2 * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/core_dispatch.h>
32 #include <openssl/provider.h>
33 #include <openssl/param_build.h>
34 #include <openssl/x509v3.h>
35 #include <openssl/dh.h>
37 #include "helpers/ssltestlib.h"
39 #include "testutil/output.h"
40 #include "internal/nelem.h"
41 #include "internal/ktls.h"
42 #include "../ssl/ssl_local.h"
43 #include "filterprov.h"
45 #undef OSSL_NO_USABLE_TLS1_3
46 #if defined(OPENSSL_NO_TLS1_3) \
47 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
49 * If we don't have ec or dh then there are no built-in groups that are usable
52 # define OSSL_NO_USABLE_TLS1_3
55 /* Defined in tls-provider.c */
56 int tls_provider_init(const OSSL_CORE_HANDLE *handle,
57 const OSSL_DISPATCH *in,
58 const OSSL_DISPATCH **out,
61 static OSSL_LIB_CTX *libctx = NULL;
62 static OSSL_PROVIDER *defctxnull = NULL;
64 #ifndef OSSL_NO_USABLE_TLS1_3
66 static SSL_SESSION *clientpsk = NULL;
67 static SSL_SESSION *serverpsk = NULL;
68 static const char *pskid = "Identity";
69 static const char *srvid;
71 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
72 size_t *idlen, SSL_SESSION **sess);
73 static int find_session_cb(SSL *ssl, const unsigned char *identity,
74 size_t identity_len, SSL_SESSION **sess);
76 static int use_session_cb_cnt = 0;
77 static int find_session_cb_cnt = 0;
79 static SSL_SESSION *create_a_psk(SSL *ssl);
82 static char *certsdir = NULL;
83 static char *cert = NULL;
84 static char *privkey = NULL;
85 static char *cert2 = NULL;
86 static char *privkey2 = NULL;
87 static char *cert1024 = NULL;
88 static char *privkey1024 = NULL;
89 static char *cert3072 = NULL;
90 static char *privkey3072 = NULL;
91 static char *cert4096 = NULL;
92 static char *privkey4096 = NULL;
93 static char *cert8192 = NULL;
94 static char *privkey8192 = NULL;
95 static char *srpvfile = NULL;
96 static char *tmpfilename = NULL;
97 static char *dhfile = NULL;
99 static int is_fips = 0;
101 #define LOG_BUFFER_SIZE 2048
102 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
103 static size_t server_log_buffer_index = 0;
104 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
105 static size_t client_log_buffer_index = 0;
106 static int error_writing_log = 0;
108 #ifndef OPENSSL_NO_OCSP
109 static const unsigned char orespder[] = "Dummy OCSP Response";
110 static int ocsp_server_called = 0;
111 static int ocsp_client_called = 0;
113 static int cdummyarg = 1;
114 static X509 *ocspcert = NULL;
117 #define NUM_EXTRA_CERTS 40
118 #define CLIENT_VERSION_LEN 2
121 * This structure is used to validate that the correct number of log messages
122 * of various types are emitted when emitting secret logs.
124 struct sslapitest_log_counts {
125 unsigned int rsa_key_exchange_count;
126 unsigned int master_secret_count;
127 unsigned int client_early_secret_count;
128 unsigned int client_handshake_secret_count;
129 unsigned int server_handshake_secret_count;
130 unsigned int client_application_secret_count;
131 unsigned int server_application_secret_count;
132 unsigned int early_exporter_secret_count;
133 unsigned int exporter_secret_count;
137 static unsigned char serverinfov1[] = {
138 0xff, 0xff, /* Dummy extension type */
139 0x00, 0x01, /* Extension length is 1 byte */
140 0xff /* Dummy extension data */
143 static unsigned char serverinfov2[] = {
145 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
146 0xff, 0xff, /* Dummy extension type */
147 0x00, 0x01, /* Extension length is 1 byte */
148 0xff /* Dummy extension data */
151 static int hostname_cb(SSL *s, int *al, void *arg)
153 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
155 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
156 || strcmp(hostname, "altgoodhost") == 0))
157 return SSL_TLSEXT_ERR_OK;
159 return SSL_TLSEXT_ERR_NOACK;
162 static void client_keylog_callback(const SSL *ssl, const char *line)
164 int line_length = strlen(line);
166 /* If the log doesn't fit, error out. */
167 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
168 TEST_info("Client log too full");
169 error_writing_log = 1;
173 strcat(client_log_buffer, line);
174 client_log_buffer_index += line_length;
175 client_log_buffer[client_log_buffer_index++] = '\n';
178 static void server_keylog_callback(const SSL *ssl, const char *line)
180 int line_length = strlen(line);
182 /* If the log doesn't fit, error out. */
183 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
184 TEST_info("Server log too full");
185 error_writing_log = 1;
189 strcat(server_log_buffer, line);
190 server_log_buffer_index += line_length;
191 server_log_buffer[server_log_buffer_index++] = '\n';
194 static int compare_hex_encoded_buffer(const char *hex_encoded,
202 if (!TEST_size_t_eq(raw_length * 2, hex_length))
205 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
206 sprintf(hexed, "%02x", raw[i]);
207 if (!TEST_int_eq(hexed[0], hex_encoded[j])
208 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
215 static int test_keylog_output(char *buffer, const SSL *ssl,
216 const SSL_SESSION *session,
217 struct sslapitest_log_counts *expected)
220 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
221 size_t client_random_size = SSL3_RANDOM_SIZE;
222 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
223 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
224 unsigned int rsa_key_exchange_count = 0;
225 unsigned int master_secret_count = 0;
226 unsigned int client_early_secret_count = 0;
227 unsigned int client_handshake_secret_count = 0;
228 unsigned int server_handshake_secret_count = 0;
229 unsigned int client_application_secret_count = 0;
230 unsigned int server_application_secret_count = 0;
231 unsigned int early_exporter_secret_count = 0;
232 unsigned int exporter_secret_count = 0;
234 for (token = strtok(buffer, " \n"); token != NULL;
235 token = strtok(NULL, " \n")) {
236 if (strcmp(token, "RSA") == 0) {
238 * Premaster secret. Tokens should be: 16 ASCII bytes of
239 * hex-encoded encrypted secret, then the hex-encoded pre-master
242 if (!TEST_ptr(token = strtok(NULL, " \n")))
244 if (!TEST_size_t_eq(strlen(token), 16))
246 if (!TEST_ptr(token = strtok(NULL, " \n")))
249 * We can't sensibly check the log because the premaster secret is
250 * transient, and OpenSSL doesn't keep hold of it once the master
251 * secret is generated.
253 rsa_key_exchange_count++;
254 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
256 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
257 * client random, then the hex-encoded master secret.
259 client_random_size = SSL_get_client_random(ssl,
260 actual_client_random,
262 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
265 if (!TEST_ptr(token = strtok(NULL, " \n")))
267 if (!TEST_size_t_eq(strlen(token), 64))
269 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
270 actual_client_random,
271 client_random_size)))
274 if (!TEST_ptr(token = strtok(NULL, " \n")))
276 master_key_size = SSL_SESSION_get_master_key(session,
279 if (!TEST_size_t_ne(master_key_size, 0))
281 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
285 master_secret_count++;
286 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
287 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
288 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
289 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
290 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
291 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
292 || strcmp(token, "EXPORTER_SECRET") == 0) {
294 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
295 * client random, and then the hex-encoded secret. In this case,
296 * we treat all of these secrets identically and then just
297 * distinguish between them when counting what we saw.
299 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
300 client_early_secret_count++;
301 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
302 client_handshake_secret_count++;
303 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
304 server_handshake_secret_count++;
305 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
306 client_application_secret_count++;
307 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
308 server_application_secret_count++;
309 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
310 early_exporter_secret_count++;
311 else if (strcmp(token, "EXPORTER_SECRET") == 0)
312 exporter_secret_count++;
314 client_random_size = SSL_get_client_random(ssl,
315 actual_client_random,
317 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
320 if (!TEST_ptr(token = strtok(NULL, " \n")))
322 if (!TEST_size_t_eq(strlen(token), 64))
324 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
325 actual_client_random,
326 client_random_size)))
329 if (!TEST_ptr(token = strtok(NULL, " \n")))
332 TEST_info("Unexpected token %s\n", token);
337 /* Got what we expected? */
338 if (!TEST_size_t_eq(rsa_key_exchange_count,
339 expected->rsa_key_exchange_count)
340 || !TEST_size_t_eq(master_secret_count,
341 expected->master_secret_count)
342 || !TEST_size_t_eq(client_early_secret_count,
343 expected->client_early_secret_count)
344 || !TEST_size_t_eq(client_handshake_secret_count,
345 expected->client_handshake_secret_count)
346 || !TEST_size_t_eq(server_handshake_secret_count,
347 expected->server_handshake_secret_count)
348 || !TEST_size_t_eq(client_application_secret_count,
349 expected->client_application_secret_count)
350 || !TEST_size_t_eq(server_application_secret_count,
351 expected->server_application_secret_count)
352 || !TEST_size_t_eq(early_exporter_secret_count,
353 expected->early_exporter_secret_count)
354 || !TEST_size_t_eq(exporter_secret_count,
355 expected->exporter_secret_count))
360 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
361 static int test_keylog(void)
363 SSL_CTX *cctx = NULL, *sctx = NULL;
364 SSL *clientssl = NULL, *serverssl = NULL;
366 struct sslapitest_log_counts expected;
368 /* Clean up logging space */
369 memset(&expected, 0, sizeof(expected));
370 memset(client_log_buffer, 0, sizeof(client_log_buffer));
371 memset(server_log_buffer, 0, sizeof(server_log_buffer));
372 client_log_buffer_index = 0;
373 server_log_buffer_index = 0;
374 error_writing_log = 0;
376 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
379 &sctx, &cctx, cert, privkey)))
382 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
383 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
384 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
386 /* We also want to ensure that we use RSA-based key exchange. */
387 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
390 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
391 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
393 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
394 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
395 == client_keylog_callback))
397 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
398 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
399 == server_keylog_callback))
402 /* Now do a handshake and check that the logs have been written to. */
403 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
404 &clientssl, NULL, NULL))
405 || !TEST_true(create_ssl_connection(serverssl, clientssl,
407 || !TEST_false(error_writing_log)
408 || !TEST_int_gt(client_log_buffer_index, 0)
409 || !TEST_int_gt(server_log_buffer_index, 0))
413 * Now we want to test that our output data was vaguely sensible. We
414 * do that by using strtok and confirming that we have more or less the
415 * data we expect. For both client and server, we expect to see one master
416 * secret. The client should also see a RSA key exchange.
418 expected.rsa_key_exchange_count = 1;
419 expected.master_secret_count = 1;
420 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
421 SSL_get_session(clientssl), &expected)))
424 expected.rsa_key_exchange_count = 0;
425 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
426 SSL_get_session(serverssl), &expected)))
441 #ifndef OSSL_NO_USABLE_TLS1_3
442 static int test_keylog_no_master_key(void)
444 SSL_CTX *cctx = NULL, *sctx = NULL;
445 SSL *clientssl = NULL, *serverssl = NULL;
446 SSL_SESSION *sess = NULL;
448 struct sslapitest_log_counts expected;
449 unsigned char buf[1];
450 size_t readbytes, written;
452 /* Clean up logging space */
453 memset(&expected, 0, sizeof(expected));
454 memset(client_log_buffer, 0, sizeof(client_log_buffer));
455 memset(server_log_buffer, 0, sizeof(server_log_buffer));
456 client_log_buffer_index = 0;
457 server_log_buffer_index = 0;
458 error_writing_log = 0;
460 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
461 TLS_client_method(), TLS1_VERSION, 0,
462 &sctx, &cctx, cert, privkey))
463 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
464 SSL3_RT_MAX_PLAIN_LENGTH)))
467 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
468 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
471 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
472 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
473 == client_keylog_callback))
476 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
477 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
478 == server_keylog_callback))
481 /* Now do a handshake and check that the logs have been written to. */
482 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
483 &clientssl, NULL, NULL))
484 || !TEST_true(create_ssl_connection(serverssl, clientssl,
486 || !TEST_false(error_writing_log))
490 * Now we want to test that our output data was vaguely sensible. For this
491 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
492 * TLSv1.3, but we do expect both client and server to emit keys.
494 expected.client_handshake_secret_count = 1;
495 expected.server_handshake_secret_count = 1;
496 expected.client_application_secret_count = 1;
497 expected.server_application_secret_count = 1;
498 expected.exporter_secret_count = 1;
499 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
500 SSL_get_session(clientssl), &expected))
501 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
502 SSL_get_session(serverssl),
506 /* Terminate old session and resume with early data. */
507 sess = SSL_get1_session(clientssl);
508 SSL_shutdown(clientssl);
509 SSL_shutdown(serverssl);
512 serverssl = clientssl = NULL;
515 memset(client_log_buffer, 0, sizeof(client_log_buffer));
516 memset(server_log_buffer, 0, sizeof(server_log_buffer));
517 client_log_buffer_index = 0;
518 server_log_buffer_index = 0;
520 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
521 &clientssl, NULL, NULL))
522 || !TEST_true(SSL_set_session(clientssl, sess))
523 /* Here writing 0 length early data is enough. */
524 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
525 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
527 SSL_READ_EARLY_DATA_ERROR)
528 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
529 SSL_EARLY_DATA_ACCEPTED)
530 || !TEST_true(create_ssl_connection(serverssl, clientssl,
532 || !TEST_true(SSL_session_reused(clientssl)))
535 /* In addition to the previous entries, expect early secrets. */
536 expected.client_early_secret_count = 1;
537 expected.early_exporter_secret_count = 1;
538 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
539 SSL_get_session(clientssl), &expected))
540 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
541 SSL_get_session(serverssl),
548 SSL_SESSION_free(sess);
558 static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
560 int res = X509_verify_cert(ctx);
561 int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
564 /* this should not happen but check anyway */
566 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL)
569 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
570 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
571 /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
572 return SSL_set_retry_verify(ssl);
577 static int test_client_cert_verify_cb(void)
579 /* server key, cert, chain, and root */
580 char *skey = test_mk_file_path(certsdir, "leaf.key");
581 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
582 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
583 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
584 char *root = test_mk_file_path(certsdir, "rootCA.pem");
585 X509 *crt1 = NULL, *crt2 = NULL;
586 STACK_OF(X509) *server_chain;
587 SSL_CTX *cctx = NULL, *sctx = NULL;
588 SSL *clientssl = NULL, *serverssl = NULL;
591 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
592 TLS_client_method(), TLS1_VERSION, 0,
593 &sctx, &cctx, NULL, NULL)))
595 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
596 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
597 SSL_FILETYPE_PEM), 1)
598 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
600 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
602 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
603 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
604 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
605 &clientssl, NULL, NULL)))
608 /* attempt SSL_connect() with incomplete server chain */
609 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
610 SSL_ERROR_WANT_RETRY_VERIFY)))
613 /* application provides intermediate certs needed to verify server cert */
614 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
615 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
616 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
618 /* add certs in reverse order to demonstrate real chain building */
619 if (!TEST_true(sk_X509_push(server_chain, crt1)))
622 if (!TEST_true(sk_X509_push(server_chain, crt2)))
626 /* continue SSL_connect(), must now succeed with completed server chain */
627 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
636 if (clientssl != NULL) {
637 SSL_shutdown(clientssl);
640 if (serverssl != NULL) {
641 SSL_shutdown(serverssl);
656 static int test_ssl_build_cert_chain(void)
659 SSL_CTX *ssl_ctx = NULL;
661 char *skey = test_mk_file_path(certsdir, "leaf.key");
662 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
664 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
666 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
668 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
669 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
670 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
671 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
673 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
674 | SSL_BUILD_CHAIN_FLAG_CHECK)))
679 SSL_CTX_free(ssl_ctx);
680 OPENSSL_free(leaf_chain);
685 static int get_password_cb(char *buf, int size, int rw_flag, void *userdata)
687 static const char pass[] = "testpass";
689 if (!TEST_int_eq(size, PEM_BUFSIZE))
692 memcpy(buf, pass, sizeof(pass) - 1);
693 return sizeof(pass) - 1;
696 static int test_ssl_ctx_build_cert_chain(void)
700 char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key");
701 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
703 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
705 SSL_CTX_set_default_passwd_cb(ctx, get_password_cb);
706 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
707 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
708 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
709 SSL_FILETYPE_PEM), 1)
710 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
712 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
713 | SSL_BUILD_CHAIN_FLAG_CHECK)))
718 OPENSSL_free(leaf_chain);
723 #ifndef OPENSSL_NO_TLS1_2
724 static int full_client_hello_callback(SSL *s, int *al, void *arg)
727 const unsigned char *p;
729 /* We only configure two ciphers, but the SCSV is added automatically. */
731 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
733 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
736 const int expected_extensions[] = {
737 #ifndef OPENSSL_NO_EC
743 /* Make sure we can defer processing and get called back. */
745 return SSL_CLIENT_HELLO_RETRY;
747 len = SSL_client_hello_get0_ciphers(s, &p);
748 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
750 SSL_client_hello_get0_compression_methods(s, &p), 1)
751 || !TEST_int_eq(*p, 0))
752 return SSL_CLIENT_HELLO_ERROR;
753 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
754 return SSL_CLIENT_HELLO_ERROR;
755 if (len != OSSL_NELEM(expected_extensions) ||
756 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
757 printf("ClientHello callback expected extensions mismatch\n");
759 return SSL_CLIENT_HELLO_ERROR;
762 return SSL_CLIENT_HELLO_SUCCESS;
765 static int test_client_hello_cb(void)
767 SSL_CTX *cctx = NULL, *sctx = NULL;
768 SSL *clientssl = NULL, *serverssl = NULL;
769 int testctr = 0, testresult = 0;
771 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
772 TLS_client_method(), TLS1_VERSION, 0,
773 &sctx, &cctx, cert, privkey)))
775 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
777 /* The gimpy cipher list we configure can't do TLS 1.3. */
778 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
780 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
781 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
782 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
783 &clientssl, NULL, NULL))
784 || !TEST_false(create_ssl_connection(serverssl, clientssl,
785 SSL_ERROR_WANT_CLIENT_HELLO_CB))
787 * Passing a -1 literal is a hack since
788 * the real value was lost.
790 || !TEST_int_eq(SSL_get_error(serverssl, -1),
791 SSL_ERROR_WANT_CLIENT_HELLO_CB)
792 || !TEST_true(create_ssl_connection(serverssl, clientssl,
807 static int test_no_ems(void)
809 SSL_CTX *cctx = NULL, *sctx = NULL;
810 SSL *clientssl = NULL, *serverssl = NULL;
813 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
814 TLS1_VERSION, TLS1_2_VERSION,
815 &sctx, &cctx, cert, privkey)) {
816 printf("Unable to create SSL_CTX pair\n");
820 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
822 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
823 printf("Unable to create SSL objects\n");
827 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
828 printf("Creating SSL connection failed\n");
832 if (SSL_get_extms_support(serverssl)) {
833 printf("Server reports Extended Master Secret support\n");
837 if (SSL_get_extms_support(clientssl)) {
838 printf("Client reports Extended Master Secret support\n");
853 * Very focused test to exercise a single case in the server-side state
854 * machine, when the ChangeCipherState message needs to actually change
855 * from one cipher to a different cipher (i.e., not changing from null
856 * encryption to real encryption).
858 static int test_ccs_change_cipher(void)
860 SSL_CTX *cctx = NULL, *sctx = NULL;
861 SSL *clientssl = NULL, *serverssl = NULL;
862 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
869 * Create a connection so we can resume and potentially (but not) use
870 * a different cipher in the second connection.
872 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
874 TLS1_VERSION, TLS1_2_VERSION,
875 &sctx, &cctx, cert, privkey))
876 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
877 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
879 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
880 || !TEST_true(create_ssl_connection(serverssl, clientssl,
882 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
883 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
886 shutdown_ssl_connection(serverssl, clientssl);
887 serverssl = clientssl = NULL;
889 /* Resume, preferring a different cipher. Our server will force the
890 * same cipher to be used as the initial handshake. */
891 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
893 || !TEST_true(SSL_set_session(clientssl, sess))
894 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
895 || !TEST_true(create_ssl_connection(serverssl, clientssl,
897 || !TEST_true(SSL_session_reused(clientssl))
898 || !TEST_true(SSL_session_reused(serverssl))
899 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
900 || !TEST_ptr_eq(sesspre, sesspost)
901 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
902 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
904 shutdown_ssl_connection(serverssl, clientssl);
905 serverssl = clientssl = NULL;
908 * Now create a fresh connection and try to renegotiate a different
911 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
913 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
914 || !TEST_true(create_ssl_connection(serverssl, clientssl,
916 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
917 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
918 || !TEST_true(SSL_renegotiate(clientssl))
919 || !TEST_true(SSL_renegotiate_pending(clientssl)))
921 /* Actually drive the renegotiation. */
922 for (i = 0; i < 3; i++) {
923 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
924 if (!TEST_ulong_eq(readbytes, 0))
926 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
927 SSL_ERROR_WANT_READ)) {
930 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
931 if (!TEST_ulong_eq(readbytes, 0))
933 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
934 SSL_ERROR_WANT_READ)) {
938 /* sesspre and sesspost should be different since the cipher changed. */
939 if (!TEST_false(SSL_renegotiate_pending(clientssl))
940 || !TEST_false(SSL_session_reused(clientssl))
941 || !TEST_false(SSL_session_reused(serverssl))
942 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
943 || !TEST_ptr_ne(sesspre, sesspost)
944 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
945 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
948 shutdown_ssl_connection(serverssl, clientssl);
949 serverssl = clientssl = NULL;
958 SSL_SESSION_free(sess);
964 static int execute_test_large_message(const SSL_METHOD *smeth,
965 const SSL_METHOD *cmeth,
966 int min_version, int max_version,
969 SSL_CTX *cctx = NULL, *sctx = NULL;
970 SSL *clientssl = NULL, *serverssl = NULL;
974 X509 *chaincert = NULL;
977 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
980 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
983 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
988 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
989 max_version, &sctx, &cctx, cert,
993 #ifdef OPENSSL_NO_DTLS1_2
994 if (smeth == DTLS_server_method()) {
996 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
999 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1000 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1001 "DEFAULT:@SECLEVEL=0")))
1008 * Test that read_ahead works correctly when dealing with large
1011 SSL_CTX_set_read_ahead(cctx, 1);
1015 * We assume the supplied certificate is big enough so that if we add
1016 * NUM_EXTRA_CERTS it will make the overall message large enough. The
1017 * default buffer size is requested to be 16k, but due to the way BUF_MEM
1018 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
1019 * test we need to have a message larger than that.
1021 certlen = i2d_X509(chaincert, NULL);
1022 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
1023 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
1024 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
1025 if (!X509_up_ref(chaincert))
1027 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
1028 X509_free(chaincert);
1033 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1035 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1040 * Calling SSL_clear() first is not required but this tests that SSL_clear()
1043 if (!TEST_true(SSL_clear(serverssl)))
1049 X509_free(chaincert);
1050 SSL_free(serverssl);
1051 SSL_free(clientssl);
1058 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
1059 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
1060 /* sock must be connected */
1061 static int ktls_chk_platform(int sock)
1063 if (!ktls_enable(sock))
1068 static int ping_pong_query(SSL *clientssl, SSL *serverssl)
1070 static char count = 1;
1071 unsigned char cbuf[16000] = {0};
1072 unsigned char sbuf[16000];
1074 char crec_wseq_before[SEQ_NUM_SIZE];
1075 char crec_wseq_after[SEQ_NUM_SIZE];
1076 char crec_rseq_before[SEQ_NUM_SIZE];
1077 char crec_rseq_after[SEQ_NUM_SIZE];
1078 char srec_wseq_before[SEQ_NUM_SIZE];
1079 char srec_wseq_after[SEQ_NUM_SIZE];
1080 char srec_rseq_before[SEQ_NUM_SIZE];
1081 char srec_rseq_after[SEQ_NUM_SIZE];
1084 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1085 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1086 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1087 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1089 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1092 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1093 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1098 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1101 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1102 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1107 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1108 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1109 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1110 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1112 /* verify the payload */
1113 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1117 * If ktls is used then kernel sequences are used instead of
1120 if (!BIO_get_ktls_send(clientssl->wbio)) {
1121 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1122 crec_wseq_after, SEQ_NUM_SIZE))
1125 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1126 crec_wseq_after, SEQ_NUM_SIZE))
1130 if (!BIO_get_ktls_send(serverssl->wbio)) {
1131 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1132 srec_wseq_after, SEQ_NUM_SIZE))
1135 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1136 srec_wseq_after, SEQ_NUM_SIZE))
1140 if (!BIO_get_ktls_recv(clientssl->wbio)) {
1141 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1142 crec_rseq_after, SEQ_NUM_SIZE))
1145 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1146 crec_rseq_after, SEQ_NUM_SIZE))
1150 if (!BIO_get_ktls_recv(serverssl->wbio)) {
1151 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1152 srec_rseq_after, SEQ_NUM_SIZE))
1155 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1156 srec_rseq_after, SEQ_NUM_SIZE))
1165 static int execute_test_ktls(int cis_ktls, int sis_ktls,
1166 int tls_version, const char *cipher)
1168 SSL_CTX *cctx = NULL, *sctx = NULL;
1169 SSL *clientssl = NULL, *serverssl = NULL;
1170 int ktls_used = 0, testresult = 0;
1171 int cfd = -1, sfd = -1;
1174 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
1177 /* Skip this test if the platform does not support ktls */
1178 if (!ktls_chk_platform(cfd)) {
1179 testresult = TEST_skip("Kernel does not support KTLS");
1183 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1184 testresult = TEST_skip("CHACHA is not supported in FIPS");
1188 /* Create a session based on SHA-256 */
1189 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1190 TLS_client_method(),
1191 tls_version, tls_version,
1192 &sctx, &cctx, cert, privkey)))
1195 if (tls_version == TLS1_3_VERSION) {
1196 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1197 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1200 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1201 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1205 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1206 &clientssl, sfd, cfd)))
1210 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
1215 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1219 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1223 * The running kernel may not support a given cipher suite
1224 * or direction, so just check that KTLS isn't used when it
1228 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1231 if (BIO_get_ktls_send(clientssl->wbio))
1236 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1239 if (BIO_get_ktls_send(serverssl->wbio))
1243 #if defined(OPENSSL_NO_KTLS_RX)
1248 if (!cis_ktls || !rx_supported) {
1249 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1252 if (BIO_get_ktls_send(clientssl->rbio))
1256 if (!sis_ktls || !rx_supported) {
1257 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1260 if (BIO_get_ktls_send(serverssl->rbio))
1264 if ((cis_ktls || sis_ktls) && !ktls_used) {
1265 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1266 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1271 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
1277 SSL_shutdown(clientssl);
1278 SSL_free(clientssl);
1281 SSL_shutdown(serverssl);
1282 SSL_free(serverssl);
1286 serverssl = clientssl = NULL;
1294 #define SENDFILE_SZ (16 * 4096)
1295 #define SENDFILE_CHUNK (4 * 4096)
1296 #define min(a,b) ((a) > (b) ? (b) : (a))
1298 static int execute_test_ktls_sendfile(int tls_version, const char *cipher)
1300 SSL_CTX *cctx = NULL, *sctx = NULL;
1301 SSL *clientssl = NULL, *serverssl = NULL;
1302 unsigned char *buf, *buf_dst;
1303 BIO *out = NULL, *in = NULL;
1304 int cfd = -1, sfd = -1, ffd, err;
1305 ssize_t chunk_size = 0;
1306 off_t chunk_off = 0;
1310 buf = OPENSSL_zalloc(SENDFILE_SZ);
1311 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1312 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1313 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1316 /* Skip this test if the platform does not support ktls */
1317 if (!ktls_chk_platform(sfd)) {
1318 testresult = TEST_skip("Kernel does not support KTLS");
1322 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1323 testresult = TEST_skip("CHACHA is not supported in FIPS");
1327 /* Create a session based on SHA-256 */
1328 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1329 TLS_client_method(),
1330 tls_version, tls_version,
1331 &sctx, &cctx, cert, privkey)))
1334 if (tls_version == TLS1_3_VERSION) {
1335 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1336 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1339 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1340 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1344 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1345 &clientssl, sfd, cfd)))
1348 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1351 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1355 if (!BIO_get_ktls_send(serverssl->wbio)) {
1356 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1357 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1362 if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
1365 out = BIO_new_file(tmpfilename, "wb");
1369 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1374 in = BIO_new_file(tmpfilename, "rb");
1375 BIO_get_fp(in, &ffdp);
1378 while (chunk_off < SENDFILE_SZ) {
1379 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1380 while ((err = SSL_sendfile(serverssl,
1384 0)) != chunk_size) {
1385 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1388 while ((err = SSL_read(clientssl,
1389 buf_dst + chunk_off,
1390 chunk_size)) != chunk_size) {
1391 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1395 /* verify the payload */
1396 if (!TEST_mem_eq(buf_dst + chunk_off,
1402 chunk_off += chunk_size;
1408 SSL_shutdown(clientssl);
1409 SSL_free(clientssl);
1412 SSL_shutdown(serverssl);
1413 SSL_free(serverssl);
1417 serverssl = clientssl = NULL;
1425 OPENSSL_free(buf_dst);
1429 static struct ktls_test_cipher {
1432 } ktls_test_ciphers[] = {
1433 # if !defined(OPENSSL_NO_TLS1_2)
1434 # ifdef OPENSSL_KTLS_AES_GCM_128
1435 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1437 # ifdef OPENSSL_KTLS_AES_CCM_128
1438 { TLS1_2_VERSION, "AES128-CCM"},
1440 # ifdef OPENSSL_KTLS_AES_GCM_256
1441 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1443 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1444 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
1447 # if !defined(OSSL_NO_USABLE_TLS1_3)
1448 # ifdef OPENSSL_KTLS_AES_GCM_128
1449 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1451 # ifdef OPENSSL_KTLS_AES_CCM_128
1452 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1454 # ifdef OPENSSL_KTLS_AES_GCM_256
1455 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1457 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1458 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1463 #define NUM_KTLS_TEST_CIPHERS \
1464 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1466 static int test_ktls(int test)
1468 struct ktls_test_cipher *cipher;
1469 int cis_ktls, sis_ktls;
1471 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
1472 cipher = &ktls_test_ciphers[test / 4];
1474 cis_ktls = (test & 1) != 0;
1475 sis_ktls = (test & 2) != 0;
1477 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1481 static int test_ktls_sendfile(int tst)
1483 struct ktls_test_cipher *cipher;
1485 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
1486 cipher = &ktls_test_ciphers[tst];
1488 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher);
1492 static int test_large_message_tls(void)
1494 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1495 TLS1_VERSION, 0, 0);
1498 static int test_large_message_tls_read_ahead(void)
1500 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1501 TLS1_VERSION, 0, 1);
1504 #ifndef OPENSSL_NO_DTLS
1505 static int test_large_message_dtls(void)
1507 # ifdef OPENSSL_NO_DTLS1_2
1508 /* Not supported in the FIPS provider */
1513 * read_ahead is not relevant to DTLS because DTLS always acts as if
1514 * read_ahead is set.
1516 return execute_test_large_message(DTLS_server_method(),
1517 DTLS_client_method(),
1518 DTLS1_VERSION, 0, 0);
1522 static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1523 const SSL_METHOD *cmeth,
1524 int min_version, int max_version)
1527 SSL_CTX *cctx = NULL, *sctx = NULL;
1528 SSL *clientssl = NULL, *serverssl = NULL;
1533 static unsigned char cbuf[16000];
1534 static unsigned char sbuf[16000];
1536 if (!TEST_true(create_ssl_ctx_pair(libctx,
1538 min_version, max_version,
1543 #ifdef OPENSSL_NO_DTLS1_2
1544 if (smeth == DTLS_server_method()) {
1545 # ifdef OPENSSL_NO_DTLS1_2
1546 /* Not supported in the FIPS provider */
1553 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1556 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1557 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1558 "DEFAULT:@SECLEVEL=0")))
1563 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1567 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1570 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1574 for (i = 0; i < sizeof(cbuf); i++) {
1578 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1581 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1584 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1588 * Since we called SSL_peek(), we know the data in the record
1589 * layer is a plaintext record. We can gather the pointer to check
1590 * for zeroization after SSL_read().
1592 rr = serverssl->rlayer.rrec;
1593 zbuf = &rr->data[rr->off];
1594 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1598 * After SSL_peek() the plaintext must still be stored in the
1601 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1604 memset(sbuf, 0, sizeof(sbuf));
1605 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1608 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1611 /* Check if rbuf is cleansed */
1612 memset(cbuf, 0, sizeof(cbuf));
1613 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1618 SSL_free(serverssl);
1619 SSL_free(clientssl);
1626 static int test_cleanse_plaintext(void)
1628 #if !defined(OPENSSL_NO_TLS1_2)
1629 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1630 TLS_client_method(),
1637 #if !defined(OSSL_NO_USABLE_TLS1_3)
1638 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1639 TLS_client_method(),
1645 #if !defined(OPENSSL_NO_DTLS)
1647 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1648 DTLS_client_method(),
1656 #ifndef OPENSSL_NO_OCSP
1657 static int ocsp_server_cb(SSL *s, void *arg)
1659 int *argi = (int *)arg;
1660 unsigned char *copy = NULL;
1661 STACK_OF(OCSP_RESPID) *ids = NULL;
1662 OCSP_RESPID *id = NULL;
1665 /* In this test we are expecting exactly 1 OCSP_RESPID */
1666 SSL_get_tlsext_status_ids(s, &ids);
1667 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1668 return SSL_TLSEXT_ERR_ALERT_FATAL;
1670 id = sk_OCSP_RESPID_value(ids, 0);
1671 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1672 return SSL_TLSEXT_ERR_ALERT_FATAL;
1673 } else if (*argi != 1) {
1674 return SSL_TLSEXT_ERR_ALERT_FATAL;
1677 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1678 return SSL_TLSEXT_ERR_ALERT_FATAL;
1680 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1681 sizeof(orespder)))) {
1683 return SSL_TLSEXT_ERR_ALERT_FATAL;
1685 ocsp_server_called = 1;
1686 return SSL_TLSEXT_ERR_OK;
1689 static int ocsp_client_cb(SSL *s, void *arg)
1691 int *argi = (int *)arg;
1692 const unsigned char *respderin;
1695 if (*argi != 1 && *argi != 2)
1698 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1699 if (!TEST_mem_eq(orespder, len, respderin, len))
1702 ocsp_client_called = 1;
1706 static int test_tlsext_status_type(void)
1708 SSL_CTX *cctx = NULL, *sctx = NULL;
1709 SSL *clientssl = NULL, *serverssl = NULL;
1711 STACK_OF(OCSP_RESPID) *ids = NULL;
1712 OCSP_RESPID *id = NULL;
1713 BIO *certbio = NULL;
1715 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1717 &sctx, &cctx, cert, privkey))
1720 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1723 /* First just do various checks getting and setting tlsext_status_type */
1725 clientssl = SSL_new(cctx);
1726 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1727 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1728 TLSEXT_STATUSTYPE_ocsp))
1729 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1730 TLSEXT_STATUSTYPE_ocsp))
1733 SSL_free(clientssl);
1736 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1737 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1740 clientssl = SSL_new(cctx);
1741 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1743 SSL_free(clientssl);
1747 * Now actually do a handshake and check OCSP information is exchanged and
1748 * the callbacks get called
1750 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1751 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1752 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1753 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1754 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1755 &clientssl, NULL, NULL))
1756 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1758 || !TEST_true(ocsp_client_called)
1759 || !TEST_true(ocsp_server_called))
1761 SSL_free(serverssl);
1762 SSL_free(clientssl);
1766 /* Try again but this time force the server side callback to fail */
1767 ocsp_client_called = 0;
1768 ocsp_server_called = 0;
1770 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1771 &clientssl, NULL, NULL))
1772 /* This should fail because the callback will fail */
1773 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1775 || !TEST_false(ocsp_client_called)
1776 || !TEST_false(ocsp_server_called))
1778 SSL_free(serverssl);
1779 SSL_free(clientssl);
1784 * This time we'll get the client to send an OCSP_RESPID that it will
1787 ocsp_client_called = 0;
1788 ocsp_server_called = 0;
1790 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1791 &clientssl, NULL, NULL)))
1795 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1796 * specific one. We'll use the server cert.
1798 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1799 || !TEST_ptr(id = OCSP_RESPID_new())
1800 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1801 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
1802 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
1803 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1804 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1807 SSL_set_tlsext_status_ids(clientssl, ids);
1808 /* Control has been transferred */
1814 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1816 || !TEST_true(ocsp_client_called)
1817 || !TEST_true(ocsp_server_called))
1823 SSL_free(serverssl);
1824 SSL_free(clientssl);
1827 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1828 OCSP_RESPID_free(id);
1830 X509_free(ocspcert);
1837 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1838 static int new_called, remove_called, get_called;
1840 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1844 * sess has been up-refed for us, but we don't actually need it so free it
1847 SSL_SESSION_free(sess);
1851 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1856 static SSL_SESSION *get_sess_val = NULL;
1858 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1863 return get_sess_val;
1866 static int execute_test_session(int maxprot, int use_int_cache,
1867 int use_ext_cache, long s_options)
1869 SSL_CTX *sctx = NULL, *cctx = NULL;
1870 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1871 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1872 # ifndef OPENSSL_NO_TLS1_1
1873 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1875 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1876 int testresult = 0, numnewsesstick = 1;
1878 new_called = remove_called = 0;
1880 /* TLSv1.3 sends 2 NewSessionTickets */
1881 if (maxprot == TLS1_3_VERSION)
1884 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1885 TLS_client_method(), TLS1_VERSION, 0,
1886 &sctx, &cctx, cert, privkey)))
1890 * Only allow the max protocol version so we can force a connection failure
1893 SSL_CTX_set_min_proto_version(cctx, maxprot);
1894 SSL_CTX_set_max_proto_version(cctx, maxprot);
1896 /* Set up session cache */
1897 if (use_ext_cache) {
1898 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1899 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1901 if (use_int_cache) {
1902 /* Also covers instance where both are set */
1903 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1905 SSL_CTX_set_session_cache_mode(cctx,
1906 SSL_SESS_CACHE_CLIENT
1907 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1911 SSL_CTX_set_options(sctx, s_options);
1914 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1916 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1918 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1921 /* Should fail because it should already be in the cache */
1922 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1925 && (!TEST_int_eq(new_called, numnewsesstick)
1927 || !TEST_int_eq(remove_called, 0)))
1930 new_called = remove_called = 0;
1931 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1932 &clientssl2, NULL, NULL))
1933 || !TEST_true(SSL_set_session(clientssl2, sess1))
1934 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1936 || !TEST_true(SSL_session_reused(clientssl2)))
1939 if (maxprot == TLS1_3_VERSION) {
1941 * In TLSv1.3 we should have created a new session even though we have
1942 * resumed. Since we attempted a resume we should also have removed the
1943 * old ticket from the cache so that we try to only use tickets once.
1946 && (!TEST_int_eq(new_called, 1)
1947 || !TEST_int_eq(remove_called, 1)))
1951 * In TLSv1.2 we expect to have resumed so no sessions added or
1955 && (!TEST_int_eq(new_called, 0)
1956 || !TEST_int_eq(remove_called, 0)))
1960 SSL_SESSION_free(sess1);
1961 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1963 shutdown_ssl_connection(serverssl2, clientssl2);
1964 serverssl2 = clientssl2 = NULL;
1966 new_called = remove_called = 0;
1967 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1968 &clientssl2, NULL, NULL))
1969 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1973 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1977 && (!TEST_int_eq(new_called, numnewsesstick)
1978 || !TEST_int_eq(remove_called, 0)))
1981 new_called = remove_called = 0;
1983 * This should clear sess2 from the cache because it is a "bad" session.
1984 * See SSL_set_session() documentation.
1986 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1989 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1991 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1994 if (use_int_cache) {
1995 /* Should succeeded because it should not already be in the cache */
1996 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1997 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
2001 new_called = remove_called = 0;
2002 /* This shouldn't be in the cache so should fail */
2003 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2007 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2010 # if !defined(OPENSSL_NO_TLS1_1)
2011 new_called = remove_called = 0;
2012 /* Force a connection failure */
2013 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
2014 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
2015 &clientssl3, NULL, NULL))
2016 || !TEST_true(SSL_set_session(clientssl3, sess1))
2017 /* This should fail because of the mismatched protocol versions */
2018 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
2022 /* We should have automatically removed the session from the cache */
2024 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2027 /* Should succeed because it should not already be in the cache */
2028 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
2032 /* Now do some tests for server side caching */
2033 if (use_ext_cache) {
2034 SSL_CTX_sess_set_new_cb(cctx, NULL);
2035 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2036 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2037 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2038 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2039 get_sess_val = NULL;
2042 SSL_CTX_set_session_cache_mode(cctx, 0);
2043 /* Internal caching is the default on the server side */
2045 SSL_CTX_set_session_cache_mode(sctx,
2046 SSL_SESS_CACHE_SERVER
2047 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2049 SSL_free(serverssl1);
2050 SSL_free(clientssl1);
2051 serverssl1 = clientssl1 = NULL;
2052 SSL_free(serverssl2);
2053 SSL_free(clientssl2);
2054 serverssl2 = clientssl2 = NULL;
2055 SSL_SESSION_free(sess1);
2057 SSL_SESSION_free(sess2);
2060 SSL_CTX_set_max_proto_version(sctx, maxprot);
2061 if (maxprot == TLS1_2_VERSION)
2062 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
2063 new_called = remove_called = get_called = 0;
2064 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2066 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2068 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2069 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2072 if (use_int_cache) {
2073 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2075 * In TLSv1.3 it should not have been added to the internal cache,
2076 * except in the case where we also have an external cache (in that
2077 * case it gets added to the cache in order to generate remove
2078 * events after timeout).
2080 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2083 /* Should fail because it should already be in the cache */
2084 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2089 if (use_ext_cache) {
2090 SSL_SESSION *tmp = sess2;
2092 if (!TEST_int_eq(new_called, numnewsesstick)
2093 || !TEST_int_eq(remove_called, 0)
2094 || !TEST_int_eq(get_called, 0))
2097 * Delete the session from the internal cache to force a lookup from
2098 * the external cache. We take a copy first because
2099 * SSL_CTX_remove_session() also marks the session as non-resumable.
2101 if (use_int_cache && maxprot != TLS1_3_VERSION) {
2102 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2103 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2105 SSL_SESSION_free(sess2);
2110 new_called = remove_called = get_called = 0;
2111 get_sess_val = sess2;
2112 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2113 &clientssl2, NULL, NULL))
2114 || !TEST_true(SSL_set_session(clientssl2, sess1))
2115 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2117 || !TEST_true(SSL_session_reused(clientssl2)))
2120 if (use_ext_cache) {
2121 if (!TEST_int_eq(remove_called, 0))
2124 if (maxprot == TLS1_3_VERSION) {
2125 if (!TEST_int_eq(new_called, 1)
2126 || !TEST_int_eq(get_called, 0))
2129 if (!TEST_int_eq(new_called, 0)
2130 || !TEST_int_eq(get_called, 1))
2138 SSL_free(serverssl1);
2139 SSL_free(clientssl1);
2140 SSL_free(serverssl2);
2141 SSL_free(clientssl2);
2142 # ifndef OPENSSL_NO_TLS1_1
2143 SSL_free(serverssl3);
2144 SSL_free(clientssl3);
2146 SSL_SESSION_free(sess1);
2147 SSL_SESSION_free(sess2);
2153 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2155 static int test_session_with_only_int_cache(void)
2157 #ifndef OSSL_NO_USABLE_TLS1_3
2158 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
2162 #ifndef OPENSSL_NO_TLS1_2
2163 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
2169 static int test_session_with_only_ext_cache(void)
2171 #ifndef OSSL_NO_USABLE_TLS1_3
2172 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
2176 #ifndef OPENSSL_NO_TLS1_2
2177 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
2183 static int test_session_with_both_cache(void)
2185 #ifndef OSSL_NO_USABLE_TLS1_3
2186 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2190 #ifndef OPENSSL_NO_TLS1_2
2191 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2197 static int test_session_wo_ca_names(void)
2199 #ifndef OSSL_NO_USABLE_TLS1_3
2200 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
2204 #ifndef OPENSSL_NO_TLS1_2
2205 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
2212 #ifndef OSSL_NO_USABLE_TLS1_3
2213 static SSL_SESSION *sesscache[6];
2214 static int do_cache;
2216 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2219 sesscache[new_called] = sess;
2221 /* We don't need the reference to the session, so free it */
2222 SSL_SESSION_free(sess);
2229 static int post_handshake_verify(SSL *sssl, SSL *cssl)
2231 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2232 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2235 /* Start handshake on the server and client */
2236 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2237 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2238 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2239 || !TEST_true(create_ssl_connection(sssl, cssl,
2246 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
2249 int sess_id_ctx = 1;
2251 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2252 TLS_client_method(), TLS1_VERSION, 0,
2253 sctx, cctx, cert, privkey))
2254 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2255 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2256 (void *)&sess_id_ctx,
2257 sizeof(sess_id_ctx))))
2261 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2263 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2264 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2265 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2270 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2272 SSL *serverssl = NULL, *clientssl = NULL;
2275 /* Test that we can resume with all the tickets we got given */
2276 for (i = 0; i < idx * 2; i++) {
2278 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2279 &clientssl, NULL, NULL))
2280 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2283 SSL_set_post_handshake_auth(clientssl, 1);
2285 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2290 * Following a successful resumption we only get 1 ticket. After a
2291 * failed one we should get idx tickets.
2294 if (!TEST_true(SSL_session_reused(clientssl))
2295 || !TEST_int_eq(new_called, 1))
2298 if (!TEST_false(SSL_session_reused(clientssl))
2299 || !TEST_int_eq(new_called, idx))
2304 /* After a post-handshake authentication we should get 1 new ticket */
2306 && (!post_handshake_verify(serverssl, clientssl)
2307 || !TEST_int_eq(new_called, 1)))
2310 SSL_shutdown(clientssl);
2311 SSL_shutdown(serverssl);
2312 SSL_free(serverssl);
2313 SSL_free(clientssl);
2314 serverssl = clientssl = NULL;
2315 SSL_SESSION_free(sesscache[i]);
2316 sesscache[i] = NULL;
2322 SSL_free(clientssl);
2323 SSL_free(serverssl);
2327 static int test_tickets(int stateful, int idx)
2329 SSL_CTX *sctx = NULL, *cctx = NULL;
2330 SSL *serverssl = NULL, *clientssl = NULL;
2334 /* idx is the test number, but also the number of tickets we want */
2339 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2342 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2343 &clientssl, NULL, NULL)))
2346 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2348 /* Check we got the number of tickets we were expecting */
2349 || !TEST_int_eq(idx, new_called))
2352 SSL_shutdown(clientssl);
2353 SSL_shutdown(serverssl);
2354 SSL_free(serverssl);
2355 SSL_free(clientssl);
2358 clientssl = serverssl = NULL;
2362 * Now we try to resume with the tickets we previously created. The
2363 * resumption attempt is expected to fail (because we're now using a new
2364 * SSL_CTX). We should see idx number of tickets issued again.
2367 /* Stop caching sessions - just count them */
2370 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2373 if (!check_resumption(idx, sctx, cctx, 0))
2376 /* Start again with caching sessions */
2383 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2386 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2387 &clientssl, NULL, NULL)))
2390 SSL_set_post_handshake_auth(clientssl, 1);
2392 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2394 /* Check we got the number of tickets we were expecting */
2395 || !TEST_int_eq(idx, new_called))
2398 /* After a post-handshake authentication we should get new tickets issued */
2399 if (!post_handshake_verify(serverssl, clientssl)
2400 || !TEST_int_eq(idx * 2, new_called))
2403 SSL_shutdown(clientssl);
2404 SSL_shutdown(serverssl);
2405 SSL_free(serverssl);
2406 SSL_free(clientssl);
2407 serverssl = clientssl = NULL;
2409 /* Stop caching sessions - just count them */
2413 * Check we can resume with all the tickets we created. This time around the
2414 * resumptions should all be successful.
2416 if (!check_resumption(idx, sctx, cctx, 1))
2422 SSL_free(serverssl);
2423 SSL_free(clientssl);
2424 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2425 SSL_SESSION_free(sesscache[j]);
2426 sesscache[j] = NULL;
2434 static int test_stateless_tickets(int idx)
2436 return test_tickets(0, idx);
2439 static int test_stateful_tickets(int idx)
2441 return test_tickets(1, idx);
2444 static int test_psk_tickets(void)
2446 SSL_CTX *sctx = NULL, *cctx = NULL;
2447 SSL *serverssl = NULL, *clientssl = NULL;
2449 int sess_id_ctx = 1;
2451 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2452 TLS_client_method(), TLS1_VERSION, 0,
2453 &sctx, &cctx, NULL, NULL))
2454 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2455 (void *)&sess_id_ctx,
2456 sizeof(sess_id_ctx))))
2459 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2460 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2461 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2462 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2463 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2464 use_session_cb_cnt = 0;
2465 find_session_cb_cnt = 0;
2469 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2472 clientpsk = serverpsk = create_a_psk(clientssl);
2473 if (!TEST_ptr(clientpsk))
2475 SSL_SESSION_up_ref(clientpsk);
2477 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2479 || !TEST_int_eq(1, find_session_cb_cnt)
2480 || !TEST_int_eq(1, use_session_cb_cnt)
2481 /* We should always get 1 ticket when using external PSK */
2482 || !TEST_int_eq(1, new_called))
2488 SSL_free(serverssl);
2489 SSL_free(clientssl);
2492 SSL_SESSION_free(clientpsk);
2493 SSL_SESSION_free(serverpsk);
2494 clientpsk = serverpsk = NULL;
2499 static int test_extra_tickets(int idx)
2501 SSL_CTX *sctx = NULL, *cctx = NULL;
2502 SSL *serverssl = NULL, *clientssl = NULL;
2503 BIO *bretry = BIO_new(bio_s_always_retry());
2508 unsigned char c, buf[1];
2518 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2520 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2521 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2522 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2524 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2525 &clientssl, NULL, NULL)))
2529 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2530 * incremented by both client and server.
2532 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2534 /* Check we got the number of tickets we were expecting */
2535 || !TEST_int_eq(idx * 2, new_called)
2536 || !TEST_true(SSL_new_session_ticket(serverssl))
2537 || !TEST_true(SSL_new_session_ticket(serverssl))
2538 || !TEST_int_eq(idx * 2, new_called))
2541 /* Now try a (real) write to actually send the tickets */
2543 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2544 || !TEST_size_t_eq(1, nbytes)
2545 || !TEST_int_eq(idx * 2 + 2, new_called)
2546 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2547 || !TEST_int_eq(idx * 2 + 4, new_called)
2548 || !TEST_int_eq(sizeof(buf), nbytes)
2549 || !TEST_int_eq(c, buf[0])
2550 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2553 /* Try with only requesting one new ticket, too */
2556 if (!TEST_true(SSL_new_session_ticket(serverssl))
2557 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2558 || !TEST_size_t_eq(sizeof(c), nbytes)
2559 || !TEST_int_eq(1, new_called)
2560 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2561 || !TEST_int_eq(2, new_called)
2562 || !TEST_size_t_eq(sizeof(buf), nbytes)
2563 || !TEST_int_eq(c, buf[0]))
2566 /* Do it again but use dummy writes to drive the ticket generation */
2569 if (!TEST_true(SSL_new_session_ticket(serverssl))
2570 || !TEST_true(SSL_new_session_ticket(serverssl))
2571 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2572 || !TEST_size_t_eq(0, nbytes)
2573 || !TEST_int_eq(2, new_called)
2574 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2575 || !TEST_int_eq(4, new_called))
2578 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2581 if (!TEST_true(SSL_new_session_ticket(serverssl))
2582 || !TEST_true(SSL_new_session_ticket(serverssl))
2583 || !TEST_true(SSL_do_handshake(serverssl))
2584 || !TEST_int_eq(2, new_called)
2585 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2586 || !TEST_int_eq(4, new_called))
2590 * Use the always-retry BIO to exercise the logic that forces ticket
2591 * generation to wait until a record boundary.
2595 tmp = SSL_get_wbio(serverssl);
2596 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2600 SSL_set0_wbio(serverssl, bretry);
2602 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2603 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2604 || !TEST_size_t_eq(nbytes, 0))
2606 /* Restore a BIO that will let the write succeed */
2607 SSL_set0_wbio(serverssl, tmp);
2610 * These calls should just queue the request and not send anything
2611 * even if we explicitly try to hit the state machine.
2613 if (!TEST_true(SSL_new_session_ticket(serverssl))
2614 || !TEST_true(SSL_new_session_ticket(serverssl))
2615 || !TEST_int_eq(0, new_called)
2616 || !TEST_true(SSL_do_handshake(serverssl))
2617 || !TEST_int_eq(0, new_called))
2619 /* Re-do the write; still no tickets sent */
2620 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2621 || !TEST_size_t_eq(1, nbytes)
2622 || !TEST_int_eq(0, new_called)
2623 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2624 || !TEST_int_eq(0, new_called)
2625 || !TEST_int_eq(sizeof(buf), nbytes)
2626 || !TEST_int_eq(c, buf[0])
2627 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2629 /* Even trying to hit the state machine now will still not send tickets */
2630 if (!TEST_true(SSL_do_handshake(serverssl))
2631 || !TEST_int_eq(0, new_called))
2633 /* Now the *next* write should send the tickets */
2635 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2636 || !TEST_size_t_eq(1, nbytes)
2637 || !TEST_int_eq(2, new_called)
2638 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2639 || !TEST_int_eq(4, new_called)
2640 || !TEST_int_eq(sizeof(buf), nbytes)
2641 || !TEST_int_eq(c, buf[0])
2642 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2645 SSL_shutdown(clientssl);
2646 SSL_shutdown(serverssl);
2652 SSL_free(serverssl);
2653 SSL_free(clientssl);
2656 clientssl = serverssl = NULL;
2665 #define USE_DEFAULT 3
2667 #define CONNTYPE_CONNECTION_SUCCESS 0
2668 #define CONNTYPE_CONNECTION_FAIL 1
2669 #define CONNTYPE_NO_CONNECTION 2
2671 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2672 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2673 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2674 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2676 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2679 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2680 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2681 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2683 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2700 * Tests calls to SSL_set_bio() under various conditions.
2702 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2703 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2704 * then do more tests where we create a successful connection first using our
2705 * standard connection setup functions, and then call SSL_set_bio() with
2706 * various combinations of valid BIOs or NULL. We then repeat these tests
2707 * following a failed connection. In this last case we are looking to check that
2708 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2710 static int test_ssl_set_bio(int idx)
2712 SSL_CTX *sctx = NULL, *cctx = NULL;
2715 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2716 SSL *serverssl = NULL, *clientssl = NULL;
2717 int initrbio, initwbio, newrbio, newwbio, conntype;
2720 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2728 conntype = CONNTYPE_NO_CONNECTION;
2730 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2731 initrbio = initwbio = USE_DEFAULT;
2739 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2740 TLS_client_method(), TLS1_VERSION, 0,
2741 &sctx, &cctx, cert, privkey)))
2744 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2746 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2747 * because we reduced the number of tests in the definition of
2748 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2749 * mismatched protocol versions we will force a connection failure.
2751 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2752 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2755 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2759 if (initrbio == USE_BIO_1
2760 || initwbio == USE_BIO_1
2761 || newrbio == USE_BIO_1
2762 || newwbio == USE_BIO_1) {
2763 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2767 if (initrbio == USE_BIO_2
2768 || initwbio == USE_BIO_2
2769 || newrbio == USE_BIO_2
2770 || newwbio == USE_BIO_2) {
2771 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2775 if (initrbio != USE_DEFAULT) {
2776 setupbio(&irbio, bio1, bio2, initrbio);
2777 setupbio(&iwbio, bio1, bio2, initwbio);
2778 SSL_set_bio(clientssl, irbio, iwbio);
2781 * We want to maintain our own refs to these BIO, so do an up ref for
2782 * each BIO that will have ownership transferred in the SSL_set_bio()
2787 if (iwbio != NULL && iwbio != irbio)
2791 if (conntype != CONNTYPE_NO_CONNECTION
2792 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2794 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2797 setupbio(&nrbio, bio1, bio2, newrbio);
2798 setupbio(&nwbio, bio1, bio2, newwbio);
2801 * We will (maybe) transfer ownership again so do more up refs.
2802 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2807 && (nwbio != iwbio || nrbio != nwbio))
2811 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2814 SSL_set_bio(clientssl, nrbio, nwbio);
2823 * This test is checking that the ref counting for SSL_set_bio is correct.
2824 * If we get here and we did too many frees then we will fail in the above
2827 SSL_free(serverssl);
2828 SSL_free(clientssl);
2834 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
2836 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
2838 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
2843 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
2844 || !TEST_ptr(ssl = SSL_new(ctx))
2845 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2846 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
2849 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2852 * If anything goes wrong here then we could leak memory.
2854 BIO_push(sslbio, membio1);
2856 /* Verify changing the rbio/wbio directly does not cause leaks */
2857 if (change_bio != NO_BIO_CHANGE) {
2858 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
2862 if (change_bio == CHANGE_RBIO)
2863 SSL_set0_rbio(ssl, membio2);
2865 SSL_set0_wbio(ssl, membio2);
2884 static int test_ssl_bio_pop_next_bio(void)
2886 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
2889 static int test_ssl_bio_pop_ssl_bio(void)
2891 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
2894 static int test_ssl_bio_change_rbio(void)
2896 return execute_test_ssl_bio(0, CHANGE_RBIO);
2899 static int test_ssl_bio_change_wbio(void)
2901 return execute_test_ssl_bio(0, CHANGE_WBIO);
2904 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
2906 /* The list of sig algs */
2908 /* The length of the list */
2910 /* A sigalgs list in string format */
2911 const char *liststr;
2912 /* Whether setting the list should succeed */
2914 /* Whether creating a connection with the list should succeed */
2918 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
2919 # ifndef OPENSSL_NO_EC
2920 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2921 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
2923 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2924 static const int invalidlist2[] = {NID_sha256, NID_undef};
2925 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2926 static const int invalidlist4[] = {NID_sha256};
2927 static const sigalgs_list testsigalgs[] = {
2928 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2929 # ifndef OPENSSL_NO_EC
2930 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2931 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2933 {NULL, 0, "RSA+SHA256", 1, 1},
2934 # ifndef OPENSSL_NO_EC
2935 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2936 {NULL, 0, "ECDSA+SHA512", 1, 0},
2938 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2939 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2940 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2941 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2942 {NULL, 0, "RSA", 0, 0},
2943 {NULL, 0, "SHA256", 0, 0},
2944 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2945 {NULL, 0, "Invalid", 0, 0}
2948 static int test_set_sigalgs(int idx)
2950 SSL_CTX *cctx = NULL, *sctx = NULL;
2951 SSL *clientssl = NULL, *serverssl = NULL;
2953 const sigalgs_list *curr;
2956 /* Should never happen */
2957 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
2960 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2961 curr = testctx ? &testsigalgs[idx]
2962 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2964 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2965 TLS_client_method(), TLS1_VERSION, 0,
2966 &sctx, &cctx, cert, privkey)))
2969 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2974 if (curr->list != NULL)
2975 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2977 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2981 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2987 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2992 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2993 &clientssl, NULL, NULL)))
2999 if (curr->list != NULL)
3000 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
3002 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
3005 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
3014 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
3022 SSL_free(serverssl);
3023 SSL_free(clientssl);
3031 #ifndef OSSL_NO_USABLE_TLS1_3
3032 static int psk_client_cb_cnt = 0;
3033 static int psk_server_cb_cnt = 0;
3035 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3036 size_t *idlen, SSL_SESSION **sess)
3038 switch (++use_session_cb_cnt) {
3040 /* The first call should always have a NULL md */
3046 /* The second call should always have an md */
3052 /* We should only be called a maximum of twice */
3056 if (clientpsk != NULL)
3057 SSL_SESSION_up_ref(clientpsk);
3060 *id = (const unsigned char *)pskid;
3061 *idlen = strlen(pskid);
3066 #ifndef OPENSSL_NO_PSK
3067 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3068 unsigned int max_id_len,
3070 unsigned int max_psk_len)
3072 unsigned int psklen = 0;
3074 psk_client_cb_cnt++;
3076 if (strlen(pskid) + 1 > max_id_len)
3079 /* We should only ever be called a maximum of twice per connection */
3080 if (psk_client_cb_cnt > 2)
3083 if (clientpsk == NULL)
3086 /* We'll reuse the PSK we set up for TLSv1.3 */
3087 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3089 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3090 strncpy(id, pskid, max_id_len);
3094 #endif /* OPENSSL_NO_PSK */
3096 static int find_session_cb(SSL *ssl, const unsigned char *identity,
3097 size_t identity_len, SSL_SESSION **sess)
3099 find_session_cb_cnt++;
3101 /* We should only ever be called a maximum of twice per connection */
3102 if (find_session_cb_cnt > 2)
3105 if (serverpsk == NULL)
3108 /* Identity should match that set by the client */
3109 if (strlen(srvid) != identity_len
3110 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3111 /* No PSK found, continue but without a PSK */
3116 SSL_SESSION_up_ref(serverpsk);
3122 #ifndef OPENSSL_NO_PSK
3123 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3124 unsigned char *psk, unsigned int max_psk_len)
3126 unsigned int psklen = 0;
3128 psk_server_cb_cnt++;
3130 /* We should only ever be called a maximum of twice per connection */
3131 if (find_session_cb_cnt > 2)
3134 if (serverpsk == NULL)
3137 /* Identity should match that set by the client */
3138 if (strcmp(srvid, identity) != 0) {
3142 /* We'll reuse the PSK we set up for TLSv1.3 */
3143 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3145 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3149 #endif /* OPENSSL_NO_PSK */
3151 #define MSG1 "Hello"
3152 #define MSG2 "World."
3157 #define MSG7 "message."
3159 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
3160 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3161 #define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3162 #define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3163 #define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
3166 static SSL_SESSION *create_a_psk(SSL *ssl)
3168 const SSL_CIPHER *cipher = NULL;
3169 const unsigned char key[] = {
3170 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3171 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3172 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3173 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3174 0x2c, 0x2d, 0x2e, 0x2f
3176 SSL_SESSION *sess = NULL;
3178 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3179 sess = SSL_SESSION_new();
3181 || !TEST_ptr(cipher)
3182 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
3184 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3186 SSL_SESSION_set_protocol_version(sess,
3188 SSL_SESSION_free(sess);
3195 * Helper method to setup objects for early data test. Caller frees objects on
3198 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3199 SSL **serverssl, SSL_SESSION **sess, int idx)
3202 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3203 TLS_client_method(),
3205 sctx, cctx, cert, privkey)))
3208 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
3212 /* When idx == 1 we repeat the tests with read_ahead set */
3213 SSL_CTX_set_read_ahead(*cctx, 1);
3214 SSL_CTX_set_read_ahead(*sctx, 1);
3215 } else if (idx == 2) {
3216 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3217 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3218 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3219 use_session_cb_cnt = 0;
3220 find_session_cb_cnt = 0;
3224 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
3229 * For one of the run throughs (doesn't matter which one), we'll try sending
3230 * some SNI data in the initial ClientHello. This will be ignored (because
3231 * there is no SNI cb set up by the server), so it should not impact
3235 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3239 clientpsk = create_a_psk(*clientssl);
3240 if (!TEST_ptr(clientpsk)
3242 * We just choose an arbitrary value for max_early_data which
3243 * should be big enough for testing purposes.
3245 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3247 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3248 SSL_SESSION_free(clientpsk);
3252 serverpsk = clientpsk;
3255 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3256 SSL_SESSION_free(clientpsk);
3257 SSL_SESSION_free(serverpsk);
3258 clientpsk = serverpsk = NULL;
3269 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3273 *sess = SSL_get1_session(*clientssl);
3274 SSL_shutdown(*clientssl);
3275 SSL_shutdown(*serverssl);
3276 SSL_free(*serverssl);
3277 SSL_free(*clientssl);
3278 *serverssl = *clientssl = NULL;
3280 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3281 clientssl, NULL, NULL))
3282 || !TEST_true(SSL_set_session(*clientssl, *sess)))
3288 static int test_early_data_read_write(int idx)
3290 SSL_CTX *cctx = NULL, *sctx = NULL;
3291 SSL *clientssl = NULL, *serverssl = NULL;
3293 SSL_SESSION *sess = NULL;
3294 unsigned char buf[20], data[1024];
3295 size_t readbytes, written, eoedlen, rawread, rawwritten;
3298 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3299 &serverssl, &sess, idx)))
3302 /* Write and read some early data */
3303 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3305 || !TEST_size_t_eq(written, strlen(MSG1))
3306 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3307 sizeof(buf), &readbytes),
3308 SSL_READ_EARLY_DATA_SUCCESS)
3309 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3310 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3311 SSL_EARLY_DATA_ACCEPTED))
3315 * Server should be able to write data, and client should be able to
3318 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3320 || !TEST_size_t_eq(written, strlen(MSG2))
3321 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3322 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3325 /* Even after reading normal data, client should be able write early data */
3326 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3328 || !TEST_size_t_eq(written, strlen(MSG3)))
3331 /* Server should still be able read early data after writing data */
3332 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3334 SSL_READ_EARLY_DATA_SUCCESS)
3335 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3338 /* Write more data from server and read it from client */
3339 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3341 || !TEST_size_t_eq(written, strlen(MSG4))
3342 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3343 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3347 * If client writes normal data it should mean writing early data is no
3350 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3351 || !TEST_size_t_eq(written, strlen(MSG5))
3352 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3353 SSL_EARLY_DATA_ACCEPTED))
3357 * At this point the client has written EndOfEarlyData, ClientFinished and
3358 * normal (fully protected) data. We are going to cause a delay between the
3359 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3360 * in the read BIO, and then just put back the EndOfEarlyData message.
3362 rbio = SSL_get_rbio(serverssl);
3363 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3364 || !TEST_size_t_lt(rawread, sizeof(data))
3365 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3368 /* Record length is in the 4th and 5th bytes of the record header */
3369 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3370 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3371 || !TEST_size_t_eq(rawwritten, eoedlen))
3374 /* Server should be told that there is no more early data */
3375 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3377 SSL_READ_EARLY_DATA_FINISH)
3378 || !TEST_size_t_eq(readbytes, 0))
3382 * Server has not finished init yet, so should still be able to write early
3385 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3387 || !TEST_size_t_eq(written, strlen(MSG6)))
3390 /* Push the ClientFinished and the normal data back into the server rbio */
3391 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3393 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3396 /* Server should be able to read normal data */
3397 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3398 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3401 /* Client and server should not be able to write/read early data now */
3402 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3406 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3408 SSL_READ_EARLY_DATA_ERROR))
3412 /* Client should be able to read the data sent by the server */
3413 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3414 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3418 * Make sure we process the two NewSessionTickets. These arrive
3419 * post-handshake. We attempt reads which we do not expect to return any
3422 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3423 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3427 /* Server should be able to write normal data */
3428 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3429 || !TEST_size_t_eq(written, strlen(MSG7))
3430 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3431 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3434 SSL_SESSION_free(sess);
3435 sess = SSL_get1_session(clientssl);
3436 use_session_cb_cnt = 0;
3437 find_session_cb_cnt = 0;
3439 SSL_shutdown(clientssl);
3440 SSL_shutdown(serverssl);
3441 SSL_free(serverssl);
3442 SSL_free(clientssl);
3443 serverssl = clientssl = NULL;
3444 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3445 &clientssl, NULL, NULL))
3446 || !TEST_true(SSL_set_session(clientssl, sess)))
3449 /* Write and read some early data */
3450 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3452 || !TEST_size_t_eq(written, strlen(MSG1))
3453 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3455 SSL_READ_EARLY_DATA_SUCCESS)
3456 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3459 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3460 || !TEST_int_gt(SSL_accept(serverssl), 0))
3463 /* Client and server should not be able to write/read early data now */
3464 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3468 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3470 SSL_READ_EARLY_DATA_ERROR))
3474 /* Client and server should be able to write/read normal data */
3475 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3476 || !TEST_size_t_eq(written, strlen(MSG5))
3477 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3478 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3484 SSL_SESSION_free(sess);
3485 SSL_SESSION_free(clientpsk);
3486 SSL_SESSION_free(serverpsk);
3487 clientpsk = serverpsk = NULL;
3488 SSL_free(serverssl);
3489 SSL_free(clientssl);
3495 static int allow_ed_cb_called = 0;
3497 static int allow_early_data_cb(SSL *s, void *arg)
3499 int *usecb = (int *)arg;
3501 allow_ed_cb_called++;
3510 * idx == 0: Standard early_data setup
3511 * idx == 1: early_data setup using read_ahead
3512 * usecb == 0: Don't use a custom early data callback
3513 * usecb == 1: Use a custom early data callback and reject the early data
3514 * usecb == 2: Use a custom early data callback and accept the early data
3515 * confopt == 0: Configure anti-replay directly
3516 * confopt == 1: Configure anti-replay using SSL_CONF
3518 static int test_early_data_replay_int(int idx, int usecb, int confopt)
3520 SSL_CTX *cctx = NULL, *sctx = NULL;
3521 SSL *clientssl = NULL, *serverssl = NULL;
3523 SSL_SESSION *sess = NULL;
3524 size_t readbytes, written;
3525 unsigned char buf[20];
3527 allow_ed_cb_called = 0;
3529 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3530 TLS_client_method(), TLS1_VERSION, 0,
3531 &sctx, &cctx, cert, privkey)))
3536 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3538 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3540 if (!TEST_ptr(confctx))
3542 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3543 | SSL_CONF_FLAG_SERVER);
3544 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3545 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3547 SSL_CONF_CTX_free(confctx);
3550 SSL_CONF_CTX_free(confctx);
3552 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3555 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3556 &serverssl, &sess, idx)))
3560 * The server is configured to accept early data. Create a connection to
3561 * "use up" the ticket
3563 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3564 || !TEST_true(SSL_session_reused(clientssl)))
3567 SSL_shutdown(clientssl);
3568 SSL_shutdown(serverssl);
3569 SSL_free(serverssl);
3570 SSL_free(clientssl);
3571 serverssl = clientssl = NULL;
3573 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3574 &clientssl, NULL, NULL))
3575 || !TEST_true(SSL_set_session(clientssl, sess)))
3578 /* Write and read some early data */
3579 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3581 || !TEST_size_t_eq(written, strlen(MSG1)))
3585 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3587 SSL_READ_EARLY_DATA_FINISH)
3589 * The ticket was reused, so the we should have rejected the
3592 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3593 SSL_EARLY_DATA_REJECTED))
3596 /* In this case the callback decides to accept the early data */
3597 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3599 SSL_READ_EARLY_DATA_SUCCESS)
3600 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3602 * Server will have sent its flight so client can now send
3603 * end of early data and complete its half of the handshake
3605 || !TEST_int_gt(SSL_connect(clientssl), 0)
3606 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3608 SSL_READ_EARLY_DATA_FINISH)
3609 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3610 SSL_EARLY_DATA_ACCEPTED))
3614 /* Complete the connection */
3615 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3616 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3617 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3623 SSL_SESSION_free(sess);
3624 SSL_SESSION_free(clientpsk);
3625 SSL_SESSION_free(serverpsk);
3626 clientpsk = serverpsk = NULL;
3627 SSL_free(serverssl);
3628 SSL_free(clientssl);
3634 static int test_early_data_replay(int idx)
3636 int ret = 1, usecb, confopt;
3638 for (usecb = 0; usecb < 3; usecb++) {
3639 for (confopt = 0; confopt < 2; confopt++)
3640 ret &= test_early_data_replay_int(idx, usecb, confopt);
3647 * Helper function to test that a server attempting to read early data can
3648 * handle a connection from a client where the early data should be skipped.
3649 * testtype: 0 == No HRR
3650 * testtype: 1 == HRR
3651 * testtype: 2 == HRR, invalid early_data sent after HRR
3652 * testtype: 3 == recv_max_early_data set to 0
3654 static int early_data_skip_helper(int testtype, int idx)
3656 SSL_CTX *cctx = NULL, *sctx = NULL;
3657 SSL *clientssl = NULL, *serverssl = NULL;
3659 SSL_SESSION *sess = NULL;
3660 unsigned char buf[20];
3661 size_t readbytes, written;
3663 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3664 &serverssl, &sess, idx)))
3667 if (testtype == 1 || testtype == 2) {
3668 /* Force an HRR to occur */
3669 #if defined(OPENSSL_NO_EC)
3670 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3673 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3676 } else if (idx == 2) {
3678 * We force early_data rejection by ensuring the PSK identity is
3681 srvid = "Dummy Identity";
3684 * Deliberately corrupt the creation time. We take 20 seconds off the
3685 * time. It could be any value as long as it is not within tolerance.
3686 * This should mean the ticket is rejected.
3688 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3693 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3696 /* Write some early data */
3697 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3699 || !TEST_size_t_eq(written, strlen(MSG1)))
3702 /* Server should reject the early data */
3703 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3705 SSL_READ_EARLY_DATA_FINISH)
3706 || !TEST_size_t_eq(readbytes, 0)
3707 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3708 SSL_EARLY_DATA_REJECTED))
3718 * Finish off the handshake. We perform the same writes and reads as
3719 * further down but we expect them to fail due to the incomplete
3722 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3723 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3730 BIO *wbio = SSL_get_wbio(clientssl);
3731 /* A record that will appear as bad early_data */
3732 const unsigned char bad_early_data[] = {
3733 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3737 * We force the client to attempt a write. This will fail because
3738 * we're still in the handshake. It will cause the second
3739 * ClientHello to be sent.
3741 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3746 * Inject some early_data after the second ClientHello. This should
3747 * cause the server to fail
3749 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3750 sizeof(bad_early_data), &written)))
3757 * This client has sent more early_data than we are willing to skip
3758 * (case 3) or sent invalid early_data (case 2) so the connection should
3761 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3762 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3765 /* Connection has failed - nothing more to do */
3770 TEST_error("Invalid test type");
3775 * Should be able to send normal data despite rejection of early data. The
3776 * early_data should be skipped.
3778 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3779 || !TEST_size_t_eq(written, strlen(MSG2))
3780 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3781 SSL_EARLY_DATA_REJECTED)
3782 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3783 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3789 SSL_SESSION_free(clientpsk);
3790 SSL_SESSION_free(serverpsk);
3791 clientpsk = serverpsk = NULL;
3792 SSL_SESSION_free(sess);
3793 SSL_free(serverssl);
3794 SSL_free(clientssl);
3801 * Test that a server attempting to read early data can handle a connection
3802 * from a client where the early data is not acceptable.
3804 static int test_early_data_skip(int idx)
3806 return early_data_skip_helper(0, idx);
3810 * Test that a server attempting to read early data can handle a connection
3811 * from a client where an HRR occurs.
3813 static int test_early_data_skip_hrr(int idx)
3815 return early_data_skip_helper(1, idx);
3819 * Test that a server attempting to read early data can handle a connection
3820 * from a client where an HRR occurs and correctly fails if early_data is sent
3823 static int test_early_data_skip_hrr_fail(int idx)
3825 return early_data_skip_helper(2, idx);
3829 * Test that a server attempting to read early data will abort if it tries to
3830 * skip over too much.
3832 static int test_early_data_skip_abort(int idx)
3834 return early_data_skip_helper(3, idx);
3838 * Test that a server attempting to read early data can handle a connection
3839 * from a client that doesn't send any.
3841 static int test_early_data_not_sent(int idx)
3843 SSL_CTX *cctx = NULL, *sctx = NULL;
3844 SSL *clientssl = NULL, *serverssl = NULL;
3846 SSL_SESSION *sess = NULL;
3847 unsigned char buf[20];
3848 size_t readbytes, written;
3850 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3851 &serverssl, &sess, idx)))
3854 /* Write some data - should block due to handshake with server */
3855 SSL_set_connect_state(clientssl);
3856 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3859 /* Server should detect that early data has not been sent */
3860 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3862 SSL_READ_EARLY_DATA_FINISH)
3863 || !TEST_size_t_eq(readbytes, 0)
3864 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3865 SSL_EARLY_DATA_NOT_SENT)
3866 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3867 SSL_EARLY_DATA_NOT_SENT))
3870 /* Continue writing the message we started earlier */
3871 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3872 || !TEST_size_t_eq(written, strlen(MSG1))
3873 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3874 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3875 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3876 || !TEST_size_t_eq(written, strlen(MSG2)))
3879 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3880 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3886 SSL_SESSION_free(sess);
3887 SSL_SESSION_free(clientpsk);
3888 SSL_SESSION_free(serverpsk);
3889 clientpsk = serverpsk = NULL;
3890 SSL_free(serverssl);
3891 SSL_free(clientssl);
3897 static const char *servalpn;
3899 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3900 unsigned char *outlen, const unsigned char *in,
3901 unsigned int inlen, void *arg)
3903 unsigned int protlen = 0;
3904 const unsigned char *prot;
3906 for (prot = in; prot < in + inlen; prot += protlen) {
3908 if (in + inlen < prot + protlen)
3909 return SSL_TLSEXT_ERR_NOACK;
3911 if (protlen == strlen(servalpn)
3912 && memcmp(prot, servalpn, protlen) == 0) {
3915 return SSL_TLSEXT_ERR_OK;
3919 return SSL_TLSEXT_ERR_NOACK;
3922 /* Test that a PSK can be used to send early_data */
3923 static int test_early_data_psk(int idx)
3925 SSL_CTX *cctx = NULL, *sctx = NULL;
3926 SSL *clientssl = NULL, *serverssl = NULL;
3928 SSL_SESSION *sess = NULL;
3929 unsigned char alpnlist[] = {
3930 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3933 #define GOODALPNLEN 9
3934 #define BADALPNLEN 8
3935 #define GOODALPN (alpnlist)
3936 #define BADALPN (alpnlist + GOODALPNLEN)
3938 unsigned char buf[20];
3939 size_t readbytes, written;
3940 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3941 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3943 /* We always set this up with a final parameter of "2" for PSK */
3944 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3945 &serverssl, &sess, 2)))
3948 servalpn = "goodalpn";
3951 * Note: There is no test for inconsistent SNI with late client detection.
3952 * This is because servers do not acknowledge SNI even if they are using
3953 * it in a resumption handshake - so it is not actually possible for a
3954 * client to detect a problem.
3958 /* Set inconsistent SNI (early client detection) */
3959 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3960 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3961 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3966 /* Set inconsistent ALPN (early client detection) */
3967 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3968 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3969 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3971 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3978 * Set invalid protocol version. Technically this affects PSKs without
3979 * early_data too, but we test it here because it is similar to the
3980 * SNI/ALPN consistency tests.
3982 err = SSL_R_BAD_PSK;
3983 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3989 * Set inconsistent SNI (server side). In this case the connection
3990 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3991 * is associated with each handshake - not the session. Therefore it
3992 * should not matter that we used a different server name last time.
3994 SSL_SESSION_free(serverpsk);
3995 serverpsk = SSL_SESSION_dup(clientpsk);
3996 if (!TEST_ptr(serverpsk)
3997 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
4001 /* Set consistent SNI */
4002 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4003 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
4004 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
4011 * Set inconsistent ALPN (server detected). In this case the connection
4012 * will succeed but reject early_data.
4014 servalpn = "badalpn";
4015 edstatus = SSL_EARLY_DATA_REJECTED;
4016 readearlyres = SSL_READ_EARLY_DATA_FINISH;
4020 * Set consistent ALPN.
4021 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4022 * accepts a list of protos (each one length prefixed).
4023 * SSL_set1_alpn_selected accepts a single protocol (not length
4026 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4028 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4032 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4036 /* Set inconsistent ALPN (late client detection) */
4037 SSL_SESSION_free(serverpsk);
4038 serverpsk = SSL_SESSION_dup(clientpsk);
4039 if (!TEST_ptr(serverpsk)
4040 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4043 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4046 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4049 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4050 edstatus = SSL_EARLY_DATA_ACCEPTED;
4051 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4052 /* SSL_connect() call should fail */
4057 TEST_error("Bad test index");
4061 SSL_set_connect_state(clientssl);
4063 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4065 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4066 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4069 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4073 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4074 &readbytes), readearlyres)
4075 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4076 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
4077 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4078 || !TEST_int_eq(SSL_connect(clientssl), connectres))
4085 SSL_SESSION_free(sess);
4086 SSL_SESSION_free(clientpsk);
4087 SSL_SESSION_free(serverpsk);
4088 clientpsk = serverpsk = NULL;
4089 SSL_free(serverssl);
4090 SSL_free(clientssl);
4097 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4098 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4099 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4100 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4101 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4102 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4104 static int test_early_data_psk_with_all_ciphers(int idx)
4106 SSL_CTX *cctx = NULL, *sctx = NULL;
4107 SSL *clientssl = NULL, *serverssl = NULL;
4109 SSL_SESSION *sess = NULL;
4110 unsigned char buf[20];
4111 size_t readbytes, written;
4112 const SSL_CIPHER *cipher;
4113 const char *cipher_str[] = {
4114 TLS1_3_RFC_AES_128_GCM_SHA256,
4115 TLS1_3_RFC_AES_256_GCM_SHA384,
4116 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4117 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4121 TLS1_3_RFC_AES_128_CCM_SHA256,
4122 TLS1_3_RFC_AES_128_CCM_8_SHA256
4124 const unsigned char *cipher_bytes[] = {
4125 TLS13_AES_128_GCM_SHA256_BYTES,
4126 TLS13_AES_256_GCM_SHA384_BYTES,
4127 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4128 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4132 TLS13_AES_128_CCM_SHA256_BYTES,
4133 TLS13_AES_128_CCM_8_SHA256_BYTES
4136 if (cipher_str[idx] == NULL)
4138 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4139 if (idx == 2 && is_fips == 1)
4142 /* We always set this up with a final parameter of "2" for PSK */
4143 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4144 &serverssl, &sess, 2)))
4148 /* CCM8 ciphers are considered low security due to their short tag */
4149 SSL_set_security_level(clientssl, 0);
4150 SSL_set_security_level(serverssl, 0);
4153 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4154 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4158 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4159 * and assigns to both client and server with incremented reference
4160 * and the same instance is updated in 'sess'.
4161 * So updating ciphersuite in 'sess' which will get reflected in
4162 * PSK handshake using psk use sess and find sess cb.
4164 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4165 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4168 SSL_set_connect_state(clientssl);
4169 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4173 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4175 SSL_READ_EARLY_DATA_SUCCESS)
4176 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4177 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4178 SSL_EARLY_DATA_ACCEPTED)
4179 || !TEST_int_eq(SSL_connect(clientssl), 1)
4180 || !TEST_int_eq(SSL_accept(serverssl), 1))
4183 /* Send some normal data from client to server */
4184 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4185 || !TEST_size_t_eq(written, strlen(MSG2)))
4188 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4189 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4194 SSL_SESSION_free(sess);
4195 SSL_SESSION_free(clientpsk);
4196 SSL_SESSION_free(serverpsk);
4197 clientpsk = serverpsk = NULL;
4198 if (clientssl != NULL)
4199 SSL_shutdown(clientssl);
4200 if (serverssl != NULL)
4201 SSL_shutdown(serverssl);
4202 SSL_free(serverssl);
4203 SSL_free(clientssl);
4210 * Test that a server that doesn't try to read early data can handle a
4211 * client sending some.
4213 static int test_early_data_not_expected(int idx)
4215 SSL_CTX *cctx = NULL, *sctx = NULL;
4216 SSL *clientssl = NULL, *serverssl = NULL;
4218 SSL_SESSION *sess = NULL;
4219 unsigned char buf[20];
4220 size_t readbytes, written;
4222 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4223 &serverssl, &sess, idx)))
4226 /* Write some early data */
4227 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4232 * Server should skip over early data and then block waiting for client to
4233 * continue handshake
4235 if (!TEST_int_le(SSL_accept(serverssl), 0)
4236 || !TEST_int_gt(SSL_connect(clientssl), 0)
4237 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4238 SSL_EARLY_DATA_REJECTED)
4239 || !TEST_int_gt(SSL_accept(serverssl), 0)
4240 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4241 SSL_EARLY_DATA_REJECTED))
4244 /* Send some normal data from client to server */
4245 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4246 || !TEST_size_t_eq(written, strlen(MSG2)))
4249 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4250 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4256 SSL_SESSION_free(sess);
4257 SSL_SESSION_free(clientpsk);
4258 SSL_SESSION_free(serverpsk);
4259 clientpsk = serverpsk = NULL;
4260 SSL_free(serverssl);
4261 SSL_free(clientssl);
4268 # ifndef OPENSSL_NO_TLS1_2
4270 * Test that a server attempting to read early data can handle a connection
4271 * from a TLSv1.2 client.
4273 static int test_early_data_tls1_2(int idx)
4275 SSL_CTX *cctx = NULL, *sctx = NULL;
4276 SSL *clientssl = NULL, *serverssl = NULL;
4278 unsigned char buf[20];
4279 size_t readbytes, written;
4281 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4282 &serverssl, NULL, idx)))
4285 /* Write some data - should block due to handshake with server */
4286 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4287 SSL_set_connect_state(clientssl);
4288 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4292 * Server should do TLSv1.2 handshake. First it will block waiting for more
4293 * messages from client after ServerDone. Then SSL_read_early_data should
4294 * finish and detect that early data has not been sent
4296 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4298 SSL_READ_EARLY_DATA_ERROR))
4302 * Continue writing the message we started earlier. Will still block waiting
4303 * for the CCS/Finished from server
4305 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4306 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4308 SSL_READ_EARLY_DATA_FINISH)
4309 || !TEST_size_t_eq(readbytes, 0)
4310 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4311 SSL_EARLY_DATA_NOT_SENT))
4314 /* Continue writing the message we started earlier */
4315 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4316 || !TEST_size_t_eq(written, strlen(MSG1))
4317 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4318 SSL_EARLY_DATA_NOT_SENT)
4319 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4320 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4321 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4322 || !TEST_size_t_eq(written, strlen(MSG2))
4323 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4324 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4330 SSL_SESSION_free(clientpsk);
4331 SSL_SESSION_free(serverpsk);
4332 clientpsk = serverpsk = NULL;
4333 SSL_free(serverssl);
4334 SSL_free(clientssl);
4340 # endif /* OPENSSL_NO_TLS1_2 */
4343 * Test configuring the TLSv1.3 ciphersuites
4345 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4346 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4347 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4348 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4349 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4350 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4351 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4352 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4353 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4354 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4356 static int test_set_ciphersuite(int idx)
4358 SSL_CTX *cctx = NULL, *sctx = NULL;
4359 SSL *clientssl = NULL, *serverssl = NULL;
4362 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4363 TLS_client_method(), TLS1_VERSION, 0,
4364 &sctx, &cctx, cert, privkey))
4365 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4366 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4369 if (idx >=4 && idx <= 7) {
4370 /* SSL_CTX explicit cipher list */
4371 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4375 if (idx == 0 || idx == 4) {
4376 /* Default ciphersuite */
4377 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4378 "TLS_AES_128_GCM_SHA256")))
4380 } else if (idx == 1 || idx == 5) {
4381 /* Non default ciphersuite */
4382 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4383 "TLS_AES_128_CCM_SHA256")))
4387 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4388 &clientssl, NULL, NULL)))
4391 if (idx == 8 || idx == 9) {
4392 /* SSL explicit cipher list */
4393 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4397 if (idx == 2 || idx == 6 || idx == 8) {
4398 /* Default ciphersuite */
4399 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4400 "TLS_AES_128_GCM_SHA256")))
4402 } else if (idx == 3 || idx == 7 || idx == 9) {
4403 /* Non default ciphersuite */
4404 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4405 "TLS_AES_128_CCM_SHA256")))
4409 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4415 SSL_free(serverssl);
4416 SSL_free(clientssl);
4423 static int test_ciphersuite_change(void)
4425 SSL_CTX *cctx = NULL, *sctx = NULL;
4426 SSL *clientssl = NULL, *serverssl = NULL;
4427 SSL_SESSION *clntsess = NULL;
4429 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4431 /* Create a session based on SHA-256 */
4432 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4433 TLS_client_method(), TLS1_VERSION, 0,
4434 &sctx, &cctx, cert, privkey))
4435 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4436 "TLS_AES_128_GCM_SHA256:"
4437 "TLS_AES_256_GCM_SHA384:"
4438 "TLS_AES_128_CCM_SHA256"))
4439 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4440 "TLS_AES_128_GCM_SHA256")))
4443 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4445 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4449 clntsess = SSL_get1_session(clientssl);
4450 /* Save for later */
4451 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4452 SSL_shutdown(clientssl);
4453 SSL_shutdown(serverssl);
4454 SSL_free(serverssl);
4455 SSL_free(clientssl);
4456 serverssl = clientssl = NULL;
4458 /* Check we can resume a session with a different SHA-256 ciphersuite */
4459 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4460 "TLS_AES_128_CCM_SHA256"))
4461 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4462 &clientssl, NULL, NULL))
4463 || !TEST_true(SSL_set_session(clientssl, clntsess))
4464 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4466 || !TEST_true(SSL_session_reused(clientssl)))
4469 SSL_SESSION_free(clntsess);
4470 clntsess = SSL_get1_session(clientssl);
4471 SSL_shutdown(clientssl);
4472 SSL_shutdown(serverssl);
4473 SSL_free(serverssl);
4474 SSL_free(clientssl);
4475 serverssl = clientssl = NULL;
4478 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4479 * succeeds but does not resume.
4481 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4482 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4484 || !TEST_true(SSL_set_session(clientssl, clntsess))
4485 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4487 || !TEST_false(SSL_session_reused(clientssl)))
4490 SSL_SESSION_free(clntsess);
4492 SSL_shutdown(clientssl);
4493 SSL_shutdown(serverssl);
4494 SSL_free(serverssl);
4495 SSL_free(clientssl);
4496 serverssl = clientssl = NULL;
4498 /* Create a session based on SHA384 */
4499 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4500 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4501 &clientssl, NULL, NULL))
4502 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4506 clntsess = SSL_get1_session(clientssl);
4507 SSL_shutdown(clientssl);
4508 SSL_shutdown(serverssl);
4509 SSL_free(serverssl);
4510 SSL_free(clientssl);
4511 serverssl = clientssl = NULL;
4513 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4514 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4515 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4516 "TLS_AES_256_GCM_SHA384"))
4517 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4519 || !TEST_true(SSL_set_session(clientssl, clntsess))
4521 * We use SSL_ERROR_WANT_READ below so that we can pause the
4522 * connection after the initial ClientHello has been sent to
4523 * enable us to make some session changes.
4525 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4526 SSL_ERROR_WANT_READ)))
4529 /* Trick the client into thinking this session is for a different digest */
4530 clntsess->cipher = aes_128_gcm_sha256;
4531 clntsess->cipher_id = clntsess->cipher->id;
4534 * Continue the previously started connection. Server has selected a SHA-384
4535 * ciphersuite, but client thinks the session is for SHA-256, so it should
4538 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4540 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4541 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4547 SSL_SESSION_free(clntsess);
4548 SSL_free(serverssl);
4549 SSL_free(clientssl);
4557 * Test TLSv1.3 Key exchange
4558 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4559 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4560 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4561 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4562 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4563 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4564 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4565 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4566 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4567 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4568 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4569 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4570 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4571 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4573 # ifndef OPENSSL_NO_EC
4574 static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4575 NID_secp521r1, NID_X25519, NID_X448};
4577 # ifndef OPENSSL_NO_DH
4578 static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4579 NID_ffdhe6144, NID_ffdhe8192};
4581 static int test_key_exchange(int idx)
4583 SSL_CTX *sctx = NULL, *cctx = NULL;
4584 SSL *serverssl = NULL, *clientssl = NULL;
4587 int *kexch_groups = &kexch_alg;
4588 int kexch_groups_size = 1;
4589 int max_version = TLS1_3_VERSION;
4590 char *kexch_name0 = NULL;
4593 # ifndef OPENSSL_NO_EC
4594 # ifndef OPENSSL_NO_TLS1_2
4596 max_version = TLS1_2_VERSION;
4600 kexch_groups = ecdhe_kexch_groups;
4601 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4602 kexch_name0 = "secp256r1";
4605 kexch_alg = NID_X9_62_prime256v1;
4606 kexch_name0 = "secp256r1";
4609 kexch_alg = NID_secp384r1;
4610 kexch_name0 = "secp384r1";
4613 kexch_alg = NID_secp521r1;
4614 kexch_name0 = "secp521r1";
4617 kexch_alg = NID_X25519;
4618 kexch_name0 = "x25519";
4621 kexch_alg = NID_X448;
4622 kexch_name0 = "x448";
4625 # ifndef OPENSSL_NO_DH
4626 # ifndef OPENSSL_NO_TLS1_2
4628 max_version = TLS1_2_VERSION;
4629 kexch_name0 = "ffdhe2048";
4633 kexch_groups = ffdhe_kexch_groups;
4634 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4635 kexch_name0 = "ffdhe2048";
4638 kexch_alg = NID_ffdhe2048;
4639 kexch_name0 = "ffdhe2048";
4642 kexch_alg = NID_ffdhe3072;
4643 kexch_name0 = "ffdhe3072";
4646 kexch_alg = NID_ffdhe4096;
4647 kexch_name0 = "ffdhe4096";
4650 kexch_alg = NID_ffdhe6144;
4651 kexch_name0 = "ffdhe6144";
4654 kexch_alg = NID_ffdhe8192;
4655 kexch_name0 = "ffdhe8192";
4659 /* We're skipping this test */
4663 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4664 TLS_client_method(), TLS1_VERSION,
4665 max_version, &sctx, &cctx, cert,
4669 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4670 TLS1_3_RFC_AES_128_GCM_SHA256)))
4673 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4674 TLS1_3_RFC_AES_128_GCM_SHA256)))
4677 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4678 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4679 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4680 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4684 * Must include an EC ciphersuite so that we send supported groups in
4687 # ifndef OPENSSL_NO_TLS1_2
4688 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4689 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4690 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4694 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4698 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4699 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4702 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4706 * If Handshake succeeds the negotiated kexch alg should be the first one in
4707 * configured, except in the case of FFDHE groups (idx 13), which are
4708 * TLSv1.3 only so we expect no shared group to exist.
4710 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
4711 idx == 13 ? 0 : kexch_groups[0]))
4714 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
4718 /* We don't implement RFC 7919 named groups for TLS 1.2. */
4720 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4722 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4728 SSL_free(serverssl);
4729 SSL_free(clientssl);
4735 # if !defined(OPENSSL_NO_TLS1_2) \
4736 && !defined(OPENSSL_NO_EC) \
4737 && !defined(OPENSSL_NO_DH)
4738 static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
4739 int isecdhe, int idx)
4742 int *kexch_groups = &kexch_alg;
4745 numec = OSSL_NELEM(ecdhe_kexch_groups);
4746 numff = OSSL_NELEM(ffdhe_kexch_groups);
4748 kexch_alg = ecdhe_kexch_groups[idx];
4750 kexch_alg = ffdhe_kexch_groups[idx];
4753 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
4756 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
4760 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
4765 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
4768 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
4772 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
4781 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
4782 * Run through both the ECDHE and FFDHE group lists used in the previous
4783 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
4784 * confirming the expected result; then perform a resumption handshake
4785 * while offering the same group list, and another resumption handshake
4786 * offering a different group list. The returned value should be the
4787 * negotiated group for the initial handshake; for TLS 1.3 resumption
4788 * handshakes the returned value will be negotiated on the resumption
4789 * handshake itself, but for TLS 1.2 resumption handshakes the value will
4790 * be cached in the session from the original handshake, regardless of what
4791 * was offered in the resumption ClientHello.
4793 * Using E for the number of EC groups and F for the number of FF groups:
4794 * E tests of ECDHE with TLS 1.3, server only has one group
4795 * F tests of FFDHE with TLS 1.3, server only has one group
4796 * E tests of ECDHE with TLS 1.2, server only has one group
4797 * F tests of FFDHE with TLS 1.2, server only has one group
4798 * E tests of ECDHE with TLS 1.3, client sends only one group
4799 * F tests of FFDHE with TLS 1.3, client sends only one group
4800 * E tests of ECDHE with TLS 1.2, client sends only one group
4801 * F tests of FFDHE with TLS 1.2, client sends only one group
4803 static int test_negotiated_group(int idx)
4805 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
4807 SSL_CTX *sctx = NULL, *cctx = NULL;
4808 SSL *serverssl = NULL, *clientssl = NULL;
4809 SSL_SESSION *origsess = NULL;
4812 int max_version = TLS1_3_VERSION;
4814 numec = OSSL_NELEM(ecdhe_kexch_groups);
4815 numff = OSSL_NELEM(ffdhe_kexch_groups);
4816 numgroups = numec + numff;
4817 clientmulti = (idx < 2 * numgroups);
4818 idx = idx % (2 * numgroups);
4819 istls13 = (idx < numgroups);
4820 idx = idx % numgroups;
4821 isecdhe = (idx < numec);
4824 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
4826 kexch_alg = ecdhe_kexch_groups[idx];
4828 kexch_alg = ffdhe_kexch_groups[idx];
4829 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
4830 if (!istls13 && !isecdhe)
4831 expectednid = NID_undef;
4833 expectednid = kexch_alg;
4836 max_version = TLS1_2_VERSION;
4838 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4839 TLS_client_method(), TLS1_VERSION,
4840 max_version, &sctx, &cctx, cert,
4845 * Force (EC)DHE ciphers for TLS 1.2.
4846 * Be sure to enable auto tmp DH so that FFDHE can succeed.
4848 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4849 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4850 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4851 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4853 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4854 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4855 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4858 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4862 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
4866 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4869 /* Initial handshake; always the configured one */
4870 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4871 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4874 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
4877 SSL_shutdown(clientssl);
4878 SSL_shutdown(serverssl);
4879 SSL_free(serverssl);
4880 SSL_free(clientssl);
4881 serverssl = clientssl = NULL;
4883 /* First resumption attempt; use the same config as initial handshake */
4884 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4886 || !TEST_true(SSL_set_session(clientssl, origsess))
4887 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
4891 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4892 || !TEST_true(SSL_session_reused(clientssl)))
4895 /* Still had better agree, since nothing changed... */
4896 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4897 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4900 SSL_shutdown(clientssl);
4901 SSL_shutdown(serverssl);
4902 SSL_free(serverssl);
4903 SSL_free(clientssl);
4904 serverssl = clientssl = NULL;
4907 * Second resumption attempt
4908 * The party that picks one group changes it, which we effectuate by
4909 * changing 'idx' and updating what we expect.
4917 expectednid = ecdhe_kexch_groups[idx];
4919 expectednid = ffdhe_kexch_groups[idx];
4920 /* Verify that we are changing what we expect. */
4921 if (!TEST_int_ne(expectednid, kexch_alg))
4924 /* TLS 1.2 only supports named groups for ECDHE. */
4926 expectednid = kexch_alg;
4930 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4932 || !TEST_true(SSL_set_session(clientssl, origsess))
4933 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
4937 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4938 || !TEST_true(SSL_session_reused(clientssl)))
4941 /* Check that we get what we expected */
4942 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4943 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4948 SSL_free(serverssl);
4949 SSL_free(clientssl);
4952 SSL_SESSION_free(origsess);
4955 # endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
4958 * Test TLSv1.3 Cipher Suite
4959 * Test 0 = Set TLS1.3 cipher on context
4960 * Test 1 = Set TLS1.3 cipher on SSL
4961 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4962 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4964 static int test_tls13_ciphersuite(int idx)
4966 SSL_CTX *sctx = NULL, *cctx = NULL;
4967 SSL *serverssl = NULL, *clientssl = NULL;
4968 static const struct {
4969 const char *ciphername;
4973 { TLS1_3_RFC_AES_128_GCM_SHA256, 1, 0 },
4974 { TLS1_3_RFC_AES_256_GCM_SHA384, 1, 0 },
4975 { TLS1_3_RFC_AES_128_CCM_SHA256, 1, 0 },
4976 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4977 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
4978 { TLS1_3_RFC_AES_256_GCM_SHA384
4979 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
4981 /* CCM8 ciphers are considered low security due to their short tag */
4982 { TLS1_3_RFC_AES_128_CCM_8_SHA256
4983 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1, 1 }
4985 const char *t13_cipher = NULL;
4986 const char *t12_cipher = NULL;
4987 const char *negotiated_scipher;
4988 const char *negotiated_ccipher;
5004 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5008 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5012 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
5013 # ifdef OPENSSL_NO_TLS1_2
5014 if (max_ver == TLS1_2_VERSION)
5017 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
5018 if (is_fips && !t13_ciphers[i].fipscapable)
5020 t13_cipher = t13_ciphers[i].ciphername;
5021 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5022 TLS_client_method(),
5023 TLS1_VERSION, max_ver,
5024 &sctx, &cctx, cert, privkey)))
5027 if (t13_ciphers[i].low_security) {
5028 SSL_CTX_set_security_level(sctx, 0);
5029 SSL_CTX_set_security_level(cctx, 0);
5033 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
5034 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
5036 if (t12_cipher != NULL) {
5037 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
5038 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
5044 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5045 &clientssl, NULL, NULL)))
5049 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5050 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5052 if (t12_cipher != NULL) {
5053 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5054 || !TEST_true(SSL_set_cipher_list(clientssl,
5060 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5064 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5066 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5068 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5072 * TEST_strn_eq is used below because t13_cipher can contain
5073 * multiple ciphersuites
5075 if (max_ver == TLS1_3_VERSION
5076 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5077 strlen(negotiated_scipher)))
5080 # ifndef OPENSSL_NO_TLS1_2
5081 /* Below validation is not done when t12_cipher is NULL */
5082 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5083 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5087 SSL_free(serverssl);
5089 SSL_free(clientssl);
5100 SSL_free(serverssl);
5101 SSL_free(clientssl);
5109 * Test 0 = Test new style callbacks
5110 * Test 1 = Test both new and old style callbacks
5111 * Test 2 = Test old style callbacks
5112 * Test 3 = Test old style callbacks with no certificate
5114 static int test_tls13_psk(int idx)
5116 SSL_CTX *sctx = NULL, *cctx = NULL;
5117 SSL *serverssl = NULL, *clientssl = NULL;
5118 const SSL_CIPHER *cipher = NULL;
5119 const unsigned char key[] = {
5120 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5121 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
5122 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5123 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
5127 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5128 TLS_client_method(), TLS1_VERSION, 0,
5129 &sctx, &cctx, idx == 3 ? NULL : cert,
5130 idx == 3 ? NULL : privkey)))
5135 * We use a ciphersuite with SHA256 to ease testing old style PSK
5136 * callbacks which will always default to SHA256. This should not be
5137 * necessary if we have no cert/priv key. In that case the server should
5138 * prefer SHA256 automatically.
5140 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5141 "TLS_AES_128_GCM_SHA256")))
5145 * As noted above the server should prefer SHA256 automatically. However
5146 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5147 * code works even if we are testing with only the FIPS provider loaded.
5149 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5150 "TLS_AES_256_GCM_SHA384:"
5151 "TLS_AES_128_GCM_SHA256")))
5156 * Test 0: New style callbacks only
5157 * Test 1: New and old style callbacks (only the new ones should be used)
5158 * Test 2: Old style callbacks only
5160 if (idx == 0 || idx == 1) {
5161 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5162 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5164 #ifndef OPENSSL_NO_PSK
5166 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5167 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5171 use_session_cb_cnt = 0;
5172 find_session_cb_cnt = 0;
5173 psk_client_cb_cnt = 0;
5174 psk_server_cb_cnt = 0;
5178 * Check we can create a connection if callback decides not to send a
5181 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5183 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5185 || !TEST_false(SSL_session_reused(clientssl))
5186 || !TEST_false(SSL_session_reused(serverssl)))
5189 if (idx == 0 || idx == 1) {
5190 if (!TEST_true(use_session_cb_cnt == 1)
5191 || !TEST_true(find_session_cb_cnt == 0)
5193 * If no old style callback then below should be 0
5196 || !TEST_true(psk_client_cb_cnt == idx)
5197 || !TEST_true(psk_server_cb_cnt == 0))
5200 if (!TEST_true(use_session_cb_cnt == 0)
5201 || !TEST_true(find_session_cb_cnt == 0)
5202 || !TEST_true(psk_client_cb_cnt == 1)
5203 || !TEST_true(psk_server_cb_cnt == 0))
5207 shutdown_ssl_connection(serverssl, clientssl);
5208 serverssl = clientssl = NULL;
5209 use_session_cb_cnt = psk_client_cb_cnt = 0;
5212 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5216 /* Create the PSK */
5217 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
5218 clientpsk = SSL_SESSION_new();
5219 if (!TEST_ptr(clientpsk)
5220 || !TEST_ptr(cipher)
5221 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5223 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5224 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5226 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
5228 serverpsk = clientpsk;
5230 /* Check we can create a connection and the PSK is used */
5231 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5232 || !TEST_true(SSL_session_reused(clientssl))
5233 || !TEST_true(SSL_session_reused(serverssl)))
5236 if (idx == 0 || idx == 1) {
5237 if (!TEST_true(use_session_cb_cnt == 1)
5238 || !TEST_true(find_session_cb_cnt == 1)
5239 || !TEST_true(psk_client_cb_cnt == 0)
5240 || !TEST_true(psk_server_cb_cnt == 0))
5243 if (!TEST_true(use_session_cb_cnt == 0)
5244 || !TEST_true(find_session_cb_cnt == 0)
5245 || !TEST_true(psk_client_cb_cnt == 1)
5246 || !TEST_true(psk_server_cb_cnt == 1))
5250 shutdown_ssl_connection(serverssl, clientssl);
5251 serverssl = clientssl = NULL;
5252 use_session_cb_cnt = find_session_cb_cnt = 0;
5253 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5255 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5260 #if defined(OPENSSL_NO_EC)
5261 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5264 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
5269 * Check we can create a connection, the PSK is used and the callbacks are
5272 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5273 || !TEST_true(SSL_session_reused(clientssl))
5274 || !TEST_true(SSL_session_reused(serverssl)))
5277 if (idx == 0 || idx == 1) {
5278 if (!TEST_true(use_session_cb_cnt == 2)
5279 || !TEST_true(find_session_cb_cnt == 2)
5280 || !TEST_true(psk_client_cb_cnt == 0)
5281 || !TEST_true(psk_server_cb_cnt == 0))
5284 if (!TEST_true(use_session_cb_cnt == 0)
5285 || !TEST_true(find_session_cb_cnt == 0)
5286 || !TEST_true(psk_client_cb_cnt == 2)
5287 || !TEST_true(psk_server_cb_cnt == 2))
5291 shutdown_ssl_connection(serverssl, clientssl);
5292 serverssl = clientssl = NULL;
5293 use_session_cb_cnt = find_session_cb_cnt = 0;
5294 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5298 * Check that if the server rejects the PSK we can still connect, but with
5301 srvid = "Dummy Identity";
5302 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5304 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5306 || !TEST_false(SSL_session_reused(clientssl))
5307 || !TEST_false(SSL_session_reused(serverssl)))
5310 if (idx == 0 || idx == 1) {
5311 if (!TEST_true(use_session_cb_cnt == 1)
5312 || !TEST_true(find_session_cb_cnt == 1)
5313 || !TEST_true(psk_client_cb_cnt == 0)
5315 * If no old style callback then below should be 0
5318 || !TEST_true(psk_server_cb_cnt == idx))
5321 if (!TEST_true(use_session_cb_cnt == 0)
5322 || !TEST_true(find_session_cb_cnt == 0)
5323 || !TEST_true(psk_client_cb_cnt == 1)
5324 || !TEST_true(psk_server_cb_cnt == 1))
5328 shutdown_ssl_connection(serverssl, clientssl);
5329 serverssl = clientssl = NULL;
5334 SSL_SESSION_free(clientpsk);
5335 SSL_SESSION_free(serverpsk);
5336 clientpsk = serverpsk = NULL;
5337 SSL_free(serverssl);
5338 SSL_free(clientssl);
5344 static unsigned char cookie_magic_value[] = "cookie magic";
5346 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5347 unsigned int *cookie_len)
5350 * Not suitable as a real cookie generation function but good enough for
5353 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5354 *cookie_len = sizeof(cookie_magic_value) - 1;
5359 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5360 unsigned int cookie_len)
5362 if (cookie_len == sizeof(cookie_magic_value) - 1
5363 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5369 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5373 int res = generate_cookie_callback(ssl, cookie, &temp);
5378 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5381 return verify_cookie_callback(ssl, cookie, cookie_len);
5384 static int test_stateless(void)
5386 SSL_CTX *sctx = NULL, *cctx = NULL;
5387 SSL *serverssl = NULL, *clientssl = NULL;
5390 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5391 TLS_client_method(), TLS1_VERSION, 0,
5392 &sctx, &cctx, cert, privkey)))
5395 /* The arrival of CCS messages can confuse the test */
5396 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5398 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5400 /* Send the first ClientHello */
5401 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5402 SSL_ERROR_WANT_READ))
5404 * This should fail with a -1 return because we have no callbacks
5407 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5410 /* Fatal error so abandon the connection from this client */
5411 SSL_free(clientssl);
5414 /* Set up the cookie generation and verification callbacks */
5415 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5416 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
5419 * Create a new connection from the client (we can reuse the server SSL
5422 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5424 /* Send the first ClientHello */
5425 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5426 SSL_ERROR_WANT_READ))
5427 /* This should fail because there is no cookie */
5428 || !TEST_int_eq(SSL_stateless(serverssl), 0))
5431 /* Abandon the connection from this client */
5432 SSL_free(clientssl);
5436 * Now create a connection from a new client but with the same server SSL
5439 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5441 /* Send the first ClientHello */
5442 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5443 SSL_ERROR_WANT_READ))
5444 /* This should fail because there is no cookie */
5445 || !TEST_int_eq(SSL_stateless(serverssl), 0)
5446 /* Send the second ClientHello */
5447 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5448 SSL_ERROR_WANT_READ))
5449 /* This should succeed because a cookie is now present */
5450 || !TEST_int_eq(SSL_stateless(serverssl), 1)
5451 /* Complete the connection */
5452 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5456 shutdown_ssl_connection(serverssl, clientssl);
5457 serverssl = clientssl = NULL;
5461 SSL_free(serverssl);
5462 SSL_free(clientssl);
5468 #endif /* OSSL_NO_USABLE_TLS1_3 */
5470 static int clntaddoldcb = 0;
5471 static int clntparseoldcb = 0;
5472 static int srvaddoldcb = 0;
5473 static int srvparseoldcb = 0;
5474 static int clntaddnewcb = 0;
5475 static int clntparsenewcb = 0;
5476 static int srvaddnewcb = 0;
5477 static int srvparsenewcb = 0;
5478 static int snicb = 0;
5480 #define TEST_EXT_TYPE1 0xff00
5482 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5483 size_t *outlen, int *al, void *add_arg)
5485 int *server = (int *)add_arg;
5486 unsigned char *data;
5488 if (SSL_is_server(s))
5493 if (*server != SSL_is_server(s)
5494 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5499 *outlen = sizeof(char);
5503 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5506 OPENSSL_free((unsigned char *)out);
5509 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5510 size_t inlen, int *al, void *parse_arg)
5512 int *server = (int *)parse_arg;
5514 if (SSL_is_server(s))
5519 if (*server != SSL_is_server(s)
5520 || inlen != sizeof(char)
5527 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5528 const unsigned char **out, size_t *outlen, X509 *x,
5529 size_t chainidx, int *al, void *add_arg)
5531 int *server = (int *)add_arg;
5532 unsigned char *data;
5534 if (SSL_is_server(s))
5539 if (*server != SSL_is_server(s)
5540 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5545 *outlen = sizeof(*data);
5549 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5550 const unsigned char *out, void *add_arg)
5552 OPENSSL_free((unsigned char *)out);
5555 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5556 const unsigned char *in, size_t inlen, X509 *x,
5557 size_t chainidx, int *al, void *parse_arg)
5559 int *server = (int *)parse_arg;
5561 if (SSL_is_server(s))
5566 if (*server != SSL_is_server(s)
5567 || inlen != sizeof(char) || *in != 1)
5573 static int sni_cb(SSL *s, int *al, void *arg)
5575 SSL_CTX *ctx = (SSL_CTX *)arg;
5577 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5578 *al = SSL_AD_INTERNAL_ERROR;
5579 return SSL_TLSEXT_ERR_ALERT_FATAL;
5582 return SSL_TLSEXT_ERR_OK;
5585 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
5591 * Custom call back tests.
5592 * Test 0: Old style callbacks in TLSv1.2
5593 * Test 1: New style callbacks in TLSv1.2
5594 * Test 2: New style callbacks in TLSv1.2 with SNI
5595 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5596 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
5597 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
5599 static int test_custom_exts(int tst)
5601 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5602 SSL *clientssl = NULL, *serverssl = NULL;
5604 static int server = 1;
5605 static int client = 0;
5606 SSL_SESSION *sess = NULL;
5607 unsigned int context;
5609 #if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
5610 /* Skip tests for TLSv1.2 and below in this case */
5615 /* Reset callback counters */
5616 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5617 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
5620 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5621 TLS_client_method(), TLS1_VERSION, 0,
5622 &sctx, &cctx, cert, privkey)))
5626 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5628 &sctx2, NULL, cert, privkey)))
5633 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5634 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
5636 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
5640 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
5641 | SSL_EXT_TLS1_3_CERTIFICATE;
5642 SSL_CTX_set_verify(sctx,
5643 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
5645 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
5646 SSL_FILETYPE_PEM), 1)
5647 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
5648 SSL_FILETYPE_PEM), 1)
5649 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
5651 } else if (tst == 4) {
5652 context = SSL_EXT_CLIENT_HELLO
5653 | SSL_EXT_TLS1_2_SERVER_HELLO
5654 | SSL_EXT_TLS1_3_SERVER_HELLO
5655 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5656 | SSL_EXT_TLS1_3_CERTIFICATE
5657 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5659 context = SSL_EXT_CLIENT_HELLO
5660 | SSL_EXT_TLS1_2_SERVER_HELLO
5661 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5664 /* Create a client side custom extension */
5666 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5667 old_add_cb, old_free_cb,
5668 &client, old_parse_cb,
5672 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5673 new_add_cb, new_free_cb,
5674 &client, new_parse_cb, &client)))
5678 /* Should not be able to add duplicates */
5679 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5680 old_add_cb, old_free_cb,
5681 &client, old_parse_cb,
5683 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5684 context, new_add_cb,
5685 new_free_cb, &client,
5686 new_parse_cb, &client)))
5689 /* Create a server side custom extension */
5691 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5692 old_add_cb, old_free_cb,
5693 &server, old_parse_cb,
5697 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5698 new_add_cb, new_free_cb,
5699 &server, new_parse_cb, &server)))
5702 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5703 context, new_add_cb,
5704 new_free_cb, &server,
5705 new_parse_cb, &server)))
5709 /* Should not be able to add duplicates */
5710 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5711 old_add_cb, old_free_cb,
5712 &server, old_parse_cb,
5714 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5715 context, new_add_cb,
5716 new_free_cb, &server,
5717 new_parse_cb, &server)))
5722 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5723 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5727 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5728 &clientssl, NULL, NULL))
5729 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5734 if (clntaddoldcb != 1
5735 || clntparseoldcb != 1
5737 || srvparseoldcb != 1)
5739 } else if (tst == 1 || tst == 2 || tst == 3) {
5740 if (clntaddnewcb != 1
5741 || clntparsenewcb != 1
5743 || srvparsenewcb != 1
5744 || (tst != 2 && snicb != 0)
5745 || (tst == 2 && snicb != 1))
5747 } else if (tst == 5) {
5748 if (clntaddnewcb != 1
5749 || clntparsenewcb != 1
5751 || srvparsenewcb != 1)
5754 /* In this case there 2 NewSessionTicket messages created */
5755 if (clntaddnewcb != 1
5756 || clntparsenewcb != 5
5758 || srvparsenewcb != 1)
5762 sess = SSL_get1_session(clientssl);
5763 SSL_shutdown(clientssl);
5764 SSL_shutdown(serverssl);
5765 SSL_free(serverssl);
5766 SSL_free(clientssl);
5767 serverssl = clientssl = NULL;
5769 if (tst == 3 || tst == 5) {
5770 /* We don't bother with the resumption aspects for these tests */
5775 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5777 || !TEST_true(SSL_set_session(clientssl, sess))
5778 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5783 * For a resumed session we expect to add the ClientHello extension. For the
5784 * old style callbacks we ignore it on the server side because they set
5785 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5789 if (clntaddoldcb != 2
5790 || clntparseoldcb != 1
5792 || srvparseoldcb != 1)
5794 } else if (tst == 1 || tst == 2 || tst == 3) {
5795 if (clntaddnewcb != 2
5796 || clntparsenewcb != 2
5798 || srvparsenewcb != 2)
5802 * No Certificate message extensions in the resumption handshake,
5803 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5805 if (clntaddnewcb != 2
5806 || clntparsenewcb != 8
5808 || srvparsenewcb != 2)
5815 SSL_SESSION_free(sess);
5816 SSL_free(serverssl);
5817 SSL_free(clientssl);
5818 SSL_CTX_free(sctx2);
5825 * Test loading of serverinfo data in various formats. test_sslmessages actually
5826 * tests to make sure the extensions appear in the handshake
5828 static int test_serverinfo(int tst)
5830 unsigned int version;
5831 unsigned char *sibuf;
5833 int ret, expected, testresult = 0;
5836 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method());
5840 if ((tst & 0x01) == 0x01)
5841 version = SSL_SERVERINFOV2;
5843 version = SSL_SERVERINFOV1;
5845 if ((tst & 0x02) == 0x02) {
5846 sibuf = serverinfov2;
5847 sibuflen = sizeof(serverinfov2);
5848 expected = (version == SSL_SERVERINFOV2);
5850 sibuf = serverinfov1;
5851 sibuflen = sizeof(serverinfov1);
5852 expected = (version == SSL_SERVERINFOV1);
5855 if ((tst & 0x04) == 0x04) {
5856 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
5858 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
5861 * The version variable is irrelevant in this case - it's what is in the
5862 * buffer that matters
5864 if ((tst & 0x02) == 0x02)
5870 if (!TEST_true(ret == expected))
5882 * Test that SSL_export_keying_material() produces expected results. There are
5883 * no test vectors so all we do is test that both sides of the communication
5884 * produce the same results for different protocol versions.
5886 #define SMALL_LABEL_LEN 10
5887 #define LONG_LABEL_LEN 249
5888 static int test_export_key_mat(int tst)
5891 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5892 SSL *clientssl = NULL, *serverssl = NULL;
5893 const char label[LONG_LABEL_LEN + 1] = "test label";
5894 const unsigned char context[] = "context";
5895 const unsigned char *emptycontext = NULL;
5896 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
5897 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
5899 const int protocols[] = {
5908 #ifdef OPENSSL_NO_TLS1
5912 #ifdef OPENSSL_NO_TLS1_1
5916 if (is_fips && (tst == 0 || tst == 1))
5918 #ifdef OPENSSL_NO_TLS1_2
5922 #ifdef OSSL_NO_USABLE_TLS1_3
5926 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5927 TLS_client_method(), TLS1_VERSION, 0,
5928 &sctx, &cctx, cert, privkey)))
5931 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
5932 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
5933 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
5934 if ((protocols[tst] < TLS1_2_VERSION) &&
5935 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
5936 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
5939 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5944 * Premature call of SSL_export_keying_material should just fail.
5946 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5947 sizeof(ckeymat1), label,
5948 SMALL_LABEL_LEN + 1, context,
5949 sizeof(context) - 1, 1), 0))
5952 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5958 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
5961 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5962 sizeof(ckeymat1), label,
5963 LONG_LABEL_LEN + 1, context,
5964 sizeof(context) - 1, 1), 0))
5969 } else if (tst == 4) {
5970 labellen = LONG_LABEL_LEN;
5972 labellen = SMALL_LABEL_LEN;
5975 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
5976 sizeof(ckeymat1), label,
5978 sizeof(context) - 1, 1), 1)
5979 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
5980 sizeof(ckeymat2), label,
5984 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
5985 sizeof(ckeymat3), label,
5988 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
5989 sizeof(skeymat1), label,
5992 sizeof(context) -1, 1),
5994 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
5995 sizeof(skeymat2), label,
5999 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
6000 sizeof(skeymat3), label,
6004 * Check that both sides created the same key material with the
6007 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6010 * Check that both sides created the same key material with an
6013 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6016 * Check that both sides created the same key material without a
6019 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
6021 /* Different contexts should produce different results */
6022 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6027 * Check that an empty context and no context produce different results in
6028 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6030 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
6032 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
6039 SSL_free(serverssl);
6040 SSL_free(clientssl);
6041 SSL_CTX_free(sctx2);
6048 #ifndef OSSL_NO_USABLE_TLS1_3
6050 * Test that SSL_export_keying_material_early() produces expected
6051 * results. There are no test vectors so all we do is test that both
6052 * sides of the communication produce the same results for different
6053 * protocol versions.
6055 static int test_export_key_mat_early(int idx)
6057 static const char label[] = "test label";
6058 static const unsigned char context[] = "context";
6060 SSL_CTX *cctx = NULL, *sctx = NULL;
6061 SSL *clientssl = NULL, *serverssl = NULL;
6062 SSL_SESSION *sess = NULL;
6063 const unsigned char *emptycontext = NULL;
6064 unsigned char ckeymat1[80], ckeymat2[80];
6065 unsigned char skeymat1[80], skeymat2[80];
6066 unsigned char buf[1];
6067 size_t readbytes, written;
6069 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
6073 /* Here writing 0 length early data is enough. */
6074 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6075 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6077 SSL_READ_EARLY_DATA_ERROR)
6078 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6079 SSL_EARLY_DATA_ACCEPTED))
6082 if (!TEST_int_eq(SSL_export_keying_material_early(
6083 clientssl, ckeymat1, sizeof(ckeymat1), label,
6084 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6085 || !TEST_int_eq(SSL_export_keying_material_early(
6086 clientssl, ckeymat2, sizeof(ckeymat2), label,
6087 sizeof(label) - 1, emptycontext, 0), 1)
6088 || !TEST_int_eq(SSL_export_keying_material_early(
6089 serverssl, skeymat1, sizeof(skeymat1), label,
6090 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6091 || !TEST_int_eq(SSL_export_keying_material_early(
6092 serverssl, skeymat2, sizeof(skeymat2), label,
6093 sizeof(label) - 1, emptycontext, 0), 1)
6095 * Check that both sides created the same key material with the
6098 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6101 * Check that both sides created the same key material with an
6104 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6106 /* Different contexts should produce different results */
6107 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6114 SSL_SESSION_free(sess);
6115 SSL_SESSION_free(clientpsk);
6116 SSL_SESSION_free(serverpsk);
6117 clientpsk = serverpsk = NULL;
6118 SSL_free(serverssl);
6119 SSL_free(clientssl);
6126 #define NUM_KEY_UPDATE_MESSAGES 40
6130 static int test_key_update(void)
6132 SSL_CTX *cctx = NULL, *sctx = NULL;
6133 SSL *clientssl = NULL, *serverssl = NULL;
6134 int testresult = 0, i, j;
6136 static char *mess = "A test message";
6138 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6139 TLS_client_method(),
6142 &sctx, &cctx, cert, privkey))
6143 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6145 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6149 for (j = 0; j < 2; j++) {
6150 /* Send lots of KeyUpdate messages */
6151 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6152 if (!TEST_true(SSL_key_update(clientssl,
6154 ? SSL_KEY_UPDATE_NOT_REQUESTED
6155 : SSL_KEY_UPDATE_REQUESTED))
6156 || !TEST_true(SSL_do_handshake(clientssl)))
6160 /* Check that sending and receiving app data is ok */
6161 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6162 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6166 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6167 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6175 SSL_free(serverssl);
6176 SSL_free(clientssl);
6184 * Test we can handle a KeyUpdate (update requested) message while
6185 * write data is pending in peer.
6186 * Test 0: Client sends KeyUpdate while Server is writing
6187 * Test 1: Server sends KeyUpdate while Client is writing
6189 static int test_key_update_peer_in_write(int tst)
6191 SSL_CTX *cctx = NULL, *sctx = NULL;
6192 SSL *clientssl = NULL, *serverssl = NULL;
6195 static char *mess = "A test message";
6196 BIO *bretry = BIO_new(bio_s_always_retry());
6198 SSL *peerupdate = NULL, *peerwrite = NULL;
6200 if (!TEST_ptr(bretry)
6201 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6202 TLS_client_method(),
6205 &sctx, &cctx, cert, privkey))
6206 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6208 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6212 peerupdate = tst == 0 ? clientssl : serverssl;
6213 peerwrite = tst == 0 ? serverssl : clientssl;
6215 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
6216 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
6219 /* Swap the writing endpoint's write BIO to force a retry */
6220 tmp = SSL_get_wbio(peerwrite);
6221 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6225 SSL_set0_wbio(peerwrite, bretry);
6228 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6229 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6230 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
6233 /* Reinstate the original writing endpoint's write BIO */
6234 SSL_set0_wbio(peerwrite, tmp);
6237 /* Now read some data - we will read the key update */
6238 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6239 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
6243 * Complete the write we started previously and read it from the other
6246 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6247 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6250 /* Write more data to ensure we send the KeyUpdate message back */
6251 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6252 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6258 SSL_free(serverssl);
6259 SSL_free(clientssl);
6269 * Test we can handle a KeyUpdate (update requested) message while
6270 * peer read data is pending after peer accepted keyupdate(the msg header
6271 * had been read 5 bytes).
6272 * Test 0: Client sends KeyUpdate while Server is reading
6273 * Test 1: Server sends KeyUpdate while Client is reading
6275 static int test_key_update_peer_in_read(int tst)
6277 SSL_CTX *cctx = NULL, *sctx = NULL;
6278 SSL *clientssl = NULL, *serverssl = NULL;
6280 char prbuf[515], lwbuf[515] = {0};
6281 static char *mess = "A test message";
6282 BIO *lbio = NULL, *pbio = NULL;
6283 SSL *local = NULL, *peer = NULL;
6285 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6286 TLS_client_method(),
6289 &sctx, &cctx, cert, privkey))
6290 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6292 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6296 local = tst == 0 ? clientssl : serverssl;
6297 peer = tst == 0 ? serverssl : clientssl;
6299 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6302 SSL_set_bio(local, lbio, lbio);
6303 SSL_set_bio(peer, pbio, pbio);
6306 * we first write keyupdate msg then appdata in local
6307 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6308 * lwbuf app data msg size + key updata msg size > 512(the size of
6309 * the bio pair buffer)
6311 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6312 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
6313 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6317 * first read keyupdate msg in peer in peer
6318 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6320 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
6321 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
6324 /* Now write some data in peer - we will write the key update */
6325 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
6329 * write data in local previously that we will complete
6330 * read data in peer previously that we will complete
6332 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
6333 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
6336 /* check that sending and receiving appdata ok */
6337 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6338 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6344 SSL_free(serverssl);
6345 SSL_free(clientssl);
6353 * Test we can't send a KeyUpdate (update requested) message while
6354 * local write data is pending.
6355 * Test 0: Client sends KeyUpdate while Client is writing
6356 * Test 1: Server sends KeyUpdate while Server is writing
6358 static int test_key_update_local_in_write(int tst)
6360 SSL_CTX *cctx = NULL, *sctx = NULL;
6361 SSL *clientssl = NULL, *serverssl = NULL;
6364 static char *mess = "A test message";
6365 BIO *bretry = BIO_new(bio_s_always_retry());
6367 SSL *local = NULL, *peer = NULL;
6369 if (!TEST_ptr(bretry)
6370 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6371 TLS_client_method(),
6374 &sctx, &cctx, cert, privkey))
6375 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6377 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6381 local = tst == 0 ? clientssl : serverssl;
6382 peer = tst == 0 ? serverssl : clientssl;
6384 /* Swap the writing endpoint's write BIO to force a retry */
6385 tmp = SSL_get_wbio(local);
6386 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6390 SSL_set0_wbio(local, bretry);
6393 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
6394 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
6395 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6398 /* Reinstate the original writing endpoint's write BIO */
6399 SSL_set0_wbio(local, tmp);
6402 /* SSL_key_update will fail, because writing in local*/
6403 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6404 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
6408 /* write data in local previously that we will complete */
6409 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
6412 /* SSL_key_update will succeed because there is no pending write data */
6413 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6414 || !TEST_int_eq(SSL_do_handshake(local), 1))
6418 * we write some appdata in local
6419 * read data in peer - we will read the keyupdate msg
6421 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6422 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
6425 /* Write more peer more data to ensure we send the keyupdate message back */
6426 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6427 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
6433 SSL_free(serverssl);
6434 SSL_free(clientssl);
6444 * Test we can handle a KeyUpdate (update requested) message while
6445 * local read data is pending(the msg header had been read 5 bytes).
6446 * Test 0: Client sends KeyUpdate while Client is reading
6447 * Test 1: Server sends KeyUpdate while Server is reading
6449 static int test_key_update_local_in_read(int tst)
6451 SSL_CTX *cctx = NULL, *sctx = NULL;
6452 SSL *clientssl = NULL, *serverssl = NULL;
6454 char lrbuf[515], pwbuf[515] = {0}, prbuf[20];
6455 static char *mess = "A test message";
6456 BIO *lbio = NULL, *pbio = NULL;
6457 SSL *local = NULL, *peer = NULL;
6459 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6460 TLS_client_method(),
6463 &sctx, &cctx, cert, privkey))
6464 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6466 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6470 local = tst == 0 ? clientssl : serverssl;
6471 peer = tst == 0 ? serverssl : clientssl;
6473 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6476 SSL_set_bio(local, lbio, lbio);
6477 SSL_set_bio(peer, pbio, pbio);
6479 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
6480 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
6481 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
6484 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
6485 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
6486 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
6489 /* SSL_do_handshake will send keyupdate msg */
6490 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6491 || !TEST_int_eq(SSL_do_handshake(local), 1))
6495 * write data in peer previously that we will complete
6496 * read data in local previously that we will complete
6498 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
6499 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
6503 * write data in local
6504 * read data in peer - we will read the key update
6506 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6507 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6510 /* Write more peer data to ensure we send the keyupdate message back */
6511 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6512 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
6518 SSL_free(serverssl);
6519 SSL_free(clientssl);
6525 #endif /* OSSL_NO_USABLE_TLS1_3 */
6527 static int test_ssl_clear(int idx)
6529 SSL_CTX *cctx = NULL, *sctx = NULL;
6530 SSL *clientssl = NULL, *serverssl = NULL;
6533 #ifdef OPENSSL_NO_TLS1_2
6538 /* Create an initial connection */
6539 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6540 TLS_client_method(), TLS1_VERSION, 0,
6541 &sctx, &cctx, cert, privkey))
6543 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
6545 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6546 &clientssl, NULL, NULL))
6547 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6551 SSL_shutdown(clientssl);
6552 SSL_shutdown(serverssl);
6553 SSL_free(serverssl);
6556 /* Clear clientssl - we're going to reuse the object */
6557 if (!TEST_true(SSL_clear(clientssl)))
6560 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6562 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6564 || !TEST_true(SSL_session_reused(clientssl)))
6567 SSL_shutdown(clientssl);
6568 SSL_shutdown(serverssl);
6573 SSL_free(serverssl);
6574 SSL_free(clientssl);
6581 /* Parse CH and retrieve any MFL extension value if present */
6582 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
6585 unsigned char *data;
6586 PACKET pkt, pkt2, pkt3;
6587 unsigned int MFL_code = 0, type = 0;
6589 if (!TEST_uint_gt(len = BIO_get_mem_data(bio, (char **) &data), 0))
6592 memset(&pkt, 0, sizeof(pkt));
6593 memset(&pkt2, 0, sizeof(pkt2));
6594 memset(&pkt3, 0, sizeof(pkt3));
6596 if (!TEST_long_gt(len, 0)
6597 || !TEST_true(PACKET_buf_init(&pkt, data, len))
6598 /* Skip the record header */
6599 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
6600 /* Skip the handshake message header */
6601 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
6602 /* Skip client version and random */
6603 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
6604 + SSL3_RANDOM_SIZE))
6605 /* Skip session id */
6606 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6608 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
6609 /* Skip compression */
6610 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6611 /* Extensions len */
6612 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
6615 /* Loop through all extensions */
6616 while (PACKET_remaining(&pkt2)) {
6617 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
6618 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
6621 if (type == TLSEXT_TYPE_max_fragment_length) {
6622 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
6623 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
6626 *mfl_codemfl_code = MFL_code;
6635 /* Maximum-Fragment-Length TLS extension mode to test */
6636 static const unsigned char max_fragment_len_test[] = {
6637 TLSEXT_max_fragment_length_512,
6638 TLSEXT_max_fragment_length_1024,
6639 TLSEXT_max_fragment_length_2048,
6640 TLSEXT_max_fragment_length_4096
6643 static int test_max_fragment_len_ext(int idx_tst)
6645 SSL_CTX *ctx = NULL;
6647 int testresult = 0, MFL_mode = 0;
6650 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
6651 TLS1_VERSION, 0, NULL, &ctx, NULL,
6655 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
6656 ctx, max_fragment_len_test[idx_tst])))
6663 rbio = BIO_new(BIO_s_mem());
6664 wbio = BIO_new(BIO_s_mem());
6665 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
6671 SSL_set_bio(con, rbio, wbio);
6673 if (!TEST_int_le(SSL_connect(con), 0)) {
6674 /* This shouldn't succeed because we don't have a server! */
6678 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
6679 /* no MFL in client hello */
6681 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
6693 #ifndef OSSL_NO_USABLE_TLS1_3
6694 static int test_pha_key_update(void)
6696 SSL_CTX *cctx = NULL, *sctx = NULL;
6697 SSL *clientssl = NULL, *serverssl = NULL;
6700 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6701 TLS_client_method(), TLS1_VERSION, 0,
6702 &sctx, &cctx, cert, privkey)))
6705 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
6706 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
6707 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
6708 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
6711 SSL_CTX_set_post_handshake_auth(cctx, 1);
6713 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6717 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6721 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6722 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6725 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
6728 /* Start handshake on the server */
6729 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
6732 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
6733 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6737 SSL_shutdown(clientssl);
6738 SSL_shutdown(serverssl);
6743 SSL_free(serverssl);
6744 SSL_free(clientssl);
6751 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6753 static SRP_VBASE *vbase = NULL;
6755 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
6757 int ret = SSL3_AL_FATAL;
6759 SRP_user_pwd *user = NULL;
6761 username = SSL_get_srp_username(s);
6762 if (username == NULL) {
6763 *ad = SSL_AD_INTERNAL_ERROR;
6767 user = SRP_VBASE_get1_by_user(vbase, username);
6769 *ad = SSL_AD_INTERNAL_ERROR;
6773 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
6775 *ad = SSL_AD_INTERNAL_ERROR;
6782 SRP_user_pwd_free(user);
6786 static int create_new_vfile(char *userid, char *password, const char *filename)
6789 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
6792 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
6795 if (!TEST_ptr(dummy) || !TEST_ptr(row))
6798 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
6799 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
6800 if (!TEST_ptr(gNid))
6804 * The only way to create an empty TXT_DB is to provide a BIO with no data
6807 db = TXT_DB_read(dummy, DB_NUMBER);
6811 out = BIO_new_file(filename, "w");
6815 row[DB_srpid] = OPENSSL_strdup(userid);
6816 row[DB_srptype] = OPENSSL_strdup("V");
6817 row[DB_srpgN] = OPENSSL_strdup(gNid);
6819 if (!TEST_ptr(row[DB_srpid])
6820 || !TEST_ptr(row[DB_srptype])
6821 || !TEST_ptr(row[DB_srpgN])
6822 || !TEST_true(TXT_DB_insert(db, row)))
6827 if (TXT_DB_write(out, db) <= 0)
6833 for (i = 0; i < DB_NUMBER; i++)
6834 OPENSSL_free(row[i]);
6844 static int create_new_vbase(char *userid, char *password)
6846 BIGNUM *verifier = NULL, *salt = NULL;
6847 const SRP_gN *lgN = NULL;
6848 SRP_user_pwd *user_pwd = NULL;
6851 lgN = SRP_get_default_gN(NULL);
6855 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
6856 lgN->N, lgN->g, libctx, NULL)))
6859 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
6860 if (!TEST_ptr(user_pwd))
6863 user_pwd->N = lgN->N;
6864 user_pwd->g = lgN->g;
6865 user_pwd->id = OPENSSL_strdup(userid);
6866 if (!TEST_ptr(user_pwd->id))
6869 user_pwd->v = verifier;
6871 verifier = salt = NULL;
6873 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
6879 SRP_user_pwd_free(user_pwd);
6889 * Test 0: Simple successful SRP connection, new vbase
6890 * Test 1: Connection failure due to bad password, new vbase
6891 * Test 2: Simple successful SRP connection, vbase loaded from existing file
6892 * Test 3: Connection failure due to bad password, vbase loaded from existing
6894 * Test 4: Simple successful SRP connection, vbase loaded from new file
6895 * Test 5: Connection failure due to bad password, vbase loaded from new file
6897 static int test_srp(int tst)
6899 char *userid = "test", *password = "password", *tstsrpfile;
6900 SSL_CTX *cctx = NULL, *sctx = NULL;
6901 SSL *clientssl = NULL, *serverssl = NULL;
6902 int ret, testresult = 0;
6904 vbase = SRP_VBASE_new(NULL);
6905 if (!TEST_ptr(vbase))
6908 if (tst == 0 || tst == 1) {
6909 if (!TEST_true(create_new_vbase(userid, password)))
6912 if (tst == 4 || tst == 5) {
6913 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
6915 tstsrpfile = tmpfilename;
6917 tstsrpfile = srpvfile;
6919 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
6923 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6924 TLS_client_method(), TLS1_VERSION, 0,
6925 &sctx, &cctx, cert, privkey)))
6928 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
6929 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
6930 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
6931 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
6932 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
6936 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
6939 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
6943 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6947 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6949 if (!TEST_true(tst % 2 == 0))
6952 if (!TEST_true(tst % 2 == 1))
6959 SRP_VBASE_free(vbase);
6961 SSL_free(serverssl);
6962 SSL_free(clientssl);
6970 static int info_cb_failed = 0;
6971 static int info_cb_offset = 0;
6972 static int info_cb_this_state = -1;
6974 static struct info_cb_states_st {
6976 const char *statestr;
6977 } info_cb_states[][60] = {
6979 /* TLSv1.2 server followed by resumption */
6980 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
6981 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6982 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
6983 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
6984 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
6985 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6986 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6987 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6988 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"},
6989 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6990 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
6991 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6992 {SSL_CB_EXIT, NULL}, {0, NULL},
6994 /* TLSv1.2 client followed by resumption */
6995 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
6996 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6997 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
6998 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
6999 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
7000 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7001 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7002 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7003 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7004 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7005 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7006 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
7008 /* TLSv1.3 server followed by resumption */
7009 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7010 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7011 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
7012 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7013 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7014 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7015 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7016 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7017 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7018 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7019 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7020 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7021 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7023 /* TLSv1.3 client followed by resumption */
7024 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7025 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7026 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
7027 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7028 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7029 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7030 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7031 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7032 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7033 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7034 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7035 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7036 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7037 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7038 {SSL_CB_EXIT, NULL}, {0, NULL},
7040 /* TLSv1.3 server, early_data */
7041 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7042 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7043 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7044 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7045 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7046 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
7047 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7048 {SSL_CB_EXIT, NULL}, {0, NULL},
7050 /* TLSv1.3 client, early_data */
7051 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7052 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
7053 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7054 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7055 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7056 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
7057 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7058 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7059 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7065 static void sslapi_info_callback(const SSL *s, int where, int ret)
7067 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
7069 /* We do not ever expect a connection to fail in this test */
7070 if (!TEST_false(ret == 0)) {
7076 * Do some sanity checks. We never expect these things to happen in this
7079 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
7080 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
7081 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
7086 /* Now check we're in the right state */
7087 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
7091 if ((where & SSL_CB_LOOP) != 0
7092 && !TEST_int_eq(strcmp(SSL_state_string(s),
7093 state[info_cb_this_state].statestr), 0)) {
7099 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7101 if ((where & SSL_CB_HANDSHAKE_DONE)
7102 && SSL_in_init((SSL *)s) != 0) {
7109 * Test the info callback gets called when we expect it to.
7111 * Test 0: TLSv1.2, server
7112 * Test 1: TLSv1.2, client
7113 * Test 2: TLSv1.3, server
7114 * Test 3: TLSv1.3, client
7115 * Test 4: TLSv1.3, server, early_data
7116 * Test 5: TLSv1.3, client, early_data
7118 static int test_info_callback(int tst)
7120 SSL_CTX *cctx = NULL, *sctx = NULL;
7121 SSL *clientssl = NULL, *serverssl = NULL;
7122 SSL_SESSION *clntsess = NULL;
7127 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
7128 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7129 || !defined(OPENSSL_NO_DH))
7130 tlsvers = TLS1_2_VERSION;
7135 #ifndef OSSL_NO_USABLE_TLS1_3
7136 tlsvers = TLS1_3_VERSION;
7144 info_cb_this_state = -1;
7145 info_cb_offset = tst;
7147 #ifndef OSSL_NO_USABLE_TLS1_3
7149 SSL_SESSION *sess = NULL;
7150 size_t written, readbytes;
7151 unsigned char buf[80];
7153 /* early_data tests */
7154 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
7155 &serverssl, &sess, 0)))
7158 /* We don't actually need this reference */
7159 SSL_SESSION_free(sess);
7161 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
7162 sslapi_info_callback);
7164 /* Write and read some early data and then complete the connection */
7165 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
7167 || !TEST_size_t_eq(written, strlen(MSG1))
7168 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
7169 sizeof(buf), &readbytes),
7170 SSL_READ_EARLY_DATA_SUCCESS)
7171 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
7172 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
7173 SSL_EARLY_DATA_ACCEPTED)
7174 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7176 || !TEST_false(info_cb_failed))
7184 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7185 TLS_client_method(),
7186 tlsvers, tlsvers, &sctx, &cctx, cert,
7190 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
7194 * For even numbered tests we check the server callbacks. For odd numbers we
7197 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
7198 sslapi_info_callback);
7200 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7201 &clientssl, NULL, NULL))
7202 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7204 || !TEST_false(info_cb_failed))
7209 clntsess = SSL_get1_session(clientssl);
7210 SSL_shutdown(clientssl);
7211 SSL_shutdown(serverssl);
7212 SSL_free(serverssl);
7213 SSL_free(clientssl);
7214 serverssl = clientssl = NULL;
7216 /* Now do a resumption */
7217 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7219 || !TEST_true(SSL_set_session(clientssl, clntsess))
7220 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7222 || !TEST_true(SSL_session_reused(clientssl))
7223 || !TEST_false(info_cb_failed))
7229 SSL_free(serverssl);
7230 SSL_free(clientssl);
7231 SSL_SESSION_free(clntsess);
7237 static int test_ssl_pending(int tst)
7239 SSL_CTX *cctx = NULL, *sctx = NULL;
7240 SSL *clientssl = NULL, *serverssl = NULL;
7242 char msg[] = "A test message";
7244 size_t written, readbytes;
7247 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7248 TLS_client_method(),
7250 &sctx, &cctx, cert, privkey)))
7253 #ifndef OPENSSL_NO_DTLS
7254 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
7255 DTLS_client_method(),
7257 &sctx, &cctx, cert, privkey)))
7260 # ifdef OPENSSL_NO_DTLS1_2
7261 /* Not supported in the FIPS provider */
7267 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7270 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
7271 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
7272 "DEFAULT:@SECLEVEL=0")))
7280 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7282 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7286 if (!TEST_int_eq(SSL_pending(clientssl), 0)
7287 || !TEST_false(SSL_has_pending(clientssl))
7288 || !TEST_int_eq(SSL_pending(serverssl), 0)
7289 || !TEST_false(SSL_has_pending(serverssl))
7290 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7291 || !TEST_size_t_eq(written, sizeof(msg))
7292 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
7293 || !TEST_size_t_eq(readbytes, sizeof(buf))
7294 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
7295 || !TEST_true(SSL_has_pending(clientssl)))
7301 SSL_free(serverssl);
7302 SSL_free(clientssl);
7310 unsigned int maxprot;
7311 const char *clntciphers;
7312 const char *clnttls13ciphers;
7313 const char *srvrciphers;
7314 const char *srvrtls13ciphers;
7316 const char *fipsshared;
7317 } shared_ciphers_data[] = {
7319 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
7320 * TLSv1.3 is enabled but TLSv1.2 is disabled.
7322 #if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
7325 "AES128-SHA:AES256-SHA",
7327 "AES256-SHA:DHE-RSA-AES128-SHA",
7332 # if !defined(OPENSSL_NO_CHACHA) \
7333 && !defined(OPENSSL_NO_POLY1305) \
7334 && !defined(OPENSSL_NO_EC)
7337 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7339 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7341 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7347 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
7349 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
7351 "AES128-SHA:AES256-SHA",
7352 "AES128-SHA:AES256-SHA"
7356 "AES128-SHA:AES256-SHA",
7358 "AES128-SHA:DHE-RSA-AES128-SHA",
7365 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7368 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
7369 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
7372 "AES128-SHA:AES256-SHA",
7374 "AES256-SHA:AES128-SHA256",
7376 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
7377 "TLS_AES_128_GCM_SHA256:AES256-SHA",
7378 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
7381 #ifndef OSSL_NO_USABLE_TLS1_3
7385 "TLS_AES_256_GCM_SHA384",
7387 "TLS_AES_256_GCM_SHA384",
7388 "TLS_AES_256_GCM_SHA384",
7389 "TLS_AES_256_GCM_SHA384"
7394 static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
7396 SSL_CTX *cctx = NULL, *sctx = NULL;
7397 SSL *clientssl = NULL, *serverssl = NULL;
7400 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
7402 if (!TEST_ptr(tmplibctx))
7406 * Regardless of whether we're testing with the FIPS provider loaded into
7407 * libctx, we want one peer to always use the full set of ciphersuites
7408 * available. Therefore we use a separate libctx with the default provider
7409 * loaded into it. We run the same tests twice - once with the client side
7410 * having the full set of ciphersuites and once with the server side.
7413 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
7414 if (!TEST_ptr(cctx))
7417 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
7418 if (!TEST_ptr(sctx))
7422 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7423 TLS_client_method(),
7425 shared_ciphers_data[tst].maxprot,
7426 &sctx, &cctx, cert, privkey)))
7429 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
7430 shared_ciphers_data[tst].clntciphers))
7431 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
7432 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
7433 shared_ciphers_data[tst].clnttls13ciphers)))
7434 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
7435 shared_ciphers_data[tst].srvrciphers))
7436 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
7437 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
7438 shared_ciphers_data[tst].srvrtls13ciphers))))
7442 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7444 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7448 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
7449 || !TEST_int_eq(strcmp(buf,
7451 ? shared_ciphers_data[tst].fipsshared
7452 : shared_ciphers_data[tst].shared),
7454 TEST_info("Shared ciphers are: %s\n", buf);
7461 SSL_free(serverssl);
7462 SSL_free(clientssl);
7465 OSSL_LIB_CTX_free(tmplibctx);
7470 static int test_ssl_get_shared_ciphers(int tst)
7472 return int_test_ssl_get_shared_ciphers(tst, 0)
7473 && int_test_ssl_get_shared_ciphers(tst, 1);
7477 static const char *appdata = "Hello World";
7478 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
7479 static int tick_key_renew = 0;
7480 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7482 static int gen_tick_cb(SSL *s, void *arg)
7484 gen_tick_called = 1;
7486 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
7490 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
7491 const unsigned char *keyname,
7492 size_t keyname_length,
7493 SSL_TICKET_STATUS status,
7499 dec_tick_called = 1;
7501 if (status == SSL_TICKET_EMPTY)
7502 return SSL_TICKET_RETURN_IGNORE_RENEW;
7504 if (!TEST_true(status == SSL_TICKET_SUCCESS
7505 || status == SSL_TICKET_SUCCESS_RENEW))
7506 return SSL_TICKET_RETURN_ABORT;
7508 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
7510 || !TEST_size_t_eq(tickdlen, strlen(appdata))
7511 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
7512 return SSL_TICKET_RETURN_ABORT;
7514 if (tick_key_cb_called) {
7515 /* Don't change what the ticket key callback wanted to do */
7517 case SSL_TICKET_NO_DECRYPT:
7518 return SSL_TICKET_RETURN_IGNORE_RENEW;
7520 case SSL_TICKET_SUCCESS:
7521 return SSL_TICKET_RETURN_USE;
7523 case SSL_TICKET_SUCCESS_RENEW:
7524 return SSL_TICKET_RETURN_USE_RENEW;
7527 return SSL_TICKET_RETURN_ABORT;
7530 return tick_dec_ret;
7534 #ifndef OPENSSL_NO_DEPRECATED_3_0
7535 static int tick_key_cb(SSL *s, unsigned char key_name[16],
7536 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
7537 HMAC_CTX *hctx, int enc)
7539 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7540 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
7541 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7542 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
7545 tick_key_cb_called = 1;
7546 memset(iv, 0, AES_BLOCK_SIZE);
7547 memset(key_name, 0, 16);
7548 if (aes128cbc == NULL
7550 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7551 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
7555 ret = tick_key_renew ? 2 : 1;
7557 EVP_CIPHER_free(aes128cbc);
7558 EVP_MD_free(sha256);
7564 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
7565 unsigned char iv[EVP_MAX_IV_LENGTH],
7566 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
7568 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7569 unsigned char tick_hmac_key[16] = "0123456789abcdef";
7570 OSSL_PARAM params[2];
7571 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7574 tick_key_cb_called = 1;
7575 memset(iv, 0, AES_BLOCK_SIZE);
7576 memset(key_name, 0, 16);
7577 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
7579 params[1] = OSSL_PARAM_construct_end();
7580 if (aes128cbc == NULL
7581 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7582 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
7586 ret = tick_key_renew ? 2 : 1;
7588 EVP_CIPHER_free(aes128cbc);
7594 * Test the various ticket callbacks
7595 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
7596 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
7597 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
7598 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
7599 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
7600 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
7601 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
7602 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
7603 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
7604 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
7605 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
7606 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
7607 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
7608 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
7609 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
7610 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
7612 static int test_ticket_callbacks(int tst)
7614 SSL_CTX *cctx = NULL, *sctx = NULL;
7615 SSL *clientssl = NULL, *serverssl = NULL;
7616 SSL_SESSION *clntsess = NULL;
7619 #ifdef OPENSSL_NO_TLS1_2
7623 #ifdef OSSL_NO_USABLE_TLS1_3
7627 #ifdef OPENSSL_NO_DEPRECATED_3_0
7628 if (tst >= 8 && tst <= 11)
7632 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
7634 /* Which tests the ticket key callback should request renewal for */
7635 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
7640 /* Which tests the decrypt ticket callback should request renewal for */
7644 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
7649 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
7654 tick_dec_ret = SSL_TICKET_RETURN_USE;
7659 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
7663 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7666 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7667 TLS_client_method(),
7669 ((tst % 2) == 0) ? TLS1_2_VERSION
7671 &sctx, &cctx, cert, privkey)))
7675 * We only want sessions to resume from tickets - not the session cache. So
7676 * switch the cache off.
7678 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
7681 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
7686 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
7688 #ifndef OPENSSL_NO_DEPRECATED_3_0
7689 } else if (tst >= 8) {
7690 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
7695 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7697 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7702 * The decrypt ticket key callback in TLSv1.2 should be called even though
7703 * we have no ticket yet, because it gets called with a status of
7704 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
7705 * actually send any ticket data). This does not happen in TLSv1.3 because
7706 * it is not valid to send empty ticket data in TLSv1.3.
7708 if (!TEST_int_eq(gen_tick_called, 1)
7709 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
7712 gen_tick_called = dec_tick_called = 0;
7714 clntsess = SSL_get1_session(clientssl);
7715 SSL_shutdown(clientssl);
7716 SSL_shutdown(serverssl);
7717 SSL_free(serverssl);
7718 SSL_free(clientssl);
7719 serverssl = clientssl = NULL;
7721 /* Now do a resumption */
7722 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7724 || !TEST_true(SSL_set_session(clientssl, clntsess))
7725 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7729 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
7730 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
7731 if (!TEST_false(SSL_session_reused(clientssl)))
7734 if (!TEST_true(SSL_session_reused(clientssl)))
7738 if (!TEST_int_eq(gen_tick_called,
7740 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
7741 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
7743 || !TEST_int_eq(dec_tick_called, 1))
7749 SSL_SESSION_free(clntsess);
7750 SSL_free(serverssl);
7751 SSL_free(clientssl);
7759 * Test incorrect shutdown.
7760 * Test 0: client does not shutdown properly,
7761 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
7762 * server should get SSL_ERROR_SSL
7763 * Test 1: client does not shutdown properly,
7764 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
7765 * server should get SSL_ERROR_ZERO_RETURN
7767 static int test_incorrect_shutdown(int tst)
7769 SSL_CTX *cctx = NULL, *sctx = NULL;
7770 SSL *clientssl = NULL, *serverssl = NULL;
7775 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7776 TLS_client_method(), 0, 0,
7777 &sctx, &cctx, cert, privkey)))
7781 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
7783 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7787 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7791 c2s = SSL_get_rbio(serverssl);
7792 BIO_set_mem_eof_return(c2s, 0);
7794 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
7797 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
7799 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
7805 SSL_free(serverssl);
7806 SSL_free(clientssl);
7814 * Test bi-directional shutdown.
7816 * Test 1: TLSv1.2, server continues to read/write after client shutdown
7817 * Test 2: TLSv1.3, no pending NewSessionTicket messages
7818 * Test 3: TLSv1.3, pending NewSessionTicket messages
7819 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
7820 * sends key update, client reads it
7821 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
7822 * sends CertificateRequest, client reads and ignores it
7823 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
7826 static int test_shutdown(int tst)
7828 SSL_CTX *cctx = NULL, *sctx = NULL;
7829 SSL *clientssl = NULL, *serverssl = NULL;
7831 char msg[] = "A test message";
7833 size_t written, readbytes;
7836 #ifdef OPENSSL_NO_TLS1_2
7840 #ifdef OSSL_NO_USABLE_TLS1_3
7845 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7846 TLS_client_method(),
7848 (tst <= 1) ? TLS1_2_VERSION
7850 &sctx, &cctx, cert, privkey)))
7854 SSL_CTX_set_post_handshake_auth(cctx, 1);
7856 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7861 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
7863 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7864 || !TEST_false(SSL_SESSION_is_resumable(sess)))
7866 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7868 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7869 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
7873 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
7878 * Reading on the server after the client has sent close_notify should
7879 * fail and provide SSL_ERROR_ZERO_RETURN
7881 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
7882 || !TEST_int_eq(SSL_get_error(serverssl, 0),
7883 SSL_ERROR_ZERO_RETURN)
7884 || !TEST_int_eq(SSL_get_shutdown(serverssl),
7885 SSL_RECEIVED_SHUTDOWN)
7887 * Even though we're shutdown on receive we should still be
7890 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7893 && !TEST_true(SSL_key_update(serverssl,
7894 SSL_KEY_UPDATE_REQUESTED)))
7897 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7898 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7901 if ((tst == 4 || tst == 5)
7902 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7904 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
7906 if (tst == 4 || tst == 5) {
7907 /* Should still be able to read data from server */
7908 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7910 || !TEST_size_t_eq(readbytes, sizeof(msg))
7911 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
7912 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7914 || !TEST_size_t_eq(readbytes, sizeof(msg))
7915 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
7920 /* Writing on the client after sending close_notify shouldn't be possible */
7921 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
7926 * For these tests the client has sent close_notify but it has not yet
7927 * been received by the server. The server has not sent close_notify
7930 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
7932 * Writing on the server after sending close_notify shouldn't
7935 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7936 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
7937 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7938 || !TEST_true(SSL_SESSION_is_resumable(sess))
7939 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
7941 } else if (tst == 4 || tst == 5) {
7943 * In this test the client has sent close_notify and it has been
7944 * received by the server which has responded with a close_notify. The
7945 * client needs to read the close_notify sent by the server.
7947 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
7948 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7949 || !TEST_true(SSL_SESSION_is_resumable(sess)))
7955 * The client has sent close_notify and is expecting a close_notify
7956 * back, but instead there is application data first. The shutdown
7957 * should fail with a fatal error.
7959 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
7960 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
7967 SSL_free(serverssl);
7968 SSL_free(clientssl);
7975 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
7976 static int cert_cb_cnt;
7978 static int cert_cb(SSL *s, void *arg)
7980 SSL_CTX *ctx = (SSL_CTX *)arg;
7982 EVP_PKEY *pkey = NULL;
7983 X509 *x509 = NULL, *rootx = NULL;
7984 STACK_OF(X509) *chain = NULL;
7985 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
7988 if (cert_cb_cnt == 0) {
7989 /* Suspend the handshake */
7992 } else if (cert_cb_cnt == 1) {
7994 * Update the SSL_CTX, set the certificate and private key and then
7995 * continue the handshake normally.
7997 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
8000 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
8001 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
8003 || !TEST_true(SSL_check_private_key(s)))
8007 } else if (cert_cb_cnt == 3) {
8010 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
8011 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8012 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8013 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
8015 chain = sk_X509_new_null();
8016 if (!TEST_ptr(chain))
8018 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8019 || !TEST_int_gt(BIO_read_filename(in, rootfile), 0)
8020 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
8021 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
8022 || !TEST_true(sk_X509_push(chain, rootx)))
8026 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8027 || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0)
8028 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
8029 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
8032 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8033 || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0)
8034 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
8038 rv = SSL_check_chain(s, x509, pkey, chain);
8040 * If the cert doesn't show as valid here (e.g., because we don't
8041 * have any shared sigalgs), then we will not set it, and there will
8042 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8043 * will cause tls_choose_sigalgs() to fail the connection.
8045 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
8046 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
8047 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
8054 /* Abort the handshake */
8056 OPENSSL_free(ecdsacert);
8057 OPENSSL_free(ecdsakey);
8058 OPENSSL_free(rootfile);
8060 EVP_PKEY_free(pkey);
8063 OSSL_STACK_OF_X509_free(chain);
8068 * Test the certificate callback.
8069 * Test 0: Callback fails
8070 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8071 * Test 2: Success - SSL_set_SSL_CTX() in the callback
8072 * Test 3: Success - Call SSL_check_chain from the callback
8073 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8075 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
8077 static int test_cert_cb_int(int prot, int tst)
8079 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
8080 SSL *clientssl = NULL, *serverssl = NULL;
8081 int testresult = 0, ret;
8083 #ifdef OPENSSL_NO_EC
8084 /* We use an EC cert in these tests, so we skip in a no-ec build */
8089 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8090 TLS_client_method(),
8093 &sctx, &cctx, NULL, NULL)))
8104 snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
8105 if (!TEST_ptr(snictx))
8109 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
8111 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8117 * We cause SSL_check_chain() to fail by specifying sig_algs that
8118 * the chain doesn't meet (the root uses an RSA cert)
8120 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8121 "ecdsa_secp256r1_sha256")))
8123 } else if (tst == 5) {
8125 * We cause SSL_check_chain() to fail by specifying sig_algs that
8126 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8128 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8129 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8133 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
8134 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
8136 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
8143 SSL_free(serverssl);
8144 SSL_free(clientssl);
8147 SSL_CTX_free(snictx);
8153 static int test_cert_cb(int tst)
8157 #ifndef OPENSSL_NO_TLS1_2
8158 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
8160 #ifndef OSSL_NO_USABLE_TLS1_3
8161 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
8167 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
8172 BIO *priv_in = NULL;
8174 /* Check that SSL_get0_peer_certificate() returns something sensible */
8175 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
8178 in = BIO_new_file(cert, "r");
8182 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
8183 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
8184 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
8185 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
8203 static int test_client_cert_cb(int tst)
8205 SSL_CTX *cctx = NULL, *sctx = NULL;
8206 SSL *clientssl = NULL, *serverssl = NULL;
8209 #ifdef OPENSSL_NO_TLS1_2
8213 #ifdef OSSL_NO_USABLE_TLS1_3
8218 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8219 TLS_client_method(),
8221 tst == 0 ? TLS1_2_VERSION
8223 &sctx, &cctx, cert, privkey)))
8227 * Test that setting a client_cert_cb results in a client certificate being
8230 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
8231 SSL_CTX_set_verify(sctx,
8232 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
8235 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8237 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8244 SSL_free(serverssl);
8245 SSL_free(clientssl);
8252 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8254 * Test setting certificate authorities on both client and server.
8256 * Test 0: SSL_CTX_set0_CA_list() only
8257 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
8258 * Test 2: Only SSL_CTX_set_client_CA_list()
8260 static int test_ca_names_int(int prot, int tst)
8262 SSL_CTX *cctx = NULL, *sctx = NULL;
8263 SSL *clientssl = NULL, *serverssl = NULL;
8266 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
8267 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
8268 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
8269 const STACK_OF(X509_NAME) *sktmp = NULL;
8271 for (i = 0; i < OSSL_NELEM(name); i++) {
8272 name[i] = X509_NAME_new();
8273 if (!TEST_ptr(name[i])
8274 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
8282 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8283 TLS_client_method(),
8286 &sctx, &cctx, cert, privkey)))
8289 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
8291 if (tst == 0 || tst == 1) {
8292 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8293 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
8294 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
8295 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8296 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
8297 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
8300 SSL_CTX_set0_CA_list(sctx, sk1);
8301 SSL_CTX_set0_CA_list(cctx, sk2);
8304 if (tst == 1 || tst == 2) {
8305 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8306 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
8307 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
8308 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8309 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
8310 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
8313 SSL_CTX_set_client_CA_list(sctx, sk1);
8314 SSL_CTX_set_client_CA_list(cctx, sk2);
8318 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8320 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8325 * We only expect certificate authorities to have been sent to the server
8326 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
8328 sktmp = SSL_get0_peer_CA_list(serverssl);
8329 if (prot == TLS1_3_VERSION
8330 && (tst == 0 || tst == 1)) {
8331 if (!TEST_ptr(sktmp)
8332 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8333 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8335 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8338 } else if (!TEST_ptr_null(sktmp)) {
8343 * In all tests we expect certificate authorities to have been sent to the
8344 * client. However, SSL_set_client_CA_list() should override
8345 * SSL_set0_CA_list()
8347 sktmp = SSL_get0_peer_CA_list(clientssl);
8348 if (!TEST_ptr(sktmp)
8349 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8350 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8351 name[tst == 0 ? 0 : 2]), 0)
8352 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8353 name[tst == 0 ? 1 : 3]), 0))
8359 SSL_free(serverssl);
8360 SSL_free(clientssl);
8363 for (i = 0; i < OSSL_NELEM(name); i++)
8364 X509_NAME_free(name[i]);
8365 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
8366 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
8372 static int test_ca_names(int tst)
8376 #ifndef OPENSSL_NO_TLS1_2
8377 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
8379 #ifndef OSSL_NO_USABLE_TLS1_3
8380 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
8386 #ifndef OPENSSL_NO_TLS1_2
8387 static const char *multiblock_cipherlist_data[]=
8395 /* Reduce the fragment size - so the multiblock test buffer can be small */
8396 # define MULTIBLOCK_FRAGSIZE 512
8398 static int test_multiblock_write(int test_index)
8400 static const char *fetchable_ciphers[]=
8402 "AES-128-CBC-HMAC-SHA1",
8403 "AES-128-CBC-HMAC-SHA256",
8404 "AES-256-CBC-HMAC-SHA1",
8405 "AES-256-CBC-HMAC-SHA256"
8407 const char *cipherlist = multiblock_cipherlist_data[test_index];
8408 const SSL_METHOD *smeth = TLS_server_method();
8409 const SSL_METHOD *cmeth = TLS_client_method();
8410 int min_version = TLS1_VERSION;
8411 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
8412 SSL_CTX *cctx = NULL, *sctx = NULL;
8413 SSL *clientssl = NULL, *serverssl = NULL;
8417 * Choose a buffer large enough to perform a multi-block operation
8418 * i.e: write_len >= 4 * frag_size
8419 * 9 * is chosen so that multiple multiblocks are used + some leftover.
8421 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
8422 unsigned char buf[sizeof(msg)], *p = buf;
8423 size_t readbytes, written, len;
8424 EVP_CIPHER *ciph = NULL;
8427 * Check if the cipher exists before attempting to use it since it only has
8428 * a hardware specific implementation.
8430 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
8432 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
8435 EVP_CIPHER_free(ciph);
8437 /* Set up a buffer with some data that will be sent to the client */
8438 RAND_bytes(msg, sizeof(msg));
8440 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
8441 max_version, &sctx, &cctx, cert,
8445 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
8448 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8452 /* settings to force it to use AES-CBC-HMAC_SHA */
8453 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
8454 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
8457 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8460 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8461 || !TEST_size_t_eq(written, sizeof(msg)))
8466 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
8471 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
8476 SSL_free(serverssl);
8477 SSL_free(clientssl);
8483 #endif /* OPENSSL_NO_TLS1_2 */
8485 static int test_session_timeout(int test)
8488 * Test session ordering and timeout
8489 * Can't explicitly test performance of the new code,
8490 * but can test to see if the ordering of the sessions
8491 * are correct, and they they are removed as expected
8493 SSL_SESSION *early = NULL;
8494 SSL_SESSION *middle = NULL;
8495 SSL_SESSION *late = NULL;
8498 long now = (long)time(NULL);
8501 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
8502 || !TEST_ptr(early = SSL_SESSION_new())
8503 || !TEST_ptr(middle = SSL_SESSION_new())
8504 || !TEST_ptr(late = SSL_SESSION_new()))
8507 /* assign unique session ids */
8508 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8509 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
8510 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8511 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
8512 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8513 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
8515 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8516 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8517 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8520 /* Make sure they are all added */
8521 if (!TEST_ptr(early->prev)
8522 || !TEST_ptr(middle->prev)
8523 || !TEST_ptr(late->prev))
8526 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
8527 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
8528 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
8531 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
8532 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
8533 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
8536 /* Make sure they are all still there */
8537 if (!TEST_ptr(early->prev)
8538 || !TEST_ptr(middle->prev)
8539 || !TEST_ptr(late->prev))
8542 /* Make sure they are in the expected order */
8543 if (!TEST_ptr_eq(late->next, middle)
8544 || !TEST_ptr_eq(middle->next, early)
8545 || !TEST_ptr_eq(early->prev, middle)
8546 || !TEST_ptr_eq(middle->prev, late))
8549 /* This should remove "early" */
8550 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1);
8551 if (!TEST_ptr_null(early->prev)
8552 || !TEST_ptr(middle->prev)
8553 || !TEST_ptr(late->prev))
8556 /* This should remove "middle" */
8557 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1);
8558 if (!TEST_ptr_null(early->prev)
8559 || !TEST_ptr_null(middle->prev)
8560 || !TEST_ptr(late->prev))
8563 /* This should remove "late" */
8564 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11);
8565 if (!TEST_ptr_null(early->prev)
8566 || !TEST_ptr_null(middle->prev)
8567 || !TEST_ptr_null(late->prev))
8570 /* Add them back in again */
8571 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8572 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8573 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8576 /* Make sure they are all added */
8577 if (!TEST_ptr(early->prev)
8578 || !TEST_ptr(middle->prev)
8579 || !TEST_ptr(late->prev))
8582 /* This should remove all of them */
8583 SSL_CTX_flush_sessions(ctx, 0);
8584 if (!TEST_ptr_null(early->prev)
8585 || !TEST_ptr_null(middle->prev)
8586 || !TEST_ptr_null(late->prev))
8589 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
8590 | SSL_CTX_get_session_cache_mode(ctx));
8592 /* make sure |now| is NOT equal to the current time */
8594 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
8595 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8596 || !TEST_long_ne(SSL_SESSION_get_time(early), now))
8602 SSL_SESSION_free(early);
8603 SSL_SESSION_free(middle);
8604 SSL_SESSION_free(late);
8609 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
8610 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
8611 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
8612 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
8613 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
8614 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
8615 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
8616 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
8617 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
8618 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
8620 static int test_servername(int tst)
8622 SSL_CTX *cctx = NULL, *sctx = NULL;
8623 SSL *clientssl = NULL, *serverssl = NULL;
8625 SSL_SESSION *sess = NULL;
8626 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
8628 #ifdef OPENSSL_NO_TLS1_2
8632 #ifdef OSSL_NO_USABLE_TLS1_3
8637 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8638 TLS_client_method(),
8640 (tst <= 4) ? TLS1_2_VERSION
8642 &sctx, &cctx, cert, privkey))
8643 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8647 if (tst != 1 && tst != 6) {
8648 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
8653 if (tst != 3 && tst != 8) {
8654 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
8656 sexpectedhost = cexpectedhost = "goodhost";
8659 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8662 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
8664 || !TEST_str_eq(SSL_get_servername(serverssl,
8665 TLSEXT_NAMETYPE_host_name),
8669 /* Now repeat with a resumption handshake */
8671 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
8672 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
8673 || !TEST_true(SSL_SESSION_is_resumable(sess))
8674 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
8677 SSL_free(clientssl);
8678 SSL_free(serverssl);
8679 clientssl = serverssl = NULL;
8681 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8685 if (!TEST_true(SSL_set_session(clientssl, sess)))
8688 sexpectedhost = cexpectedhost = "goodhost";
8689 if (tst == 2 || tst == 7) {
8690 /* Set an inconsistent hostname */
8691 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
8694 * In TLSv1.2 we expect the hostname from the original handshake, in
8695 * TLSv1.3 we expect the hostname from this handshake
8698 sexpectedhost = cexpectedhost = "altgoodhost";
8700 if (!TEST_str_eq(SSL_get_servername(clientssl,
8701 TLSEXT_NAMETYPE_host_name),
8704 } else if (tst == 4 || tst == 9) {
8706 * A TLSv1.3 session does not associate a session with a servername,
8707 * but a TLSv1.2 session does.
8710 sexpectedhost = cexpectedhost = NULL;
8712 if (!TEST_str_eq(SSL_get_servername(clientssl,
8713 TLSEXT_NAMETYPE_host_name),
8717 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
8720 * In a TLSv1.2 resumption where the hostname was not acknowledged
8721 * we expect the hostname on the server to be empty. On the client we
8722 * return what was requested in this case.
8724 * Similarly if the client didn't set a hostname on an original TLSv1.2
8725 * session but is now, the server hostname will be empty, but the client
8728 if (tst == 1 || tst == 3)
8729 sexpectedhost = NULL;
8731 if (!TEST_str_eq(SSL_get_servername(clientssl,
8732 TLSEXT_NAMETYPE_host_name),
8737 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8740 if (!TEST_true(SSL_session_reused(clientssl))
8741 || !TEST_true(SSL_session_reused(serverssl))
8742 || !TEST_str_eq(SSL_get_servername(clientssl,
8743 TLSEXT_NAMETYPE_host_name),
8745 || !TEST_str_eq(SSL_get_servername(serverssl,
8746 TLSEXT_NAMETYPE_host_name),
8753 SSL_SESSION_free(sess);
8754 SSL_free(serverssl);
8755 SSL_free(clientssl);
8762 #if !defined(OPENSSL_NO_EC) \
8763 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
8765 * Test that if signature algorithms are not available, then we do not offer or
8767 * Test 0: Two RSA sig algs available: both RSA sig algs shared
8768 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
8769 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
8770 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
8771 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
8772 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
8774 static int test_sigalgs_available(int idx)
8776 SSL_CTX *cctx = NULL, *sctx = NULL;
8777 SSL *clientssl = NULL, *serverssl = NULL;
8779 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
8780 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
8781 OSSL_PROVIDER *filterprov = NULL;
8784 if (!TEST_ptr(tmpctx))
8787 if (idx != 0 && idx != 3) {
8788 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
8789 filter_provider_init)))
8792 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
8793 if (!TEST_ptr(filterprov))
8798 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
8799 * or accepted for the peer that uses this libctx. Note that libssl
8800 * *requires* SHA2-256 to be available so we cannot disable that. We
8801 * also need SHA1 for our certificate.
8803 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
8807 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
8809 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
8814 if (idx == 1 || idx == 4)
8820 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
8821 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
8822 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
8826 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8827 TLS_client_method(),
8830 &sctx, &cctx, cert, privkey)))
8833 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8834 TLS_client_method(),
8837 &sctx, &cctx, cert2, privkey2)))
8841 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
8843 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8844 "ECDHE-RSA-AES128-GCM-SHA256")))
8847 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8848 "ECDHE-ECDSA-AES128-GCM-SHA256")))
8853 if (!SSL_CTX_set1_sigalgs_list(cctx,
8854 "rsa_pss_rsae_sha384"
8855 ":rsa_pss_rsae_sha256")
8856 || !SSL_CTX_set1_sigalgs_list(sctx,
8857 "rsa_pss_rsae_sha384"
8858 ":rsa_pss_rsae_sha256"))
8861 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
8862 || !SSL_CTX_set1_sigalgs_list(sctx,
8863 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
8868 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
8869 SSL_FILETYPE_PEM), 1)
8870 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
8872 SSL_FILETYPE_PEM), 1)
8873 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
8876 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8880 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8883 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
8884 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
8886 (idx == 0 || idx == 3) ? 2 : 1))
8889 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
8892 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
8896 testresult = filter_provider_check_clean_finish();
8899 SSL_free(serverssl);
8900 SSL_free(clientssl);
8903 OSSL_PROVIDER_unload(filterprov);
8904 OSSL_LIB_CTX_free(tmpctx);
8909 * !defined(OPENSSL_NO_EC) \
8910 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
8913 #ifndef OPENSSL_NO_TLS1_3
8914 /* This test can run in TLSv1.3 even if ec and dh are disabled */
8915 static int test_pluggable_group(int idx)
8917 SSL_CTX *cctx = NULL, *sctx = NULL;
8918 SSL *clientssl = NULL, *serverssl = NULL;
8920 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
8921 /* Check that we are not impacted by a provider without any groups */
8922 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
8923 const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
8925 if (!TEST_ptr(tlsprov))
8928 if (legacyprov == NULL) {
8930 * In this case we assume we've been built with "no-legacy" and skip
8931 * this test (there is no OPENSSL_NO_LEGACY)
8937 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8938 TLS_client_method(),
8941 &sctx, &cctx, cert, privkey))
8942 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8946 if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
8947 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
8950 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8953 if (!TEST_str_eq(group_name,
8954 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
8960 SSL_free(serverssl);
8961 SSL_free(clientssl);
8964 OSSL_PROVIDER_unload(tlsprov);
8965 OSSL_PROVIDER_unload(legacyprov);
8971 #ifndef OPENSSL_NO_TLS1_2
8972 static int test_ssl_dup(void)
8974 SSL_CTX *cctx = NULL, *sctx = NULL;
8975 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
8977 BIO *rbio = NULL, *wbio = NULL;
8979 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8980 TLS_client_method(),
8983 &sctx, &cctx, cert, privkey)))
8986 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8990 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
8991 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
8994 client2ssl = SSL_dup(clientssl);
8995 rbio = SSL_get_rbio(clientssl);
8997 || !TEST_true(BIO_up_ref(rbio)))
8999 SSL_set0_rbio(client2ssl, rbio);
9002 wbio = SSL_get_wbio(clientssl);
9003 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
9005 SSL_set0_wbio(client2ssl, wbio);
9008 if (!TEST_ptr(client2ssl)
9009 /* Handshake not started so pointers should be different */
9010 || !TEST_ptr_ne(clientssl, client2ssl))
9013 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
9014 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
9017 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
9020 SSL_free(clientssl);
9021 clientssl = SSL_dup(client2ssl);
9022 if (!TEST_ptr(clientssl)
9023 /* Handshake has finished so pointers should be the same */
9024 || !TEST_ptr_eq(clientssl, client2ssl))
9030 SSL_free(serverssl);
9031 SSL_free(clientssl);
9032 SSL_free(client2ssl);
9039 # ifndef OPENSSL_NO_DH
9041 static EVP_PKEY *tmp_dh_params = NULL;
9043 /* Helper function for the test_set_tmp_dh() tests */
9044 static EVP_PKEY *get_tmp_dh_params(void)
9046 if (tmp_dh_params == NULL) {
9048 OSSL_PARAM_BLD *tmpl = NULL;
9049 EVP_PKEY_CTX *pctx = NULL;
9050 OSSL_PARAM *params = NULL;
9051 EVP_PKEY *dhpkey = NULL;
9053 p = BN_get_rfc3526_prime_2048(NULL);
9057 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
9059 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
9062 tmpl = OSSL_PARAM_BLD_new();
9064 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
9065 OSSL_PKEY_PARAM_FFC_P,
9067 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
9068 OSSL_PKEY_PARAM_FFC_G,
9072 params = OSSL_PARAM_BLD_to_param(tmpl);
9073 if (!TEST_ptr(params)
9074 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
9075 EVP_PKEY_KEY_PARAMETERS,
9079 tmp_dh_params = dhpkey;
9082 EVP_PKEY_CTX_free(pctx);
9083 OSSL_PARAM_BLD_free(tmpl);
9084 OSSL_PARAM_free(params);
9087 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
9090 return tmp_dh_params;
9093 # ifndef OPENSSL_NO_DEPRECATED_3_0
9094 /* Callback used by test_set_tmp_dh() */
9095 static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
9097 EVP_PKEY *dhpkey = get_tmp_dh_params();
9100 if (!TEST_ptr(dhpkey))
9104 * libssl does not free the returned DH, so we free it now knowing that even
9105 * after we free dhpkey, there will still be a reference to the owning
9106 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
9107 * of time we need it for.
9109 ret = EVP_PKEY_get1_DH(dhpkey);
9112 EVP_PKEY_free(dhpkey);
9119 * Test the various methods for setting temporary DH parameters
9121 * Test 0: Default (no auto) setting
9122 * Test 1: Explicit SSL_CTX auto off
9123 * Test 2: Explicit SSL auto off
9124 * Test 3: Explicit SSL_CTX auto on
9125 * Test 4: Explicit SSL auto on
9126 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
9127 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
9129 * The following are testing deprecated APIs, so we only run them if available
9130 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
9131 * Test 8: Explicit SSL auto off, custom DH params via DH
9132 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
9133 * Test 10: Explicit SSL auto off, custom DH params via callback
9135 static int test_set_tmp_dh(int idx)
9137 SSL_CTX *cctx = NULL, *sctx = NULL;
9138 SSL *clientssl = NULL, *serverssl = NULL;
9140 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
9141 int expected = (idx <= 2) ? 0 : 1;
9142 EVP_PKEY *dhpkey = NULL;
9143 # ifndef OPENSSL_NO_DEPRECATED_3_0
9151 if (idx >= 5 && idx <= 8) {
9152 dhpkey = get_tmp_dh_params();
9153 if (!TEST_ptr(dhpkey))
9156 # ifndef OPENSSL_NO_DEPRECATED_3_0
9157 if (idx == 7 || idx == 8) {
9158 dh = EVP_PKEY_get1_DH(dhpkey);
9164 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9165 TLS_client_method(),
9168 &sctx, &cctx, cert, privkey)))
9171 if ((idx & 1) == 1) {
9172 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
9177 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
9181 # ifndef OPENSSL_NO_DEPRECATED_3_0
9182 else if (idx == 7) {
9183 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
9185 } else if (idx == 9) {
9186 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
9190 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9194 if ((idx & 1) == 0 && idx != 0) {
9195 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
9199 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
9203 # ifndef OPENSSL_NO_DEPRECATED_3_0
9204 else if (idx == 8) {
9205 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
9207 } else if (idx == 10) {
9208 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
9212 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9213 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9214 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
9218 * If autoon then we should succeed. Otherwise we expect failure because
9219 * there are no parameters
9221 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
9222 SSL_ERROR_NONE), expected))
9228 # ifndef OPENSSL_NO_DEPRECATED_3_0
9231 SSL_free(serverssl);
9232 SSL_free(clientssl);
9235 EVP_PKEY_free(dhpkey);
9241 * Test the auto DH keys are appropriately sized
9243 static int test_dh_auto(int idx)
9245 SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
9246 SSL_CTX *sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9247 SSL *clientssl = NULL, *serverssl = NULL;
9249 EVP_PKEY *tmpkey = NULL;
9250 char *thiscert = NULL, *thiskey = NULL;
9251 size_t expdhsize = 0;
9252 const char *ciphersuite = "DHE-RSA-AES128-SHA";
9254 if (!TEST_ptr(sctx) || !TEST_ptr(cctx))
9259 /* The FIPS provider doesn't support this DH size - so we ignore it */
9264 thiscert = cert1024;
9265 thiskey = privkey1024;
9267 SSL_CTX_set_security_level(sctx, 1);
9268 SSL_CTX_set_security_level(cctx, 1);
9271 /* 2048 bit prime */
9277 thiscert = cert3072;
9278 thiskey = privkey3072;
9282 thiscert = cert4096;
9283 thiskey = privkey4096;
9287 thiscert = cert8192;
9288 thiskey = privkey8192;
9291 /* No certificate cases */
9293 /* The FIPS provider doesn't support this DH size - so we ignore it */
9298 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
9302 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
9306 TEST_error("Invalid text index");
9310 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL,
9314 &sctx, &cctx, thiscert, thiskey)))
9317 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9321 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
9322 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9323 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9324 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
9325 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
9329 * Send the server's first flight. At this point the server has created the
9330 * temporary DH key but hasn't finished using it yet. Once used it is
9331 * removed, so we cannot test it.
9333 if (!TEST_int_le(SSL_connect(clientssl), 0)
9334 || !TEST_int_le(SSL_accept(serverssl), 0))
9337 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
9339 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
9342 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9348 SSL_free(serverssl);
9349 SSL_free(clientssl);
9352 EVP_PKEY_free(tmpkey);
9357 # endif /* OPENSSL_NO_DH */
9358 #endif /* OPENSSL_NO_TLS1_2 */
9360 #ifndef OSSL_NO_USABLE_TLS1_3
9362 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
9363 * that it works even without a certificate configured for the original
9366 static int test_sni_tls13(void)
9368 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
9369 SSL *clientssl = NULL, *serverssl = NULL;
9372 /* Reset callback counter */
9375 /* Create an initial SSL_CTX with no certificate configured */
9376 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9377 if (!TEST_ptr(sctx))
9379 /* Require TLSv1.3 as a minimum */
9380 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9381 TLS_client_method(), TLS1_3_VERSION, 0,
9382 &sctx2, &cctx, cert, privkey)))
9386 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
9387 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
9391 * Connection should still succeed because the final SSL_CTX has the right
9392 * certificates configured.
9394 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9395 &clientssl, NULL, NULL))
9396 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9400 /* We should have had the SNI callback called exactly once */
9401 if (!TEST_int_eq(snicb, 1))
9407 SSL_free(serverssl);
9408 SSL_free(clientssl);
9409 SSL_CTX_free(sctx2);
9416 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
9420 static int test_ticket_lifetime(int idx)
9422 SSL_CTX *cctx = NULL, *sctx = NULL;
9423 SSL *clientssl = NULL, *serverssl = NULL;
9425 int version = TLS1_3_VERSION;
9427 #define ONE_WEEK_SEC (7 * 24 * 60 * 60)
9428 #define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
9431 #ifdef OPENSSL_NO_TLS1_2
9432 return TEST_skip("TLS 1.2 is disabled.");
9434 version = TLS1_2_VERSION;
9438 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9439 TLS_client_method(), version, version,
9440 &sctx, &cctx, cert, privkey)))
9443 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9444 &clientssl, NULL, NULL)))
9448 * Set the timeout to be more than 1 week
9449 * make sure the returned value is the default
9451 if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
9452 SSL_get_default_timeout(serverssl)))
9455 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9459 /* TLSv1.2 uses the set value */
9460 if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC))
9463 /* TLSv1.3 uses the limited value */
9464 if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC))
9470 SSL_free(serverssl);
9471 SSL_free(clientssl);
9478 * Test that setting an ALPN does not violate RFC
9480 static int test_set_alpn(void)
9482 SSL_CTX *ctx = NULL;
9486 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
9487 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
9488 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
9489 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
9490 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
9491 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
9493 /* Create an initial SSL_CTX with no certificate configured */
9494 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9498 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
9499 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
9501 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
9503 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
9505 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
9507 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
9509 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
9511 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
9513 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
9515 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
9522 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
9524 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
9526 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
9528 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
9530 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
9532 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
9534 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
9536 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
9538 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
9550 * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
9552 static int test_set_verify_cert_store_ssl_ctx(void)
9554 SSL_CTX *ctx = NULL;
9556 X509_STORE *store = NULL, *new_store = NULL,
9557 *cstore = NULL, *new_cstore = NULL;
9559 /* Create an initial SSL_CTX. */
9560 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9564 /* Retrieve verify store pointer. */
9565 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
9568 /* Retrieve chain store pointer. */
9569 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
9572 /* We haven't set any yet, so this should be NULL. */
9573 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9576 /* Create stores. We use separate stores so pointers are different. */
9577 new_store = X509_STORE_new();
9578 if (!TEST_ptr(new_store))
9581 new_cstore = X509_STORE_new();
9582 if (!TEST_ptr(new_cstore))
9586 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store)))
9589 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore)))
9592 /* Should be able to retrieve the same pointer. */
9593 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
9596 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
9599 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
9602 /* Should be able to unset again. */
9603 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL)))
9606 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL)))
9609 /* Should now be NULL. */
9610 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
9613 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
9616 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9622 X509_STORE_free(new_store);
9623 X509_STORE_free(new_cstore);
9629 * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store.
9631 static int test_set_verify_cert_store_ssl(void)
9633 SSL_CTX *ctx = NULL;
9636 X509_STORE *store = NULL, *new_store = NULL,
9637 *cstore = NULL, *new_cstore = NULL;
9639 /* Create an initial SSL_CTX. */
9640 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9644 /* Create an SSL object. */
9649 /* Retrieve verify store pointer. */
9650 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
9653 /* Retrieve chain store pointer. */
9654 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
9657 /* We haven't set any yet, so this should be NULL. */
9658 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9661 /* Create stores. We use separate stores so pointers are different. */
9662 new_store = X509_STORE_new();
9663 if (!TEST_ptr(new_store))
9666 new_cstore = X509_STORE_new();
9667 if (!TEST_ptr(new_cstore))
9671 if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store)))
9674 if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore)))
9677 /* Should be able to retrieve the same pointer. */
9678 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
9681 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
9684 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
9687 /* Should be able to unset again. */
9688 if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL)))
9691 if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL)))
9694 /* Should now be NULL. */
9695 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
9698 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
9701 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9707 X509_STORE_free(new_store);
9708 X509_STORE_free(new_cstore);
9715 static int test_inherit_verify_param(void)
9719 SSL_CTX *ctx = NULL;
9720 X509_VERIFY_PARAM *cp = NULL;
9722 X509_VERIFY_PARAM *sp = NULL;
9723 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
9725 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9729 cp = SSL_CTX_get0_param(ctx);
9732 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
9735 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
9741 sp = SSL_get0_param(ssl);
9744 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
9756 static int test_load_dhfile(void)
9758 #ifndef OPENSSL_NO_DH
9761 SSL_CTX *ctx = NULL;
9762 SSL_CONF_CTX *cctx = NULL;
9767 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()))
9768 || !TEST_ptr(cctx = SSL_CONF_CTX_new()))
9771 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
9772 SSL_CONF_CTX_set_flags(cctx,
9773 SSL_CONF_FLAG_CERTIFICATE
9774 | SSL_CONF_FLAG_SERVER
9775 | SSL_CONF_FLAG_FILE);
9777 if (!TEST_int_eq(SSL_CONF_cmd(cctx, "DHParameters", dhfile), 2))
9782 SSL_CONF_CTX_free(cctx);
9787 return TEST_skip("DH not supported by this build");
9791 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
9793 int setup_tests(void)
9798 libctx = OSSL_LIB_CTX_new();
9799 if (!TEST_ptr(libctx))
9802 defctxnull = OSSL_PROVIDER_load(NULL, "null");
9805 * Verify that the default and fips providers in the default libctx are not
9808 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
9809 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
9812 if (!test_skip_common_options()) {
9813 TEST_error("Error parsing test options\n");
9817 if (!TEST_ptr(certsdir = test_get_argument(0))
9818 || !TEST_ptr(srpvfile = test_get_argument(1))
9819 || !TEST_ptr(tmpfilename = test_get_argument(2))
9820 || !TEST_ptr(modulename = test_get_argument(3))
9821 || !TEST_ptr(configfile = test_get_argument(4))
9822 || !TEST_ptr(dhfile = test_get_argument(5)))
9825 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
9828 /* Check we have the expected provider available */
9829 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
9832 /* Check the default provider is not available */
9833 if (strcmp(modulename, "default") != 0
9834 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
9837 if (strcmp(modulename, "fips") == 0)
9841 * We add, but don't load the test "tls-provider". We'll load it when we
9844 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
9845 tls_provider_init)))
9849 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
9850 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
9851 TEST_error("not supported in this build");
9854 int i, mcount, rcount, fcount;
9856 for (i = 0; i < 4; i++)
9857 test_export_key_mat(i);
9858 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
9859 test_printf_stdout("malloc %d realloc %d free %d\n",
9860 mcount, rcount, fcount);
9865 cert = test_mk_file_path(certsdir, "servercert.pem");
9869 privkey = test_mk_file_path(certsdir, "serverkey.pem");
9870 if (privkey == NULL)
9873 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
9877 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
9878 if (privkey2 == NULL)
9881 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
9882 if (cert1024 == NULL)
9885 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
9886 if (privkey1024 == NULL)
9889 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
9890 if (cert3072 == NULL)
9893 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
9894 if (privkey3072 == NULL)
9897 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
9898 if (cert4096 == NULL)
9901 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
9902 if (privkey4096 == NULL)
9905 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
9906 if (cert8192 == NULL)
9909 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
9910 if (privkey8192 == NULL)
9913 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
9914 # if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
9915 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
9916 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS);
9919 ADD_TEST(test_large_message_tls);
9920 ADD_TEST(test_large_message_tls_read_ahead);
9921 #ifndef OPENSSL_NO_DTLS
9922 ADD_TEST(test_large_message_dtls);
9924 ADD_TEST(test_cleanse_plaintext);
9925 #ifndef OPENSSL_NO_OCSP
9926 ADD_TEST(test_tlsext_status_type);
9928 ADD_TEST(test_session_with_only_int_cache);
9929 ADD_TEST(test_session_with_only_ext_cache);
9930 ADD_TEST(test_session_with_both_cache);
9931 ADD_TEST(test_session_wo_ca_names);
9932 #ifndef OSSL_NO_USABLE_TLS1_3
9933 ADD_ALL_TESTS(test_stateful_tickets, 3);
9934 ADD_ALL_TESTS(test_stateless_tickets, 3);
9935 ADD_TEST(test_psk_tickets);
9936 ADD_ALL_TESTS(test_extra_tickets, 6);
9938 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9939 ADD_TEST(test_ssl_bio_pop_next_bio);
9940 ADD_TEST(test_ssl_bio_pop_ssl_bio);
9941 ADD_TEST(test_ssl_bio_change_rbio);
9942 ADD_TEST(test_ssl_bio_change_wbio);
9943 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
9944 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
9945 ADD_TEST(test_keylog);
9947 #ifndef OSSL_NO_USABLE_TLS1_3
9948 ADD_TEST(test_keylog_no_master_key);
9950 ADD_TEST(test_client_cert_verify_cb);
9951 ADD_TEST(test_ssl_build_cert_chain);
9952 ADD_TEST(test_ssl_ctx_build_cert_chain);
9953 #ifndef OPENSSL_NO_TLS1_2
9954 ADD_TEST(test_client_hello_cb);
9955 ADD_TEST(test_no_ems);
9956 ADD_TEST(test_ccs_change_cipher);
9958 #ifndef OSSL_NO_USABLE_TLS1_3
9959 ADD_ALL_TESTS(test_early_data_read_write, 3);
9961 * We don't do replay tests for external PSK. Replay protection isn't used
9964 ADD_ALL_TESTS(test_early_data_replay, 2);
9965 ADD_ALL_TESTS(test_early_data_skip, 3);
9966 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
9967 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
9968 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
9969 ADD_ALL_TESTS(test_early_data_not_sent, 3);
9970 ADD_ALL_TESTS(test_early_data_psk, 8);
9971 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
9972 ADD_ALL_TESTS(test_early_data_not_expected, 3);
9973 # ifndef OPENSSL_NO_TLS1_2
9974 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
9977 #ifndef OSSL_NO_USABLE_TLS1_3
9978 ADD_ALL_TESTS(test_set_ciphersuite, 10);
9979 ADD_TEST(test_ciphersuite_change);
9980 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
9981 # ifdef OPENSSL_NO_PSK
9982 ADD_ALL_TESTS(test_tls13_psk, 1);
9984 ADD_ALL_TESTS(test_tls13_psk, 4);
9985 # endif /* OPENSSL_NO_PSK */
9986 # ifndef OPENSSL_NO_TLS1_2
9987 /* Test with both TLSv1.3 and 1.2 versions */
9988 ADD_ALL_TESTS(test_key_exchange, 14);
9989 # if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
9990 ADD_ALL_TESTS(test_negotiated_group,
9991 4 * (OSSL_NELEM(ecdhe_kexch_groups)
9992 + OSSL_NELEM(ffdhe_kexch_groups)));
9995 /* Test with only TLSv1.3 versions */
9996 ADD_ALL_TESTS(test_key_exchange, 12);
9998 ADD_ALL_TESTS(test_custom_exts, 6);
9999 ADD_TEST(test_stateless);
10000 ADD_TEST(test_pha_key_update);
10002 ADD_ALL_TESTS(test_custom_exts, 3);
10004 ADD_ALL_TESTS(test_serverinfo, 8);
10005 ADD_ALL_TESTS(test_export_key_mat, 6);
10006 #ifndef OSSL_NO_USABLE_TLS1_3
10007 ADD_ALL_TESTS(test_export_key_mat_early, 3);
10008 ADD_TEST(test_key_update);
10009 ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
10010 ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
10011 ADD_ALL_TESTS(test_key_update_local_in_write, 2);
10012 ADD_ALL_TESTS(test_key_update_local_in_read, 2);
10014 ADD_ALL_TESTS(test_ssl_clear, 2);
10015 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
10016 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
10017 ADD_ALL_TESTS(test_srp, 6);
10019 ADD_ALL_TESTS(test_info_callback, 6);
10020 ADD_ALL_TESTS(test_ssl_pending, 2);
10021 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
10022 ADD_ALL_TESTS(test_ticket_callbacks, 16);
10023 ADD_ALL_TESTS(test_shutdown, 7);
10024 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
10025 ADD_ALL_TESTS(test_cert_cb, 6);
10026 ADD_ALL_TESTS(test_client_cert_cb, 2);
10027 ADD_ALL_TESTS(test_ca_names, 3);
10028 #ifndef OPENSSL_NO_TLS1_2
10029 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
10031 ADD_ALL_TESTS(test_servername, 10);
10032 #if !defined(OPENSSL_NO_EC) \
10033 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
10034 ADD_ALL_TESTS(test_sigalgs_available, 6);
10036 #ifndef OPENSSL_NO_TLS1_3
10037 ADD_ALL_TESTS(test_pluggable_group, 2);
10039 #ifndef OPENSSL_NO_TLS1_2
10040 ADD_TEST(test_ssl_dup);
10041 # ifndef OPENSSL_NO_DH
10042 ADD_ALL_TESTS(test_set_tmp_dh, 11);
10043 ADD_ALL_TESTS(test_dh_auto, 7);
10046 #ifndef OSSL_NO_USABLE_TLS1_3
10047 ADD_TEST(test_sni_tls13);
10048 ADD_ALL_TESTS(test_ticket_lifetime, 2);
10050 ADD_TEST(test_inherit_verify_param);
10051 ADD_TEST(test_set_alpn);
10052 ADD_TEST(test_set_verify_cert_store_ssl_ctx);
10053 ADD_TEST(test_set_verify_cert_store_ssl);
10054 ADD_ALL_TESTS(test_session_timeout, 1);
10055 ADD_TEST(test_load_dhfile);
10059 OPENSSL_free(cert);
10060 OPENSSL_free(privkey);
10061 OPENSSL_free(cert2);
10062 OPENSSL_free(privkey2);
10066 void cleanup_tests(void)
10068 # if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
10069 EVP_PKEY_free(tmp_dh_params);
10071 OPENSSL_free(cert);
10072 OPENSSL_free(privkey);
10073 OPENSSL_free(cert2);
10074 OPENSSL_free(privkey2);
10075 OPENSSL_free(cert1024);
10076 OPENSSL_free(privkey1024);
10077 OPENSSL_free(cert3072);
10078 OPENSSL_free(privkey3072);
10079 OPENSSL_free(cert4096);
10080 OPENSSL_free(privkey4096);
10081 OPENSSL_free(cert8192);
10082 OPENSSL_free(privkey8192);
10083 bio_s_mempacket_test_free();
10084 bio_s_always_retry_free();
10085 OSSL_PROVIDER_unload(defctxnull);
10086 OSSL_LIB_CTX_free(libctx);
projects / openssl.git / blob