clientssl);
4380 static int test_ciphersuite_change(void)
4382 SSL_CTX *cctx = NULL, *sctx = NULL;
4383 SSL *clientssl = NULL, *serverssl = NULL;
4384 SSL_SESSION *clntsess = NULL;
4386 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4388 /* Create a session based on SHA-256 */
4389 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4390 TLS_client_method(), TLS1_VERSION, 0,
4391 &sctx, &cctx, cert, privkey))
4392 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4393 "TLS_AES_128_GCM_SHA256:"
4394 "TLS_AES_256_GCM_SHA384:"
4395 "TLS_AES_128_CCM_SHA256"))
4396 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4397 "TLS_AES_128_GCM_SHA256"))
4398 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4399 &clientssl, NULL, NULL))
4400 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4404 clntsess = SSL_get1_session(clientssl);
4405 /* Save for later */
4406 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4407 SSL_shutdown(clientssl);
4408 SSL_shutdown(serverssl);
4409 SSL_free(serverssl);
4410 SSL_free(clientssl);
4411 serverssl = clientssl = NULL;
4413 /* Check we can resume a session with a different SHA-256 ciphersuite */
4414 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4415 "TLS_AES_128_CCM_SHA256"))
4416 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4417 &clientssl, NULL, NULL))
4418 || !TEST_true(SSL_set_session(clientssl, clntsess))
4419 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4421 || !TEST_true(SSL_session_reused(clientssl)))
4424 SSL_SESSION_free(clntsess);
4425 clntsess = SSL_get1_session(clientssl);
4426 SSL_shutdown(clientssl);
4427 SSL_shutdown(serverssl);
4428 SSL_free(serverssl);
4429 SSL_free(clientssl);
4430 serverssl = clientssl = NULL;
4433 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4434 * succeeds but does not resume.
4436 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4437 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4439 || !TEST_true(SSL_set_session(clientssl, clntsess))
4440 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4442 || !TEST_false(SSL_session_reused(clientssl)))
4445 SSL_SESSION_free(clntsess);
4447 SSL_shutdown(clientssl);
4448 SSL_shutdown(serverssl);
4449 SSL_free(serverssl);
4450 SSL_free(clientssl);
4451 serverssl = clientssl = NULL;
4453 /* Create a session based on SHA384 */
4454 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4455 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4456 &clientssl, NULL, NULL))
4457 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4461 clntsess = SSL_get1_session(clientssl);
4462 SSL_shutdown(clientssl);
4463 SSL_shutdown(serverssl);
4464 SSL_free(serverssl);
4465 SSL_free(clientssl);
4466 serverssl = clientssl = NULL;
4468 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4469 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4470 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4471 "TLS_AES_256_GCM_SHA384"))
4472 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4474 || !TEST_true(SSL_set_session(clientssl, clntsess))
4476 * We use SSL_ERROR_WANT_READ below so that we can pause the
4477 * connection after the initial ClientHello has been sent to
4478 * enable us to make some session changes.
4480 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4481 SSL_ERROR_WANT_READ)))
4484 /* Trick the client into thinking this session is for a different digest */
4485 clntsess->cipher = aes_128_gcm_sha256;
4486 clntsess->cipher_id = clntsess->cipher->id;
4489 * Continue the previously started connection. Server has selected a SHA-384
4490 * ciphersuite, but client thinks the session is for SHA-256, so it should
4493 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4495 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4496 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4502 SSL_SESSION_free(clntsess);
4503 SSL_free(serverssl);
4504 SSL_free(clientssl);
4512 * Test TLSv1.3 Key exchange
4513 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4514 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4515 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4516 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4517 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4518 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4519 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4520 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4521 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4522 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4523 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4524 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4525 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4526 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4528 # ifndef OPENSSL_NO_EC
4529 static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4530 NID_secp521r1, NID_X25519, NID_X448};
4532 # ifndef OPENSSL_NO_DH
4533 static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4534 NID_ffdhe6144, NID_ffdhe8192};
4536 static int test_key_exchange(int idx)
4538 SSL_CTX *sctx = NULL, *cctx = NULL;
4539 SSL *serverssl = NULL, *clientssl = NULL;
4542 int *kexch_groups = &kexch_alg;
4543 int kexch_groups_size = 1;
4544 int max_version = TLS1_3_VERSION;
4545 char *kexch_name0 = NULL;
4548 # ifndef OPENSSL_NO_EC
4549 # ifndef OPENSSL_NO_TLS1_2
4551 max_version = TLS1_2_VERSION;
4555 kexch_groups = ecdhe_kexch_groups;
4556 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4557 kexch_name0 = "secp256r1";
4560 kexch_alg = NID_X9_62_prime256v1;
4561 kexch_name0 = "secp256r1";
4564 kexch_alg = NID_secp384r1;
4565 kexch_name0 = "secp384r1";
4568 kexch_alg = NID_secp521r1;
4569 kexch_name0 = "secp521r1";
4572 kexch_alg = NID_X25519;
4573 kexch_name0 = "x25519";
4576 kexch_alg = NID_X448;
4577 kexch_name0 = "x448";
4580 # ifndef OPENSSL_NO_DH
4581 # ifndef OPENSSL_NO_TLS1_2
4583 max_version = TLS1_2_VERSION;
4584 kexch_name0 = "ffdhe2048";
4588 kexch_groups = ffdhe_kexch_groups;
4589 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4590 kexch_name0 = "ffdhe2048";
4593 kexch_alg = NID_ffdhe2048;
4594 kexch_name0 = "ffdhe2048";
4597 kexch_alg = NID_ffdhe3072;
4598 kexch_name0 = "ffdhe3072";
4601 kexch_alg = NID_ffdhe4096;
4602 kexch_name0 = "ffdhe4096";
4605 kexch_alg = NID_ffdhe6144;
4606 kexch_name0 = "ffdhe6144";
4609 kexch_alg = NID_ffdhe8192;
4610 kexch_name0 = "ffdhe8192";
4614 /* We're skipping this test */
4618 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4619 TLS_client_method(), TLS1_VERSION,
4620 max_version, &sctx, &cctx, cert,
4624 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4625 TLS1_3_RFC_AES_128_GCM_SHA256)))
4628 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4629 TLS1_3_RFC_AES_128_GCM_SHA256)))
4632 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4633 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4634 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4635 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4639 * Must include an EC ciphersuite so that we send supported groups in
4642 # ifndef OPENSSL_NO_TLS1_2
4643 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4644 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4645 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4649 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4653 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4654 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4657 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4661 * If Handshake succeeds the negotiated kexch alg should be the first one in
4662 * configured, except in the case of FFDHE groups (idx 13), which are
4663 * TLSv1.3 only so we expect no shared group to exist.
4665 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
4666 idx == 13 ? 0 : kexch_groups[0]))
4669 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
4673 /* We don't implement RFC 7919 named groups for TLS 1.2. */
4675 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4677 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4683 SSL_free(serverssl);
4684 SSL_free(clientssl);
4690 # if !defined(OPENSSL_NO_TLS1_2) \
4691 && !defined(OPENSSL_NO_EC) \
4692 && !defined(OPENSSL_NO_DH)
4693 static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
4694 int isecdhe, int idx)
4697 int *kexch_groups = &kexch_alg;
4700 numec = OSSL_NELEM(ecdhe_kexch_groups);
4701 numff = OSSL_NELEM(ffdhe_kexch_groups);
4703 kexch_alg = ecdhe_kexch_groups[idx];
4705 kexch_alg = ffdhe_kexch_groups[idx];
4708 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
4711 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
4715 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
4720 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
4723 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
4727 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
4736 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
4737 * Run through both the ECDHE and FFDHE group lists used in the previous
4738 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
4739 * confirming the expected result; then perform a resumption handshake
4740 * while offering the same group list, and another resumption handshake
4741 * offering a different group list. The returned value should be the
4742 * negotiated group for the initial handshake; for TLS 1.3 resumption
4743 * handshakes the returned value will be negotiated on the resumption
4744 * handshake itself, but for TLS 1.2 resumption handshakes the value will
4745 * be cached in the session from the original handshake, regardless of what
4746 * was offered in the resumption ClientHello.
4748 * Using E for the number of EC groups and F for the number of FF groups:
4749 * E tests of ECDHE with TLS 1.3, client sends only one group
4750 * F tests of FFDHE with TLS 1.3, client sends only one group
4751 * E tests of ECDHE with TLS 1.2, client sends only one group
4752 * F tests of FFDHE with TLS 1.2, client sends only one group
4753 * E tests of ECDHE with TLS 1.3, server only has one group
4754 * F tests of FFDHE with TLS 1.3, server only has one group
4755 * E tests of ECDHE with TLS 1.2, server only has one group
4756 * F tests of FFDHE with TLS 1.2, server only has one group
4758 static int test_negotiated_group(int idx)
4760 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
4762 SSL_CTX *sctx = NULL, *cctx = NULL;
4763 SSL *serverssl = NULL, *clientssl = NULL;
4764 SSL_SESSION *origsess = NULL;
4767 int max_version = TLS1_3_VERSION;
4769 numec = OSSL_NELEM(ecdhe_kexch_groups);
4770 numff = OSSL_NELEM(ffdhe_kexch_groups);
4771 numgroups = numec + numff;
4772 clientmulti = (idx < 2 * numgroups);
4773 idx = idx % (2 * numgroups);
4774 istls13 = (idx < numgroups);
4775 idx = idx % numgroups;
4776 isecdhe = (idx < numec);
4779 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
4781 kexch_alg = ecdhe_kexch_groups[idx];
4783 kexch_alg = ffdhe_kexch_groups[idx];
4784 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
4785 if (!istls13 && !isecdhe)
4786 expectednid = NID_undef;
4788 expectednid = kexch_alg;
4791 max_version = TLS1_2_VERSION;
4793 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4794 TLS_client_method(), TLS1_VERSION,
4795 max_version, &sctx, &cctx, cert,
4800 * Force (EC)DHE ciphers for TLS 1.2.
4801 * Be sure to enable auto tmp DH so that FFDHE can succeed.
4803 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4804 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4805 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4806 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4808 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4809 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4810 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4813 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4817 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
4821 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4824 /* Initial handshake; always the configured one */
4825 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4826 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4829 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
4832 SSL_shutdown(clientssl);
4833 SSL_shutdown(serverssl);
4834 SSL_free(serverssl);
4835 SSL_free(clientssl);
4836 serverssl = clientssl = NULL;
4838 /* First resumption attempt; use the same config as initial handshake */
4839 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4841 || !TEST_true(SSL_set_session(clientssl, origsess))
4842 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
4846 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4847 || !TEST_true(SSL_session_reused(clientssl)))
4850 /* Still had better agree, since nothing changed... */
4851 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4852 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4855 SSL_shutdown(clientssl);
4856 SSL_shutdown(serverssl);
4857 SSL_free(serverssl);
4858 SSL_free(clientssl);
4859 serverssl = clientssl = NULL;
4862 * Second resumption attempt
4863 * The party that picks one group changes it, which we effectuate by
4864 * changing 'idx' and updating what we expect.
4872 expectednid = ecdhe_kexch_groups[idx];
4874 expectednid = ffdhe_kexch_groups[idx];
4875 /* Verify that we are changing what we expect. */
4876 if (!TEST_int_ne(expectednid, kexch_alg))
4879 /* TLS 1.2 only supports named groups for ECDHE. */
4881 expectednid = kexch_alg;
4885 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4887 || !TEST_true(SSL_set_session(clientssl, origsess))
4888 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
4892 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4893 || !TEST_true(SSL_session_reused(clientssl)))
4896 /* Check that we get what we expected */
4897 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4898 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4903 SSL_free(serverssl);
4904 SSL_free(clientssl);
4907 SSL_SESSION_free(origsess);
4910 # endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
4913 * Test TLSv1.3 Cipher Suite
4914 * Test 0 = Set TLS1.3 cipher on context
4915 * Test 1 = Set TLS1.3 cipher on SSL
4916 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4917 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4919 static int test_tls13_ciphersuite(int idx)
4921 SSL_CTX *sctx = NULL, *cctx = NULL;
4922 SSL *serverssl = NULL, *clientssl = NULL;
4923 static const struct {
4924 const char *ciphername;
4927 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
4928 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
4929 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
4930 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4931 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4932 { TLS1_3_RFC_AES_256_GCM_SHA384
4933 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4935 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
4937 const char *t13_cipher = NULL;
4938 const char *t12_cipher = NULL;
4939 const char *negotiated_scipher;
4940 const char *negotiated_ccipher;
4956 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4960 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4964 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
4965 # ifdef OPENSSL_NO_TLS1_2
4966 if (max_ver == TLS1_2_VERSION)
4969 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4970 if (is_fips && !t13_ciphers[i].fipscapable)
4972 t13_cipher = t13_ciphers[i].ciphername;
4973 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4974 TLS_client_method(),
4975 TLS1_VERSION, max_ver,
4976 &sctx, &cctx, cert, privkey)))
4980 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
4981 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
4983 if (t12_cipher != NULL) {
4984 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
4985 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
4991 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4992 &clientssl, NULL, NULL)))
4996 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
4997 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
4999 if (t12_cipher != NULL) {
5000 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5001 || !TEST_true(SSL_set_cipher_list(clientssl,
5007 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5011 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5013 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5015 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5019 * TEST_strn_eq is used below because t13_cipher can contain
5020 * multiple ciphersuites
5022 if (max_ver == TLS1_3_VERSION
5023 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5024 strlen(negotiated_scipher)))
5027 # ifndef OPENSSL_NO_TLS1_2
5028 /* Below validation is not done when t12_cipher is NULL */
5029 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5030 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5034 SSL_free(serverssl);
5036 SSL_free(clientssl);
5047 SSL_free(serverssl);
5048 SSL_free(clientssl);
5056 * Test 0 = Test new style callbacks
5057 * Test 1 = Test both new and old style callbacks
5058 * Test 2 = Test old style callbacks
5059 * Test 3 = Test old style callbacks with no certificate
5061 static int test_tls13_psk(int idx)
5063 SSL_CTX *sctx = NULL, *cctx = NULL;
5064 SSL *serverssl = NULL, *clientssl = NULL;
5065 const SSL_CIPHER *cipher = NULL;
5066 const unsigned char key[] = {
5067 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5068 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
5069 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5070 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
5074 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5075 TLS_client_method(), TLS1_VERSION, 0,
5076 &sctx, &cctx, idx == 3 ? NULL : cert,
5077 idx == 3 ? NULL : privkey)))
5082 * We use a ciphersuite with SHA256 to ease testing old style PSK
5083 * callbacks which will always default to SHA256. This should not be
5084 * necessary if we have no cert/priv key. In that case the server should
5085 * prefer SHA256 automatically.
5087 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5088 "TLS_AES_128_GCM_SHA256")))
5092 * As noted above the server should prefer SHA256 automatically. However
5093 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5094 * code works even if we are testing with only the FIPS provider loaded.
5096 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5097 "TLS_AES_256_GCM_SHA384:"
5098 "TLS_AES_128_GCM_SHA256")))
5103 * Test 0: New style callbacks only
5104 * Test 1: New and old style callbacks (only the new ones should be used)
5105 * Test 2: Old style callbacks only
5107 if (idx == 0 || idx == 1) {
5108 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5109 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5111 #ifndef OPENSSL_NO_PSK
5113 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5114 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5118 use_session_cb_cnt = 0;
5119 find_session_cb_cnt = 0;
5120 psk_client_cb_cnt = 0;
5121 psk_server_cb_cnt = 0;
5125 * Check we can create a connection if callback decides not to send a
5128 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5130 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5132 || !TEST_false(SSL_session_reused(clientssl))
5133 || !TEST_false(SSL_session_reused(serverssl)))
5136 if (idx == 0 || idx == 1) {
5137 if (!TEST_true(use_session_cb_cnt == 1)
5138 || !TEST_true(find_session_cb_cnt == 0)
5140 * If no old style callback then below should be 0
5143 || !TEST_true(psk_client_cb_cnt == idx)
5144 || !TEST_true(psk_server_cb_cnt == 0))
5147 if (!TEST_true(use_session_cb_cnt == 0)
5148 || !TEST_true(find_session_cb_cnt == 0)
5149 || !TEST_true(psk_client_cb_cnt == 1)
5150 || !TEST_true(psk_server_cb_cnt == 0))
5154 shutdown_ssl_connection(serverssl, clientssl);
5155 serverssl = clientssl = NULL;
5156 use_session_cb_cnt = psk_client_cb_cnt = 0;
5159 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5163 /* Create the PSK */
5164 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
5165 clientpsk = SSL_SESSION_new();
5166 if (!TEST_ptr(clientpsk)
5167 || !TEST_ptr(cipher)
5168 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5170 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5171 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5173 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
5175 serverpsk = clientpsk;
5177 /* Check we can create a connection and the PSK is used */
5178 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5179 || !TEST_true(SSL_session_reused(clientssl))
5180 || !TEST_true(SSL_session_reused(serverssl)))
5183 if (idx == 0 || idx == 1) {
5184 if (!TEST_true(use_session_cb_cnt == 1)
5185 || !TEST_true(find_session_cb_cnt == 1)
5186 || !TEST_true(psk_client_cb_cnt == 0)
5187 || !TEST_true(psk_server_cb_cnt == 0))
5190 if (!TEST_true(use_session_cb_cnt == 0)
5191 || !TEST_true(find_session_cb_cnt == 0)
5192 || !TEST_true(psk_client_cb_cnt == 1)
5193 || !TEST_true(psk_server_cb_cnt == 1))
5197 shutdown_ssl_connection(serverssl, clientssl);
5198 serverssl = clientssl = NULL;
5199 use_session_cb_cnt = find_session_cb_cnt = 0;
5200 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5202 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5207 #if defined(OPENSSL_NO_EC)
5208 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5211 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
5216 * Check we can create a connection, the PSK is used and the callbacks are
5219 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5220 || !TEST_true(SSL_session_reused(clientssl))
5221 || !TEST_true(SSL_session_reused(serverssl)))
5224 if (idx == 0 || idx == 1) {
5225 if (!TEST_true(use_session_cb_cnt == 2)
5226 || !TEST_true(find_session_cb_cnt == 2)
5227 || !TEST_true(psk_client_cb_cnt == 0)
5228 || !TEST_true(psk_server_cb_cnt == 0))
5231 if (!TEST_true(use_session_cb_cnt == 0)
5232 || !TEST_true(find_session_cb_cnt == 0)
5233 || !TEST_true(psk_client_cb_cnt == 2)
5234 || !TEST_true(psk_server_cb_cnt == 2))
5238 shutdown_ssl_connection(serverssl, clientssl);
5239 serverssl = clientssl = NULL;
5240 use_session_cb_cnt = find_session_cb_cnt = 0;
5241 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5245 * Check that if the server rejects the PSK we can still connect, but with
5248 srvid = "Dummy Identity";
5249 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5251 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5253 || !TEST_false(SSL_session_reused(clientssl))
5254 || !TEST_false(SSL_session_reused(serverssl)))
5257 if (idx == 0 || idx == 1) {
5258 if (!TEST_true(use_session_cb_cnt == 1)
5259 || !TEST_true(find_session_cb_cnt == 1)
5260 || !TEST_true(psk_client_cb_cnt == 0)
5262 * If no old style callback then below should be 0
5265 || !TEST_true(psk_server_cb_cnt == idx))
5268 if (!TEST_true(use_session_cb_cnt == 0)
5269 || !TEST_true(find_session_cb_cnt == 0)
5270 || !TEST_true(psk_client_cb_cnt == 1)
5271 || !TEST_true(psk_server_cb_cnt == 1))
5275 shutdown_ssl_connection(serverssl, clientssl);
5276 serverssl = clientssl = NULL;
5281 SSL_SESSION_free(clientpsk);
5282 SSL_SESSION_free(serverpsk);
5283 clientpsk = serverpsk = NULL;
5284 SSL_free(serverssl);
5285 SSL_free(clientssl);
5291 static unsigned char cookie_magic_value[] = "cookie magic";
5293 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5294 unsigned int *cookie_len)
5297 * Not suitable as a real cookie generation function but good enough for
5300 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5301 *cookie_len = sizeof(cookie_magic_value) - 1;
5306 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5307 unsigned int cookie_len)
5309 if (cookie_len == sizeof(cookie_magic_value) - 1
5310 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5316 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5320 int res = generate_cookie_callback(ssl, cookie, &temp);
5325 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5328 return verify_cookie_callback(ssl, cookie, cookie_len);
5331 static int test_stateless(void)
5333 SSL_CTX *sctx = NULL, *cctx = NULL;
5334 SSL *serverssl = NULL, *clientssl = NULL;
5337 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5338 TLS_client_method(), TLS1_VERSION, 0,
5339 &sctx, &cctx, cert, privkey)))
5342 /* The arrival of CCS messages can confuse the test */
5343 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5345 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5347 /* Send the first ClientHello */
5348 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5349 SSL_ERROR_WANT_READ))
5351 * This should fail with a -1 return because we have no callbacks
5354 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5357 /* Fatal error so abandon the connection from this client */
5358 SSL_free(clientssl);
5361 /* Set up the cookie generation and verification callbacks */
5362 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5363 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
5366 * Create a new connection from the client (we can reuse the server SSL
5369 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5371 /* Send the first ClientHello */
5372 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5373 SSL_ERROR_WANT_READ))
5374 /* This should fail because there is no cookie */
5375 || !TEST_int_eq(SSL_stateless(serverssl), 0))
5378 /* Abandon the connection from this client */
5379 SSL_free(clientssl);
5383 * Now create a connection from a new client but with the same server SSL
5386 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5388 /* Send the first ClientHello */
5389 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5390 SSL_ERROR_WANT_READ))
5391 /* This should fail because there is no cookie */
5392 || !TEST_int_eq(SSL_stateless(serverssl), 0)
5393 /* Send the second ClientHello */
5394 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5395 SSL_ERROR_WANT_READ))
5396 /* This should succeed because a cookie is now present */
5397 || !TEST_int_eq(SSL_stateless(serverssl), 1)
5398 /* Complete the connection */
5399 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5403 shutdown_ssl_connection(serverssl, clientssl);
5404 serverssl = clientssl = NULL;
5408 SSL_free(serverssl);
5409 SSL_free(clientssl);
5415 #endif /* OSSL_NO_USABLE_TLS1_3 */
5417 static int clntaddoldcb = 0;
5418 static int clntparseoldcb = 0;
5419 static int srvaddoldcb = 0;
5420 static int srvparseoldcb = 0;
5421 static int clntaddnewcb = 0;
5422 static int clntparsenewcb = 0;
5423 static int srvaddnewcb = 0;
5424 static int srvparsenewcb = 0;
5425 static int snicb = 0;
5427 #define TEST_EXT_TYPE1 0xff00
5429 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5430 size_t *outlen, int *al, void *add_arg)
5432 int *server = (int *)add_arg;
5433 unsigned char *data;
5435 if (SSL_is_server(s))
5440 if (*server != SSL_is_server(s)
5441 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5446 *outlen = sizeof(char);
5450 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5453 OPENSSL_free((unsigned char *)out);
5456 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5457 size_t inlen, int *al, void *parse_arg)
5459 int *server = (int *)parse_arg;
5461 if (SSL_is_server(s))
5466 if (*server != SSL_is_server(s)
5467 || inlen != sizeof(char)
5474 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5475 const unsigned char **out, size_t *outlen, X509 *x,
5476 size_t chainidx, int *al, void *add_arg)
5478 int *server = (int *)add_arg;
5479 unsigned char *data;
5481 if (SSL_is_server(s))
5486 if (*server != SSL_is_server(s)
5487 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5492 *outlen = sizeof(*data);
5496 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5497 const unsigned char *out, void *add_arg)
5499 OPENSSL_free((unsigned char *)out);
5502 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5503 const unsigned char *in, size_t inlen, X509 *x,
5504 size_t chainidx, int *al, void *parse_arg)
5506 int *server = (int *)parse_arg;
5508 if (SSL_is_server(s))
5513 if (*server != SSL_is_server(s)
5514 || inlen != sizeof(char) || *in != 1)
5520 static int sni_cb(SSL *s, int *al, void *arg)
5522 SSL_CTX *ctx = (SSL_CTX *)arg;
5524 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5525 *al = SSL_AD_INTERNAL_ERROR;
5526 return SSL_TLSEXT_ERR_ALERT_FATAL;
5529 return SSL_TLSEXT_ERR_OK;
5533 * Custom call back tests.
5534 * Test 0: Old style callbacks in TLSv1.2
5535 * Test 1: New style callbacks in TLSv1.2
5536 * Test 2: New style callbacks in TLSv1.2 with SNI
5537 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5538 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
5540 static int test_custom_exts(int tst)
5542 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5543 SSL *clientssl = NULL, *serverssl = NULL;
5545 static int server = 1;
5546 static int client = 0;
5547 SSL_SESSION *sess = NULL;
5548 unsigned int context;
5550 #if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
5551 /* Skip tests for TLSv1.2 and below in this case */
5556 /* Reset callback counters */
5557 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5558 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
5561 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5562 TLS_client_method(), TLS1_VERSION, 0,
5563 &sctx, &cctx, cert, privkey)))
5567 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5569 &sctx2, NULL, cert, privkey)))
5574 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5575 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
5577 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
5581 context = SSL_EXT_CLIENT_HELLO
5582 | SSL_EXT_TLS1_2_SERVER_HELLO
5583 | SSL_EXT_TLS1_3_SERVER_HELLO
5584 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5585 | SSL_EXT_TLS1_3_CERTIFICATE
5586 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5588 context = SSL_EXT_CLIENT_HELLO
5589 | SSL_EXT_TLS1_2_SERVER_HELLO
5590 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5593 /* Create a client side custom extension */
5595 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5596 old_add_cb, old_free_cb,
5597 &client, old_parse_cb,
5601 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5602 new_add_cb, new_free_cb,
5603 &client, new_parse_cb, &client)))
5607 /* Should not be able to add duplicates */
5608 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5609 old_add_cb, old_free_cb,
5610 &client, old_parse_cb,
5612 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5613 context, new_add_cb,
5614 new_free_cb, &client,
5615 new_parse_cb, &client)))
5618 /* Create a server side custom extension */
5620 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5621 old_add_cb, old_free_cb,
5622 &server, old_parse_cb,
5626 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5627 new_add_cb, new_free_cb,
5628 &server, new_parse_cb, &server)))
5631 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5632 context, new_add_cb,
5633 new_free_cb, &server,
5634 new_parse_cb, &server)))
5638 /* Should not be able to add duplicates */
5639 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5640 old_add_cb, old_free_cb,
5641 &server, old_parse_cb,
5643 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5644 context, new_add_cb,
5645 new_free_cb, &server,
5646 new_parse_cb, &server)))
5651 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5652 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5656 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5657 &clientssl, NULL, NULL))
5658 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5663 if (clntaddoldcb != 1
5664 || clntparseoldcb != 1
5666 || srvparseoldcb != 1)
5668 } else if (tst == 1 || tst == 2 || tst == 3) {
5669 if (clntaddnewcb != 1
5670 || clntparsenewcb != 1
5672 || srvparsenewcb != 1
5673 || (tst != 2 && snicb != 0)
5674 || (tst == 2 && snicb != 1))
5677 /* In this case there 2 NewSessionTicket messages created */
5678 if (clntaddnewcb != 1
5679 || clntparsenewcb != 5
5681 || srvparsenewcb != 1)
5685 sess = SSL_get1_session(clientssl);
5686 SSL_shutdown(clientssl);
5687 SSL_shutdown(serverssl);
5688 SSL_free(serverssl);
5689 SSL_free(clientssl);
5690 serverssl = clientssl = NULL;
5693 /* We don't bother with the resumption aspects for this test */
5698 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5700 || !TEST_true(SSL_set_session(clientssl, sess))
5701 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5706 * For a resumed session we expect to add the ClientHello extension. For the
5707 * old style callbacks we ignore it on the server side because they set
5708 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5712 if (clntaddoldcb != 2
5713 || clntparseoldcb != 1
5715 || srvparseoldcb != 1)
5717 } else if (tst == 1 || tst == 2 || tst == 3) {
5718 if (clntaddnewcb != 2
5719 || clntparsenewcb != 2
5721 || srvparsenewcb != 2)
5725 * No Certificate message extensions in the resumption handshake,
5726 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5728 if (clntaddnewcb != 2
5729 || clntparsenewcb != 8
5731 || srvparsenewcb != 2)
5738 SSL_SESSION_free(sess);
5739 SSL_free(serverssl);
5740 SSL_free(clientssl);
5741 SSL_CTX_free(sctx2);
5748 * Test loading of serverinfo data in various formats. test_sslmessages actually
5749 * tests to make sure the extensions appear in the handshake
5751 static int test_serverinfo(int tst)
5753 unsigned int version;
5754 unsigned char *sibuf;
5756 int ret, expected, testresult = 0;
5759 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method());
5763 if ((tst & 0x01) == 0x01)
5764 version = SSL_SERVERINFOV2;
5766 version = SSL_SERVERINFOV1;
5768 if ((tst & 0x02) == 0x02) {
5769 sibuf = serverinfov2;
5770 sibuflen = sizeof(serverinfov2);
5771 expected = (version == SSL_SERVERINFOV2);
5773 sibuf = serverinfov1;
5774 sibuflen = sizeof(serverinfov1);
5775 expected = (version == SSL_SERVERINFOV1);
5778 if ((tst & 0x04) == 0x04) {
5779 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
5781 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
5784 * The version variable is irrelevant in this case - it's what is in the
5785 * buffer that matters
5787 if ((tst & 0x02) == 0x02)
5793 if (!TEST_true(ret == expected))
5805 * Test that SSL_export_keying_material() produces expected results. There are
5806 * no test vectors so all we do is test that both sides of the communication
5807 * produce the same results for different protocol versions.
5809 #define SMALL_LABEL_LEN 10
5810 #define LONG_LABEL_LEN 249
5811 static int test_export_key_mat(int tst)
5814 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5815 SSL *clientssl = NULL, *serverssl = NULL;
5816 const char label[LONG_LABEL_LEN + 1] = "test label";
5817 const unsigned char context[] = "context";
5818 const unsigned char *emptycontext = NULL;
5819 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
5820 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
5822 const int protocols[] = {
5831 #ifdef OPENSSL_NO_TLS1
5835 #ifdef OPENSSL_NO_TLS1_1
5839 if (is_fips && (tst == 0 || tst == 1))
5841 #ifdef OPENSSL_NO_TLS1_2
5845 #ifdef OSSL_NO_USABLE_TLS1_3
5849 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5850 TLS_client_method(), TLS1_VERSION, 0,
5851 &sctx, &cctx, cert, privkey)))
5854 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
5855 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
5856 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
5857 if ((protocols[tst] < TLS1_2_VERSION) &&
5858 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
5859 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
5862 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5867 * Premature call of SSL_export_keying_material should just fail.
5869 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5870 sizeof(ckeymat1), label,
5871 SMALL_LABEL_LEN + 1, context,
5872 sizeof(context) - 1, 1), 0))
5875 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5881 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
5884 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5885 sizeof(ckeymat1), label,
5886 LONG_LABEL_LEN + 1, context,
5887 sizeof(context) - 1, 1), 0))
5892 } else if (tst == 4) {
5893 labellen = LONG_LABEL_LEN;
5895 labellen = SMALL_LABEL_LEN;
5898 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
5899 sizeof(ckeymat1), label,
5901 sizeof(context) - 1, 1), 1)
5902 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
5903 sizeof(ckeymat2), label,
5907 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
5908 sizeof(ckeymat3), label,
5911 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
5912 sizeof(skeymat1), label,
5915 sizeof(context) -1, 1),
5917 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
5918 sizeof(skeymat2), label,
5922 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
5923 sizeof(skeymat3), label,
5927 * Check that both sides created the same key material with the
5930 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5933 * Check that both sides created the same key material with an
5936 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5939 * Check that both sides created the same key material without a
5942 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
5944 /* Different contexts should produce different results */
5945 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5950 * Check that an empty context and no context produce different results in
5951 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
5953 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
5955 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
5962 SSL_free(serverssl);
5963 SSL_free(clientssl);
5964 SSL_CTX_free(sctx2);
5971 #ifndef OSSL_NO_USABLE_TLS1_3
5973 * Test that SSL_export_keying_material_early() produces expected
5974 * results. There are no test vectors so all we do is test that both
5975 * sides of the communication produce the same results for different
5976 * protocol versions.
5978 static int test_export_key_mat_early(int idx)
5980 static const char label[] = "test label";
5981 static const unsigned char context[] = "context";
5983 SSL_CTX *cctx = NULL, *sctx = NULL;
5984 SSL *clientssl = NULL, *serverssl = NULL;
5985 SSL_SESSION *sess = NULL;
5986 const unsigned char *emptycontext = NULL;
5987 unsigned char ckeymat1[80], ckeymat2[80];
5988 unsigned char skeymat1[80], skeymat2[80];
5989 unsigned char buf[1];
5990 size_t readbytes, written;
5992 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
5996 /* Here writing 0 length early data is enough. */
5997 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
5998 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6000 SSL_READ_EARLY_DATA_ERROR)
6001 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6002 SSL_EARLY_DATA_ACCEPTED))
6005 if (!TEST_int_eq(SSL_export_keying_material_early(
6006 clientssl, ckeymat1, sizeof(ckeymat1), label,
6007 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6008 || !TEST_int_eq(SSL_export_keying_material_early(
6009 clientssl, ckeymat2, sizeof(ckeymat2), label,
6010 sizeof(label) - 1, emptycontext, 0), 1)
6011 || !TEST_int_eq(SSL_export_keying_material_early(
6012 serverssl, skeymat1, sizeof(skeymat1), label,
6013 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6014 || !TEST_int_eq(SSL_export_keying_material_early(
6015 serverssl, skeymat2, sizeof(skeymat2), label,
6016 sizeof(label) - 1, emptycontext, 0), 1)
6018 * Check that both sides created the same key material with the
6021 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6024 * Check that both sides created the same key material with an
6027 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6029 /* Different contexts should produce different results */
6030 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6037 SSL_SESSION_free(sess);
6038 SSL_SESSION_free(clientpsk);
6039 SSL_SESSION_free(serverpsk);
6040 clientpsk = serverpsk = NULL;
6041 SSL_free(serverssl);
6042 SSL_free(clientssl);
6049 #define NUM_KEY_UPDATE_MESSAGES 40
6053 static int test_key_update(void)
6055 SSL_CTX *cctx = NULL, *sctx = NULL;
6056 SSL *clientssl = NULL, *serverssl = NULL;
6057 int testresult = 0, i, j;
6059 static char *mess = "A test message";
6061 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6062 TLS_client_method(),
6065 &sctx, &cctx, cert, privkey))
6066 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6068 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6072 for (j = 0; j < 2; j++) {
6073 /* Send lots of KeyUpdate messages */
6074 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6075 if (!TEST_true(SSL_key_update(clientssl,
6077 ? SSL_KEY_UPDATE_NOT_REQUESTED
6078 : SSL_KEY_UPDATE_REQUESTED))
6079 || !TEST_true(SSL_do_handshake(clientssl)))
6083 /* Check that sending and receiving app data is ok */
6084 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6085 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6089 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6090 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6098 SSL_free(serverssl);
6099 SSL_free(clientssl);
6107 * Test we can handle a KeyUpdate (update requested) message while write data
6109 * Test 0: Client sends KeyUpdate while Server is writing
6110 * Test 1: Server sends KeyUpdate while Client is writing
6112 static int test_key_update_in_write(int tst)
6114 SSL_CTX *cctx = NULL, *sctx = NULL;
6115 SSL *clientssl = NULL, *serverssl = NULL;
6118 static char *mess = "A test message";
6119 BIO *bretry = BIO_new(bio_s_always_retry());
6121 SSL *peerupdate = NULL, *peerwrite = NULL;
6123 if (!TEST_ptr(bretry)
6124 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6125 TLS_client_method(),
6128 &sctx, &cctx, cert, privkey))
6129 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6131 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6135 peerupdate = tst == 0 ? clientssl : serverssl;
6136 peerwrite = tst == 0 ? serverssl : clientssl;
6138 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
6139 || !TEST_true(SSL_do_handshake(peerupdate)))
6142 /* Swap the writing endpoint's write BIO to force a retry */
6143 tmp = SSL_get_wbio(peerwrite);
6144 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6148 SSL_set0_wbio(peerwrite, bretry);
6151 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6152 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6153 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
6156 /* Reinstate the original writing endpoint's write BIO */
6157 SSL_set0_wbio(peerwrite, tmp);
6160 /* Now read some data - we will read the key update */
6161 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6162 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
6166 * Complete the write we started previously and read it from the other
6169 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6170 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6173 /* Write more data to ensure we send the KeyUpdate message back */
6174 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6175 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6181 SSL_free(serverssl);
6182 SSL_free(clientssl);
6190 #endif /* OSSL_NO_USABLE_TLS1_3 */
6192 static int test_ssl_clear(int idx)
6194 SSL_CTX *cctx = NULL, *sctx = NULL;
6195 SSL *clientssl = NULL, *serverssl = NULL;
6198 #ifdef OPENSSL_NO_TLS1_2
6203 /* Create an initial connection */
6204 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6205 TLS_client_method(), TLS1_VERSION, 0,
6206 &sctx, &cctx, cert, privkey))
6208 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
6210 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6211 &clientssl, NULL, NULL))
6212 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6216 SSL_shutdown(clientssl);
6217 SSL_shutdown(serverssl);
6218 SSL_free(serverssl);
6221 /* Clear clientssl - we're going to reuse the object */
6222 if (!TEST_true(SSL_clear(clientssl)))
6225 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6227 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6229 || !TEST_true(SSL_session_reused(clientssl)))
6232 SSL_shutdown(clientssl);
6233 SSL_shutdown(serverssl);
6238 SSL_free(serverssl);
6239 SSL_free(clientssl);
6246 /* Parse CH and retrieve any MFL extension value if present */
6247 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
6250 unsigned char *data;
6251 PACKET pkt, pkt2, pkt3;
6252 unsigned int MFL_code = 0, type = 0;
6254 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
6257 memset(&pkt, 0, sizeof(pkt));
6258 memset(&pkt2, 0, sizeof(pkt2));
6259 memset(&pkt3, 0, sizeof(pkt3));
6261 if (!TEST_long_gt(len, 0)
6262 || !TEST_true( PACKET_buf_init( &pkt, data, len ) )
6263 /* Skip the record header */
6264 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
6265 /* Skip the handshake message header */
6266 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
6267 /* Skip client version and random */
6268 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
6269 + SSL3_RANDOM_SIZE))
6270 /* Skip session id */
6271 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6273 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
6274 /* Skip compression */
6275 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6276 /* Extensions len */
6277 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
6280 /* Loop through all extensions */
6281 while (PACKET_remaining(&pkt2)) {
6282 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
6283 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
6286 if (type == TLSEXT_TYPE_max_fragment_length) {
6287 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
6288 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
6291 *mfl_codemfl_code = MFL_code;
6300 /* Maximum-Fragment-Length TLS extension mode to test */
6301 static const unsigned char max_fragment_len_test[] = {
6302 TLSEXT_max_fragment_length_512,
6303 TLSEXT_max_fragment_length_1024,
6304 TLSEXT_max_fragment_length_2048,
6305 TLSEXT_max_fragment_length_4096
6308 static int test_max_fragment_len_ext(int idx_tst)
6310 SSL_CTX *ctx = NULL;
6312 int testresult = 0, MFL_mode = 0;
6315 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
6316 TLS1_VERSION, 0, NULL, &ctx, NULL,
6320 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
6321 ctx, max_fragment_len_test[idx_tst])))
6328 rbio = BIO_new(BIO_s_mem());
6329 wbio = BIO_new(BIO_s_mem());
6330 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
6336 SSL_set_bio(con, rbio, wbio);
6338 if (!TEST_int_le(SSL_connect(con), 0)) {
6339 /* This shouldn't succeed because we don't have a server! */
6343 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
6344 /* no MFL in client hello */
6346 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
6358 #ifndef OSSL_NO_USABLE_TLS1_3
6359 static int test_pha_key_update(void)
6361 SSL_CTX *cctx = NULL, *sctx = NULL;
6362 SSL *clientssl = NULL, *serverssl = NULL;
6365 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6366 TLS_client_method(), TLS1_VERSION, 0,
6367 &sctx, &cctx, cert, privkey)))
6370 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
6371 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
6372 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
6373 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
6376 SSL_CTX_set_post_handshake_auth(cctx, 1);
6378 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6382 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6386 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6387 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6390 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
6393 /* Start handshake on the server */
6394 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
6397 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
6398 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6402 SSL_shutdown(clientssl);
6403 SSL_shutdown(serverssl);
6408 SSL_free(serverssl);
6409 SSL_free(clientssl);
6416 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6418 static SRP_VBASE *vbase = NULL;
6420 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
6422 int ret = SSL3_AL_FATAL;
6424 SRP_user_pwd *user = NULL;
6426 username = SSL_get_srp_username(s);
6427 if (username == NULL) {
6428 *ad = SSL_AD_INTERNAL_ERROR;
6432 user = SRP_VBASE_get1_by_user(vbase, username);
6434 *ad = SSL_AD_INTERNAL_ERROR;
6438 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
6440 *ad = SSL_AD_INTERNAL_ERROR;
6447 SRP_user_pwd_free(user);
6451 static int create_new_vfile(char *userid, char *password, const char *filename)
6454 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
6457 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
6460 if (!TEST_ptr(dummy) || !TEST_ptr(row))
6463 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
6464 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
6465 if (!TEST_ptr(gNid))
6469 * The only way to create an empty TXT_DB is to provide a BIO with no data
6472 db = TXT_DB_read(dummy, DB_NUMBER);
6476 out = BIO_new_file(filename, "w");
6480 row[DB_srpid] = OPENSSL_strdup(userid);
6481 row[DB_srptype] = OPENSSL_strdup("V");
6482 row[DB_srpgN] = OPENSSL_strdup(gNid);
6484 if (!TEST_ptr(row[DB_srpid])
6485 || !TEST_ptr(row[DB_srptype])
6486 || !TEST_ptr(row[DB_srpgN])
6487 || !TEST_true(TXT_DB_insert(db, row)))
6492 if (!TXT_DB_write(out, db))
6498 for (i = 0; i < DB_NUMBER; i++)
6499 OPENSSL_free(row[i]);
6509 static int create_new_vbase(char *userid, char *password)
6511 BIGNUM *verifier = NULL, *salt = NULL;
6512 const SRP_gN *lgN = NULL;
6513 SRP_user_pwd *user_pwd = NULL;
6516 lgN = SRP_get_default_gN(NULL);
6520 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
6521 lgN->N, lgN->g, libctx, NULL)))
6524 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
6525 if (!TEST_ptr(user_pwd))
6528 user_pwd->N = lgN->N;
6529 user_pwd->g = lgN->g;
6530 user_pwd->id = OPENSSL_strdup(userid);
6531 if (!TEST_ptr(user_pwd->id))
6534 user_pwd->v = verifier;
6536 verifier = salt = NULL;
6538 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
6544 SRP_user_pwd_free(user_pwd);
6554 * Test 0: Simple successful SRP connection, new vbase
6555 * Test 1: Connection failure due to bad password, new vbase
6556 * Test 2: Simple successful SRP connection, vbase loaded from existing file
6557 * Test 3: Connection failure due to bad password, vbase loaded from existing
6559 * Test 4: Simple successful SRP connection, vbase loaded from new file
6560 * Test 5: Connection failure due to bad password, vbase loaded from new file
6562 static int test_srp(int tst)
6564 char *userid = "test", *password = "password", *tstsrpfile;
6565 SSL_CTX *cctx = NULL, *sctx = NULL;
6566 SSL *clientssl = NULL, *serverssl = NULL;
6567 int ret, testresult = 0;
6569 vbase = SRP_VBASE_new(NULL);
6570 if (!TEST_ptr(vbase))
6573 if (tst == 0 || tst == 1) {
6574 if (!TEST_true(create_new_vbase(userid, password)))
6577 if (tst == 4 || tst == 5) {
6578 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
6580 tstsrpfile = tmpfilename;
6582 tstsrpfile = srpvfile;
6584 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
6588 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6589 TLS_client_method(), TLS1_VERSION, 0,
6590 &sctx, &cctx, cert, privkey)))
6593 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
6594 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
6595 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
6596 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
6597 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
6601 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
6604 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
6608 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6612 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6614 if (!TEST_true(tst % 2 == 0))
6617 if (!TEST_true(tst % 2 == 1))
6624 SRP_VBASE_free(vbase);
6626 SSL_free(serverssl);
6627 SSL_free(clientssl);
6635 static int info_cb_failed = 0;
6636 static int info_cb_offset = 0;
6637 static int info_cb_this_state = -1;
6639 static struct info_cb_states_st {
6641 const char *statestr;
6642 } info_cb_states[][60] = {
6644 /* TLSv1.2 server followed by resumption */
6645 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6646 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6647 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
6648 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
6649 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
6650 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6651 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6652 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6653 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
6654 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6655 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
6656 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6657 {SSL_CB_EXIT, NULL}, {0, NULL},
6659 /* TLSv1.2 client followed by resumption */
6660 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6661 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6662 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
6663 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
6664 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
6665 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6666 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6667 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6668 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6669 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6670 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6671 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
6673 /* TLSv1.3 server followed by resumption */
6674 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6675 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6676 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
6677 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
6678 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
6679 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6680 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6681 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6682 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6683 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6684 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
6685 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6686 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
6688 /* TLSv1.3 client followed by resumption */
6689 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6690 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6691 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
6692 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
6693 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6694 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6695 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
6696 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
6697 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6698 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
6699 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6700 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6701 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6702 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
6703 {SSL_CB_EXIT, NULL}, {0, NULL},
6705 /* TLSv1.3 server, early_data */
6706 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6707 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6708 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6709 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6710 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6711 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
6712 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6713 {SSL_CB_EXIT, NULL}, {0, NULL},
6715 /* TLSv1.3 client, early_data */
6716 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6717 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
6718 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6719 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6720 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6721 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
6722 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6723 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6724 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
6730 static void sslapi_info_callback(const SSL *s, int where, int ret)
6732 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
6734 /* We do not ever expect a connection to fail in this test */
6735 if (!TEST_false(ret == 0)) {
6741 * Do some sanity checks. We never expect these things to happen in this
6744 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
6745 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
6746 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
6751 /* Now check we're in the right state */
6752 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
6756 if ((where & SSL_CB_LOOP) != 0
6757 && !TEST_int_eq(strcmp(SSL_state_string(s),
6758 state[info_cb_this_state].statestr), 0)) {
6764 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
6766 if ((where & SSL_CB_HANDSHAKE_DONE)
6767 && SSL_in_init((SSL *)s) != 0) {
6774 * Test the info callback gets called when we expect it to.
6776 * Test 0: TLSv1.2, server
6777 * Test 1: TLSv1.2, client
6778 * Test 2: TLSv1.3, server
6779 * Test 3: TLSv1.3, client
6780 * Test 4: TLSv1.3, server, early_data
6781 * Test 5: TLSv1.3, client, early_data
6783 static int test_info_callback(int tst)
6785 SSL_CTX *cctx = NULL, *sctx = NULL;
6786 SSL *clientssl = NULL, *serverssl = NULL;
6787 SSL_SESSION *clntsess = NULL;
6792 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
6793 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
6794 || !defined(OPENSSL_NO_DH))
6795 tlsvers = TLS1_2_VERSION;
6800 #ifndef OSSL_NO_USABLE_TLS1_3
6801 tlsvers = TLS1_3_VERSION;
6809 info_cb_this_state = -1;
6810 info_cb_offset = tst;
6812 #ifndef OSSL_NO_USABLE_TLS1_3
6814 SSL_SESSION *sess = NULL;
6815 size_t written, readbytes;
6816 unsigned char buf[80];
6818 /* early_data tests */
6819 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
6820 &serverssl, &sess, 0)))
6823 /* We don't actually need this reference */
6824 SSL_SESSION_free(sess);
6826 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
6827 sslapi_info_callback);
6829 /* Write and read some early data and then complete the connection */
6830 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
6832 || !TEST_size_t_eq(written, strlen(MSG1))
6833 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
6834 sizeof(buf), &readbytes),
6835 SSL_READ_EARLY_DATA_SUCCESS)
6836 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
6837 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6838 SSL_EARLY_DATA_ACCEPTED)
6839 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6841 || !TEST_false(info_cb_failed))
6849 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6850 TLS_client_method(),
6851 tlsvers, tlsvers, &sctx, &cctx, cert,
6855 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
6859 * For even numbered tests we check the server callbacks. For odd numbers we
6862 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
6863 sslapi_info_callback);
6865 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6866 &clientssl, NULL, NULL))
6867 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6869 || !TEST_false(info_cb_failed))
6874 clntsess = SSL_get1_session(clientssl);
6875 SSL_shutdown(clientssl);
6876 SSL_shutdown(serverssl);
6877 SSL_free(serverssl);
6878 SSL_free(clientssl);
6879 serverssl = clientssl = NULL;
6881 /* Now do a resumption */
6882 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6884 || !TEST_true(SSL_set_session(clientssl, clntsess))
6885 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6887 || !TEST_true(SSL_session_reused(clientssl))
6888 || !TEST_false(info_cb_failed))
6894 SSL_free(serverssl);
6895 SSL_free(clientssl);
6896 SSL_SESSION_free(clntsess);
6902 static int test_ssl_pending(int tst)
6904 SSL_CTX *cctx = NULL, *sctx = NULL;
6905 SSL *clientssl = NULL, *serverssl = NULL;
6907 char msg[] = "A test message";
6909 size_t written, readbytes;
6912 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6913 TLS_client_method(),
6915 &sctx, &cctx, cert, privkey)))
6918 #ifndef OPENSSL_NO_DTLS
6919 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
6920 DTLS_client_method(),
6922 &sctx, &cctx, cert, privkey)))
6925 # ifdef OPENSSL_NO_DTLS1_2
6926 /* Not supported in the FIPS provider */
6932 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
6935 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
6936 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
6937 "DEFAULT:@SECLEVEL=0")))
6945 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6947 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6951 if (!TEST_int_eq(SSL_pending(clientssl), 0)
6952 || !TEST_false(SSL_has_pending(clientssl))
6953 || !TEST_int_eq(SSL_pending(serverssl), 0)
6954 || !TEST_false(SSL_has_pending(serverssl))
6955 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6956 || !TEST_size_t_eq(written, sizeof(msg))
6957 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
6958 || !TEST_size_t_eq(readbytes, sizeof(buf))
6959 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
6960 || !TEST_true(SSL_has_pending(clientssl)))
6966 SSL_free(serverssl);
6967 SSL_free(clientssl);
6975 unsigned int maxprot;
6976 const char *clntciphers;
6977 const char *clnttls13ciphers;
6978 const char *srvrciphers;
6979 const char *srvrtls13ciphers;
6981 const char *fipsshared;
6982 } shared_ciphers_data[] = {
6984 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
6985 * TLSv1.3 is enabled but TLSv1.2 is disabled.
6987 #if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
6990 "AES128-SHA:AES256-SHA",
6992 "AES256-SHA:DHE-RSA-AES128-SHA",
6997 # if !defined(OPENSSL_NO_CHACHA) \
6998 && !defined(OPENSSL_NO_POLY1305) \
6999 && !defined(OPENSSL_NO_EC)
7002 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7004 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7006 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7012 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
7014 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
7016 "AES128-SHA:AES256-SHA",
7017 "AES128-SHA:AES256-SHA"
7021 "AES128-SHA:AES256-SHA",
7023 "AES128-SHA:DHE-RSA-AES128-SHA",
7030 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7033 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
7034 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
7037 "AES128-SHA:AES256-SHA",
7039 "AES256-SHA:AES128-SHA256",
7041 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
7042 "TLS_AES_128_GCM_SHA256:AES256-SHA",
7043 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
7046 #ifndef OSSL_NO_USABLE_TLS1_3
7050 "TLS_AES_256_GCM_SHA384",
7052 "TLS_AES_256_GCM_SHA384",
7053 "TLS_AES_256_GCM_SHA384",
7054 "TLS_AES_256_GCM_SHA384"
7059 static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
7061 SSL_CTX *cctx = NULL, *sctx = NULL;
7062 SSL *clientssl = NULL, *serverssl = NULL;
7065 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
7067 if (!TEST_ptr(tmplibctx))
7071 * Regardless of whether we're testing with the FIPS provider loaded into
7072 * libctx, we want one peer to always use the full set of ciphersuites
7073 * available. Therefore we use a separate libctx with the default provider
7074 * loaded into it. We run the same tests twice - once with the client side
7075 * having the full set of ciphersuites and once with the server side.
7078 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
7079 if (!TEST_ptr(cctx))
7082 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
7083 if (!TEST_ptr(sctx))
7087 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7088 TLS_client_method(),
7090 shared_ciphers_data[tst].maxprot,
7091 &sctx, &cctx, cert, privkey)))
7094 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
7095 shared_ciphers_data[tst].clntciphers))
7096 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
7097 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
7098 shared_ciphers_data[tst].clnttls13ciphers)))
7099 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
7100 shared_ciphers_data[tst].srvrciphers))
7101 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
7102 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
7103 shared_ciphers_data[tst].srvrtls13ciphers))))
7107 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7109 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7113 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
7114 || !TEST_int_eq(strcmp(buf,
7116 ? shared_ciphers_data[tst].fipsshared
7117 : shared_ciphers_data[tst].shared),
7119 TEST_info("Shared ciphers are: %s\n", buf);
7126 SSL_free(serverssl);
7127 SSL_free(clientssl);
7130 OSSL_LIB_CTX_free(tmplibctx);
7135 static int test_ssl_get_shared_ciphers(int tst)
7137 return int_test_ssl_get_shared_ciphers(tst, 0)
7138 && int_test_ssl_get_shared_ciphers(tst, 1);
7142 static const char *appdata = "Hello World";
7143 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
7144 static int tick_key_renew = 0;
7145 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7147 static int gen_tick_cb(SSL *s, void *arg)
7149 gen_tick_called = 1;
7151 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
7155 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
7156 const unsigned char *keyname,
7157 size_t keyname_length,
7158 SSL_TICKET_STATUS status,
7164 dec_tick_called = 1;
7166 if (status == SSL_TICKET_EMPTY)
7167 return SSL_TICKET_RETURN_IGNORE_RENEW;
7169 if (!TEST_true(status == SSL_TICKET_SUCCESS
7170 || status == SSL_TICKET_SUCCESS_RENEW))
7171 return SSL_TICKET_RETURN_ABORT;
7173 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
7175 || !TEST_size_t_eq(tickdlen, strlen(appdata))
7176 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
7177 return SSL_TICKET_RETURN_ABORT;
7179 if (tick_key_cb_called) {
7180 /* Don't change what the ticket key callback wanted to do */
7182 case SSL_TICKET_NO_DECRYPT:
7183 return SSL_TICKET_RETURN_IGNORE_RENEW;
7185 case SSL_TICKET_SUCCESS:
7186 return SSL_TICKET_RETURN_USE;
7188 case SSL_TICKET_SUCCESS_RENEW:
7189 return SSL_TICKET_RETURN_USE_RENEW;
7192 return SSL_TICKET_RETURN_ABORT;
7195 return tick_dec_ret;
7199 #ifndef OPENSSL_NO_DEPRECATED_3_0
7200 static int tick_key_cb(SSL *s, unsigned char key_name[16],
7201 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
7202 HMAC_CTX *hctx, int enc)
7204 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7205 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
7206 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7207 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
7210 tick_key_cb_called = 1;
7211 memset(iv, 0, AES_BLOCK_SIZE);
7212 memset(key_name, 0, 16);
7213 if (aes128cbc == NULL
7215 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7216 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
7220 ret = tick_key_renew ? 2 : 1;
7222 EVP_CIPHER_free(aes128cbc);
7223 EVP_MD_free(sha256);
7229 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
7230 unsigned char iv[EVP_MAX_IV_LENGTH],
7231 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
7233 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7234 unsigned char tick_hmac_key[16] = "0123456789abcdef";
7235 OSSL_PARAM params[2];
7236 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7239 tick_key_cb_called = 1;
7240 memset(iv, 0, AES_BLOCK_SIZE);
7241 memset(key_name, 0, 16);
7242 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
7244 params[1] = OSSL_PARAM_construct_end();
7245 if (aes128cbc == NULL
7246 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7247 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
7251 ret = tick_key_renew ? 2 : 1;
7253 EVP_CIPHER_free(aes128cbc);
7259 * Test the various ticket callbacks
7260 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
7261 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
7262 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
7263 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
7264 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
7265 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
7266 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
7267 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
7268 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
7269 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
7270 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
7271 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
7272 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
7273 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
7274 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
7275 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
7277 static int test_ticket_callbacks(int tst)
7279 SSL_CTX *cctx = NULL, *sctx = NULL;
7280 SSL *clientssl = NULL, *serverssl = NULL;
7281 SSL_SESSION *clntsess = NULL;
7284 #ifdef OPENSSL_NO_TLS1_2
7288 #ifdef OSSL_NO_USABLE_TLS1_3
7292 #ifdef OPENSSL_NO_DEPRECATED_3_0
7293 if (tst >= 8 && tst <= 11)
7297 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
7299 /* Which tests the ticket key callback should request renewal for */
7300 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
7305 /* Which tests the decrypt ticket callback should request renewal for */
7309 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
7314 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
7319 tick_dec_ret = SSL_TICKET_RETURN_USE;
7324 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
7328 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7331 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7332 TLS_client_method(),
7334 ((tst % 2) == 0) ? TLS1_2_VERSION
7336 &sctx, &cctx, cert, privkey)))
7340 * We only want sessions to resume from tickets - not the session cache. So
7341 * switch the cache off.
7343 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
7346 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
7351 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
7353 #ifndef OPENSSL_NO_DEPRECATED_3_0
7354 } else if (tst >= 8) {
7355 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
7360 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7362 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7367 * The decrypt ticket key callback in TLSv1.2 should be called even though
7368 * we have no ticket yet, because it gets called with a status of
7369 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
7370 * actually send any ticket data). This does not happen in TLSv1.3 because
7371 * it is not valid to send empty ticket data in TLSv1.3.
7373 if (!TEST_int_eq(gen_tick_called, 1)
7374 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
7377 gen_tick_called = dec_tick_called = 0;
7379 clntsess = SSL_get1_session(clientssl);
7380 SSL_shutdown(clientssl);
7381 SSL_shutdown(serverssl);
7382 SSL_free(serverssl);
7383 SSL_free(clientssl);
7384 serverssl = clientssl = NULL;
7386 /* Now do a resumption */
7387 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7389 || !TEST_true(SSL_set_session(clientssl, clntsess))
7390 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7394 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
7395 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
7396 if (!TEST_false(SSL_session_reused(clientssl)))
7399 if (!TEST_true(SSL_session_reused(clientssl)))
7403 if (!TEST_int_eq(gen_tick_called,
7405 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
7406 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
7408 || !TEST_int_eq(dec_tick_called, 1))
7414 SSL_SESSION_free(clntsess);
7415 SSL_free(serverssl);
7416 SSL_free(clientssl);
7424 * Test incorrect shutdown.
7425 * Test 0: client does not shutdown properly,
7426 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
7427 * server should get SSL_ERROR_SSL
7428 * Test 1: client does not shutdown properly,
7429 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
7430 * server should get SSL_ERROR_ZERO_RETURN
7432 static int test_incorrect_shutdown(int tst)
7434 SSL_CTX *cctx = NULL, *sctx = NULL;
7435 SSL *clientssl = NULL, *serverssl = NULL;
7440 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7441 TLS_client_method(), 0, 0,
7442 &sctx, &cctx, cert, privkey)))
7446 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
7448 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7452 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7456 c2s = SSL_get_rbio(serverssl);
7457 BIO_set_mem_eof_return(c2s, 0);
7459 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
7462 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
7464 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
7470 SSL_free(serverssl);
7471 SSL_free(clientssl);
7479 * Test bi-directional shutdown.
7481 * Test 1: TLSv1.2, server continues to read/write after client shutdown
7482 * Test 2: TLSv1.3, no pending NewSessionTicket messages
7483 * Test 3: TLSv1.3, pending NewSessionTicket messages
7484 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
7485 * sends key update, client reads it
7486 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
7487 * sends CertificateRequest, client reads and ignores it
7488 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
7491 static int test_shutdown(int tst)
7493 SSL_CTX *cctx = NULL, *sctx = NULL;
7494 SSL *clientssl = NULL, *serverssl = NULL;
7496 char msg[] = "A test message";
7498 size_t written, readbytes;
7501 #ifdef OPENSSL_NO_TLS1_2
7505 #ifdef OSSL_NO_USABLE_TLS1_3
7510 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7511 TLS_client_method(),
7513 (tst <= 1) ? TLS1_2_VERSION
7515 &sctx, &cctx, cert, privkey)))
7519 SSL_CTX_set_post_handshake_auth(cctx, 1);
7521 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7526 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
7528 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7529 || !TEST_false(SSL_SESSION_is_resumable(sess)))
7531 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7533 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7534 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
7538 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
7543 * Reading on the server after the client has sent close_notify should
7544 * fail and provide SSL_ERROR_ZERO_RETURN
7546 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
7547 || !TEST_int_eq(SSL_get_error(serverssl, 0),
7548 SSL_ERROR_ZERO_RETURN)
7549 || !TEST_int_eq(SSL_get_shutdown(serverssl),
7550 SSL_RECEIVED_SHUTDOWN)
7552 * Even though we're shutdown on receive we should still be
7555 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7558 && !TEST_true(SSL_key_update(serverssl,
7559 SSL_KEY_UPDATE_REQUESTED)))
7562 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7563 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7566 if ((tst == 4 || tst == 5)
7567 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7569 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
7571 if (tst == 4 || tst == 5) {
7572 /* Should still be able to read data from server */
7573 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7575 || !TEST_size_t_eq(readbytes, sizeof(msg))
7576 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
7577 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7579 || !TEST_size_t_eq(readbytes, sizeof(msg))
7580 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
7585 /* Writing on the client after sending close_notify shouldn't be possible */
7586 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
7591 * For these tests the client has sent close_notify but it has not yet
7592 * been received by the server. The server has not sent close_notify
7595 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
7597 * Writing on the server after sending close_notify shouldn't
7600 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7601 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
7602 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7603 || !TEST_true(SSL_SESSION_is_resumable(sess))
7604 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
7606 } else if (tst == 4 || tst == 5) {
7608 * In this test the client has sent close_notify and it has been
7609 * received by the server which has responded with a close_notify. The
7610 * client needs to read the close_notify sent by the server.
7612 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
7613 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7614 || !TEST_true(SSL_SESSION_is_resumable(sess)))
7620 * The client has sent close_notify and is expecting a close_notify
7621 * back, but instead there is application data first. The shutdown
7622 * should fail with a fatal error.
7624 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
7625 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
7632 SSL_free(serverssl);
7633 SSL_free(clientssl);
7640 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
7641 static int cert_cb_cnt;
7643 static int cert_cb(SSL *s, void *arg)
7645 SSL_CTX *ctx = (SSL_CTX *)arg;
7647 EVP_PKEY *pkey = NULL;
7648 X509 *x509 = NULL, *rootx = NULL;
7649 STACK_OF(X509) *chain = NULL;
7650 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
7653 if (cert_cb_cnt == 0) {
7654 /* Suspend the handshake */
7657 } else if (cert_cb_cnt == 1) {
7659 * Update the SSL_CTX, set the certificate and private key and then
7660 * continue the handshake normally.
7662 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
7665 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
7666 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
7668 || !TEST_true(SSL_check_private_key(s)))
7672 } else if (cert_cb_cnt == 3) {
7675 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
7676 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
7677 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
7678 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
7680 chain = sk_X509_new_null();
7681 if (!TEST_ptr(chain))
7683 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7684 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
7685 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
7686 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
7687 || !TEST_true(sk_X509_push(chain, rootx)))
7691 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7692 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
7693 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
7694 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
7697 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7698 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
7699 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
7703 rv = SSL_check_chain(s, x509, pkey, chain);
7705 * If the cert doesn't show as valid here (e.g., because we don't
7706 * have any shared sigalgs), then we will not set it, and there will
7707 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
7708 * will cause tls_choose_sigalgs() to fail the connection.
7710 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
7711 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
7712 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
7719 /* Abort the handshake */
7721 OPENSSL_free(ecdsacert);
7722 OPENSSL_free(ecdsakey);
7723 OPENSSL_free(rootfile);
7725 EVP_PKEY_free(pkey);
7728 sk_X509_pop_free(chain, X509_free);
7733 * Test the certificate callback.
7734 * Test 0: Callback fails
7735 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
7736 * Test 2: Success - SSL_set_SSL_CTX() in the callback
7737 * Test 3: Success - Call SSL_check_chain from the callback
7738 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
7740 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
7742 static int test_cert_cb_int(int prot, int tst)
7744 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
7745 SSL *clientssl = NULL, *serverssl = NULL;
7746 int testresult = 0, ret;
7748 #ifdef OPENSSL_NO_EC
7749 /* We use an EC cert in these tests, so we skip in a no-ec build */
7754 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7755 TLS_client_method(),
7758 &sctx, &cctx, NULL, NULL)))
7769 snictx = SSL_CTX_new(TLS_server_method());
7770 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
7772 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7778 * We cause SSL_check_chain() to fail by specifying sig_algs that
7779 * the chain doesn't meet (the root uses an RSA cert)
7781 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7782 "ecdsa_secp256r1_sha256")))
7784 } else if (tst == 5) {
7786 * We cause SSL_check_chain() to fail by specifying sig_algs that
7787 * the ee cert doesn't meet (the ee uses an ECDSA cert)
7789 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7790 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
7794 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7795 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
7797 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
7804 SSL_free(serverssl);
7805 SSL_free(clientssl);
7808 SSL_CTX_free(snictx);
7814 static int test_cert_cb(int tst)
7818 #ifndef OPENSSL_NO_TLS1_2
7819 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
7821 #ifndef OSSL_NO_USABLE_TLS1_3
7822 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
7828 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
7833 BIO *priv_in = NULL;
7835 /* Check that SSL_get0_peer_certificate() returns something sensible */
7836 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
7839 in = BIO_new_file(cert, "r");
7843 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
7844 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
7845 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
7846 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
7864 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
7869 static int test_client_cert_cb(int tst)
7871 SSL_CTX *cctx = NULL, *sctx = NULL;
7872 SSL *clientssl = NULL, *serverssl = NULL;
7875 #ifdef OPENSSL_NO_TLS1_2
7879 #ifdef OSSL_NO_USABLE_TLS1_3
7884 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7885 TLS_client_method(),
7887 tst == 0 ? TLS1_2_VERSION
7889 &sctx, &cctx, cert, privkey)))
7893 * Test that setting a client_cert_cb results in a client certificate being
7896 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
7897 SSL_CTX_set_verify(sctx,
7898 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
7901 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7903 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7910 SSL_free(serverssl);
7911 SSL_free(clientssl);
7918 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
7920 * Test setting certificate authorities on both client and server.
7922 * Test 0: SSL_CTX_set0_CA_list() only
7923 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
7924 * Test 2: Only SSL_CTX_set_client_CA_list()
7926 static int test_ca_names_int(int prot, int tst)
7928 SSL_CTX *cctx = NULL, *sctx = NULL;
7929 SSL *clientssl = NULL, *serverssl = NULL;
7932 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
7933 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
7934 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
7935 const STACK_OF(X509_NAME) *sktmp = NULL;
7937 for (i = 0; i < OSSL_NELEM(name); i++) {
7938 name[i] = X509_NAME_new();
7939 if (!TEST_ptr(name[i])
7940 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
7948 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7949 TLS_client_method(),
7952 &sctx, &cctx, cert, privkey)))
7955 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
7957 if (tst == 0 || tst == 1) {
7958 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7959 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
7960 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
7961 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7962 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
7963 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
7966 SSL_CTX_set0_CA_list(sctx, sk1);
7967 SSL_CTX_set0_CA_list(cctx, sk2);
7970 if (tst == 1 || tst == 2) {
7971 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7972 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
7973 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
7974 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7975 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
7976 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
7979 SSL_CTX_set_client_CA_list(sctx, sk1);
7980 SSL_CTX_set_client_CA_list(cctx, sk2);
7984 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7986 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7991 * We only expect certificate authorities to have been sent to the server
7992 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
7994 sktmp = SSL_get0_peer_CA_list(serverssl);
7995 if (prot == TLS1_3_VERSION
7996 && (tst == 0 || tst == 1)) {
7997 if (!TEST_ptr(sktmp)
7998 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7999 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8001 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8004 } else if (!TEST_ptr_null(sktmp)) {
8009 * In all tests we expect certificate authorities to have been sent to the
8010 * client. However, SSL_set_client_CA_list() should override
8011 * SSL_set0_CA_list()
8013 sktmp = SSL_get0_peer_CA_list(clientssl);
8014 if (!TEST_ptr(sktmp)
8015 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8016 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8017 name[tst == 0 ? 0 : 2]), 0)
8018 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8019 name[tst == 0 ? 1 : 3]), 0))
8025 SSL_free(serverssl);
8026 SSL_free(clientssl);
8029 for (i = 0; i < OSSL_NELEM(name); i++)
8030 X509_NAME_free(name[i]);
8031 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
8032 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
8038 static int test_ca_names(int tst)
8042 #ifndef OPENSSL_NO_TLS1_2
8043 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
8045 #ifndef OSSL_NO_USABLE_TLS1_3
8046 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
8052 #ifndef OPENSSL_NO_TLS1_2
8053 static const char *multiblock_cipherlist_data[]=
8061 /* Reduce the fragment size - so the multiblock test buffer can be small */
8062 # define MULTIBLOCK_FRAGSIZE 512
8064 static int test_multiblock_write(int test_index)
8066 static const char *fetchable_ciphers[]=
8068 "AES-128-CBC-HMAC-SHA1",
8069 "AES-128-CBC-HMAC-SHA256",
8070 "AES-256-CBC-HMAC-SHA1",
8071 "AES-256-CBC-HMAC-SHA256"
8073 const char *cipherlist = multiblock_cipherlist_data[test_index];
8074 const SSL_METHOD *smeth = TLS_server_method();
8075 const SSL_METHOD *cmeth = TLS_client_method();
8076 int min_version = TLS1_VERSION;
8077 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
8078 SSL_CTX *cctx = NULL, *sctx = NULL;
8079 SSL *clientssl = NULL, *serverssl = NULL;
8083 * Choose a buffer large enough to perform a multi-block operation
8084 * i.e: write_len >= 4 * frag_size
8085 * 9 * is chosen so that multiple multiblocks are used + some leftover.
8087 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
8088 unsigned char buf[sizeof(msg)], *p = buf;
8089 size_t readbytes, written, len;
8090 EVP_CIPHER *ciph = NULL;
8093 * Check if the cipher exists before attempting to use it since it only has
8094 * a hardware specific implementation.
8096 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
8098 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
8101 EVP_CIPHER_free(ciph);
8103 /* Set up a buffer with some data that will be sent to the client */
8104 RAND_bytes(msg, sizeof(msg));
8106 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
8107 max_version, &sctx, &cctx, cert,
8111 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
8114 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8118 /* settings to force it to use AES-CBC-HMAC_SHA */
8119 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
8120 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
8123 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8126 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8127 || !TEST_size_t_eq(written, sizeof(msg)))
8132 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
8137 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
8142 SSL_free(serverssl);
8143 SSL_free(clientssl);
8149 #endif /* OPENSSL_NO_TLS1_2 */
8151 static int test_session_timeout(int test)
8154 * Test session ordering and timeout
8155 * Can't explicitly test performance of the new code,
8156 * but can test to see if the ordering of the sessions
8157 * are correct, and they they are removed as expected
8159 SSL_SESSION *early = NULL;
8160 SSL_SESSION *middle = NULL;
8161 SSL_SESSION *late = NULL;
8164 long now = (long)time(NULL);
8167 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
8168 || !TEST_ptr(early = SSL_SESSION_new())
8169 || !TEST_ptr(middle = SSL_SESSION_new())
8170 || !TEST_ptr(late = SSL_SESSION_new()))
8173 /* assign unique session ids */
8174 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8175 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
8176 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8177 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
8178 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8179 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
8181 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8182 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8183 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8186 /* Make sure they are all added */
8187 if (!TEST_ptr(early->prev)
8188 || !TEST_ptr(middle->prev)
8189 || !TEST_ptr(late->prev))
8192 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
8193 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
8194 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
8197 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
8198 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
8199 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
8202 /* Make sure they are all still there */
8203 if (!TEST_ptr(early->prev)
8204 || !TEST_ptr(middle->prev)
8205 || !TEST_ptr(late->prev))
8208 /* Make sure they are in the expected order */
8209 if (!TEST_ptr_eq(late->next, middle)
8210 || !TEST_ptr_eq(middle->next, early)
8211 || !TEST_ptr_eq(early->prev, middle)
8212 || !TEST_ptr_eq(middle->prev, late))
8215 /* This should remove "early" */
8216 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1);
8217 if (!TEST_ptr_null(early->prev)
8218 || !TEST_ptr(middle->prev)
8219 || !TEST_ptr(late->prev))
8222 /* This should remove "middle" */
8223 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1);
8224 if (!TEST_ptr_null(early->prev)
8225 || !TEST_ptr_null(middle->prev)
8226 || !TEST_ptr(late->prev))
8229 /* This should remove "late" */
8230 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11);
8231 if (!TEST_ptr_null(early->prev)
8232 || !TEST_ptr_null(middle->prev)
8233 || !TEST_ptr_null(late->prev))
8236 /* Add them back in again */
8237 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8238 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8239 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8242 /* Make sure they are all added */
8243 if (!TEST_ptr(early->prev)
8244 || !TEST_ptr(middle->prev)
8245 || !TEST_ptr(late->prev))
8248 /* This should remove all of them */
8249 SSL_CTX_flush_sessions(ctx, 0);
8250 if (!TEST_ptr_null(early->prev)
8251 || !TEST_ptr_null(middle->prev)
8252 || !TEST_ptr_null(late->prev))
8255 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
8256 | SSL_CTX_get_session_cache_mode(ctx));
8258 /* make sure |now| is NOT equal to the current time */
8260 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
8261 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8262 || !TEST_long_ne(SSL_SESSION_get_time(early), now))
8268 SSL_SESSION_free(early);
8269 SSL_SESSION_free(middle);
8270 SSL_SESSION_free(late);
8275 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
8276 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
8277 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
8278 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
8279 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
8280 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
8281 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
8282 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
8283 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
8284 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
8286 static int test_servername(int tst)
8288 SSL_CTX *cctx = NULL, *sctx = NULL;
8289 SSL *clientssl = NULL, *serverssl = NULL;
8291 SSL_SESSION *sess = NULL;
8292 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
8294 #ifdef OPENSSL_NO_TLS1_2
8298 #ifdef OSSL_NO_USABLE_TLS1_3
8303 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8304 TLS_client_method(),
8306 (tst <= 4) ? TLS1_2_VERSION
8308 &sctx, &cctx, cert, privkey))
8309 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8313 if (tst != 1 && tst != 6) {
8314 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
8319 if (tst != 3 && tst != 8) {
8320 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
8322 sexpectedhost = cexpectedhost = "goodhost";
8325 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8328 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
8330 || !TEST_str_eq(SSL_get_servername(serverssl,
8331 TLSEXT_NAMETYPE_host_name),
8335 /* Now repeat with a resumption handshake */
8337 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
8338 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
8339 || !TEST_true(SSL_SESSION_is_resumable(sess))
8340 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
8343 SSL_free(clientssl);
8344 SSL_free(serverssl);
8345 clientssl = serverssl = NULL;
8347 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8351 if (!TEST_true(SSL_set_session(clientssl, sess)))
8354 sexpectedhost = cexpectedhost = "goodhost";
8355 if (tst == 2 || tst == 7) {
8356 /* Set an inconsistent hostname */
8357 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
8360 * In TLSv1.2 we expect the hostname from the original handshake, in
8361 * TLSv1.3 we expect the hostname from this handshake
8364 sexpectedhost = cexpectedhost = "altgoodhost";
8366 if (!TEST_str_eq(SSL_get_servername(clientssl,
8367 TLSEXT_NAMETYPE_host_name),
8370 } else if (tst == 4 || tst == 9) {
8372 * A TLSv1.3 session does not associate a session with a servername,
8373 * but a TLSv1.2 session does.
8376 sexpectedhost = cexpectedhost = NULL;
8378 if (!TEST_str_eq(SSL_get_servername(clientssl,
8379 TLSEXT_NAMETYPE_host_name),
8383 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
8386 * In a TLSv1.2 resumption where the hostname was not acknowledged
8387 * we expect the hostname on the server to be empty. On the client we
8388 * return what was requested in this case.
8390 * Similarly if the client didn't set a hostname on an original TLSv1.2
8391 * session but is now, the server hostname will be empty, but the client
8394 if (tst == 1 || tst == 3)
8395 sexpectedhost = NULL;
8397 if (!TEST_str_eq(SSL_get_servername(clientssl,
8398 TLSEXT_NAMETYPE_host_name),
8403 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8406 if (!TEST_true(SSL_session_reused(clientssl))
8407 || !TEST_true(SSL_session_reused(serverssl))
8408 || !TEST_str_eq(SSL_get_servername(clientssl,
8409 TLSEXT_NAMETYPE_host_name),
8411 || !TEST_str_eq(SSL_get_servername(serverssl,
8412 TLSEXT_NAMETYPE_host_name),
8419 SSL_SESSION_free(sess);
8420 SSL_free(serverssl);
8421 SSL_free(clientssl);
8428 #if !defined(OPENSSL_NO_EC) \
8429 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
8431 * Test that if signature algorithms are not available, then we do not offer or
8433 * Test 0: Two RSA sig algs available: both RSA sig algs shared
8434 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
8435 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
8436 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
8437 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
8438 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
8440 static int test_sigalgs_available(int idx)
8442 SSL_CTX *cctx = NULL, *sctx = NULL;
8443 SSL *clientssl = NULL, *serverssl = NULL;
8445 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
8446 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
8447 OSSL_PROVIDER *filterprov = NULL;
8450 if (!TEST_ptr(tmpctx))
8453 if (idx != 0 && idx != 3) {
8454 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
8455 filter_provider_init)))
8458 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
8459 if (!TEST_ptr(filterprov))
8464 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
8465 * or accepted for the peer that uses this libctx. Note that libssl
8466 * *requires* SHA2-256 to be available so we cannot disable that. We
8467 * also need SHA1 for our certificate.
8469 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
8473 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
8475 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
8480 if (idx == 1 || idx == 4)
8486 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
8487 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
8488 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
8492 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8493 TLS_client_method(),
8496 &sctx, &cctx, cert, privkey)))
8499 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8500 TLS_client_method(),
8503 &sctx, &cctx, cert2, privkey2)))
8507 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
8509 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8510 "ECDHE-RSA-AES128-GCM-SHA256")))
8513 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8514 "ECDHE-ECDSA-AES128-GCM-SHA256")))
8519 if (!SSL_CTX_set1_sigalgs_list(cctx,
8520 "rsa_pss_rsae_sha384"
8521 ":rsa_pss_rsae_sha256")
8522 || !SSL_CTX_set1_sigalgs_list(sctx,
8523 "rsa_pss_rsae_sha384"
8524 ":rsa_pss_rsae_sha256"))
8527 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
8528 || !SSL_CTX_set1_sigalgs_list(sctx,
8529 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
8534 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
8535 SSL_FILETYPE_PEM), 1)
8536 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
8538 SSL_FILETYPE_PEM), 1)
8539 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
8542 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8546 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8549 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
8550 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
8552 (idx == 0 || idx == 3) ? 2 : 1))
8555 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
8558 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
8562 testresult = filter_provider_check_clean_finish();
8565 SSL_free(serverssl);
8566 SSL_free(clientssl);
8569 OSSL_PROVIDER_unload(filterprov);
8570 OSSL_LIB_CTX_free(tmpctx);
8575 * !defined(OPENSSL_NO_EC) \
8576 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
8579 #ifndef OPENSSL_NO_TLS1_3
8580 /* This test can run in TLSv1.3 even if ec and dh are disabled */
8581 static int test_pluggable_group(int idx)
8583 SSL_CTX *cctx = NULL, *sctx = NULL;
8584 SSL *clientssl = NULL, *serverssl = NULL;
8586 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
8587 /* Check that we are not impacted by a provider without any groups */
8588 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
8589 const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
8591 if (!TEST_ptr(tlsprov))
8594 if (legacyprov == NULL) {
8596 * In this case we assume we've been built with "no-legacy" and skip
8597 * this test (there is no OPENSSL_NO_LEGACY)
8603 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8604 TLS_client_method(),
8607 &sctx, &cctx, cert, privkey))
8608 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8612 if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
8613 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
8616 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8619 if (!TEST_str_eq(group_name,
8620 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
8626 SSL_free(serverssl);
8627 SSL_free(clientssl);
8630 OSSL_PROVIDER_unload(tlsprov);
8631 OSSL_PROVIDER_unload(legacyprov);
8637 #ifndef OPENSSL_NO_TLS1_2
8638 static int test_ssl_dup(void)
8640 SSL_CTX *cctx = NULL, *sctx = NULL;
8641 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
8643 BIO *rbio = NULL, *wbio = NULL;
8645 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8646 TLS_client_method(),
8649 &sctx, &cctx, cert, privkey)))
8652 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8656 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
8657 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
8660 client2ssl = SSL_dup(clientssl);
8661 rbio = SSL_get_rbio(clientssl);
8663 || !TEST_true(BIO_up_ref(rbio)))
8665 SSL_set0_rbio(client2ssl, rbio);
8668 wbio = SSL_get_wbio(clientssl);
8669 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
8671 SSL_set0_wbio(client2ssl, wbio);
8674 if (!TEST_ptr(client2ssl)
8675 /* Handshake not started so pointers should be different */
8676 || !TEST_ptr_ne(clientssl, client2ssl))
8679 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
8680 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
8683 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
8686 SSL_free(clientssl);
8687 clientssl = SSL_dup(client2ssl);
8688 if (!TEST_ptr(clientssl)
8689 /* Handshake has finished so pointers should be the same */
8690 || !TEST_ptr_eq(clientssl, client2ssl))
8696 SSL_free(serverssl);
8697 SSL_free(clientssl);
8698 SSL_free(client2ssl);
8705 # ifndef OPENSSL_NO_DH
8707 static EVP_PKEY *tmp_dh_params = NULL;
8709 /* Helper function for the test_set_tmp_dh() tests */
8710 static EVP_PKEY *get_tmp_dh_params(void)
8712 if (tmp_dh_params == NULL) {
8714 OSSL_PARAM_BLD *tmpl = NULL;
8715 EVP_PKEY_CTX *pctx = NULL;
8716 OSSL_PARAM *params = NULL;
8717 EVP_PKEY *dhpkey = NULL;
8719 p = BN_get_rfc3526_prime_2048(NULL);
8723 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
8725 || !TEST_true(EVP_PKEY_fromdata_init(pctx)))
8728 tmpl = OSSL_PARAM_BLD_new();
8730 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
8731 OSSL_PKEY_PARAM_FFC_P,
8733 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
8734 OSSL_PKEY_PARAM_FFC_G,
8738 params = OSSL_PARAM_BLD_to_param(tmpl);
8739 if (!TEST_ptr(params)
8740 || !TEST_true(EVP_PKEY_fromdata(pctx, &dhpkey,
8741 EVP_PKEY_KEY_PARAMETERS, params)))
8744 tmp_dh_params = dhpkey;
8747 EVP_PKEY_CTX_free(pctx);
8748 OSSL_PARAM_BLD_free(tmpl);
8749 OSSL_PARAM_free(params);
8752 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
8755 return tmp_dh_params;
8758 # ifndef OPENSSL_NO_DEPRECATED_3_0
8759 /* Callback used by test_set_tmp_dh() */
8760 static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
8762 EVP_PKEY *dhpkey = get_tmp_dh_params();
8765 if (!TEST_ptr(dhpkey))
8769 * libssl does not free the returned DH, so we free it now knowing that even
8770 * after we free dhpkey, there will still be a reference to the owning
8771 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
8772 * of time we need it for.
8774 ret = EVP_PKEY_get1_DH(dhpkey);
8777 EVP_PKEY_free(dhpkey);
8784 * Test the various methods for setting temporary DH parameters
8786 * Test 0: Default (no auto) setting
8787 * Test 1: Explicit SSL_CTX auto off
8788 * Test 2: Explicit SSL auto off
8789 * Test 3: Explicit SSL_CTX auto on
8790 * Test 4: Explicit SSL auto on
8791 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
8792 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
8794 * The following are testing deprecated APIs, so we only run them if available
8795 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
8796 * Test 8: Explicit SSL auto off, custom DH params via DH
8797 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
8798 * Test 10: Explicit SSL auto off, custom DH params via callback
8800 static int test_set_tmp_dh(int idx)
8802 SSL_CTX *cctx = NULL, *sctx = NULL;
8803 SSL *clientssl = NULL, *serverssl = NULL;
8805 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
8806 int expected = (idx <= 2) ? 0 : 1;
8807 EVP_PKEY *dhpkey = NULL;
8808 # ifndef OPENSSL_NO_DEPRECATED_3_0
8816 if (idx >= 5 && idx <= 8) {
8817 dhpkey = get_tmp_dh_params();
8818 if (!TEST_ptr(dhpkey))
8821 # ifndef OPENSSL_NO_DEPRECATED_3_0
8822 if (idx == 7 || idx == 8) {
8823 dh = EVP_PKEY_get1_DH(dhpkey);
8829 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8830 TLS_client_method(),
8833 &sctx, &cctx, cert, privkey)))
8836 if ((idx & 1) == 1) {
8837 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
8842 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
8846 # ifndef OPENSSL_NO_DEPRECATED_3_0
8847 else if (idx == 7) {
8848 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
8850 } else if (idx == 9) {
8851 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
8855 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8859 if ((idx & 1) == 0 && idx != 0) {
8860 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
8864 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
8868 # ifndef OPENSSL_NO_DEPRECATED_3_0
8869 else if (idx == 8) {
8870 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
8872 } else if (idx == 10) {
8873 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
8877 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
8878 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
8879 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
8883 * If autoon then we should succeed. Otherwise we expect failure because
8884 * there are no parameters
8886 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
8887 SSL_ERROR_NONE), expected))
8893 # ifndef OPENSSL_NO_DEPRECATED_3_0
8896 SSL_free(serverssl);
8897 SSL_free(clientssl);
8900 EVP_PKEY_free(dhpkey);
8906 * Test the auto DH keys are appropriately sized
8908 static int test_dh_auto(int idx)
8910 SSL_CTX *cctx = NULL, *sctx = NULL;
8911 SSL *clientssl = NULL, *serverssl = NULL;
8913 EVP_PKEY *tmpkey = NULL;
8914 char *thiscert = NULL, *thiskey = NULL;
8915 size_t expdhsize = 0;
8916 const char *ciphersuite = "DHE-RSA-AES128-SHA";
8920 /* The FIPS provider doesn't support this DH size - so we ignore it */
8923 thiscert = cert1024;
8924 thiskey = privkey1024;
8928 /* 2048 bit prime */
8934 thiscert = cert3072;
8935 thiskey = privkey3072;
8939 thiscert = cert4096;
8940 thiskey = privkey4096;
8944 thiscert = cert8192;
8945 thiskey = privkey8192;
8948 /* No certificate cases */
8950 /* The FIPS provider doesn't support this DH size - so we ignore it */
8953 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
8957 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
8961 TEST_error("Invalid text index");
8965 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8966 TLS_client_method(),
8969 &sctx, &cctx, thiscert, thiskey)))
8972 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8976 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
8977 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
8978 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
8979 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
8980 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
8984 * Send the server's first flight. At this point the server has created the
8985 * temporary DH key but hasn't finished using it yet. Once used it is
8986 * removed, so we cannot test it.
8988 if (!TEST_int_le(SSL_connect(clientssl), 0)
8989 || !TEST_int_le(SSL_accept(serverssl), 0))
8992 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
8994 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
8997 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9003 SSL_free(serverssl);
9004 SSL_free(clientssl);
9007 EVP_PKEY_free(tmpkey);
9012 # endif /* OPENSSL_NO_DH */
9013 #endif /* OPENSSL_NO_TLS1_2 */
9015 #ifndef OSSL_NO_USABLE_TLS1_3
9017 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
9018 * that it works even without a certificate configured for the original
9021 static int test_sni_tls13(void)
9023 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
9024 SSL *clientssl = NULL, *serverssl = NULL;
9027 /* Reset callback counter */
9030 /* Create an initial SSL_CTX with no certificate configured */
9031 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9032 if (!TEST_ptr(sctx))
9034 /* Require TLSv1.3 as a minimum */
9035 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9036 TLS_client_method(), TLS1_3_VERSION, 0,
9037 &sctx2, &cctx, cert, privkey)))
9041 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
9042 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
9046 * Connection should still succeed because the final SSL_CTX has the right
9047 * certificates configured.
9049 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9050 &clientssl, NULL, NULL))
9051 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9055 /* We should have had the SNI callback called exactly once */
9056 if (!TEST_int_eq(snicb, 1))
9062 SSL_free(serverssl);
9063 SSL_free(clientssl);
9064 SSL_CTX_free(sctx2);
9071 * Test that setting an ALPN does not violate RFC
9073 static int test_set_alpn(void)
9075 SSL_CTX *ctx = NULL;
9079 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
9080 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
9081 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
9082 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
9083 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
9084 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
9086 /* Create an initial SSL_CTX with no certificate configured */
9087 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9091 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
9092 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
9094 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
9096 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
9098 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
9100 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
9102 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
9104 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
9106 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
9108 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
9115 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
9117 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
9119 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
9121 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
9123 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
9125 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
9127 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
9129 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
9131 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
9142 static int test_inherit_verify_param(void)
9146 SSL_CTX *ctx = NULL;
9147 X509_VERIFY_PARAM *cp = NULL;
9149 X509_VERIFY_PARAM *sp = NULL;
9150 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
9152 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9156 cp = SSL_CTX_get0_param(ctx);
9159 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
9162 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
9168 sp = SSL_get0_param(ssl);
9171 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
9183 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
9185 int setup_tests(void)
9190 libctx = OSSL_LIB_CTX_new();
9191 if (!TEST_ptr(libctx))
9194 defctxnull = OSSL_PROVIDER_load(NULL, "null");
9197 * Verify that the default and fips providers in the default libctx are not
9200 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
9201 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
9204 if (!test_skip_common_options()) {
9205 TEST_error("Error parsing test options\n");
9209 if (!TEST_ptr(certsdir = test_get_argument(0))
9210 || !TEST_ptr(srpvfile = test_get_argument(1))
9211 || !TEST_ptr(tmpfilename = test_get_argument(2))
9212 || !TEST_ptr(modulename = test_get_argument(3))
9213 || !TEST_ptr(configfile = test_get_argument(4)))
9216 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
9219 /* Check we have the expected provider available */
9220 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
9223 /* Check the default provider is not available */
9224 if (strcmp(modulename, "default") != 0
9225 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
9228 if (strcmp(modulename, "fips") == 0)
9232 * We add, but don't load the test "tls-provider". We'll load it when we
9235 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
9236 tls_provider_init)))
9240 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
9241 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
9242 TEST_error("not supported in this build");
9245 int i, mcount, rcount, fcount;
9247 for (i = 0; i < 4; i++)
9248 test_export_key_mat(i);
9249 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
9250 test_printf_stdout("malloc %d realloc %d free %d\n",
9251 mcount, rcount, fcount);
9256 cert = test_mk_file_path(certsdir, "servercert.pem");
9260 privkey = test_mk_file_path(certsdir, "serverkey.pem");
9261 if (privkey == NULL)
9264 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
9268 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
9269 if (privkey2 == NULL)
9272 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
9273 if (cert1024 == NULL)
9276 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
9277 if (privkey1024 == NULL)
9280 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
9281 if (cert3072 == NULL)
9284 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
9285 if (privkey3072 == NULL)
9288 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
9289 if (cert4096 == NULL)
9292 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
9293 if (privkey4096 == NULL)
9296 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
9297 if (cert8192 == NULL)
9300 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
9301 if (privkey8192 == NULL)
9304 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
9305 # if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
9306 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
9307 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS);
9310 ADD_TEST(test_large_message_tls);
9311 ADD_TEST(test_large_message_tls_read_ahead);
9312 #ifndef OPENSSL_NO_DTLS
9313 ADD_TEST(test_large_message_dtls);
9315 ADD_TEST(test_cleanse_plaintext);
9316 #ifndef OPENSSL_NO_OCSP
9317 ADD_TEST(test_tlsext_status_type);
9319 ADD_TEST(test_session_with_only_int_cache);
9320 ADD_TEST(test_session_with_only_ext_cache);
9321 ADD_TEST(test_session_with_both_cache);
9322 ADD_TEST(test_session_wo_ca_names);
9323 #ifndef OSSL_NO_USABLE_TLS1_3
9324 ADD_ALL_TESTS(test_stateful_tickets, 3);
9325 ADD_ALL_TESTS(test_stateless_tickets, 3);
9326 ADD_TEST(test_psk_tickets);
9327 ADD_ALL_TESTS(test_extra_tickets, 6);
9329 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9330 ADD_TEST(test_ssl_bio_pop_next_bio);
9331 ADD_TEST(test_ssl_bio_pop_ssl_bio);
9332 ADD_TEST(test_ssl_bio_change_rbio);
9333 ADD_TEST(test_ssl_bio_change_wbio);
9334 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
9335 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
9336 ADD_TEST(test_keylog);
9338 #ifndef OSSL_NO_USABLE_TLS1_3
9339 ADD_TEST(test_keylog_no_master_key);
9341 ADD_TEST(test_client_cert_verify_cb);
9342 ADD_TEST(test_ssl_build_cert_chain);
9343 ADD_TEST(test_ssl_ctx_build_cert_chain);
9344 #ifndef OPENSSL_NO_TLS1_2
9345 ADD_TEST(test_client_hello_cb);
9346 ADD_TEST(test_no_ems);
9347 ADD_TEST(test_ccs_change_cipher);
9349 #ifndef OSSL_NO_USABLE_TLS1_3
9350 ADD_ALL_TESTS(test_early_data_read_write, 3);
9352 * We don't do replay tests for external PSK. Replay protection isn't used
9355 ADD_ALL_TESTS(test_early_data_replay, 2);
9356 ADD_ALL_TESTS(test_early_data_skip, 3);
9357 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
9358 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
9359 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
9360 ADD_ALL_TESTS(test_early_data_not_sent, 3);
9361 ADD_ALL_TESTS(test_early_data_psk, 8);
9362 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
9363 ADD_ALL_TESTS(test_early_data_not_expected, 3);
9364 # ifndef OPENSSL_NO_TLS1_2
9365 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
9368 #ifndef OSSL_NO_USABLE_TLS1_3
9369 ADD_ALL_TESTS(test_set_ciphersuite, 10);
9370 ADD_TEST(test_ciphersuite_change);
9371 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
9372 # ifdef OPENSSL_NO_PSK
9373 ADD_ALL_TESTS(test_tls13_psk, 1);
9375 ADD_ALL_TESTS(test_tls13_psk, 4);
9376 # endif /* OPENSSL_NO_PSK */
9377 # ifndef OPENSSL_NO_TLS1_2
9378 /* Test with both TLSv1.3 and 1.2 versions */
9379 ADD_ALL_TESTS(test_key_exchange, 14);
9380 # if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
9381 ADD_ALL_TESTS(test_negotiated_group,
9382 4 * (OSSL_NELEM(ecdhe_kexch_groups)
9383 + OSSL_NELEM(ffdhe_kexch_groups)));
9386 /* Test with only TLSv1.3 versions */
9387 ADD_ALL_TESTS(test_key_exchange, 12);
9389 ADD_ALL_TESTS(test_custom_exts, 5);
9390 ADD_TEST(test_stateless);
9391 ADD_TEST(test_pha_key_update);
9393 ADD_ALL_TESTS(test_custom_exts, 3);
9395 ADD_ALL_TESTS(test_serverinfo, 8);
9396 ADD_ALL_TESTS(test_export_key_mat, 6);
9397 #ifndef OSSL_NO_USABLE_TLS1_3
9398 ADD_ALL_TESTS(test_export_key_mat_early, 3);
9399 ADD_TEST(test_key_update);
9400 ADD_ALL_TESTS(test_key_update_in_write, 2);
9402 ADD_ALL_TESTS(test_ssl_clear, 2);
9403 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
9404 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
9405 ADD_ALL_TESTS(test_srp, 6);
9407 ADD_ALL_TESTS(test_info_callback, 6);
9408 ADD_ALL_TESTS(test_ssl_pending, 2);
9409 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
9410 ADD_ALL_TESTS(test_ticket_callbacks, 16);
9411 ADD_ALL_TESTS(test_shutdown, 7);
9412 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
9413 ADD_ALL_TESTS(test_cert_cb, 6);
9414 ADD_ALL_TESTS(test_client_cert_cb, 2);
9415 ADD_ALL_TESTS(test_ca_names, 3);
9416 #ifndef OPENSSL_NO_TLS1_2
9417 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
9419 ADD_ALL_TESTS(test_servername, 10);
9420 #if !defined(OPENSSL_NO_EC) \
9421 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9422 ADD_ALL_TESTS(test_sigalgs_available, 6);
9424 #ifndef OPENSSL_NO_TLS1_3
9425 ADD_ALL_TESTS(test_pluggable_group, 2);
9427 #ifndef OPENSSL_NO_TLS1_2
9428 ADD_TEST(test_ssl_dup);
9429 # ifndef OPENSSL_NO_DH
9430 ADD_ALL_TESTS(test_set_tmp_dh, 11);
9431 ADD_ALL_TESTS(test_dh_auto, 7);
9434 #ifndef OSSL_NO_USABLE_TLS1_3
9435 ADD_TEST(test_sni_tls13);
9437 ADD_TEST(test_inherit_verify_param);
9438 ADD_TEST(test_set_alpn);
9439 ADD_ALL_TESTS(test_session_timeout, 1);
9444 OPENSSL_free(privkey);
9445 OPENSSL_free(cert2);
9446 OPENSSL_free(privkey2);
9450 void cleanup_tests(void)
9452 # if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
9453 EVP_PKEY_free(tmp_dh_params);
9456 OPENSSL_free(privkey);
9457 OPENSSL_free(cert2);
9458 OPENSSL_free(privkey2);
9459 OPENSSL_free(cert1024);
9460 OPENSSL_free(privkey1024);
9461 OPENSSL_free(cert3072);
9462 OPENSSL_free(privkey3072);
9463 OPENSSL_free(cert4096);
9464 OPENSSL_free(privkey4096);
9465 OPENSSL_free(cert8192);
9466 OPENSSL_free(privkey8192);
9467 bio_s_mempacket_test_free();
9468 bio_s_always_retry_free();
9469 OSSL_PROVIDER_unload(defctxnull);
9470 OSSL_LIB_CTX_free(libctx);