2 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/core_dispatch.h>
32 #include <openssl/provider.h>
34 #include "ssltestlib.h"
36 #include "testutil/output.h"
37 #include "internal/nelem.h"
38 #include "internal/ktls.h"
39 #include "../ssl/ssl_local.h"
41 /* Defined in filterprov.c */
42 OSSL_provider_init_fn filter_provider_init;
43 int filter_provider_set_filter(int operation, const char *name);
45 /* Defined in tls-provider.c */
46 int tls_provider_init(const OSSL_CORE_HANDLE *handle,
47 const OSSL_DISPATCH *in,
48 const OSSL_DISPATCH **out,
50 DEFINE_STACK_OF(OCSP_RESPID)
52 DEFINE_STACK_OF(X509_NAME)
54 static OPENSSL_CTX *libctx = NULL;
55 static OSSL_PROVIDER *defctxnull = NULL;
57 #ifndef OPENSSL_NO_TLS1_3
59 static SSL_SESSION *clientpsk = NULL;
60 static SSL_SESSION *serverpsk = NULL;
61 static const char *pskid = "Identity";
62 static const char *srvid;
64 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
65 size_t *idlen, SSL_SESSION **sess);
66 static int find_session_cb(SSL *ssl, const unsigned char *identity,
67 size_t identity_len, SSL_SESSION **sess);
69 static int use_session_cb_cnt = 0;
70 static int find_session_cb_cnt = 0;
72 static SSL_SESSION *create_a_psk(SSL *ssl);
75 static char *certsdir = NULL;
76 static char *cert = NULL;
77 static char *privkey = NULL;
78 static char *cert2 = NULL;
79 static char *privkey2 = NULL;
80 static char *srpvfile = NULL;
81 static char *tmpfilename = NULL;
83 static int is_fips = 0;
85 #define LOG_BUFFER_SIZE 2048
86 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
87 static size_t server_log_buffer_index = 0;
88 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
89 static size_t client_log_buffer_index = 0;
90 static int error_writing_log = 0;
92 #ifndef OPENSSL_NO_OCSP
93 static const unsigned char orespder[] = "Dummy OCSP Response";
94 static int ocsp_server_called = 0;
95 static int ocsp_client_called = 0;
97 static int cdummyarg = 1;
98 static X509 *ocspcert = NULL;
101 #define NUM_EXTRA_CERTS 40
102 #define CLIENT_VERSION_LEN 2
105 * This structure is used to validate that the correct number of log messages
106 * of various types are emitted when emitting secret logs.
108 struct sslapitest_log_counts {
109 unsigned int rsa_key_exchange_count;
110 unsigned int master_secret_count;
111 unsigned int client_early_secret_count;
112 unsigned int client_handshake_secret_count;
113 unsigned int server_handshake_secret_count;
114 unsigned int client_application_secret_count;
115 unsigned int server_application_secret_count;
116 unsigned int early_exporter_secret_count;
117 unsigned int exporter_secret_count;
121 static unsigned char serverinfov1[] = {
122 0xff, 0xff, /* Dummy extension type */
123 0x00, 0x01, /* Extension length is 1 byte */
124 0xff /* Dummy extension data */
127 static unsigned char serverinfov2[] = {
129 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
130 0xff, 0xff, /* Dummy extension type */
131 0x00, 0x01, /* Extension length is 1 byte */
132 0xff /* Dummy extension data */
135 static int hostname_cb(SSL *s, int *al, void *arg)
137 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
139 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
140 || strcmp(hostname, "altgoodhost") == 0))
141 return SSL_TLSEXT_ERR_OK;
143 return SSL_TLSEXT_ERR_NOACK;
146 static void client_keylog_callback(const SSL *ssl, const char *line)
148 int line_length = strlen(line);
150 /* If the log doesn't fit, error out. */
151 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
152 TEST_info("Client log too full");
153 error_writing_log = 1;
157 strcat(client_log_buffer, line);
158 client_log_buffer_index += line_length;
159 client_log_buffer[client_log_buffer_index++] = '\n';
162 static void server_keylog_callback(const SSL *ssl, const char *line)
164 int line_length = strlen(line);
166 /* If the log doesn't fit, error out. */
167 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
168 TEST_info("Server log too full");
169 error_writing_log = 1;
173 strcat(server_log_buffer, line);
174 server_log_buffer_index += line_length;
175 server_log_buffer[server_log_buffer_index++] = '\n';
178 static int compare_hex_encoded_buffer(const char *hex_encoded,
186 if (!TEST_size_t_eq(raw_length * 2, hex_length))
189 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
190 sprintf(hexed, "%02x", raw[i]);
191 if (!TEST_int_eq(hexed[0], hex_encoded[j])
192 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
199 static int test_keylog_output(char *buffer, const SSL *ssl,
200 const SSL_SESSION *session,
201 struct sslapitest_log_counts *expected)
204 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
205 size_t client_random_size = SSL3_RANDOM_SIZE;
206 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
207 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
208 unsigned int rsa_key_exchange_count = 0;
209 unsigned int master_secret_count = 0;
210 unsigned int client_early_secret_count = 0;
211 unsigned int client_handshake_secret_count = 0;
212 unsigned int server_handshake_secret_count = 0;
213 unsigned int client_application_secret_count = 0;
214 unsigned int server_application_secret_count = 0;
215 unsigned int early_exporter_secret_count = 0;
216 unsigned int exporter_secret_count = 0;
218 for (token = strtok(buffer, " \n"); token != NULL;
219 token = strtok(NULL, " \n")) {
220 if (strcmp(token, "RSA") == 0) {
222 * Premaster secret. Tokens should be: 16 ASCII bytes of
223 * hex-encoded encrypted secret, then the hex-encoded pre-master
226 if (!TEST_ptr(token = strtok(NULL, " \n")))
228 if (!TEST_size_t_eq(strlen(token), 16))
230 if (!TEST_ptr(token = strtok(NULL, " \n")))
233 * We can't sensibly check the log because the premaster secret is
234 * transient, and OpenSSL doesn't keep hold of it once the master
235 * secret is generated.
237 rsa_key_exchange_count++;
238 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
240 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
241 * client random, then the hex-encoded master secret.
243 client_random_size = SSL_get_client_random(ssl,
244 actual_client_random,
246 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
249 if (!TEST_ptr(token = strtok(NULL, " \n")))
251 if (!TEST_size_t_eq(strlen(token), 64))
253 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
254 actual_client_random,
255 client_random_size)))
258 if (!TEST_ptr(token = strtok(NULL, " \n")))
260 master_key_size = SSL_SESSION_get_master_key(session,
263 if (!TEST_size_t_ne(master_key_size, 0))
265 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
269 master_secret_count++;
270 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
271 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
272 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
273 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
274 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
275 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
276 || strcmp(token, "EXPORTER_SECRET") == 0) {
278 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
279 * client random, and then the hex-encoded secret. In this case,
280 * we treat all of these secrets identically and then just
281 * distinguish between them when counting what we saw.
283 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
284 client_early_secret_count++;
285 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
286 client_handshake_secret_count++;
287 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
288 server_handshake_secret_count++;
289 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
290 client_application_secret_count++;
291 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
292 server_application_secret_count++;
293 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
294 early_exporter_secret_count++;
295 else if (strcmp(token, "EXPORTER_SECRET") == 0)
296 exporter_secret_count++;
298 client_random_size = SSL_get_client_random(ssl,
299 actual_client_random,
301 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
304 if (!TEST_ptr(token = strtok(NULL, " \n")))
306 if (!TEST_size_t_eq(strlen(token), 64))
308 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
309 actual_client_random,
310 client_random_size)))
313 if (!TEST_ptr(token = strtok(NULL, " \n")))
317 * TODO(TLS1.3): test that application traffic secrets are what
320 TEST_info("Unexpected token %s\n", token);
325 /* Got what we expected? */
326 if (!TEST_size_t_eq(rsa_key_exchange_count,
327 expected->rsa_key_exchange_count)
328 || !TEST_size_t_eq(master_secret_count,
329 expected->master_secret_count)
330 || !TEST_size_t_eq(client_early_secret_count,
331 expected->client_early_secret_count)
332 || !TEST_size_t_eq(client_handshake_secret_count,
333 expected->client_handshake_secret_count)
334 || !TEST_size_t_eq(server_handshake_secret_count,
335 expected->server_handshake_secret_count)
336 || !TEST_size_t_eq(client_application_secret_count,
337 expected->client_application_secret_count)
338 || !TEST_size_t_eq(server_application_secret_count,
339 expected->server_application_secret_count)
340 || !TEST_size_t_eq(early_exporter_secret_count,
341 expected->early_exporter_secret_count)
342 || !TEST_size_t_eq(exporter_secret_count,
343 expected->exporter_secret_count))
348 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
349 static int test_keylog(void)
351 SSL_CTX *cctx = NULL, *sctx = NULL;
352 SSL *clientssl = NULL, *serverssl = NULL;
354 struct sslapitest_log_counts expected;
356 /* Clean up logging space */
357 memset(&expected, 0, sizeof(expected));
358 memset(client_log_buffer, 0, sizeof(client_log_buffer));
359 memset(server_log_buffer, 0, sizeof(server_log_buffer));
360 client_log_buffer_index = 0;
361 server_log_buffer_index = 0;
362 error_writing_log = 0;
364 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
367 &sctx, &cctx, cert, privkey)))
370 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
371 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
372 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
374 /* We also want to ensure that we use RSA-based key exchange. */
375 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
378 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
379 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
381 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
382 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
383 == client_keylog_callback))
385 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
386 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
387 == server_keylog_callback))
390 /* Now do a handshake and check that the logs have been written to. */
391 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
392 &clientssl, NULL, NULL))
393 || !TEST_true(create_ssl_connection(serverssl, clientssl,
395 || !TEST_false(error_writing_log)
396 || !TEST_int_gt(client_log_buffer_index, 0)
397 || !TEST_int_gt(server_log_buffer_index, 0))
401 * Now we want to test that our output data was vaguely sensible. We
402 * do that by using strtok and confirming that we have more or less the
403 * data we expect. For both client and server, we expect to see one master
404 * secret. The client should also see a RSA key exchange.
406 expected.rsa_key_exchange_count = 1;
407 expected.master_secret_count = 1;
408 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
409 SSL_get_session(clientssl), &expected)))
412 expected.rsa_key_exchange_count = 0;
413 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
414 SSL_get_session(serverssl), &expected)))
429 #ifndef OPENSSL_NO_TLS1_3
430 static int test_keylog_no_master_key(void)
432 SSL_CTX *cctx = NULL, *sctx = NULL;
433 SSL *clientssl = NULL, *serverssl = NULL;
434 SSL_SESSION *sess = NULL;
436 struct sslapitest_log_counts expected;
437 unsigned char buf[1];
438 size_t readbytes, written;
440 /* Clean up logging space */
441 memset(&expected, 0, sizeof(expected));
442 memset(client_log_buffer, 0, sizeof(client_log_buffer));
443 memset(server_log_buffer, 0, sizeof(server_log_buffer));
444 client_log_buffer_index = 0;
445 server_log_buffer_index = 0;
446 error_writing_log = 0;
448 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
449 TLS_client_method(), TLS1_VERSION, 0,
450 &sctx, &cctx, cert, privkey))
451 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
452 SSL3_RT_MAX_PLAIN_LENGTH)))
455 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
456 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
459 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
460 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
461 == client_keylog_callback))
464 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
465 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
466 == server_keylog_callback))
469 /* Now do a handshake and check that the logs have been written to. */
470 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
471 &clientssl, NULL, NULL))
472 || !TEST_true(create_ssl_connection(serverssl, clientssl,
474 || !TEST_false(error_writing_log))
478 * Now we want to test that our output data was vaguely sensible. For this
479 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
480 * TLSv1.3, but we do expect both client and server to emit keys.
482 expected.client_handshake_secret_count = 1;
483 expected.server_handshake_secret_count = 1;
484 expected.client_application_secret_count = 1;
485 expected.server_application_secret_count = 1;
486 expected.exporter_secret_count = 1;
487 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
488 SSL_get_session(clientssl), &expected))
489 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
490 SSL_get_session(serverssl),
494 /* Terminate old session and resume with early data. */
495 sess = SSL_get1_session(clientssl);
496 SSL_shutdown(clientssl);
497 SSL_shutdown(serverssl);
500 serverssl = clientssl = NULL;
503 memset(client_log_buffer, 0, sizeof(client_log_buffer));
504 memset(server_log_buffer, 0, sizeof(server_log_buffer));
505 client_log_buffer_index = 0;
506 server_log_buffer_index = 0;
508 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
509 &clientssl, NULL, NULL))
510 || !TEST_true(SSL_set_session(clientssl, sess))
511 /* Here writing 0 length early data is enough. */
512 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
513 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
515 SSL_READ_EARLY_DATA_ERROR)
516 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
517 SSL_EARLY_DATA_ACCEPTED)
518 || !TEST_true(create_ssl_connection(serverssl, clientssl,
520 || !TEST_true(SSL_session_reused(clientssl)))
523 /* In addition to the previous entries, expect early secrets. */
524 expected.client_early_secret_count = 1;
525 expected.early_exporter_secret_count = 1;
526 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
527 SSL_get_session(clientssl), &expected))
528 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
529 SSL_get_session(serverssl),
536 SSL_SESSION_free(sess);
546 #ifndef OPENSSL_NO_TLS1_2
547 static int full_client_hello_callback(SSL *s, int *al, void *arg)
550 const unsigned char *p;
552 /* We only configure two ciphers, but the SCSV is added automatically. */
554 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
556 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
559 const int expected_extensions[] = {
560 #ifndef OPENSSL_NO_EC
566 /* Make sure we can defer processing and get called back. */
568 return SSL_CLIENT_HELLO_RETRY;
570 len = SSL_client_hello_get0_ciphers(s, &p);
571 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
573 SSL_client_hello_get0_compression_methods(s, &p), 1)
574 || !TEST_int_eq(*p, 0))
575 return SSL_CLIENT_HELLO_ERROR;
576 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
577 return SSL_CLIENT_HELLO_ERROR;
578 if (len != OSSL_NELEM(expected_extensions) ||
579 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
580 printf("ClientHello callback expected extensions mismatch\n");
582 return SSL_CLIENT_HELLO_ERROR;
585 return SSL_CLIENT_HELLO_SUCCESS;
588 static int test_client_hello_cb(void)
590 SSL_CTX *cctx = NULL, *sctx = NULL;
591 SSL *clientssl = NULL, *serverssl = NULL;
592 int testctr = 0, testresult = 0;
594 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
595 TLS_client_method(), TLS1_VERSION, 0,
596 &sctx, &cctx, cert, privkey)))
598 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
600 /* The gimpy cipher list we configure can't do TLS 1.3. */
601 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
603 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
604 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
605 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
606 &clientssl, NULL, NULL))
607 || !TEST_false(create_ssl_connection(serverssl, clientssl,
608 SSL_ERROR_WANT_CLIENT_HELLO_CB))
610 * Passing a -1 literal is a hack since
611 * the real value was lost.
613 || !TEST_int_eq(SSL_get_error(serverssl, -1),
614 SSL_ERROR_WANT_CLIENT_HELLO_CB)
615 || !TEST_true(create_ssl_connection(serverssl, clientssl,
630 static int test_no_ems(void)
632 SSL_CTX *cctx = NULL, *sctx = NULL;
633 SSL *clientssl = NULL, *serverssl = NULL;
636 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
637 TLS1_VERSION, TLS1_2_VERSION,
638 &sctx, &cctx, cert, privkey)) {
639 printf("Unable to create SSL_CTX pair\n");
643 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
645 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
646 printf("Unable to create SSL objects\n");
650 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
651 printf("Creating SSL connection failed\n");
655 if (SSL_get_extms_support(serverssl)) {
656 printf("Server reports Extended Master Secret support\n");
660 if (SSL_get_extms_support(clientssl)) {
661 printf("Client reports Extended Master Secret support\n");
676 * Very focused test to exercise a single case in the server-side state
677 * machine, when the ChangeCipherState message needs to actually change
678 * from one cipher to a different cipher (i.e., not changing from null
679 * encryption to real encryption).
681 static int test_ccs_change_cipher(void)
683 SSL_CTX *cctx = NULL, *sctx = NULL;
684 SSL *clientssl = NULL, *serverssl = NULL;
685 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
692 * Create a conection so we can resume and potentially (but not) use
693 * a different cipher in the second connection.
695 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
697 TLS1_VERSION, TLS1_2_VERSION,
698 &sctx, &cctx, cert, privkey))
699 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
700 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
702 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
703 || !TEST_true(create_ssl_connection(serverssl, clientssl,
705 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
706 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
709 shutdown_ssl_connection(serverssl, clientssl);
710 serverssl = clientssl = NULL;
712 /* Resume, preferring a different cipher. Our server will force the
713 * same cipher to be used as the initial handshake. */
714 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
716 || !TEST_true(SSL_set_session(clientssl, sess))
717 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
718 || !TEST_true(create_ssl_connection(serverssl, clientssl,
720 || !TEST_true(SSL_session_reused(clientssl))
721 || !TEST_true(SSL_session_reused(serverssl))
722 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
723 || !TEST_ptr_eq(sesspre, sesspost)
724 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
725 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
727 shutdown_ssl_connection(serverssl, clientssl);
728 serverssl = clientssl = NULL;
731 * Now create a fresh connection and try to renegotiate a different
734 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
736 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
737 || !TEST_true(create_ssl_connection(serverssl, clientssl,
739 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
740 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
741 || !TEST_true(SSL_renegotiate(clientssl))
742 || !TEST_true(SSL_renegotiate_pending(clientssl)))
744 /* Actually drive the renegotiation. */
745 for (i = 0; i < 3; i++) {
746 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
747 if (!TEST_ulong_eq(readbytes, 0))
749 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
750 SSL_ERROR_WANT_READ)) {
753 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
754 if (!TEST_ulong_eq(readbytes, 0))
756 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
757 SSL_ERROR_WANT_READ)) {
761 /* sesspre and sesspost should be different since the cipher changed. */
762 if (!TEST_false(SSL_renegotiate_pending(clientssl))
763 || !TEST_false(SSL_session_reused(clientssl))
764 || !TEST_false(SSL_session_reused(serverssl))
765 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
766 || !TEST_ptr_ne(sesspre, sesspost)
767 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
768 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
771 shutdown_ssl_connection(serverssl, clientssl);
772 serverssl = clientssl = NULL;
781 SSL_SESSION_free(sess);
787 static int execute_test_large_message(const SSL_METHOD *smeth,
788 const SSL_METHOD *cmeth,
789 int min_version, int max_version,
792 SSL_CTX *cctx = NULL, *sctx = NULL;
793 SSL *clientssl = NULL, *serverssl = NULL;
797 X509 *chaincert = NULL;
800 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
803 if (!TEST_ptr(chaincert = X509_new_with_libctx(libctx, NULL)))
806 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
811 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
812 max_version, &sctx, &cctx, cert,
818 * Test that read_ahead works correctly when dealing with large
821 SSL_CTX_set_read_ahead(cctx, 1);
825 * We assume the supplied certificate is big enough so that if we add
826 * NUM_EXTRA_CERTS it will make the overall message large enough. The
827 * default buffer size is requested to be 16k, but due to the way BUF_MEM
828 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
829 * test we need to have a message larger than that.
831 certlen = i2d_X509(chaincert, NULL);
832 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
833 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
834 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
835 if (!X509_up_ref(chaincert))
837 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
838 X509_free(chaincert);
843 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
845 || !TEST_true(create_ssl_connection(serverssl, clientssl,
850 * Calling SSL_clear() first is not required but this tests that SSL_clear()
853 if (!TEST_true(SSL_clear(serverssl)))
859 X509_free(chaincert);
868 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
869 !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
870 #define TLS_CIPHER_MAX_REC_SEQ_SIZE 8
871 /* sock must be connected */
872 static int ktls_chk_platform(int sock)
874 if (!ktls_enable(sock))
879 static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd, int rec_seq_size)
881 static char count = 1;
882 unsigned char cbuf[16000] = {0};
883 unsigned char sbuf[16000];
885 char crec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
886 char crec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
887 char crec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
888 char crec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
889 char srec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
890 char srec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
891 char srec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
892 char srec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
895 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, rec_seq_size);
896 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, rec_seq_size);
897 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, rec_seq_size);
898 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, rec_seq_size);
900 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
903 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
904 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
909 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
912 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
913 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
918 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, rec_seq_size);
919 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, rec_seq_size);
920 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, rec_seq_size);
921 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, rec_seq_size);
923 /* verify the payload */
924 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
927 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
928 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
929 if (!TEST_mem_ne(crec_wseq_before, rec_seq_size,
930 crec_wseq_after, rec_seq_size))
933 if (!TEST_mem_eq(crec_wseq_before, rec_seq_size,
934 crec_wseq_after, rec_seq_size))
938 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
939 if (!TEST_mem_ne(srec_wseq_before, rec_seq_size,
940 srec_wseq_after, rec_seq_size))
943 if (!TEST_mem_eq(srec_wseq_before, rec_seq_size,
944 srec_wseq_after, rec_seq_size))
948 if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
949 if (!TEST_mem_ne(crec_rseq_before, rec_seq_size,
950 crec_rseq_after, rec_seq_size))
953 if (!TEST_mem_eq(crec_rseq_before, rec_seq_size,
954 crec_rseq_after, rec_seq_size))
958 if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
959 if (!TEST_mem_ne(srec_rseq_before, rec_seq_size,
960 srec_rseq_after, rec_seq_size))
963 if (!TEST_mem_eq(srec_rseq_before, rec_seq_size,
964 srec_rseq_after, rec_seq_size))
973 static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
974 int sis_ktls_tx, int sis_ktls_rx,
975 int tls_version, const char *cipher,
978 SSL_CTX *cctx = NULL, *sctx = NULL;
979 SSL *clientssl = NULL, *serverssl = NULL;
983 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
986 /* Skip this test if the platform does not support ktls */
987 if (!ktls_chk_platform(cfd))
990 /* Create a session based on SHA-256 */
991 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
993 tls_version, tls_version,
994 &sctx, &cctx, cert, privkey))
995 || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
996 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher))
997 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
998 &clientssl, sfd, cfd)))
1002 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
1007 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
1012 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
1017 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
1021 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1026 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1029 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
1034 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1037 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1042 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1045 if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
1050 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1053 if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
1057 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd,
1064 SSL_shutdown(clientssl);
1065 SSL_free(clientssl);
1068 SSL_shutdown(serverssl);
1069 SSL_free(serverssl);
1073 serverssl = clientssl = NULL;
1077 #define SENDFILE_SZ (16 * 4096)
1078 #define SENDFILE_CHUNK (4 * 4096)
1079 #define min(a,b) ((a) > (b) ? (b) : (a))
1081 static int test_ktls_sendfile(int tls_version, const char *cipher)
1083 SSL_CTX *cctx = NULL, *sctx = NULL;
1084 SSL *clientssl = NULL, *serverssl = NULL;
1085 unsigned char *buf, *buf_dst;
1086 BIO *out = NULL, *in = NULL;
1087 int cfd, sfd, ffd, err;
1088 ssize_t chunk_size = 0;
1089 off_t chunk_off = 0;
1093 buf = OPENSSL_zalloc(SENDFILE_SZ);
1094 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1095 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1096 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1099 /* Skip this test if the platform does not support ktls */
1100 if (!ktls_chk_platform(sfd)) {
1105 /* Create a session based on SHA-256 */
1106 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1107 TLS_client_method(),
1108 tls_version, tls_version,
1109 &sctx, &cctx, cert, privkey))
1110 || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1111 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher))
1112 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1113 &clientssl, sfd, cfd)))
1116 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1118 || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1121 if (!TEST_true(RAND_bytes_ex(libctx, buf, SENDFILE_SZ)))
1124 out = BIO_new_file(tmpfilename, "wb");
1128 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1133 in = BIO_new_file(tmpfilename, "rb");
1134 BIO_get_fp(in, &ffdp);
1137 while (chunk_off < SENDFILE_SZ) {
1138 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1139 while ((err = SSL_sendfile(serverssl,
1143 0)) != chunk_size) {
1144 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1147 while ((err = SSL_read(clientssl,
1148 buf_dst + chunk_off,
1149 chunk_size)) != chunk_size) {
1150 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1154 /* verify the payload */
1155 if (!TEST_mem_eq(buf_dst + chunk_off,
1161 chunk_off += chunk_size;
1167 SSL_shutdown(clientssl);
1168 SSL_free(clientssl);
1171 SSL_shutdown(serverssl);
1172 SSL_free(serverssl);
1176 serverssl = clientssl = NULL;
1180 OPENSSL_free(buf_dst);
1184 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
1185 static int test_ktls(int test)
1187 int cis_ktls_tx, cis_ktls_rx, sis_ktls_tx, sis_ktls_rx;
1188 int tlsver, testresult;
1191 #if defined(OPENSSL_NO_TLS1_3)
1195 tlsver = TLS1_3_VERSION;
1198 #if defined(OPENSSL_NO_TLS1_2)
1201 tlsver = TLS1_2_VERSION;
1205 cis_ktls_tx = (test & 1) != 0;
1206 cis_ktls_rx = (test & 2) != 0;
1207 sis_ktls_tx = (test & 4) != 0;
1208 sis_ktls_rx = (test & 8) != 0;
1210 #if defined(OPENSSL_NO_KTLS_RX)
1211 if (cis_ktls_rx || sis_ktls_rx)
1214 #if !defined(OPENSSL_NO_TLS1_3)
1215 if (tlsver == TLS1_3_VERSION && (cis_ktls_rx || sis_ktls_rx))
1220 #ifdef OPENSSL_KTLS_AES_GCM_128
1221 testresult &= execute_test_ktls(cis_ktls_tx, cis_ktls_rx, sis_ktls_tx,
1222 sis_ktls_rx, tlsver, "AES128-GCM-SHA256",
1223 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1225 #ifdef OPENSSL_KTLS_AES_CCM_128
1226 testresult &= execute_test_ktls(cis_ktls_tx, cis_ktls_rx, sis_ktls_tx,
1227 sis_ktls_rx, tlsver, "AES128-CCM",
1228 TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1230 #ifdef OPENSSL_KTLS_AES_GCM_256
1231 testresult &= execute_test_ktls(cis_ktls_tx, cis_ktls_rx, sis_ktls_tx,
1232 sis_ktls_rx, tlsver, "AES256-GCM-SHA384",
1233 TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1238 static int test_ktls_sendfile_anytls(int tst)
1240 char *cipher[] = {"AES128-GCM-SHA256","AES128-CCM","AES256-GCM-SHA384"};
1244 #if defined(OPENSSL_NO_TLS1_3)
1248 tlsver = TLS1_3_VERSION;
1251 #if defined(OPENSSL_NO_TLS1_2)
1254 tlsver = TLS1_2_VERSION;
1258 #ifndef OPENSSL_KTLS_AES_GCM_128
1259 if(tst == 0) return 1;
1261 #ifndef OPENSSL_KTLS_AES_CCM_128
1262 if(tst == 1) return 1;
1264 #ifndef OPENSSL_KTLS_AES_GCM_256
1265 if(tst == 2) return 1;
1267 return test_ktls_sendfile(tlsver, cipher[tst]);
1273 static int test_large_message_tls(void)
1275 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1276 TLS1_VERSION, 0, 0);
1279 static int test_large_message_tls_read_ahead(void)
1281 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1282 TLS1_VERSION, 0, 1);
1285 #ifndef OPENSSL_NO_DTLS
1286 static int test_large_message_dtls(void)
1289 * read_ahead is not relevant to DTLS because DTLS always acts as if
1290 * read_ahead is set.
1292 return execute_test_large_message(DTLS_server_method(),
1293 DTLS_client_method(),
1294 DTLS1_VERSION, 0, 0);
1298 static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1299 const SSL_METHOD *cmeth,
1300 int min_version, int max_version)
1303 SSL_CTX *cctx = NULL, *sctx = NULL;
1304 SSL *clientssl = NULL, *serverssl = NULL;
1309 static unsigned char cbuf[16000];
1310 static unsigned char sbuf[16000];
1312 if (!TEST_true(create_ssl_ctx_pair(libctx,
1314 min_version, max_version,
1319 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1323 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1326 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1330 for (i = 0; i < sizeof(cbuf); i++) {
1334 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1337 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1340 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1344 * Since we called SSL_peek(), we know the data in the record
1345 * layer is a plaintext record. We can gather the pointer to check
1346 * for zeroization after SSL_read().
1348 rr = serverssl->rlayer.rrec;
1349 zbuf = &rr->data[rr->off];
1350 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1354 * After SSL_peek() the plaintext must still be stored in the
1357 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1360 memset(sbuf, 0, sizeof(sbuf));
1361 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1364 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1367 /* Check if rbuf is cleansed */
1368 memset(cbuf, 0, sizeof(cbuf));
1369 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1374 SSL_free(serverssl);
1375 SSL_free(clientssl);
1382 static int test_cleanse_plaintext(void)
1384 #if !defined(OPENSSL_NO_TLS1_2)
1385 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1386 TLS_client_method(),
1393 #if !defined(OPENSSL_NO_TLS1_3)
1394 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1395 TLS_client_method(),
1401 #if !defined(OPENSSL_NO_DTLS)
1402 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1403 DTLS_client_method(),
1411 #ifndef OPENSSL_NO_OCSP
1412 static int ocsp_server_cb(SSL *s, void *arg)
1414 int *argi = (int *)arg;
1415 unsigned char *copy = NULL;
1416 STACK_OF(OCSP_RESPID) *ids = NULL;
1417 OCSP_RESPID *id = NULL;
1420 /* In this test we are expecting exactly 1 OCSP_RESPID */
1421 SSL_get_tlsext_status_ids(s, &ids);
1422 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1423 return SSL_TLSEXT_ERR_ALERT_FATAL;
1425 id = sk_OCSP_RESPID_value(ids, 0);
1426 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1427 return SSL_TLSEXT_ERR_ALERT_FATAL;
1428 } else if (*argi != 1) {
1429 return SSL_TLSEXT_ERR_ALERT_FATAL;
1432 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1433 return SSL_TLSEXT_ERR_ALERT_FATAL;
1435 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
1436 ocsp_server_called = 1;
1437 return SSL_TLSEXT_ERR_OK;
1440 static int ocsp_client_cb(SSL *s, void *arg)
1442 int *argi = (int *)arg;
1443 const unsigned char *respderin;
1446 if (*argi != 1 && *argi != 2)
1449 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1450 if (!TEST_mem_eq(orespder, len, respderin, len))
1453 ocsp_client_called = 1;
1457 static int test_tlsext_status_type(void)
1459 SSL_CTX *cctx = NULL, *sctx = NULL;
1460 SSL *clientssl = NULL, *serverssl = NULL;
1462 STACK_OF(OCSP_RESPID) *ids = NULL;
1463 OCSP_RESPID *id = NULL;
1464 BIO *certbio = NULL;
1466 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1468 &sctx, &cctx, cert, privkey))
1471 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1474 /* First just do various checks getting and setting tlsext_status_type */
1476 clientssl = SSL_new(cctx);
1477 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1478 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1479 TLSEXT_STATUSTYPE_ocsp))
1480 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1481 TLSEXT_STATUSTYPE_ocsp))
1484 SSL_free(clientssl);
1487 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1488 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1491 clientssl = SSL_new(cctx);
1492 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1494 SSL_free(clientssl);
1498 * Now actually do a handshake and check OCSP information is exchanged and
1499 * the callbacks get called
1501 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1502 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1503 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1504 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1505 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1506 &clientssl, NULL, NULL))
1507 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1509 || !TEST_true(ocsp_client_called)
1510 || !TEST_true(ocsp_server_called))
1512 SSL_free(serverssl);
1513 SSL_free(clientssl);
1517 /* Try again but this time force the server side callback to fail */
1518 ocsp_client_called = 0;
1519 ocsp_server_called = 0;
1521 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1522 &clientssl, NULL, NULL))
1523 /* This should fail because the callback will fail */
1524 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1526 || !TEST_false(ocsp_client_called)
1527 || !TEST_false(ocsp_server_called))
1529 SSL_free(serverssl);
1530 SSL_free(clientssl);
1535 * This time we'll get the client to send an OCSP_RESPID that it will
1538 ocsp_client_called = 0;
1539 ocsp_server_called = 0;
1541 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1542 &clientssl, NULL, NULL)))
1546 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1547 * specific one. We'll use the server cert.
1549 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1550 || !TEST_ptr(id = OCSP_RESPID_new())
1551 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1552 || !TEST_ptr(ocspcert = X509_new_with_libctx(libctx, NULL))
1553 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
1554 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1555 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1558 SSL_set_tlsext_status_ids(clientssl, ids);
1559 /* Control has been transferred */
1565 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1567 || !TEST_true(ocsp_client_called)
1568 || !TEST_true(ocsp_server_called))
1574 SSL_free(serverssl);
1575 SSL_free(clientssl);
1578 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1579 OCSP_RESPID_free(id);
1581 X509_free(ocspcert);
1588 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1589 static int new_called, remove_called, get_called;
1591 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1595 * sess has been up-refed for us, but we don't actually need it so free it
1598 SSL_SESSION_free(sess);
1602 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1607 static SSL_SESSION *get_sess_val = NULL;
1609 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1614 return get_sess_val;
1617 static int execute_test_session(int maxprot, int use_int_cache,
1618 int use_ext_cache, long s_options)
1620 SSL_CTX *sctx = NULL, *cctx = NULL;
1621 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1622 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1623 # ifndef OPENSSL_NO_TLS1_1
1624 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1626 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1627 int testresult = 0, numnewsesstick = 1;
1629 new_called = remove_called = 0;
1631 /* TLSv1.3 sends 2 NewSessionTickets */
1632 if (maxprot == TLS1_3_VERSION)
1635 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1636 TLS_client_method(), TLS1_VERSION, 0,
1637 &sctx, &cctx, cert, privkey)))
1641 * Only allow the max protocol version so we can force a connection failure
1644 SSL_CTX_set_min_proto_version(cctx, maxprot);
1645 SSL_CTX_set_max_proto_version(cctx, maxprot);
1647 /* Set up session cache */
1648 if (use_ext_cache) {
1649 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1650 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1652 if (use_int_cache) {
1653 /* Also covers instance where both are set */
1654 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1656 SSL_CTX_set_session_cache_mode(cctx,
1657 SSL_SESS_CACHE_CLIENT
1658 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1662 SSL_CTX_set_options(sctx, s_options);
1665 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1667 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1669 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1672 /* Should fail because it should already be in the cache */
1673 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1676 && (!TEST_int_eq(new_called, numnewsesstick)
1678 || !TEST_int_eq(remove_called, 0)))
1681 new_called = remove_called = 0;
1682 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1683 &clientssl2, NULL, NULL))
1684 || !TEST_true(SSL_set_session(clientssl2, sess1))
1685 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1687 || !TEST_true(SSL_session_reused(clientssl2)))
1690 if (maxprot == TLS1_3_VERSION) {
1692 * In TLSv1.3 we should have created a new session even though we have
1693 * resumed. Since we attempted a resume we should also have removed the
1694 * old ticket from the cache so that we try to only use tickets once.
1697 && (!TEST_int_eq(new_called, 1)
1698 || !TEST_int_eq(remove_called, 1)))
1702 * In TLSv1.2 we expect to have resumed so no sessions added or
1706 && (!TEST_int_eq(new_called, 0)
1707 || !TEST_int_eq(remove_called, 0)))
1711 SSL_SESSION_free(sess1);
1712 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1714 shutdown_ssl_connection(serverssl2, clientssl2);
1715 serverssl2 = clientssl2 = NULL;
1717 new_called = remove_called = 0;
1718 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1719 &clientssl2, NULL, NULL))
1720 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1724 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1728 && (!TEST_int_eq(new_called, numnewsesstick)
1729 || !TEST_int_eq(remove_called, 0)))
1732 new_called = remove_called = 0;
1734 * This should clear sess2 from the cache because it is a "bad" session.
1735 * See SSL_set_session() documentation.
1737 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1740 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1742 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1745 if (use_int_cache) {
1746 /* Should succeeded because it should not already be in the cache */
1747 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1748 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1752 new_called = remove_called = 0;
1753 /* This shouldn't be in the cache so should fail */
1754 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1758 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1761 # if !defined(OPENSSL_NO_TLS1_1)
1762 new_called = remove_called = 0;
1763 /* Force a connection failure */
1764 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1765 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1766 &clientssl3, NULL, NULL))
1767 || !TEST_true(SSL_set_session(clientssl3, sess1))
1768 /* This should fail because of the mismatched protocol versions */
1769 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1773 /* We should have automatically removed the session from the cache */
1775 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1778 /* Should succeed because it should not already be in the cache */
1779 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1783 /* Now do some tests for server side caching */
1784 if (use_ext_cache) {
1785 SSL_CTX_sess_set_new_cb(cctx, NULL);
1786 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1787 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1788 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1789 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1790 get_sess_val = NULL;
1793 SSL_CTX_set_session_cache_mode(cctx, 0);
1794 /* Internal caching is the default on the server side */
1796 SSL_CTX_set_session_cache_mode(sctx,
1797 SSL_SESS_CACHE_SERVER
1798 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1800 SSL_free(serverssl1);
1801 SSL_free(clientssl1);
1802 serverssl1 = clientssl1 = NULL;
1803 SSL_free(serverssl2);
1804 SSL_free(clientssl2);
1805 serverssl2 = clientssl2 = NULL;
1806 SSL_SESSION_free(sess1);
1808 SSL_SESSION_free(sess2);
1811 SSL_CTX_set_max_proto_version(sctx, maxprot);
1812 if (maxprot == TLS1_2_VERSION)
1813 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1814 new_called = remove_called = get_called = 0;
1815 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1817 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1819 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1820 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1823 if (use_int_cache) {
1824 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1826 * In TLSv1.3 it should not have been added to the internal cache,
1827 * except in the case where we also have an external cache (in that
1828 * case it gets added to the cache in order to generate remove
1829 * events after timeout).
1831 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1834 /* Should fail because it should already be in the cache */
1835 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1840 if (use_ext_cache) {
1841 SSL_SESSION *tmp = sess2;
1843 if (!TEST_int_eq(new_called, numnewsesstick)
1844 || !TEST_int_eq(remove_called, 0)
1845 || !TEST_int_eq(get_called, 0))
1848 * Delete the session from the internal cache to force a lookup from
1849 * the external cache. We take a copy first because
1850 * SSL_CTX_remove_session() also marks the session as non-resumable.
1852 if (use_int_cache && maxprot != TLS1_3_VERSION) {
1853 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1854 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1856 SSL_SESSION_free(sess2);
1861 new_called = remove_called = get_called = 0;
1862 get_sess_val = sess2;
1863 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1864 &clientssl2, NULL, NULL))
1865 || !TEST_true(SSL_set_session(clientssl2, sess1))
1866 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1868 || !TEST_true(SSL_session_reused(clientssl2)))
1871 if (use_ext_cache) {
1872 if (!TEST_int_eq(remove_called, 0))
1875 if (maxprot == TLS1_3_VERSION) {
1876 if (!TEST_int_eq(new_called, 1)
1877 || !TEST_int_eq(get_called, 0))
1880 if (!TEST_int_eq(new_called, 0)
1881 || !TEST_int_eq(get_called, 1))
1889 SSL_free(serverssl1);
1890 SSL_free(clientssl1);
1891 SSL_free(serverssl2);
1892 SSL_free(clientssl2);
1893 # ifndef OPENSSL_NO_TLS1_1
1894 SSL_free(serverssl3);
1895 SSL_free(clientssl3);
1897 SSL_SESSION_free(sess1);
1898 SSL_SESSION_free(sess2);
1904 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1906 static int test_session_with_only_int_cache(void)
1908 #ifndef OPENSSL_NO_TLS1_3
1909 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
1913 #ifndef OPENSSL_NO_TLS1_2
1914 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
1920 static int test_session_with_only_ext_cache(void)
1922 #ifndef OPENSSL_NO_TLS1_3
1923 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
1927 #ifndef OPENSSL_NO_TLS1_2
1928 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
1934 static int test_session_with_both_cache(void)
1936 #ifndef OPENSSL_NO_TLS1_3
1937 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
1941 #ifndef OPENSSL_NO_TLS1_2
1942 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
1948 static int test_session_wo_ca_names(void)
1950 #ifndef OPENSSL_NO_TLS1_3
1951 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
1955 #ifndef OPENSSL_NO_TLS1_2
1956 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
1963 #ifndef OPENSSL_NO_TLS1_3
1964 static SSL_SESSION *sesscache[6];
1965 static int do_cache;
1967 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1970 sesscache[new_called] = sess;
1972 /* We don't need the reference to the session, so free it */
1973 SSL_SESSION_free(sess);
1980 static int post_handshake_verify(SSL *sssl, SSL *cssl)
1982 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1983 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1986 /* Start handshake on the server and client */
1987 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1988 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1989 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1990 || !TEST_true(create_ssl_connection(sssl, cssl,
1997 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
2000 int sess_id_ctx = 1;
2002 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2003 TLS_client_method(), TLS1_VERSION, 0,
2004 sctx, cctx, cert, privkey))
2005 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2006 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2007 (void *)&sess_id_ctx,
2008 sizeof(sess_id_ctx))))
2012 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2014 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2015 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2016 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2021 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2023 SSL *serverssl = NULL, *clientssl = NULL;
2026 /* Test that we can resume with all the tickets we got given */
2027 for (i = 0; i < idx * 2; i++) {
2029 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2030 &clientssl, NULL, NULL))
2031 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2034 SSL_set_post_handshake_auth(clientssl, 1);
2036 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2041 * Following a successful resumption we only get 1 ticket. After a
2042 * failed one we should get idx tickets.
2045 if (!TEST_true(SSL_session_reused(clientssl))
2046 || !TEST_int_eq(new_called, 1))
2049 if (!TEST_false(SSL_session_reused(clientssl))
2050 || !TEST_int_eq(new_called, idx))
2055 /* After a post-handshake authentication we should get 1 new ticket */
2057 && (!post_handshake_verify(serverssl, clientssl)
2058 || !TEST_int_eq(new_called, 1)))
2061 SSL_shutdown(clientssl);
2062 SSL_shutdown(serverssl);
2063 SSL_free(serverssl);
2064 SSL_free(clientssl);
2065 serverssl = clientssl = NULL;
2066 SSL_SESSION_free(sesscache[i]);
2067 sesscache[i] = NULL;
2073 SSL_free(clientssl);
2074 SSL_free(serverssl);
2078 static int test_tickets(int stateful, int idx)
2080 SSL_CTX *sctx = NULL, *cctx = NULL;
2081 SSL *serverssl = NULL, *clientssl = NULL;
2085 /* idx is the test number, but also the number of tickets we want */
2090 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2093 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2094 &clientssl, NULL, NULL)))
2097 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2099 /* Check we got the number of tickets we were expecting */
2100 || !TEST_int_eq(idx, new_called))
2103 SSL_shutdown(clientssl);
2104 SSL_shutdown(serverssl);
2105 SSL_free(serverssl);
2106 SSL_free(clientssl);
2109 clientssl = serverssl = NULL;
2113 * Now we try to resume with the tickets we previously created. The
2114 * resumption attempt is expected to fail (because we're now using a new
2115 * SSL_CTX). We should see idx number of tickets issued again.
2118 /* Stop caching sessions - just count them */
2121 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2124 if (!check_resumption(idx, sctx, cctx, 0))
2127 /* Start again with caching sessions */
2134 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2137 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2138 &clientssl, NULL, NULL)))
2141 SSL_set_post_handshake_auth(clientssl, 1);
2143 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2145 /* Check we got the number of tickets we were expecting */
2146 || !TEST_int_eq(idx, new_called))
2149 /* After a post-handshake authentication we should get new tickets issued */
2150 if (!post_handshake_verify(serverssl, clientssl)
2151 || !TEST_int_eq(idx * 2, new_called))
2154 SSL_shutdown(clientssl);
2155 SSL_shutdown(serverssl);
2156 SSL_free(serverssl);
2157 SSL_free(clientssl);
2158 serverssl = clientssl = NULL;
2160 /* Stop caching sessions - just count them */
2164 * Check we can resume with all the tickets we created. This time around the
2165 * resumptions should all be successful.
2167 if (!check_resumption(idx, sctx, cctx, 1))
2173 SSL_free(serverssl);
2174 SSL_free(clientssl);
2175 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2176 SSL_SESSION_free(sesscache[j]);
2177 sesscache[j] = NULL;
2185 static int test_stateless_tickets(int idx)
2187 return test_tickets(0, idx);
2190 static int test_stateful_tickets(int idx)
2192 return test_tickets(1, idx);
2195 static int test_psk_tickets(void)
2197 SSL_CTX *sctx = NULL, *cctx = NULL;
2198 SSL *serverssl = NULL, *clientssl = NULL;
2200 int sess_id_ctx = 1;
2202 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2203 TLS_client_method(), TLS1_VERSION, 0,
2204 &sctx, &cctx, NULL, NULL))
2205 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2206 (void *)&sess_id_ctx,
2207 sizeof(sess_id_ctx))))
2210 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2211 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2212 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2213 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2214 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2215 use_session_cb_cnt = 0;
2216 find_session_cb_cnt = 0;
2220 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2223 clientpsk = serverpsk = create_a_psk(clientssl);
2224 if (!TEST_ptr(clientpsk))
2226 SSL_SESSION_up_ref(clientpsk);
2228 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2230 || !TEST_int_eq(1, find_session_cb_cnt)
2231 || !TEST_int_eq(1, use_session_cb_cnt)
2232 /* We should always get 1 ticket when using external PSK */
2233 || !TEST_int_eq(1, new_called))
2239 SSL_free(serverssl);
2240 SSL_free(clientssl);
2243 SSL_SESSION_free(clientpsk);
2244 SSL_SESSION_free(serverpsk);
2245 clientpsk = serverpsk = NULL;
2250 static int test_extra_tickets(int idx)
2252 SSL_CTX *sctx = NULL, *cctx = NULL;
2253 SSL *serverssl = NULL, *clientssl = NULL;
2254 BIO *bretry = BIO_new(bio_s_always_retry());
2259 unsigned char c, buf[1];
2269 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2271 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2272 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2273 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2275 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2276 &clientssl, NULL, NULL)))
2280 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2281 * incremented by both client and server.
2283 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2285 /* Check we got the number of tickets we were expecting */
2286 || !TEST_int_eq(idx * 2, new_called)
2287 || !TEST_true(SSL_new_session_ticket(serverssl))
2288 || !TEST_true(SSL_new_session_ticket(serverssl))
2289 || !TEST_int_eq(idx * 2, new_called))
2292 /* Now try a (real) write to actually send the tickets */
2294 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2295 || !TEST_size_t_eq(1, nbytes)
2296 || !TEST_int_eq(idx * 2 + 2, new_called)
2297 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2298 || !TEST_int_eq(idx * 2 + 4, new_called)
2299 || !TEST_int_eq(sizeof(buf), nbytes)
2300 || !TEST_int_eq(c, buf[0])
2301 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2304 /* Try with only requesting one new ticket, too */
2307 if (!TEST_true(SSL_new_session_ticket(serverssl))
2308 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2309 || !TEST_size_t_eq(sizeof(c), nbytes)
2310 || !TEST_int_eq(1, new_called)
2311 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2312 || !TEST_int_eq(2, new_called)
2313 || !TEST_size_t_eq(sizeof(buf), nbytes)
2314 || !TEST_int_eq(c, buf[0]))
2317 /* Do it again but use dummy writes to drive the ticket generation */
2320 if (!TEST_true(SSL_new_session_ticket(serverssl))
2321 || !TEST_true(SSL_new_session_ticket(serverssl))
2322 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2323 || !TEST_size_t_eq(0, nbytes)
2324 || !TEST_int_eq(2, new_called)
2325 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2326 || !TEST_int_eq(4, new_called))
2330 * Use the always-retry BIO to exercise the logic that forces ticket
2331 * generation to wait until a record boundary.
2335 tmp = SSL_get_wbio(serverssl);
2336 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2340 SSL_set0_wbio(serverssl, bretry);
2342 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2343 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2344 || !TEST_size_t_eq(nbytes, 0))
2346 /* Restore a BIO that will let the write succeed */
2347 SSL_set0_wbio(serverssl, tmp);
2349 /* These calls should just queue the request and not send anything. */
2350 if (!TEST_true(SSL_new_session_ticket(serverssl))
2351 || !TEST_true(SSL_new_session_ticket(serverssl))
2352 || !TEST_int_eq(0, new_called))
2354 /* Re-do the write; still no tickets sent */
2355 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2356 || !TEST_size_t_eq(1, nbytes)
2357 || !TEST_int_eq(0, new_called)
2358 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2359 || !TEST_int_eq(0, new_called)
2360 || !TEST_int_eq(sizeof(buf), nbytes)
2361 || !TEST_int_eq(c, buf[0])
2362 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2364 /* Now the *next* write should send the tickets */
2366 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2367 || !TEST_size_t_eq(1, nbytes)
2368 || !TEST_int_eq(2, new_called)
2369 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2370 || !TEST_int_eq(4, new_called)
2371 || !TEST_int_eq(sizeof(buf), nbytes)
2372 || !TEST_int_eq(c, buf[0])
2373 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2376 SSL_shutdown(clientssl);
2377 SSL_shutdown(serverssl);
2383 SSL_free(serverssl);
2384 SSL_free(clientssl);
2387 clientssl = serverssl = NULL;
2396 #define USE_DEFAULT 3
2398 #define CONNTYPE_CONNECTION_SUCCESS 0
2399 #define CONNTYPE_CONNECTION_FAIL 1
2400 #define CONNTYPE_NO_CONNECTION 2
2402 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2403 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2404 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2405 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2407 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2410 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2411 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2412 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2414 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2431 * Tests calls to SSL_set_bio() under various conditions.
2433 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2434 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2435 * then do more tests where we create a successful connection first using our
2436 * standard connection setup functions, and then call SSL_set_bio() with
2437 * various combinations of valid BIOs or NULL. We then repeat these tests
2438 * following a failed connection. In this last case we are looking to check that
2439 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2441 static int test_ssl_set_bio(int idx)
2443 SSL_CTX *sctx = NULL, *cctx = NULL;
2446 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2447 SSL *serverssl = NULL, *clientssl = NULL;
2448 int initrbio, initwbio, newrbio, newwbio, conntype;
2451 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2459 conntype = CONNTYPE_NO_CONNECTION;
2461 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2462 initrbio = initwbio = USE_DEFAULT;
2470 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2471 TLS_client_method(), TLS1_VERSION, 0,
2472 &sctx, &cctx, cert, privkey)))
2475 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2477 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2478 * because we reduced the number of tests in the definition of
2479 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2480 * mismatched protocol versions we will force a connection failure.
2482 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2483 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2486 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2490 if (initrbio == USE_BIO_1
2491 || initwbio == USE_BIO_1
2492 || newrbio == USE_BIO_1
2493 || newwbio == USE_BIO_1) {
2494 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2498 if (initrbio == USE_BIO_2
2499 || initwbio == USE_BIO_2
2500 || newrbio == USE_BIO_2
2501 || newwbio == USE_BIO_2) {
2502 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2506 if (initrbio != USE_DEFAULT) {
2507 setupbio(&irbio, bio1, bio2, initrbio);
2508 setupbio(&iwbio, bio1, bio2, initwbio);
2509 SSL_set_bio(clientssl, irbio, iwbio);
2512 * We want to maintain our own refs to these BIO, so do an up ref for
2513 * each BIO that will have ownership transferred in the SSL_set_bio()
2518 if (iwbio != NULL && iwbio != irbio)
2522 if (conntype != CONNTYPE_NO_CONNECTION
2523 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2525 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2528 setupbio(&nrbio, bio1, bio2, newrbio);
2529 setupbio(&nwbio, bio1, bio2, newwbio);
2532 * We will (maybe) transfer ownership again so do more up refs.
2533 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2538 && (nwbio != iwbio || nrbio != nwbio))
2542 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2545 SSL_set_bio(clientssl, nrbio, nwbio);
2554 * This test is checking that the ref counting for SSL_set_bio is correct.
2555 * If we get here and we did too many frees then we will fail in the above
2558 SSL_free(serverssl);
2559 SSL_free(clientssl);
2565 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
2567 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
2569 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
2574 if (!TEST_ptr(ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method()))
2575 || !TEST_ptr(ssl = SSL_new(ctx))
2576 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2577 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
2580 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2583 * If anything goes wrong here then we could leak memory.
2585 BIO_push(sslbio, membio1);
2587 /* Verify changing the rbio/wbio directly does not cause leaks */
2588 if (change_bio != NO_BIO_CHANGE) {
2589 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
2591 if (change_bio == CHANGE_RBIO)
2592 SSL_set0_rbio(ssl, membio2);
2594 SSL_set0_wbio(ssl, membio2);
2613 static int test_ssl_bio_pop_next_bio(void)
2615 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
2618 static int test_ssl_bio_pop_ssl_bio(void)
2620 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
2623 static int test_ssl_bio_change_rbio(void)
2625 return execute_test_ssl_bio(0, CHANGE_RBIO);
2628 static int test_ssl_bio_change_wbio(void)
2630 return execute_test_ssl_bio(0, CHANGE_WBIO);
2633 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
2635 /* The list of sig algs */
2637 /* The length of the list */
2639 /* A sigalgs list in string format */
2640 const char *liststr;
2641 /* Whether setting the list should succeed */
2643 /* Whether creating a connection with the list should succeed */
2647 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
2648 # ifndef OPENSSL_NO_EC
2649 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2650 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
2652 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2653 static const int invalidlist2[] = {NID_sha256, NID_undef};
2654 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2655 static const int invalidlist4[] = {NID_sha256};
2656 static const sigalgs_list testsigalgs[] = {
2657 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2658 # ifndef OPENSSL_NO_EC
2659 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2660 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2662 {NULL, 0, "RSA+SHA256", 1, 1},
2663 # ifndef OPENSSL_NO_EC
2664 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2665 {NULL, 0, "ECDSA+SHA512", 1, 0},
2667 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2668 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2669 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2670 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2671 {NULL, 0, "RSA", 0, 0},
2672 {NULL, 0, "SHA256", 0, 0},
2673 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2674 {NULL, 0, "Invalid", 0, 0}
2677 static int test_set_sigalgs(int idx)
2679 SSL_CTX *cctx = NULL, *sctx = NULL;
2680 SSL *clientssl = NULL, *serverssl = NULL;
2682 const sigalgs_list *curr;
2685 /* Should never happen */
2686 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
2689 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2690 curr = testctx ? &testsigalgs[idx]
2691 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2693 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2694 TLS_client_method(), TLS1_VERSION, 0,
2695 &sctx, &cctx, cert, privkey)))
2699 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2700 * for TLSv1.2 for now until we add a new API.
2702 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2707 if (curr->list != NULL)
2708 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2710 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2714 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2720 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2725 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2726 &clientssl, NULL, NULL)))
2732 if (curr->list != NULL)
2733 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2735 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2738 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
2747 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2755 SSL_free(serverssl);
2756 SSL_free(clientssl);
2764 #ifndef OPENSSL_NO_TLS1_3
2765 static int psk_client_cb_cnt = 0;
2766 static int psk_server_cb_cnt = 0;
2768 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2769 size_t *idlen, SSL_SESSION **sess)
2771 switch (++use_session_cb_cnt) {
2773 /* The first call should always have a NULL md */
2779 /* The second call should always have an md */
2785 /* We should only be called a maximum of twice */
2789 if (clientpsk != NULL)
2790 SSL_SESSION_up_ref(clientpsk);
2793 *id = (const unsigned char *)pskid;
2794 *idlen = strlen(pskid);
2799 #ifndef OPENSSL_NO_PSK
2800 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2801 unsigned int max_id_len,
2803 unsigned int max_psk_len)
2805 unsigned int psklen = 0;
2807 psk_client_cb_cnt++;
2809 if (strlen(pskid) + 1 > max_id_len)
2812 /* We should only ever be called a maximum of twice per connection */
2813 if (psk_client_cb_cnt > 2)
2816 if (clientpsk == NULL)
2819 /* We'll reuse the PSK we set up for TLSv1.3 */
2820 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2822 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2823 strncpy(id, pskid, max_id_len);
2827 #endif /* OPENSSL_NO_PSK */
2829 static int find_session_cb(SSL *ssl, const unsigned char *identity,
2830 size_t identity_len, SSL_SESSION **sess)
2832 find_session_cb_cnt++;
2834 /* We should only ever be called a maximum of twice per connection */
2835 if (find_session_cb_cnt > 2)
2838 if (serverpsk == NULL)
2841 /* Identity should match that set by the client */
2842 if (strlen(srvid) != identity_len
2843 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2844 /* No PSK found, continue but without a PSK */
2849 SSL_SESSION_up_ref(serverpsk);
2855 #ifndef OPENSSL_NO_PSK
2856 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2857 unsigned char *psk, unsigned int max_psk_len)
2859 unsigned int psklen = 0;
2861 psk_server_cb_cnt++;
2863 /* We should only ever be called a maximum of twice per connection */
2864 if (find_session_cb_cnt > 2)
2867 if (serverpsk == NULL)
2870 /* Identity should match that set by the client */
2871 if (strcmp(srvid, identity) != 0) {
2875 /* We'll reuse the PSK we set up for TLSv1.3 */
2876 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2878 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2882 #endif /* OPENSSL_NO_PSK */
2884 #define MSG1 "Hello"
2885 #define MSG2 "World."
2890 #define MSG7 "message."
2892 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
2893 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2894 #define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
2895 #define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
2896 #define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
2899 static SSL_SESSION *create_a_psk(SSL *ssl)
2901 const SSL_CIPHER *cipher = NULL;
2902 const unsigned char key[] = {
2903 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2904 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2905 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2906 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2907 0x2c, 0x2d, 0x2e, 0x2f
2909 SSL_SESSION *sess = NULL;
2911 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2912 sess = SSL_SESSION_new();
2914 || !TEST_ptr(cipher)
2915 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2917 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2919 SSL_SESSION_set_protocol_version(sess,
2921 SSL_SESSION_free(sess);
2928 * Helper method to setup objects for early data test. Caller frees objects on
2931 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
2932 SSL **serverssl, SSL_SESSION **sess, int idx)
2935 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2936 TLS_client_method(),
2938 sctx, cctx, cert, privkey)))
2941 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
2945 /* When idx == 1 we repeat the tests with read_ahead set */
2946 SSL_CTX_set_read_ahead(*cctx, 1);
2947 SSL_CTX_set_read_ahead(*sctx, 1);
2948 } else if (idx == 2) {
2949 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2950 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2951 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2952 use_session_cb_cnt = 0;
2953 find_session_cb_cnt = 0;
2957 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
2962 * For one of the run throughs (doesn't matter which one), we'll try sending
2963 * some SNI data in the initial ClientHello. This will be ignored (because
2964 * there is no SNI cb set up by the server), so it should not impact
2968 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2972 clientpsk = create_a_psk(*clientssl);
2973 if (!TEST_ptr(clientpsk)
2975 * We just choose an arbitrary value for max_early_data which
2976 * should be big enough for testing purposes.
2978 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2980 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2981 SSL_SESSION_free(clientpsk);
2985 serverpsk = clientpsk;
2988 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2989 SSL_SESSION_free(clientpsk);
2990 SSL_SESSION_free(serverpsk);
2991 clientpsk = serverpsk = NULL;
3002 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3006 *sess = SSL_get1_session(*clientssl);
3007 SSL_shutdown(*clientssl);
3008 SSL_shutdown(*serverssl);
3009 SSL_free(*serverssl);
3010 SSL_free(*clientssl);
3011 *serverssl = *clientssl = NULL;
3013 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3014 clientssl, NULL, NULL))
3015 || !TEST_true(SSL_set_session(*clientssl, *sess)))
3021 static int test_early_data_read_write(int idx)
3023 SSL_CTX *cctx = NULL, *sctx = NULL;
3024 SSL *clientssl = NULL, *serverssl = NULL;
3026 SSL_SESSION *sess = NULL;
3027 unsigned char buf[20], data[1024];
3028 size_t readbytes, written, eoedlen, rawread, rawwritten;
3031 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3032 &serverssl, &sess, idx)))
3035 /* Write and read some early data */
3036 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3038 || !TEST_size_t_eq(written, strlen(MSG1))
3039 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3040 sizeof(buf), &readbytes),
3041 SSL_READ_EARLY_DATA_SUCCESS)
3042 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3043 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3044 SSL_EARLY_DATA_ACCEPTED))
3048 * Server should be able to write data, and client should be able to
3051 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3053 || !TEST_size_t_eq(written, strlen(MSG2))
3054 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3055 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3058 /* Even after reading normal data, client should be able write early data */
3059 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3061 || !TEST_size_t_eq(written, strlen(MSG3)))
3064 /* Server should still be able read early data after writing data */
3065 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3067 SSL_READ_EARLY_DATA_SUCCESS)
3068 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3071 /* Write more data from server and read it from client */
3072 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3074 || !TEST_size_t_eq(written, strlen(MSG4))
3075 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3076 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3080 * If client writes normal data it should mean writing early data is no
3083 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3084 || !TEST_size_t_eq(written, strlen(MSG5))
3085 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3086 SSL_EARLY_DATA_ACCEPTED))
3090 * At this point the client has written EndOfEarlyData, ClientFinished and
3091 * normal (fully protected) data. We are going to cause a delay between the
3092 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3093 * in the read BIO, and then just put back the EndOfEarlyData message.
3095 rbio = SSL_get_rbio(serverssl);
3096 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3097 || !TEST_size_t_lt(rawread, sizeof(data))
3098 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3101 /* Record length is in the 4th and 5th bytes of the record header */
3102 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3103 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3104 || !TEST_size_t_eq(rawwritten, eoedlen))
3107 /* Server should be told that there is no more early data */
3108 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3110 SSL_READ_EARLY_DATA_FINISH)
3111 || !TEST_size_t_eq(readbytes, 0))
3115 * Server has not finished init yet, so should still be able to write early
3118 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3120 || !TEST_size_t_eq(written, strlen(MSG6)))
3123 /* Push the ClientFinished and the normal data back into the server rbio */
3124 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3126 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3129 /* Server should be able to read normal data */
3130 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3131 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3134 /* Client and server should not be able to write/read early data now */
3135 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3139 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3141 SSL_READ_EARLY_DATA_ERROR))
3145 /* Client should be able to read the data sent by the server */
3146 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3147 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3151 * Make sure we process the two NewSessionTickets. These arrive
3152 * post-handshake. We attempt reads which we do not expect to return any
3155 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3156 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3160 /* Server should be able to write normal data */
3161 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3162 || !TEST_size_t_eq(written, strlen(MSG7))
3163 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3164 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3167 SSL_SESSION_free(sess);
3168 sess = SSL_get1_session(clientssl);
3169 use_session_cb_cnt = 0;
3170 find_session_cb_cnt = 0;
3172 SSL_shutdown(clientssl);
3173 SSL_shutdown(serverssl);
3174 SSL_free(serverssl);
3175 SSL_free(clientssl);
3176 serverssl = clientssl = NULL;
3177 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3178 &clientssl, NULL, NULL))
3179 || !TEST_true(SSL_set_session(clientssl, sess)))
3182 /* Write and read some early data */
3183 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3185 || !TEST_size_t_eq(written, strlen(MSG1))
3186 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3188 SSL_READ_EARLY_DATA_SUCCESS)
3189 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3192 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3193 || !TEST_int_gt(SSL_accept(serverssl), 0))
3196 /* Client and server should not be able to write/read early data now */
3197 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3201 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3203 SSL_READ_EARLY_DATA_ERROR))
3207 /* Client and server should be able to write/read normal data */
3208 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3209 || !TEST_size_t_eq(written, strlen(MSG5))
3210 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3211 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3217 SSL_SESSION_free(sess);
3218 SSL_SESSION_free(clientpsk);
3219 SSL_SESSION_free(serverpsk);
3220 clientpsk = serverpsk = NULL;
3221 SSL_free(serverssl);
3222 SSL_free(clientssl);
3228 static int allow_ed_cb_called = 0;
3230 static int allow_early_data_cb(SSL *s, void *arg)
3232 int *usecb = (int *)arg;
3234 allow_ed_cb_called++;
3243 * idx == 0: Standard early_data setup
3244 * idx == 1: early_data setup using read_ahead
3245 * usecb == 0: Don't use a custom early data callback
3246 * usecb == 1: Use a custom early data callback and reject the early data
3247 * usecb == 2: Use a custom early data callback and accept the early data
3248 * confopt == 0: Configure anti-replay directly
3249 * confopt == 1: Configure anti-replay using SSL_CONF
3251 static int test_early_data_replay_int(int idx, int usecb, int confopt)
3253 SSL_CTX *cctx = NULL, *sctx = NULL;
3254 SSL *clientssl = NULL, *serverssl = NULL;
3256 SSL_SESSION *sess = NULL;
3257 size_t readbytes, written;
3258 unsigned char buf[20];
3260 allow_ed_cb_called = 0;
3262 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3263 TLS_client_method(), TLS1_VERSION, 0,
3264 &sctx, &cctx, cert, privkey)))
3269 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3271 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3273 if (!TEST_ptr(confctx))
3275 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3276 | SSL_CONF_FLAG_SERVER);
3277 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3278 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3280 SSL_CONF_CTX_free(confctx);
3283 SSL_CONF_CTX_free(confctx);
3285 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3288 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3289 &serverssl, &sess, idx)))
3293 * The server is configured to accept early data. Create a connection to
3294 * "use up" the ticket
3296 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3297 || !TEST_true(SSL_session_reused(clientssl)))
3300 SSL_shutdown(clientssl);
3301 SSL_shutdown(serverssl);
3302 SSL_free(serverssl);
3303 SSL_free(clientssl);
3304 serverssl = clientssl = NULL;
3306 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3307 &clientssl, NULL, NULL))
3308 || !TEST_true(SSL_set_session(clientssl, sess)))
3311 /* Write and read some early data */
3312 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3314 || !TEST_size_t_eq(written, strlen(MSG1)))
3318 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3320 SSL_READ_EARLY_DATA_FINISH)
3322 * The ticket was reused, so the we should have rejected the
3325 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3326 SSL_EARLY_DATA_REJECTED))
3329 /* In this case the callback decides to accept the early data */
3330 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3332 SSL_READ_EARLY_DATA_SUCCESS)
3333 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3335 * Server will have sent its flight so client can now send
3336 * end of early data and complete its half of the handshake
3338 || !TEST_int_gt(SSL_connect(clientssl), 0)
3339 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3341 SSL_READ_EARLY_DATA_FINISH)
3342 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3343 SSL_EARLY_DATA_ACCEPTED))
3347 /* Complete the connection */
3348 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3349 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3350 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3356 SSL_SESSION_free(sess);
3357 SSL_SESSION_free(clientpsk);
3358 SSL_SESSION_free(serverpsk);
3359 clientpsk = serverpsk = NULL;
3360 SSL_free(serverssl);
3361 SSL_free(clientssl);
3367 static int test_early_data_replay(int idx)
3369 int ret = 1, usecb, confopt;
3371 for (usecb = 0; usecb < 3; usecb++) {
3372 for (confopt = 0; confopt < 2; confopt++)
3373 ret &= test_early_data_replay_int(idx, usecb, confopt);
3380 * Helper function to test that a server attempting to read early data can
3381 * handle a connection from a client where the early data should be skipped.
3382 * testtype: 0 == No HRR
3383 * testtype: 1 == HRR
3384 * testtype: 2 == HRR, invalid early_data sent after HRR
3385 * testtype: 3 == recv_max_early_data set to 0
3387 static int early_data_skip_helper(int testtype, int idx)
3389 SSL_CTX *cctx = NULL, *sctx = NULL;
3390 SSL *clientssl = NULL, *serverssl = NULL;
3392 SSL_SESSION *sess = NULL;
3393 unsigned char buf[20];
3394 size_t readbytes, written;
3396 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3397 &serverssl, &sess, idx)))
3400 if (testtype == 1 || testtype == 2) {
3401 /* Force an HRR to occur */
3402 #if defined(OPENSSL_NO_EC)
3403 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3406 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3409 } else if (idx == 2) {
3411 * We force early_data rejection by ensuring the PSK identity is
3414 srvid = "Dummy Identity";
3417 * Deliberately corrupt the creation time. We take 20 seconds off the
3418 * time. It could be any value as long as it is not within tolerance.
3419 * This should mean the ticket is rejected.
3421 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3426 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3429 /* Write some early data */
3430 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3432 || !TEST_size_t_eq(written, strlen(MSG1)))
3435 /* Server should reject the early data */
3436 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3438 SSL_READ_EARLY_DATA_FINISH)
3439 || !TEST_size_t_eq(readbytes, 0)
3440 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3441 SSL_EARLY_DATA_REJECTED))
3451 * Finish off the handshake. We perform the same writes and reads as
3452 * further down but we expect them to fail due to the incomplete
3455 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3456 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3463 BIO *wbio = SSL_get_wbio(clientssl);
3464 /* A record that will appear as bad early_data */
3465 const unsigned char bad_early_data[] = {
3466 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3470 * We force the client to attempt a write. This will fail because
3471 * we're still in the handshake. It will cause the second
3472 * ClientHello to be sent.
3474 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3479 * Inject some early_data after the second ClientHello. This should
3480 * cause the server to fail
3482 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3483 sizeof(bad_early_data), &written)))
3490 * This client has sent more early_data than we are willing to skip
3491 * (case 3) or sent invalid early_data (case 2) so the connection should
3494 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3495 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3498 /* Connection has failed - nothing more to do */
3503 TEST_error("Invalid test type");
3508 * Should be able to send normal data despite rejection of early data. The
3509 * early_data should be skipped.
3511 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3512 || !TEST_size_t_eq(written, strlen(MSG2))
3513 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3514 SSL_EARLY_DATA_REJECTED)
3515 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3516 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3522 SSL_SESSION_free(clientpsk);
3523 SSL_SESSION_free(serverpsk);
3524 clientpsk = serverpsk = NULL;
3525 SSL_SESSION_free(sess);
3526 SSL_free(serverssl);
3527 SSL_free(clientssl);
3534 * Test that a server attempting to read early data can handle a connection
3535 * from a client where the early data is not acceptable.
3537 static int test_early_data_skip(int idx)
3539 return early_data_skip_helper(0, idx);
3543 * Test that a server attempting to read early data can handle a connection
3544 * from a client where an HRR occurs.
3546 static int test_early_data_skip_hrr(int idx)
3548 return early_data_skip_helper(1, idx);
3552 * Test that a server attempting to read early data can handle a connection
3553 * from a client where an HRR occurs and correctly fails if early_data is sent
3556 static int test_early_data_skip_hrr_fail(int idx)
3558 return early_data_skip_helper(2, idx);
3562 * Test that a server attempting to read early data will abort if it tries to
3563 * skip over too much.
3565 static int test_early_data_skip_abort(int idx)
3567 return early_data_skip_helper(3, idx);
3571 * Test that a server attempting to read early data can handle a connection
3572 * from a client that doesn't send any.
3574 static int test_early_data_not_sent(int idx)
3576 SSL_CTX *cctx = NULL, *sctx = NULL;
3577 SSL *clientssl = NULL, *serverssl = NULL;
3579 SSL_SESSION *sess = NULL;
3580 unsigned char buf[20];
3581 size_t readbytes, written;
3583 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3584 &serverssl, &sess, idx)))
3587 /* Write some data - should block due to handshake with server */
3588 SSL_set_connect_state(clientssl);
3589 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3592 /* Server should detect that early data has not been sent */
3593 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3595 SSL_READ_EARLY_DATA_FINISH)
3596 || !TEST_size_t_eq(readbytes, 0)
3597 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3598 SSL_EARLY_DATA_NOT_SENT)
3599 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3600 SSL_EARLY_DATA_NOT_SENT))
3603 /* Continue writing the message we started earlier */
3604 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3605 || !TEST_size_t_eq(written, strlen(MSG1))
3606 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3607 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3608 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3609 || !TEST_size_t_eq(written, strlen(MSG2)))
3612 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3613 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3619 SSL_SESSION_free(sess);
3620 SSL_SESSION_free(clientpsk);
3621 SSL_SESSION_free(serverpsk);
3622 clientpsk = serverpsk = NULL;
3623 SSL_free(serverssl);
3624 SSL_free(clientssl);
3630 static const char *servalpn;
3632 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3633 unsigned char *outlen, const unsigned char *in,
3634 unsigned int inlen, void *arg)
3636 unsigned int protlen = 0;
3637 const unsigned char *prot;
3639 for (prot = in; prot < in + inlen; prot += protlen) {
3641 if (in + inlen < prot + protlen)
3642 return SSL_TLSEXT_ERR_NOACK;
3644 if (protlen == strlen(servalpn)
3645 && memcmp(prot, servalpn, protlen) == 0) {
3648 return SSL_TLSEXT_ERR_OK;
3652 return SSL_TLSEXT_ERR_NOACK;
3655 /* Test that a PSK can be used to send early_data */
3656 static int test_early_data_psk(int idx)
3658 SSL_CTX *cctx = NULL, *sctx = NULL;
3659 SSL *clientssl = NULL, *serverssl = NULL;
3661 SSL_SESSION *sess = NULL;
3662 unsigned char alpnlist[] = {
3663 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3666 #define GOODALPNLEN 9
3667 #define BADALPNLEN 8
3668 #define GOODALPN (alpnlist)
3669 #define BADALPN (alpnlist + GOODALPNLEN)
3671 unsigned char buf[20];
3672 size_t readbytes, written;
3673 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3674 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3676 /* We always set this up with a final parameter of "2" for PSK */
3677 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3678 &serverssl, &sess, 2)))
3681 servalpn = "goodalpn";
3684 * Note: There is no test for inconsistent SNI with late client detection.
3685 * This is because servers do not acknowledge SNI even if they are using
3686 * it in a resumption handshake - so it is not actually possible for a
3687 * client to detect a problem.
3691 /* Set inconsistent SNI (early client detection) */
3692 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3693 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3694 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3699 /* Set inconsistent ALPN (early client detection) */
3700 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3701 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3702 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3704 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3711 * Set invalid protocol version. Technically this affects PSKs without
3712 * early_data too, but we test it here because it is similar to the
3713 * SNI/ALPN consistency tests.
3715 err = SSL_R_BAD_PSK;
3716 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3722 * Set inconsistent SNI (server side). In this case the connection
3723 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3724 * is associated with each handshake - not the session. Therefore it
3725 * should not matter that we used a different server name last time.
3727 SSL_SESSION_free(serverpsk);
3728 serverpsk = SSL_SESSION_dup(clientpsk);
3729 if (!TEST_ptr(serverpsk)
3730 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3734 /* Set consistent SNI */
3735 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3736 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3737 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3744 * Set inconsistent ALPN (server detected). In this case the connection
3745 * will succeed but reject early_data.
3747 servalpn = "badalpn";
3748 edstatus = SSL_EARLY_DATA_REJECTED;
3749 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3753 * Set consistent ALPN.
3754 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3755 * accepts a list of protos (each one length prefixed).
3756 * SSL_set1_alpn_selected accepts a single protocol (not length
3759 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3761 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3765 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3769 /* Set inconsistent ALPN (late client detection) */
3770 SSL_SESSION_free(serverpsk);
3771 serverpsk = SSL_SESSION_dup(clientpsk);
3772 if (!TEST_ptr(serverpsk)
3773 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3776 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3779 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3782 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3783 edstatus = SSL_EARLY_DATA_ACCEPTED;
3784 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3785 /* SSL_connect() call should fail */
3790 TEST_error("Bad test index");
3794 SSL_set_connect_state(clientssl);
3796 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3798 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3799 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3802 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3806 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3807 &readbytes), readearlyres)
3808 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3809 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3810 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3811 || !TEST_int_eq(SSL_connect(clientssl), connectres))
3818 SSL_SESSION_free(sess);
3819 SSL_SESSION_free(clientpsk);
3820 SSL_SESSION_free(serverpsk);
3821 clientpsk = serverpsk = NULL;
3822 SSL_free(serverssl);
3823 SSL_free(clientssl);
3830 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
3831 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
3832 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
3833 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3834 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
3835 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
3837 static int test_early_data_psk_with_all_ciphers(int idx)
3839 SSL_CTX *cctx = NULL, *sctx = NULL;
3840 SSL *clientssl = NULL, *serverssl = NULL;
3842 SSL_SESSION *sess = NULL;
3843 unsigned char buf[20];
3844 size_t readbytes, written;
3845 const SSL_CIPHER *cipher;
3846 const char *cipher_str[] = {
3847 TLS1_3_RFC_AES_128_GCM_SHA256,
3848 TLS1_3_RFC_AES_256_GCM_SHA384,
3849 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3850 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3854 TLS1_3_RFC_AES_128_CCM_SHA256,
3855 TLS1_3_RFC_AES_128_CCM_8_SHA256
3857 const unsigned char *cipher_bytes[] = {
3858 TLS13_AES_128_GCM_SHA256_BYTES,
3859 TLS13_AES_256_GCM_SHA384_BYTES,
3860 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3861 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
3865 TLS13_AES_128_CCM_SHA256_BYTES,
3866 TLS13_AES_128_CCM_8_SHA256_BYTES
3869 if (cipher_str[idx] == NULL)
3871 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
3872 if (idx == 2 && is_fips == 1)
3875 /* We always set this up with a final parameter of "2" for PSK */
3876 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3877 &serverssl, &sess, 2)))
3880 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
3881 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
3885 * 'setupearly_data_test' creates only one instance of SSL_SESSION
3886 * and assigns to both client and server with incremented reference
3887 * and the same instance is updated in 'sess'.
3888 * So updating ciphersuite in 'sess' which will get reflected in
3889 * PSK handshake using psk use sess and find sess cb.
3891 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
3892 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
3895 SSL_set_connect_state(clientssl);
3896 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3900 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3902 SSL_READ_EARLY_DATA_SUCCESS)
3903 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3904 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3905 SSL_EARLY_DATA_ACCEPTED)
3906 || !TEST_int_eq(SSL_connect(clientssl), 1)
3907 || !TEST_int_eq(SSL_accept(serverssl), 1))
3910 /* Send some normal data from client to server */
3911 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3912 || !TEST_size_t_eq(written, strlen(MSG2)))
3915 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3916 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3921 SSL_SESSION_free(sess);
3922 SSL_SESSION_free(clientpsk);
3923 SSL_SESSION_free(serverpsk);
3924 clientpsk = serverpsk = NULL;
3925 if (clientssl != NULL)
3926 SSL_shutdown(clientssl);
3927 if (serverssl != NULL)
3928 SSL_shutdown(serverssl);
3929 SSL_free(serverssl);
3930 SSL_free(clientssl);
3937 * Test that a server that doesn't try to read early data can handle a
3938 * client sending some.
3940 static int test_early_data_not_expected(int idx)
3942 SSL_CTX *cctx = NULL, *sctx = NULL;
3943 SSL *clientssl = NULL, *serverssl = NULL;
3945 SSL_SESSION *sess = NULL;
3946 unsigned char buf[20];
3947 size_t readbytes, written;
3949 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3950 &serverssl, &sess, idx)))
3953 /* Write some early data */
3954 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3959 * Server should skip over early data and then block waiting for client to
3960 * continue handshake
3962 if (!TEST_int_le(SSL_accept(serverssl), 0)
3963 || !TEST_int_gt(SSL_connect(clientssl), 0)
3964 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3965 SSL_EARLY_DATA_REJECTED)
3966 || !TEST_int_gt(SSL_accept(serverssl), 0)
3967 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3968 SSL_EARLY_DATA_REJECTED))
3971 /* Send some normal data from client to server */
3972 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3973 || !TEST_size_t_eq(written, strlen(MSG2)))
3976 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3977 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3983 SSL_SESSION_free(sess);
3984 SSL_SESSION_free(clientpsk);
3985 SSL_SESSION_free(serverpsk);
3986 clientpsk = serverpsk = NULL;
3987 SSL_free(serverssl);
3988 SSL_free(clientssl);
3995 # ifndef OPENSSL_NO_TLS1_2
3997 * Test that a server attempting to read early data can handle a connection
3998 * from a TLSv1.2 client.
4000 static int test_early_data_tls1_2(int idx)
4002 SSL_CTX *cctx = NULL, *sctx = NULL;
4003 SSL *clientssl = NULL, *serverssl = NULL;
4005 unsigned char buf[20];
4006 size_t readbytes, written;
4008 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4009 &serverssl, NULL, idx)))
4012 /* Write some data - should block due to handshake with server */
4013 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4014 SSL_set_connect_state(clientssl);
4015 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4019 * Server should do TLSv1.2 handshake. First it will block waiting for more
4020 * messages from client after ServerDone. Then SSL_read_early_data should
4021 * finish and detect that early data has not been sent
4023 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4025 SSL_READ_EARLY_DATA_ERROR))
4029 * Continue writing the message we started earlier. Will still block waiting
4030 * for the CCS/Finished from server
4032 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4033 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4035 SSL_READ_EARLY_DATA_FINISH)
4036 || !TEST_size_t_eq(readbytes, 0)
4037 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4038 SSL_EARLY_DATA_NOT_SENT))
4041 /* Continue writing the message we started earlier */
4042 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4043 || !TEST_size_t_eq(written, strlen(MSG1))
4044 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4045 SSL_EARLY_DATA_NOT_SENT)
4046 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4047 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4048 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4049 || !TEST_size_t_eq(written, strlen(MSG2))
4050 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4051 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4057 SSL_SESSION_free(clientpsk);
4058 SSL_SESSION_free(serverpsk);
4059 clientpsk = serverpsk = NULL;
4060 SSL_free(serverssl);
4061 SSL_free(clientssl);
4067 # endif /* OPENSSL_NO_TLS1_2 */
4070 * Test configuring the TLSv1.3 ciphersuites
4072 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4073 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4074 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4075 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4076 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4077 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4078 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4079 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4080 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4081 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4083 static int test_set_ciphersuite(int idx)
4085 SSL_CTX *cctx = NULL, *sctx = NULL;
4086 SSL *clientssl = NULL, *serverssl = NULL;
4089 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4090 TLS_client_method(), TLS1_VERSION, 0,
4091 &sctx, &cctx, cert, privkey))
4092 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4093 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4096 if (idx >=4 && idx <= 7) {
4097 /* SSL_CTX explicit cipher list */
4098 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4102 if (idx == 0 || idx == 4) {
4103 /* Default ciphersuite */
4104 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4105 "TLS_AES_128_GCM_SHA256")))
4107 } else if (idx == 1 || idx == 5) {
4108 /* Non default ciphersuite */
4109 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4110 "TLS_AES_128_CCM_SHA256")))
4114 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4115 &clientssl, NULL, NULL)))
4118 if (idx == 8 || idx == 9) {
4119 /* SSL explicit cipher list */
4120 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4124 if (idx == 2 || idx == 6 || idx == 8) {
4125 /* Default ciphersuite */
4126 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4127 "TLS_AES_128_GCM_SHA256")))
4129 } else if (idx == 3 || idx == 7 || idx == 9) {
4130 /* Non default ciphersuite */
4131 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4132 "TLS_AES_128_CCM_SHA256")))
4136 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4142 SSL_free(serverssl);
4143 SSL_free(clientssl);
4150 static int test_ciphersuite_change(void)
4152 SSL_CTX *cctx = NULL, *sctx = NULL;
4153 SSL *clientssl = NULL, *serverssl = NULL;
4154 SSL_SESSION *clntsess = NULL;
4156 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4158 /* Create a session based on SHA-256 */
4159 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4160 TLS_client_method(), TLS1_VERSION, 0,
4161 &sctx, &cctx, cert, privkey))
4162 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4163 "TLS_AES_128_GCM_SHA256:"
4164 "TLS_AES_256_GCM_SHA384:"
4165 "TLS_AES_128_CCM_SHA256"))
4166 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4167 "TLS_AES_128_GCM_SHA256"))
4168 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4169 &clientssl, NULL, NULL))
4170 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4174 clntsess = SSL_get1_session(clientssl);
4175 /* Save for later */
4176 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4177 SSL_shutdown(clientssl);
4178 SSL_shutdown(serverssl);
4179 SSL_free(serverssl);
4180 SSL_free(clientssl);
4181 serverssl = clientssl = NULL;
4183 /* Check we can resume a session with a different SHA-256 ciphersuite */
4184 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4185 "TLS_AES_128_CCM_SHA256"))
4186 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4187 &clientssl, NULL, NULL))
4188 || !TEST_true(SSL_set_session(clientssl, clntsess))
4189 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4191 || !TEST_true(SSL_session_reused(clientssl)))
4194 SSL_SESSION_free(clntsess);
4195 clntsess = SSL_get1_session(clientssl);
4196 SSL_shutdown(clientssl);
4197 SSL_shutdown(serverssl);
4198 SSL_free(serverssl);
4199 SSL_free(clientssl);
4200 serverssl = clientssl = NULL;
4203 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4204 * succeeds but does not resume.
4206 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4207 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4209 || !TEST_true(SSL_set_session(clientssl, clntsess))
4210 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4212 || !TEST_false(SSL_session_reused(clientssl)))
4215 SSL_SESSION_free(clntsess);
4217 SSL_shutdown(clientssl);
4218 SSL_shutdown(serverssl);
4219 SSL_free(serverssl);
4220 SSL_free(clientssl);
4221 serverssl = clientssl = NULL;
4223 /* Create a session based on SHA384 */
4224 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4225 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4226 &clientssl, NULL, NULL))
4227 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4231 clntsess = SSL_get1_session(clientssl);
4232 SSL_shutdown(clientssl);
4233 SSL_shutdown(serverssl);
4234 SSL_free(serverssl);
4235 SSL_free(clientssl);
4236 serverssl = clientssl = NULL;
4238 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4239 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4240 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4241 "TLS_AES_256_GCM_SHA384"))
4242 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4244 || !TEST_true(SSL_set_session(clientssl, clntsess))
4246 * We use SSL_ERROR_WANT_READ below so that we can pause the
4247 * connection after the initial ClientHello has been sent to
4248 * enable us to make some session changes.
4250 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4251 SSL_ERROR_WANT_READ)))
4254 /* Trick the client into thinking this session is for a different digest */
4255 clntsess->cipher = aes_128_gcm_sha256;
4256 clntsess->cipher_id = clntsess->cipher->id;
4259 * Continue the previously started connection. Server has selected a SHA-384
4260 * ciphersuite, but client thinks the session is for SHA-256, so it should
4263 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4265 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4266 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4272 SSL_SESSION_free(clntsess);
4273 SSL_free(serverssl);
4274 SSL_free(clientssl);
4282 * Test TLSv1.3 Key exchange
4283 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4284 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4285 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4286 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4287 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4288 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4289 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4290 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4291 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4292 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4293 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4294 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4295 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4296 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4298 static int test_key_exchange(int idx)
4300 SSL_CTX *sctx = NULL, *cctx = NULL;
4301 SSL *serverssl = NULL, *clientssl = NULL;
4303 # ifndef OPENSSL_NO_EC
4304 int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4305 NID_secp521r1, NID_X25519, NID_X448};
4307 # ifndef OPENSSL_NO_DH
4308 int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4309 NID_ffdhe6144, NID_ffdhe8192};
4312 int *kexch_groups = &kexch_alg;
4313 int kexch_groups_size = 1;
4314 int max_version = TLS1_3_VERSION;
4317 # ifndef OPENSSL_NO_EC
4318 # ifndef OPENSSL_NO_TLS1_2
4320 max_version = TLS1_2_VERSION;
4324 kexch_groups = ecdhe_kexch_groups;
4325 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4328 kexch_alg = NID_X9_62_prime256v1;
4331 kexch_alg = NID_secp384r1;
4334 kexch_alg = NID_secp521r1;
4337 kexch_alg = NID_X25519;
4340 kexch_alg = NID_X448;
4343 # ifndef OPENSSL_NO_DH
4344 # ifndef OPENSSL_NO_TLS1_2
4346 max_version = TLS1_2_VERSION;
4350 kexch_groups = ffdhe_kexch_groups;
4351 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4354 kexch_alg = NID_ffdhe2048;
4357 kexch_alg = NID_ffdhe3072;
4360 kexch_alg = NID_ffdhe4096;
4363 kexch_alg = NID_ffdhe6144;
4366 kexch_alg = NID_ffdhe8192;
4370 /* We're skipping this test */
4374 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4375 TLS_client_method(), TLS1_VERSION,
4376 max_version, &sctx, &cctx, cert,
4380 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4381 TLS1_3_RFC_AES_128_GCM_SHA256)))
4384 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4385 TLS1_3_RFC_AES_128_GCM_SHA256)))
4388 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4389 TLS1_TXT_RSA_WITH_AES_128_SHA)))
4393 * Must include an EC ciphersuite so that we send supported groups in
4396 # ifndef OPENSSL_NO_TLS1_2
4397 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4398 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM ":"
4399 TLS1_TXT_RSA_WITH_AES_128_SHA)))
4403 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4407 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4408 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4411 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4415 * If Handshake succeeds the negotiated kexch alg should be the first one in
4416 * configured, except in the case of FFDHE groups (idx 13), which are
4417 * TLSv1.3 only so we expect no shared group to exist.
4419 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
4420 idx == 13 ? 0 : kexch_groups[0]))
4422 if (max_version == TLS1_3_VERSION) {
4423 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4425 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4431 SSL_free(serverssl);
4432 SSL_free(clientssl);
4439 * Test TLSv1.3 Cipher Suite
4440 * Test 0 = Set TLS1.3 cipher on context
4441 * Test 1 = Set TLS1.3 cipher on SSL
4442 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4443 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4445 static int test_tls13_ciphersuite(int idx)
4447 SSL_CTX *sctx = NULL, *cctx = NULL;
4448 SSL *serverssl = NULL, *clientssl = NULL;
4449 static const struct {
4450 const char *ciphername;
4453 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
4454 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
4455 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
4456 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4457 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4458 { TLS1_3_RFC_AES_256_GCM_SHA384
4459 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4461 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
4463 const char *t13_cipher = NULL;
4464 const char *t12_cipher = NULL;
4465 const char *negotiated_scipher;
4466 const char *negotiated_ccipher;
4482 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4486 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4490 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
4491 # ifdef OPENSSL_NO_TLS1_2
4492 if (max_ver == TLS1_2_VERSION)
4495 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4496 if (is_fips && !t13_ciphers[i].fipscapable)
4498 t13_cipher = t13_ciphers[i].ciphername;
4499 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4500 TLS_client_method(),
4501 TLS1_VERSION, max_ver,
4502 &sctx, &cctx, cert, privkey)))
4506 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
4507 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
4509 if (t12_cipher != NULL) {
4510 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
4511 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
4517 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4518 &clientssl, NULL, NULL)))
4522 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
4523 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
4525 if (t12_cipher != NULL) {
4526 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
4527 || !TEST_true(SSL_set_cipher_list(clientssl,
4533 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4537 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4539 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4541 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
4545 * TEST_strn_eq is used below because t13_cipher can contain
4546 * multiple ciphersuites
4548 if (max_ver == TLS1_3_VERSION
4549 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
4550 strlen(negotiated_scipher)))
4553 # ifndef OPENSSL_NO_TLS1_2
4554 /* Below validation is not done when t12_cipher is NULL */
4555 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
4556 && !TEST_str_eq(t12_cipher, negotiated_scipher))
4560 SSL_free(serverssl);
4562 SSL_free(clientssl);
4573 SSL_free(serverssl);
4574 SSL_free(clientssl);
4582 * Test 0 = Test new style callbacks
4583 * Test 1 = Test both new and old style callbacks
4584 * Test 2 = Test old style callbacks
4585 * Test 3 = Test old style callbacks with no certificate
4587 static int test_tls13_psk(int idx)
4589 SSL_CTX *sctx = NULL, *cctx = NULL;
4590 SSL *serverssl = NULL, *clientssl = NULL;
4591 const SSL_CIPHER *cipher = NULL;
4592 const unsigned char key[] = {
4593 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4594 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
4595 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
4596 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
4600 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4601 TLS_client_method(), TLS1_VERSION, 0,
4602 &sctx, &cctx, idx == 3 ? NULL : cert,
4603 idx == 3 ? NULL : privkey)))
4608 * We use a ciphersuite with SHA256 to ease testing old style PSK
4609 * callbacks which will always default to SHA256. This should not be
4610 * necessary if we have no cert/priv key. In that case the server should
4611 * prefer SHA256 automatically.
4613 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4614 "TLS_AES_128_GCM_SHA256")))
4618 * As noted above the server should prefer SHA256 automatically. However
4619 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
4620 * code works even if we are testing with only the FIPS provider loaded.
4622 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4623 "TLS_AES_256_GCM_SHA384:"
4624 "TLS_AES_128_GCM_SHA256")))
4629 * Test 0: New style callbacks only
4630 * Test 1: New and old style callbacks (only the new ones should be used)
4631 * Test 2: Old style callbacks only
4633 if (idx == 0 || idx == 1) {
4634 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
4635 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
4637 #ifndef OPENSSL_NO_PSK
4639 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
4640 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
4644 use_session_cb_cnt = 0;
4645 find_session_cb_cnt = 0;
4646 psk_client_cb_cnt = 0;
4647 psk_server_cb_cnt = 0;
4651 * Check we can create a connection if callback decides not to send a
4654 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4656 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4658 || !TEST_false(SSL_session_reused(clientssl))
4659 || !TEST_false(SSL_session_reused(serverssl)))
4662 if (idx == 0 || idx == 1) {
4663 if (!TEST_true(use_session_cb_cnt == 1)
4664 || !TEST_true(find_session_cb_cnt == 0)
4666 * If no old style callback then below should be 0
4669 || !TEST_true(psk_client_cb_cnt == idx)
4670 || !TEST_true(psk_server_cb_cnt == 0))
4673 if (!TEST_true(use_session_cb_cnt == 0)
4674 || !TEST_true(find_session_cb_cnt == 0)
4675 || !TEST_true(psk_client_cb_cnt == 1)
4676 || !TEST_true(psk_server_cb_cnt == 0))
4680 shutdown_ssl_connection(serverssl, clientssl);
4681 serverssl = clientssl = NULL;
4682 use_session_cb_cnt = psk_client_cb_cnt = 0;
4685 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4689 /* Create the PSK */
4690 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
4691 clientpsk = SSL_SESSION_new();
4692 if (!TEST_ptr(clientpsk)
4693 || !TEST_ptr(cipher)
4694 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
4696 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
4697 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
4699 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
4701 serverpsk = clientpsk;
4703 /* Check we can create a connection and the PSK is used */
4704 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4705 || !TEST_true(SSL_session_reused(clientssl))
4706 || !TEST_true(SSL_session_reused(serverssl)))
4709 if (idx == 0 || idx == 1) {
4710 if (!TEST_true(use_session_cb_cnt == 1)
4711 || !TEST_true(find_session_cb_cnt == 1)
4712 || !TEST_true(psk_client_cb_cnt == 0)
4713 || !TEST_true(psk_server_cb_cnt == 0))
4716 if (!TEST_true(use_session_cb_cnt == 0)
4717 || !TEST_true(find_session_cb_cnt == 0)
4718 || !TEST_true(psk_client_cb_cnt == 1)
4719 || !TEST_true(psk_server_cb_cnt == 1))
4723 shutdown_ssl_connection(serverssl, clientssl);
4724 serverssl = clientssl = NULL;
4725 use_session_cb_cnt = find_session_cb_cnt = 0;
4726 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4728 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4733 #if defined(OPENSSL_NO_EC)
4734 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
4737 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
4742 * Check we can create a connection, the PSK is used and the callbacks are
4745 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4746 || !TEST_true(SSL_session_reused(clientssl))
4747 || !TEST_true(SSL_session_reused(serverssl)))
4750 if (idx == 0 || idx == 1) {
4751 if (!TEST_true(use_session_cb_cnt == 2)
4752 || !TEST_true(find_session_cb_cnt == 2)
4753 || !TEST_true(psk_client_cb_cnt == 0)
4754 || !TEST_true(psk_server_cb_cnt == 0))
4757 if (!TEST_true(use_session_cb_cnt == 0)
4758 || !TEST_true(find_session_cb_cnt == 0)
4759 || !TEST_true(psk_client_cb_cnt == 2)
4760 || !TEST_true(psk_server_cb_cnt == 2))
4764 shutdown_ssl_connection(serverssl, clientssl);
4765 serverssl = clientssl = NULL;
4766 use_session_cb_cnt = find_session_cb_cnt = 0;
4767 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4771 * Check that if the server rejects the PSK we can still connect, but with
4774 srvid = "Dummy Identity";
4775 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4777 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4779 || !TEST_false(SSL_session_reused(clientssl))
4780 || !TEST_false(SSL_session_reused(serverssl)))
4783 if (idx == 0 || idx == 1) {
4784 if (!TEST_true(use_session_cb_cnt == 1)
4785 || !TEST_true(find_session_cb_cnt == 1)
4786 || !TEST_true(psk_client_cb_cnt == 0)
4788 * If no old style callback then below should be 0
4791 || !TEST_true(psk_server_cb_cnt == idx))
4794 if (!TEST_true(use_session_cb_cnt == 0)
4795 || !TEST_true(find_session_cb_cnt == 0)
4796 || !TEST_true(psk_client_cb_cnt == 1)
4797 || !TEST_true(psk_server_cb_cnt == 1))
4801 shutdown_ssl_connection(serverssl, clientssl);
4802 serverssl = clientssl = NULL;
4807 SSL_SESSION_free(clientpsk);
4808 SSL_SESSION_free(serverpsk);
4809 clientpsk = serverpsk = NULL;
4810 SSL_free(serverssl);
4811 SSL_free(clientssl);
4817 static unsigned char cookie_magic_value[] = "cookie magic";
4819 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
4820 unsigned int *cookie_len)
4823 * Not suitable as a real cookie generation function but good enough for
4826 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
4827 *cookie_len = sizeof(cookie_magic_value) - 1;
4832 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
4833 unsigned int cookie_len)
4835 if (cookie_len == sizeof(cookie_magic_value) - 1
4836 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
4842 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
4846 int res = generate_cookie_callback(ssl, cookie, &temp);
4851 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
4854 return verify_cookie_callback(ssl, cookie, cookie_len);
4857 static int test_stateless(void)
4859 SSL_CTX *sctx = NULL, *cctx = NULL;
4860 SSL *serverssl = NULL, *clientssl = NULL;
4863 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4864 TLS_client_method(), TLS1_VERSION, 0,
4865 &sctx, &cctx, cert, privkey)))
4868 /* The arrival of CCS messages can confuse the test */
4869 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
4871 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4873 /* Send the first ClientHello */
4874 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4875 SSL_ERROR_WANT_READ))
4877 * This should fail with a -1 return because we have no callbacks
4880 || !TEST_int_eq(SSL_stateless(serverssl), -1))
4883 /* Fatal error so abandon the connection from this client */
4884 SSL_free(clientssl);
4887 /* Set up the cookie generation and verification callbacks */
4888 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
4889 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
4892 * Create a new connection from the client (we can reuse the server SSL
4895 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4897 /* Send the first ClientHello */
4898 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4899 SSL_ERROR_WANT_READ))
4900 /* This should fail because there is no cookie */
4901 || !TEST_int_eq(SSL_stateless(serverssl), 0))
4904 /* Abandon the connection from this client */
4905 SSL_free(clientssl);
4909 * Now create a connection from a new client but with the same server SSL
4912 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4914 /* Send the first ClientHello */
4915 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4916 SSL_ERROR_WANT_READ))
4917 /* This should fail because there is no cookie */
4918 || !TEST_int_eq(SSL_stateless(serverssl), 0)
4919 /* Send the second ClientHello */
4920 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4921 SSL_ERROR_WANT_READ))
4922 /* This should succeed because a cookie is now present */
4923 || !TEST_int_eq(SSL_stateless(serverssl), 1)
4924 /* Complete the connection */
4925 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4929 shutdown_ssl_connection(serverssl, clientssl);
4930 serverssl = clientssl = NULL;
4934 SSL_free(serverssl);
4935 SSL_free(clientssl);
4941 #endif /* OPENSSL_NO_TLS1_3 */
4943 static int clntaddoldcb = 0;
4944 static int clntparseoldcb = 0;
4945 static int srvaddoldcb = 0;
4946 static int srvparseoldcb = 0;
4947 static int clntaddnewcb = 0;
4948 static int clntparsenewcb = 0;
4949 static int srvaddnewcb = 0;
4950 static int srvparsenewcb = 0;
4951 static int snicb = 0;
4953 #define TEST_EXT_TYPE1 0xff00
4955 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
4956 size_t *outlen, int *al, void *add_arg)
4958 int *server = (int *)add_arg;
4959 unsigned char *data;
4961 if (SSL_is_server(s))
4966 if (*server != SSL_is_server(s)
4967 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4972 *outlen = sizeof(char);
4976 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
4979 OPENSSL_free((unsigned char *)out);
4982 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
4983 size_t inlen, int *al, void *parse_arg)
4985 int *server = (int *)parse_arg;
4987 if (SSL_is_server(s))
4992 if (*server != SSL_is_server(s)
4993 || inlen != sizeof(char)
5000 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5001 const unsigned char **out, size_t *outlen, X509 *x,
5002 size_t chainidx, int *al, void *add_arg)
5004 int *server = (int *)add_arg;
5005 unsigned char *data;
5007 if (SSL_is_server(s))
5012 if (*server != SSL_is_server(s)
5013 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5018 *outlen = sizeof(*data);
5022 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5023 const unsigned char *out, void *add_arg)
5025 OPENSSL_free((unsigned char *)out);
5028 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5029 const unsigned char *in, size_t inlen, X509 *x,
5030 size_t chainidx, int *al, void *parse_arg)
5032 int *server = (int *)parse_arg;
5034 if (SSL_is_server(s))
5039 if (*server != SSL_is_server(s)
5040 || inlen != sizeof(char) || *in != 1)
5046 static int sni_cb(SSL *s, int *al, void *arg)
5048 SSL_CTX *ctx = (SSL_CTX *)arg;
5050 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5051 *al = SSL_AD_INTERNAL_ERROR;
5052 return SSL_TLSEXT_ERR_ALERT_FATAL;
5055 return SSL_TLSEXT_ERR_OK;
5059 * Custom call back tests.
5060 * Test 0: Old style callbacks in TLSv1.2
5061 * Test 1: New style callbacks in TLSv1.2
5062 * Test 2: New style callbacks in TLSv1.2 with SNI
5063 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5064 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
5066 static int test_custom_exts(int tst)
5068 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5069 SSL *clientssl = NULL, *serverssl = NULL;
5071 static int server = 1;
5072 static int client = 0;
5073 SSL_SESSION *sess = NULL;
5074 unsigned int context;
5076 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
5077 /* Skip tests for TLSv1.2 and below in this case */
5082 /* Reset callback counters */
5083 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5084 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
5087 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5088 TLS_client_method(), TLS1_VERSION, 0,
5089 &sctx, &cctx, cert, privkey)))
5093 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5095 &sctx2, NULL, cert, privkey)))
5100 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5101 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
5103 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
5107 context = SSL_EXT_CLIENT_HELLO
5108 | SSL_EXT_TLS1_2_SERVER_HELLO
5109 | SSL_EXT_TLS1_3_SERVER_HELLO
5110 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5111 | SSL_EXT_TLS1_3_CERTIFICATE
5112 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5114 context = SSL_EXT_CLIENT_HELLO
5115 | SSL_EXT_TLS1_2_SERVER_HELLO
5116 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5119 /* Create a client side custom extension */
5121 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5122 old_add_cb, old_free_cb,
5123 &client, old_parse_cb,
5127 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5128 new_add_cb, new_free_cb,
5129 &client, new_parse_cb, &client)))
5133 /* Should not be able to add duplicates */
5134 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5135 old_add_cb, old_free_cb,
5136 &client, old_parse_cb,
5138 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5139 context, new_add_cb,
5140 new_free_cb, &client,
5141 new_parse_cb, &client)))
5144 /* Create a server side custom extension */
5146 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5147 old_add_cb, old_free_cb,
5148 &server, old_parse_cb,
5152 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5153 new_add_cb, new_free_cb,
5154 &server, new_parse_cb, &server)))
5157 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5158 context, new_add_cb,
5159 new_free_cb, &server,
5160 new_parse_cb, &server)))
5164 /* Should not be able to add duplicates */
5165 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5166 old_add_cb, old_free_cb,
5167 &server, old_parse_cb,
5169 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5170 context, new_add_cb,
5171 new_free_cb, &server,
5172 new_parse_cb, &server)))
5177 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5178 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5182 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5183 &clientssl, NULL, NULL))
5184 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5189 if (clntaddoldcb != 1
5190 || clntparseoldcb != 1
5192 || srvparseoldcb != 1)
5194 } else if (tst == 1 || tst == 2 || tst == 3) {
5195 if (clntaddnewcb != 1
5196 || clntparsenewcb != 1
5198 || srvparsenewcb != 1
5199 || (tst != 2 && snicb != 0)
5200 || (tst == 2 && snicb != 1))
5203 /* In this case there 2 NewSessionTicket messages created */
5204 if (clntaddnewcb != 1
5205 || clntparsenewcb != 5
5207 || srvparsenewcb != 1)
5211 sess = SSL_get1_session(clientssl);
5212 SSL_shutdown(clientssl);
5213 SSL_shutdown(serverssl);
5214 SSL_free(serverssl);
5215 SSL_free(clientssl);
5216 serverssl = clientssl = NULL;
5219 /* We don't bother with the resumption aspects for this test */
5224 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5226 || !TEST_true(SSL_set_session(clientssl, sess))
5227 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5232 * For a resumed session we expect to add the ClientHello extension. For the
5233 * old style callbacks we ignore it on the server side because they set
5234 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5238 if (clntaddoldcb != 2
5239 || clntparseoldcb != 1
5241 || srvparseoldcb != 1)
5243 } else if (tst == 1 || tst == 2 || tst == 3) {
5244 if (clntaddnewcb != 2
5245 || clntparsenewcb != 2
5247 || srvparsenewcb != 2)
5251 * No Certificate message extensions in the resumption handshake,
5252 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5254 if (clntaddnewcb != 2
5255 || clntparsenewcb != 8
5257 || srvparsenewcb != 2)
5264 SSL_SESSION_free(sess);
5265 SSL_free(serverssl);
5266 SSL_free(clientssl);
5267 SSL_CTX_free(sctx2);
5274 * Test loading of serverinfo data in various formats. test_sslmessages actually
5275 * tests to make sure the extensions appear in the handshake
5277 static int test_serverinfo(int tst)
5279 unsigned int version;
5280 unsigned char *sibuf;
5282 int ret, expected, testresult = 0;
5285 ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method());
5289 if ((tst & 0x01) == 0x01)
5290 version = SSL_SERVERINFOV2;
5292 version = SSL_SERVERINFOV1;
5294 if ((tst & 0x02) == 0x02) {
5295 sibuf = serverinfov2;
5296 sibuflen = sizeof(serverinfov2);
5297 expected = (version == SSL_SERVERINFOV2);
5299 sibuf = serverinfov1;
5300 sibuflen = sizeof(serverinfov1);
5301 expected = (version == SSL_SERVERINFOV1);
5304 if ((tst & 0x04) == 0x04) {
5305 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
5307 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
5310 * The version variable is irrelevant in this case - it's what is in the
5311 * buffer that matters
5313 if ((tst & 0x02) == 0x02)
5319 if (!TEST_true(ret == expected))
5331 * Test that SSL_export_keying_material() produces expected results. There are
5332 * no test vectors so all we do is test that both sides of the communication
5333 * produce the same results for different protocol versions.
5335 #define SMALL_LABEL_LEN 10
5336 #define LONG_LABEL_LEN 249
5337 static int test_export_key_mat(int tst)
5340 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5341 SSL *clientssl = NULL, *serverssl = NULL;
5342 const char label[LONG_LABEL_LEN + 1] = "test label";
5343 const unsigned char context[] = "context";
5344 const unsigned char *emptycontext = NULL;
5345 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
5346 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
5348 const int protocols[] = {
5357 #ifdef OPENSSL_NO_TLS1
5361 #ifdef OPENSSL_NO_TLS1_1
5365 if (is_fips && (tst == 0 || tst == 1))
5367 #ifdef OPENSSL_NO_TLS1_2
5371 #ifdef OPENSSL_NO_TLS1_3
5375 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5376 TLS_client_method(), TLS1_VERSION, 0,
5377 &sctx, &cctx, cert, privkey)))
5380 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
5381 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
5382 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
5383 if ((protocols[tst] < TLS1_2_VERSION) &&
5384 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
5385 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
5388 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5393 * Premature call of SSL_export_keying_material should just fail.
5395 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5396 sizeof(ckeymat1), label,
5397 SMALL_LABEL_LEN + 1, context,
5398 sizeof(context) - 1, 1), 0))
5401 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5407 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
5410 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5411 sizeof(ckeymat1), label,
5412 LONG_LABEL_LEN + 1, context,
5413 sizeof(context) - 1, 1), 0))
5418 } else if (tst == 4) {
5419 labellen = LONG_LABEL_LEN;
5421 labellen = SMALL_LABEL_LEN;
5424 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
5425 sizeof(ckeymat1), label,
5427 sizeof(context) - 1, 1), 1)
5428 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
5429 sizeof(ckeymat2), label,
5433 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
5434 sizeof(ckeymat3), label,
5437 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
5438 sizeof(skeymat1), label,
5441 sizeof(context) -1, 1),
5443 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
5444 sizeof(skeymat2), label,
5448 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
5449 sizeof(skeymat3), label,
5453 * Check that both sides created the same key material with the
5456 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5459 * Check that both sides created the same key material with an
5462 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5465 * Check that both sides created the same key material without a
5468 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
5470 /* Different contexts should produce different results */
5471 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5476 * Check that an empty context and no context produce different results in
5477 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
5479 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
5481 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
5488 SSL_free(serverssl);
5489 SSL_free(clientssl);
5490 SSL_CTX_free(sctx2);
5497 #ifndef OPENSSL_NO_TLS1_3
5499 * Test that SSL_export_keying_material_early() produces expected
5500 * results. There are no test vectors so all we do is test that both
5501 * sides of the communication produce the same results for different
5502 * protocol versions.
5504 static int test_export_key_mat_early(int idx)
5506 static const char label[] = "test label";
5507 static const unsigned char context[] = "context";
5509 SSL_CTX *cctx = NULL, *sctx = NULL;
5510 SSL *clientssl = NULL, *serverssl = NULL;
5511 SSL_SESSION *sess = NULL;
5512 const unsigned char *emptycontext = NULL;
5513 unsigned char ckeymat1[80], ckeymat2[80];
5514 unsigned char skeymat1[80], skeymat2[80];
5515 unsigned char buf[1];
5516 size_t readbytes, written;
5518 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
5522 /* Here writing 0 length early data is enough. */
5523 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
5524 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
5526 SSL_READ_EARLY_DATA_ERROR)
5527 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5528 SSL_EARLY_DATA_ACCEPTED))
5531 if (!TEST_int_eq(SSL_export_keying_material_early(
5532 clientssl, ckeymat1, sizeof(ckeymat1), label,
5533 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5534 || !TEST_int_eq(SSL_export_keying_material_early(
5535 clientssl, ckeymat2, sizeof(ckeymat2), label,
5536 sizeof(label) - 1, emptycontext, 0), 1)
5537 || !TEST_int_eq(SSL_export_keying_material_early(
5538 serverssl, skeymat1, sizeof(skeymat1), label,
5539 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5540 || !TEST_int_eq(SSL_export_keying_material_early(
5541 serverssl, skeymat2, sizeof(skeymat2), label,
5542 sizeof(label) - 1, emptycontext, 0), 1)
5544 * Check that both sides created the same key material with the
5547 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5550 * Check that both sides created the same key material with an
5553 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5555 /* Different contexts should produce different results */
5556 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5563 SSL_SESSION_free(sess);
5564 SSL_SESSION_free(clientpsk);
5565 SSL_SESSION_free(serverpsk);
5566 clientpsk = serverpsk = NULL;
5567 SSL_free(serverssl);
5568 SSL_free(clientssl);
5575 #define NUM_KEY_UPDATE_MESSAGES 40
5579 static int test_key_update(void)
5581 SSL_CTX *cctx = NULL, *sctx = NULL;
5582 SSL *clientssl = NULL, *serverssl = NULL;
5583 int testresult = 0, i, j;
5585 static char *mess = "A test message";
5587 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5588 TLS_client_method(),
5591 &sctx, &cctx, cert, privkey))
5592 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5594 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5598 for (j = 0; j < 2; j++) {
5599 /* Send lots of KeyUpdate messages */
5600 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
5601 if (!TEST_true(SSL_key_update(clientssl,
5603 ? SSL_KEY_UPDATE_NOT_REQUESTED
5604 : SSL_KEY_UPDATE_REQUESTED))
5605 || !TEST_true(SSL_do_handshake(clientssl)))
5609 /* Check that sending and receiving app data is ok */
5610 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
5611 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
5615 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
5616 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
5624 SSL_free(serverssl);
5625 SSL_free(clientssl);
5633 * Test we can handle a KeyUpdate (update requested) message while write data
5635 * Test 0: Client sends KeyUpdate while Server is writing
5636 * Test 1: Server sends KeyUpdate while Client is writing
5638 static int test_key_update_in_write(int tst)
5640 SSL_CTX *cctx = NULL, *sctx = NULL;
5641 SSL *clientssl = NULL, *serverssl = NULL;
5644 static char *mess = "A test message";
5645 BIO *bretry = BIO_new(bio_s_always_retry());
5647 SSL *peerupdate = NULL, *peerwrite = NULL;
5649 if (!TEST_ptr(bretry)
5650 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5651 TLS_client_method(),
5654 &sctx, &cctx, cert, privkey))
5655 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5657 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5661 peerupdate = tst == 0 ? clientssl : serverssl;
5662 peerwrite = tst == 0 ? serverssl : clientssl;
5664 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
5665 || !TEST_true(SSL_do_handshake(peerupdate)))
5668 /* Swap the writing endpoint's write BIO to force a retry */
5669 tmp = SSL_get_wbio(peerwrite);
5670 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
5674 SSL_set0_wbio(peerwrite, bretry);
5677 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
5678 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
5679 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
5682 /* Reinstate the original writing endpoint's write BIO */
5683 SSL_set0_wbio(peerwrite, tmp);
5686 /* Now read some data - we will read the key update */
5687 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
5688 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
5692 * Complete the write we started previously and read it from the other
5695 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5696 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5699 /* Write more data to ensure we send the KeyUpdate message back */
5700 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5701 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5707 SSL_free(serverssl);
5708 SSL_free(clientssl);
5716 #endif /* OPENSSL_NO_TLS1_3 */
5718 static int test_ssl_clear(int idx)
5720 SSL_CTX *cctx = NULL, *sctx = NULL;
5721 SSL *clientssl = NULL, *serverssl = NULL;
5724 #ifdef OPENSSL_NO_TLS1_2
5729 /* Create an initial connection */
5730 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5731 TLS_client_method(), TLS1_VERSION, 0,
5732 &sctx, &cctx, cert, privkey))
5734 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
5736 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5737 &clientssl, NULL, NULL))
5738 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5742 SSL_shutdown(clientssl);
5743 SSL_shutdown(serverssl);
5744 SSL_free(serverssl);
5747 /* Clear clientssl - we're going to reuse the object */
5748 if (!TEST_true(SSL_clear(clientssl)))
5751 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5753 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5755 || !TEST_true(SSL_session_reused(clientssl)))
5758 SSL_shutdown(clientssl);
5759 SSL_shutdown(serverssl);
5764 SSL_free(serverssl);
5765 SSL_free(clientssl);
5772 /* Parse CH and retrieve any MFL extension value if present */
5773 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
5776 unsigned char *data;
5777 PACKET pkt, pkt2, pkt3;
5778 unsigned int MFL_code = 0, type = 0;
5780 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
5783 memset(&pkt, 0, sizeof(pkt));
5784 memset(&pkt2, 0, sizeof(pkt2));
5785 memset(&pkt3, 0, sizeof(pkt3));
5787 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
5788 /* Skip the record header */
5789 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
5790 /* Skip the handshake message header */
5791 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
5792 /* Skip client version and random */
5793 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
5794 + SSL3_RANDOM_SIZE))
5795 /* Skip session id */
5796 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5798 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
5799 /* Skip compression */
5800 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5801 /* Extensions len */
5802 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
5805 /* Loop through all extensions */
5806 while (PACKET_remaining(&pkt2)) {
5807 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
5808 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
5811 if (type == TLSEXT_TYPE_max_fragment_length) {
5812 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
5813 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
5816 *mfl_codemfl_code = MFL_code;
5825 /* Maximum-Fragment-Length TLS extension mode to test */
5826 static const unsigned char max_fragment_len_test[] = {
5827 TLSEXT_max_fragment_length_512,
5828 TLSEXT_max_fragment_length_1024,
5829 TLSEXT_max_fragment_length_2048,
5830 TLSEXT_max_fragment_length_4096
5833 static int test_max_fragment_len_ext(int idx_tst)
5837 int testresult = 0, MFL_mode = 0;
5840 ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method());
5844 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
5845 ctx, max_fragment_len_test[idx_tst])))
5852 rbio = BIO_new(BIO_s_mem());
5853 wbio = BIO_new(BIO_s_mem());
5854 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
5860 SSL_set_bio(con, rbio, wbio);
5861 SSL_set_connect_state(con);
5863 if (!TEST_int_le(SSL_connect(con), 0)) {
5864 /* This shouldn't succeed because we don't have a server! */
5868 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
5869 /* no MFL in client hello */
5871 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
5883 #ifndef OPENSSL_NO_TLS1_3
5884 static int test_pha_key_update(void)
5886 SSL_CTX *cctx = NULL, *sctx = NULL;
5887 SSL *clientssl = NULL, *serverssl = NULL;
5890 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5891 TLS_client_method(), TLS1_VERSION, 0,
5892 &sctx, &cctx, cert, privkey)))
5895 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
5896 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
5897 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
5898 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
5901 SSL_CTX_set_post_handshake_auth(cctx, 1);
5903 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5907 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5911 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
5912 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
5915 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
5918 /* Start handshake on the server */
5919 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
5922 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
5923 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5927 SSL_shutdown(clientssl);
5928 SSL_shutdown(serverssl);
5933 SSL_free(serverssl);
5934 SSL_free(clientssl);
5941 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5943 static SRP_VBASE *vbase = NULL;
5945 DEFINE_STACK_OF(SRP_user_pwd)
5947 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
5949 int ret = SSL3_AL_FATAL;
5951 SRP_user_pwd *user = NULL;
5953 username = SSL_get_srp_username(s);
5954 if (username == NULL) {
5955 *ad = SSL_AD_INTERNAL_ERROR;
5959 user = SRP_VBASE_get1_by_user(vbase, username);
5961 *ad = SSL_AD_INTERNAL_ERROR;
5965 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
5967 *ad = SSL_AD_INTERNAL_ERROR;
5974 SRP_user_pwd_free(user);
5978 static int create_new_vfile(char *userid, char *password, const char *filename)
5981 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
5984 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
5987 if (!TEST_ptr(dummy) || !TEST_ptr(row))
5990 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
5991 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
5992 if (!TEST_ptr(gNid))
5996 * The only way to create an empty TXT_DB is to provide a BIO with no data
5999 db = TXT_DB_read(dummy, DB_NUMBER);
6003 out = BIO_new_file(filename, "w");
6007 row[DB_srpid] = OPENSSL_strdup(userid);
6008 row[DB_srptype] = OPENSSL_strdup("V");
6009 row[DB_srpgN] = OPENSSL_strdup(gNid);
6011 if (!TEST_ptr(row[DB_srpid])
6012 || !TEST_ptr(row[DB_srptype])
6013 || !TEST_ptr(row[DB_srpgN])
6014 || !TEST_true(TXT_DB_insert(db, row)))
6019 if (!TXT_DB_write(out, db))
6025 for (i = 0; i < DB_NUMBER; i++)
6026 OPENSSL_free(row[i]);
6036 static int create_new_vbase(char *userid, char *password)
6038 BIGNUM *verifier = NULL, *salt = NULL;
6039 const SRP_gN *lgN = NULL;
6040 SRP_user_pwd *user_pwd = NULL;
6043 lgN = SRP_get_default_gN(NULL);
6047 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
6048 lgN->N, lgN->g, libctx, NULL)))
6051 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
6052 if (!TEST_ptr(user_pwd))
6055 user_pwd->N = lgN->N;
6056 user_pwd->g = lgN->g;
6057 user_pwd->id = OPENSSL_strdup(userid);
6058 if (!TEST_ptr(user_pwd->id))
6061 user_pwd->v = verifier;
6063 verifier = salt = NULL;
6065 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
6071 SRP_user_pwd_free(user_pwd);
6081 * Test 0: Simple successful SRP connection, new vbase
6082 * Test 1: Connection failure due to bad password, new vbase
6083 * Test 2: Simple successful SRP connection, vbase loaded from existing file
6084 * Test 3: Connection failure due to bad password, vbase loaded from existing
6086 * Test 4: Simple successful SRP connection, vbase loaded from new file
6087 * Test 5: Connection failure due to bad password, vbase loaded from new file
6089 static int test_srp(int tst)
6091 char *userid = "test", *password = "password", *tstsrpfile;
6092 SSL_CTX *cctx = NULL, *sctx = NULL;
6093 SSL *clientssl = NULL, *serverssl = NULL;
6094 int ret, testresult = 0;
6096 vbase = SRP_VBASE_new(NULL);
6097 if (!TEST_ptr(vbase))
6100 if (tst == 0 || tst == 1) {
6101 if (!TEST_true(create_new_vbase(userid, password)))
6104 if (tst == 4 || tst == 5) {
6105 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
6107 tstsrpfile = tmpfilename;
6109 tstsrpfile = srpvfile;
6111 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
6115 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6116 TLS_client_method(), TLS1_VERSION, 0,
6117 &sctx, &cctx, cert, privkey)))
6120 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
6121 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
6122 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
6123 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
6124 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
6128 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
6131 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
6135 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6139 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6141 if (!TEST_true(tst % 2 == 0))
6144 if (!TEST_true(tst % 2 == 1))
6151 SRP_VBASE_free(vbase);
6153 SSL_free(serverssl);
6154 SSL_free(clientssl);
6162 static int info_cb_failed = 0;
6163 static int info_cb_offset = 0;
6164 static int info_cb_this_state = -1;
6166 static struct info_cb_states_st {
6168 const char *statestr;
6169 } info_cb_states[][60] = {
6171 /* TLSv1.2 server followed by resumption */
6172 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6173 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6174 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
6175 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
6176 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
6177 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6178 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6179 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6180 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
6181 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6182 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
6183 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6184 {SSL_CB_EXIT, NULL}, {0, NULL},
6186 /* TLSv1.2 client followed by resumption */
6187 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6188 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6189 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
6190 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
6191 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
6192 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6193 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6194 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6195 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6196 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6197 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6198 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
6200 /* TLSv1.3 server followed by resumption */
6201 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6202 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6203 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
6204 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
6205 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
6206 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6207 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6208 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6209 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6210 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6211 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
6212 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6213 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
6215 /* TLSv1.3 client followed by resumption */
6216 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6217 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6218 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
6219 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
6220 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6221 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6222 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
6223 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
6224 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6225 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
6226 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6227 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6228 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6229 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
6230 {SSL_CB_EXIT, NULL}, {0, NULL},
6232 /* TLSv1.3 server, early_data */
6233 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6234 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6235 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6236 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6237 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6238 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
6239 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6240 {SSL_CB_EXIT, NULL}, {0, NULL},
6242 /* TLSv1.3 client, early_data */
6243 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6244 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
6245 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6246 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6247 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6248 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
6249 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6250 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6251 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
6257 static void sslapi_info_callback(const SSL *s, int where, int ret)
6259 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
6261 /* We do not ever expect a connection to fail in this test */
6262 if (!TEST_false(ret == 0)) {
6268 * Do some sanity checks. We never expect these things to happen in this
6271 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
6272 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
6273 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
6278 /* Now check we're in the right state */
6279 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
6283 if ((where & SSL_CB_LOOP) != 0
6284 && !TEST_int_eq(strcmp(SSL_state_string(s),
6285 state[info_cb_this_state].statestr), 0)) {
6291 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
6293 if ((where & SSL_CB_HANDSHAKE_DONE)
6294 && SSL_in_init((SSL *)s) != 0) {
6301 * Test the info callback gets called when we expect it to.
6303 * Test 0: TLSv1.2, server
6304 * Test 1: TLSv1.2, client
6305 * Test 2: TLSv1.3, server
6306 * Test 3: TLSv1.3, client
6307 * Test 4: TLSv1.3, server, early_data
6308 * Test 5: TLSv1.3, client, early_data
6310 static int test_info_callback(int tst)
6312 SSL_CTX *cctx = NULL, *sctx = NULL;
6313 SSL *clientssl = NULL, *serverssl = NULL;
6314 SSL_SESSION *clntsess = NULL;
6319 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
6320 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
6321 || !defined(OPENSSL_NO_DH))
6322 tlsvers = TLS1_2_VERSION;
6327 #ifndef OPENSSL_NO_TLS1_3
6328 tlsvers = TLS1_3_VERSION;
6336 info_cb_this_state = -1;
6337 info_cb_offset = tst;
6339 #ifndef OPENSSL_NO_TLS1_3
6341 SSL_SESSION *sess = NULL;
6342 size_t written, readbytes;
6343 unsigned char buf[80];
6345 /* early_data tests */
6346 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
6347 &serverssl, &sess, 0)))
6350 /* We don't actually need this reference */
6351 SSL_SESSION_free(sess);
6353 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
6354 sslapi_info_callback);
6356 /* Write and read some early data and then complete the connection */
6357 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
6359 || !TEST_size_t_eq(written, strlen(MSG1))
6360 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
6361 sizeof(buf), &readbytes),
6362 SSL_READ_EARLY_DATA_SUCCESS)
6363 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
6364 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6365 SSL_EARLY_DATA_ACCEPTED)
6366 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6368 || !TEST_false(info_cb_failed))
6376 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6377 TLS_client_method(),
6378 tlsvers, tlsvers, &sctx, &cctx, cert,
6383 * For even numbered tests we check the server callbacks. For odd numbers we
6386 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
6387 sslapi_info_callback);
6389 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6390 &clientssl, NULL, NULL))
6391 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6393 || !TEST_false(info_cb_failed))
6398 clntsess = SSL_get1_session(clientssl);
6399 SSL_shutdown(clientssl);
6400 SSL_shutdown(serverssl);
6401 SSL_free(serverssl);
6402 SSL_free(clientssl);
6403 serverssl = clientssl = NULL;
6405 /* Now do a resumption */
6406 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6408 || !TEST_true(SSL_set_session(clientssl, clntsess))
6409 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6411 || !TEST_true(SSL_session_reused(clientssl))
6412 || !TEST_false(info_cb_failed))
6418 SSL_free(serverssl);
6419 SSL_free(clientssl);
6420 SSL_SESSION_free(clntsess);
6426 static int test_ssl_pending(int tst)
6428 SSL_CTX *cctx = NULL, *sctx = NULL;
6429 SSL *clientssl = NULL, *serverssl = NULL;
6431 char msg[] = "A test message";
6433 size_t written, readbytes;
6436 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6437 TLS_client_method(),
6439 &sctx, &cctx, cert, privkey)))
6442 #ifndef OPENSSL_NO_DTLS
6443 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
6444 DTLS_client_method(),
6446 &sctx, &cctx, cert, privkey)))
6453 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6455 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6459 if (!TEST_int_eq(SSL_pending(clientssl), 0)
6460 || !TEST_false(SSL_has_pending(clientssl))
6461 || !TEST_int_eq(SSL_pending(serverssl), 0)
6462 || !TEST_false(SSL_has_pending(serverssl))
6463 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6464 || !TEST_size_t_eq(written, sizeof(msg))
6465 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
6466 || !TEST_size_t_eq(readbytes, sizeof(buf))
6467 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
6468 || !TEST_true(SSL_has_pending(clientssl)))
6474 SSL_free(serverssl);
6475 SSL_free(clientssl);
6483 unsigned int maxprot;
6484 const char *clntciphers;
6485 const char *clnttls13ciphers;
6486 const char *srvrciphers;
6487 const char *srvrtls13ciphers;
6489 const char *fipsshared;
6490 } shared_ciphers_data[] = {
6492 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
6493 * TLSv1.3 is enabled but TLSv1.2 is disabled.
6495 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
6498 "AES128-SHA:AES256-SHA",
6500 "AES256-SHA:DHE-RSA-AES128-SHA",
6505 # if !defined(OPENSSL_NO_CHACHA) \
6506 && !defined(OPENSSL_NO_POLY1305) \
6507 && !defined(OPENSSL_NO_EC)
6510 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6512 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6514 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6520 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
6522 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
6524 "AES128-SHA:AES256-SHA",
6525 "AES128-SHA:AES256-SHA"
6529 "AES128-SHA:AES256-SHA",
6531 "AES128-SHA:DHE-RSA-AES128-SHA",
6538 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
6541 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
6542 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
6545 "AES128-SHA:AES256-SHA",
6547 "AES256-SHA:AES128-SHA256",
6549 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
6550 "TLS_AES_128_GCM_SHA256:AES256-SHA",
6551 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
6554 #ifndef OPENSSL_NO_TLS1_3
6558 "TLS_AES_256_GCM_SHA384",
6560 "TLS_AES_256_GCM_SHA384",
6561 "TLS_AES_256_GCM_SHA384",
6562 "TLS_AES_256_GCM_SHA384"
6567 static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
6569 SSL_CTX *cctx = NULL, *sctx = NULL;
6570 SSL *clientssl = NULL, *serverssl = NULL;
6573 OPENSSL_CTX *tmplibctx = OPENSSL_CTX_new();
6575 if (!TEST_ptr(tmplibctx))
6579 * Regardless of whether we're testing with the FIPS provider loaded into
6580 * libctx, we want one peer to always use the full set of ciphersuites
6581 * available. Therefore we use a separate libctx with the default provider
6582 * loaded into it. We run the same tests twice - once with the client side
6583 * having the full set of ciphersuites and once with the server side.
6586 cctx = SSL_CTX_new_with_libctx(tmplibctx, NULL, TLS_client_method());
6587 if (!TEST_ptr(cctx))
6590 sctx = SSL_CTX_new_with_libctx(tmplibctx, NULL, TLS_server_method());
6591 if (!TEST_ptr(sctx))
6595 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6596 TLS_client_method(),
6598 shared_ciphers_data[tst].maxprot,
6599 &sctx, &cctx, cert, privkey)))
6602 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
6603 shared_ciphers_data[tst].clntciphers))
6604 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
6605 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
6606 shared_ciphers_data[tst].clnttls13ciphers)))
6607 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
6608 shared_ciphers_data[tst].srvrciphers))
6609 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
6610 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
6611 shared_ciphers_data[tst].srvrtls13ciphers))))
6615 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6617 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6621 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
6622 || !TEST_int_eq(strcmp(buf,
6624 ? shared_ciphers_data[tst].fipsshared
6625 : shared_ciphers_data[tst].shared),
6627 TEST_info("Shared ciphers are: %s\n", buf);
6634 SSL_free(serverssl);
6635 SSL_free(clientssl);
6638 OPENSSL_CTX_free(tmplibctx);
6643 static int test_ssl_get_shared_ciphers(int tst)
6645 return int_test_ssl_get_shared_ciphers(tst, 0)
6646 && int_test_ssl_get_shared_ciphers(tst, 1);
6650 static const char *appdata = "Hello World";
6651 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
6652 static int tick_key_renew = 0;
6653 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6655 static int gen_tick_cb(SSL *s, void *arg)
6657 gen_tick_called = 1;
6659 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
6663 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
6664 const unsigned char *keyname,
6665 size_t keyname_length,
6666 SSL_TICKET_STATUS status,
6672 dec_tick_called = 1;
6674 if (status == SSL_TICKET_EMPTY)
6675 return SSL_TICKET_RETURN_IGNORE_RENEW;
6677 if (!TEST_true(status == SSL_TICKET_SUCCESS
6678 || status == SSL_TICKET_SUCCESS_RENEW))
6679 return SSL_TICKET_RETURN_ABORT;
6681 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
6683 || !TEST_size_t_eq(tickdlen, strlen(appdata))
6684 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
6685 return SSL_TICKET_RETURN_ABORT;
6687 if (tick_key_cb_called) {
6688 /* Don't change what the ticket key callback wanted to do */
6690 case SSL_TICKET_NO_DECRYPT:
6691 return SSL_TICKET_RETURN_IGNORE_RENEW;
6693 case SSL_TICKET_SUCCESS:
6694 return SSL_TICKET_RETURN_USE;
6696 case SSL_TICKET_SUCCESS_RENEW:
6697 return SSL_TICKET_RETURN_USE_RENEW;
6700 return SSL_TICKET_RETURN_ABORT;
6703 return tick_dec_ret;
6707 #ifndef OPENSSL_NO_DEPRECATED_3_0
6708 static int tick_key_cb(SSL *s, unsigned char key_name[16],
6709 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
6710 HMAC_CTX *hctx, int enc)
6712 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6713 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
6714 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6715 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
6718 tick_key_cb_called = 1;
6719 memset(iv, 0, AES_BLOCK_SIZE);
6720 memset(key_name, 0, 16);
6721 if (aes128cbc == NULL
6723 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
6724 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
6728 ret = tick_key_renew ? 2 : 1;
6730 EVP_CIPHER_free(aes128cbc);
6731 EVP_MD_free(sha256);
6737 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
6738 unsigned char iv[EVP_MAX_IV_LENGTH],
6739 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
6741 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6742 unsigned char tick_hmac_key[16] = "0123456789abcdef";
6743 OSSL_PARAM params[3];
6744 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6747 tick_key_cb_called = 1;
6748 memset(iv, 0, AES_BLOCK_SIZE);
6749 memset(key_name, 0, 16);
6750 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
6752 params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
6754 sizeof(tick_hmac_key));
6755 params[2] = OSSL_PARAM_construct_end();
6756 if (aes128cbc == NULL
6757 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
6758 || !EVP_MAC_CTX_set_params(hctx, params)
6759 || !EVP_MAC_init(hctx))
6762 ret = tick_key_renew ? 2 : 1;
6764 EVP_CIPHER_free(aes128cbc);
6770 * Test the various ticket callbacks
6771 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
6772 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
6773 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
6774 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
6775 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
6776 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
6777 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
6778 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
6779 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
6780 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
6781 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
6782 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
6783 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
6784 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
6785 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
6786 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
6788 static int test_ticket_callbacks(int tst)
6790 SSL_CTX *cctx = NULL, *sctx = NULL;
6791 SSL *clientssl = NULL, *serverssl = NULL;
6792 SSL_SESSION *clntsess = NULL;
6795 #ifdef OPENSSL_NO_TLS1_2
6799 #ifdef OPENSSL_NO_TLS1_3
6803 #ifdef OPENSSL_NO_DEPRECATED_3_0
6804 if (tst >= 8 && tst <= 11)
6808 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
6810 /* Which tests the ticket key callback should request renewal for */
6811 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
6816 /* Which tests the decrypt ticket callback should request renewal for */
6820 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
6825 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
6830 tick_dec_ret = SSL_TICKET_RETURN_USE;
6835 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
6839 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6842 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6843 TLS_client_method(),
6845 ((tst % 2) == 0) ? TLS1_2_VERSION
6847 &sctx, &cctx, cert, privkey)))
6851 * We only want sessions to resume from tickets - not the session cache. So
6852 * switch the cache off.
6854 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
6857 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
6862 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
6864 #ifndef OPENSSL_NO_DEPRECATED_3_0
6865 } else if (tst >= 8) {
6866 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
6871 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6873 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6878 * The decrypt ticket key callback in TLSv1.2 should be called even though
6879 * we have no ticket yet, because it gets called with a status of
6880 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
6881 * actually send any ticket data). This does not happen in TLSv1.3 because
6882 * it is not valid to send empty ticket data in TLSv1.3.
6884 if (!TEST_int_eq(gen_tick_called, 1)
6885 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
6888 gen_tick_called = dec_tick_called = 0;
6890 clntsess = SSL_get1_session(clientssl);
6891 SSL_shutdown(clientssl);
6892 SSL_shutdown(serverssl);
6893 SSL_free(serverssl);
6894 SSL_free(clientssl);
6895 serverssl = clientssl = NULL;
6897 /* Now do a resumption */
6898 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6900 || !TEST_true(SSL_set_session(clientssl, clntsess))
6901 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6905 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
6906 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
6907 if (!TEST_false(SSL_session_reused(clientssl)))
6910 if (!TEST_true(SSL_session_reused(clientssl)))
6914 if (!TEST_int_eq(gen_tick_called,
6916 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
6917 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
6919 || !TEST_int_eq(dec_tick_called, 1))
6925 SSL_SESSION_free(clntsess);
6926 SSL_free(serverssl);
6927 SSL_free(clientssl);
6935 * Test incorrect shutdown.
6936 * Test 0: client does not shutdown properly,
6937 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
6938 * server should get SSL_ERROR_SSL
6939 * Test 1: client does not shutdown properly,
6940 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
6941 * server should get SSL_ERROR_ZERO_RETURN
6943 static int test_incorrect_shutdown(int tst)
6945 SSL_CTX *cctx = NULL, *sctx = NULL;
6946 SSL *clientssl = NULL, *serverssl = NULL;
6951 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6952 TLS_client_method(), 0, 0,
6953 &sctx, &cctx, cert, privkey)))
6957 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
6959 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6963 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6967 c2s = SSL_get_rbio(serverssl);
6968 BIO_set_mem_eof_return(c2s, 0);
6970 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
6973 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
6975 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
6981 SSL_free(serverssl);
6982 SSL_free(clientssl);
6990 * Test bi-directional shutdown.
6992 * Test 1: TLSv1.2, server continues to read/write after client shutdown
6993 * Test 2: TLSv1.3, no pending NewSessionTicket messages
6994 * Test 3: TLSv1.3, pending NewSessionTicket messages
6995 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
6996 * sends key update, client reads it
6997 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
6998 * sends CertificateRequest, client reads and ignores it
6999 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
7002 static int test_shutdown(int tst)
7004 SSL_CTX *cctx = NULL, *sctx = NULL;
7005 SSL *clientssl = NULL, *serverssl = NULL;
7007 char msg[] = "A test message";
7009 size_t written, readbytes;
7012 #ifdef OPENSSL_NO_TLS1_2
7016 #ifdef OPENSSL_NO_TLS1_3
7021 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7022 TLS_client_method(),
7024 (tst <= 1) ? TLS1_2_VERSION
7026 &sctx, &cctx, cert, privkey)))
7030 SSL_CTX_set_post_handshake_auth(cctx, 1);
7032 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7037 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
7039 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7040 || !TEST_false(SSL_SESSION_is_resumable(sess)))
7042 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7044 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7045 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
7049 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
7054 * Reading on the server after the client has sent close_notify should
7055 * fail and provide SSL_ERROR_ZERO_RETURN
7057 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
7058 || !TEST_int_eq(SSL_get_error(serverssl, 0),
7059 SSL_ERROR_ZERO_RETURN)
7060 || !TEST_int_eq(SSL_get_shutdown(serverssl),
7061 SSL_RECEIVED_SHUTDOWN)
7063 * Even though we're shutdown on receive we should still be
7066 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7069 && !TEST_true(SSL_key_update(serverssl,
7070 SSL_KEY_UPDATE_REQUESTED)))
7073 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7074 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7077 if ((tst == 4 || tst == 5)
7078 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7080 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
7082 if (tst == 4 || tst == 5) {
7083 /* Should still be able to read data from server */
7084 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7086 || !TEST_size_t_eq(readbytes, sizeof(msg))
7087 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
7088 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7090 || !TEST_size_t_eq(readbytes, sizeof(msg))
7091 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
7096 /* Writing on the client after sending close_notify shouldn't be possible */
7097 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
7102 * For these tests the client has sent close_notify but it has not yet
7103 * been received by the server. The server has not sent close_notify
7106 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
7108 * Writing on the server after sending close_notify shouldn't
7111 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7112 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
7113 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7114 || !TEST_true(SSL_SESSION_is_resumable(sess))
7115 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
7117 } else if (tst == 4 || tst == 5) {
7119 * In this test the client has sent close_notify and it has been
7120 * received by the server which has responded with a close_notify. The
7121 * client needs to read the close_notify sent by the server.
7123 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
7124 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7125 || !TEST_true(SSL_SESSION_is_resumable(sess)))
7131 * The client has sent close_notify and is expecting a close_notify
7132 * back, but instead there is application data first. The shutdown
7133 * should fail with a fatal error.
7135 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
7136 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
7143 SSL_free(serverssl);
7144 SSL_free(clientssl);
7151 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
7152 static int cert_cb_cnt;
7154 static int cert_cb(SSL *s, void *arg)
7156 SSL_CTX *ctx = (SSL_CTX *)arg;
7158 EVP_PKEY *pkey = NULL;
7159 X509 *x509 = NULL, *rootx = NULL;
7160 STACK_OF(X509) *chain = NULL;
7161 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
7164 if (cert_cb_cnt == 0) {
7165 /* Suspend the handshake */
7168 } else if (cert_cb_cnt == 1) {
7170 * Update the SSL_CTX, set the certificate and private key and then
7171 * continue the handshake normally.
7173 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
7176 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
7177 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
7179 || !TEST_true(SSL_check_private_key(s)))
7183 } else if (cert_cb_cnt == 3) {
7186 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
7187 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
7188 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
7189 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
7191 chain = sk_X509_new_null();
7192 if (!TEST_ptr(chain))
7194 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7195 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
7196 || !TEST_ptr(rootx = X509_new_with_libctx(libctx, NULL))
7197 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
7198 || !TEST_true(sk_X509_push(chain, rootx)))
7202 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7203 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
7204 || !TEST_ptr(x509 = X509_new_with_libctx(libctx, NULL))
7205 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
7208 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7209 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
7210 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
7214 rv = SSL_check_chain(s, x509, pkey, chain);
7216 * If the cert doesn't show as valid here (e.g., because we don't
7217 * have any shared sigalgs), then we will not set it, and there will
7218 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
7219 * will cause tls_choose_sigalgs() to fail the connection.
7221 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
7222 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
7223 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
7230 /* Abort the handshake */
7232 OPENSSL_free(ecdsacert);
7233 OPENSSL_free(ecdsakey);
7234 OPENSSL_free(rootfile);
7236 EVP_PKEY_free(pkey);
7239 sk_X509_pop_free(chain, X509_free);
7244 * Test the certificate callback.
7245 * Test 0: Callback fails
7246 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
7247 * Test 2: Success - SSL_set_SSL_CTX() in the callback
7248 * Test 3: Success - Call SSL_check_chain from the callback
7249 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
7251 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
7253 static int test_cert_cb_int(int prot, int tst)
7255 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
7256 SSL *clientssl = NULL, *serverssl = NULL;
7257 int testresult = 0, ret;
7259 #ifdef OPENSSL_NO_EC
7260 /* We use an EC cert in these tests, so we skip in a no-ec build */
7265 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7266 TLS_client_method(),
7269 &sctx, &cctx, NULL, NULL)))
7280 snictx = SSL_CTX_new(TLS_server_method());
7281 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
7283 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7289 * We cause SSL_check_chain() to fail by specifying sig_algs that
7290 * the chain doesn't meet (the root uses an RSA cert)
7292 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7293 "ecdsa_secp256r1_sha256")))
7295 } else if (tst == 5) {
7297 * We cause SSL_check_chain() to fail by specifying sig_algs that
7298 * the ee cert doesn't meet (the ee uses an ECDSA cert)
7300 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7301 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
7305 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7306 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
7308 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
7315 SSL_free(serverssl);
7316 SSL_free(clientssl);
7319 SSL_CTX_free(snictx);
7325 static int test_cert_cb(int tst)
7329 #ifndef OPENSSL_NO_TLS1_2
7330 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
7332 #ifndef OPENSSL_NO_TLS1_3
7333 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
7339 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
7344 BIO *priv_in = NULL;
7346 /* Check that SSL_get0_peer_certificate() returns something sensible */
7347 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
7350 in = BIO_new_file(cert, "r");
7354 if (!TEST_ptr(xcert = X509_new_with_libctx(libctx, NULL))
7355 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
7356 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
7357 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
7375 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
7380 static int test_client_cert_cb(int tst)
7382 SSL_CTX *cctx = NULL, *sctx = NULL;
7383 SSL *clientssl = NULL, *serverssl = NULL;
7386 #ifdef OPENSSL_NO_TLS1_2
7390 #ifdef OPENSSL_NO_TLS1_3
7395 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7396 TLS_client_method(),
7398 tst == 0 ? TLS1_2_VERSION
7400 &sctx, &cctx, cert, privkey)))
7404 * Test that setting a client_cert_cb results in a client certificate being
7407 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
7408 SSL_CTX_set_verify(sctx,
7409 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
7412 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7414 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7421 SSL_free(serverssl);
7422 SSL_free(clientssl);
7429 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
7431 * Test setting certificate authorities on both client and server.
7433 * Test 0: SSL_CTX_set0_CA_list() only
7434 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
7435 * Test 2: Only SSL_CTX_set_client_CA_list()
7437 static int test_ca_names_int(int prot, int tst)
7439 SSL_CTX *cctx = NULL, *sctx = NULL;
7440 SSL *clientssl = NULL, *serverssl = NULL;
7443 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
7444 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
7445 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
7446 const STACK_OF(X509_NAME) *sktmp = NULL;
7448 for (i = 0; i < OSSL_NELEM(name); i++) {
7449 name[i] = X509_NAME_new();
7450 if (!TEST_ptr(name[i])
7451 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
7459 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7460 TLS_client_method(),
7463 &sctx, &cctx, cert, privkey)))
7466 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
7468 if (tst == 0 || tst == 1) {
7469 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7470 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
7471 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
7472 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7473 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
7474 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
7477 SSL_CTX_set0_CA_list(sctx, sk1);
7478 SSL_CTX_set0_CA_list(cctx, sk2);
7481 if (tst == 1 || tst == 2) {
7482 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7483 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
7484 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
7485 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7486 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
7487 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
7490 SSL_CTX_set_client_CA_list(sctx, sk1);
7491 SSL_CTX_set_client_CA_list(cctx, sk2);
7495 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7497 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7502 * We only expect certificate authorities to have been sent to the server
7503 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
7505 sktmp = SSL_get0_peer_CA_list(serverssl);
7506 if (prot == TLS1_3_VERSION
7507 && (tst == 0 || tst == 1)) {
7508 if (!TEST_ptr(sktmp)
7509 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7510 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7512 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7515 } else if (!TEST_ptr_null(sktmp)) {
7520 * In all tests we expect certificate authorities to have been sent to the
7521 * client. However, SSL_set_client_CA_list() should override
7522 * SSL_set0_CA_list()
7524 sktmp = SSL_get0_peer_CA_list(clientssl);
7525 if (!TEST_ptr(sktmp)
7526 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7527 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7528 name[tst == 0 ? 0 : 2]), 0)
7529 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7530 name[tst == 0 ? 1 : 3]), 0))
7536 SSL_free(serverssl);
7537 SSL_free(clientssl);
7540 for (i = 0; i < OSSL_NELEM(name); i++)
7541 X509_NAME_free(name[i]);
7542 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
7543 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
7549 static int test_ca_names(int tst)
7553 #ifndef OPENSSL_NO_TLS1_2
7554 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
7556 #ifndef OPENSSL_NO_TLS1_3
7557 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
7563 #ifndef OPENSSL_NO_TLS1_2
7564 static const char *multiblock_cipherlist_data[]=
7572 /* Reduce the fragment size - so the multiblock test buffer can be small */
7573 # define MULTIBLOCK_FRAGSIZE 512
7575 static int test_multiblock_write(int test_index)
7577 static const char *fetchable_ciphers[]=
7579 "AES-128-CBC-HMAC-SHA1",
7580 "AES-128-CBC-HMAC-SHA256",
7581 "AES-256-CBC-HMAC-SHA1",
7582 "AES-256-CBC-HMAC-SHA256"
7584 const char *cipherlist = multiblock_cipherlist_data[test_index];
7585 const SSL_METHOD *smeth = TLS_server_method();
7586 const SSL_METHOD *cmeth = TLS_client_method();
7587 int min_version = TLS1_VERSION;
7588 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
7589 SSL_CTX *cctx = NULL, *sctx = NULL;
7590 SSL *clientssl = NULL, *serverssl = NULL;
7594 * Choose a buffer large enough to perform a multi-block operation
7595 * i.e: write_len >= 4 * frag_size
7596 * 9 * is chosen so that multiple multiblocks are used + some leftover.
7598 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
7599 unsigned char buf[sizeof(msg)], *p = buf;
7600 size_t readbytes, written, len;
7601 EVP_CIPHER *ciph = NULL;
7604 * Check if the cipher exists before attempting to use it since it only has
7605 * a hardware specific implementation.
7607 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
7609 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
7612 EVP_CIPHER_free(ciph);
7614 /* Set up a buffer with some data that will be sent to the client */
7615 RAND_bytes(msg, sizeof(msg));
7617 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
7618 max_version, &sctx, &cctx, cert,
7622 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
7625 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7629 /* settings to force it to use AES-CBC-HMAC_SHA */
7630 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
7631 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
7634 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7637 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7638 || !TEST_size_t_eq(written, sizeof(msg)))
7643 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
7648 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
7653 SSL_free(serverssl);
7654 SSL_free(clientssl);
7660 #endif /* OPENSSL_NO_TLS1_2 */
7663 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
7664 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
7665 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
7666 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
7667 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
7668 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
7669 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
7670 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
7671 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
7672 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
7674 static int test_servername(int tst)
7676 SSL_CTX *cctx = NULL, *sctx = NULL;
7677 SSL *clientssl = NULL, *serverssl = NULL;
7679 SSL_SESSION *sess = NULL;
7680 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
7682 #ifdef OPENSSL_NO_TLS1_2
7686 #ifdef OPENSSL_NO_TLS1_3
7691 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7692 TLS_client_method(),
7694 (tst <= 4) ? TLS1_2_VERSION
7696 &sctx, &cctx, cert, privkey))
7697 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7701 if (tst != 1 && tst != 6) {
7702 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
7707 if (tst != 3 && tst != 8) {
7708 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7710 sexpectedhost = cexpectedhost = "goodhost";
7713 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7716 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
7718 || !TEST_str_eq(SSL_get_servername(serverssl,
7719 TLSEXT_NAMETYPE_host_name),
7723 /* Now repeat with a resumption handshake */
7725 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
7726 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
7727 || !TEST_true(SSL_SESSION_is_resumable(sess))
7728 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
7731 SSL_free(clientssl);
7732 SSL_free(serverssl);
7733 clientssl = serverssl = NULL;
7735 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7739 if (!TEST_true(SSL_set_session(clientssl, sess)))
7742 sexpectedhost = cexpectedhost = "goodhost";
7743 if (tst == 2 || tst == 7) {
7744 /* Set an inconsistent hostname */
7745 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
7748 * In TLSv1.2 we expect the hostname from the original handshake, in
7749 * TLSv1.3 we expect the hostname from this handshake
7752 sexpectedhost = cexpectedhost = "altgoodhost";
7754 if (!TEST_str_eq(SSL_get_servername(clientssl,
7755 TLSEXT_NAMETYPE_host_name),
7758 } else if (tst == 4 || tst == 9) {
7760 * A TLSv1.3 session does not associate a session with a servername,
7761 * but a TLSv1.2 session does.
7764 sexpectedhost = cexpectedhost = NULL;
7766 if (!TEST_str_eq(SSL_get_servername(clientssl,
7767 TLSEXT_NAMETYPE_host_name),
7771 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7774 * In a TLSv1.2 resumption where the hostname was not acknowledged
7775 * we expect the hostname on the server to be empty. On the client we
7776 * return what was requested in this case.
7778 * Similarly if the client didn't set a hostname on an original TLSv1.2
7779 * session but is now, the server hostname will be empty, but the client
7782 if (tst == 1 || tst == 3)
7783 sexpectedhost = NULL;
7785 if (!TEST_str_eq(SSL_get_servername(clientssl,
7786 TLSEXT_NAMETYPE_host_name),
7791 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7794 if (!TEST_true(SSL_session_reused(clientssl))
7795 || !TEST_true(SSL_session_reused(serverssl))
7796 || !TEST_str_eq(SSL_get_servername(clientssl,
7797 TLSEXT_NAMETYPE_host_name),
7799 || !TEST_str_eq(SSL_get_servername(serverssl,
7800 TLSEXT_NAMETYPE_host_name),
7807 SSL_SESSION_free(sess);
7808 SSL_free(serverssl);
7809 SSL_free(clientssl);
7816 #ifndef OPENSSL_NO_EC
7818 * Test that if signature algorithms are not available, then we do not offer or
7820 * Test 0: Two RSA sig algs available: both RSA sig algs shared
7821 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
7822 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
7823 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
7824 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
7825 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
7827 static int test_sigalgs_available(int idx)
7829 SSL_CTX *cctx = NULL, *sctx = NULL;
7830 SSL *clientssl = NULL, *serverssl = NULL;
7832 OPENSSL_CTX *tmpctx = OPENSSL_CTX_new();
7833 OPENSSL_CTX *clientctx = libctx, *serverctx = libctx;
7834 OSSL_PROVIDER *filterprov = NULL;
7837 if (!TEST_ptr(tmpctx))
7840 if (idx != 0 && idx != 3) {
7841 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
7842 filter_provider_init)))
7845 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
7846 if (!TEST_ptr(filterprov))
7851 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
7852 * or accepted for the peer that uses this libctx. Note that libssl
7853 * *requires* SHA2-256 to be available so we cannot disable that. We
7854 * also need SHA1 for our certificate.
7856 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
7860 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
7862 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
7867 if (idx == 1 || idx == 4)
7873 cctx = SSL_CTX_new_with_libctx(clientctx, NULL, TLS_client_method());
7874 sctx = SSL_CTX_new_with_libctx(serverctx, NULL, TLS_server_method());
7875 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
7878 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7879 TLS_client_method(),
7882 &sctx, &cctx, cert, privkey)))
7886 if (!SSL_CTX_set1_sigalgs_list(cctx,
7887 "rsa_pss_rsae_sha384"
7888 ":rsa_pss_rsae_sha256")
7889 || !SSL_CTX_set1_sigalgs_list(sctx,
7890 "rsa_pss_rsae_sha384"
7891 ":rsa_pss_rsae_sha256"))
7894 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
7895 || !SSL_CTX_set1_sigalgs_list(sctx,
7896 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
7900 if (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
7901 SSL_FILETYPE_PEM), 1)
7902 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
7904 SSL_FILETYPE_PEM), 1)
7905 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
7908 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7912 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7915 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
7916 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
7918 (idx == 0 || idx == 3) ? 2 : 1))
7921 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
7924 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
7931 SSL_free(serverssl);
7932 SSL_free(clientssl);
7935 OSSL_PROVIDER_unload(filterprov);
7936 OPENSSL_CTX_free(tmpctx);
7940 #endif /* OPENSSL_NO_EC */
7942 #ifndef OPENSSL_NO_TLS1_3
7943 static int test_pluggable_group(void)
7945 SSL_CTX *cctx = NULL, *sctx = NULL;
7946 SSL *clientssl = NULL, *serverssl = NULL;
7948 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
7949 /* Check that we are not impacted by a provider without any groups */
7950 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
7952 if (!TEST_ptr(tlsprov) || !TEST_ptr(legacyprov))
7955 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7956 TLS_client_method(),
7959 &sctx, &cctx, cert, privkey))
7960 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7964 if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup"))
7965 || !TEST_true(SSL_set1_groups_list(clientssl, "xorgroup")))
7968 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7974 SSL_free(serverssl);
7975 SSL_free(clientssl);
7978 OSSL_PROVIDER_unload(tlsprov);
7979 OSSL_PROVIDER_unload(legacyprov);
7985 #ifndef OPENSSL_NO_TLS1_2
7986 static int test_ssl_dup(void)
7988 SSL_CTX *cctx = NULL, *sctx = NULL;
7989 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
7991 BIO *rbio = NULL, *wbio = NULL;
7993 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7994 TLS_client_method(),
7997 &sctx, &cctx, cert, privkey)))
8000 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8004 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
8005 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
8008 client2ssl = SSL_dup(clientssl);
8009 rbio = SSL_get_rbio(clientssl);
8011 || !TEST_true(BIO_up_ref(rbio)))
8013 SSL_set0_rbio(client2ssl, rbio);
8016 wbio = SSL_get_wbio(clientssl);
8017 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
8019 SSL_set0_wbio(client2ssl, wbio);
8022 if (!TEST_ptr(client2ssl)
8023 /* Handshake not started so pointers should be different */
8024 || !TEST_ptr_ne(clientssl, client2ssl))
8027 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
8028 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
8031 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
8034 SSL_free(clientssl);
8035 clientssl = SSL_dup(client2ssl);
8036 if (!TEST_ptr(clientssl)
8037 /* Handshake has finished so pointers should be the same */
8038 || !TEST_ptr_eq(clientssl, client2ssl))
8044 SSL_free(serverssl);
8045 SSL_free(clientssl);
8046 SSL_free(client2ssl);
8054 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
8056 int setup_tests(void)
8061 libctx = OPENSSL_CTX_new();
8062 if (!TEST_ptr(libctx))
8065 defctxnull = OSSL_PROVIDER_load(NULL, "null");
8068 * Verify that the default and fips providers in the default libctx are not
8071 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
8072 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
8075 if (!test_skip_common_options()) {
8076 TEST_error("Error parsing test options\n");
8080 if (!TEST_ptr(certsdir = test_get_argument(0))
8081 || !TEST_ptr(srpvfile = test_get_argument(1))
8082 || !TEST_ptr(tmpfilename = test_get_argument(2))
8083 || !TEST_ptr(modulename = test_get_argument(3))
8084 || !TEST_ptr(configfile = test_get_argument(4)))
8087 if (!TEST_true(OPENSSL_CTX_load_config(libctx, configfile)))
8090 /* Check we have the expected provider available */
8091 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
8094 /* Check the default provider is not available */
8095 if (strcmp(modulename, "default") != 0
8096 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
8099 if (strcmp(modulename, "fips") == 0)
8103 * We add, but don't load the test "tls-provider". We'll load it when we
8106 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
8107 tls_provider_init)))
8111 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
8112 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
8113 TEST_error("not supported in this build");
8116 int i, mcount, rcount, fcount;
8118 for (i = 0; i < 4; i++)
8119 test_export_key_mat(i);
8120 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
8121 test_printf_stdout("malloc %d realloc %d free %d\n",
8122 mcount, rcount, fcount);
8127 cert = test_mk_file_path(certsdir, "servercert.pem");
8131 privkey = test_mk_file_path(certsdir, "serverkey.pem");
8132 if (privkey == NULL)
8135 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8139 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8140 if (privkey2 == NULL)
8143 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
8144 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
8145 ADD_ALL_TESTS(test_ktls, 32);
8146 ADD_ALL_TESTS(test_ktls_sendfile_anytls, 6);
8149 ADD_TEST(test_large_message_tls);
8150 ADD_TEST(test_large_message_tls_read_ahead);
8151 #ifndef OPENSSL_NO_DTLS
8152 ADD_TEST(test_large_message_dtls);
8154 ADD_TEST(test_cleanse_plaintext);
8155 #ifndef OPENSSL_NO_OCSP
8156 ADD_TEST(test_tlsext_status_type);
8158 ADD_TEST(test_session_with_only_int_cache);
8159 ADD_TEST(test_session_with_only_ext_cache);
8160 ADD_TEST(test_session_with_both_cache);
8161 ADD_TEST(test_session_wo_ca_names);
8162 #ifndef OPENSSL_NO_TLS1_3
8163 ADD_ALL_TESTS(test_stateful_tickets, 3);
8164 ADD_ALL_TESTS(test_stateless_tickets, 3);
8165 ADD_TEST(test_psk_tickets);
8166 ADD_ALL_TESTS(test_extra_tickets, 6);
8168 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
8169 ADD_TEST(test_ssl_bio_pop_next_bio);
8170 ADD_TEST(test_ssl_bio_pop_ssl_bio);
8171 ADD_TEST(test_ssl_bio_change_rbio);
8172 ADD_TEST(test_ssl_bio_change_wbio);
8173 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
8174 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
8175 ADD_TEST(test_keylog);
8177 #ifndef OPENSSL_NO_TLS1_3
8178 ADD_TEST(test_keylog_no_master_key);
8180 #ifndef OPENSSL_NO_TLS1_2
8181 ADD_TEST(test_client_hello_cb);
8182 ADD_TEST(test_no_ems);
8183 ADD_TEST(test_ccs_change_cipher);
8185 #ifndef OPENSSL_NO_TLS1_3
8186 ADD_ALL_TESTS(test_early_data_read_write, 3);
8188 * We don't do replay tests for external PSK. Replay protection isn't used
8191 ADD_ALL_TESTS(test_early_data_replay, 2);
8192 ADD_ALL_TESTS(test_early_data_skip, 3);
8193 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
8194 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
8195 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
8196 ADD_ALL_TESTS(test_early_data_not_sent, 3);
8197 ADD_ALL_TESTS(test_early_data_psk, 8);
8198 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
8199 ADD_ALL_TESTS(test_early_data_not_expected, 3);
8200 # ifndef OPENSSL_NO_TLS1_2
8201 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
8204 #ifndef OPENSSL_NO_TLS1_3
8205 ADD_ALL_TESTS(test_set_ciphersuite, 10);
8206 ADD_TEST(test_ciphersuite_change);
8207 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
8208 # ifdef OPENSSL_NO_PSK
8209 ADD_ALL_TESTS(test_tls13_psk, 1);
8211 ADD_ALL_TESTS(test_tls13_psk, 4);
8212 # endif /* OPENSSL_NO_PSK */
8213 # ifndef OPENSSL_NO_TLS1_2
8214 /* Test with both TLSv1.3 and 1.2 versions */
8215 ADD_ALL_TESTS(test_key_exchange, 14);
8217 /* Test with only TLSv1.3 versions */
8218 ADD_ALL_TESTS(test_key_exchange, 12);
8220 ADD_ALL_TESTS(test_custom_exts, 5);
8221 ADD_TEST(test_stateless);
8222 ADD_TEST(test_pha_key_update);
8224 ADD_ALL_TESTS(test_custom_exts, 3);
8226 ADD_ALL_TESTS(test_serverinfo, 8);
8227 ADD_ALL_TESTS(test_export_key_mat, 6);
8228 #ifndef OPENSSL_NO_TLS1_3
8229 ADD_ALL_TESTS(test_export_key_mat_early, 3);
8230 ADD_TEST(test_key_update);
8231 ADD_ALL_TESTS(test_key_update_in_write, 2);
8233 ADD_ALL_TESTS(test_ssl_clear, 2);
8234 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
8235 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
8236 ADD_ALL_TESTS(test_srp, 6);
8238 ADD_ALL_TESTS(test_info_callback, 6);
8239 ADD_ALL_TESTS(test_ssl_pending, 2);
8240 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
8241 ADD_ALL_TESTS(test_ticket_callbacks, 16);
8242 ADD_ALL_TESTS(test_shutdown, 7);
8243 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
8244 ADD_ALL_TESTS(test_cert_cb, 6);
8245 ADD_ALL_TESTS(test_client_cert_cb, 2);
8246 ADD_ALL_TESTS(test_ca_names, 3);
8247 #ifndef OPENSSL_NO_TLS1_2
8248 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
8250 ADD_ALL_TESTS(test_servername, 10);
8251 #ifndef OPENSSL_NO_EC
8252 ADD_ALL_TESTS(test_sigalgs_available, 6);
8254 #ifndef OPENSSL_NO_TLS1_3
8255 ADD_TEST(test_pluggable_group);
8257 #ifndef OPENSSL_NO_TLS1_2
8258 ADD_TEST(test_ssl_dup);
8264 OPENSSL_free(privkey);
8265 OPENSSL_free(cert2);
8266 OPENSSL_free(privkey2);
8270 void cleanup_tests(void)
8273 OPENSSL_free(privkey);
8274 OPENSSL_free(cert2);
8275 OPENSSL_free(privkey2);
8276 bio_s_mempacket_test_free();
8277 bio_s_always_retry_free();
8278 OSSL_PROVIDER_unload(defctxnull);
8279 OPENSSL_CTX_free(libctx);