2 * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/core_dispatch.h>
32 #include <openssl/provider.h>
33 #include <openssl/param_build.h>
34 #include <openssl/x509v3.h>
35 #include <openssl/dh.h>
36 #include <openssl/engine.h>
38 #include "helpers/ssltestlib.h"
40 #include "testutil/output.h"
41 #include "internal/nelem.h"
42 #include "internal/ktls.h"
43 #include "../ssl/ssl_local.h"
44 #include "../ssl/record/methods/recmethod_local.h"
45 #include "filterprov.h"
47 #undef OSSL_NO_USABLE_TLS1_3
48 #if defined(OPENSSL_NO_TLS1_3) \
49 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
51 * If we don't have ec or dh then there are no built-in groups that are usable
54 # define OSSL_NO_USABLE_TLS1_3
57 /* Defined in tls-provider.c */
58 int tls_provider_init(const OSSL_CORE_HANDLE *handle,
59 const OSSL_DISPATCH *in,
60 const OSSL_DISPATCH **out,
63 static OSSL_LIB_CTX *libctx = NULL;
64 static OSSL_PROVIDER *defctxnull = NULL;
66 #ifndef OSSL_NO_USABLE_TLS1_3
68 static SSL_SESSION *clientpsk = NULL;
69 static SSL_SESSION *serverpsk = NULL;
70 static const char *pskid = "Identity";
71 static const char *srvid;
73 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
74 size_t *idlen, SSL_SESSION **sess);
75 static int find_session_cb(SSL *ssl, const unsigned char *identity,
76 size_t identity_len, SSL_SESSION **sess);
78 static int use_session_cb_cnt = 0;
79 static int find_session_cb_cnt = 0;
81 static SSL_SESSION *create_a_psk(SSL *ssl);
84 static char *certsdir = NULL;
85 static char *cert = NULL;
86 static char *privkey = NULL;
87 static char *cert2 = NULL;
88 static char *privkey2 = NULL;
89 static char *cert1024 = NULL;
90 static char *privkey1024 = NULL;
91 static char *cert3072 = NULL;
92 static char *privkey3072 = NULL;
93 static char *cert4096 = NULL;
94 static char *privkey4096 = NULL;
95 static char *cert8192 = NULL;
96 static char *privkey8192 = NULL;
97 static char *srpvfile = NULL;
98 static char *tmpfilename = NULL;
99 static char *dhfile = NULL;
101 static int is_fips = 0;
103 #define LOG_BUFFER_SIZE 2048
104 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
105 static size_t server_log_buffer_index = 0;
106 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
107 static size_t client_log_buffer_index = 0;
108 static int error_writing_log = 0;
110 #ifndef OPENSSL_NO_OCSP
111 static const unsigned char orespder[] = "Dummy OCSP Response";
112 static int ocsp_server_called = 0;
113 static int ocsp_client_called = 0;
115 static int cdummyarg = 1;
116 static X509 *ocspcert = NULL;
119 #define NUM_EXTRA_CERTS 40
120 #define CLIENT_VERSION_LEN 2
123 * This structure is used to validate that the correct number of log messages
124 * of various types are emitted when emitting secret logs.
126 struct sslapitest_log_counts {
127 unsigned int rsa_key_exchange_count;
128 unsigned int master_secret_count;
129 unsigned int client_early_secret_count;
130 unsigned int client_handshake_secret_count;
131 unsigned int server_handshake_secret_count;
132 unsigned int client_application_secret_count;
133 unsigned int server_application_secret_count;
134 unsigned int early_exporter_secret_count;
135 unsigned int exporter_secret_count;
139 static int hostname_cb(SSL *s, int *al, void *arg)
141 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
143 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
144 || strcmp(hostname, "altgoodhost") == 0))
145 return SSL_TLSEXT_ERR_OK;
147 return SSL_TLSEXT_ERR_NOACK;
150 static void client_keylog_callback(const SSL *ssl, const char *line)
152 int line_length = strlen(line);
154 /* If the log doesn't fit, error out. */
155 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
156 TEST_info("Client log too full");
157 error_writing_log = 1;
161 strcat(client_log_buffer, line);
162 client_log_buffer_index += line_length;
163 client_log_buffer[client_log_buffer_index++] = '\n';
166 static void server_keylog_callback(const SSL *ssl, const char *line)
168 int line_length = strlen(line);
170 /* If the log doesn't fit, error out. */
171 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
172 TEST_info("Server log too full");
173 error_writing_log = 1;
177 strcat(server_log_buffer, line);
178 server_log_buffer_index += line_length;
179 server_log_buffer[server_log_buffer_index++] = '\n';
182 static int compare_hex_encoded_buffer(const char *hex_encoded,
190 if (!TEST_size_t_eq(raw_length * 2, hex_length))
193 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
194 sprintf(hexed, "%02x", raw[i]);
195 if (!TEST_int_eq(hexed[0], hex_encoded[j])
196 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
203 static int test_keylog_output(char *buffer, const SSL *ssl,
204 const SSL_SESSION *session,
205 struct sslapitest_log_counts *expected)
208 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
209 size_t client_random_size = SSL3_RANDOM_SIZE;
210 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
211 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
212 unsigned int rsa_key_exchange_count = 0;
213 unsigned int master_secret_count = 0;
214 unsigned int client_early_secret_count = 0;
215 unsigned int client_handshake_secret_count = 0;
216 unsigned int server_handshake_secret_count = 0;
217 unsigned int client_application_secret_count = 0;
218 unsigned int server_application_secret_count = 0;
219 unsigned int early_exporter_secret_count = 0;
220 unsigned int exporter_secret_count = 0;
222 for (token = strtok(buffer, " \n"); token != NULL;
223 token = strtok(NULL, " \n")) {
224 if (strcmp(token, "RSA") == 0) {
226 * Premaster secret. Tokens should be: 16 ASCII bytes of
227 * hex-encoded encrypted secret, then the hex-encoded pre-master
230 if (!TEST_ptr(token = strtok(NULL, " \n")))
232 if (!TEST_size_t_eq(strlen(token), 16))
234 if (!TEST_ptr(token = strtok(NULL, " \n")))
237 * We can't sensibly check the log because the premaster secret is
238 * transient, and OpenSSL doesn't keep hold of it once the master
239 * secret is generated.
241 rsa_key_exchange_count++;
242 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
244 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
245 * client random, then the hex-encoded master secret.
247 client_random_size = SSL_get_client_random(ssl,
248 actual_client_random,
250 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
253 if (!TEST_ptr(token = strtok(NULL, " \n")))
255 if (!TEST_size_t_eq(strlen(token), 64))
257 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
258 actual_client_random,
259 client_random_size)))
262 if (!TEST_ptr(token = strtok(NULL, " \n")))
264 master_key_size = SSL_SESSION_get_master_key(session,
267 if (!TEST_size_t_ne(master_key_size, 0))
269 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
273 master_secret_count++;
274 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
275 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
276 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
277 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
278 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
279 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
280 || strcmp(token, "EXPORTER_SECRET") == 0) {
282 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
283 * client random, and then the hex-encoded secret. In this case,
284 * we treat all of these secrets identically and then just
285 * distinguish between them when counting what we saw.
287 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
288 client_early_secret_count++;
289 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
290 client_handshake_secret_count++;
291 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
292 server_handshake_secret_count++;
293 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
294 client_application_secret_count++;
295 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
296 server_application_secret_count++;
297 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
298 early_exporter_secret_count++;
299 else if (strcmp(token, "EXPORTER_SECRET") == 0)
300 exporter_secret_count++;
302 client_random_size = SSL_get_client_random(ssl,
303 actual_client_random,
305 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
308 if (!TEST_ptr(token = strtok(NULL, " \n")))
310 if (!TEST_size_t_eq(strlen(token), 64))
312 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
313 actual_client_random,
314 client_random_size)))
317 if (!TEST_ptr(token = strtok(NULL, " \n")))
320 TEST_info("Unexpected token %s\n", token);
325 /* Got what we expected? */
326 if (!TEST_size_t_eq(rsa_key_exchange_count,
327 expected->rsa_key_exchange_count)
328 || !TEST_size_t_eq(master_secret_count,
329 expected->master_secret_count)
330 || !TEST_size_t_eq(client_early_secret_count,
331 expected->client_early_secret_count)
332 || !TEST_size_t_eq(client_handshake_secret_count,
333 expected->client_handshake_secret_count)
334 || !TEST_size_t_eq(server_handshake_secret_count,
335 expected->server_handshake_secret_count)
336 || !TEST_size_t_eq(client_application_secret_count,
337 expected->client_application_secret_count)
338 || !TEST_size_t_eq(server_application_secret_count,
339 expected->server_application_secret_count)
340 || !TEST_size_t_eq(early_exporter_secret_count,
341 expected->early_exporter_secret_count)
342 || !TEST_size_t_eq(exporter_secret_count,
343 expected->exporter_secret_count))
348 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
349 static int test_keylog(void)
351 SSL_CTX *cctx = NULL, *sctx = NULL;
352 SSL *clientssl = NULL, *serverssl = NULL;
354 struct sslapitest_log_counts expected;
356 /* Clean up logging space */
357 memset(&expected, 0, sizeof(expected));
358 memset(client_log_buffer, 0, sizeof(client_log_buffer));
359 memset(server_log_buffer, 0, sizeof(server_log_buffer));
360 client_log_buffer_index = 0;
361 server_log_buffer_index = 0;
362 error_writing_log = 0;
364 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
367 &sctx, &cctx, cert, privkey)))
370 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
371 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
372 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
374 /* We also want to ensure that we use RSA-based key exchange. */
375 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
378 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
379 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
381 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
382 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
383 == client_keylog_callback))
385 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
386 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
387 == server_keylog_callback))
390 /* Now do a handshake and check that the logs have been written to. */
391 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
392 &clientssl, NULL, NULL))
393 || !TEST_true(create_ssl_connection(serverssl, clientssl,
395 || !TEST_false(error_writing_log)
396 || !TEST_int_gt(client_log_buffer_index, 0)
397 || !TEST_int_gt(server_log_buffer_index, 0))
401 * Now we want to test that our output data was vaguely sensible. We
402 * do that by using strtok and confirming that we have more or less the
403 * data we expect. For both client and server, we expect to see one master
404 * secret. The client should also see a RSA key exchange.
406 expected.rsa_key_exchange_count = 1;
407 expected.master_secret_count = 1;
408 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
409 SSL_get_session(clientssl), &expected)))
412 expected.rsa_key_exchange_count = 0;
413 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
414 SSL_get_session(serverssl), &expected)))
429 #ifndef OSSL_NO_USABLE_TLS1_3
430 static int test_keylog_no_master_key(void)
432 SSL_CTX *cctx = NULL, *sctx = NULL;
433 SSL *clientssl = NULL, *serverssl = NULL;
434 SSL_SESSION *sess = NULL;
436 struct sslapitest_log_counts expected;
437 unsigned char buf[1];
438 size_t readbytes, written;
440 /* Clean up logging space */
441 memset(&expected, 0, sizeof(expected));
442 memset(client_log_buffer, 0, sizeof(client_log_buffer));
443 memset(server_log_buffer, 0, sizeof(server_log_buffer));
444 client_log_buffer_index = 0;
445 server_log_buffer_index = 0;
446 error_writing_log = 0;
448 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
449 TLS_client_method(), TLS1_VERSION, 0,
450 &sctx, &cctx, cert, privkey))
451 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
452 SSL3_RT_MAX_PLAIN_LENGTH)))
455 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
456 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
459 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
460 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
461 == client_keylog_callback))
464 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
465 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
466 == server_keylog_callback))
469 /* Now do a handshake and check that the logs have been written to. */
470 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
471 &clientssl, NULL, NULL))
472 || !TEST_true(create_ssl_connection(serverssl, clientssl,
474 || !TEST_false(error_writing_log))
478 * Now we want to test that our output data was vaguely sensible. For this
479 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
480 * TLSv1.3, but we do expect both client and server to emit keys.
482 expected.client_handshake_secret_count = 1;
483 expected.server_handshake_secret_count = 1;
484 expected.client_application_secret_count = 1;
485 expected.server_application_secret_count = 1;
486 expected.exporter_secret_count = 1;
487 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
488 SSL_get_session(clientssl), &expected))
489 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
490 SSL_get_session(serverssl),
494 /* Terminate old session and resume with early data. */
495 sess = SSL_get1_session(clientssl);
496 SSL_shutdown(clientssl);
497 SSL_shutdown(serverssl);
500 serverssl = clientssl = NULL;
503 memset(client_log_buffer, 0, sizeof(client_log_buffer));
504 memset(server_log_buffer, 0, sizeof(server_log_buffer));
505 client_log_buffer_index = 0;
506 server_log_buffer_index = 0;
508 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
509 &clientssl, NULL, NULL))
510 || !TEST_true(SSL_set_session(clientssl, sess))
511 /* Here writing 0 length early data is enough. */
512 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
513 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
515 SSL_READ_EARLY_DATA_ERROR)
516 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
517 SSL_EARLY_DATA_ACCEPTED)
518 || !TEST_true(create_ssl_connection(serverssl, clientssl,
520 || !TEST_true(SSL_session_reused(clientssl)))
523 /* In addition to the previous entries, expect early secrets. */
524 expected.client_early_secret_count = 1;
525 expected.early_exporter_secret_count = 1;
526 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
527 SSL_get_session(clientssl), &expected))
528 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
529 SSL_get_session(serverssl),
536 SSL_SESSION_free(sess);
546 static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
548 int res = X509_verify_cert(ctx);
549 int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
552 /* this should not happen but check anyway */
554 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL)
557 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
558 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
559 /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
560 return SSL_set_retry_verify(ssl);
565 static int test_client_cert_verify_cb(void)
567 /* server key, cert, chain, and root */
568 char *skey = test_mk_file_path(certsdir, "leaf.key");
569 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
570 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
571 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
572 char *root = test_mk_file_path(certsdir, "rootCA.pem");
573 X509 *crt1 = NULL, *crt2 = NULL;
574 STACK_OF(X509) *server_chain;
575 SSL_CTX *cctx = NULL, *sctx = NULL;
576 SSL *clientssl = NULL, *serverssl = NULL;
579 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
580 TLS_client_method(), TLS1_VERSION, 0,
581 &sctx, &cctx, NULL, NULL)))
583 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
584 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
585 SSL_FILETYPE_PEM), 1)
586 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
588 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
590 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
591 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
592 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
593 &clientssl, NULL, NULL)))
596 /* attempt SSL_connect() with incomplete server chain */
597 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
598 SSL_ERROR_WANT_RETRY_VERIFY)))
601 /* application provides intermediate certs needed to verify server cert */
602 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
603 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
604 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
606 /* add certs in reverse order to demonstrate real chain building */
607 if (!TEST_true(sk_X509_push(server_chain, crt1)))
610 if (!TEST_true(sk_X509_push(server_chain, crt2)))
614 /* continue SSL_connect(), must now succeed with completed server chain */
615 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
624 if (clientssl != NULL) {
625 SSL_shutdown(clientssl);
628 if (serverssl != NULL) {
629 SSL_shutdown(serverssl);
644 static int test_ssl_build_cert_chain(void)
647 SSL_CTX *ssl_ctx = NULL;
649 char *skey = test_mk_file_path(certsdir, "leaf.key");
650 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
652 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
654 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
656 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
657 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
658 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
659 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
661 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
662 | SSL_BUILD_CHAIN_FLAG_CHECK)))
667 SSL_CTX_free(ssl_ctx);
668 OPENSSL_free(leaf_chain);
673 static int get_password_cb(char *buf, int size, int rw_flag, void *userdata)
675 static const char pass[] = "testpass";
677 if (!TEST_int_eq(size, PEM_BUFSIZE))
680 memcpy(buf, pass, sizeof(pass) - 1);
681 return sizeof(pass) - 1;
684 static int test_ssl_ctx_build_cert_chain(void)
688 char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key");
689 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
691 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
693 SSL_CTX_set_default_passwd_cb(ctx, get_password_cb);
694 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
695 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
696 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
697 SSL_FILETYPE_PEM), 1)
698 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
700 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
701 | SSL_BUILD_CHAIN_FLAG_CHECK)))
706 OPENSSL_free(leaf_chain);
711 #ifndef OPENSSL_NO_TLS1_2
712 static int full_client_hello_callback(SSL *s, int *al, void *arg)
715 const unsigned char *p;
717 /* We only configure two ciphers, but the SCSV is added automatically. */
719 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
721 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
724 const int expected_extensions[] = {
725 #ifndef OPENSSL_NO_EC
731 /* Make sure we can defer processing and get called back. */
733 return SSL_CLIENT_HELLO_RETRY;
735 len = SSL_client_hello_get0_ciphers(s, &p);
736 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
738 SSL_client_hello_get0_compression_methods(s, &p), 1)
739 || !TEST_int_eq(*p, 0))
740 return SSL_CLIENT_HELLO_ERROR;
741 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
742 return SSL_CLIENT_HELLO_ERROR;
743 if (len != OSSL_NELEM(expected_extensions) ||
744 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
745 printf("ClientHello callback expected extensions mismatch\n");
747 return SSL_CLIENT_HELLO_ERROR;
750 return SSL_CLIENT_HELLO_SUCCESS;
753 static int test_client_hello_cb(void)
755 SSL_CTX *cctx = NULL, *sctx = NULL;
756 SSL *clientssl = NULL, *serverssl = NULL;
757 int testctr = 0, testresult = 0;
759 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
760 TLS_client_method(), TLS1_VERSION, 0,
761 &sctx, &cctx, cert, privkey)))
763 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
765 /* The gimpy cipher list we configure can't do TLS 1.3. */
766 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
768 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
769 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
770 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
771 &clientssl, NULL, NULL))
772 || !TEST_false(create_ssl_connection(serverssl, clientssl,
773 SSL_ERROR_WANT_CLIENT_HELLO_CB))
775 * Passing a -1 literal is a hack since
776 * the real value was lost.
778 || !TEST_int_eq(SSL_get_error(serverssl, -1),
779 SSL_ERROR_WANT_CLIENT_HELLO_CB)
780 || !TEST_true(create_ssl_connection(serverssl, clientssl,
795 static int test_no_ems(void)
797 SSL_CTX *cctx = NULL, *sctx = NULL;
798 SSL *clientssl = NULL, *serverssl = NULL;
801 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
802 TLS1_VERSION, TLS1_2_VERSION,
803 &sctx, &cctx, cert, privkey)) {
804 printf("Unable to create SSL_CTX pair\n");
808 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
810 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
811 printf("Unable to create SSL objects\n");
815 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
816 printf("Creating SSL connection failed\n");
820 if (SSL_get_extms_support(serverssl)) {
821 printf("Server reports Extended Master Secret support\n");
825 if (SSL_get_extms_support(clientssl)) {
826 printf("Client reports Extended Master Secret support\n");
841 * Very focused test to exercise a single case in the server-side state
842 * machine, when the ChangeCipherState message needs to actually change
843 * from one cipher to a different cipher (i.e., not changing from null
844 * encryption to real encryption).
846 static int test_ccs_change_cipher(void)
848 SSL_CTX *cctx = NULL, *sctx = NULL;
849 SSL *clientssl = NULL, *serverssl = NULL;
850 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
857 * Create a connection so we can resume and potentially (but not) use
858 * a different cipher in the second connection.
860 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
862 TLS1_VERSION, TLS1_2_VERSION,
863 &sctx, &cctx, cert, privkey))
864 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
865 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
867 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
868 || !TEST_true(create_ssl_connection(serverssl, clientssl,
870 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
871 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
874 shutdown_ssl_connection(serverssl, clientssl);
875 serverssl = clientssl = NULL;
877 /* Resume, preferring a different cipher. Our server will force the
878 * same cipher to be used as the initial handshake. */
879 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
881 || !TEST_true(SSL_set_session(clientssl, sess))
882 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
883 || !TEST_true(create_ssl_connection(serverssl, clientssl,
885 || !TEST_true(SSL_session_reused(clientssl))
886 || !TEST_true(SSL_session_reused(serverssl))
887 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
888 || !TEST_ptr_eq(sesspre, sesspost)
889 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
890 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
892 shutdown_ssl_connection(serverssl, clientssl);
893 serverssl = clientssl = NULL;
896 * Now create a fresh connection and try to renegotiate a different
899 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
901 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
902 || !TEST_true(create_ssl_connection(serverssl, clientssl,
904 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
905 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
906 || !TEST_true(SSL_renegotiate(clientssl))
907 || !TEST_true(SSL_renegotiate_pending(clientssl)))
909 /* Actually drive the renegotiation. */
910 for (i = 0; i < 3; i++) {
911 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
912 if (!TEST_ulong_eq(readbytes, 0))
914 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
915 SSL_ERROR_WANT_READ)) {
918 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
919 if (!TEST_ulong_eq(readbytes, 0))
921 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
922 SSL_ERROR_WANT_READ)) {
926 /* sesspre and sesspost should be different since the cipher changed. */
927 if (!TEST_false(SSL_renegotiate_pending(clientssl))
928 || !TEST_false(SSL_session_reused(clientssl))
929 || !TEST_false(SSL_session_reused(serverssl))
930 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
931 || !TEST_ptr_ne(sesspre, sesspost)
932 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
933 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
936 shutdown_ssl_connection(serverssl, clientssl);
937 serverssl = clientssl = NULL;
946 SSL_SESSION_free(sess);
952 static int execute_test_large_message(const SSL_METHOD *smeth,
953 const SSL_METHOD *cmeth,
954 int min_version, int max_version,
957 SSL_CTX *cctx = NULL, *sctx = NULL;
958 SSL *clientssl = NULL, *serverssl = NULL;
962 X509 *chaincert = NULL;
965 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
968 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
971 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
976 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
977 max_version, &sctx, &cctx, cert,
981 #ifdef OPENSSL_NO_DTLS1_2
982 if (smeth == DTLS_server_method()) {
984 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
987 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
988 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
989 "DEFAULT:@SECLEVEL=0")))
996 * Test that read_ahead works correctly when dealing with large
999 SSL_CTX_set_read_ahead(cctx, 1);
1003 * We assume the supplied certificate is big enough so that if we add
1004 * NUM_EXTRA_CERTS it will make the overall message large enough. The
1005 * default buffer size is requested to be 16k, but due to the way BUF_MEM
1006 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
1007 * test we need to have a message larger than that.
1009 certlen = i2d_X509(chaincert, NULL);
1010 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
1011 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
1012 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
1013 if (!X509_up_ref(chaincert))
1015 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
1016 X509_free(chaincert);
1021 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1023 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1028 * Calling SSL_clear() first is not required but this tests that SSL_clear()
1031 if (!TEST_true(SSL_clear(serverssl)))
1037 X509_free(chaincert);
1038 SSL_free(serverssl);
1039 SSL_free(clientssl);
1046 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
1047 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
1048 /* sock must be connected */
1049 static int ktls_chk_platform(int sock)
1051 if (!ktls_enable(sock))
1056 static int ping_pong_query(SSL *clientssl, SSL *serverssl)
1058 static char count = 1;
1059 unsigned char cbuf[16000] = {0};
1060 unsigned char sbuf[16000];
1062 char crec_wseq_before[SEQ_NUM_SIZE];
1063 char crec_wseq_after[SEQ_NUM_SIZE];
1064 char crec_rseq_before[SEQ_NUM_SIZE];
1065 char crec_rseq_after[SEQ_NUM_SIZE];
1066 char srec_wseq_before[SEQ_NUM_SIZE];
1067 char srec_wseq_after[SEQ_NUM_SIZE];
1068 char srec_rseq_before[SEQ_NUM_SIZE];
1069 char srec_rseq_after[SEQ_NUM_SIZE];
1070 SSL_CONNECTION *clientsc, *serversc;
1072 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1073 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1077 memcpy(crec_wseq_before, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1078 memcpy(srec_wseq_before, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1079 memcpy(crec_rseq_before, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1080 memcpy(srec_rseq_before, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1082 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1085 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1086 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1091 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1094 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1095 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1100 memcpy(crec_wseq_after, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1101 memcpy(srec_wseq_after, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1102 memcpy(crec_rseq_after, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1103 memcpy(srec_rseq_after, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1105 /* verify the payload */
1106 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1110 * If ktls is used then kernel sequences are used instead of
1113 if (!BIO_get_ktls_send(clientsc->wbio)) {
1114 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1115 crec_wseq_after, SEQ_NUM_SIZE))
1118 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1119 crec_wseq_after, SEQ_NUM_SIZE))
1123 if (!BIO_get_ktls_send(serversc->wbio)) {
1124 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1125 srec_wseq_after, SEQ_NUM_SIZE))
1128 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1129 srec_wseq_after, SEQ_NUM_SIZE))
1133 if (!BIO_get_ktls_recv(clientsc->wbio)) {
1134 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1135 crec_rseq_after, SEQ_NUM_SIZE))
1138 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1139 crec_rseq_after, SEQ_NUM_SIZE))
1143 if (!BIO_get_ktls_recv(serversc->wbio)) {
1144 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1145 srec_rseq_after, SEQ_NUM_SIZE))
1148 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1149 srec_rseq_after, SEQ_NUM_SIZE))
1158 static int execute_test_ktls(int cis_ktls, int sis_ktls,
1159 int tls_version, const char *cipher)
1161 SSL_CTX *cctx = NULL, *sctx = NULL;
1162 SSL *clientssl = NULL, *serverssl = NULL;
1163 int ktls_used = 0, testresult = 0;
1164 int cfd = -1, sfd = -1;
1166 SSL_CONNECTION *clientsc, *serversc;
1168 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
1171 /* Skip this test if the platform does not support ktls */
1172 if (!ktls_chk_platform(cfd)) {
1173 testresult = TEST_skip("Kernel does not support KTLS");
1177 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1178 testresult = TEST_skip("CHACHA is not supported in FIPS");
1182 /* Create a session based on SHA-256 */
1183 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1184 TLS_client_method(),
1185 tls_version, tls_version,
1186 &sctx, &cctx, cert, privkey)))
1189 if (tls_version == TLS1_3_VERSION) {
1190 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1191 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1194 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1195 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1199 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1200 &clientssl, sfd, cfd)))
1203 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1204 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1208 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
1213 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1217 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1221 * The running kernel may not support a given cipher suite
1222 * or direction, so just check that KTLS isn't used when it
1226 if (!TEST_false(BIO_get_ktls_send(clientsc->wbio)))
1229 if (BIO_get_ktls_send(clientsc->wbio))
1234 if (!TEST_false(BIO_get_ktls_send(serversc->wbio)))
1237 if (BIO_get_ktls_send(serversc->wbio))
1241 #if defined(OPENSSL_NO_KTLS_RX)
1246 if (!cis_ktls || !rx_supported) {
1247 if (!TEST_false(BIO_get_ktls_recv(clientsc->rbio)))
1250 if (BIO_get_ktls_send(clientsc->rbio))
1254 if (!sis_ktls || !rx_supported) {
1255 if (!TEST_false(BIO_get_ktls_recv(serversc->rbio)))
1258 if (BIO_get_ktls_send(serversc->rbio))
1262 if ((cis_ktls || sis_ktls) && !ktls_used) {
1263 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1264 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1269 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
1275 SSL_shutdown(clientssl);
1276 SSL_free(clientssl);
1279 SSL_shutdown(serverssl);
1280 SSL_free(serverssl);
1284 serverssl = clientssl = NULL;
1292 #define SENDFILE_SZ (16 * 4096)
1293 #define SENDFILE_CHUNK (4 * 4096)
1294 #define min(a,b) ((a) > (b) ? (b) : (a))
1296 static int execute_test_ktls_sendfile(int tls_version, const char *cipher,
1299 SSL_CTX *cctx = NULL, *sctx = NULL;
1300 SSL *clientssl = NULL, *serverssl = NULL;
1301 unsigned char *buf, *buf_dst;
1302 BIO *out = NULL, *in = NULL;
1303 int cfd = -1, sfd = -1, ffd, err;
1304 ssize_t chunk_size = 0;
1305 off_t chunk_off = 0;
1308 SSL_CONNECTION *serversc;
1310 buf = OPENSSL_zalloc(SENDFILE_SZ);
1311 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1312 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1313 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1316 /* Skip this test if the platform does not support ktls */
1317 if (!ktls_chk_platform(sfd)) {
1318 testresult = TEST_skip("Kernel does not support KTLS");
1322 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1323 testresult = TEST_skip("CHACHA is not supported in FIPS");
1327 /* Create a session based on SHA-256 */
1328 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1329 TLS_client_method(),
1330 tls_version, tls_version,
1331 &sctx, &cctx, cert, privkey)))
1334 if (tls_version == TLS1_3_VERSION) {
1335 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1336 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1339 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1340 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1344 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1345 &clientssl, sfd, cfd)))
1348 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1351 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1355 if (!TEST_true(SSL_set_options(serverssl,
1356 SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE)))
1360 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1364 if (!BIO_get_ktls_send(serversc->wbio)) {
1365 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1366 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1371 if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
1374 out = BIO_new_file(tmpfilename, "wb");
1378 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1383 in = BIO_new_file(tmpfilename, "rb");
1384 BIO_get_fp(in, &ffdp);
1387 while (chunk_off < SENDFILE_SZ) {
1388 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1389 while ((err = SSL_sendfile(serverssl,
1393 0)) != chunk_size) {
1394 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1397 while ((err = SSL_read(clientssl,
1398 buf_dst + chunk_off,
1399 chunk_size)) != chunk_size) {
1400 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1404 /* verify the payload */
1405 if (!TEST_mem_eq(buf_dst + chunk_off,
1411 chunk_off += chunk_size;
1417 SSL_shutdown(clientssl);
1418 SSL_free(clientssl);
1421 SSL_shutdown(serverssl);
1422 SSL_free(serverssl);
1426 serverssl = clientssl = NULL;
1434 OPENSSL_free(buf_dst);
1438 static struct ktls_test_cipher {
1441 } ktls_test_ciphers[] = {
1442 # if !defined(OPENSSL_NO_TLS1_2)
1443 # ifdef OPENSSL_KTLS_AES_GCM_128
1444 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1446 # ifdef OPENSSL_KTLS_AES_CCM_128
1447 { TLS1_2_VERSION, "AES128-CCM"},
1449 # ifdef OPENSSL_KTLS_AES_GCM_256
1450 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1452 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1453 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
1456 # if !defined(OSSL_NO_USABLE_TLS1_3)
1457 # ifdef OPENSSL_KTLS_AES_GCM_128
1458 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1460 # ifdef OPENSSL_KTLS_AES_CCM_128
1461 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1463 # ifdef OPENSSL_KTLS_AES_GCM_256
1464 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1466 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1467 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1472 #define NUM_KTLS_TEST_CIPHERS \
1473 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1475 static int test_ktls(int test)
1477 struct ktls_test_cipher *cipher;
1478 int cis_ktls, sis_ktls;
1480 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
1481 cipher = &ktls_test_ciphers[test / 4];
1483 cis_ktls = (test & 1) != 0;
1484 sis_ktls = (test & 2) != 0;
1486 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1490 static int test_ktls_sendfile(int test)
1492 struct ktls_test_cipher *cipher;
1493 int tst = test >> 1;
1495 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
1496 cipher = &ktls_test_ciphers[tst];
1498 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher,
1503 static int test_large_message_tls(void)
1505 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1506 TLS1_VERSION, 0, 0);
1509 static int test_large_message_tls_read_ahead(void)
1511 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1512 TLS1_VERSION, 0, 1);
1515 #ifndef OPENSSL_NO_DTLS
1516 static int test_large_message_dtls(void)
1518 # ifdef OPENSSL_NO_DTLS1_2
1519 /* Not supported in the FIPS provider */
1524 * read_ahead is not relevant to DTLS because DTLS always acts as if
1525 * read_ahead is set.
1527 return execute_test_large_message(DTLS_server_method(),
1528 DTLS_client_method(),
1529 DTLS1_VERSION, 0, 0);
1533 static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1534 const SSL_METHOD *cmeth,
1535 int min_version, int max_version)
1538 SSL_CTX *cctx = NULL, *sctx = NULL;
1539 SSL *clientssl = NULL, *serverssl = NULL;
1542 SSL_CONNECTION *serversc;
1545 static unsigned char cbuf[16000];
1546 static unsigned char sbuf[16000];
1548 if (!TEST_true(create_ssl_ctx_pair(libctx,
1550 min_version, max_version,
1555 #ifdef OPENSSL_NO_DTLS1_2
1556 if (smeth == DTLS_server_method()) {
1557 # ifdef OPENSSL_NO_DTLS1_2
1558 /* Not supported in the FIPS provider */
1565 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1568 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1569 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1570 "DEFAULT:@SECLEVEL=0")))
1575 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1579 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1582 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1586 for (i = 0; i < sizeof(cbuf); i++) {
1590 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1593 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1596 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1600 * Since we called SSL_peek(), we know the data in the record
1601 * layer is a plaintext record. We can gather the pointer to check
1602 * for zeroization after SSL_read().
1604 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1606 rr = serversc->rlayer.tlsrecs;
1608 zbuf = &rr->data[rr->off];
1609 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1613 * After SSL_peek() the plaintext must still be stored in the
1616 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1619 memset(sbuf, 0, sizeof(sbuf));
1620 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1623 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1626 /* Check if rbuf is cleansed */
1627 memset(cbuf, 0, sizeof(cbuf));
1628 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1633 SSL_free(serverssl);
1634 SSL_free(clientssl);
1641 static int test_cleanse_plaintext(void)
1643 #if !defined(OPENSSL_NO_TLS1_2)
1644 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1645 TLS_client_method(),
1652 #if !defined(OSSL_NO_USABLE_TLS1_3)
1653 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1654 TLS_client_method(),
1660 #if !defined(OPENSSL_NO_DTLS)
1662 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1663 DTLS_client_method(),
1671 #ifndef OPENSSL_NO_OCSP
1672 static int ocsp_server_cb(SSL *s, void *arg)
1674 int *argi = (int *)arg;
1675 unsigned char *copy = NULL;
1676 STACK_OF(OCSP_RESPID) *ids = NULL;
1677 OCSP_RESPID *id = NULL;
1680 /* In this test we are expecting exactly 1 OCSP_RESPID */
1681 SSL_get_tlsext_status_ids(s, &ids);
1682 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1683 return SSL_TLSEXT_ERR_ALERT_FATAL;
1685 id = sk_OCSP_RESPID_value(ids, 0);
1686 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1687 return SSL_TLSEXT_ERR_ALERT_FATAL;
1688 } else if (*argi != 1) {
1689 return SSL_TLSEXT_ERR_ALERT_FATAL;
1692 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1693 return SSL_TLSEXT_ERR_ALERT_FATAL;
1695 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1696 sizeof(orespder)))) {
1698 return SSL_TLSEXT_ERR_ALERT_FATAL;
1700 ocsp_server_called = 1;
1701 return SSL_TLSEXT_ERR_OK;
1704 static int ocsp_client_cb(SSL *s, void *arg)
1706 int *argi = (int *)arg;
1707 const unsigned char *respderin;
1710 if (*argi != 1 && *argi != 2)
1713 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1714 if (!TEST_mem_eq(orespder, len, respderin, len))
1717 ocsp_client_called = 1;
1721 static int test_tlsext_status_type(void)
1723 SSL_CTX *cctx = NULL, *sctx = NULL;
1724 SSL *clientssl = NULL, *serverssl = NULL;
1726 STACK_OF(OCSP_RESPID) *ids = NULL;
1727 OCSP_RESPID *id = NULL;
1728 BIO *certbio = NULL;
1730 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1732 &sctx, &cctx, cert, privkey))
1735 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1738 /* First just do various checks getting and setting tlsext_status_type */
1740 clientssl = SSL_new(cctx);
1741 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1742 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1743 TLSEXT_STATUSTYPE_ocsp))
1744 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1745 TLSEXT_STATUSTYPE_ocsp))
1748 SSL_free(clientssl);
1751 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1752 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1755 clientssl = SSL_new(cctx);
1756 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1758 SSL_free(clientssl);
1762 * Now actually do a handshake and check OCSP information is exchanged and
1763 * the callbacks get called
1765 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1766 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1767 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1768 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1769 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1770 &clientssl, NULL, NULL))
1771 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1773 || !TEST_true(ocsp_client_called)
1774 || !TEST_true(ocsp_server_called))
1776 SSL_free(serverssl);
1777 SSL_free(clientssl);
1781 /* Try again but this time force the server side callback to fail */
1782 ocsp_client_called = 0;
1783 ocsp_server_called = 0;
1785 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1786 &clientssl, NULL, NULL))
1787 /* This should fail because the callback will fail */
1788 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1790 || !TEST_false(ocsp_client_called)
1791 || !TEST_false(ocsp_server_called))
1793 SSL_free(serverssl);
1794 SSL_free(clientssl);
1799 * This time we'll get the client to send an OCSP_RESPID that it will
1802 ocsp_client_called = 0;
1803 ocsp_server_called = 0;
1805 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1806 &clientssl, NULL, NULL)))
1810 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1811 * specific one. We'll use the server cert.
1813 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1814 || !TEST_ptr(id = OCSP_RESPID_new())
1815 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1816 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
1817 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
1818 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1819 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1822 SSL_set_tlsext_status_ids(clientssl, ids);
1823 /* Control has been transferred */
1829 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1831 || !TEST_true(ocsp_client_called)
1832 || !TEST_true(ocsp_server_called))
1838 SSL_free(serverssl);
1839 SSL_free(clientssl);
1842 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1843 OCSP_RESPID_free(id);
1845 X509_free(ocspcert);
1852 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1853 static int new_called, remove_called, get_called;
1855 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1859 * sess has been up-refed for us, but we don't actually need it so free it
1862 SSL_SESSION_free(sess);
1866 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1871 static SSL_SESSION *get_sess_val = NULL;
1873 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1878 return get_sess_val;
1881 static int execute_test_session(int maxprot, int use_int_cache,
1882 int use_ext_cache, long s_options)
1884 SSL_CTX *sctx = NULL, *cctx = NULL;
1885 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1886 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1887 # ifndef OPENSSL_NO_TLS1_1
1888 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1890 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1891 int testresult = 0, numnewsesstick = 1;
1893 new_called = remove_called = 0;
1895 /* TLSv1.3 sends 2 NewSessionTickets */
1896 if (maxprot == TLS1_3_VERSION)
1899 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1900 TLS_client_method(), TLS1_VERSION, 0,
1901 &sctx, &cctx, cert, privkey)))
1905 * Only allow the max protocol version so we can force a connection failure
1908 SSL_CTX_set_min_proto_version(cctx, maxprot);
1909 SSL_CTX_set_max_proto_version(cctx, maxprot);
1911 /* Set up session cache */
1912 if (use_ext_cache) {
1913 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1914 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1916 if (use_int_cache) {
1917 /* Also covers instance where both are set */
1918 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1920 SSL_CTX_set_session_cache_mode(cctx,
1921 SSL_SESS_CACHE_CLIENT
1922 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1926 SSL_CTX_set_options(sctx, s_options);
1929 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1931 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1933 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1936 /* Should fail because it should already be in the cache */
1937 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1940 && (!TEST_int_eq(new_called, numnewsesstick)
1942 || !TEST_int_eq(remove_called, 0)))
1945 new_called = remove_called = 0;
1946 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1947 &clientssl2, NULL, NULL))
1948 || !TEST_true(SSL_set_session(clientssl2, sess1))
1949 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1951 || !TEST_true(SSL_session_reused(clientssl2)))
1954 if (maxprot == TLS1_3_VERSION) {
1956 * In TLSv1.3 we should have created a new session even though we have
1957 * resumed. Since we attempted a resume we should also have removed the
1958 * old ticket from the cache so that we try to only use tickets once.
1961 && (!TEST_int_eq(new_called, 1)
1962 || !TEST_int_eq(remove_called, 1)))
1966 * In TLSv1.2 we expect to have resumed so no sessions added or
1970 && (!TEST_int_eq(new_called, 0)
1971 || !TEST_int_eq(remove_called, 0)))
1975 SSL_SESSION_free(sess1);
1976 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1978 shutdown_ssl_connection(serverssl2, clientssl2);
1979 serverssl2 = clientssl2 = NULL;
1981 new_called = remove_called = 0;
1982 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1983 &clientssl2, NULL, NULL))
1984 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1988 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1992 && (!TEST_int_eq(new_called, numnewsesstick)
1993 || !TEST_int_eq(remove_called, 0)))
1996 new_called = remove_called = 0;
1998 * This should clear sess2 from the cache because it is a "bad" session.
1999 * See SSL_set_session() documentation.
2001 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2004 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2006 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2009 if (use_int_cache) {
2010 /* Should succeeded because it should not already be in the cache */
2011 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
2012 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
2016 new_called = remove_called = 0;
2017 /* This shouldn't be in the cache so should fail */
2018 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2022 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2025 # if !defined(OPENSSL_NO_TLS1_1)
2026 new_called = remove_called = 0;
2027 /* Force a connection failure */
2028 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
2029 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
2030 &clientssl3, NULL, NULL))
2031 || !TEST_true(SSL_set_session(clientssl3, sess1))
2032 /* This should fail because of the mismatched protocol versions */
2033 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
2037 /* We should have automatically removed the session from the cache */
2039 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2042 /* Should succeed because it should not already be in the cache */
2043 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
2047 /* Now do some tests for server side caching */
2048 if (use_ext_cache) {
2049 SSL_CTX_sess_set_new_cb(cctx, NULL);
2050 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2051 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2052 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2053 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2054 get_sess_val = NULL;
2057 SSL_CTX_set_session_cache_mode(cctx, 0);
2058 /* Internal caching is the default on the server side */
2060 SSL_CTX_set_session_cache_mode(sctx,
2061 SSL_SESS_CACHE_SERVER
2062 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2064 SSL_free(serverssl1);
2065 SSL_free(clientssl1);
2066 serverssl1 = clientssl1 = NULL;
2067 SSL_free(serverssl2);
2068 SSL_free(clientssl2);
2069 serverssl2 = clientssl2 = NULL;
2070 SSL_SESSION_free(sess1);
2072 SSL_SESSION_free(sess2);
2075 SSL_CTX_set_max_proto_version(sctx, maxprot);
2076 if (maxprot == TLS1_2_VERSION)
2077 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
2078 new_called = remove_called = get_called = 0;
2079 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2081 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2083 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2084 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2087 if (use_int_cache) {
2088 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2090 * In TLSv1.3 it should not have been added to the internal cache,
2091 * except in the case where we also have an external cache (in that
2092 * case it gets added to the cache in order to generate remove
2093 * events after timeout).
2095 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2098 /* Should fail because it should already be in the cache */
2099 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2104 if (use_ext_cache) {
2105 SSL_SESSION *tmp = sess2;
2107 if (!TEST_int_eq(new_called, numnewsesstick)
2108 || !TEST_int_eq(remove_called, 0)
2109 || !TEST_int_eq(get_called, 0))
2112 * Delete the session from the internal cache to force a lookup from
2113 * the external cache. We take a copy first because
2114 * SSL_CTX_remove_session() also marks the session as non-resumable.
2116 if (use_int_cache && maxprot != TLS1_3_VERSION) {
2117 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2118 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2120 SSL_SESSION_free(sess2);
2125 new_called = remove_called = get_called = 0;
2126 get_sess_val = sess2;
2127 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2128 &clientssl2, NULL, NULL))
2129 || !TEST_true(SSL_set_session(clientssl2, sess1))
2130 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2132 || !TEST_true(SSL_session_reused(clientssl2)))
2135 if (use_ext_cache) {
2136 if (!TEST_int_eq(remove_called, 0))
2139 if (maxprot == TLS1_3_VERSION) {
2140 if (!TEST_int_eq(new_called, 1)
2141 || !TEST_int_eq(get_called, 0))
2144 if (!TEST_int_eq(new_called, 0)
2145 || !TEST_int_eq(get_called, 1))
2150 * Make a small cache, force out all other sessions but
2151 * sess2, try to add sess1, which should succeed. Then
2152 * make sure it's there by checking the owners. Despite
2153 * the timeouts, sess1 should have kicked out sess2
2156 /* Make sess1 expire before sess2 */
2157 if (!TEST_long_gt(SSL_SESSION_set_time(sess1, 1000), 0)
2158 || !TEST_long_gt(SSL_SESSION_set_timeout(sess1, 1000), 0)
2159 || !TEST_long_gt(SSL_SESSION_set_time(sess2, 2000), 0)
2160 || !TEST_long_gt(SSL_SESSION_set_timeout(sess2, 2000), 0))
2163 if (!TEST_long_ne(SSL_CTX_sess_set_cache_size(sctx, 1), 0))
2166 /* Don't care about results - cache should only be sess2 at end */
2167 SSL_CTX_add_session(sctx, sess1);
2168 SSL_CTX_add_session(sctx, sess2);
2170 /* Now add sess1, and make sure it remains, despite timeout */
2171 if (!TEST_true(SSL_CTX_add_session(sctx, sess1))
2172 || !TEST_ptr(sess1->owner)
2173 || !TEST_ptr_null(sess2->owner))
2179 SSL_free(serverssl1);
2180 SSL_free(clientssl1);
2181 SSL_free(serverssl2);
2182 SSL_free(clientssl2);
2183 # ifndef OPENSSL_NO_TLS1_1
2184 SSL_free(serverssl3);
2185 SSL_free(clientssl3);
2187 SSL_SESSION_free(sess1);
2188 SSL_SESSION_free(sess2);
2194 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2196 static int test_session_with_only_int_cache(void)
2198 #ifndef OSSL_NO_USABLE_TLS1_3
2199 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
2203 #ifndef OPENSSL_NO_TLS1_2
2204 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
2210 static int test_session_with_only_ext_cache(void)
2212 #ifndef OSSL_NO_USABLE_TLS1_3
2213 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
2217 #ifndef OPENSSL_NO_TLS1_2
2218 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
2224 static int test_session_with_both_cache(void)
2226 #ifndef OSSL_NO_USABLE_TLS1_3
2227 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2231 #ifndef OPENSSL_NO_TLS1_2
2232 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2238 static int test_session_wo_ca_names(void)
2240 #ifndef OSSL_NO_USABLE_TLS1_3
2241 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
2245 #ifndef OPENSSL_NO_TLS1_2
2246 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
2253 #ifndef OSSL_NO_USABLE_TLS1_3
2254 static SSL_SESSION *sesscache[6];
2255 static int do_cache;
2257 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2260 sesscache[new_called] = sess;
2262 /* We don't need the reference to the session, so free it */
2263 SSL_SESSION_free(sess);
2270 static int post_handshake_verify(SSL *sssl, SSL *cssl)
2272 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2273 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2276 /* Start handshake on the server and client */
2277 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2278 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2279 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2280 || !TEST_true(create_ssl_connection(sssl, cssl,
2287 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
2290 int sess_id_ctx = 1;
2292 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2293 TLS_client_method(), TLS1_VERSION, 0,
2294 sctx, cctx, cert, privkey))
2295 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2296 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2297 (void *)&sess_id_ctx,
2298 sizeof(sess_id_ctx))))
2302 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2304 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2305 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2306 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2311 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2313 SSL *serverssl = NULL, *clientssl = NULL;
2316 /* Test that we can resume with all the tickets we got given */
2317 for (i = 0; i < idx * 2; i++) {
2319 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2320 &clientssl, NULL, NULL))
2321 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2324 SSL_set_post_handshake_auth(clientssl, 1);
2326 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2331 * Following a successful resumption we only get 1 ticket. After a
2332 * failed one we should get idx tickets.
2335 if (!TEST_true(SSL_session_reused(clientssl))
2336 || !TEST_int_eq(new_called, 1))
2339 if (!TEST_false(SSL_session_reused(clientssl))
2340 || !TEST_int_eq(new_called, idx))
2345 /* After a post-handshake authentication we should get 1 new ticket */
2347 && (!post_handshake_verify(serverssl, clientssl)
2348 || !TEST_int_eq(new_called, 1)))
2351 SSL_shutdown(clientssl);
2352 SSL_shutdown(serverssl);
2353 SSL_free(serverssl);
2354 SSL_free(clientssl);
2355 serverssl = clientssl = NULL;
2356 SSL_SESSION_free(sesscache[i]);
2357 sesscache[i] = NULL;
2363 SSL_free(clientssl);
2364 SSL_free(serverssl);
2368 static int test_tickets(int stateful, int idx)
2370 SSL_CTX *sctx = NULL, *cctx = NULL;
2371 SSL *serverssl = NULL, *clientssl = NULL;
2375 /* idx is the test number, but also the number of tickets we want */
2380 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2383 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2384 &clientssl, NULL, NULL)))
2387 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2389 /* Check we got the number of tickets we were expecting */
2390 || !TEST_int_eq(idx, new_called))
2393 SSL_shutdown(clientssl);
2394 SSL_shutdown(serverssl);
2395 SSL_free(serverssl);
2396 SSL_free(clientssl);
2399 clientssl = serverssl = NULL;
2403 * Now we try to resume with the tickets we previously created. The
2404 * resumption attempt is expected to fail (because we're now using a new
2405 * SSL_CTX). We should see idx number of tickets issued again.
2408 /* Stop caching sessions - just count them */
2411 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2414 if (!check_resumption(idx, sctx, cctx, 0))
2417 /* Start again with caching sessions */
2424 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2427 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2428 &clientssl, NULL, NULL)))
2431 SSL_set_post_handshake_auth(clientssl, 1);
2433 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2435 /* Check we got the number of tickets we were expecting */
2436 || !TEST_int_eq(idx, new_called))
2439 /* After a post-handshake authentication we should get new tickets issued */
2440 if (!post_handshake_verify(serverssl, clientssl)
2441 || !TEST_int_eq(idx * 2, new_called))
2444 SSL_shutdown(clientssl);
2445 SSL_shutdown(serverssl);
2446 SSL_free(serverssl);
2447 SSL_free(clientssl);
2448 serverssl = clientssl = NULL;
2450 /* Stop caching sessions - just count them */
2454 * Check we can resume with all the tickets we created. This time around the
2455 * resumptions should all be successful.
2457 if (!check_resumption(idx, sctx, cctx, 1))
2463 SSL_free(serverssl);
2464 SSL_free(clientssl);
2465 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2466 SSL_SESSION_free(sesscache[j]);
2467 sesscache[j] = NULL;
2475 static int test_stateless_tickets(int idx)
2477 return test_tickets(0, idx);
2480 static int test_stateful_tickets(int idx)
2482 return test_tickets(1, idx);
2485 static int test_psk_tickets(void)
2487 SSL_CTX *sctx = NULL, *cctx = NULL;
2488 SSL *serverssl = NULL, *clientssl = NULL;
2490 int sess_id_ctx = 1;
2492 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2493 TLS_client_method(), TLS1_VERSION, 0,
2494 &sctx, &cctx, NULL, NULL))
2495 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2496 (void *)&sess_id_ctx,
2497 sizeof(sess_id_ctx))))
2500 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2501 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2502 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2503 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2504 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2505 use_session_cb_cnt = 0;
2506 find_session_cb_cnt = 0;
2510 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2513 clientpsk = serverpsk = create_a_psk(clientssl);
2514 if (!TEST_ptr(clientpsk))
2516 SSL_SESSION_up_ref(clientpsk);
2518 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2520 || !TEST_int_eq(1, find_session_cb_cnt)
2521 || !TEST_int_eq(1, use_session_cb_cnt)
2522 /* We should always get 1 ticket when using external PSK */
2523 || !TEST_int_eq(1, new_called))
2529 SSL_free(serverssl);
2530 SSL_free(clientssl);
2533 SSL_SESSION_free(clientpsk);
2534 SSL_SESSION_free(serverpsk);
2535 clientpsk = serverpsk = NULL;
2540 static int test_extra_tickets(int idx)
2542 SSL_CTX *sctx = NULL, *cctx = NULL;
2543 SSL *serverssl = NULL, *clientssl = NULL;
2544 BIO *bretry = BIO_new(bio_s_always_retry());
2549 unsigned char c, buf[1];
2559 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2561 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2562 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2563 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2565 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2566 &clientssl, NULL, NULL)))
2570 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2571 * incremented by both client and server.
2573 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2575 /* Check we got the number of tickets we were expecting */
2576 || !TEST_int_eq(idx * 2, new_called)
2577 || !TEST_true(SSL_new_session_ticket(serverssl))
2578 || !TEST_true(SSL_new_session_ticket(serverssl))
2579 || !TEST_int_eq(idx * 2, new_called))
2582 /* Now try a (real) write to actually send the tickets */
2584 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2585 || !TEST_size_t_eq(1, nbytes)
2586 || !TEST_int_eq(idx * 2 + 2, new_called)
2587 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2588 || !TEST_int_eq(idx * 2 + 4, new_called)
2589 || !TEST_int_eq(sizeof(buf), nbytes)
2590 || !TEST_int_eq(c, buf[0])
2591 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2594 /* Try with only requesting one new ticket, too */
2597 if (!TEST_true(SSL_new_session_ticket(serverssl))
2598 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2599 || !TEST_size_t_eq(sizeof(c), nbytes)
2600 || !TEST_int_eq(1, new_called)
2601 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2602 || !TEST_int_eq(2, new_called)
2603 || !TEST_size_t_eq(sizeof(buf), nbytes)
2604 || !TEST_int_eq(c, buf[0]))
2607 /* Do it again but use dummy writes to drive the ticket generation */
2610 if (!TEST_true(SSL_new_session_ticket(serverssl))
2611 || !TEST_true(SSL_new_session_ticket(serverssl))
2612 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2613 || !TEST_size_t_eq(0, nbytes)
2614 || !TEST_int_eq(2, new_called)
2615 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2616 || !TEST_int_eq(4, new_called))
2619 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2622 if (!TEST_true(SSL_new_session_ticket(serverssl))
2623 || !TEST_true(SSL_new_session_ticket(serverssl))
2624 || !TEST_true(SSL_do_handshake(serverssl))
2625 || !TEST_int_eq(2, new_called)
2626 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2627 || !TEST_int_eq(4, new_called))
2631 * Use the always-retry BIO to exercise the logic that forces ticket
2632 * generation to wait until a record boundary.
2636 tmp = SSL_get_wbio(serverssl);
2637 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2641 SSL_set0_wbio(serverssl, bretry);
2643 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2644 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2645 || !TEST_size_t_eq(nbytes, 0))
2647 /* Restore a BIO that will let the write succeed */
2648 SSL_set0_wbio(serverssl, tmp);
2651 * These calls should just queue the request and not send anything
2652 * even if we explicitly try to hit the state machine.
2654 if (!TEST_true(SSL_new_session_ticket(serverssl))
2655 || !TEST_true(SSL_new_session_ticket(serverssl))
2656 || !TEST_int_eq(0, new_called)
2657 || !TEST_true(SSL_do_handshake(serverssl))
2658 || !TEST_int_eq(0, new_called))
2660 /* Re-do the write; still no tickets sent */
2661 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2662 || !TEST_size_t_eq(1, nbytes)
2663 || !TEST_int_eq(0, new_called)
2664 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2665 || !TEST_int_eq(0, new_called)
2666 || !TEST_int_eq(sizeof(buf), nbytes)
2667 || !TEST_int_eq(c, buf[0])
2668 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2670 /* Even trying to hit the state machine now will still not send tickets */
2671 if (!TEST_true(SSL_do_handshake(serverssl))
2672 || !TEST_int_eq(0, new_called))
2674 /* Now the *next* write should send the tickets */
2676 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2677 || !TEST_size_t_eq(1, nbytes)
2678 || !TEST_int_eq(2, new_called)
2679 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2680 || !TEST_int_eq(4, new_called)
2681 || !TEST_int_eq(sizeof(buf), nbytes)
2682 || !TEST_int_eq(c, buf[0])
2683 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2686 SSL_shutdown(clientssl);
2687 SSL_shutdown(serverssl);
2693 SSL_free(serverssl);
2694 SSL_free(clientssl);
2697 clientssl = serverssl = NULL;
2706 #define USE_DEFAULT 3
2708 #define CONNTYPE_CONNECTION_SUCCESS 0
2709 #define CONNTYPE_CONNECTION_FAIL 1
2710 #define CONNTYPE_NO_CONNECTION 2
2712 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2713 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2714 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2715 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2717 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2720 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2721 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2722 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2724 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2741 * Tests calls to SSL_set_bio() under various conditions.
2743 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2744 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2745 * then do more tests where we create a successful connection first using our
2746 * standard connection setup functions, and then call SSL_set_bio() with
2747 * various combinations of valid BIOs or NULL. We then repeat these tests
2748 * following a failed connection. In this last case we are looking to check that
2749 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2751 static int test_ssl_set_bio(int idx)
2753 SSL_CTX *sctx = NULL, *cctx = NULL;
2756 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2757 SSL *serverssl = NULL, *clientssl = NULL;
2758 int initrbio, initwbio, newrbio, newwbio, conntype;
2761 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2769 conntype = CONNTYPE_NO_CONNECTION;
2771 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2772 initrbio = initwbio = USE_DEFAULT;
2780 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2781 TLS_client_method(), TLS1_VERSION, 0,
2782 &sctx, &cctx, cert, privkey)))
2785 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2787 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2788 * because we reduced the number of tests in the definition of
2789 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2790 * mismatched protocol versions we will force a connection failure.
2792 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2793 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2796 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2800 if (initrbio == USE_BIO_1
2801 || initwbio == USE_BIO_1
2802 || newrbio == USE_BIO_1
2803 || newwbio == USE_BIO_1) {
2804 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2808 if (initrbio == USE_BIO_2
2809 || initwbio == USE_BIO_2
2810 || newrbio == USE_BIO_2
2811 || newwbio == USE_BIO_2) {
2812 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2816 if (initrbio != USE_DEFAULT) {
2817 setupbio(&irbio, bio1, bio2, initrbio);
2818 setupbio(&iwbio, bio1, bio2, initwbio);
2819 SSL_set_bio(clientssl, irbio, iwbio);
2822 * We want to maintain our own refs to these BIO, so do an up ref for
2823 * each BIO that will have ownership transferred in the SSL_set_bio()
2828 if (iwbio != NULL && iwbio != irbio)
2832 if (conntype != CONNTYPE_NO_CONNECTION
2833 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2835 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2838 setupbio(&nrbio, bio1, bio2, newrbio);
2839 setupbio(&nwbio, bio1, bio2, newwbio);
2842 * We will (maybe) transfer ownership again so do more up refs.
2843 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2848 && (nwbio != iwbio || nrbio != nwbio))
2852 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2855 SSL_set_bio(clientssl, nrbio, nwbio);
2864 * This test is checking that the ref counting for SSL_set_bio is correct.
2865 * If we get here and we did too many frees then we will fail in the above
2868 SSL_free(serverssl);
2869 SSL_free(clientssl);
2875 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
2877 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
2879 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
2884 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
2885 || !TEST_ptr(ssl = SSL_new(ctx))
2886 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2887 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
2890 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2893 * If anything goes wrong here then we could leak memory.
2895 BIO_push(sslbio, membio1);
2897 /* Verify changing the rbio/wbio directly does not cause leaks */
2898 if (change_bio != NO_BIO_CHANGE) {
2899 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
2903 if (change_bio == CHANGE_RBIO)
2904 SSL_set0_rbio(ssl, membio2);
2906 SSL_set0_wbio(ssl, membio2);
2925 static int test_ssl_bio_pop_next_bio(void)
2927 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
2930 static int test_ssl_bio_pop_ssl_bio(void)
2932 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
2935 static int test_ssl_bio_change_rbio(void)
2937 return execute_test_ssl_bio(0, CHANGE_RBIO);
2940 static int test_ssl_bio_change_wbio(void)
2942 return execute_test_ssl_bio(0, CHANGE_WBIO);
2945 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
2947 /* The list of sig algs */
2949 /* The length of the list */
2951 /* A sigalgs list in string format */
2952 const char *liststr;
2953 /* Whether setting the list should succeed */
2955 /* Whether creating a connection with the list should succeed */
2959 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
2960 # ifndef OPENSSL_NO_EC
2961 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2962 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
2964 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2965 static const int invalidlist2[] = {NID_sha256, NID_undef};
2966 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2967 static const int invalidlist4[] = {NID_sha256};
2968 static const sigalgs_list testsigalgs[] = {
2969 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2970 # ifndef OPENSSL_NO_EC
2971 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2972 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2974 {NULL, 0, "RSA+SHA256", 1, 1},
2975 # ifndef OPENSSL_NO_EC
2976 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2977 {NULL, 0, "ECDSA+SHA512", 1, 0},
2979 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2980 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2981 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2982 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2983 {NULL, 0, "RSA", 0, 0},
2984 {NULL, 0, "SHA256", 0, 0},
2985 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2986 {NULL, 0, "Invalid", 0, 0}
2989 static int test_set_sigalgs(int idx)
2991 SSL_CTX *cctx = NULL, *sctx = NULL;
2992 SSL *clientssl = NULL, *serverssl = NULL;
2994 const sigalgs_list *curr;
2997 /* Should never happen */
2998 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
3001 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
3002 curr = testctx ? &testsigalgs[idx]
3003 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
3005 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3006 TLS_client_method(), TLS1_VERSION, 0,
3007 &sctx, &cctx, cert, privkey)))
3010 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
3015 if (curr->list != NULL)
3016 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
3018 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
3022 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
3028 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
3033 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3034 &clientssl, NULL, NULL)))
3040 if (curr->list != NULL)
3041 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
3043 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
3046 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
3055 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
3063 SSL_free(serverssl);
3064 SSL_free(clientssl);
3072 #ifndef OSSL_NO_USABLE_TLS1_3
3073 static int psk_client_cb_cnt = 0;
3074 static int psk_server_cb_cnt = 0;
3076 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3077 size_t *idlen, SSL_SESSION **sess)
3079 switch (++use_session_cb_cnt) {
3081 /* The first call should always have a NULL md */
3087 /* The second call should always have an md */
3093 /* We should only be called a maximum of twice */
3097 if (clientpsk != NULL)
3098 SSL_SESSION_up_ref(clientpsk);
3101 *id = (const unsigned char *)pskid;
3102 *idlen = strlen(pskid);
3107 #ifndef OPENSSL_NO_PSK
3108 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3109 unsigned int max_id_len,
3111 unsigned int max_psk_len)
3113 unsigned int psklen = 0;
3115 psk_client_cb_cnt++;
3117 if (strlen(pskid) + 1 > max_id_len)
3120 /* We should only ever be called a maximum of twice per connection */
3121 if (psk_client_cb_cnt > 2)
3124 if (clientpsk == NULL)
3127 /* We'll reuse the PSK we set up for TLSv1.3 */
3128 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3130 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3131 strncpy(id, pskid, max_id_len);
3135 #endif /* OPENSSL_NO_PSK */
3137 static int find_session_cb(SSL *ssl, const unsigned char *identity,
3138 size_t identity_len, SSL_SESSION **sess)
3140 find_session_cb_cnt++;
3142 /* We should only ever be called a maximum of twice per connection */
3143 if (find_session_cb_cnt > 2)
3146 if (serverpsk == NULL)
3149 /* Identity should match that set by the client */
3150 if (strlen(srvid) != identity_len
3151 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3152 /* No PSK found, continue but without a PSK */
3157 SSL_SESSION_up_ref(serverpsk);
3163 #ifndef OPENSSL_NO_PSK
3164 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3165 unsigned char *psk, unsigned int max_psk_len)
3167 unsigned int psklen = 0;
3169 psk_server_cb_cnt++;
3171 /* We should only ever be called a maximum of twice per connection */
3172 if (find_session_cb_cnt > 2)
3175 if (serverpsk == NULL)
3178 /* Identity should match that set by the client */
3179 if (strcmp(srvid, identity) != 0) {
3183 /* We'll reuse the PSK we set up for TLSv1.3 */
3184 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3186 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3190 #endif /* OPENSSL_NO_PSK */
3192 #define MSG1 "Hello"
3193 #define MSG2 "World."
3198 #define MSG7 "message."
3200 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
3201 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3202 #define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3203 #define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3204 #define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
3207 static SSL_SESSION *create_a_psk(SSL *ssl)
3209 const SSL_CIPHER *cipher = NULL;
3210 const unsigned char key[] = {
3211 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3212 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3213 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3214 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3215 0x2c, 0x2d, 0x2e, 0x2f
3217 SSL_SESSION *sess = NULL;
3219 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3220 sess = SSL_SESSION_new();
3222 || !TEST_ptr(cipher)
3223 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
3225 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3227 SSL_SESSION_set_protocol_version(sess,
3229 SSL_SESSION_free(sess);
3236 * Helper method to setup objects for early data test. Caller frees objects on
3239 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3240 SSL **serverssl, SSL_SESSION **sess, int idx)
3243 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3244 TLS_client_method(),
3246 sctx, cctx, cert, privkey)))
3249 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
3253 /* When idx == 1 we repeat the tests with read_ahead set */
3254 SSL_CTX_set_read_ahead(*cctx, 1);
3255 SSL_CTX_set_read_ahead(*sctx, 1);
3256 } else if (idx == 2) {
3257 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3258 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3259 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3260 use_session_cb_cnt = 0;
3261 find_session_cb_cnt = 0;
3265 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
3270 * For one of the run throughs (doesn't matter which one), we'll try sending
3271 * some SNI data in the initial ClientHello. This will be ignored (because
3272 * there is no SNI cb set up by the server), so it should not impact
3276 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3280 clientpsk = create_a_psk(*clientssl);
3281 if (!TEST_ptr(clientpsk)
3283 * We just choose an arbitrary value for max_early_data which
3284 * should be big enough for testing purposes.
3286 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3288 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3289 SSL_SESSION_free(clientpsk);
3293 serverpsk = clientpsk;
3296 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3297 SSL_SESSION_free(clientpsk);
3298 SSL_SESSION_free(serverpsk);
3299 clientpsk = serverpsk = NULL;
3310 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3314 *sess = SSL_get1_session(*clientssl);
3315 SSL_shutdown(*clientssl);
3316 SSL_shutdown(*serverssl);
3317 SSL_free(*serverssl);
3318 SSL_free(*clientssl);
3319 *serverssl = *clientssl = NULL;
3321 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3322 clientssl, NULL, NULL))
3323 || !TEST_true(SSL_set_session(*clientssl, *sess)))
3329 static int test_early_data_read_write(int idx)
3331 SSL_CTX *cctx = NULL, *sctx = NULL;
3332 SSL *clientssl = NULL, *serverssl = NULL;
3334 SSL_SESSION *sess = NULL;
3335 unsigned char buf[20], data[1024];
3336 size_t readbytes, written, eoedlen, rawread, rawwritten;
3339 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3340 &serverssl, &sess, idx)))
3343 /* Write and read some early data */
3344 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3346 || !TEST_size_t_eq(written, strlen(MSG1))
3347 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3348 sizeof(buf), &readbytes),
3349 SSL_READ_EARLY_DATA_SUCCESS)
3350 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3351 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3352 SSL_EARLY_DATA_ACCEPTED))
3356 * Server should be able to write data, and client should be able to
3359 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3361 || !TEST_size_t_eq(written, strlen(MSG2))
3362 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3363 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3366 /* Even after reading normal data, client should be able write early data */
3367 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3369 || !TEST_size_t_eq(written, strlen(MSG3)))
3372 /* Server should still be able read early data after writing data */
3373 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3375 SSL_READ_EARLY_DATA_SUCCESS)
3376 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3379 /* Write more data from server and read it from client */
3380 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3382 || !TEST_size_t_eq(written, strlen(MSG4))
3383 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3384 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3388 * If client writes normal data it should mean writing early data is no
3391 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3392 || !TEST_size_t_eq(written, strlen(MSG5))
3393 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3394 SSL_EARLY_DATA_ACCEPTED))
3398 * At this point the client has written EndOfEarlyData, ClientFinished and
3399 * normal (fully protected) data. We are going to cause a delay between the
3400 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3401 * in the read BIO, and then just put back the EndOfEarlyData message.
3403 rbio = SSL_get_rbio(serverssl);
3404 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3405 || !TEST_size_t_lt(rawread, sizeof(data))
3406 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3409 /* Record length is in the 4th and 5th bytes of the record header */
3410 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3411 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3412 || !TEST_size_t_eq(rawwritten, eoedlen))
3415 /* Server should be told that there is no more early data */
3416 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3418 SSL_READ_EARLY_DATA_FINISH)
3419 || !TEST_size_t_eq(readbytes, 0))
3423 * Server has not finished init yet, so should still be able to write early
3426 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3428 || !TEST_size_t_eq(written, strlen(MSG6)))
3431 /* Push the ClientFinished and the normal data back into the server rbio */
3432 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3434 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3437 /* Server should be able to read normal data */
3438 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3439 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3442 /* Client and server should not be able to write/read early data now */
3443 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3447 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3449 SSL_READ_EARLY_DATA_ERROR))
3453 /* Client should be able to read the data sent by the server */
3454 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3455 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3459 * Make sure we process the two NewSessionTickets. These arrive
3460 * post-handshake. We attempt reads which we do not expect to return any
3463 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3464 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3468 /* Server should be able to write normal data */
3469 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3470 || !TEST_size_t_eq(written, strlen(MSG7))
3471 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3472 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3475 SSL_SESSION_free(sess);
3476 sess = SSL_get1_session(clientssl);
3477 use_session_cb_cnt = 0;
3478 find_session_cb_cnt = 0;
3480 SSL_shutdown(clientssl);
3481 SSL_shutdown(serverssl);
3482 SSL_free(serverssl);
3483 SSL_free(clientssl);
3484 serverssl = clientssl = NULL;
3485 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3486 &clientssl, NULL, NULL))
3487 || !TEST_true(SSL_set_session(clientssl, sess)))
3490 /* Write and read some early data */
3491 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3493 || !TEST_size_t_eq(written, strlen(MSG1))
3494 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3496 SSL_READ_EARLY_DATA_SUCCESS)
3497 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3500 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3501 || !TEST_int_gt(SSL_accept(serverssl), 0))
3504 /* Client and server should not be able to write/read early data now */
3505 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3509 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3511 SSL_READ_EARLY_DATA_ERROR))
3515 /* Client and server should be able to write/read normal data */
3516 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3517 || !TEST_size_t_eq(written, strlen(MSG5))
3518 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3519 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3525 SSL_SESSION_free(sess);
3526 SSL_SESSION_free(clientpsk);
3527 SSL_SESSION_free(serverpsk);
3528 clientpsk = serverpsk = NULL;
3529 SSL_free(serverssl);
3530 SSL_free(clientssl);
3536 static int allow_ed_cb_called = 0;
3538 static int allow_early_data_cb(SSL *s, void *arg)
3540 int *usecb = (int *)arg;
3542 allow_ed_cb_called++;
3551 * idx == 0: Standard early_data setup
3552 * idx == 1: early_data setup using read_ahead
3553 * usecb == 0: Don't use a custom early data callback
3554 * usecb == 1: Use a custom early data callback and reject the early data
3555 * usecb == 2: Use a custom early data callback and accept the early data
3556 * confopt == 0: Configure anti-replay directly
3557 * confopt == 1: Configure anti-replay using SSL_CONF
3559 static int test_early_data_replay_int(int idx, int usecb, int confopt)
3561 SSL_CTX *cctx = NULL, *sctx = NULL;
3562 SSL *clientssl = NULL, *serverssl = NULL;
3564 SSL_SESSION *sess = NULL;
3565 size_t readbytes, written;
3566 unsigned char buf[20];
3568 allow_ed_cb_called = 0;
3570 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3571 TLS_client_method(), TLS1_VERSION, 0,
3572 &sctx, &cctx, cert, privkey)))
3577 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3579 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3581 if (!TEST_ptr(confctx))
3583 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3584 | SSL_CONF_FLAG_SERVER);
3585 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3586 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3588 SSL_CONF_CTX_free(confctx);
3591 SSL_CONF_CTX_free(confctx);
3593 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3596 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3597 &serverssl, &sess, idx)))
3601 * The server is configured to accept early data. Create a connection to
3602 * "use up" the ticket
3604 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3605 || !TEST_true(SSL_session_reused(clientssl)))
3608 SSL_shutdown(clientssl);
3609 SSL_shutdown(serverssl);
3610 SSL_free(serverssl);
3611 SSL_free(clientssl);
3612 serverssl = clientssl = NULL;
3614 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3615 &clientssl, NULL, NULL))
3616 || !TEST_true(SSL_set_session(clientssl, sess)))
3619 /* Write and read some early data */
3620 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3622 || !TEST_size_t_eq(written, strlen(MSG1)))
3626 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3628 SSL_READ_EARLY_DATA_FINISH)
3630 * The ticket was reused, so the we should have rejected the
3633 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3634 SSL_EARLY_DATA_REJECTED))
3637 /* In this case the callback decides to accept the early data */
3638 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3640 SSL_READ_EARLY_DATA_SUCCESS)
3641 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3643 * Server will have sent its flight so client can now send
3644 * end of early data and complete its half of the handshake
3646 || !TEST_int_gt(SSL_connect(clientssl), 0)
3647 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3649 SSL_READ_EARLY_DATA_FINISH)
3650 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3651 SSL_EARLY_DATA_ACCEPTED))
3655 /* Complete the connection */
3656 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3657 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3658 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3664 SSL_SESSION_free(sess);
3665 SSL_SESSION_free(clientpsk);
3666 SSL_SESSION_free(serverpsk);
3667 clientpsk = serverpsk = NULL;
3668 SSL_free(serverssl);
3669 SSL_free(clientssl);
3675 static int test_early_data_replay(int idx)
3677 int ret = 1, usecb, confopt;
3679 for (usecb = 0; usecb < 3; usecb++) {
3680 for (confopt = 0; confopt < 2; confopt++)
3681 ret &= test_early_data_replay_int(idx, usecb, confopt);
3688 * Helper function to test that a server attempting to read early data can
3689 * handle a connection from a client where the early data should be skipped.
3690 * testtype: 0 == No HRR
3691 * testtype: 1 == HRR
3692 * testtype: 2 == HRR, invalid early_data sent after HRR
3693 * testtype: 3 == recv_max_early_data set to 0
3695 static int early_data_skip_helper(int testtype, int idx)
3697 SSL_CTX *cctx = NULL, *sctx = NULL;
3698 SSL *clientssl = NULL, *serverssl = NULL;
3700 SSL_SESSION *sess = NULL;
3701 unsigned char buf[20];
3702 size_t readbytes, written;
3704 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3705 &serverssl, &sess, idx)))
3708 if (testtype == 1 || testtype == 2) {
3709 /* Force an HRR to occur */
3710 #if defined(OPENSSL_NO_EC)
3711 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3714 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3717 } else if (idx == 2) {
3719 * We force early_data rejection by ensuring the PSK identity is
3722 srvid = "Dummy Identity";
3725 * Deliberately corrupt the creation time. We take 20 seconds off the
3726 * time. It could be any value as long as it is not within tolerance.
3727 * This should mean the ticket is rejected.
3729 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3734 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3737 /* Write some early data */
3738 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3740 || !TEST_size_t_eq(written, strlen(MSG1)))
3743 /* Server should reject the early data */
3744 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3746 SSL_READ_EARLY_DATA_FINISH)
3747 || !TEST_size_t_eq(readbytes, 0)
3748 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3749 SSL_EARLY_DATA_REJECTED))
3759 * Finish off the handshake. We perform the same writes and reads as
3760 * further down but we expect them to fail due to the incomplete
3763 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3764 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3771 BIO *wbio = SSL_get_wbio(clientssl);
3772 /* A record that will appear as bad early_data */
3773 const unsigned char bad_early_data[] = {
3774 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3778 * We force the client to attempt a write. This will fail because
3779 * we're still in the handshake. It will cause the second
3780 * ClientHello to be sent.
3782 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3787 * Inject some early_data after the second ClientHello. This should
3788 * cause the server to fail
3790 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3791 sizeof(bad_early_data), &written)))
3798 * This client has sent more early_data than we are willing to skip
3799 * (case 3) or sent invalid early_data (case 2) so the connection should
3802 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3803 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3806 /* Connection has failed - nothing more to do */
3811 TEST_error("Invalid test type");
3816 * Should be able to send normal data despite rejection of early data. The
3817 * early_data should be skipped.
3819 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3820 || !TEST_size_t_eq(written, strlen(MSG2))
3821 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3822 SSL_EARLY_DATA_REJECTED)
3823 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3824 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3830 SSL_SESSION_free(clientpsk);
3831 SSL_SESSION_free(serverpsk);
3832 clientpsk = serverpsk = NULL;
3833 SSL_SESSION_free(sess);
3834 SSL_free(serverssl);
3835 SSL_free(clientssl);
3842 * Test that a server attempting to read early data can handle a connection
3843 * from a client where the early data is not acceptable.
3845 static int test_early_data_skip(int idx)
3847 return early_data_skip_helper(0, idx);
3851 * Test that a server attempting to read early data can handle a connection
3852 * from a client where an HRR occurs.
3854 static int test_early_data_skip_hrr(int idx)
3856 return early_data_skip_helper(1, idx);
3860 * Test that a server attempting to read early data can handle a connection
3861 * from a client where an HRR occurs and correctly fails if early_data is sent
3864 static int test_early_data_skip_hrr_fail(int idx)
3866 return early_data_skip_helper(2, idx);
3870 * Test that a server attempting to read early data will abort if it tries to
3871 * skip over too much.
3873 static int test_early_data_skip_abort(int idx)
3875 return early_data_skip_helper(3, idx);
3879 * Test that a server attempting to read early data can handle a connection
3880 * from a client that doesn't send any.
3882 static int test_early_data_not_sent(int idx)
3884 SSL_CTX *cctx = NULL, *sctx = NULL;
3885 SSL *clientssl = NULL, *serverssl = NULL;
3887 SSL_SESSION *sess = NULL;
3888 unsigned char buf[20];
3889 size_t readbytes, written;
3891 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3892 &serverssl, &sess, idx)))
3895 /* Write some data - should block due to handshake with server */
3896 SSL_set_connect_state(clientssl);
3897 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3900 /* Server should detect that early data has not been sent */
3901 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3903 SSL_READ_EARLY_DATA_FINISH)
3904 || !TEST_size_t_eq(readbytes, 0)
3905 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3906 SSL_EARLY_DATA_NOT_SENT)
3907 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3908 SSL_EARLY_DATA_NOT_SENT))
3911 /* Continue writing the message we started earlier */
3912 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3913 || !TEST_size_t_eq(written, strlen(MSG1))
3914 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3915 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3916 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3917 || !TEST_size_t_eq(written, strlen(MSG2)))
3920 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3921 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3927 SSL_SESSION_free(sess);
3928 SSL_SESSION_free(clientpsk);
3929 SSL_SESSION_free(serverpsk);
3930 clientpsk = serverpsk = NULL;
3931 SSL_free(serverssl);
3932 SSL_free(clientssl);
3938 static const char *servalpn;
3940 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3941 unsigned char *outlen, const unsigned char *in,
3942 unsigned int inlen, void *arg)
3944 unsigned int protlen = 0;
3945 const unsigned char *prot;
3947 for (prot = in; prot < in + inlen; prot += protlen) {
3949 if (in + inlen < prot + protlen)
3950 return SSL_TLSEXT_ERR_NOACK;
3952 if (protlen == strlen(servalpn)
3953 && memcmp(prot, servalpn, protlen) == 0) {
3956 return SSL_TLSEXT_ERR_OK;
3960 return SSL_TLSEXT_ERR_NOACK;
3963 /* Test that a PSK can be used to send early_data */
3964 static int test_early_data_psk(int idx)
3966 SSL_CTX *cctx = NULL, *sctx = NULL;
3967 SSL *clientssl = NULL, *serverssl = NULL;
3969 SSL_SESSION *sess = NULL;
3970 unsigned char alpnlist[] = {
3971 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3974 #define GOODALPNLEN 9
3975 #define BADALPNLEN 8
3976 #define GOODALPN (alpnlist)
3977 #define BADALPN (alpnlist + GOODALPNLEN)
3979 unsigned char buf[20];
3980 size_t readbytes, written;
3981 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3982 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3984 /* We always set this up with a final parameter of "2" for PSK */
3985 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3986 &serverssl, &sess, 2)))
3989 servalpn = "goodalpn";
3992 * Note: There is no test for inconsistent SNI with late client detection.
3993 * This is because servers do not acknowledge SNI even if they are using
3994 * it in a resumption handshake - so it is not actually possible for a
3995 * client to detect a problem.
3999 /* Set inconsistent SNI (early client detection) */
4000 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
4001 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4002 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
4007 /* Set inconsistent ALPN (early client detection) */
4008 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
4009 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
4010 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
4012 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
4019 * Set invalid protocol version. Technically this affects PSKs without
4020 * early_data too, but we test it here because it is similar to the
4021 * SNI/ALPN consistency tests.
4023 err = SSL_R_BAD_PSK;
4024 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
4030 * Set inconsistent SNI (server side). In this case the connection
4031 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
4032 * is associated with each handshake - not the session. Therefore it
4033 * should not matter that we used a different server name last time.
4035 SSL_SESSION_free(serverpsk);
4036 serverpsk = SSL_SESSION_dup(clientpsk);
4037 if (!TEST_ptr(serverpsk)
4038 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
4042 /* Set consistent SNI */
4043 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4044 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
4045 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
4052 * Set inconsistent ALPN (server detected). In this case the connection
4053 * will succeed but reject early_data.
4055 servalpn = "badalpn";
4056 edstatus = SSL_EARLY_DATA_REJECTED;
4057 readearlyres = SSL_READ_EARLY_DATA_FINISH;
4061 * Set consistent ALPN.
4062 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4063 * accepts a list of protos (each one length prefixed).
4064 * SSL_set1_alpn_selected accepts a single protocol (not length
4067 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4069 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4073 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4077 /* Set inconsistent ALPN (late client detection) */
4078 SSL_SESSION_free(serverpsk);
4079 serverpsk = SSL_SESSION_dup(clientpsk);
4080 if (!TEST_ptr(serverpsk)
4081 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4084 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4087 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4090 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4091 edstatus = SSL_EARLY_DATA_ACCEPTED;
4092 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4093 /* SSL_connect() call should fail */
4098 TEST_error("Bad test index");
4102 SSL_set_connect_state(clientssl);
4104 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4106 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4107 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4110 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4114 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4115 &readbytes), readearlyres)
4116 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4117 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
4118 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4119 || !TEST_int_eq(SSL_connect(clientssl), connectres))
4126 SSL_SESSION_free(sess);
4127 SSL_SESSION_free(clientpsk);
4128 SSL_SESSION_free(serverpsk);
4129 clientpsk = serverpsk = NULL;
4130 SSL_free(serverssl);
4131 SSL_free(clientssl);
4138 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4139 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4140 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4141 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4142 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4143 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4145 static int test_early_data_psk_with_all_ciphers(int idx)
4147 SSL_CTX *cctx = NULL, *sctx = NULL;
4148 SSL *clientssl = NULL, *serverssl = NULL;
4150 SSL_SESSION *sess = NULL;
4151 unsigned char buf[20];
4152 size_t readbytes, written;
4153 const SSL_CIPHER *cipher;
4154 const char *cipher_str[] = {
4155 TLS1_3_RFC_AES_128_GCM_SHA256,
4156 TLS1_3_RFC_AES_256_GCM_SHA384,
4157 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4158 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4162 TLS1_3_RFC_AES_128_CCM_SHA256,
4163 TLS1_3_RFC_AES_128_CCM_8_SHA256
4165 const unsigned char *cipher_bytes[] = {
4166 TLS13_AES_128_GCM_SHA256_BYTES,
4167 TLS13_AES_256_GCM_SHA384_BYTES,
4168 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4169 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4173 TLS13_AES_128_CCM_SHA256_BYTES,
4174 TLS13_AES_128_CCM_8_SHA256_BYTES
4177 if (cipher_str[idx] == NULL)
4179 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4180 if (idx == 2 && is_fips == 1)
4183 /* We always set this up with a final parameter of "2" for PSK */
4184 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4185 &serverssl, &sess, 2)))
4189 /* CCM8 ciphers are considered low security due to their short tag */
4190 SSL_set_security_level(clientssl, 0);
4191 SSL_set_security_level(serverssl, 0);
4194 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4195 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4199 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4200 * and assigns to both client and server with incremented reference
4201 * and the same instance is updated in 'sess'.
4202 * So updating ciphersuite in 'sess' which will get reflected in
4203 * PSK handshake using psk use sess and find sess cb.
4205 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4206 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4209 SSL_set_connect_state(clientssl);
4210 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4214 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4216 SSL_READ_EARLY_DATA_SUCCESS)
4217 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4218 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4219 SSL_EARLY_DATA_ACCEPTED)
4220 || !TEST_int_eq(SSL_connect(clientssl), 1)
4221 || !TEST_int_eq(SSL_accept(serverssl), 1))
4224 /* Send some normal data from client to server */
4225 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4226 || !TEST_size_t_eq(written, strlen(MSG2)))
4229 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4230 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4235 SSL_SESSION_free(sess);
4236 SSL_SESSION_free(clientpsk);
4237 SSL_SESSION_free(serverpsk);
4238 clientpsk = serverpsk = NULL;
4239 if (clientssl != NULL)
4240 SSL_shutdown(clientssl);
4241 if (serverssl != NULL)
4242 SSL_shutdown(serverssl);
4243 SSL_free(serverssl);
4244 SSL_free(clientssl);
4251 * Test that a server that doesn't try to read early data can handle a
4252 * client sending some.
4254 static int test_early_data_not_expected(int idx)
4256 SSL_CTX *cctx = NULL, *sctx = NULL;
4257 SSL *clientssl = NULL, *serverssl = NULL;
4259 SSL_SESSION *sess = NULL;
4260 unsigned char buf[20];
4261 size_t readbytes, written;
4263 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4264 &serverssl, &sess, idx)))
4267 /* Write some early data */
4268 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4273 * Server should skip over early data and then block waiting for client to
4274 * continue handshake
4276 if (!TEST_int_le(SSL_accept(serverssl), 0)
4277 || !TEST_int_gt(SSL_connect(clientssl), 0)
4278 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4279 SSL_EARLY_DATA_REJECTED)
4280 || !TEST_int_gt(SSL_accept(serverssl), 0)
4281 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4282 SSL_EARLY_DATA_REJECTED))
4285 /* Send some normal data from client to server */
4286 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4287 || !TEST_size_t_eq(written, strlen(MSG2)))
4290 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4291 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4297 SSL_SESSION_free(sess);
4298 SSL_SESSION_free(clientpsk);
4299 SSL_SESSION_free(serverpsk);
4300 clientpsk = serverpsk = NULL;
4301 SSL_free(serverssl);
4302 SSL_free(clientssl);
4309 # ifndef OPENSSL_NO_TLS1_2
4311 * Test that a server attempting to read early data can handle a connection
4312 * from a TLSv1.2 client.
4314 static int test_early_data_tls1_2(int idx)
4316 SSL_CTX *cctx = NULL, *sctx = NULL;
4317 SSL *clientssl = NULL, *serverssl = NULL;
4319 unsigned char buf[20];
4320 size_t readbytes, written;
4322 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4323 &serverssl, NULL, idx)))
4326 /* Write some data - should block due to handshake with server */
4327 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4328 SSL_set_connect_state(clientssl);
4329 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4333 * Server should do TLSv1.2 handshake. First it will block waiting for more
4334 * messages from client after ServerDone. Then SSL_read_early_data should
4335 * finish and detect that early data has not been sent
4337 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4339 SSL_READ_EARLY_DATA_ERROR))
4343 * Continue writing the message we started earlier. Will still block waiting
4344 * for the CCS/Finished from server
4346 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4347 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4349 SSL_READ_EARLY_DATA_FINISH)
4350 || !TEST_size_t_eq(readbytes, 0)
4351 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4352 SSL_EARLY_DATA_NOT_SENT))
4355 /* Continue writing the message we started earlier */
4356 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4357 || !TEST_size_t_eq(written, strlen(MSG1))
4358 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4359 SSL_EARLY_DATA_NOT_SENT)
4360 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4361 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4362 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4363 || !TEST_size_t_eq(written, strlen(MSG2))
4364 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4365 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4371 SSL_SESSION_free(clientpsk);
4372 SSL_SESSION_free(serverpsk);
4373 clientpsk = serverpsk = NULL;
4374 SSL_free(serverssl);
4375 SSL_free(clientssl);
4381 # endif /* OPENSSL_NO_TLS1_2 */
4384 * Test configuring the TLSv1.3 ciphersuites
4386 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4387 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4388 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4389 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4390 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4391 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4392 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4393 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4394 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4395 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4397 static int test_set_ciphersuite(int idx)
4399 SSL_CTX *cctx = NULL, *sctx = NULL;
4400 SSL *clientssl = NULL, *serverssl = NULL;
4403 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4404 TLS_client_method(), TLS1_VERSION, 0,
4405 &sctx, &cctx, cert, privkey))
4406 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4407 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4410 if (idx >=4 && idx <= 7) {
4411 /* SSL_CTX explicit cipher list */
4412 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4416 if (idx == 0 || idx == 4) {
4417 /* Default ciphersuite */
4418 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4419 "TLS_AES_128_GCM_SHA256")))
4421 } else if (idx == 1 || idx == 5) {
4422 /* Non default ciphersuite */
4423 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4424 "TLS_AES_128_CCM_SHA256")))
4428 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4429 &clientssl, NULL, NULL)))
4432 if (idx == 8 || idx == 9) {
4433 /* SSL explicit cipher list */
4434 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4438 if (idx == 2 || idx == 6 || idx == 8) {
4439 /* Default ciphersuite */
4440 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4441 "TLS_AES_128_GCM_SHA256")))
4443 } else if (idx == 3 || idx == 7 || idx == 9) {
4444 /* Non default ciphersuite */
4445 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4446 "TLS_AES_128_CCM_SHA256")))
4450 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4456 SSL_free(serverssl);
4457 SSL_free(clientssl);
4464 static int test_ciphersuite_change(void)
4466 SSL_CTX *cctx = NULL, *sctx = NULL;
4467 SSL *clientssl = NULL, *serverssl = NULL;
4468 SSL_SESSION *clntsess = NULL;
4470 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4472 /* Create a session based on SHA-256 */
4473 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4474 TLS_client_method(), TLS1_VERSION, 0,
4475 &sctx, &cctx, cert, privkey))
4476 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4477 "TLS_AES_128_GCM_SHA256:"
4478 "TLS_AES_256_GCM_SHA384:"
4479 "TLS_AES_128_CCM_SHA256"))
4480 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4481 "TLS_AES_128_GCM_SHA256")))
4484 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4486 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4490 clntsess = SSL_get1_session(clientssl);
4491 /* Save for later */
4492 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4493 SSL_shutdown(clientssl);
4494 SSL_shutdown(serverssl);
4495 SSL_free(serverssl);
4496 SSL_free(clientssl);
4497 serverssl = clientssl = NULL;
4499 /* Check we can resume a session with a different SHA-256 ciphersuite */
4500 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4501 "TLS_AES_128_CCM_SHA256"))
4502 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4503 &clientssl, NULL, NULL))
4504 || !TEST_true(SSL_set_session(clientssl, clntsess))
4505 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4507 || !TEST_true(SSL_session_reused(clientssl)))
4510 SSL_SESSION_free(clntsess);
4511 clntsess = SSL_get1_session(clientssl);
4512 SSL_shutdown(clientssl);
4513 SSL_shutdown(serverssl);
4514 SSL_free(serverssl);
4515 SSL_free(clientssl);
4516 serverssl = clientssl = NULL;
4519 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4520 * succeeds but does not resume.
4522 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4523 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4525 || !TEST_true(SSL_set_session(clientssl, clntsess))
4526 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4528 || !TEST_false(SSL_session_reused(clientssl)))
4531 SSL_SESSION_free(clntsess);
4533 SSL_shutdown(clientssl);
4534 SSL_shutdown(serverssl);
4535 SSL_free(serverssl);
4536 SSL_free(clientssl);
4537 serverssl = clientssl = NULL;
4539 /* Create a session based on SHA384 */
4540 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4541 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4542 &clientssl, NULL, NULL))
4543 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4547 clntsess = SSL_get1_session(clientssl);
4548 SSL_shutdown(clientssl);
4549 SSL_shutdown(serverssl);
4550 SSL_free(serverssl);
4551 SSL_free(clientssl);
4552 serverssl = clientssl = NULL;
4554 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4555 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4556 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4557 "TLS_AES_256_GCM_SHA384"))
4558 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4560 || !TEST_true(SSL_set_session(clientssl, clntsess))
4562 * We use SSL_ERROR_WANT_READ below so that we can pause the
4563 * connection after the initial ClientHello has been sent to
4564 * enable us to make some session changes.
4566 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4567 SSL_ERROR_WANT_READ)))
4570 /* Trick the client into thinking this session is for a different digest */
4571 clntsess->cipher = aes_128_gcm_sha256;
4572 clntsess->cipher_id = clntsess->cipher->id;
4575 * Continue the previously started connection. Server has selected a SHA-384
4576 * ciphersuite, but client thinks the session is for SHA-256, so it should
4579 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4581 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4582 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4588 SSL_SESSION_free(clntsess);
4589 SSL_free(serverssl);
4590 SSL_free(clientssl);
4598 * Test TLSv1.3 Key exchange
4599 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4600 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4601 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4602 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4603 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4604 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4605 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4606 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4607 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4608 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4609 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4610 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4611 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4612 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4614 # ifndef OPENSSL_NO_EC
4615 static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4616 NID_secp521r1, NID_X25519, NID_X448};
4618 # ifndef OPENSSL_NO_DH
4619 static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4620 NID_ffdhe6144, NID_ffdhe8192};
4622 static int test_key_exchange(int idx)
4624 SSL_CTX *sctx = NULL, *cctx = NULL;
4625 SSL *serverssl = NULL, *clientssl = NULL;
4628 int *kexch_groups = &kexch_alg;
4629 int kexch_groups_size = 1;
4630 int max_version = TLS1_3_VERSION;
4631 char *kexch_name0 = NULL;
4634 # ifndef OPENSSL_NO_EC
4635 # ifndef OPENSSL_NO_TLS1_2
4637 max_version = TLS1_2_VERSION;
4641 kexch_groups = ecdhe_kexch_groups;
4642 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4643 kexch_name0 = "secp256r1";
4646 kexch_alg = NID_X9_62_prime256v1;
4647 kexch_name0 = "secp256r1";
4650 kexch_alg = NID_secp384r1;
4651 kexch_name0 = "secp384r1";
4654 kexch_alg = NID_secp521r1;
4655 kexch_name0 = "secp521r1";
4658 kexch_alg = NID_X25519;
4659 kexch_name0 = "x25519";
4662 kexch_alg = NID_X448;
4663 kexch_name0 = "x448";
4666 # ifndef OPENSSL_NO_DH
4667 # ifndef OPENSSL_NO_TLS1_2
4669 max_version = TLS1_2_VERSION;
4670 kexch_name0 = "ffdhe2048";
4674 kexch_groups = ffdhe_kexch_groups;
4675 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4676 kexch_name0 = "ffdhe2048";
4679 kexch_alg = NID_ffdhe2048;
4680 kexch_name0 = "ffdhe2048";
4683 kexch_alg = NID_ffdhe3072;
4684 kexch_name0 = "ffdhe3072";
4687 kexch_alg = NID_ffdhe4096;
4688 kexch_name0 = "ffdhe4096";
4691 kexch_alg = NID_ffdhe6144;
4692 kexch_name0 = "ffdhe6144";
4695 kexch_alg = NID_ffdhe8192;
4696 kexch_name0 = "ffdhe8192";
4700 /* We're skipping this test */
4704 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4705 TLS_client_method(), TLS1_VERSION,
4706 max_version, &sctx, &cctx, cert,
4710 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4711 TLS1_3_RFC_AES_128_GCM_SHA256)))
4714 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4715 TLS1_3_RFC_AES_128_GCM_SHA256)))
4718 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4719 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4720 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4721 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4725 * Must include an EC ciphersuite so that we send supported groups in
4728 # ifndef OPENSSL_NO_TLS1_2
4729 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4730 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4731 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4735 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4739 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4740 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4743 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4747 * If Handshake succeeds the negotiated kexch alg should be the first one in
4748 * configured, except in the case of FFDHE groups (idx 13), which are
4749 * TLSv1.3 only so we expect no shared group to exist.
4751 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
4752 idx == 13 ? 0 : kexch_groups[0]))
4755 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
4759 /* We don't implement RFC 7919 named groups for TLS 1.2. */
4761 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4763 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4769 SSL_free(serverssl);
4770 SSL_free(clientssl);
4776 # if !defined(OPENSSL_NO_TLS1_2) \
4777 && !defined(OPENSSL_NO_EC) \
4778 && !defined(OPENSSL_NO_DH)
4779 static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
4780 int isecdhe, int idx)
4783 int *kexch_groups = &kexch_alg;
4786 numec = OSSL_NELEM(ecdhe_kexch_groups);
4787 numff = OSSL_NELEM(ffdhe_kexch_groups);
4789 kexch_alg = ecdhe_kexch_groups[idx];
4791 kexch_alg = ffdhe_kexch_groups[idx];
4794 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
4797 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
4801 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
4806 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
4809 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
4813 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
4822 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
4823 * Run through both the ECDHE and FFDHE group lists used in the previous
4824 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
4825 * confirming the expected result; then perform a resumption handshake
4826 * while offering the same group list, and another resumption handshake
4827 * offering a different group list. The returned value should be the
4828 * negotiated group for the initial handshake; for TLS 1.3 resumption
4829 * handshakes the returned value will be negotiated on the resumption
4830 * handshake itself, but for TLS 1.2 resumption handshakes the value will
4831 * be cached in the session from the original handshake, regardless of what
4832 * was offered in the resumption ClientHello.
4834 * Using E for the number of EC groups and F for the number of FF groups:
4835 * E tests of ECDHE with TLS 1.3, server only has one group
4836 * F tests of FFDHE with TLS 1.3, server only has one group
4837 * E tests of ECDHE with TLS 1.2, server only has one group
4838 * F tests of FFDHE with TLS 1.2, server only has one group
4839 * E tests of ECDHE with TLS 1.3, client sends only one group
4840 * F tests of FFDHE with TLS 1.3, client sends only one group
4841 * E tests of ECDHE with TLS 1.2, client sends only one group
4842 * F tests of FFDHE with TLS 1.2, client sends only one group
4844 static int test_negotiated_group(int idx)
4846 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
4848 SSL_CTX *sctx = NULL, *cctx = NULL;
4849 SSL *serverssl = NULL, *clientssl = NULL;
4850 SSL_SESSION *origsess = NULL;
4853 int max_version = TLS1_3_VERSION;
4855 numec = OSSL_NELEM(ecdhe_kexch_groups);
4856 numff = OSSL_NELEM(ffdhe_kexch_groups);
4857 numgroups = numec + numff;
4858 clientmulti = (idx < 2 * numgroups);
4859 idx = idx % (2 * numgroups);
4860 istls13 = (idx < numgroups);
4861 idx = idx % numgroups;
4862 isecdhe = (idx < numec);
4865 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
4867 kexch_alg = ecdhe_kexch_groups[idx];
4869 kexch_alg = ffdhe_kexch_groups[idx];
4870 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
4871 if (!istls13 && !isecdhe)
4872 expectednid = NID_undef;
4874 expectednid = kexch_alg;
4877 max_version = TLS1_2_VERSION;
4879 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4880 TLS_client_method(), TLS1_VERSION,
4881 max_version, &sctx, &cctx, cert,
4886 * Force (EC)DHE ciphers for TLS 1.2.
4887 * Be sure to enable auto tmp DH so that FFDHE can succeed.
4889 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4890 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4891 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4892 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4894 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4895 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4896 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4899 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4903 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
4907 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4910 /* Initial handshake; always the configured one */
4911 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4912 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4915 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
4918 SSL_shutdown(clientssl);
4919 SSL_shutdown(serverssl);
4920 SSL_free(serverssl);
4921 SSL_free(clientssl);
4922 serverssl = clientssl = NULL;
4924 /* First resumption attempt; use the same config as initial handshake */
4925 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4927 || !TEST_true(SSL_set_session(clientssl, origsess))
4928 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
4932 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4933 || !TEST_true(SSL_session_reused(clientssl)))
4936 /* Still had better agree, since nothing changed... */
4937 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4938 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4941 SSL_shutdown(clientssl);
4942 SSL_shutdown(serverssl);
4943 SSL_free(serverssl);
4944 SSL_free(clientssl);
4945 serverssl = clientssl = NULL;
4948 * Second resumption attempt
4949 * The party that picks one group changes it, which we effectuate by
4950 * changing 'idx' and updating what we expect.
4958 expectednid = ecdhe_kexch_groups[idx];
4960 expectednid = ffdhe_kexch_groups[idx];
4961 /* Verify that we are changing what we expect. */
4962 if (!TEST_int_ne(expectednid, kexch_alg))
4965 /* TLS 1.2 only supports named groups for ECDHE. */
4967 expectednid = kexch_alg;
4971 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4973 || !TEST_true(SSL_set_session(clientssl, origsess))
4974 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
4978 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4979 || !TEST_true(SSL_session_reused(clientssl)))
4982 /* Check that we get what we expected */
4983 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4984 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4989 SSL_free(serverssl);
4990 SSL_free(clientssl);
4993 SSL_SESSION_free(origsess);
4996 # endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
4999 * Test TLSv1.3 Cipher Suite
5000 * Test 0 = Set TLS1.3 cipher on context
5001 * Test 1 = Set TLS1.3 cipher on SSL
5002 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
5003 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
5005 static int test_tls13_ciphersuite(int idx)
5007 SSL_CTX *sctx = NULL, *cctx = NULL;
5008 SSL *serverssl = NULL, *clientssl = NULL;
5009 static const struct {
5010 const char *ciphername;
5014 { TLS1_3_RFC_AES_128_GCM_SHA256, 1, 0 },
5015 { TLS1_3_RFC_AES_256_GCM_SHA384, 1, 0 },
5016 { TLS1_3_RFC_AES_128_CCM_SHA256, 1, 0 },
5017 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5018 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5019 { TLS1_3_RFC_AES_256_GCM_SHA384
5020 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5022 /* CCM8 ciphers are considered low security due to their short tag */
5023 { TLS1_3_RFC_AES_128_CCM_8_SHA256
5024 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1, 1 }
5026 const char *t13_cipher = NULL;
5027 const char *t12_cipher = NULL;
5028 const char *negotiated_scipher;
5029 const char *negotiated_ccipher;
5045 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5049 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5053 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
5054 # ifdef OPENSSL_NO_TLS1_2
5055 if (max_ver == TLS1_2_VERSION)
5058 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
5059 if (is_fips && !t13_ciphers[i].fipscapable)
5061 t13_cipher = t13_ciphers[i].ciphername;
5062 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5063 TLS_client_method(),
5064 TLS1_VERSION, max_ver,
5065 &sctx, &cctx, cert, privkey)))
5068 if (t13_ciphers[i].low_security) {
5069 SSL_CTX_set_security_level(sctx, 0);
5070 SSL_CTX_set_security_level(cctx, 0);
5074 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
5075 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
5077 if (t12_cipher != NULL) {
5078 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
5079 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
5085 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5086 &clientssl, NULL, NULL)))
5090 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5091 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5093 if (t12_cipher != NULL) {
5094 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5095 || !TEST_true(SSL_set_cipher_list(clientssl,
5101 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5105 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5107 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5109 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5113 * TEST_strn_eq is used below because t13_cipher can contain
5114 * multiple ciphersuites
5116 if (max_ver == TLS1_3_VERSION
5117 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5118 strlen(negotiated_scipher)))
5121 # ifndef OPENSSL_NO_TLS1_2
5122 /* Below validation is not done when t12_cipher is NULL */
5123 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5124 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5128 SSL_free(serverssl);
5130 SSL_free(clientssl);
5141 SSL_free(serverssl);
5142 SSL_free(clientssl);
5150 * Test 0 = Test new style callbacks
5151 * Test 1 = Test both new and old style callbacks
5152 * Test 2 = Test old style callbacks
5153 * Test 3 = Test old style callbacks with no certificate
5155 static int test_tls13_psk(int idx)
5157 SSL_CTX *sctx = NULL, *cctx = NULL;
5158 SSL *serverssl = NULL, *clientssl = NULL;
5159 const SSL_CIPHER *cipher = NULL;
5160 const unsigned char key[] = {
5161 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5162 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
5163 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5164 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
5168 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5169 TLS_client_method(), TLS1_VERSION, 0,
5170 &sctx, &cctx, idx == 3 ? NULL : cert,
5171 idx == 3 ? NULL : privkey)))
5176 * We use a ciphersuite with SHA256 to ease testing old style PSK
5177 * callbacks which will always default to SHA256. This should not be
5178 * necessary if we have no cert/priv key. In that case the server should
5179 * prefer SHA256 automatically.
5181 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5182 "TLS_AES_128_GCM_SHA256")))
5186 * As noted above the server should prefer SHA256 automatically. However
5187 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5188 * code works even if we are testing with only the FIPS provider loaded.
5190 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5191 "TLS_AES_256_GCM_SHA384:"
5192 "TLS_AES_128_GCM_SHA256")))
5197 * Test 0: New style callbacks only
5198 * Test 1: New and old style callbacks (only the new ones should be used)
5199 * Test 2: Old style callbacks only
5201 if (idx == 0 || idx == 1) {
5202 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5203 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5205 #ifndef OPENSSL_NO_PSK
5207 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5208 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5212 use_session_cb_cnt = 0;
5213 find_session_cb_cnt = 0;
5214 psk_client_cb_cnt = 0;
5215 psk_server_cb_cnt = 0;
5219 * Check we can create a connection if callback decides not to send a
5222 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5224 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5226 || !TEST_false(SSL_session_reused(clientssl))
5227 || !TEST_false(SSL_session_reused(serverssl)))
5230 if (idx == 0 || idx == 1) {
5231 if (!TEST_true(use_session_cb_cnt == 1)
5232 || !TEST_true(find_session_cb_cnt == 0)
5234 * If no old style callback then below should be 0
5237 || !TEST_true(psk_client_cb_cnt == idx)
5238 || !TEST_true(psk_server_cb_cnt == 0))
5241 if (!TEST_true(use_session_cb_cnt == 0)
5242 || !TEST_true(find_session_cb_cnt == 0)
5243 || !TEST_true(psk_client_cb_cnt == 1)
5244 || !TEST_true(psk_server_cb_cnt == 0))
5248 shutdown_ssl_connection(serverssl, clientssl);
5249 serverssl = clientssl = NULL;
5250 use_session_cb_cnt = psk_client_cb_cnt = 0;
5253 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5257 /* Create the PSK */
5258 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
5259 clientpsk = SSL_SESSION_new();
5260 if (!TEST_ptr(clientpsk)
5261 || !TEST_ptr(cipher)
5262 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5264 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5265 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5267 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
5269 serverpsk = clientpsk;
5271 /* Check we can create a connection and the PSK is used */
5272 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5273 || !TEST_true(SSL_session_reused(clientssl))
5274 || !TEST_true(SSL_session_reused(serverssl)))
5277 if (idx == 0 || idx == 1) {
5278 if (!TEST_true(use_session_cb_cnt == 1)
5279 || !TEST_true(find_session_cb_cnt == 1)
5280 || !TEST_true(psk_client_cb_cnt == 0)
5281 || !TEST_true(psk_server_cb_cnt == 0))
5284 if (!TEST_true(use_session_cb_cnt == 0)
5285 || !TEST_true(find_session_cb_cnt == 0)
5286 || !TEST_true(psk_client_cb_cnt == 1)
5287 || !TEST_true(psk_server_cb_cnt == 1))
5291 shutdown_ssl_connection(serverssl, clientssl);
5292 serverssl = clientssl = NULL;
5293 use_session_cb_cnt = find_session_cb_cnt = 0;
5294 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5296 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5301 #if defined(OPENSSL_NO_EC)
5302 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5305 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
5310 * Check we can create a connection, the PSK is used and the callbacks are
5313 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5314 || !TEST_true(SSL_session_reused(clientssl))
5315 || !TEST_true(SSL_session_reused(serverssl)))
5318 if (idx == 0 || idx == 1) {
5319 if (!TEST_true(use_session_cb_cnt == 2)
5320 || !TEST_true(find_session_cb_cnt == 2)
5321 || !TEST_true(psk_client_cb_cnt == 0)
5322 || !TEST_true(psk_server_cb_cnt == 0))
5325 if (!TEST_true(use_session_cb_cnt == 0)
5326 || !TEST_true(find_session_cb_cnt == 0)
5327 || !TEST_true(psk_client_cb_cnt == 2)
5328 || !TEST_true(psk_server_cb_cnt == 2))
5332 shutdown_ssl_connection(serverssl, clientssl);
5333 serverssl = clientssl = NULL;
5334 use_session_cb_cnt = find_session_cb_cnt = 0;
5335 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5339 * Check that if the server rejects the PSK we can still connect, but with
5342 srvid = "Dummy Identity";
5343 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5345 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5347 || !TEST_false(SSL_session_reused(clientssl))
5348 || !TEST_false(SSL_session_reused(serverssl)))
5351 if (idx == 0 || idx == 1) {
5352 if (!TEST_true(use_session_cb_cnt == 1)
5353 || !TEST_true(find_session_cb_cnt == 1)
5354 || !TEST_true(psk_client_cb_cnt == 0)
5356 * If no old style callback then below should be 0
5359 || !TEST_true(psk_server_cb_cnt == idx))
5362 if (!TEST_true(use_session_cb_cnt == 0)
5363 || !TEST_true(find_session_cb_cnt == 0)
5364 || !TEST_true(psk_client_cb_cnt == 1)
5365 || !TEST_true(psk_server_cb_cnt == 1))
5369 shutdown_ssl_connection(serverssl, clientssl);
5370 serverssl = clientssl = NULL;
5375 SSL_SESSION_free(clientpsk);
5376 SSL_SESSION_free(serverpsk);
5377 clientpsk = serverpsk = NULL;
5378 SSL_free(serverssl);
5379 SSL_free(clientssl);
5385 static unsigned char cookie_magic_value[] = "cookie magic";
5387 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5388 unsigned int *cookie_len)
5391 * Not suitable as a real cookie generation function but good enough for
5394 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5395 *cookie_len = sizeof(cookie_magic_value) - 1;
5400 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5401 unsigned int cookie_len)
5403 if (cookie_len == sizeof(cookie_magic_value) - 1
5404 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5410 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5414 int res = generate_cookie_callback(ssl, cookie, &temp);
5419 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5422 return verify_cookie_callback(ssl, cookie, cookie_len);
5425 static int test_stateless(void)
5427 SSL_CTX *sctx = NULL, *cctx = NULL;
5428 SSL *serverssl = NULL, *clientssl = NULL;
5431 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5432 TLS_client_method(), TLS1_VERSION, 0,
5433 &sctx, &cctx, cert, privkey)))
5436 /* The arrival of CCS messages can confuse the test */
5437 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5439 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5441 /* Send the first ClientHello */
5442 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5443 SSL_ERROR_WANT_READ))
5445 * This should fail with a -1 return because we have no callbacks
5448 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5451 /* Fatal error so abandon the connection from this client */
5452 SSL_free(clientssl);
5455 /* Set up the cookie generation and verification callbacks */
5456 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5457 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
5460 * Create a new connection from the client (we can reuse the server SSL
5463 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5465 /* Send the first ClientHello */
5466 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5467 SSL_ERROR_WANT_READ))
5468 /* This should fail because there is no cookie */
5469 || !TEST_int_eq(SSL_stateless(serverssl), 0))
5472 /* Abandon the connection from this client */
5473 SSL_free(clientssl);
5477 * Now create a connection from a new client but with the same server SSL
5480 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5482 /* Send the first ClientHello */
5483 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5484 SSL_ERROR_WANT_READ))
5485 /* This should fail because there is no cookie */
5486 || !TEST_int_eq(SSL_stateless(serverssl), 0)
5487 /* Send the second ClientHello */
5488 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5489 SSL_ERROR_WANT_READ))
5490 /* This should succeed because a cookie is now present */
5491 || !TEST_int_eq(SSL_stateless(serverssl), 1)
5492 /* Complete the connection */
5493 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5497 shutdown_ssl_connection(serverssl, clientssl);
5498 serverssl = clientssl = NULL;
5502 SSL_free(serverssl);
5503 SSL_free(clientssl);
5509 #endif /* OSSL_NO_USABLE_TLS1_3 */
5511 static int clntaddoldcb = 0;
5512 static int clntparseoldcb = 0;
5513 static int srvaddoldcb = 0;
5514 static int srvparseoldcb = 0;
5515 static int clntaddnewcb = 0;
5516 static int clntparsenewcb = 0;
5517 static int srvaddnewcb = 0;
5518 static int srvparsenewcb = 0;
5519 static int snicb = 0;
5521 #define TEST_EXT_TYPE1 0xff00
5523 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5524 size_t *outlen, int *al, void *add_arg)
5526 int *server = (int *)add_arg;
5527 unsigned char *data;
5529 if (SSL_is_server(s))
5534 if (*server != SSL_is_server(s)
5535 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5540 *outlen = sizeof(char);
5544 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5547 OPENSSL_free((unsigned char *)out);
5550 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5551 size_t inlen, int *al, void *parse_arg)
5553 int *server = (int *)parse_arg;
5555 if (SSL_is_server(s))
5560 if (*server != SSL_is_server(s)
5561 || inlen != sizeof(char)
5568 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5569 const unsigned char **out, size_t *outlen, X509 *x,
5570 size_t chainidx, int *al, void *add_arg)
5572 int *server = (int *)add_arg;
5573 unsigned char *data;
5575 if (SSL_is_server(s))
5580 if (*server != SSL_is_server(s)
5581 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5586 *outlen = sizeof(*data);
5590 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5591 const unsigned char *out, void *add_arg)
5593 OPENSSL_free((unsigned char *)out);
5596 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5597 const unsigned char *in, size_t inlen, X509 *x,
5598 size_t chainidx, int *al, void *parse_arg)
5600 int *server = (int *)parse_arg;
5602 if (SSL_is_server(s))
5607 if (*server != SSL_is_server(s)
5608 || inlen != sizeof(char) || *in != 1)
5614 static int sni_cb(SSL *s, int *al, void *arg)
5616 SSL_CTX *ctx = (SSL_CTX *)arg;
5618 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5619 *al = SSL_AD_INTERNAL_ERROR;
5620 return SSL_TLSEXT_ERR_ALERT_FATAL;
5623 return SSL_TLSEXT_ERR_OK;
5626 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
5632 * Custom call back tests.
5633 * Test 0: Old style callbacks in TLSv1.2
5634 * Test 1: New style callbacks in TLSv1.2
5635 * Test 2: New style callbacks in TLSv1.2 with SNI
5636 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5637 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
5638 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
5640 static int test_custom_exts(int tst)
5642 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5643 SSL *clientssl = NULL, *serverssl = NULL;
5645 static int server = 1;
5646 static int client = 0;
5647 SSL_SESSION *sess = NULL;
5648 unsigned int context;
5650 #if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
5651 /* Skip tests for TLSv1.2 and below in this case */
5656 /* Reset callback counters */
5657 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5658 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
5661 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5662 TLS_client_method(), TLS1_VERSION, 0,
5663 &sctx, &cctx, cert, privkey)))
5667 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5669 &sctx2, NULL, cert, privkey)))
5674 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5675 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
5677 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
5681 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
5682 | SSL_EXT_TLS1_3_CERTIFICATE;
5683 SSL_CTX_set_verify(sctx,
5684 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
5686 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
5687 SSL_FILETYPE_PEM), 1)
5688 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
5689 SSL_FILETYPE_PEM), 1)
5690 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
5692 } else if (tst == 4) {
5693 context = SSL_EXT_CLIENT_HELLO
5694 | SSL_EXT_TLS1_2_SERVER_HELLO
5695 | SSL_EXT_TLS1_3_SERVER_HELLO
5696 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5697 | SSL_EXT_TLS1_3_CERTIFICATE
5698 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5700 context = SSL_EXT_CLIENT_HELLO
5701 | SSL_EXT_TLS1_2_SERVER_HELLO
5702 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5705 /* Create a client side custom extension */
5707 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5708 old_add_cb, old_free_cb,
5709 &client, old_parse_cb,
5713 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5714 new_add_cb, new_free_cb,
5715 &client, new_parse_cb, &client)))
5719 /* Should not be able to add duplicates */
5720 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5721 old_add_cb, old_free_cb,
5722 &client, old_parse_cb,
5724 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5725 context, new_add_cb,
5726 new_free_cb, &client,
5727 new_parse_cb, &client)))
5730 /* Create a server side custom extension */
5732 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5733 old_add_cb, old_free_cb,
5734 &server, old_parse_cb,
5738 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5739 new_add_cb, new_free_cb,
5740 &server, new_parse_cb, &server)))
5743 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5744 context, new_add_cb,
5745 new_free_cb, &server,
5746 new_parse_cb, &server)))
5750 /* Should not be able to add duplicates */
5751 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5752 old_add_cb, old_free_cb,
5753 &server, old_parse_cb,
5755 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5756 context, new_add_cb,
5757 new_free_cb, &server,
5758 new_parse_cb, &server)))
5763 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5764 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5768 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5769 &clientssl, NULL, NULL))
5770 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5775 if (clntaddoldcb != 1
5776 || clntparseoldcb != 1
5778 || srvparseoldcb != 1)
5780 } else if (tst == 1 || tst == 2 || tst == 3) {
5781 if (clntaddnewcb != 1
5782 || clntparsenewcb != 1
5784 || srvparsenewcb != 1
5785 || (tst != 2 && snicb != 0)
5786 || (tst == 2 && snicb != 1))
5788 } else if (tst == 5) {
5789 if (clntaddnewcb != 1
5790 || clntparsenewcb != 1
5792 || srvparsenewcb != 1)
5795 /* In this case there 2 NewSessionTicket messages created */
5796 if (clntaddnewcb != 1
5797 || clntparsenewcb != 5
5799 || srvparsenewcb != 1)
5803 sess = SSL_get1_session(clientssl);
5804 SSL_shutdown(clientssl);
5805 SSL_shutdown(serverssl);
5806 SSL_free(serverssl);
5807 SSL_free(clientssl);
5808 serverssl = clientssl = NULL;
5810 if (tst == 3 || tst == 5) {
5811 /* We don't bother with the resumption aspects for these tests */
5816 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5818 || !TEST_true(SSL_set_session(clientssl, sess))
5819 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5824 * For a resumed session we expect to add the ClientHello extension. For the
5825 * old style callbacks we ignore it on the server side because they set
5826 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5830 if (clntaddoldcb != 2
5831 || clntparseoldcb != 1
5833 || srvparseoldcb != 1)
5835 } else if (tst == 1 || tst == 2 || tst == 3) {
5836 if (clntaddnewcb != 2
5837 || clntparsenewcb != 2
5839 || srvparsenewcb != 2)
5843 * No Certificate message extensions in the resumption handshake,
5844 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5846 if (clntaddnewcb != 2
5847 || clntparsenewcb != 8
5849 || srvparsenewcb != 2)
5856 SSL_SESSION_free(sess);
5857 SSL_free(serverssl);
5858 SSL_free(clientssl);
5859 SSL_CTX_free(sctx2);
5865 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
5867 #define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \
5868 | SSL_EXT_CLIENT_HELLO \
5869 | SSL_EXT_TLS1_2_SERVER_HELLO \
5870 | SSL_EXT_IGNORE_ON_RESUMPTION)
5872 #define TLS13CONTEXT (SSL_EXT_TLS1_3_CERTIFICATE \
5873 | SSL_EXT_TLS1_2_SERVER_HELLO \
5874 | SSL_EXT_CLIENT_HELLO)
5876 #define SERVERINFO_CUSTOM \
5877 0x00, (char)TLSEXT_TYPE_signed_certificate_timestamp, \
5881 static const unsigned char serverinfo_custom_tls13[] = {
5882 0x00, 0x00, (TLS13CONTEXT >> 8) & 0xff, TLS13CONTEXT & 0xff,
5885 static const unsigned char serverinfo_custom_v2[] = {
5886 0x00, 0x00, (SYNTHV1CONTEXT >> 8) & 0xff, SYNTHV1CONTEXT & 0xff,
5889 static const unsigned char serverinfo_custom_v1[] = {
5892 static const size_t serverinfo_custom_tls13_len = sizeof(serverinfo_custom_tls13);
5893 static const size_t serverinfo_custom_v2_len = sizeof(serverinfo_custom_v2);
5894 static const size_t serverinfo_custom_v1_len = sizeof(serverinfo_custom_v1);
5896 static int serverinfo_custom_parse_cb(SSL *s, unsigned int ext_type,
5897 unsigned int context,
5898 const unsigned char *in,
5899 size_t inlen, X509 *x,
5900 size_t chainidx, int *al,
5903 const size_t len = serverinfo_custom_v1_len;
5904 const unsigned char *si = &serverinfo_custom_v1[len - 3];
5905 int *p_cb_result = (int*)parse_arg;
5906 *p_cb_result = TEST_mem_eq(in, inlen, si, 3);
5910 static int test_serverinfo_custom(const int idx)
5912 SSL_CTX *sctx = NULL, *cctx = NULL;
5913 SSL *clientssl = NULL, *serverssl = NULL;
5918 * Following variables are set in the switch statement
5919 * according to the test iteration.
5920 * Default values do not make much sense: test would fail with them.
5922 int serverinfo_version = 0;
5923 int protocol_version = 0;
5924 unsigned int extension_context = 0;
5925 const unsigned char *si = NULL;
5928 const int call_use_serverinfo_ex = idx > 0;
5930 case 0: /* FALLTHROUGH */
5932 serverinfo_version = SSL_SERVERINFOV1;
5933 protocol_version = TLS1_2_VERSION;
5934 extension_context = SYNTHV1CONTEXT;
5935 si = serverinfo_custom_v1;
5936 si_len = serverinfo_custom_v1_len;
5939 serverinfo_version = SSL_SERVERINFOV2;
5940 protocol_version = TLS1_2_VERSION;
5941 extension_context = SYNTHV1CONTEXT;
5942 si = serverinfo_custom_v2;
5943 si_len = serverinfo_custom_v2_len;
5946 serverinfo_version = SSL_SERVERINFOV2;
5947 protocol_version = TLS1_3_VERSION;
5948 extension_context = TLS13CONTEXT;
5949 si = serverinfo_custom_tls13;
5950 si_len = serverinfo_custom_tls13_len;
5954 if (!TEST_true(create_ssl_ctx_pair(libctx,
5959 &sctx, &cctx, cert, privkey)))
5962 if (call_use_serverinfo_ex) {
5963 if (!TEST_true(SSL_CTX_use_serverinfo_ex(sctx, serverinfo_version,
5967 if (!TEST_true(SSL_CTX_use_serverinfo(sctx, si, si_len)))
5971 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TLSEXT_TYPE_signed_certificate_timestamp,
5974 serverinfo_custom_parse_cb,
5976 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5978 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5980 || !TEST_int_eq(SSL_do_handshake(clientssl), 1))
5983 if (!TEST_true(cb_result))
5989 SSL_free(serverssl);
5990 SSL_free(clientssl);
5999 * Test that SSL_export_keying_material() produces expected results. There are
6000 * no test vectors so all we do is test that both sides of the communication
6001 * produce the same results for different protocol versions.
6003 #define SMALL_LABEL_LEN 10
6004 #define LONG_LABEL_LEN 249
6005 static int test_export_key_mat(int tst)
6008 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
6009 SSL *clientssl = NULL, *serverssl = NULL;
6010 const char label[LONG_LABEL_LEN + 1] = "test label";
6011 const unsigned char context[] = "context";
6012 const unsigned char *emptycontext = NULL;
6013 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
6014 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
6016 const int protocols[] = {
6025 #ifdef OPENSSL_NO_TLS1
6029 #ifdef OPENSSL_NO_TLS1_1
6033 if (is_fips && (tst == 0 || tst == 1))
6035 #ifdef OPENSSL_NO_TLS1_2
6039 #ifdef OSSL_NO_USABLE_TLS1_3
6043 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6044 TLS_client_method(), TLS1_VERSION, 0,
6045 &sctx, &cctx, cert, privkey)))
6048 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
6049 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
6050 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
6051 if ((protocols[tst] < TLS1_2_VERSION) &&
6052 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
6053 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
6056 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6061 * Premature call of SSL_export_keying_material should just fail.
6063 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6064 sizeof(ckeymat1), label,
6065 SMALL_LABEL_LEN + 1, context,
6066 sizeof(context) - 1, 1), 0))
6069 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6075 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
6078 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6079 sizeof(ckeymat1), label,
6080 LONG_LABEL_LEN + 1, context,
6081 sizeof(context) - 1, 1), 0))
6086 } else if (tst == 4) {
6087 labellen = LONG_LABEL_LEN;
6089 labellen = SMALL_LABEL_LEN;
6092 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
6093 sizeof(ckeymat1), label,
6095 sizeof(context) - 1, 1), 1)
6096 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
6097 sizeof(ckeymat2), label,
6101 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
6102 sizeof(ckeymat3), label,
6105 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
6106 sizeof(skeymat1), label,
6109 sizeof(context) -1, 1),
6111 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
6112 sizeof(skeymat2), label,
6116 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
6117 sizeof(skeymat3), label,
6121 * Check that both sides created the same key material with the
6124 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6127 * Check that both sides created the same key material with an
6130 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6133 * Check that both sides created the same key material without a
6136 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
6138 /* Different contexts should produce different results */
6139 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6144 * Check that an empty context and no context produce different results in
6145 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6147 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
6149 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
6156 SSL_free(serverssl);
6157 SSL_free(clientssl);
6158 SSL_CTX_free(sctx2);
6165 #ifndef OSSL_NO_USABLE_TLS1_3
6167 * Test that SSL_export_keying_material_early() produces expected
6168 * results. There are no test vectors so all we do is test that both
6169 * sides of the communication produce the same results for different
6170 * protocol versions.
6172 static int test_export_key_mat_early(int idx)
6174 static const char label[] = "test label";
6175 static const unsigned char context[] = "context";
6177 SSL_CTX *cctx = NULL, *sctx = NULL;
6178 SSL *clientssl = NULL, *serverssl = NULL;
6179 SSL_SESSION *sess = NULL;
6180 const unsigned char *emptycontext = NULL;
6181 unsigned char ckeymat1[80], ckeymat2[80];
6182 unsigned char skeymat1[80], skeymat2[80];
6183 unsigned char buf[1];
6184 size_t readbytes, written;
6186 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
6190 /* Here writing 0 length early data is enough. */
6191 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6192 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6194 SSL_READ_EARLY_DATA_ERROR)
6195 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6196 SSL_EARLY_DATA_ACCEPTED))
6199 if (!TEST_int_eq(SSL_export_keying_material_early(
6200 clientssl, ckeymat1, sizeof(ckeymat1), label,
6201 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6202 || !TEST_int_eq(SSL_export_keying_material_early(
6203 clientssl, ckeymat2, sizeof(ckeymat2), label,
6204 sizeof(label) - 1, emptycontext, 0), 1)
6205 || !TEST_int_eq(SSL_export_keying_material_early(
6206 serverssl, skeymat1, sizeof(skeymat1), label,
6207 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6208 || !TEST_int_eq(SSL_export_keying_material_early(
6209 serverssl, skeymat2, sizeof(skeymat2), label,
6210 sizeof(label) - 1, emptycontext, 0), 1)
6212 * Check that both sides created the same key material with the
6215 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6218 * Check that both sides created the same key material with an
6221 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6223 /* Different contexts should produce different results */
6224 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6231 SSL_SESSION_free(sess);
6232 SSL_SESSION_free(clientpsk);
6233 SSL_SESSION_free(serverpsk);
6234 clientpsk = serverpsk = NULL;
6235 SSL_free(serverssl);
6236 SSL_free(clientssl);
6243 #define NUM_KEY_UPDATE_MESSAGES 40
6247 static int test_key_update(void)
6249 SSL_CTX *cctx = NULL, *sctx = NULL;
6250 SSL *clientssl = NULL, *serverssl = NULL;
6251 int testresult = 0, i, j;
6253 static char *mess = "A test message";
6255 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6256 TLS_client_method(),
6259 &sctx, &cctx, cert, privkey))
6260 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6262 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6266 for (j = 0; j < 2; j++) {
6267 /* Send lots of KeyUpdate messages */
6268 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6269 if (!TEST_true(SSL_key_update(clientssl,
6271 ? SSL_KEY_UPDATE_NOT_REQUESTED
6272 : SSL_KEY_UPDATE_REQUESTED))
6273 || !TEST_true(SSL_do_handshake(clientssl)))
6277 /* Check that sending and receiving app data is ok */
6278 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6279 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6283 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6284 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6292 SSL_free(serverssl);
6293 SSL_free(clientssl);
6301 * Test we can handle a KeyUpdate (update requested) message while
6302 * write data is pending in peer.
6303 * Test 0: Client sends KeyUpdate while Server is writing
6304 * Test 1: Server sends KeyUpdate while Client is writing
6306 static int test_key_update_peer_in_write(int tst)
6308 SSL_CTX *cctx = NULL, *sctx = NULL;
6309 SSL *clientssl = NULL, *serverssl = NULL;
6312 static char *mess = "A test message";
6313 BIO *bretry = BIO_new(bio_s_always_retry());
6315 SSL *peerupdate = NULL, *peerwrite = NULL;
6317 if (!TEST_ptr(bretry)
6318 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6319 TLS_client_method(),
6322 &sctx, &cctx, cert, privkey))
6323 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6325 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6329 peerupdate = tst == 0 ? clientssl : serverssl;
6330 peerwrite = tst == 0 ? serverssl : clientssl;
6332 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
6333 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
6336 /* Swap the writing endpoint's write BIO to force a retry */
6337 tmp = SSL_get_wbio(peerwrite);
6338 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6342 SSL_set0_wbio(peerwrite, bretry);
6345 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6346 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6347 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
6350 /* Reinstate the original writing endpoint's write BIO */
6351 SSL_set0_wbio(peerwrite, tmp);
6354 /* Now read some data - we will read the key update */
6355 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6356 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
6360 * Complete the write we started previously and read it from the other
6363 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6364 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6367 /* Write more data to ensure we send the KeyUpdate message back */
6368 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6369 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6375 SSL_free(serverssl);
6376 SSL_free(clientssl);
6386 * Test we can handle a KeyUpdate (update requested) message while
6387 * peer read data is pending after peer accepted keyupdate(the msg header
6388 * had been read 5 bytes).
6389 * Test 0: Client sends KeyUpdate while Server is reading
6390 * Test 1: Server sends KeyUpdate while Client is reading
6392 static int test_key_update_peer_in_read(int tst)
6394 SSL_CTX *cctx = NULL, *sctx = NULL;
6395 SSL *clientssl = NULL, *serverssl = NULL;
6397 char prbuf[515], lwbuf[515] = {0};
6398 static char *mess = "A test message";
6399 BIO *lbio = NULL, *pbio = NULL;
6400 SSL *local = NULL, *peer = NULL;
6402 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6403 TLS_client_method(),
6406 &sctx, &cctx, cert, privkey))
6407 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6409 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6413 local = tst == 0 ? clientssl : serverssl;
6414 peer = tst == 0 ? serverssl : clientssl;
6416 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6419 SSL_set_bio(local, lbio, lbio);
6420 SSL_set_bio(peer, pbio, pbio);
6423 * we first write keyupdate msg then appdata in local
6424 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6425 * lwbuf app data msg size + key updata msg size > 512(the size of
6426 * the bio pair buffer)
6428 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6429 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
6430 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6434 * first read keyupdate msg in peer in peer
6435 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6437 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
6438 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
6441 /* Now write some data in peer - we will write the key update */
6442 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
6446 * write data in local previously that we will complete
6447 * read data in peer previously that we will complete
6449 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
6450 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
6453 /* check that sending and receiving appdata ok */
6454 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6455 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6461 SSL_free(serverssl);
6462 SSL_free(clientssl);
6470 * Test we can't send a KeyUpdate (update requested) message while
6471 * local write data is pending.
6472 * Test 0: Client sends KeyUpdate while Client is writing
6473 * Test 1: Server sends KeyUpdate while Server is writing
6475 static int test_key_update_local_in_write(int tst)
6477 SSL_CTX *cctx = NULL, *sctx = NULL;
6478 SSL *clientssl = NULL, *serverssl = NULL;
6481 static char *mess = "A test message";
6482 BIO *bretry = BIO_new(bio_s_always_retry());
6484 SSL *local = NULL, *peer = NULL;
6486 if (!TEST_ptr(bretry)
6487 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6488 TLS_client_method(),
6491 &sctx, &cctx, cert, privkey))
6492 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6494 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6498 local = tst == 0 ? clientssl : serverssl;
6499 peer = tst == 0 ? serverssl : clientssl;
6501 /* Swap the writing endpoint's write BIO to force a retry */
6502 tmp = SSL_get_wbio(local);
6503 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6507 SSL_set0_wbio(local, bretry);
6510 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
6511 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
6512 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6515 /* Reinstate the original writing endpoint's write BIO */
6516 SSL_set0_wbio(local, tmp);
6519 /* SSL_key_update will fail, because writing in local*/
6520 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6521 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
6525 /* write data in local previously that we will complete */
6526 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
6529 /* SSL_key_update will succeed because there is no pending write data */
6530 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6531 || !TEST_int_eq(SSL_do_handshake(local), 1))
6535 * we write some appdata in local
6536 * read data in peer - we will read the keyupdate msg
6538 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6539 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
6542 /* Write more peer more data to ensure we send the keyupdate message back */
6543 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6544 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
6550 SSL_free(serverssl);
6551 SSL_free(clientssl);
6561 * Test we can handle a KeyUpdate (update requested) message while
6562 * local read data is pending(the msg header had been read 5 bytes).
6563 * Test 0: Client sends KeyUpdate while Client is reading
6564 * Test 1: Server sends KeyUpdate while Server is reading
6566 static int test_key_update_local_in_read(int tst)
6568 SSL_CTX *cctx = NULL, *sctx = NULL;
6569 SSL *clientssl = NULL, *serverssl = NULL;
6571 char lrbuf[515], pwbuf[515] = {0}, prbuf[20];
6572 static char *mess = "A test message";
6573 BIO *lbio = NULL, *pbio = NULL;
6574 SSL *local = NULL, *peer = NULL;
6576 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6577 TLS_client_method(),
6580 &sctx, &cctx, cert, privkey))
6581 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6583 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6587 local = tst == 0 ? clientssl : serverssl;
6588 peer = tst == 0 ? serverssl : clientssl;
6590 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6593 SSL_set_bio(local, lbio, lbio);
6594 SSL_set_bio(peer, pbio, pbio);
6596 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
6597 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
6598 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
6601 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
6602 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
6603 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
6606 /* SSL_do_handshake will send keyupdate msg */
6607 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6608 || !TEST_int_eq(SSL_do_handshake(local), 1))
6612 * write data in peer previously that we will complete
6613 * read data in local previously that we will complete
6615 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
6616 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
6620 * write data in local
6621 * read data in peer - we will read the key update
6623 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6624 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6627 /* Write more peer data to ensure we send the keyupdate message back */
6628 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6629 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
6635 SSL_free(serverssl);
6636 SSL_free(clientssl);
6642 #endif /* OSSL_NO_USABLE_TLS1_3 */
6644 static int test_ssl_clear(int idx)
6646 SSL_CTX *cctx = NULL, *sctx = NULL;
6647 SSL *clientssl = NULL, *serverssl = NULL;
6650 #ifdef OPENSSL_NO_TLS1_2
6655 /* Create an initial connection */
6656 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6657 TLS_client_method(), TLS1_VERSION, 0,
6658 &sctx, &cctx, cert, privkey))
6660 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
6662 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6663 &clientssl, NULL, NULL))
6664 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6668 SSL_shutdown(clientssl);
6669 SSL_shutdown(serverssl);
6670 SSL_free(serverssl);
6673 /* Clear clientssl - we're going to reuse the object */
6674 if (!TEST_true(SSL_clear(clientssl)))
6677 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6679 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6681 || !TEST_true(SSL_session_reused(clientssl)))
6684 SSL_shutdown(clientssl);
6685 SSL_shutdown(serverssl);
6690 SSL_free(serverssl);
6691 SSL_free(clientssl);
6698 /* Parse CH and retrieve any MFL extension value if present */
6699 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
6702 unsigned char *data;
6703 PACKET pkt, pkt2, pkt3;
6704 unsigned int MFL_code = 0, type = 0;
6706 if (!TEST_uint_gt(len = BIO_get_mem_data(bio, (char **) &data), 0))
6709 memset(&pkt, 0, sizeof(pkt));
6710 memset(&pkt2, 0, sizeof(pkt2));
6711 memset(&pkt3, 0, sizeof(pkt3));
6713 if (!TEST_long_gt(len, 0)
6714 || !TEST_true(PACKET_buf_init(&pkt, data, len))
6715 /* Skip the record header */
6716 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
6717 /* Skip the handshake message header */
6718 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
6719 /* Skip client version and random */
6720 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
6721 + SSL3_RANDOM_SIZE))
6722 /* Skip session id */
6723 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6725 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
6726 /* Skip compression */
6727 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6728 /* Extensions len */
6729 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
6732 /* Loop through all extensions */
6733 while (PACKET_remaining(&pkt2)) {
6734 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
6735 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
6738 if (type == TLSEXT_TYPE_max_fragment_length) {
6739 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
6740 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
6743 *mfl_codemfl_code = MFL_code;
6752 /* Maximum-Fragment-Length TLS extension mode to test */
6753 static const unsigned char max_fragment_len_test[] = {
6754 TLSEXT_max_fragment_length_512,
6755 TLSEXT_max_fragment_length_1024,
6756 TLSEXT_max_fragment_length_2048,
6757 TLSEXT_max_fragment_length_4096
6760 static int test_max_fragment_len_ext(int idx_tst)
6762 SSL_CTX *ctx = NULL;
6764 int testresult = 0, MFL_mode = 0;
6767 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
6768 TLS1_VERSION, 0, NULL, &ctx, NULL,
6772 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
6773 ctx, max_fragment_len_test[idx_tst])))
6780 rbio = BIO_new(BIO_s_mem());
6781 wbio = BIO_new(BIO_s_mem());
6782 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
6788 SSL_set_bio(con, rbio, wbio);
6790 if (!TEST_int_le(SSL_connect(con), 0)) {
6791 /* This shouldn't succeed because we don't have a server! */
6795 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
6796 /* no MFL in client hello */
6798 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
6810 #ifndef OSSL_NO_USABLE_TLS1_3
6811 static int test_pha_key_update(void)
6813 SSL_CTX *cctx = NULL, *sctx = NULL;
6814 SSL *clientssl = NULL, *serverssl = NULL;
6817 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6818 TLS_client_method(), TLS1_VERSION, 0,
6819 &sctx, &cctx, cert, privkey)))
6822 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
6823 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
6824 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
6825 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
6828 SSL_CTX_set_post_handshake_auth(cctx, 1);
6830 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6834 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6838 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6839 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6842 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
6845 /* Start handshake on the server */
6846 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
6849 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
6850 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6854 SSL_shutdown(clientssl);
6855 SSL_shutdown(serverssl);
6860 SSL_free(serverssl);
6861 SSL_free(clientssl);
6868 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6870 static SRP_VBASE *vbase = NULL;
6872 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
6874 int ret = SSL3_AL_FATAL;
6876 SRP_user_pwd *user = NULL;
6878 username = SSL_get_srp_username(s);
6879 if (username == NULL) {
6880 *ad = SSL_AD_INTERNAL_ERROR;
6884 user = SRP_VBASE_get1_by_user(vbase, username);
6886 *ad = SSL_AD_INTERNAL_ERROR;
6890 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
6892 *ad = SSL_AD_INTERNAL_ERROR;
6899 SRP_user_pwd_free(user);
6903 static int create_new_vfile(char *userid, char *password, const char *filename)
6906 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
6909 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
6912 if (!TEST_ptr(dummy) || !TEST_ptr(row))
6915 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
6916 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
6917 if (!TEST_ptr(gNid))
6921 * The only way to create an empty TXT_DB is to provide a BIO with no data
6924 db = TXT_DB_read(dummy, DB_NUMBER);
6928 out = BIO_new_file(filename, "w");
6932 row[DB_srpid] = OPENSSL_strdup(userid);
6933 row[DB_srptype] = OPENSSL_strdup("V");
6934 row[DB_srpgN] = OPENSSL_strdup(gNid);
6936 if (!TEST_ptr(row[DB_srpid])
6937 || !TEST_ptr(row[DB_srptype])
6938 || !TEST_ptr(row[DB_srpgN])
6939 || !TEST_true(TXT_DB_insert(db, row)))
6944 if (TXT_DB_write(out, db) <= 0)
6950 for (i = 0; i < DB_NUMBER; i++)
6951 OPENSSL_free(row[i]);
6961 static int create_new_vbase(char *userid, char *password)
6963 BIGNUM *verifier = NULL, *salt = NULL;
6964 const SRP_gN *lgN = NULL;
6965 SRP_user_pwd *user_pwd = NULL;
6968 lgN = SRP_get_default_gN(NULL);
6972 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
6973 lgN->N, lgN->g, libctx, NULL)))
6976 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
6977 if (!TEST_ptr(user_pwd))
6980 user_pwd->N = lgN->N;
6981 user_pwd->g = lgN->g;
6982 user_pwd->id = OPENSSL_strdup(userid);
6983 if (!TEST_ptr(user_pwd->id))
6986 user_pwd->v = verifier;
6988 verifier = salt = NULL;
6990 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
6996 SRP_user_pwd_free(user_pwd);
7006 * Test 0: Simple successful SRP connection, new vbase
7007 * Test 1: Connection failure due to bad password, new vbase
7008 * Test 2: Simple successful SRP connection, vbase loaded from existing file
7009 * Test 3: Connection failure due to bad password, vbase loaded from existing
7011 * Test 4: Simple successful SRP connection, vbase loaded from new file
7012 * Test 5: Connection failure due to bad password, vbase loaded from new file
7014 static int test_srp(int tst)
7016 char *userid = "test", *password = "password", *tstsrpfile;
7017 SSL_CTX *cctx = NULL, *sctx = NULL;
7018 SSL *clientssl = NULL, *serverssl = NULL;
7019 int ret, testresult = 0;
7021 vbase = SRP_VBASE_new(NULL);
7022 if (!TEST_ptr(vbase))
7025 if (tst == 0 || tst == 1) {
7026 if (!TEST_true(create_new_vbase(userid, password)))
7029 if (tst == 4 || tst == 5) {
7030 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
7032 tstsrpfile = tmpfilename;
7034 tstsrpfile = srpvfile;
7036 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
7040 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7041 TLS_client_method(), TLS1_VERSION, 0,
7042 &sctx, &cctx, cert, privkey)))
7045 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
7046 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
7047 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
7048 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
7049 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
7053 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
7056 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
7060 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7064 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7066 if (!TEST_true(tst % 2 == 0))
7069 if (!TEST_true(tst % 2 == 1))
7076 SRP_VBASE_free(vbase);
7078 SSL_free(serverssl);
7079 SSL_free(clientssl);
7087 static int info_cb_failed = 0;
7088 static int info_cb_offset = 0;
7089 static int info_cb_this_state = -1;
7091 static struct info_cb_states_st {
7093 const char *statestr;
7094 } info_cb_states[][60] = {
7096 /* TLSv1.2 server followed by resumption */
7097 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7098 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7099 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
7100 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
7101 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
7102 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7103 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7104 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7105 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"},
7106 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7107 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
7108 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7109 {SSL_CB_EXIT, NULL}, {0, NULL},
7111 /* TLSv1.2 client followed by resumption */
7112 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7113 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7114 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
7115 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
7116 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
7117 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7118 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7119 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7120 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7121 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7122 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7123 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
7125 /* TLSv1.3 server followed by resumption */
7126 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7127 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7128 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
7129 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7130 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7131 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7132 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7133 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7134 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7135 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7136 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7137 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7138 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7140 /* TLSv1.3 client followed by resumption */
7141 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7142 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7143 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
7144 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7145 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7146 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7147 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7148 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7149 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7150 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7151 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7152 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7153 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7154 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7155 {SSL_CB_EXIT, NULL}, {0, NULL},
7157 /* TLSv1.3 server, early_data */
7158 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7159 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7160 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7161 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7162 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7163 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
7164 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7165 {SSL_CB_EXIT, NULL}, {0, NULL},
7167 /* TLSv1.3 client, early_data */
7168 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7169 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
7170 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7171 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7172 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7173 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
7174 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7175 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7176 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7178 /* TLSv1.3 server, certificate compression, followed by resumption */
7179 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7180 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7181 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSCC"},
7182 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7183 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7184 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7185 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7186 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7187 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7188 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7189 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7190 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7191 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7193 /* TLSv1.3 client, certificate compression, followed by resumption */
7194 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7195 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7196 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSCC"},
7197 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7198 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7199 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7200 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7201 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7202 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7203 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7204 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7205 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7206 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7207 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7208 {SSL_CB_EXIT, NULL}, {0, NULL},
7214 static void sslapi_info_callback(const SSL *s, int where, int ret)
7216 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
7218 /* We do not ever expect a connection to fail in this test */
7219 if (!TEST_false(ret == 0)) {
7225 * Do some sanity checks. We never expect these things to happen in this
7228 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
7229 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
7230 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
7235 /* Now check we're in the right state */
7236 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
7240 if ((where & SSL_CB_LOOP) != 0
7241 && !TEST_int_eq(strcmp(SSL_state_string(s),
7242 state[info_cb_this_state].statestr), 0)) {
7248 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7250 if ((where & SSL_CB_HANDSHAKE_DONE)
7251 && SSL_in_init((SSL *)s) != 0) {
7258 * Test the info callback gets called when we expect it to.
7260 * Test 0: TLSv1.2, server
7261 * Test 1: TLSv1.2, client
7262 * Test 2: TLSv1.3, server
7263 * Test 3: TLSv1.3, client
7264 * Test 4: TLSv1.3, server, early_data
7265 * Test 5: TLSv1.3, client, early_data
7266 * Test 6: TLSv1.3, server, compressed certificate
7267 * Test 7: TLSv1.3, client, compressed certificate
7269 static int test_info_callback(int tst)
7271 SSL_CTX *cctx = NULL, *sctx = NULL;
7272 SSL *clientssl = NULL, *serverssl = NULL;
7273 SSL_SESSION *clntsess = NULL;
7278 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
7279 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7280 || !defined(OPENSSL_NO_DH))
7281 tlsvers = TLS1_2_VERSION;
7286 #ifndef OSSL_NO_USABLE_TLS1_3
7287 tlsvers = TLS1_3_VERSION;
7295 info_cb_this_state = -1;
7296 info_cb_offset = tst;
7298 #ifndef OSSL_NO_USABLE_TLS1_3
7299 if (tst >= 4 && tst < 6) {
7300 SSL_SESSION *sess = NULL;
7301 size_t written, readbytes;
7302 unsigned char buf[80];
7304 /* early_data tests */
7305 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
7306 &serverssl, &sess, 0)))
7309 /* We don't actually need this reference */
7310 SSL_SESSION_free(sess);
7312 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
7313 sslapi_info_callback);
7315 /* Write and read some early data and then complete the connection */
7316 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
7318 || !TEST_size_t_eq(written, strlen(MSG1))
7319 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
7320 sizeof(buf), &readbytes),
7321 SSL_READ_EARLY_DATA_SUCCESS)
7322 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
7323 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
7324 SSL_EARLY_DATA_ACCEPTED)
7325 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7327 || !TEST_false(info_cb_failed))
7335 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7336 TLS_client_method(),
7337 tlsvers, tlsvers, &sctx, &cctx, cert,
7341 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
7345 * For even numbered tests we check the server callbacks. For odd numbers we
7348 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
7349 sslapi_info_callback);
7351 if (!SSL_CTX_compress_certs(sctx, 0))
7355 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7356 &clientssl, NULL, NULL))
7357 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7359 || !TEST_false(info_cb_failed))
7364 clntsess = SSL_get1_session(clientssl);
7365 SSL_shutdown(clientssl);
7366 SSL_shutdown(serverssl);
7367 SSL_free(serverssl);
7368 SSL_free(clientssl);
7369 serverssl = clientssl = NULL;
7371 /* Now do a resumption */
7372 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7374 || !TEST_true(SSL_set_session(clientssl, clntsess))
7375 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7377 || !TEST_true(SSL_session_reused(clientssl))
7378 || !TEST_false(info_cb_failed))
7384 SSL_free(serverssl);
7385 SSL_free(clientssl);
7386 SSL_SESSION_free(clntsess);
7392 static int test_ssl_pending(int tst)
7394 SSL_CTX *cctx = NULL, *sctx = NULL;
7395 SSL *clientssl = NULL, *serverssl = NULL;
7397 char msg[] = "A test message";
7399 size_t written, readbytes;
7402 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7403 TLS_client_method(),
7405 &sctx, &cctx, cert, privkey)))
7408 #ifndef OPENSSL_NO_DTLS
7409 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
7410 DTLS_client_method(),
7412 &sctx, &cctx, cert, privkey)))
7415 # ifdef OPENSSL_NO_DTLS1_2
7416 /* Not supported in the FIPS provider */
7422 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7425 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
7426 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
7427 "DEFAULT:@SECLEVEL=0")))
7435 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7437 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7441 if (!TEST_int_eq(SSL_pending(clientssl), 0)
7442 || !TEST_false(SSL_has_pending(clientssl))
7443 || !TEST_int_eq(SSL_pending(serverssl), 0)
7444 || !TEST_false(SSL_has_pending(serverssl))
7445 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7446 || !TEST_size_t_eq(written, sizeof(msg))
7447 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
7448 || !TEST_size_t_eq(readbytes, sizeof(buf))
7449 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
7450 || !TEST_true(SSL_has_pending(clientssl)))
7456 SSL_free(serverssl);
7457 SSL_free(clientssl);
7465 unsigned int maxprot;
7466 const char *clntciphers;
7467 const char *clnttls13ciphers;
7468 const char *srvrciphers;
7469 const char *srvrtls13ciphers;
7471 const char *fipsshared;
7472 } shared_ciphers_data[] = {
7474 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
7475 * TLSv1.3 is enabled but TLSv1.2 is disabled.
7477 #if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
7480 "AES128-SHA:AES256-SHA",
7482 "AES256-SHA:DHE-RSA-AES128-SHA",
7487 # if !defined(OPENSSL_NO_CHACHA) \
7488 && !defined(OPENSSL_NO_POLY1305) \
7489 && !defined(OPENSSL_NO_EC)
7492 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7494 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7496 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7502 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
7504 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
7506 "AES128-SHA:AES256-SHA",
7507 "AES128-SHA:AES256-SHA"
7511 "AES128-SHA:AES256-SHA",
7513 "AES128-SHA:DHE-RSA-AES128-SHA",
7520 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7523 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
7524 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
7527 "AES128-SHA:AES256-SHA",
7529 "AES256-SHA:AES128-SHA256",
7531 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
7532 "TLS_AES_128_GCM_SHA256:AES256-SHA",
7533 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
7536 #ifndef OSSL_NO_USABLE_TLS1_3
7540 "TLS_AES_256_GCM_SHA384",
7542 "TLS_AES_256_GCM_SHA384",
7543 "TLS_AES_256_GCM_SHA384",
7544 "TLS_AES_256_GCM_SHA384"
7549 static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
7551 SSL_CTX *cctx = NULL, *sctx = NULL;
7552 SSL *clientssl = NULL, *serverssl = NULL;
7555 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
7557 if (!TEST_ptr(tmplibctx))
7561 * Regardless of whether we're testing with the FIPS provider loaded into
7562 * libctx, we want one peer to always use the full set of ciphersuites
7563 * available. Therefore we use a separate libctx with the default provider
7564 * loaded into it. We run the same tests twice - once with the client side
7565 * having the full set of ciphersuites and once with the server side.
7568 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
7569 if (!TEST_ptr(cctx))
7572 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
7573 if (!TEST_ptr(sctx))
7577 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7578 TLS_client_method(),
7580 shared_ciphers_data[tst].maxprot,
7581 &sctx, &cctx, cert, privkey)))
7584 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
7585 shared_ciphers_data[tst].clntciphers))
7586 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
7587 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
7588 shared_ciphers_data[tst].clnttls13ciphers)))
7589 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
7590 shared_ciphers_data[tst].srvrciphers))
7591 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
7592 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
7593 shared_ciphers_data[tst].srvrtls13ciphers))))
7597 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7599 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7603 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
7604 || !TEST_int_eq(strcmp(buf,
7606 ? shared_ciphers_data[tst].fipsshared
7607 : shared_ciphers_data[tst].shared),
7609 TEST_info("Shared ciphers are: %s\n", buf);
7616 SSL_free(serverssl);
7617 SSL_free(clientssl);
7620 OSSL_LIB_CTX_free(tmplibctx);
7625 static int test_ssl_get_shared_ciphers(int tst)
7627 return int_test_ssl_get_shared_ciphers(tst, 0)
7628 && int_test_ssl_get_shared_ciphers(tst, 1);
7632 static const char *appdata = "Hello World";
7633 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
7634 static int tick_key_renew = 0;
7635 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7637 static int gen_tick_cb(SSL *s, void *arg)
7639 gen_tick_called = 1;
7641 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
7645 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
7646 const unsigned char *keyname,
7647 size_t keyname_length,
7648 SSL_TICKET_STATUS status,
7654 dec_tick_called = 1;
7656 if (status == SSL_TICKET_EMPTY)
7657 return SSL_TICKET_RETURN_IGNORE_RENEW;
7659 if (!TEST_true(status == SSL_TICKET_SUCCESS
7660 || status == SSL_TICKET_SUCCESS_RENEW))
7661 return SSL_TICKET_RETURN_ABORT;
7663 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
7665 || !TEST_size_t_eq(tickdlen, strlen(appdata))
7666 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
7667 return SSL_TICKET_RETURN_ABORT;
7669 if (tick_key_cb_called) {
7670 /* Don't change what the ticket key callback wanted to do */
7672 case SSL_TICKET_NO_DECRYPT:
7673 return SSL_TICKET_RETURN_IGNORE_RENEW;
7675 case SSL_TICKET_SUCCESS:
7676 return SSL_TICKET_RETURN_USE;
7678 case SSL_TICKET_SUCCESS_RENEW:
7679 return SSL_TICKET_RETURN_USE_RENEW;
7682 return SSL_TICKET_RETURN_ABORT;
7685 return tick_dec_ret;
7689 #ifndef OPENSSL_NO_DEPRECATED_3_0
7690 static int tick_key_cb(SSL *s, unsigned char key_name[16],
7691 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
7692 HMAC_CTX *hctx, int enc)
7694 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7695 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
7696 EVP_CIPHER *aes128cbc;
7700 tick_key_cb_called = 1;
7702 if (tick_key_renew == -1)
7705 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7706 if (!TEST_ptr(aes128cbc))
7708 sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
7709 if (!TEST_ptr(sha256)) {
7710 EVP_CIPHER_free(aes128cbc);
7714 memset(iv, 0, AES_BLOCK_SIZE);
7715 memset(key_name, 0, 16);
7716 if (aes128cbc == NULL
7718 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7719 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
7723 ret = tick_key_renew ? 2 : 1;
7725 EVP_CIPHER_free(aes128cbc);
7726 EVP_MD_free(sha256);
7732 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
7733 unsigned char iv[EVP_MAX_IV_LENGTH],
7734 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
7736 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7737 unsigned char tick_hmac_key[16] = "0123456789abcdef";
7738 OSSL_PARAM params[2];
7739 EVP_CIPHER *aes128cbc;
7742 tick_key_cb_called = 1;
7744 if (tick_key_renew == -1)
7747 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7748 if (!TEST_ptr(aes128cbc))
7751 memset(iv, 0, AES_BLOCK_SIZE);
7752 memset(key_name, 0, 16);
7753 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
7755 params[1] = OSSL_PARAM_construct_end();
7756 if (aes128cbc == NULL
7757 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7758 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
7762 ret = tick_key_renew ? 2 : 1;
7764 EVP_CIPHER_free(aes128cbc);
7770 * Test the various ticket callbacks
7771 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
7772 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
7773 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
7774 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
7775 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
7776 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
7777 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
7778 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
7779 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
7780 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
7781 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
7782 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
7783 * Test 12: TLSv1.2, old ticket key callback, no ticket
7784 * Test 13: TLSv1.3, old ticket key callback, no ticket
7785 * Test 14: TLSv1.2, ticket key callback, ticket, no renewal
7786 * Test 15: TLSv1.3, ticket key callback, ticket, no renewal
7787 * Test 16: TLSv1.2, ticket key callback, ticket, renewal
7788 * Test 17: TLSv1.3, ticket key callback, ticket, renewal
7789 * Test 18: TLSv1.2, ticket key callback, no ticket
7790 * Test 19: TLSv1.3, ticket key callback, no ticket
7792 static int test_ticket_callbacks(int tst)
7794 SSL_CTX *cctx = NULL, *sctx = NULL;
7795 SSL *clientssl = NULL, *serverssl = NULL;
7796 SSL_SESSION *clntsess = NULL;
7799 #ifdef OPENSSL_NO_TLS1_2
7803 #ifdef OSSL_NO_USABLE_TLS1_3
7807 #ifdef OPENSSL_NO_DEPRECATED_3_0
7808 if (tst >= 8 && tst <= 13)
7812 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
7814 /* Which tests the ticket key callback should request renewal for */
7816 if (tst == 10 || tst == 11 || tst == 16 || tst == 17)
7818 else if (tst == 12 || tst == 13 || tst == 18 || tst == 19)
7819 tick_key_renew = -1; /* abort sending the ticket/0-length ticket */
7823 /* Which tests the decrypt ticket callback should request renewal for */
7827 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
7832 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
7837 tick_dec_ret = SSL_TICKET_RETURN_USE;
7842 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
7846 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7849 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7850 TLS_client_method(),
7852 ((tst % 2) == 0) ? TLS1_2_VERSION
7854 &sctx, &cctx, cert, privkey)))
7858 * We only want sessions to resume from tickets - not the session cache. So
7859 * switch the cache off.
7861 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
7864 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
7869 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
7871 #ifndef OPENSSL_NO_DEPRECATED_3_0
7872 } else if (tst >= 8) {
7873 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
7878 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7880 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7885 * The decrypt ticket key callback in TLSv1.2 should be called even though
7886 * we have no ticket yet, because it gets called with a status of
7887 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
7888 * actually send any ticket data). This does not happen in TLSv1.3 because
7889 * it is not valid to send empty ticket data in TLSv1.3.
7891 if (!TEST_int_eq(gen_tick_called, 1)
7892 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
7895 gen_tick_called = dec_tick_called = 0;
7897 clntsess = SSL_get1_session(clientssl);
7898 SSL_shutdown(clientssl);
7899 SSL_shutdown(serverssl);
7900 SSL_free(serverssl);
7901 SSL_free(clientssl);
7902 serverssl = clientssl = NULL;
7904 /* Now do a resumption */
7905 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7907 || !TEST_true(SSL_set_session(clientssl, clntsess))
7908 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7912 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
7913 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
7914 || tick_key_renew == -1) {
7915 if (!TEST_false(SSL_session_reused(clientssl)))
7918 if (!TEST_true(SSL_session_reused(clientssl)))
7922 if (!TEST_int_eq(gen_tick_called,
7924 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
7925 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
7927 /* There is no ticket to decrypt in tests 13 and 19 */
7928 || !TEST_int_eq(dec_tick_called, (tst == 13 || tst == 19) ? 0 : 1))
7934 SSL_SESSION_free(clntsess);
7935 SSL_free(serverssl);
7936 SSL_free(clientssl);
7944 * Test incorrect shutdown.
7945 * Test 0: client does not shutdown properly,
7946 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
7947 * server should get SSL_ERROR_SSL
7948 * Test 1: client does not shutdown properly,
7949 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
7950 * server should get SSL_ERROR_ZERO_RETURN
7952 static int test_incorrect_shutdown(int tst)
7954 SSL_CTX *cctx = NULL, *sctx = NULL;
7955 SSL *clientssl = NULL, *serverssl = NULL;
7960 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7961 TLS_client_method(), 0, 0,
7962 &sctx, &cctx, cert, privkey)))
7966 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
7968 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7972 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7976 c2s = SSL_get_rbio(serverssl);
7977 BIO_set_mem_eof_return(c2s, 0);
7979 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
7982 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
7984 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
7990 SSL_free(serverssl);
7991 SSL_free(clientssl);
7999 * Test bi-directional shutdown.
8001 * Test 1: TLSv1.2, server continues to read/write after client shutdown
8002 * Test 2: TLSv1.3, no pending NewSessionTicket messages
8003 * Test 3: TLSv1.3, pending NewSessionTicket messages
8004 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
8005 * sends key update, client reads it
8006 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
8007 * sends CertificateRequest, client reads and ignores it
8008 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
8011 static int test_shutdown(int tst)
8013 SSL_CTX *cctx = NULL, *sctx = NULL;
8014 SSL *clientssl = NULL, *serverssl = NULL;
8016 char msg[] = "A test message";
8018 size_t written, readbytes;
8021 #ifdef OPENSSL_NO_TLS1_2
8025 #ifdef OSSL_NO_USABLE_TLS1_3
8030 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8031 TLS_client_method(),
8033 (tst <= 1) ? TLS1_2_VERSION
8035 &sctx, &cctx, cert, privkey)))
8039 SSL_CTX_set_post_handshake_auth(cctx, 1);
8041 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8046 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
8047 SSL_ERROR_NONE, 1, 0))
8048 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8049 || !TEST_false(SSL_SESSION_is_resumable(sess)))
8051 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8053 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8054 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
8058 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8063 * Reading on the server after the client has sent close_notify should
8064 * fail and provide SSL_ERROR_ZERO_RETURN
8066 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
8067 || !TEST_int_eq(SSL_get_error(serverssl, 0),
8068 SSL_ERROR_ZERO_RETURN)
8069 || !TEST_int_eq(SSL_get_shutdown(serverssl),
8070 SSL_RECEIVED_SHUTDOWN)
8072 * Even though we're shutdown on receive we should still be
8075 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8078 && !TEST_true(SSL_key_update(serverssl,
8079 SSL_KEY_UPDATE_REQUESTED)))
8082 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
8083 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
8086 if ((tst == 4 || tst == 5)
8087 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8089 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8091 if (tst == 4 || tst == 5) {
8092 /* Should still be able to read data from server */
8093 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8095 || !TEST_size_t_eq(readbytes, sizeof(msg))
8096 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
8097 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8099 || !TEST_size_t_eq(readbytes, sizeof(msg))
8100 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
8105 /* Writing on the client after sending close_notify shouldn't be possible */
8106 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
8111 * For these tests the client has sent close_notify but it has not yet
8112 * been received by the server. The server has not sent close_notify
8115 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
8117 * Writing on the server after sending close_notify shouldn't
8120 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8121 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
8122 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8123 || !TEST_true(SSL_SESSION_is_resumable(sess))
8124 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
8126 } else if (tst == 4 || tst == 5) {
8128 * In this test the client has sent close_notify and it has been
8129 * received by the server which has responded with a close_notify. The
8130 * client needs to read the close_notify sent by the server.
8132 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
8133 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8134 || !TEST_true(SSL_SESSION_is_resumable(sess)))
8140 * The client has sent close_notify and is expecting a close_notify
8141 * back, but instead there is application data first. The shutdown
8142 * should fail with a fatal error.
8144 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
8145 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
8152 SSL_free(serverssl);
8153 SSL_free(clientssl);
8161 * Test that sending close_notify alerts works correctly in the case of a
8162 * retryable write failure.
8164 static int test_async_shutdown(void)
8166 SSL_CTX *cctx = NULL, *sctx = NULL;
8167 SSL *clientssl = NULL, *serverssl = NULL;
8169 BIO *bretry = BIO_new(bio_s_always_retry()), *tmp = NULL;
8171 if (!TEST_ptr(bretry))
8174 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8175 TLS_client_method(),
8177 &sctx, &cctx, cert, privkey)))
8180 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8184 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8187 /* Close write side of clientssl */
8188 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8191 tmp = SSL_get_wbio(serverssl);
8192 if (!TEST_true(BIO_up_ref(tmp))) {
8196 SSL_set0_wbio(serverssl, bretry);
8199 /* First server shutdown should fail because of a retrable write failure */
8200 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8201 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8204 /* Second server shutdown should fail for the same reason */
8205 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8206 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8209 SSL_set0_wbio(serverssl, tmp);
8212 /* Third server shutdown should send close_notify */
8213 if (!TEST_int_eq(SSL_shutdown(serverssl), 0))
8216 /* Fourth server shutdown should read close_notify from client and finish */
8217 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8220 /* Client should also successfully fully shutdown */
8221 if (!TEST_int_eq(SSL_shutdown(clientssl), 1))
8226 SSL_free(serverssl);
8227 SSL_free(clientssl);
8236 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8237 static int cert_cb_cnt;
8239 static int cert_cb(SSL *s, void *arg)
8241 SSL_CTX *ctx = (SSL_CTX *)arg;
8243 EVP_PKEY *pkey = NULL;
8244 X509 *x509 = NULL, *rootx = NULL;
8245 STACK_OF(X509) *chain = NULL;
8246 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
8249 if (cert_cb_cnt == 0) {
8250 /* Suspend the handshake */
8253 } else if (cert_cb_cnt == 1) {
8255 * Update the SSL_CTX, set the certificate and private key and then
8256 * continue the handshake normally.
8258 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
8261 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
8262 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
8264 || !TEST_true(SSL_check_private_key(s)))
8268 } else if (cert_cb_cnt == 3) {
8271 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
8272 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8273 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8274 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
8276 chain = sk_X509_new_null();
8277 if (!TEST_ptr(chain))
8279 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8280 || !TEST_int_gt(BIO_read_filename(in, rootfile), 0)
8281 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
8282 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
8283 || !TEST_true(sk_X509_push(chain, rootx)))
8287 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8288 || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0)
8289 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
8290 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
8293 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8294 || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0)
8295 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
8299 rv = SSL_check_chain(s, x509, pkey, chain);
8301 * If the cert doesn't show as valid here (e.g., because we don't
8302 * have any shared sigalgs), then we will not set it, and there will
8303 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8304 * will cause tls_choose_sigalgs() to fail the connection.
8306 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
8307 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
8308 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
8315 /* Abort the handshake */
8317 OPENSSL_free(ecdsacert);
8318 OPENSSL_free(ecdsakey);
8319 OPENSSL_free(rootfile);
8321 EVP_PKEY_free(pkey);
8324 OSSL_STACK_OF_X509_free(chain);
8329 * Test the certificate callback.
8330 * Test 0: Callback fails
8331 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8332 * Test 2: Success - SSL_set_SSL_CTX() in the callback
8333 * Test 3: Success - Call SSL_check_chain from the callback
8334 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8336 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
8338 static int test_cert_cb_int(int prot, int tst)
8340 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
8341 SSL *clientssl = NULL, *serverssl = NULL;
8342 int testresult = 0, ret;
8344 #ifdef OPENSSL_NO_EC
8345 /* We use an EC cert in these tests, so we skip in a no-ec build */
8350 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8351 TLS_client_method(),
8354 &sctx, &cctx, NULL, NULL)))
8365 snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
8366 if (!TEST_ptr(snictx))
8370 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
8372 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8378 * We cause SSL_check_chain() to fail by specifying sig_algs that
8379 * the chain doesn't meet (the root uses an RSA cert)
8381 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8382 "ecdsa_secp256r1_sha256")))
8384 } else if (tst == 5) {
8386 * We cause SSL_check_chain() to fail by specifying sig_algs that
8387 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8389 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8390 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8394 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
8395 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
8397 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
8404 SSL_free(serverssl);
8405 SSL_free(clientssl);
8408 SSL_CTX_free(snictx);
8414 static int test_cert_cb(int tst)
8418 #ifndef OPENSSL_NO_TLS1_2
8419 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
8421 #ifndef OSSL_NO_USABLE_TLS1_3
8422 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
8428 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
8433 BIO *priv_in = NULL;
8435 /* Check that SSL_get0_peer_certificate() returns something sensible */
8436 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
8439 in = BIO_new_file(cert, "r");
8443 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
8444 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
8445 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
8446 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
8464 static int test_client_cert_cb(int tst)
8466 SSL_CTX *cctx = NULL, *sctx = NULL;
8467 SSL *clientssl = NULL, *serverssl = NULL;
8470 #ifdef OPENSSL_NO_TLS1_2
8474 #ifdef OSSL_NO_USABLE_TLS1_3
8479 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8480 TLS_client_method(),
8482 tst == 0 ? TLS1_2_VERSION
8484 &sctx, &cctx, cert, privkey)))
8488 * Test that setting a client_cert_cb results in a client certificate being
8491 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
8492 SSL_CTX_set_verify(sctx,
8493 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
8496 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8498 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8505 SSL_free(serverssl);
8506 SSL_free(clientssl);
8513 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8515 * Test setting certificate authorities on both client and server.
8517 * Test 0: SSL_CTX_set0_CA_list() only
8518 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
8519 * Test 2: Only SSL_CTX_set_client_CA_list()
8521 static int test_ca_names_int(int prot, int tst)
8523 SSL_CTX *cctx = NULL, *sctx = NULL;
8524 SSL *clientssl = NULL, *serverssl = NULL;
8527 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
8528 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
8529 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
8530 const STACK_OF(X509_NAME) *sktmp = NULL;
8532 for (i = 0; i < OSSL_NELEM(name); i++) {
8533 name[i] = X509_NAME_new();
8534 if (!TEST_ptr(name[i])
8535 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
8543 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8544 TLS_client_method(),
8547 &sctx, &cctx, cert, privkey)))
8550 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
8552 if (tst == 0 || tst == 1) {
8553 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8554 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
8555 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
8556 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8557 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
8558 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
8561 SSL_CTX_set0_CA_list(sctx, sk1);
8562 SSL_CTX_set0_CA_list(cctx, sk2);
8565 if (tst == 1 || tst == 2) {
8566 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8567 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
8568 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
8569 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8570 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
8571 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
8574 SSL_CTX_set_client_CA_list(sctx, sk1);
8575 SSL_CTX_set_client_CA_list(cctx, sk2);
8579 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8581 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8586 * We only expect certificate authorities to have been sent to the server
8587 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
8589 sktmp = SSL_get0_peer_CA_list(serverssl);
8590 if (prot == TLS1_3_VERSION
8591 && (tst == 0 || tst == 1)) {
8592 if (!TEST_ptr(sktmp)
8593 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8594 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8596 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8599 } else if (!TEST_ptr_null(sktmp)) {
8604 * In all tests we expect certificate authorities to have been sent to the
8605 * client. However, SSL_set_client_CA_list() should override
8606 * SSL_set0_CA_list()
8608 sktmp = SSL_get0_peer_CA_list(clientssl);
8609 if (!TEST_ptr(sktmp)
8610 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8611 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8612 name[tst == 0 ? 0 : 2]), 0)
8613 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8614 name[tst == 0 ? 1 : 3]), 0))
8620 SSL_free(serverssl);
8621 SSL_free(clientssl);
8624 for (i = 0; i < OSSL_NELEM(name); i++)
8625 X509_NAME_free(name[i]);
8626 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
8627 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
8633 static int test_ca_names(int tst)
8637 #ifndef OPENSSL_NO_TLS1_2
8638 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
8640 #ifndef OSSL_NO_USABLE_TLS1_3
8641 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
8647 #ifndef OPENSSL_NO_TLS1_2
8648 static const char *multiblock_cipherlist_data[]=
8656 /* Reduce the fragment size - so the multiblock test buffer can be small */
8657 # define MULTIBLOCK_FRAGSIZE 512
8659 static int test_multiblock_write(int test_index)
8661 static const char *fetchable_ciphers[]=
8663 "AES-128-CBC-HMAC-SHA1",
8664 "AES-128-CBC-HMAC-SHA256",
8665 "AES-256-CBC-HMAC-SHA1",
8666 "AES-256-CBC-HMAC-SHA256"
8668 const char *cipherlist = multiblock_cipherlist_data[test_index];
8669 const SSL_METHOD *smeth = TLS_server_method();
8670 const SSL_METHOD *cmeth = TLS_client_method();
8671 int min_version = TLS1_VERSION;
8672 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
8673 SSL_CTX *cctx = NULL, *sctx = NULL;
8674 SSL *clientssl = NULL, *serverssl = NULL;
8678 * Choose a buffer large enough to perform a multi-block operation
8679 * i.e: write_len >= 4 * frag_size
8680 * 9 * is chosen so that multiple multiblocks are used + some leftover.
8682 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
8683 unsigned char buf[sizeof(msg)], *p = buf;
8684 size_t readbytes, written, len;
8685 EVP_CIPHER *ciph = NULL;
8688 * Check if the cipher exists before attempting to use it since it only has
8689 * a hardware specific implementation.
8691 ciph = EVP_CIPHER_fetch(libctx, fetchable_ciphers[test_index], "");
8693 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
8696 EVP_CIPHER_free(ciph);
8698 /* Set up a buffer with some data that will be sent to the client */
8699 RAND_bytes(msg, sizeof(msg));
8701 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
8702 max_version, &sctx, &cctx, cert,
8706 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
8709 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8713 /* settings to force it to use AES-CBC-HMAC_SHA */
8714 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
8715 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
8718 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8721 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8722 || !TEST_size_t_eq(written, sizeof(msg)))
8727 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
8732 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
8737 SSL_free(serverssl);
8738 SSL_free(clientssl);
8744 #endif /* OPENSSL_NO_TLS1_2 */
8746 static int test_session_timeout(int test)
8749 * Test session ordering and timeout
8750 * Can't explicitly test performance of the new code,
8751 * but can test to see if the ordering of the sessions
8752 * are correct, and they they are removed as expected
8754 SSL_SESSION *early = NULL;
8755 SSL_SESSION *middle = NULL;
8756 SSL_SESSION *late = NULL;
8759 long now = (long)time(NULL);
8762 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
8763 || !TEST_ptr(early = SSL_SESSION_new())
8764 || !TEST_ptr(middle = SSL_SESSION_new())
8765 || !TEST_ptr(late = SSL_SESSION_new()))
8768 /* assign unique session ids */
8769 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8770 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
8771 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8772 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
8773 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8774 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
8776 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8777 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8778 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8781 /* Make sure they are all added */
8782 if (!TEST_ptr(early->prev)
8783 || !TEST_ptr(middle->prev)
8784 || !TEST_ptr(late->prev))
8787 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
8788 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
8789 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
8792 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
8793 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
8794 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
8797 /* Make sure they are all still there */
8798 if (!TEST_ptr(early->prev)
8799 || !TEST_ptr(middle->prev)
8800 || !TEST_ptr(late->prev))
8803 /* Make sure they are in the expected order */
8804 if (!TEST_ptr_eq(late->next, middle)
8805 || !TEST_ptr_eq(middle->next, early)
8806 || !TEST_ptr_eq(early->prev, middle)
8807 || !TEST_ptr_eq(middle->prev, late))
8810 /* This should remove "early" */
8811 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1);
8812 if (!TEST_ptr_null(early->prev)
8813 || !TEST_ptr(middle->prev)
8814 || !TEST_ptr(late->prev))
8817 /* This should remove "middle" */
8818 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1);
8819 if (!TEST_ptr_null(early->prev)
8820 || !TEST_ptr_null(middle->prev)
8821 || !TEST_ptr(late->prev))
8824 /* This should remove "late" */
8825 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11);
8826 if (!TEST_ptr_null(early->prev)
8827 || !TEST_ptr_null(middle->prev)
8828 || !TEST_ptr_null(late->prev))
8831 /* Add them back in again */
8832 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8833 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8834 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8837 /* Make sure they are all added */
8838 if (!TEST_ptr(early->prev)
8839 || !TEST_ptr(middle->prev)
8840 || !TEST_ptr(late->prev))
8843 /* This should remove all of them */
8844 SSL_CTX_flush_sessions(ctx, 0);
8845 if (!TEST_ptr_null(early->prev)
8846 || !TEST_ptr_null(middle->prev)
8847 || !TEST_ptr_null(late->prev))
8850 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
8851 | SSL_CTX_get_session_cache_mode(ctx));
8853 /* make sure |now| is NOT equal to the current time */
8855 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
8856 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8857 || !TEST_long_ne(SSL_SESSION_get_time(early), now))
8863 SSL_SESSION_free(early);
8864 SSL_SESSION_free(middle);
8865 SSL_SESSION_free(late);
8870 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
8871 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
8872 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
8873 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
8874 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
8875 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
8876 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
8877 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
8878 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
8879 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
8881 static int test_servername(int tst)
8883 SSL_CTX *cctx = NULL, *sctx = NULL;
8884 SSL *clientssl = NULL, *serverssl = NULL;
8886 SSL_SESSION *sess = NULL;
8887 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
8889 #ifdef OPENSSL_NO_TLS1_2
8893 #ifdef OSSL_NO_USABLE_TLS1_3
8898 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8899 TLS_client_method(),
8901 (tst <= 4) ? TLS1_2_VERSION
8903 &sctx, &cctx, cert, privkey))
8904 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8908 if (tst != 1 && tst != 6) {
8909 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
8914 if (tst != 3 && tst != 8) {
8915 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
8917 sexpectedhost = cexpectedhost = "goodhost";
8920 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8923 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
8925 || !TEST_str_eq(SSL_get_servername(serverssl,
8926 TLSEXT_NAMETYPE_host_name),
8930 /* Now repeat with a resumption handshake */
8932 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
8933 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
8934 || !TEST_true(SSL_SESSION_is_resumable(sess))
8935 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
8938 SSL_free(clientssl);
8939 SSL_free(serverssl);
8940 clientssl = serverssl = NULL;
8942 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8946 if (!TEST_true(SSL_set_session(clientssl, sess)))
8949 sexpectedhost = cexpectedhost = "goodhost";
8950 if (tst == 2 || tst == 7) {
8951 /* Set an inconsistent hostname */
8952 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
8955 * In TLSv1.2 we expect the hostname from the original handshake, in
8956 * TLSv1.3 we expect the hostname from this handshake
8959 sexpectedhost = cexpectedhost = "altgoodhost";
8961 if (!TEST_str_eq(SSL_get_servername(clientssl,
8962 TLSEXT_NAMETYPE_host_name),
8965 } else if (tst == 4 || tst == 9) {
8967 * A TLSv1.3 session does not associate a session with a servername,
8968 * but a TLSv1.2 session does.
8971 sexpectedhost = cexpectedhost = NULL;
8973 if (!TEST_str_eq(SSL_get_servername(clientssl,
8974 TLSEXT_NAMETYPE_host_name),
8978 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
8981 * In a TLSv1.2 resumption where the hostname was not acknowledged
8982 * we expect the hostname on the server to be empty. On the client we
8983 * return what was requested in this case.
8985 * Similarly if the client didn't set a hostname on an original TLSv1.2
8986 * session but is now, the server hostname will be empty, but the client
8989 if (tst == 1 || tst == 3)
8990 sexpectedhost = NULL;
8992 if (!TEST_str_eq(SSL_get_servername(clientssl,
8993 TLSEXT_NAMETYPE_host_name),
8998 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9001 if (!TEST_true(SSL_session_reused(clientssl))
9002 || !TEST_true(SSL_session_reused(serverssl))
9003 || !TEST_str_eq(SSL_get_servername(clientssl,
9004 TLSEXT_NAMETYPE_host_name),
9006 || !TEST_str_eq(SSL_get_servername(serverssl,
9007 TLSEXT_NAMETYPE_host_name),
9014 SSL_SESSION_free(sess);
9015 SSL_free(serverssl);
9016 SSL_free(clientssl);
9023 #if !defined(OPENSSL_NO_EC) \
9024 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9026 * Test that if signature algorithms are not available, then we do not offer or
9028 * Test 0: Two RSA sig algs available: both RSA sig algs shared
9029 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
9030 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
9031 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
9032 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
9033 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
9035 static int test_sigalgs_available(int idx)
9037 SSL_CTX *cctx = NULL, *sctx = NULL;
9038 SSL *clientssl = NULL, *serverssl = NULL;
9040 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
9041 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
9042 OSSL_PROVIDER *filterprov = NULL;
9045 if (!TEST_ptr(tmpctx))
9048 if (idx != 0 && idx != 3) {
9049 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
9050 filter_provider_init)))
9053 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
9054 if (!TEST_ptr(filterprov))
9059 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
9060 * or accepted for the peer that uses this libctx. Note that libssl
9061 * *requires* SHA2-256 to be available so we cannot disable that. We
9062 * also need SHA1 for our certificate.
9064 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
9068 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
9070 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
9075 if (idx == 1 || idx == 4)
9081 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
9082 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
9083 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
9087 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9088 TLS_client_method(),
9091 &sctx, &cctx, cert, privkey)))
9094 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9095 TLS_client_method(),
9098 &sctx, &cctx, cert2, privkey2)))
9102 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
9104 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9105 "ECDHE-RSA-AES128-GCM-SHA256")))
9108 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9109 "ECDHE-ECDSA-AES128-GCM-SHA256")))
9114 if (!SSL_CTX_set1_sigalgs_list(cctx,
9115 "rsa_pss_rsae_sha384"
9116 ":rsa_pss_rsae_sha256")
9117 || !SSL_CTX_set1_sigalgs_list(sctx,
9118 "rsa_pss_rsae_sha384"
9119 ":rsa_pss_rsae_sha256"))
9122 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
9123 || !SSL_CTX_set1_sigalgs_list(sctx,
9124 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
9129 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
9130 SSL_FILETYPE_PEM), 1)
9131 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
9133 SSL_FILETYPE_PEM), 1)
9134 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
9137 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9141 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9144 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
9145 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
9147 (idx == 0 || idx == 3) ? 2 : 1))
9150 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
9153 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
9157 testresult = filter_provider_check_clean_finish();
9160 SSL_free(serverssl);
9161 SSL_free(clientssl);
9164 OSSL_PROVIDER_unload(filterprov);
9165 OSSL_LIB_CTX_free(tmpctx);
9170 * !defined(OPENSSL_NO_EC) \
9171 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9174 #ifndef OPENSSL_NO_TLS1_3
9175 /* This test can run in TLSv1.3 even if ec and dh are disabled */
9176 static int test_pluggable_group(int idx)
9178 SSL_CTX *cctx = NULL, *sctx = NULL;
9179 SSL *clientssl = NULL, *serverssl = NULL;
9181 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
9182 /* Check that we are not impacted by a provider without any groups */
9183 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
9184 const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
9186 if (!TEST_ptr(tlsprov))
9189 if (legacyprov == NULL) {
9191 * In this case we assume we've been built with "no-legacy" and skip
9192 * this test (there is no OPENSSL_NO_LEGACY)
9198 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9199 TLS_client_method(),
9202 &sctx, &cctx, cert, privkey))
9203 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9207 if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
9208 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
9211 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9214 if (!TEST_str_eq(group_name,
9215 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
9221 SSL_free(serverssl);
9222 SSL_free(clientssl);
9225 OSSL_PROVIDER_unload(tlsprov);
9226 OSSL_PROVIDER_unload(legacyprov);
9232 #ifndef OPENSSL_NO_TLS1_2
9233 static int test_ssl_dup(void)
9235 SSL_CTX *cctx = NULL, *sctx = NULL;
9236 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
9238 BIO *rbio = NULL, *wbio = NULL;
9240 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9241 TLS_client_method(),
9244 &sctx, &cctx, cert, privkey)))
9247 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9251 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
9252 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
9255 client2ssl = SSL_dup(clientssl);
9256 rbio = SSL_get_rbio(clientssl);
9258 || !TEST_true(BIO_up_ref(rbio)))
9260 SSL_set0_rbio(client2ssl, rbio);
9263 wbio = SSL_get_wbio(clientssl);
9264 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
9266 SSL_set0_wbio(client2ssl, wbio);
9269 if (!TEST_ptr(client2ssl)
9270 /* Handshake not started so pointers should be different */
9271 || !TEST_ptr_ne(clientssl, client2ssl))
9274 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
9275 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
9278 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
9281 SSL_free(clientssl);
9282 clientssl = SSL_dup(client2ssl);
9283 if (!TEST_ptr(clientssl)
9284 /* Handshake has finished so pointers should be the same */
9285 || !TEST_ptr_eq(clientssl, client2ssl))
9291 SSL_free(serverssl);
9292 SSL_free(clientssl);
9293 SSL_free(client2ssl);
9300 # ifndef OPENSSL_NO_DH
9302 static EVP_PKEY *tmp_dh_params = NULL;
9304 /* Helper function for the test_set_tmp_dh() tests */
9305 static EVP_PKEY *get_tmp_dh_params(void)
9307 if (tmp_dh_params == NULL) {
9309 OSSL_PARAM_BLD *tmpl = NULL;
9310 EVP_PKEY_CTX *pctx = NULL;
9311 OSSL_PARAM *params = NULL;
9312 EVP_PKEY *dhpkey = NULL;
9314 p = BN_get_rfc3526_prime_2048(NULL);
9318 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
9320 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
9323 tmpl = OSSL_PARAM_BLD_new();
9325 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
9326 OSSL_PKEY_PARAM_FFC_P,
9328 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
9329 OSSL_PKEY_PARAM_FFC_G,
9333 params = OSSL_PARAM_BLD_to_param(tmpl);
9334 if (!TEST_ptr(params)
9335 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
9336 EVP_PKEY_KEY_PARAMETERS,
9340 tmp_dh_params = dhpkey;
9343 EVP_PKEY_CTX_free(pctx);
9344 OSSL_PARAM_BLD_free(tmpl);
9345 OSSL_PARAM_free(params);
9348 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
9351 return tmp_dh_params;
9354 # ifndef OPENSSL_NO_DEPRECATED_3_0
9355 /* Callback used by test_set_tmp_dh() */
9356 static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
9358 EVP_PKEY *dhpkey = get_tmp_dh_params();
9361 if (!TEST_ptr(dhpkey))
9365 * libssl does not free the returned DH, so we free it now knowing that even
9366 * after we free dhpkey, there will still be a reference to the owning
9367 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
9368 * of time we need it for.
9370 ret = EVP_PKEY_get1_DH(dhpkey);
9373 EVP_PKEY_free(dhpkey);
9380 * Test the various methods for setting temporary DH parameters
9382 * Test 0: Default (no auto) setting
9383 * Test 1: Explicit SSL_CTX auto off
9384 * Test 2: Explicit SSL auto off
9385 * Test 3: Explicit SSL_CTX auto on
9386 * Test 4: Explicit SSL auto on
9387 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
9388 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
9390 * The following are testing deprecated APIs, so we only run them if available
9391 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
9392 * Test 8: Explicit SSL auto off, custom DH params via DH
9393 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
9394 * Test 10: Explicit SSL auto off, custom DH params via callback
9396 static int test_set_tmp_dh(int idx)
9398 SSL_CTX *cctx = NULL, *sctx = NULL;
9399 SSL *clientssl = NULL, *serverssl = NULL;
9401 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
9402 int expected = (idx <= 2) ? 0 : 1;
9403 EVP_PKEY *dhpkey = NULL;
9404 # ifndef OPENSSL_NO_DEPRECATED_3_0
9412 if (idx >= 5 && idx <= 8) {
9413 dhpkey = get_tmp_dh_params();
9414 if (!TEST_ptr(dhpkey))
9417 # ifndef OPENSSL_NO_DEPRECATED_3_0
9418 if (idx == 7 || idx == 8) {
9419 dh = EVP_PKEY_get1_DH(dhpkey);
9425 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9426 TLS_client_method(),
9429 &sctx, &cctx, cert, privkey)))
9432 if ((idx & 1) == 1) {
9433 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
9438 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
9442 # ifndef OPENSSL_NO_DEPRECATED_3_0
9443 else if (idx == 7) {
9444 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
9446 } else if (idx == 9) {
9447 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
9451 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9455 if ((idx & 1) == 0 && idx != 0) {
9456 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
9460 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
9464 # ifndef OPENSSL_NO_DEPRECATED_3_0
9465 else if (idx == 8) {
9466 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
9468 } else if (idx == 10) {
9469 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
9473 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9474 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9475 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
9479 * If autoon then we should succeed. Otherwise we expect failure because
9480 * there are no parameters
9482 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
9483 SSL_ERROR_NONE), expected))
9489 # ifndef OPENSSL_NO_DEPRECATED_3_0
9492 SSL_free(serverssl);
9493 SSL_free(clientssl);
9496 EVP_PKEY_free(dhpkey);
9502 * Test the auto DH keys are appropriately sized
9504 static int test_dh_auto(int idx)
9506 SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
9507 SSL_CTX *sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9508 SSL *clientssl = NULL, *serverssl = NULL;
9510 EVP_PKEY *tmpkey = NULL;
9511 char *thiscert = NULL, *thiskey = NULL;
9512 size_t expdhsize = 0;
9513 const char *ciphersuite = "DHE-RSA-AES128-SHA";
9515 if (!TEST_ptr(sctx) || !TEST_ptr(cctx))
9520 /* The FIPS provider doesn't support this DH size - so we ignore it */
9525 thiscert = cert1024;
9526 thiskey = privkey1024;
9528 SSL_CTX_set_security_level(sctx, 1);
9529 SSL_CTX_set_security_level(cctx, 1);
9532 /* 2048 bit prime */
9538 thiscert = cert3072;
9539 thiskey = privkey3072;
9543 thiscert = cert4096;
9544 thiskey = privkey4096;
9548 thiscert = cert8192;
9549 thiskey = privkey8192;
9552 /* No certificate cases */
9554 /* The FIPS provider doesn't support this DH size - so we ignore it */
9559 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
9563 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
9567 TEST_error("Invalid text index");
9571 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL,
9575 &sctx, &cctx, thiscert, thiskey)))
9578 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9582 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
9583 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9584 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9585 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
9586 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
9590 * Send the server's first flight. At this point the server has created the
9591 * temporary DH key but hasn't finished using it yet. Once used it is
9592 * removed, so we cannot test it.
9594 if (!TEST_int_le(SSL_connect(clientssl), 0)
9595 || !TEST_int_le(SSL_accept(serverssl), 0))
9598 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
9600 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
9603 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9609 SSL_free(serverssl);
9610 SSL_free(clientssl);
9613 EVP_PKEY_free(tmpkey);
9618 # endif /* OPENSSL_NO_DH */
9619 #endif /* OPENSSL_NO_TLS1_2 */
9621 #ifndef OSSL_NO_USABLE_TLS1_3
9623 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
9624 * that it works even without a certificate configured for the original
9627 static int test_sni_tls13(void)
9629 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
9630 SSL *clientssl = NULL, *serverssl = NULL;
9633 /* Reset callback counter */
9636 /* Create an initial SSL_CTX with no certificate configured */
9637 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9638 if (!TEST_ptr(sctx))
9640 /* Require TLSv1.3 as a minimum */
9641 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9642 TLS_client_method(), TLS1_3_VERSION, 0,
9643 &sctx2, &cctx, cert, privkey)))
9647 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
9648 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
9652 * Connection should still succeed because the final SSL_CTX has the right
9653 * certificates configured.
9655 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9656 &clientssl, NULL, NULL))
9657 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9661 /* We should have had the SNI callback called exactly once */
9662 if (!TEST_int_eq(snicb, 1))
9668 SSL_free(serverssl);
9669 SSL_free(clientssl);
9670 SSL_CTX_free(sctx2);
9677 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
9681 static int test_ticket_lifetime(int idx)
9683 SSL_CTX *cctx = NULL, *sctx = NULL;
9684 SSL *clientssl = NULL, *serverssl = NULL;
9686 int version = TLS1_3_VERSION;
9688 #define ONE_WEEK_SEC (7 * 24 * 60 * 60)
9689 #define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
9692 #ifdef OPENSSL_NO_TLS1_2
9693 return TEST_skip("TLS 1.2 is disabled.");
9695 version = TLS1_2_VERSION;
9699 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9700 TLS_client_method(), version, version,
9701 &sctx, &cctx, cert, privkey)))
9704 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9705 &clientssl, NULL, NULL)))
9709 * Set the timeout to be more than 1 week
9710 * make sure the returned value is the default
9712 if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
9713 SSL_get_default_timeout(serverssl)))
9716 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9720 /* TLSv1.2 uses the set value */
9721 if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC))
9724 /* TLSv1.3 uses the limited value */
9725 if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC))
9731 SSL_free(serverssl);
9732 SSL_free(clientssl);
9739 * Test that setting an ALPN does not violate RFC
9741 static int test_set_alpn(void)
9743 SSL_CTX *ctx = NULL;
9747 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
9748 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
9749 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
9750 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
9751 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
9752 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
9754 /* Create an initial SSL_CTX with no certificate configured */
9755 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9759 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
9760 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
9762 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
9764 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
9766 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
9768 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
9770 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
9772 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
9774 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
9776 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
9783 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
9785 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
9787 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
9789 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
9791 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
9793 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
9795 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
9797 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
9799 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
9811 * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
9813 static int test_set_verify_cert_store_ssl_ctx(void)
9815 SSL_CTX *ctx = NULL;
9817 X509_STORE *store = NULL, *new_store = NULL,
9818 *cstore = NULL, *new_cstore = NULL;
9820 /* Create an initial SSL_CTX. */
9821 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9825 /* Retrieve verify store pointer. */
9826 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
9829 /* Retrieve chain store pointer. */
9830 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
9833 /* We haven't set any yet, so this should be NULL. */
9834 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9837 /* Create stores. We use separate stores so pointers are different. */
9838 new_store = X509_STORE_new();
9839 if (!TEST_ptr(new_store))
9842 new_cstore = X509_STORE_new();
9843 if (!TEST_ptr(new_cstore))
9847 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store)))
9850 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore)))
9853 /* Should be able to retrieve the same pointer. */
9854 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
9857 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
9860 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
9863 /* Should be able to unset again. */
9864 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL)))
9867 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL)))
9870 /* Should now be NULL. */
9871 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
9874 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
9877 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9883 X509_STORE_free(new_store);
9884 X509_STORE_free(new_cstore);
9890 * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store.
9892 static int test_set_verify_cert_store_ssl(void)
9894 SSL_CTX *ctx = NULL;
9897 X509_STORE *store = NULL, *new_store = NULL,
9898 *cstore = NULL, *new_cstore = NULL;
9900 /* Create an initial SSL_CTX. */
9901 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9905 /* Create an SSL object. */
9910 /* Retrieve verify store pointer. */
9911 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
9914 /* Retrieve chain store pointer. */
9915 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
9918 /* We haven't set any yet, so this should be NULL. */
9919 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9922 /* Create stores. We use separate stores so pointers are different. */
9923 new_store = X509_STORE_new();
9924 if (!TEST_ptr(new_store))
9927 new_cstore = X509_STORE_new();
9928 if (!TEST_ptr(new_cstore))
9932 if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store)))
9935 if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore)))
9938 /* Should be able to retrieve the same pointer. */
9939 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
9942 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
9945 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
9948 /* Should be able to unset again. */
9949 if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL)))
9952 if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL)))
9955 /* Should now be NULL. */
9956 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
9959 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
9962 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9968 X509_STORE_free(new_store);
9969 X509_STORE_free(new_cstore);
9976 static int test_inherit_verify_param(void)
9980 SSL_CTX *ctx = NULL;
9981 X509_VERIFY_PARAM *cp = NULL;
9983 X509_VERIFY_PARAM *sp = NULL;
9984 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
9986 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9990 cp = SSL_CTX_get0_param(ctx);
9993 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
9996 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
10002 sp = SSL_get0_param(ssl);
10005 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
10017 static int test_load_dhfile(void)
10019 #ifndef OPENSSL_NO_DH
10020 int testresult = 0;
10022 SSL_CTX *ctx = NULL;
10023 SSL_CONF_CTX *cctx = NULL;
10025 if (dhfile == NULL)
10028 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()))
10029 || !TEST_ptr(cctx = SSL_CONF_CTX_new()))
10032 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
10033 SSL_CONF_CTX_set_flags(cctx,
10034 SSL_CONF_FLAG_CERTIFICATE
10035 | SSL_CONF_FLAG_SERVER
10036 | SSL_CONF_FLAG_FILE);
10038 if (!TEST_int_eq(SSL_CONF_cmd(cctx, "DHParameters", dhfile), 2))
10043 SSL_CONF_CTX_free(cctx);
10048 return TEST_skip("DH not supported by this build");
10052 #ifndef OSSL_NO_USABLE_TLS1_3
10053 /* Test that read_ahead works across a key change */
10054 static int test_read_ahead_key_change(void)
10056 SSL_CTX *cctx = NULL, *sctx = NULL;
10057 SSL *clientssl = NULL, *serverssl = NULL;
10058 int testresult = 0;
10059 char *msg = "Hello World";
10060 size_t written, readbytes;
10064 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10065 TLS_client_method(), TLS1_3_VERSION, 0,
10066 &sctx, &cctx, cert, privkey)))
10069 SSL_CTX_set_read_ahead(sctx, 1);
10071 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10072 &clientssl, NULL, NULL)))
10075 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10078 /* Write some data, send a key update, write more data */
10079 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10080 || !TEST_size_t_eq(written, strlen(msg)))
10083 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
10086 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10087 || !TEST_size_t_eq(written, strlen(msg)))
10091 * Since read_ahead is on the first read below should read the record with
10092 * the first app data, the second record with the key update message, and
10093 * the third record with the app data all in one go. We should be able to
10094 * still process the read_ahead data correctly even though it crosses
10097 for (i = 0; i < 2; i++) {
10098 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
10102 buf[readbytes] = '\0';
10103 if (!TEST_str_eq(buf, msg))
10110 SSL_free(serverssl);
10111 SSL_free(clientssl);
10112 SSL_CTX_free(sctx);
10113 SSL_CTX_free(cctx);
10117 static size_t record_pad_cb(SSL *s, int type, size_t len, void *arg)
10121 switch ((*called)++) {
10123 /* Add some padding to first record */
10126 /* Maximally pad the second record */
10127 return SSL3_RT_MAX_PLAIN_LENGTH - len;
10130 * Exceeding the maximum padding should be fine. It should just pad to
10131 * the maximum anyway
10133 return SSL3_RT_MAX_PLAIN_LENGTH + 1 - len;
10136 * Very large padding should also be ok. Should just pad to the maximum
10146 * Test that setting record padding in TLSv1.3 works as expected
10147 * Test 0: Record padding callback on the SSL_CTX
10148 * Test 1: Record padding callback on the SSL
10149 * Test 2: Record block padding on the SSL_CTX
10150 * Test 3: Record block padding on the SSL
10152 static int test_tls13_record_padding(int idx)
10154 SSL_CTX *cctx = NULL, *sctx = NULL;
10155 SSL *clientssl = NULL, *serverssl = NULL;
10156 int testresult = 0;
10157 char *msg = "Hello World";
10158 size_t written, readbytes;
10163 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10164 TLS_client_method(), TLS1_3_VERSION, 0,
10165 &sctx, &cctx, cert, privkey)))
10169 SSL_CTX_set_record_padding_callback(cctx, record_pad_cb);
10170 SSL_CTX_set_record_padding_callback_arg(cctx, &called);
10171 if (!TEST_ptr_eq(SSL_CTX_get_record_padding_callback_arg(cctx), &called))
10173 } else if (idx == 2) {
10174 /* Exceeding the max plain length should fail */
10175 if (!TEST_false(SSL_CTX_set_block_padding(cctx,
10176 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
10178 if (!TEST_true(SSL_CTX_set_block_padding(cctx, 512)))
10182 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10183 &clientssl, NULL, NULL)))
10187 SSL_set_record_padding_callback(clientssl, record_pad_cb);
10188 SSL_set_record_padding_callback_arg(clientssl, &called);
10189 if (!TEST_ptr_eq(SSL_get_record_padding_callback_arg(clientssl), &called))
10191 } else if (idx == 3) {
10192 /* Exceeding the max plain length should fail */
10193 if (!TEST_false(SSL_set_block_padding(clientssl,
10194 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
10196 if (!TEST_true(SSL_set_block_padding(clientssl, 512)))
10200 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10205 * Write some data, then check we can read it. Do this four times to check
10206 * we can continue to write and read padded data after the initial record
10207 * padding has been added. We don't actually check that the padding has
10208 * been applied to the record - just that we can continue to communicate
10209 * normally and that the callback has been called (if appropriate).
10211 for (i = 0; i < 4; i++) {
10212 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10213 || !TEST_size_t_eq(written, strlen(msg)))
10216 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
10218 || !TEST_size_t_eq(written, readbytes))
10221 buf[readbytes] = '\0';
10222 if (!TEST_str_eq(buf, msg))
10226 if ((idx == 0 || idx == 1) && !TEST_int_eq(called, 4))
10231 SSL_free(serverssl);
10232 SSL_free(clientssl);
10233 SSL_CTX_free(sctx);
10234 SSL_CTX_free(cctx);
10237 #endif /* OSSL_NO_USABLE_TLS1_3 */
10239 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
10241 * Test TLSv1.2 with a pipeline capable cipher. TLSv1.3 and DTLS do not
10242 * support this yet. The only pipeline capable cipher that we have is in the
10243 * dasync engine (providers don't support this yet), so we have to use
10244 * deprecated APIs for this test.
10246 * Test 0: Client has pipelining enabled, server does not
10247 * Test 1: Server has pipelining enabled, client does not
10248 * Test 2: Client has pipelining enabled, server does not: not enough data to
10249 * fill all the pipelines
10250 * Test 3: Client has pipelining enabled, server does not: not enough data to
10251 * fill all the pipelines by more than a full pipeline's worth
10252 * Test 4: Client has pipelining enabled, server does not: more data than all
10253 * the available pipelines can take
10254 * Test 5: Client has pipelining enabled, server does not: Maximum size pipeline
10256 static int test_pipelining(int idx)
10258 SSL_CTX *cctx = NULL, *sctx = NULL;
10259 SSL *clientssl = NULL, *serverssl = NULL, *peera, *peerb;
10260 int testresult = 0, numreads;
10261 /* A 55 byte message */
10262 unsigned char *msg = (unsigned char *)
10263 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123";
10264 size_t written, readbytes, offset, msglen, fragsize = 10, numpipes = 5;
10265 size_t expectedreads;
10266 unsigned char *buf = NULL;
10269 if (!TEST_ptr(e = ENGINE_by_id("dasync")))
10272 if (!TEST_true(ENGINE_init(e))) {
10277 if (!TEST_true(ENGINE_register_ciphers(e)))
10280 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10281 TLS_client_method(), 0,
10282 TLS1_2_VERSION, &sctx, &cctx, cert,
10286 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10287 &clientssl, NULL, NULL)))
10290 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES128-SHA")))
10293 /* peera is always configured for pipelining, while peerb is not. */
10305 /* Maximum allowed fragment size */
10306 fragsize = SSL3_RT_MAX_PLAIN_LENGTH;
10307 msglen = fragsize * numpipes;
10308 msg = OPENSSL_malloc(msglen);
10309 if (!TEST_ptr(msg))
10311 if (!TEST_int_gt(RAND_bytes_ex(libctx, msg, msglen, 0), 0))
10313 } else if (idx == 4) {
10319 msglen -= 2; /* Send 2 less bytes */
10321 msglen -= 12; /* Send 12 less bytes */
10323 buf = OPENSSL_malloc(msglen);
10324 if (!TEST_ptr(buf))
10329 * Test that setting a split send fragment longer than the maximum
10332 if (!TEST_false(SSL_set_split_send_fragment(peera, fragsize + 1)))
10337 * In the normal case. We have 5 pipelines with 10 bytes per pipeline
10338 * (50 bytes in total). This is a ridiculously small number of bytes -
10339 * but sufficient for our purposes
10341 if (!TEST_true(SSL_set_max_pipelines(peera, numpipes))
10342 || !TEST_true(SSL_set_split_send_fragment(peera, fragsize)))
10345 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10348 /* Write some data from peera to peerb */
10349 if (!TEST_true(SSL_write_ex(peera, msg, msglen, &written))
10350 || !TEST_size_t_eq(written, msglen))
10354 * If the pipelining code worked, then we expect all |numpipes| pipelines to
10355 * have been used - except in test 3 where only |numpipes - 1| pipelines
10356 * will be used. This will result in |numpipes| records (|numpipes - 1| for
10357 * test 3) having been sent to peerb. Since peerb is not using read_ahead we
10358 * expect this to be read in |numpipes| or |numpipes - 1| separate
10359 * SSL_read_ex calls. In the case of test 4, there is then one additional
10360 * read for left over data that couldn't fit in the previous pipelines
10362 for (offset = 0, numreads = 0;
10364 offset += readbytes, numreads++) {
10365 if (!TEST_true(SSL_read_ex(peerb, buf + offset,
10366 msglen - offset, &readbytes)))
10370 expectedreads = idx == 4 ? numpipes + 1
10371 : (idx == 3 ? numpipes - 1 : numpipes);
10372 if (!TEST_mem_eq(msg, msglen, buf, offset)
10373 || !TEST_int_eq(numreads, expectedreads))
10377 * Write some data from peerb to peera. We do this in up to |numpipes + 1|
10378 * chunks to exercise the read pipelining code on peera.
10380 for (offset = 0; offset < msglen; offset += fragsize) {
10381 size_t sendlen = msglen - offset;
10383 if (sendlen > fragsize)
10384 sendlen = fragsize;
10385 if (!TEST_true(SSL_write_ex(peerb, msg + offset, sendlen, &written))
10386 || !TEST_size_t_eq(written, sendlen))
10391 * The data was written in |numpipes|, |numpipes - 1| or |numpipes + 1|
10392 * separate chunks (depending on which test we are running). If the
10393 * pipelining is working then we expect peera to read up to numpipes chunks
10394 * and process them in parallel, giving back the complete result in a single
10395 * call to SSL_read_ex
10397 if (!TEST_true(SSL_read_ex(peera, buf, msglen, &readbytes))
10398 || !TEST_size_t_le(readbytes, msglen))
10404 if (!TEST_true(SSL_read_ex(peera, buf + readbytes,
10405 msglen - readbytes, &readbytes2)))
10407 readbytes += readbytes2;
10408 if (!TEST_size_t_le(readbytes, msglen))
10412 if (!TEST_mem_eq(msg, msglen, buf, readbytes))
10417 SSL_free(serverssl);
10418 SSL_free(clientssl);
10419 SSL_CTX_free(sctx);
10420 SSL_CTX_free(cctx);
10421 ENGINE_unregister_ciphers(e);
10429 #endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) */
10431 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
10433 int setup_tests(void)
10438 libctx = OSSL_LIB_CTX_new();
10439 if (!TEST_ptr(libctx))
10442 defctxnull = OSSL_PROVIDER_load(NULL, "null");
10445 * Verify that the default and fips providers in the default libctx are not
10448 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
10449 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
10452 if (!test_skip_common_options()) {
10453 TEST_error("Error parsing test options\n");
10457 if (!TEST_ptr(certsdir = test_get_argument(0))
10458 || !TEST_ptr(srpvfile = test_get_argument(1))
10459 || !TEST_ptr(tmpfilename = test_get_argument(2))
10460 || !TEST_ptr(modulename = test_get_argument(3))
10461 || !TEST_ptr(configfile = test_get_argument(4))
10462 || !TEST_ptr(dhfile = test_get_argument(5)))
10465 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
10468 /* Check we have the expected provider available */
10469 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
10472 /* Check the default provider is not available */
10473 if (strcmp(modulename, "default") != 0
10474 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
10477 if (strcmp(modulename, "fips") == 0)
10481 * We add, but don't load the test "tls-provider". We'll load it when we
10484 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
10485 tls_provider_init)))
10489 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
10490 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
10491 TEST_error("not supported in this build");
10494 int i, mcount, rcount, fcount;
10496 for (i = 0; i < 4; i++)
10497 test_export_key_mat(i);
10498 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
10499 test_printf_stdout("malloc %d realloc %d free %d\n",
10500 mcount, rcount, fcount);
10505 cert = test_mk_file_path(certsdir, "servercert.pem");
10509 privkey = test_mk_file_path(certsdir, "serverkey.pem");
10510 if (privkey == NULL)
10513 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
10517 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
10518 if (privkey2 == NULL)
10521 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
10522 if (cert1024 == NULL)
10525 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
10526 if (privkey1024 == NULL)
10529 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
10530 if (cert3072 == NULL)
10533 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
10534 if (privkey3072 == NULL)
10537 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
10538 if (cert4096 == NULL)
10541 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
10542 if (privkey4096 == NULL)
10545 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
10546 if (cert8192 == NULL)
10549 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
10550 if (privkey8192 == NULL)
10553 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
10554 # if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
10555 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
10556 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS * 2);
10559 ADD_TEST(test_large_message_tls);
10560 ADD_TEST(test_large_message_tls_read_ahead);
10561 #ifndef OPENSSL_NO_DTLS
10562 ADD_TEST(test_large_message_dtls);
10564 ADD_TEST(test_cleanse_plaintext);
10565 #ifndef OPENSSL_NO_OCSP
10566 ADD_TEST(test_tlsext_status_type);
10568 ADD_TEST(test_session_with_only_int_cache);
10569 ADD_TEST(test_session_with_only_ext_cache);
10570 ADD_TEST(test_session_with_both_cache);
10571 ADD_TEST(test_session_wo_ca_names);
10572 #ifndef OSSL_NO_USABLE_TLS1_3
10573 ADD_ALL_TESTS(test_stateful_tickets, 3);
10574 ADD_ALL_TESTS(test_stateless_tickets, 3);
10575 ADD_TEST(test_psk_tickets);
10576 ADD_ALL_TESTS(test_extra_tickets, 6);
10578 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
10579 ADD_TEST(test_ssl_bio_pop_next_bio);
10580 ADD_TEST(test_ssl_bio_pop_ssl_bio);
10581 ADD_TEST(test_ssl_bio_change_rbio);
10582 ADD_TEST(test_ssl_bio_change_wbio);
10583 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
10584 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
10585 ADD_TEST(test_keylog);
10587 #ifndef OSSL_NO_USABLE_TLS1_3
10588 ADD_TEST(test_keylog_no_master_key);
10590 ADD_TEST(test_client_cert_verify_cb);
10591 ADD_TEST(test_ssl_build_cert_chain);
10592 ADD_TEST(test_ssl_ctx_build_cert_chain);
10593 #ifndef OPENSSL_NO_TLS1_2
10594 ADD_TEST(test_client_hello_cb);
10595 ADD_TEST(test_no_ems);
10596 ADD_TEST(test_ccs_change_cipher);
10598 #ifndef OSSL_NO_USABLE_TLS1_3
10599 ADD_ALL_TESTS(test_early_data_read_write, 3);
10601 * We don't do replay tests for external PSK. Replay protection isn't used
10602 * in that scenario.
10604 ADD_ALL_TESTS(test_early_data_replay, 2);
10605 ADD_ALL_TESTS(test_early_data_skip, 3);
10606 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
10607 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
10608 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
10609 ADD_ALL_TESTS(test_early_data_not_sent, 3);
10610 ADD_ALL_TESTS(test_early_data_psk, 8);
10611 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
10612 ADD_ALL_TESTS(test_early_data_not_expected, 3);
10613 # ifndef OPENSSL_NO_TLS1_2
10614 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
10617 #ifndef OSSL_NO_USABLE_TLS1_3
10618 ADD_ALL_TESTS(test_set_ciphersuite, 10);
10619 ADD_TEST(test_ciphersuite_change);
10620 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
10621 # ifdef OPENSSL_NO_PSK
10622 ADD_ALL_TESTS(test_tls13_psk, 1);
10624 ADD_ALL_TESTS(test_tls13_psk, 4);
10625 # endif /* OPENSSL_NO_PSK */
10626 # ifndef OPENSSL_NO_TLS1_2
10627 /* Test with both TLSv1.3 and 1.2 versions */
10628 ADD_ALL_TESTS(test_key_exchange, 14);
10629 # if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
10630 ADD_ALL_TESTS(test_negotiated_group,
10631 4 * (OSSL_NELEM(ecdhe_kexch_groups)
10632 + OSSL_NELEM(ffdhe_kexch_groups)));
10635 /* Test with only TLSv1.3 versions */
10636 ADD_ALL_TESTS(test_key_exchange, 12);
10638 ADD_ALL_TESTS(test_custom_exts, 6);
10639 ADD_TEST(test_stateless);
10640 ADD_TEST(test_pha_key_update);
10642 ADD_ALL_TESTS(test_custom_exts, 3);
10644 ADD_ALL_TESTS(test_export_key_mat, 6);
10645 #ifndef OSSL_NO_USABLE_TLS1_3
10646 ADD_ALL_TESTS(test_export_key_mat_early, 3);
10647 ADD_TEST(test_key_update);
10648 ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
10649 ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
10650 ADD_ALL_TESTS(test_key_update_local_in_write, 2);
10651 ADD_ALL_TESTS(test_key_update_local_in_read, 2);
10653 ADD_ALL_TESTS(test_ssl_clear, 2);
10654 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
10655 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
10656 ADD_ALL_TESTS(test_srp, 6);
10658 #if !defined(OPENSSL_NO_COMP_ALG)
10659 /* Add compression case */
10660 ADD_ALL_TESTS(test_info_callback, 8);
10662 ADD_ALL_TESTS(test_info_callback, 6);
10664 ADD_ALL_TESTS(test_ssl_pending, 2);
10665 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
10666 ADD_ALL_TESTS(test_ticket_callbacks, 20);
10667 ADD_ALL_TESTS(test_shutdown, 7);
10668 ADD_TEST(test_async_shutdown);
10669 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
10670 ADD_ALL_TESTS(test_cert_cb, 6);
10671 ADD_ALL_TESTS(test_client_cert_cb, 2);
10672 ADD_ALL_TESTS(test_ca_names, 3);
10673 #ifndef OPENSSL_NO_TLS1_2
10674 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
10676 ADD_ALL_TESTS(test_servername, 10);
10677 #if !defined(OPENSSL_NO_EC) \
10678 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
10679 ADD_ALL_TESTS(test_sigalgs_available, 6);
10681 #ifndef OPENSSL_NO_TLS1_3
10682 ADD_ALL_TESTS(test_pluggable_group, 2);
10684 #ifndef OPENSSL_NO_TLS1_2
10685 ADD_TEST(test_ssl_dup);
10686 # ifndef OPENSSL_NO_DH
10687 ADD_ALL_TESTS(test_set_tmp_dh, 11);
10688 ADD_ALL_TESTS(test_dh_auto, 7);
10691 #ifndef OSSL_NO_USABLE_TLS1_3
10692 ADD_TEST(test_sni_tls13);
10693 ADD_ALL_TESTS(test_ticket_lifetime, 2);
10695 ADD_TEST(test_inherit_verify_param);
10696 ADD_TEST(test_set_alpn);
10697 ADD_TEST(test_set_verify_cert_store_ssl_ctx);
10698 ADD_TEST(test_set_verify_cert_store_ssl);
10699 ADD_ALL_TESTS(test_session_timeout, 1);
10700 ADD_TEST(test_load_dhfile);
10701 #ifndef OSSL_NO_USABLE_TLS1_3
10702 ADD_TEST(test_read_ahead_key_change);
10703 ADD_ALL_TESTS(test_tls13_record_padding, 4);
10705 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
10706 ADD_ALL_TESTS(test_serverinfo_custom, 4);
10708 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
10709 ADD_ALL_TESTS(test_pipelining, 6);
10714 OPENSSL_free(cert);
10715 OPENSSL_free(privkey);
10716 OPENSSL_free(cert2);
10717 OPENSSL_free(privkey2);
10721 void cleanup_tests(void)
10723 # if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
10724 EVP_PKEY_free(tmp_dh_params);
10726 OPENSSL_free(cert);
10727 OPENSSL_free(privkey);
10728 OPENSSL_free(cert2);
10729 OPENSSL_free(privkey2);
10730 OPENSSL_free(cert1024);
10731 OPENSSL_free(privkey1024);
10732 OPENSSL_free(cert3072);
10733 OPENSSL_free(privkey3072);
10734 OPENSSL_free(cert4096);
10735 OPENSSL_free(privkey4096);
10736 OPENSSL_free(cert8192);
10737 OPENSSL_free(privkey8192);
10738 bio_s_mempacket_test_free();
10739 bio_s_always_retry_free();
10740 OSSL_PROVIDER_unload(defctxnull);
10741 OSSL_LIB_CTX_free(libctx);